Global Data Protection and the right to be forgotten

Oct 17, 2019 | 8 mins

Will the United States ever get its own privacy law?

Credit: Olivier Le Moal / Getty Images

In the 2013 landmark case Google Spain v Mario C. Gonzalez, Google – the world’s largest and most advanced search engine – was abruptly required to comply with a European Union (EU) court outcome and erase personal information at the request of an individual.

The Spanish Data Protection Authority based its decision on EU Directive 1995/46EU, which applies to any search engine operator that processes personal data. The court also determined that Google Spain is a Google-affiliated company and that Google Inc. is therefore subject to the EU Directive. So, in the end, any search engine that processes an EU citizen’s information is subject to this directive.

On data protection, the EU directive “obliges member states to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” If you are a US citizen you probably know that the US Constitution does not even mention the right to privacy; the closest it comes is the 4th Amendment, under Search and Seizure:

“The right of the people to be secure in their person, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” —4th Amendment, U.S. Constitution.

Does the 4th amendment address privacy for technology?

At the time the 4th Amendment was written, the items that could be searched did not include search engines and computer data systems. The personal effects we now need to protect are not only in our homes but in a cloud database that we subscribe to. The bottom line is that in the EU privacy is a human right and in the US it is not. Privacy and freedom of expression are foundational values of the US Constitution and its 27 Amendments, but they don’t translate directly into the EU notion that privacy is a human right. Our freedom of expression is stated in the 1st Amendment, which guarantees freedom of speech, press and religion and protects the right to petition the government.

Existing US data protection acts and regulations

The US has sector-specific data security laws, covering the financial, healthcare, telecommunications, credit reporting and telemarketing sectors, among others. It’s a very siloed approach, to say the least.

Some US data protection acts include the Health Insurance Portability and Accountability Act (HIPAA), which gives consumers rights over their personal health records and sets limits on who can look at or review their health information. Another is the Fair and Accurate Credit Transactions Act (FACTA), which replaced the Fair Credit Reporting Act (FCRA). This act requires financial institutions to meet requirements for information privacy, accuracy and disposal, and puts limits on sharing consumer information. It is also the reason the Personal Account Number (PAN) on your credit card receipts is masked to show only the last 4 digits, to prevent fraud.

The Federal Trade Commission (FTC) enforces data privacy through its authority to protect consumers against unfair and deceptive trade practices. The FTC targets companies for failing to implement reasonable data security measures, failing to abide by industry self-regulatory principles, and failing to adhere to the FTC’s consumer privacy framework or other national laws or regulations.

Privacy is a human right in the EU not the USA?

On the other hand, the European Union (EU) has a much more robust and unified data protection framework, the GDPR (General Data Protection Regulation). This law became active in 2016 for the EU. It’s based on the premise that in the EU privacy is a human right, unlike in the US, where no such right is mentioned in the Constitution.

The GDPR replaced the Data Protection Directive (DPD) that was put in place in 1995. The GDPR changed the definition of personal data to reflect how industry cloud applications now use our data. Companies can’t simply build a personal profile of users to data mine however they choose. GDPR requires opt-in consent: explicit consent from a consumer is required before any personal information can be used. This includes the right to know how, when and where their personal data is stored, how it’s being used, and by whom.

The GDPR also includes “the right to be forgotten.” Consumers in the EU have the right to request that any searchable personal information about them be removed and discarded, never to show up in a search result again.

Can we balance an individual’s right to privacy, data protection and the general public’s access to information?

So, how do we balance the desire of corporations to make as much money from consumers as possible with the need to maintain consumer privacy? This is still being debated and argued in courts across the globe. Because the EU has a broad GDPR data privacy law impacting US companies, the fear is that US companies will continue to face lawsuits from states and others, as Google did in Google Spain v Mario C. Gonzalez. Recently 51 US-based CEOs stated they want a fair and balanced solution. So, what do they propose? They want a softer US-wide privacy law to protect them from much harsher state laws.

The US, applicable laws and policies of cyber defense responsibilities

As stated earlier, the US has a siloed approach to data security laws. A couple not mentioned above include the Federal Information Security Management Act (FISMA), which does not apply to private industry or to any US city agencies or governments. We also have Sarbanes-Oxley for the financial sector and HIPAA for the healthcare sector.

Knowing that the financial, healthcare and banking sectors across the globe face the same internet threats, we must look for common points at the national level – such as each nation’s cyber policies. US cybersecurity policy is based on the Comprehensive National Cybersecurity Initiative (CNCI), which came from the Bush Administration in 2008. The Obama administration added the Cyberspace Policy Review (CPR) and later the National Cyber Incident Response Plan (NCIRP), which only applies to areas the federal government can regulate (healthcare, finance and banking).

What about private corporations? “The degree of US government intervention in regard to cybersecurity policy and related public-private partnership are now based on voluntary self-regulation, while the US government also tries to remove obstacles for the promotion of self-regulation.”

The EU, applicable laws and policies of cyber defense responsibilities

The EU faces the same dilemma as the US, namely the central government’s limited ability to regulate private industry. The EU bases its cyber policy on the Open, Safe and Secure Cyberspace strategy and the Digital Agenda for Europe (DAE). The DAE is a plan of 101 actions in 7 fields and sets top priorities. The EU set up the Network and Information Security (NIS) framework, which is delegated to enforce the cybersecurity plans and which resulted in a unified standard for monitoring online stability through the establishment of the Computer Emergency Response Team (CERT).

The bottom line here is that both the US and the EU end up with a siloed approach rather than a unified cybersecurity strategy, because private companies outside of banking, finance and healthcare can’t be directly regulated by the government. Both the US and EU do a very good job regulating cybersecurity in the financial, banking and healthcare sectors, while the US has a lot of catching up to do regarding general data privacy, especially now that the EU has GDPR, a globally enforceable privacy regulation that protects its citizens in any data system wherever they reside geographically.

The bottom line

It’s pretty simple: EU citizens have a right to be forgotten. All US corporations that store and process any EU citizen’s personal information must honor the right to be forgotten and be fully compliant with GDPR. In the meantime, the US is still trying to figure out whether it will continue with its siloed approach of state laws or finally land on a single federal privacy law like the EU’s GDPR.

Whatever happens, it will impact all of us one way or another. As a lawyer colleague of mine recently shared with me, whenever the federal government makes a law that applies to all states, then those states lose their individual rights in that area.

Should we continue to let each state make its own privacy laws, effectively continuing our siloed and often-disjointed approach, or do we strive for one federal law that covers all states?


A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP, and CISA certifications. George received the ISSA fellow Designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, Playing the Drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.