One year ago, Europe’s landmark privacy law called the General Data Protection Regulation (GDPR) put big tech on the defensive.
Now, with their companies under unrelenting scrutiny over how they handle user data, Facebook CEO Mark Zuckerberg, Apple CEO Tim Cook and Google CEO Sundar Pichai have called for similar “comprehensive privacy legislation ” on a federal level in the U.S.
Privacy legislation has become a rare bipartisan topic on Capitol Hill, and some states have swiftly forged ahead with their own versions of the EU law.
While CEOs and policymakers pile on the praise for GDPR, they are also quick to point out its flaws.
“As lawmakers adopt new privacy regulations, I hope they can help answer some of the questions GDPR leaves open,” Facebook’s Zuckerberg wrote in a blog post in March.
GDPR: The bad and good
GDPR went into effect last May across the European Union, harmonizing privacy laws across the bloc. Regulators and privacy advocates heralded the legislation as a victory for consumers seeking more control over their personal data in the wake of scandals like Cambridge Analytica. The law includes key principles such as the right to access and delete your data and requires companies to notify authorities of any data breaches within 72 hours.
The EU rules also give teeth to privacy regulation enforcement. Companies that breach GDPR can face fines of up to 20 million euros of 4% of annual revenues, whichever is bigger. So far, regulators haven’t levied any of the billion-dollar fines some expected, while the complexity of the law has frustrated some users and companies during its first-year in effect.
Lawmakers, lobbyists and CEOs in the U.S. are looking to trying to pick out the best parts of GDPR – and ditch what they see as the worst.
“We want to adapt many of the protections under GDPR but we also want to streamline those compliance requirements that under GDPR are quite burdensome,” said Denise Zheng, VP of Technology and Innovation Policy at Business Roundtable, in an interview in Washington last month.
Zheng said requirements like “opt-in” banners on websites can hurt users’ online experience, while penalties under GDPR are “quite significant” for smaller businesses.
Companies back many of the individual rights under GDPR such as transparency, correction, deletion and access to data, Zheng said. She added there is broad support for a common framework like GDPR that “harmonizes” privacy rules across different regions.
“You can’t have a patchwork of laws and still expect to have consumers understanding what their rights are, having consistent rights,” she said. “We need a single national standard.”
Federal vs. state
Last year California passed a data privacy law that copies many of GDPR’s principles, like the rights to access and delete personal data. The state law, which will go into effect in 2020, imposes fines of up to $7500 on big companies that fail to disclose data collection practices or to receive users’ permission to sell their information.
One big sticking point when it comes to U.S. federal privacy legislation is whether it would pre-empt California’s state rules. Some Democrats like Sen. Dianne Feinstein (D.-Calif.) have said they won’t support a federal bill that “weakens” California’s standards, while tech companies and some Republicans favor a national law that would override, and possibly ease, state requirements.
Victoria Espinel, President and CEO of trade group BSA | The Software Alliance, said California’s legislation was “a very important step forward” but added she would like to see “federal privacy legislation go beyond California.”
“What we would like to do is take that strong level of protection that is in GDPR and then adapt it to the U.S. legal system…but maintain that high level of protection,” she said in an interview in her Washington office last month.
Can GDPR go global?
European officials are working hard to decode the complexity of GDPR, especially for smaller companies, Espinel said. One criticism of the law is that it is easy for big tech companies with ample legal resources to comply, and even stomach fines, while smaller business has been left in with uncertainty.
GDPR applies to any company that has customers in the European Union, even the business is headquartered outside of the bloc. Many big companies ultimately say a uniform standard, whether it’s Europe’s law or something else, would be the easiest way to guarantee privacy rights – but an international agreement looks unlikely any time soon.
“A global consensus on privacy is probably a few years off. That’s a goal to grow towards, but that’s where we want to end up,” Espinel said.