What the US can learn from EU Privacy Regulations

Key Takeaways

  • The GDPR is the EU’s comprehensive data privacy legislation in effect since 2018.

  • The GDPR defines the obligations of companies that control data and the rights users have over their own data, and it can impose harsh fines for non-compliance.

  • The GDPR differs from the CCPA in that the GDPR applies to all entities that collect data, while the CCPA only applies to certain for-profit businesses, and the GDPR carries harsher penalties.

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of data privacy rules governing the collection and processing of data from individuals living in the European Union (EU). It was adopted by the European Parliament and European Council in 2016 and came into force in 2018. 

What is covered in GDPR?

The GDPR is unsurprisingly a very large document, with 11 chapters and 99 articles. Article 5 of the GDPR lays out the seven governing principles of the legislation, which include data minimization, storage limitation, and confidentiality (security). These principles shape the rest of the document, which spells out several concrete responsibilities of “data collectors” and the rights granted to users. Here we cover a few of the most important topics addressed in the GDPR.

Defines personal data. The GDPR defines personal data as any information related to a person that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social media websites, medical information, or even a computer IP address.

Clarity. The GDPR specifically prohibits long, convoluted terms-and-conditions statements, particularly statements written in legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.

Consent. The GDPR makes it crystal clear that businesses and organizations handling private or sensitive data must ask for consent and permission each and every time they access the data.

Breach Notification. Compliance with the GDPR requires companies to notify all data subjects within 72 hours of first discovering that a security breach has occurred.

User rights. After all, the GDPR is designed to help protect the rights of individuals. As such there are eight rights laid out by the GDPR:

  1. The right to be informed - providing individuals with clear and concise information about what companies do with their personal data.

  2. The right of access - gives individuals the right to obtain a copy of their personal data.

  3. The right to rectification - individuals have the right to have inaccurate personal data rectified.

  4. The right to erasure - individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

  5. The right to restrict processing - means that an individual can limit the way that an organization uses their data.

  6. The right to data portability - gives individuals the right to receive personal data they have provided to a company in a structured, commonly used and machine readable format.

  7. The right to object - gives individuals the right to object to the processing of their personal data at any time. 

  8. Rights in relation to automated decision making and profiling - Examples of automated decision making include an online decision to award a loan or a recruitment aptitude test which uses pre-programmed algorithms and criteria. The GDPR restricts companies from making solely automated decisions that have a legal or similarly significant effect on individuals.

Privacy by design. Companies must implement appropriate technical and organizational measures in an effective way to protect the rights of data subjects.

Data Protection Officers. Enterprises that meet certain requirements must designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. 

Who does GDPR apply to?

GDPR applies to any organization operating within the EU, regardless of where the website, app, or service is based. In practice this means that every major corporation in the world needs to be compliant with GDPR.

Fines

The fines levied by the European data protection authorities during the first 4 years of the GDPR’s existence show that European authorities are willing and able to enforce this legislation with serious consequences. Failure to comply with GDPR can result in a fine ranging from 10 million euros to four percent of the company's annual global turnover, a figure which for some companies could mean billions.

The largest fine to date was Google and Facebook being fined a combined $238M for making it easier for users to accept cookies than to refuse them. This violates the requirement that it must be as easy to withdraw consent as it is to give it.

Comparing GDPR vs CCPA

As covered in our previous blog, the California Consumer Privacy Act (CCPA) was the first state-wide privacy legislation and as such is held up as the standard of measure for US privacy. How do the CCPA and GDPR differ?

Who they apply to

GDPR applies to any entity that handles personal data from the EU, which includes small businesses and non-profit organizations. CCPA only affects for-profit entities that meet one of the following criteria:

  • has an annual gross revenue >$25 million

  • collects, buys, sells, or shares the data of >50,000 consumers, devices, or households in California (this includes your company's visitors)

  • at least 50 percent of their annual revenue comes from selling this data

Penalties

As stated earlier, GDPR financial penalties for non-compliance and/or data breaches can range as high as $24 million or 4% of the violating company’s annual global turnover from the previous fiscal year, whichever amount is higher.

The CCPA differs noticeably from the GDPR here, in that non-compliance alone isn’t considered sufficient cause for a fine. Instead, penalties are only applied after a data breach occurs. When one does happen, all pre-existing violations relevant to the breach are taken into consideration and fined individually. The maximum fines are as follows:

  • $2,500 per violation

  • $7,500 per intentional violation

  • $100 to $750 in damages in civil court (The CCPA provides consumers affected by a breach the opportunity to independently sue the responsible party as well.)

Conclusion

While the CCPA and GDPR target different geographies, they both have global reach. Although we focused on the differences, the two regulations have much more in common than not. They overlap on the most important topic: rights. So if you are compliant with one, chances are you are well on your way to meeting the other’s requirements. If you want to look more in depth at key requirement comparisons for CCPA vs GDPR, check out this handy comparison chart.

The GDPR serves as a model for the kind of comprehensive privacy law that the US federal government currently lacks. While serving 27 separate countries, the GDPR has been enforced in an impressive way. The US federal government has privacy legislation models from its own states and from the EU; implementing a comprehensive federal law would simplify the legal landscape for companies in the US and should be a top priority for lawmakers.