Representatives of Apple, Facebook, Google and Microsoft joined forces in October as they declared their support for a U.S. federal data privacy law as powerful as the European Union’s (EU) General Data Protection Regulation (GDPR).
Apple CEO Tim Cook was clear in his keynote at the International Conference of Data Protection and Privacy Commissioners in Brussels: Apple is in full support of a comprehensive and stringent U.S. federal data privacy law. Today’s data-driven world, as he described it, “has exploded into a data industrial complex. Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.” Cook went on to declare that the protection of personal information is akin to defending a fundamental human right.
In response to industry concerns about privacy regulation constraining technological developments, Cook explained that true advancement is impossible without the full trust of end users. Other technology leaders are also beginning to share this view, and voicing their commitment to protecting personal data.
At the conference, Facebook Chief Privacy Officer Erin Egan asserted that she was in support of a U.S. federal data privacy law. Google’s General Counsel Kent Walker pointed to steps the company has already taken to support privacy legislation, and Microsoft Vice President and Deputy General Counsel Julie Brill noted that the company is now offering many EU GDPR protections to all customers, regardless of residency.
Data privacy is here to stay
While there are many uncertainties in the industry, one thing is clear: data privacy isn’t going anywhere. With new technological advancements, more personal information is being collected than ever before. As the quantity and sensitivity of this information grows, it becomes increasingly important not only to protect the information, but also to give individuals a say in how their data is handled.
Data privacy regulations cannot be ignored. In addition to many state laws, organizations must comply with a long list of industry-specific U.S. data privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA).
The need for U.S. federal privacy law
Without a federal data privacy law in place, individual U.S. states rely on their own laws to protect residents. Until state regulations are harmonized, companies must be mindful of the states in which they operate, and follow individual laws accordingly.
Most states have rules about data retention, breach reporting, required security controls and telemarketing. Differences do exist between the states’ laws, however, and understanding those differences and nuances can be confusing for organizations. Some states’ data retention rules apply only to paper records, while in other states they apply only to electronic records. In Massachusetts, businesses must comply with specific requirements related to implementing information security controls. North Carolina’s requirements include particular rules about the “reasonable measures” organizations must take to protect against unauthorized access to information. The state of California is gaining the most attention for its California Consumer Privacy Act (CaCPA), a landmark policy based on GDPR and set to go into effect in 2020.
U.S. federal privacy law may mirror GDPR
It is no coincidence that during his keynote speech, Cook called for sweeping data protection policy in the U.S. that embraces the principles of data minimization, transparency, data subject rights and security: all key elements of the GDPR in the EU.
The EU has set the standard for data protection policies, and GDPR remains the most rigorous and inclusive data privacy law to date. Many expect a future U.S. federal privacy law to also borrow heavily from GDPR, including more accountability for companies, heavier penalties and more power awarded to data subjects in the U.S. than ever before.
Steps organizations should take now
While keeping up with constantly changing regulations can be daunting for organizations, it can also create new opportunities. Companies committed to protecting the privacy of their customers can gain not only the trust of customers, but also a competitive edge.
Organizations can best prepare with the following steps:
- Clarify which new regulations may apply to your organization. Look carefully at the data you collect and process. Some regulations, such as GDPR, may apply to companies even if they don’t have a physical presence in the EU.
- Determine how your privacy program will be managed by your organization. Some companies may need to appoint a data protection officer (DPO).
- Develop and implement a risk-based privacy program based on leading practices. Focus on key principles such as data minimization, transparency, data subject rights and security.
For more information on this topic, or to learn how Baker Tilly specialists can help you with privacy regulation compliance or assessing readiness, contact our team.