Recently 51 technology CEOs from Amazon, AT&T, Dell, IBM, Salesforce, Visa, Mastercard, State Farm, have requested a federal data privacy law in the face of ew regulations forming in states and GDPR in full effect. the aim is that one common regulation for the U.S. would be better.
As a result there is some pressure on Congress to make a decision. It also stands that many companies are finding themselves short of compliance.
Jacob Serpa, Senior Product Marketing Manager of Bitglass explains to Digital Journal what a new regulation might look like.
Serpa starts by noting the rise in data privacy regulations: “In the last couple of years, a plethora of data privacy regulations have emerged around the world.” This comes with consequences for businesses, as the European GDPR demonstrates: “In 2019, we’ve seen companies receive fines in the hundreds of millions of dollars under GDPR, as well as a mass corporate scrambling to prepare for the California Consumer Privacy Act (CCPA) ahead of the January 1, 2020 deadline.”
It also stands, that in the U.S., which has so far not gone down the unified European route, several states seem set to follow California with their own regulations. Serpa notes: “In just the last year, several states, including New York, Maine, and Washington, have proposed their own privacy acts.”
This array of regulations means: “It may become an impossible task for companies that operate across state lines to remain in compliance if every state has its own privacy requirements (not to mention existing industry-specific regulations).”
Differences include, Serpa notes: “Who is required to comply, the definition of personal information, penalties for noncompliance, and more. Unfortunately, some regulations can even conflict with one another’s requirements.”
He pulls out the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act as being particulalry troublesome for companies that are trying to remain compliant with GDPR. Serpa explains: “This is because the CLOUD Act contradicts the EU law and requires that contract data processors provide stored data to relevant US authorities as requested. However, when these data processors share data as demanded under the CLOUD Act, it can lead to noncompliance for organizations under GDPR if said data falls within the scope of the EU’s data privacy law. ”
In setting out the argument for a federal law, Serpa states: “The US would circumvent many issues. It would ensure that there are consistent data protection standards throughout the country, that there are no conflicting mandates between states, and that companies are held accountable when they fail to protect consumers’ personal information.”
Furthermore, he notes: “Such a regulation should include rules for ensuring that only authorized parties can access data; preventing unauthorized viewing and sharing of sensitive information is critical. Additionally, a federal data privacy law should contain measures related to securing data on employees’ personal devices, including smartphones, laptops, and tablets. Finally, it should mandate that companies maintain clear visibility over how and where their data is stored, viewed, used, and shared.”
