Can One Year of GDPR Teach the U.S. Anything on Privacy?

Last June when the General Data Protection Regulation was going into effect in Europe, I wondered if lawmakers and tech companies in the United States might be able to learn anything from that kind of privacy regulation. At the time, there wasn’t much of an impetus on the part of lawmakers to do anything similar in this country, despite a growing consumer demand for more personal data protection. Now that GDPR has been in effect for almost a full year, and by all accounts is doing very well, could that trigger more acceptance on this side of the ocean for something similar?

One of the reasons that leaders here have been reluctant to support new privacy laws is that most of what has been proposed so far simply vilifies companies that get breached. But GDPR is more elegant than that. Basically, if a company does everything it can to protect the data it has collected, and then gets breached anyway, they may not be blamed or fined, especially if they follow the guidelines and alert affected customers within 72 hours. Yes, the fines with GDPR can be huge but those are mostly reserved for firms that blatantly break the rules and more or less contribute to their own data theft.

GDPR is also well-crafted because it does not advocate a specific technology or protection scheme. It merely lays out a series of best practices and then fines companies that don’t improve their defenses and get breached as a result. One of the key elements is actually encouraging companies not to collect and store unneeded information in the first place. GDPR encourages firms to only collect the information they explicitly need to perform whatever product or service they are providing, and to delete and destroy that data when they are finished with it, or when a customer asks for their data to be removed and forgotten.

Under those guidelines, for example, your cable or phone company probably would decide that it no longer needed to collect your Social Security number. For one, they don’t need it to provide their service. And for another, they would be responsible for that bit of data if it ever got stolen. And finally, everyone would probably exercise their legal right to ask the company to destroy it. Those looming fines would ensure compliance, but only if a company stubbornly went ahead collecting data it didn’t need, not protecting it, and eventually having it stolen.

What effect a successful GDPR will have in the United States and places beyond Europe is an open question. Personally, I’m not really sure if anything like that could happen at the federal level, though various states are already experimenting with protecting privacy. One only needs to look at what California is doing with its California Consumer Privacy Act that is set to become law in 2020 as an example. The CCPA will be a big deal too, since it happens to be strategically placed in a location where many tech companies reside.

Technology experts are commenting on what a full year of GDPR might mean for this country, and many more will likely weigh in as the official first year of GDPR approaches. I’ve collected a few thoughts from experts that I believe have a good handle on the situation or an interesting perspective on the state of privacy laws in this new post-GDPR era.

Some experts looked at GDPR success in terms of encouraging statewide programs like the CCPA. These may, eventually, force the federal government to act as well.

“The biggest impact of GDPR has been not in European capitals, but in Washington, Palo Alto, Sydney and beyond. Privacy is now a popular topic with both politicians and technology CEOs, this is a credit to the rise of GDPR,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “GDPR is creating debate and political action well beyond European Union states. This trend shows no sign of changing for the next few years.”

“GDPR put privacy controls in the hands of the consumer, rather than in the hands of a business or government.  As a result, GDPR has become the blueprint for many other privacy laws coming out in the U.S., which took those principles and built laws around protecting consumer privacy in their state,” said Jonathan Deveaux, head of enterprise data protection at comforte AG, “The California Consumer Privacy Act is a prime example. There is even talk now of the possibility of a Federal Data Privacy Law in the works.”

“The GDPR has certainly spurred more conversation in the United States around data privacy and protection. The NIST Privacy Framework has grown a massive following and is highly anticipated, in part I would argue because of the GDPR movement," noted George Wrenn, CEO of CyberSaint Security. “California has instituted privacy laws, and many other states are planning on following suit. Data privacy and protection has become a federal and state issue in the U.S. and only continues to grow momentum.”

Others say that regardless of the impact of the year-old regulation on governments, that the effect on companies is tangible. Nobody really thought too much about privacy before, but now it’s becoming a primary concern.

“In the last 12 months, almost every enterprise customer we visited was motivated by a GDPR compliance discussion. While it seems that big enterprises have put some GDPR compliance practices in place and are protecting part of their data, midsize companies are now asking similar questions,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst, “Also, the big companies who have initially deployed some security solutions for GDPR compliance are asking questions about continuous data protection and security that follows the protected data.”

“The biggest difference since the introduction of GDPR is that data is now part of every conversation. Understanding what data is being captured, stored and processed is often a business priority and one that is shared through the business,” said Laurence Pitt, security strategy director at Juniper Networks, “The GDPR has made the world sit up and listen, as other countries have started to implement their own versions: Brazil, Singapore, Australia, Philippines, even the U.S. While the GDPR is still the only regulation to be implemented with a global reach, that will very likely change in the coming years.”

So it seems like companies are starting to put a greater value on privacy and data protection, while in government, smaller, incremental laws are starting to try and enforce that mindset. While there may not be a grand, sweeping law that suddenly protects everyone’s privacy in America, I think that Ryan Tully, VP of product strategy for STEALTHbits Technologies summed it up best when he predicted that “while data breaches still remain a common topic in the news, the impacts of the GDPR and subsequent domestic regulations that come as a result of those should truly give people transparency and control over their personal information—one regulation at a time.”

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys