The General Data Protection Regulation (GDPR) protects the personal data of the citizens of the European Union (EU), but the law’s impacts have rippled across the globe. The lessons of this legislation, paired with high-profile data breach and misuse cases, have Americans considering what actions need to be taken on information privacy laws in the US.
Legislators, the business sector, and the general public have awakened to the need for and likelihood of federal and state data privacy laws after the GDPR. And the European law has provided a glimpse of the possible impacts of data privacy legislation for law firms, technology companies, other sectors of business, and individuals.
The State of Information Privacy Laws in the US
The White House released a statement regarding the need for information privacy laws in the US post-GDPR. The US Congress, both before and after the European law went into effect, has been mulling the possible approaches, with multiple bills presented in both the Senate and the House of Representatives.
When it comes to state data privacy laws after the GDPR, California passed the most comprehensive legislation, the California Consumer Privacy Act of 2018, which is scheduled to take effect on January 1, 2020. Vermont and South Carolina each passed more limited legislation related to personal data and cybersecurity, while Washington State and others debated various bills, but failed to take broad action.
With the imminent prospect of inconsistent state data privacy laws after the GDPR, technology companies have joined the calls for federal information privacy laws in the US, in hopes that this legislation will preempt state laws and lessen the burdens of compliance.
Primary Requirements of the GDPR
The GDPR recognizes the fundamental—though not absolute—right of individuals to the protection of personal information and sets forth the requirements for entities who process and maintain that data. The provisions include the following:
- Personal data must be acquired with consent, or under other specific conditions, for “specified, explicit, and legitimate purposes”.
- Only information necessary for the purpose at hand should be collected.
- Further processing of data must be consistent with the original purpose for which the information was obtained.
- Data “processors” and “controllers” must act to reasonably protect data from misuse “by design and by default”.
- Penalties can be applied to responsible parties that disregard the regulations of the GDPR and the right to protection of personal data.
California Passes First Comprehensive State Data Privacy Laws after GDPR
Responsibility for promulgating rules related to the California Consumer Privacy Act is assigned to the state Office of the Attorney General. The Act shares many features of the GDPR, including recognition of the rights of consumers to know what personal data is collected and how it is used, to request deletion of personal data, and to opt out of third-party data sales.
California’s law also includes the right of a consumer to file a civil action against a company when personal data is exposed as a result of the data holder’s failure to reasonably act to secure data.
Features of Proposed Information Privacy Laws in the US
The federal privacy bills that have been proposed in Congress generally assign responsibility for regulation to the Federal Trade Commission (FTC) and state attorneys general.
Consumer consent is one of the heavily debated topics in current proposals, with some bills requiring consumers to opt in, others requiring an opt out, and at least one recognizing a “duty of care” that lies with providers and information processors regardless of a consumer's consent or lack thereof.
The right to personal civil action is another point of debate in federal privacy legislation. Technology companies are lobbying to limit these rights, while consumer advocacy groups are arguing for stronger enforcement, including a consumer right to action.
Information Privacy Laws in the US: Impacts of Data Privacy Legislation on Law Firms and Businesses
Government regulation of personal privacy has vast implications for technology companies that buy, sell, and otherwise use and share consumer data for the benefit and profit of the business. Law firms and other businesses that handle personal data, but don’t typically use that information for financial gain, might find that the requirements for data security don’t unduly exceed the data security precautions that should already be in place.
However, the scope of the impacts of data privacy legislation on law firms and other businesses goes beyond internal data management. It is important to remember that the data privacy regulations currently in effect require companies to reasonably act to protect consumer data, which includes ensuring that IT vendors and data processors are also taking appropriate security precautions.
Federal and state data privacy laws might also impact the way attorneys work. E-discovery is a good example of an area where privacy regulations could affect the daily tasks, approaches, and systems used in the legal industry.
Ultimately, attorneys have a professional responsibility to protect the private personal data with which they are entrusted. Firms that have neglected to seriously address law firm data protection might be encouraged to do so by the current and proposed regulations. In a best-case scenario, new information privacy laws in the US will provide a framework by which law firms and businesses can improve data security practices and better protect clients.