“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
- Article 12 of the Universal Declaration of Human Rights by the United Nations.
Even though the Declaration of Human Rights from 1943 contains a reference to privacy, it is only recently that more emphasis has been put on privacy on the internet. The digital landscape of today has put pressure on the definition of privacy in ways that earlier generations could not have anticipated. The definition of privacy in the physical world differs from that in the digital world. Before the digital revolution, the biggest risk to privacy was thought to come from governments, which had the best chance of gathering and storing extensive amounts of data about individuals. With the explosion of digital and online services that we each rely on daily, the companies that manage these services now collect huge amounts of data about us.
Earlier regulations, which mostly affected government organisations and institutions such as banks and insurance companies, were discovered to be inadequate for the new digital world. This clear need for better rules has helped to create regulation such as the GDPR in the European Union.
Even though better regulations have been created in most countries of the world, it’s good to understand that in some cases they are mostly ignored. China, for example, has added privacy laws that are often overlooked by the authorities themselves. Even when the laws are followed by governments, they often include exceptions for some agencies for reasons of national security.
EU countries have taken a huge step forward in protecting the privacy of their citizens. Let's take a deeper look into the GDPR and compare it to the equivalent regulation in the US.
GDPR
The EU privacy regulation GDPR (General Data Protection Regulation) aims to protect the privacy rights of EU citizens. The primary goal of GDPR is to provide a framework for companies that store or control data about any EU citizen. Ultimately, GDPR will ensure stronger privacy rights for individuals by defining how private data should be handled and defining punishments for violations of these regulations.
GDPR is a reaction to the rise of services that store and handle your data online. Regulation about privacy has been, and still is in most of the world, fragmented. With GDPR, the EU now boasts the most comprehensive and protective digital privacy regulatory framework in the world.
The rights cover all EU citizens even if the service they’re using is not located in the EU, as long as the service is offered inside the EU or to EU citizens.
GDPR defines 8 rights for users. They are:
The Right to Information: The individual has the right to know what kind of data is stored and how it is used.
The Right of Access: You have the right to see what information the service has stored about you.
The Right to Rectification: You have the right to correct data that the services store about you.
The Right to Erasure: You have the right to require the service to erase the data it stores about you.
The Right to Restriction of Processing: You have the right to request cessation of the processing of your data in certain cases.
The Right to Data Portability: The right to receive the personal data held by the service for personal purposes or to send it to another service.
The Right to Object: You have the right to object to the processing of your data; for example, you have the right to object to cookie tracking.
The Right to Avoid Automated Decision-Making: You have the right to not be subjected to automated processing or profiling.
All these rights have exceptions and other stipulations, but in essence they provide you with the possibility to decide if the service is allowed to store data about you, and if it is allowed, you’re in control over how it's used and you can request deletion of the data.
GDPR divides data into two categories, “personally identifying” and “sensitive personal” data. As we covered in the previous chapter, personally identifying data is data that can be tied to you personally, such as addresses. Sensitive personal data is data that might reveal your biometric, genetic, health, sexual, religious, philosophical, political, racial or ethnic information. If the service is storing and using sensitive personal data, it is subject to stricter measures for consent and for protecting the data from unauthorised use.
GDPR has seen many controversies, and there has been lots of pressure to add amendments to the regulations, but the core content of the regulations is unlikely to change much. GDPR’s penalties for violations have sparked a lot of discussion as well. The penalties can go as high as €20 million, or 4% of the company’s annual global revenue, whichever is higher.
Privacy laws in the US
The United States does not have unified regulation like GDPR in the EU, although this can change in the future. Instead, the US relies on a host of different regulations on federal and state levels. Regulation such as GDPR is not out of the question in the US either, although organisations like Privacy for America, a lobbying group for industry bodies in the US, work to ensure that the needs of these companies are met. Some have called for a Data Protection Agency to be formed that would have the role of enforcing US privacy laws. The differences do not mean that the US doesn’t have privacy laws – it does. Most of the problems in the US relate to the patchwork of regulations and laws, where some laws are on the federal level and some are on the state level.
Probably the biggest obstacle for GDPR-like legislation in the US is the difference between the US and the EU. The US emphasises states’ rights, and federal regulation is seen as infringing on the rights of the states to govern themselves. Ultimately, some kind of solution will most likely be found in the US as well, but the end result might look quite different from what we have in the EU.
Some states have taken a much stricter view on their citizens’ privacy than the federal government. For example, the CCPA (California Consumer Privacy Act) covers essentially the same rights as GDPR. CCPA also covers all Californians globally, and it’s really important as California is the fifth largest economy in the world.
The EU-US Privacy Shield framework
The EU and the US have come together to facilitate the transfer of data between the parties while protecting privacy in a way that is agreeable to both. US companies who want to transfer data between the US and the EU have to self-certify under the Privacy Shield.
Privacy Shield is not a regulation but an agreement. This means that GDPR violations by US companies can’t be enforced unless the companies violate the orders of the FTC in the US. Privacy Shield also doesn’t cover all privacy rights in the GDPR. It’s worthwhile to note that the predecessor of the Privacy Shield, the Safe Harbour Privacy Principles, was declared invalid by the courts in the EU, and Privacy Shield might someday face the same fate.