The United States (US) is working on its own counterpart to the European General Data Protection Regulation (GDPR). However, the proposal, which is still in its drafting phase, will not create any new laws or fines for rule-breakers.
On 25 September 2018, the US government opened a public comment period on its initial proposal so that the public can contribute to the policy directly. The Department of Commerce (DoC), which is responsible for the process, describes it as a user-centric approach that aims to provide a high level of protection for individuals without taking legal clarity or room for innovation away from organizations.
Nothing imposed, all voluntary:
The DoC's stated purpose in drafting these new rules is to safeguard Americans' privacy on the internet. At the same time, the DoC is being notably accommodating to organizations: none of the proposal is legally binding, and all of it is voluntary. Even at this early stage of drafting, the DoC has explicitly ruled out new laws or fines.
That statement confirms that this is a voluntary effort and not a legal demand placed on organizations that handle user data. From whichever perspective you look at it, the new policy is an attempt to address the concerns voiced over data privacy in the US rather than to enforce anything.
Alongside the policy, the DoC is also working on a voluntary privacy framework with the National Institute of Standards and Technology (NIST). That framework is intended to help organizations manage the risks associated with personal data. The DoC's approach is far less prescriptive than the European GDPR, and it reflects how the US free-market model tends to operate: the policy focuses on the desired outcomes, namely the greatest achievable degree of user privacy, rather than dictating how those outcomes must be achieved.
Turning to the topics covered by the initial proposal, they overlap substantially with the principles of the GDPR. The policy broadly discusses:
- Control: users should be able to decide what information is gathered about them.
- Improved data security.
- Access: users should be able to view, and correct, the data held about them.
- Accountability and transparency over how data is gathered, stored, and used.
- Data minimization: companies are encouraged to collect only the data they actually need.
The GDPR – a contrasting regulation:
Both the GDPR and the DoC's American counterpart aim at the same goal: protecting users' online privacy. However, the GDPR's approach to the matter is entirely different.
Unlike the DoC's outcome-driven, user-centric approach, the GDPR is prescriptive: it imposes legal obligations on organizations and fines them for breaching the regulation. This is perhaps one of the reasons the GDPR has had such an effect. The GDPR provides for fines of up to 20 million euros or 4% of an organization's worldwide annual turnover, whichever is higher. This mandatory, enforced approach has ensured that many companies comply with the new data privacy rules even if they disagree with them.
By contrast, the US approach to privacy compliance is limited in its means of implementation. It encourages rather than imposes, and enforcement would seemingly remain with the Federal Trade Commission (FTC), which already investigates data privacy breaches.
The DoC has said that the request for comments on the initial proposal does not "call for the creation of a statutory standard". Instead, commenters are asked to tell the agency how the desired privacy outcomes can be achieved in practice.
Google’s influence on the policy:
One notable aspect of the policy is that its impetus comes from within the industry rather than from consumer groups, meaning that organizations themselves are actively involved in shaping these new privacy rules. One of the most prominent is Google, which has been the subject of a number of privacy debates in the past. On 24 September 2018, a day before the DoC announced its request for comments, Google published its own framework for data protection. Strikingly, Google's framework closely resembles the DoC's, on some occasions using exactly the same phrases and words.
The need for an American version:
The question is: if it is not enforced through laws and fines, why is such a privacy policy needed at all?
Second, several US states, most notably California, home to Silicon Valley and the global center of the technology industry, have proposed or passed their own data privacy legislation. Such action by the states pushes the federal government to devise a privacy approach of its own.
The National Telecommunications and Information Administration (NTIA), the DoC agency running the process, acknowledges this in its request for comments, noting that US states and foreign countries have put forward distinct visions for addressing privacy concerns. The NTIA argues that these divergent visions lead to fragmentation at the national and global level, that such fragmentation raises regulatory costs for organizations, and that the goal of its policy is therefore to reduce fragmentation and improve interoperability and harmonization.
One thing is certain, though: the DoC is not looking to open the door to binding privacy legislation. None of the 16 questions in the request for comments invites such a change to the policy. To underline the point, the request for comments states that "the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes".
If you are a US consumer and wish to contribute to the policy, you can make your views known until 26 October 2018 by emailing the NTIA at the email address: firstname.lastname@example.org. It is worth noting that if consumers do not respond, the US government will take the silence as a sign that users are happy with the approach it is taking.