Home of internet privacy

Privacy in America vs. Europe: Here’s how the EU does data different

This post was originally published on May 15, 2018.

Back in 2017, The Economist that prophetically pegged personal data as the world’s greatest resource, but it’s only in the past few months that most of the world is beginning to realize why, as more details about the Facebook and Cambridge Analytica scandal have come to light.

How governments and regulators are responding to this wake-up call, however, is very different. In the U.S., Congress summoned Facebook CEO Mark Zuckerberg only to grandstand, taking no explicit action actually to prevent similar data-mining scandals in the future. Meanwhile, Europe is getting ready to enact new privacy regulations to give people more power over how companies collect and use their personal data. The wide-sweeping act, known as the General Data Protection Regulation (GDPR), will go into effect May 25.

So the European Union’s new regulations differ from data laws in the U.S.? Let’s dive in.

America’s negligent approach to privacy

Europe’s proactive approach towards personal data regulations is so far removed from America’s current position that it’s almost like looking at two different worlds. The U.S. is not just failing to take steps towards stronger data privacy regulations; it’s also rolling back protections. Last year, Congress voted to eliminate rules that would have required ISPs to get their customers’ consent before selling their browsing history to advertisers.

According to the European Commission, the new regulations were created to help address the growing lack of trust people have in how their data is used.

This sentiment doesn’t seem to hold much water in the U.S. where, back in 2012, the Consumer Privacy Bill of Rights tried to introduce similar legislation. The bill was painfully picked apart and ultimately rejected.

Politicians on privacy and…ads about chocolate?

America’s aimlessness was put on display during Zuckerberg’s recent testimony before Congress.

Instead of asking legitimate questions, lawmakers throughout both parties grilled Zuckerberg over ridiculous accusations and spouted inane talking points to score political points, including questioning whether Facebook had a “liberal” bias and suggesting opioid sales were common on the site. One senator even asked Zuckerberg why they sometimes see chocolate ads on their newsfeed.

The whole escapade is further proof that many lawmakers have a poor grasp on exactly how data is used, and why it’s important.

How the GDPR could affect privacy in the U.S.

Under Europe’s new data laws, any company offering its services to EU residents must abide by more stringent privacy regulations—regardless of where they’re headquartered. Companies like Facebook (among others) will have to systematically change their privacy settings to grant Europeans more access to their data and control over how it’s used.

While Europe is taking a unified approach when it comes to data regulation, the U.S. appears to be doing the opposite. With little action being taken on a federal level, California is currently considering a ballot initiative to establish its own stringent privacy protections, which are similar to Europe’s.

Still, the fact that Facebook, Google, and other tech companies are changing their privacy protocols in Europe means, at least hypothetically, that they’ll have the blueprints to do the same in the U.S.

The EU is working to minimize data breaches

It’s worth mentioning that the GDPR also includes a clause that states companies must alert authorities in the event of a privacy breach within the first 72 hours of discovering it, as well as informing impacted customers promptly in high-risk breaches. Again, this is a stark contrast to current laws in the U.S., where there is no federal law obligating companies to disclose data breaches or hacks.

Look at the painful string of recent big-name data breaches where tech giants like Yahoo, Equifax, and Uber waited months—sometimes even years—before alerting their users. In the last example, the company only went public with the information after a journalist had uncovered the story.

This invasive nature of hiding breaches also comes with a hefty price tag: With the rising occurrence of identity theft spreading across the U.S., the average consumer cost has exceeded $16 billion a year. By requiring companies to alert and help protect their users in the event of an attack immediately, the EU’s new law has the potential to help mitigate long-term costs.

So how far away is the U.S. from realizing that it needs to do more to protect its citizens from having their personal data exploited, misused, and stolen? And is the answer to greater digital privacy really more regulations? You tell us.