What might the ‘US GDPR’ look like? American business community weighs in
In the wake of repeated data leaks, the Business Roundtable proposed a framework for US national privacy legislation. The recommendations represent the position of over 200 corporations and come as US politicians have promised to introduce a new American privacy bill.
The Business Roundtable’s (BRT) framework for consumer privacy legislation drew inspiration from the EU’s General Data Protection Regulation. Similar to the GDPR, the proposed regulations call for all businesses to adhere to a national standard for notifying users about a data breach, to give data protection more consideration, and to give consumers more control of their data, including an American version of the “right to be forgotten.”
The BRT’s document outlines general principles rather than specific legislation. They propose that the Federal Trade Commission would be in charge of enforcement. But overall, the recommendations track closely with the data protection and consumer rights provisions of the GDPR. The primary focus of the proposal is to ensure that privacy regulations do not interfere with corporate innovation.
“We see a real need to both protect consumers at a time when digital services and the digital economy is so important and expanding, and at the same time, making sure we’re advancing global competitiveness,” said Julie Sweet, the chief executive of Accenture North America, who chairs the Business Roundtable’s technology committee, to The Washington Post.
The framework calls for harmonizing the patchwork of US laws governing data collection. The current regulatory situation is a fragmented mess. At the federal level, the current law addressing corporate cyber security, the Cybersecurity Enhancement Act (CEA), was passed in 2014. It created voluntary standards that are sector-specific, meaning certain privacy standards that apply to one industry are not applicable to another. The CEA does not impose any penalty for organizations that fail to safeguard personal data.
Further complicating matters are the different standards that each state has applied. Lack of coherence from federal law enforcement has meant that state attorneys general have taken the lead in regulating data privacy, leading to a variety of policies. The California Consumer Privacy Act (CCPA), which will go into effect in 2020, is significantly more stringent than any other standard being implemented in the US today, although it still falls short of the GDPR.
What it means for businesses
While any federal legislation concerning data collection and protection is still a ways off, one thing is clear: regulation is coming. That the stated privacy principles of the Business Roundtable, an association of chief executive officers from major US corporations whose goal is to promote pro-business public policy, are so similar to those of the GDPR shows that businesses realize more must be done to protect private data. By submitting its own framework, the BRT is trying to preserve some space for self-regulation and avoid the hefty fines of the GDPR.
Unfortunately for them, their proposal came out right after the massive hack of Marriott hotels. This data breach led several lawmakers to call for GDPR-style fines for companies that fail to protect customer data — or even for the CEOs of negligent companies to face jail time. Many US lawmakers have already stated they will not support a national law that contains less robust protections than those consumers have in local jurisdictions, making the CCPA a likely starting point for any future US privacy bill.
While the picture will remain murky for the foreseeable future, if your company is already compliant with the GDPR, you have little to fear. The GDPR is currently viewed as the gold standard when it comes to data privacy, and any US legislation will likely use the GDPR as its inspiration.