By Jay Bemis | Advertising Systems Inc.
A $57 million fine that the French data protection authority levied on Google last week is the largest yet under the European Union’s newer privacy law, and it could well bolster efforts to enact similar legislation in the United States.
California already has passed a data privacy protection act of its own, and that legislation — similar to the European Union’s General Data Protection Regulation (GDPR) under which France fined Google — takes effect in early 2020.
In Congress, meanwhile, a number of lawmakers, most of them Democrats, have introduced data protection bills that would be similar to the GDPR. And the White House said this past summer that it was looking forward to working with Congress on “a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.”
Historically, the U.S. has taken an industry-by-industry, on-demand approach to regulating privacy, as it did with privacy laws affecting the health industry in 2003.
But a revelation by Facebook this past year that it had released private information about more than 50 million of its users to Cambridge Analytica, the passage of the GDPR and California’s new law all are serving as rallying cries for the United States to abandon the on-demand approach and regulate internet users’ privacy nationwide.
Facebook and Twitter also reportedly are being scrutinized by GDPR regulators, but Google’s $57 million fine is the first leveled against those three major platforms. The Federal Trade Commission, meanwhile, is conducting an ongoing investigation of the Facebook/Cambridge Analytica data release exposed last March.
European Union’s GDPR Explained
For EU citizens, the GDPR replaces a 1998 law enacted before the likes of Google and Facebook even existed. The new law gives EU citizens more rights in controlling their online information and presents a number of technically demanding requirements for companies to meet. It also threatens fines of up to 4 percent of a company’s annual revenue for violations.
One of two key elements of the law is the right of erasure, or the right to be forgotten — if you don’t want your personal information made public, then you can request its removal or erasure. A second element is the right of portability — when companies address “opt-in/opt-out” clauses to their users, for example, notices must be easy to understand and precise on the clauses’ terms.
Though GDPR doesn’t directly regulate U.S. companies, any companies that do business with UK citizens, including such social platforms as Google and Facebook, were required to be GDPR-compliant when the law took effect last May.
California’s Version of GDPR
In June, on the heels of the GDPR’s enactment, California Gov. Jerry Brown signed into law that state’s own version of GDPR to protect the privacy of its citizens.
California’s law gives online users the right to know what information companies are collecting about them, why the companies are collecting that data and with whom the data is shared. Californians also can tell companies to delete their information or not sell or share their data.
Once it becomes effective next January, the law makes it easier for consumers to sue companies after a data breach. It also gives the state’s attorney general more authority to fine companies that don’t comply with the new rules — and it makes it more difficult to share or sell data on children who are younger than 16.
What Might Lie in Store for the U.S.
With their continually growing numbers and the platforms they serve for marketers, Google, Facebook and Twitter certainly aren’t going anywhere soon. But they and all other U.S. companies, large and small — as well as marketers for those companies — must be aware of the regulations and privacy rights that the likes of the GDPR and the California Consumer Privacy Act command.
What sort of national data privacy law might Congress eventually pass? Whatever emerges from Capitol Hill and a presidential signature, likely after much lobbying by tech giants and privacy advocates alike, probably won’t be a GDPR copycat, experts say.
“Privacy and data protection are fundamental rights from the EU perspective but not in the U.S.,” Eduardo Ustaran, codirector of the privacy practice at law firm Hogan Lovells, recently told Fortune magazine.
“That is a major philosophical difference between the two jurisdictions, and that will be reflected in the law.”
Marc Rotenberg, president of the Electronic Privacy Information Center, a Washington, D.C., advocacy group, says any new law should be spearheaded by an agency that coordinates enforcement and reports on the current state of affairs and emerging threats to people’s privacy.
“The U.S. needs to improve its understanding of this critical issue,” he told Fortune.