The European Union’s (current) approach to data privacy legislation
In May 2018, the EU implemented the General Data Protection Regulation (GDPR) which became the new legal backbone on data protection and privacy in the EU. GDPR is an extensive piece of legislation which covers many areas of the digital sphere, and, because of the nature of EU law, the regulation was applied to every member state within the EU. As the digital sphere begins to evolve, the EU has taken a proactive stance to ensure its legislation keeps up with the changing times.
On February 19, 2020, the European Commission released a white paper which introduced its new “European Strategy for Data.” This white paper outlined future policy goals for the Commission in the area of privacy, data protection, artificial intelligence, and other areas of the digital sphere; however, what exactly will result from this new policy direction remains to be seen. The Commission can suggest a direction for policy in one particular area, but the other legislative bodies of the EU, which represent varying interests of EU Member States and its citizens, will also have a say in this process and be able to steer the eventual legislation one way or the other.
Data privacy legislation in the USA
The United States, on the other hand, legislates data privacy differently from the EU and does not have an all-encompassing data protection law like GDPR. According to International Comparative Legal Guides, the United States has a variety of federal and state laws that aim to protect a citizen’s privacy and online data. There is not one, large governing piece of legislation at the national level, but, rather, a hodge-podge of federal and state laws that serve this purpose. However, the idea of creating a large piece of legislation similar to GDPR is not out of the question.
Many lawmakers have proposed new federal legislation in an attempt to expand the data privacy protections present under U.S. law. In February 2020, a new proposal from Senator Kirsten Gillibrand (D-NY) recommended the creation of a new Data Protection Agency. This new federal agency would be charged with enforcing the U.S.’s data privacy regulations and conducting investigations into potential violations of these protections. However, the concerns and needs of industry actors and the business community are equally as important when considering these types of legislation. Organisations such as Privacy for America, which represents a conglomerate of industry bodies in data privacy, work to ensure any new legislation passed within the United States is considerate of the needs of the industry.
These two behemoth political entities — the European Union and the United States — have two very different approaches to maintaining data privacy and protections for its citizens. The EU took a top-down approach to data privacy, while the United States has more of a bottom-up approach. After studying both the systems of the EU and the United States, this difference in approach comes as no surprise to me. The European Union was an institution founded on a balance of intergovernmental and supranational policies, and, in this case, its approach to data privacy is supranational. The United States, conversely, continues to emphasise states’ rights in its governing, and, its bottom-up approach to data privacy is conducive to that emphasis.
Ultimately, these two entities are in very different places in terms of data privacy legislation. The EU now has an existing overarching legislation, has further made data privacy a clear priority, and, as a result, is continuing to develop that legislation as time goes on. The United States, on the other hand, is still searching for its top-down solution and may find it in the creation of a new federal agency. But only time will tell.