Check Point Email Security | Blog

GDPR US Equivalent: Is the US Version of GDPR on the Horizon?

Written by Reece Guida | October 2, 2018

It is starting to look like the US, following in the footsteps of the EU, may crack down on how tech companies collect personal data.

The National Telecommunications and Information Administration (NTIA) is requesting comments from the public on how to improve consumer privacy and also provide “legal clarity and the flexibility to innovate” to organizations. Given the EU’s recent $5 billion antitrust fine against Google and the takeover of 90 million Facebook accounts this past week, it seems likely that public opinion will support policy formation on how tech companies use and store customer data and ultimately, regulate themselves.

This move indicates a General Data Protection Regulation (GDPR)-inspired global policy shift centered around data privacy. This could catalyze fundamental changes to the data-centric relationship between government, tech companies, and users.

Could this be the beginning of a federal equivalent to GDPR?

Political, Public, and Business Interests in Data Privacy

This idea, that federal regulations on data management are expected in a post-GDPR landscape, is important to understanding how data breaches have shaped global data privacy policies.

The administration's call to conversation about dynamic data policy anticipates that questions will arise about the functions of key institutions and the ways in which they share data and shape policy. Collaboration between the public and private sectors will be necessary, but the relationship between government, citizens, and corporations is complex.


Political Interests

In the press release, the current administration anticipates that the policy shift will have a GDPR-like impact and establish the US as a leader in privacy, suggesting that “the International Trade Administration is working to increase global regulatory harmony" and thus standardize data privacy protocols.

Case Study: NTIA and Desired Outcomes for Data Privacy

In a recent speech to the Internet Governance Forum USA, Senior U.S. Commerce Department official David Redl, who oversees the NTIA, said that 75% of American households using the internet have “significant concerns” about privacy and security risks. In the official request for public comment on data privacy, the National Telecommunications and Information Administration listed the following desired outcomes of its policy approach:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems. 


Public Interests

In a post-WikiLeaks era, public knowledge of data leaks, breaches, and exploits continues to rise, and so will the impact of data policy on daily lives.

Case Study: Policy and Culture

A perpetually buzzworthy subject in the movement for tightened policy regulations, Twitter also serves as a town square for policy conversation itself—spreading public opinion algorithmically (and now, more safely) through the app.

Similarly, citizens themselves are at the center of these policy debates. At the Global Citizens Festival in Manhattan this past weekend, Microsoft representative Jamal Edwards launched a policy-forward petition for digital peace: “our world leaders need a wakeup call—and that starts with you...It’s about stopping cyber warfare and telling our world leaders to take real policy action—before it’s too late.” Cyber warfare—from phishing to national leaks—relies on privacy breaches.

If the government were to change federal policy on how US companies use data, protections around that data would become more stringent. This would make companies more accountable for breaches and deter politically motivated exploits that use data harvested by companies to phish corporate executives, public figures, and government officials.


Corporate Interests

Although recent security events have certainly sparked debate about proper data privacy policy, the underlying issue seems to be about who owns the data. Is it the customer? The corporations whose devices the customer uses? Or the government that regulates customers and corporations? These questions will become increasingly contentious as GDPR enforcement causes companies to prioritize data security without complicating the user experience of their services.

Case Study: 5G Providers/FCC vs. South Bay

The relationship between government, citizens, and corporations is complex, as the FCC's recent media rounds have made clear. Their complicated position in the public eye is one of government service and corporate collaboration.

Lately, the FCC has been a frequent subject of the press. In August, it was revealed that the FCC lied about a DDoS attack on their system in 2017. (The issue turned out to be a massive amount of submissions to their comments section, and not some DDoS attack. It occurred after John Oliver of Last Week Tonight asked fans to oppose the net neutrality repeal.) Furthermore, the FCC-incentivized 5G push has tested how major technological infrastructure changes are implemented at the federal, state, and local level. This has sparked debate on the nature of regulatory authority and has led cities in the South Bay area to partner in improving the conditions they currently face under corporate- and federally-led 5G cable installation.


Who is the Authority on Data Privacy?

The short answer is that data ownership will trend toward government control as the EU's influence over global corporations spreads with each inevitable data breach, each of which incidentally strengthens GDPR compliance.

Citizens have limited say over how their data is stored, and therefore over how much of it they can actually control. (Outside of litigation, there are no official channels for victims of a data breach whose personally identifiable information was compromised—and likely profited from by some third party, whether undetected hackers or government agencies collecting fines.) On the other hand, corporations can use loopholes and red tape to their advantage, but must tighten privacy practices in order to retain their liberties over data governance.


Implications of a GDPR US Equivalent

The discussion about federal data policy will direct much-needed attention to the cybersecurity industry, which can apply technical solutions to the many anxieties surrounding privacy issues. Protecting data through policy is truly about controlling the value that big data brings to information security and national decisions. For example, China has begun applying AI to diplomatic incentives, such as predicting economic shifts and instituting a social credit system.

As policies on data privacy are articulated, the uses of data will become more regulated but, at the same time, more publicly visible. Still, data breaches will occur, and citizens will only know so much about them. Perhaps the Freedom of Information Act outlines a reasonable future that American consumers can expect in a post-GDPR world.

It says that government organizations “should withhold information only if they reasonably foresee that disclosure would harm [or] if disclosure is prohibited by law. Agencies should also consider partial disclosure [if] they determine that full disclosure is not possible and they should take reasonable steps to segregate and release nonexempt information.” In a US-GDPR future, Americans can anticipate that governments and corporations will become more accountable for private data, and somewhat more transparent about data misuses, but not entirely transparent.


Submit Data Privacy Concerns to the NTIA:

Comments are due by October 26, 2018 and may be submitted by email to privacyrfc2018@ntia.doc.gov.