Privacy laws — the regulations that govern how personally identifiable information is used, managed, and stored — have become increasingly important to consumer-facing businesses over the past few years as the digitization of data ramps up.
Data privacy has moved high on the agenda for businesses that handle personal data, particularly since the General Data Protection Regulation (GDPR) came into effect two years ago, imposing obligations on any organization that collects data relating to residents of the European Union (the EU).
Although similar regulations exist in other parts of the world, GDPR is arguably the most stringent and comprehensive privacy and security law to date. This is likely driven by a higher level of awareness of digital privacy in the EU, where citizens are perhaps more engaged with, and better informed about, their consumer rights. That attitude also makes EU citizens more willing to raise concerns and to educate other consumers about their privacy rights.
In the United States of America (USA), however, it has been argued that public reactions concerning specific personal data rights and protections are even more outspoken, especially when those rights come under attack or are threatened with violation. A year before GDPR’s implementation, for instance, there was widespread public outcry online when the Federal Communications Commission (FCC) voted to repeal net neutrality.
So instead of arguing over whether American or European privacy laws are stricter, perhaps it is more important to acknowledge that there are no unified solutions for companies that will work globally.
Instead, it would be wise to examine the concepts of each approach and continue observing the developments in the regulatory space to understand which aspects work better, and the reasons behind them.
European Union’s Approach
It’s been two and a half years now since GDPR was passed into law, with enforcement already seeing several successful convictions against violators. An extensive piece of legislation, GDPR is the undisputed legal backbone for data protection and privacy in the EU. It comprehensively covers many digital aspects and even has an outline of its future direction clarified earlier this year with the EU’s new “European Strategy for Data.”
Unlike EU directives, which leave room for national interpretation by member states, the GDPR is directly binding and imposes a common interpretation that harmonizes existing privacy laws across Europe. Nevertheless, other legislative bodies of the union, representing the different interests of member states, can have a say in the ratification process and retain powers to shape eventual laws.
Superseding the EU Data Protection Directive 95/46/EC, the GDPR aims not only to protect sensitive data of EU citizens but to empower them with better control over their data – most obviously through the so-called “right to be forgotten”. This allows individuals to make verbal or written requests to any organization to erase any data collected from and about them.
GDPR compliance requires businesses and organizations to build privacy into their data systems by design and by default, and it assigns distinct responsibilities to those who control and those who process personal data.
United States Approach
The largest economy in the world does not have an all-encompassing data protection and privacy law like the EU’s. Instead, it has a plethora of federal and state laws that each carve out specific areas of privacy and digital data.
Policymakers have made several proposals for new federal legislation that would unite these pieces of state legislation. For instance, Senator Kirsten Gillibrand (D-NY) proposed the creation of a federal Data Protection Agency that would enforce data privacy regulations and investigate potential violations.
Currently, lobbying bodies like Privacy for America probably wield the most decision-making power, since they represent large coalitions of industry groups with a stake in data privacy and work to ensure that any legislation passed serves industry requirements.
Essentially, this means that the US approach is a bottom-up one, prioritizing the states’ right to self-governance. This is true, at least, in comparison with the seemingly top-down approach of the EU, which balances supranational and intergovernmental policies.
The California Consumer Privacy Act of 2018 (CCPA) probably resembles GDPR the most as it gives consumers more control over the personal data collected by businesses, with one difference.
While GDPR requires businesses to justify data collection, CCPA only asks that they enable users to opt out of data collection.
Is Compliance Difficult?
According to the EU itself, it has been quite challenging for SMEs (small and medium-sized enterprises) that are struggling, in particular, to apply GDPR principles to sophisticated technologies like big data and artificial intelligence.
In the US, because there is no single law to comply with, compliance depends on the specific industry in which a business or organization operates. Finance, healthcare, education, and government institutions are among those most rigidly scrutinized in this regard.
One approach that would help facilitate compliance is to upgrade data systems with solutions that already include tools designed for automatic compliance with specific privacy laws. In highly regulated industries like healthcare, archiving patient information must also fulfill the goal of protecting patient data privacy under HIPAA. On-premises or cloud solutions offered by companies like Jatheon, for example, can provide the necessary built-in privacy law compliance that ensures both.
Many companies, including those working in emerging technologies like blockchain, are already working on such solutions. Google Drive, for example, claims to support GDPR compliance with data protection and security features. Another example is AIKON, which seeks to provide GDPR & CCPA compliant Identity-as-a-Service solutions to businesses.
Whether the balance in the EU and US moves towards even tighter protection of individuals’ data or shifts towards treating consumer data as a commercial asset, any business that wants to deal with digital data must now contend with privacy law compliance.
For most, this may mean looking for ready-made and compliance-ready data management solutions, and a forward-thinking few will be turning to the blockchain. The inherent blockchain data privacy benefits come from having no central location that stores private user data. Therefore, system and information security are unbreachable as there is no single point of attack that malicious users can pinpoint.
As privacy laws largely focus on securing user information and giving users control over it, blockchain-based identity management solutions need to ensure compliance for all customers.
AIKON’s ORE ID and ORE Protocol are the perfect examples of that as they are both GDPR and CCPA compliant. Moreover, they also represent the future of the sector with forward-looking development that allows for mass adoption of blockchain technology in general.