How Does U.S. Data Privacy Stack Up Worldwide?
Spoiler alert: It’s not good
Do you believe there are adequate protections in place for your data privacy online? According to Pew Research, a majority of Americans think their personal data is less secure now, that data collection poses more risks than benefits, and that it is not possible to go through daily life without being tracked.
While other parts of the world surge ahead in data protections, the U.S. lags behind, currently ranking 18th on a global list of 110 countries published by ChamberOfCommerce.org.
Why data privacy matters
Think of all the things we use that are internet connected. Cell phones and computers are common avenues where we allow personal information to be mined. But also consider other ways our sensitive personal data is collected—health care providers, financial institutions, shopping and business loyalty programs, devices like fitness trackers, VR headsets, security systems and appliances. The list goes on. People in most states literally have no control over how data is collected, shared, sold and hacked.
How the U.S. compares globally
Let’s examine the U.S. lack of strong national policy on data privacy and security compared to other nations.
Naturally, we must first review the European Union’s General Data Protection Regulation (GDPR), implemented in May 2018. GDPR provides some of the strongest data privacy and security provisions in the world, among countries using the world wide web.
Europe’s policy is most often looked to and emulated when reviewing and creating policy to keep data safe and regulated.
GDPR applies to any business that operates in the European Union. This includes any foreign company that has customers in Europe. The law provides that personal information, including names, addresses, social security numbers and photos, cannot be used in ways that violate an individual’s privacy. Companies must inform users in advance how they are using this information, and give them the right to opt out of services.
The “right to be forgotten” is another popular aspect of GDPR. It means the company must delete the requestor’s information completely from its records. Violators of GDPR have received stiff fines for noncompliance. As of February 2019, these fines totaled more than $1.45 billion.
The top 10 countries with strong data privacy and security laws are:
- New Zealand
Meanwhile, the U.S. has a mishmash of federal and state policies, leaving wide gaps or things open for interpretation. On the federal level, there is legislation regarding electronic transactions, outdated consumer protection laws addressing spam, spyware and fraud, and two laws regarding privacy: one from 1974 and a Federal Trade Commission (FTC) version from 2006. Narrow legislation addresses hacking under a Confidentiality, Integrity and Availability of Computer, Data and Systems act, and an ancient Computer Fraud and Abuse act from 1986.
According to legal website ICLG.com, each state has adopted some form of data breach notification legislation, but some states are stronger than others in specific data privacy laws, while some have none at all. California has been a leader in enacting legislation. The California Consumer Privacy Act (CCPA), inspired by GDPR, has recently been amended with even stronger data privacy laws. Colorado and Virginia followed suit with similar stringent laws, and other states have legislation pending. However, 20 states have no data privacy laws.
Can you imagine what a nightmare we are creating for online businesses with customers in different states trying to interpret and comply with various statutes?
The worst country for data privacy
There are countries a lot worse off than the U.S. China ranks last on the list, even though the country has its own versions of the internet, with stringent laws around commercial use, transfer and data exchange. While consumer consent is required for collection of data, it’s kind of a moot point since citizens in China are extensively surveilled by their own government.
Will there ever be a national policy in the U.S.?
The U.S. scores low behind other developed nations because of our lack of overall federal law around data consent. However, as more and more states enact their own data privacy laws, the push is stronger than ever for national policy improvements.
There are some barriers. Critics argue that state Notice and Choice provisions put too much emphasis on consumers having to make a decision, and not enough restrictions on covered companies. Some are pushing for Congress to address discrimination in the use of big data and algorithms in a national privacy law. Discrimination is purported to lead to “disparate impact and outcomes for marginalized or disadvantaged communities.” There also may be potentially conflicting policies between the U.S. and GDPR countries related to transferring data internationally.
While we likely will see federal legislation proposed in 2022, industry leaders like cybersecurity and privacy attorney Kirk J. Nahra say not to expect anything to pass until 2023. Maybe. Regardless, companies would be wise to study GDPR and envision the impacts of a similar national policy in the U.S.