Individuals and businesses on both sides of the Atlantic might feel that because the General Data Protection Regulation is EU legislation, it only applies to EU countries. Yet that interpretation is flawed.
The truth is that the GDPR’s application is more about who you are targeting rather than where your business is based. So if you’re a US-based business with EU customers, you’ll need to take heed of – and comply with – the GDPR. Some US businesses still need to be convinced on this point.
UK vs US Data Privacy Laws
The GDPR applies to almost everyone who handles personal data in the European Union, or who handles the personal data of people in the European Union.
In contrast, the US has no single data privacy law with an equally broad application. We found a variety of federal and state laws which knit together to form a piecemeal data protection regime, with particular sectors (such as healthcare) being the main focus. This approach can make compliance difficult, as the required data protection standards vary from state to state.
Perhaps unsurprisingly, we found the standard required by the GDPR was usually sufficient to satisfy the standards required by the relevant US laws, too.
The GDPR provides a universal definition of “Personal Data”; the equivalent term in the US is “Personally Identifiable Information”, and what constitutes PII varies according to state law. For example, financial data and national insurance numbers in the UK are not seen as “sensitive” in terms of the strict legal definition, but financial data and social security number are often considered sensitive in US privacy legislation.
The GDPR is based on the idea that personal data should be protected and individuals should have control over how their data is used. These rights include the right to erasure, data portability, withdraw consent, rectify inaccurate data, access, restriction and objection.
Data subjects’ rights in the US are far more limited. Although US law makes it clear that certain information should be provided to the data subjects at the point when their personal data is collected, there are generally no further data subject access rights, or the right to erasure. The limited data subject rights which are in place relate to children’s data, such as the Children’s Online Privacy Protection Act, which allows parents to view the personal information collected by a website about their child, and to delete and correct that information.
The new California Consumer Privacy Act introduces various rights to Californian residents – enabling them to understand how their data is used, to erase it, and to opt out of a business being able to sell their information.
Under the GDPR, transfers of personal data outside the EEA are restricted – principally to ensure that the data rights available to individuals aren’t undermined because an international provider is being used. This usually means that international transfers of personal data will be subject to the EU-US privacy shield, the Model Contractual Clauses or Binding Corporate Rules.
In contrast, there are few limits on the transfer of personal data outside the US imposed by US law. Whilst US laws and regulations do continue to apply to data after it has left the US, these mainly focus on ensuring the US entities remain liable for the data.
The GDPR has extended the maximum penalties for breaches of data protection to €20million or 4% of annual global turnover, whichever is the highest. In contrast, the FTC (Federal Trade Commission) allows for fines of up to $16,000 per offence.
What’s not so different?
Shouldn’t we just get consent for everything?
Collecting consent is often seen as a simple way of avoiding considering data practices in detail. Let’s just get the data subject’s consent to everything, right? Wrong.
Consent is one of the six ways you can legitimise handling personal data, but it is not the only one, and is often overused. Both the GDPR and the US data protection laws align here – you don’t need consent for everything.
In the EU, data controllers must notify their national supervisory authority if there is a data security breach and in some situations, the data controllers will also need to notify the data subject. Data breach notifications are also required in the US, where 48 out of 50 states have now enacted security breach notification laws.
About this article
This article was jointly written by Taylor Vinters in the UK and Kenneth Polk, Innovation Counsel at the American Chemical Society. It’s the first in a series that will give businesses an overview of the legal nuances associated with operating across multiple jurisdictions.