Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, countries outside of the European Union have begun to take a serious look at crafting their own data protection measures that could prevent data misuse, minimize data breaches, and afford new rights to data subjects. The United States is one of these countries. The country is responding to growing calls from not only US-based tech firms and law firms, but also the international community, to pass a baseline federal privacy law. Although it’s only in the early stages, Senators from the US Congress have begun to mull the idea of US federal data protection laws, seeking input from international data protection authorities and lobbying for bipartisan support. Yet even with mounting momentum in the US Capitol, many are not optimistic that such sweeping regulations will pass anytime soon. Why? It’s politics, as usual.
In the absence of federal action, the State of California has taken its own action by passing the first comprehensive data protection law, the California Consumer Privacy Act (CCPA). Slated to take effect on January 1, 2020, CCPA is the first law in the United States to mirror GDPR, particularly with regards to the rights afforded to California citizens in accessing and managing the data collected about them.
Additionally, CCPA is the first law of its kind to include a private right of action — that is, an individual’s right to sue for violation of the provisions of CCPA, a right not granted to EU citizens under GDPR. This private right of action is a hot-button issue, thus serving to delay the adoption of a GDPR-style law on the federal level in the US.
Predictably, Republican Senators have said that they will not pass a bill which includes a private right of action, while Democratic Senators noted that they will not pass a bill without it — a stalemate at its finest.
Although not as demanding as CCPA, at least 25 other states in the US have enacted their own laws which address data protection practices of private sector entities. While these laws mainly regulate the security measures that a business must adopt, at least a dozen of these state laws also prescribe practices related to access, use, modification, destruction, and disclosure of personal data. So, how are national and international companies expected to comply with the hodgepodge of rules?
Amongst all the debate and noise surrounding data protection and privacy, certain fundamental principles remain — reasonable security procedures and practices, transparency in data processing, and an individual’s right to access, control, and delete their data.
International companies understand that these principles are the new gold standard and are committed to affording them to their customers around the globe, not just in the EU. This is the stance that Dwellworks takes. We believe that adhering to GDPR as our minimum standard is sound business practice and are confident that these standards will weather well against any future US data protection laws. While a federal privacy law will reflect US legal precedents and our cultural values and norms, it will also likely mirror GDPR. This is good news for American businesses since an interplay between the two should reduce complexity and cost, alleviating the burden of data protection compliance in multiple countries and paving the way for a single, global standard.
There is little doubt that federal data protection and privacy law is coming to the United States. When it will occur and what the law will address is another story. Regardless of this, Dwellworks remains steadfast in its commitment to data privacy, transparency, and accountability. Through ongoing monitoring and sound preparation, we can ensure that any evolution in the law or adoption of new ones has a minimal impact on the way we conduct business. Continuing to adhere to GDPR principles allows us to afford basic data rights to our customers, with the flexibility to adjust our practices as required by law and avoid an unanticipated crisis.