The EU General Data Protection Regulation (GDPR), which came into force in 2018, represented important change in data privacy regulation for businesses operating within and in relation to the European Union (see the Digital Journal article “European business needs to get smart about data protection“). The regulation harmonized data privacy laws across Europe; put in place measures to protect and empower all EU citizens data privacy; and it has reshaped the way organizations across the region approach data privacy.
To discuss the significance of this law and to ponder whether the U.S. needs something similar, Digital Journal spoke with Teresa Scassa. Teresa Scassa is a senior fellow with the Centre for International Governance Innovation, Canada Research Chair in Information Law and Policy and a full professor at the University of Ottawa’s faculty of law.
Digital Journal: What’s the idea behind the recent European data law?
Teresa Scassa: The GDPR tackles new privacy challenges posed by the so-called ‘data revolution’, and does so by creating new rights and obligations. These include the right of data portability which gives consumers the right to take their consumption data from one service provider to another, and an interesting new right to an explanation of automated decision-making.
These are really rather cutting-edge data protection rights as they go far beyond a ‘notice and consent’ approach to data protection and attempt to empower consumers in new ways. At the same time, there are ways in which the GDPR is meant to accommodate the changing needs of businesses. One of these is to allow data processing for “legitimate interests”, however there are already conflicting interpretations and concerns over what some of these changes mean in practical terms.
DJ: Is this an effective piece of legislation for addressing data privacy?
Scassa: It may depend on who you ask. Individuals are increasingly concerned about their personal information and how it is being used. Strong privacy laws offer protection and recourse for violations of rights. Businesses argue that strong data protection laws create barriers to doing business – particularly for small and medium sized businesses that will struggle with compliance costs. They will also argue that unduly strict data protection laws will limit innovation – particularly in a context that relies upon vast amounts of data, much of it about people and their activities.
Finding an appropriate balance is challenging. This is particularly the case in the EU where privacy is treated as a basic human right that cannot easily be traded away to suit the needs of business. The other thing to consider is the sheer scope of the GDPR and its attempt to find novel solutions to hard privacy problems. It may well be that some solutions will prove more effective than others.
DJ: Is something similar needed for the U.S.?
Scassa: Again, it depends on what is meant by “similar”. Right now the U.S. has very patchwork privacy protection. There is a federal statute to protect children’s privacy as well as some sector-based privacy legislation. Some states have enacted fairly robust privacy laws; others have not. This can make compliance very challenging.
This patchwork of protection makes compliance challenging for businesses, particularly if their activities cross state and international borders. It also creates enormous gaps which leave individuals with frankly inadequate privacy protection. It is fair to say that privacy protection for U.S. citizens is less robust than that available in the EU.
Beyond thinking about whether the U.S. needs a GDPR-style privacy statute it may be time for the global community to develop a privacy convention that sets minimum norms of protection, providing at least a global baseline for privacy protection. The challenge will be agreeing on the baseline. Given how far apart the EU and the US are on privacy, this will be easier said than done.
DJ: How likely is a tighter data privacy law to happen in the U.S.?
Scassa: I think it would be a hard sell, at least at the national level because there is considerable resistance to data protection laws. The cost of compliance is argued to be prohibitive for small and even mid-sized businesses. Others argue that it will put a brake on innovation in data-dependent sectors such as AI and machine learning. And of course, there are many businesses in the US that either depend upon or that have grown rich on the largely unrestrained collection, use and disclosure of massive amounts of personal information.
Right now, the GDPR, rightly or wrongly, is being used as an example of what can go wrong with privacy regulation. Any challenges experienced with its implementation and application will be used by US business lobbyists as nightmare scenarios in arguments against privacy legislation.
In a follow up interview, Teresa Scassa discusses data privacy issues in general, examining concerns in relation to modern technology. See: “Q&A: Data ownership conundrum in the data driven world.“
