It seems our government is failing us when it comes to data privacy laws. Data is pervasive in modern society, and it is impossible to do anything without data about us being collected, tracked, and used in ways we have no control over. The only control you have over how data is created about you is to limit what you do online, but this is virtually impossible these days. Every website, app, or online platform you use stores and uses your data in one way or another, and it is impossible to know how each one is using it. The data you generate can be stored, shared, sold, manipulated, and even hacked. Every time you decide to use the internet or any app, you must decide the level of risk you are willing to take on with your personal data.
The myriad of data privacy laws is the only way in which your data privacy is protected. This article explores some of the laws in place in both Europe and the United States that are meant to protect consumer data privacy and the ways in which they work. It also explores some of the benefits and shortcomings of these laws.
Data privacy in Europe
Data protection laws in Europe are quite strict and are governed by the General Data Protection Regulation (GDPR for short). This data protection regulation took effect on May 25, 2018, and is a wide-ranging and comprehensive piece of legislation. Under the GDPR, consumers and internet users must know, understand, and consent to the collection, processing, and use of their data.
Despite being enacted by the European Union, the GDPR affects any organisation that targets or collects data produced by European citizens, wherever that organisation is based. Companies and organisations must now be extremely clear and transparent about exactly what they are collecting, and a failure to comply with the mandates set out in the GDPR can result in hefty fines being levied against them.
There are many key data protection and privacy requirements that must be followed by all companies wishing to sell to EU citizens. Some of these include:
- Requiring the consent/permission of consumers before processing their data
- Providing notifications to consumers whenever there is a data breach
- Ensuring that any data collected is anonymised in order to protect the privacy of users
- Safely handling the transfer of data, especially across borders
Data privacy in the United States
The data protection laws and policies in the United States are very different from those of the European Union. While Europe has one overarching data protection and privacy regulation (the General Data Protection Regulation), there is no such single policy in the United States. The United States instead employs many different laws that work in many different ways. US data protection laws are a complicated patchwork of sector-specific laws and rules. These laws cover health information, financial institutions, telecommunications, credit information, and so on.
This patchwork includes a mix of laws that cover specific types of data and are delivered and managed in different ways. They go by acronyms such as HIPAA, FERPA, ECPA, FCRA, COPPA, VPPA, and GLBA. We explore each of these a bit more in this section.
- The Health Insurance Portability and Accountability Act (HIPAA) covers the communication between health professionals and institutions such as doctors, hospitals, pharmacies, insurers, etc., and doesn’t really have much to do with privacy. This act governs the collection of health information in the United States, but it does not cover every single type of health data that can be collected. Your Fitbit, for example, is not covered or protected by this law.
- The Family Educational Rights and Privacy Act (FERPA) is concerned with who can request the educational records of students. It can, for example, give parents the right to have access to their children’s educational records, the right to have those records amended, as well as the right to decide what personal information is disclosed within those documents. Under this federal law, once the student turns 18, or enters into a post-secondary institution such as university (at any age), the rights under FERPA transfer from their parents to them.
- The Electronic Communications Privacy Act (ECPA) governs the privacy of electronic communications and restricts government wiretaps on phone calls and other electronic transmissions and signals. In addition to the government, it also regulates companies and sets rules on the ways in which employers can monitor employee communications. One major critique of this law is its antiquated nature and enforcement: it was created before the modern internet era and does not protect against modern data collection and surveillance methods, such as data held in the cloud or stored on third-party servers.
- The Fair Credit Reporting Act (FCRA) regulates the information in your credit report and covers the collection and use of different credit information. This act limits who is able to see a credit report, how the credit information is obtained, and what credit bureaus can collect.
- The Children’s Online Privacy Protection Rule (COPPA) concerns the collection of data about minors and limits the ability of companies to collect personal information or data on children under 13 years old. It applies to commercial websites and online services that are either directed specifically at children under 13 and collect their personal data, or that have actual knowledge that they are collecting personal data from children under 13. This law was established in 1998, making it an old law that could also be considered antiquated and outdated in terms of modern internet practices.
- The Video Privacy Protection Act (VPPA) is a data protection law that prohibits video tape suppliers from knowingly disclosing personal information about a consumer’s rental, purchase, or subscription to a prerecorded video without their consent. Consumer information can be disclosed under this act, but only in very specific situations and through specific procedures.
- The Gramm-Leach-Bliley Act (GLBA) governs financial institutions (companies that offer financial products and services such as investment advice, loans, insurance, etc.) and requires them to disclose their information and data sharing practices to their customers, as well as the fact that customers have the right to opt out of this data sharing. While this law doesn’t directly restrict how companies can use and manipulate the data they collect, as long as they disclose their usage practices beforehand, it does help to make the process more transparent and give the customer more say in their digital life.
In addition to these sector-specific laws, which are enforced differently from state to state, the United States also uses the Federal Trade Commission Act (FTC Act) to govern and enforce U.S. privacy policy, including data privacy. The FTC isn’t explicitly involved in regulating website information or privacy policies, but it does enforce general privacy laws and takes steps to protect consumers and users from data exploitation.
Comparing the two systems
As detailed above, the data protection laws in Europe and the United States differ vastly and cover many different aspects of data and information privacy. Europe uses the GDPR, a wide-ranging and comprehensive data protection regulation that protects European citizens from data exploitation and manipulation by companies both in Europe and abroad. The United States, on the other hand, has no single comparable policy. Only three states (California, Virginia, and Colorado) have comprehensive data protection laws similar in scope to the GDPR. Every other state must rely on the patchwork of laws that focus on different areas of data protection and can be enforced in different ways depending on the state.
One major benefit the GDPR has over the US data protection laws and policies is that it is up to date, having been created during the modern technology and internet era (2018). Many of the United States’ laws, by comparison, were established decades ago, making them outdated and ill-equipped to effectively handle the complex and ever-changing data and technology landscape. Policy makers are beginning to catch up, however, and new laws are constantly being developed to help protect consumers from data companies and data exploitation.
Conclusion
We create and consume data on a daily basis, but most people have no idea where their data is going or how it is being used. This means that large companies have a great deal of control over people’s personal information and data, which can result in that data being stored, manipulated, and exploited without the knowledge or consent of the consumers generating it. To combat this, many different data protection and privacy laws exist to act as a barrier between these large companies and consumers. These laws vary by country and region and are implemented in different ways, each with their own benefits and drawbacks. In Europe the GDPR is used, while in the United States there is a myriad of different laws that focus on different areas of data protection and work in different ways to attempt to protect consumers’ data.
If you are a consumer, it is in your best interest to know how your data is being used and who is using it. If you are a business, it is important to understand the laws that govern data collection and usage in your country or region to ensure that you aren’t breaking any of them.
Don’t wait on the government to protect your data. Join the Ctrl.ly movement to help regular people control their data privacy. Simply joining the movement helps us build the momentum we need to make Ctrl.ly a reality.