Digital Privacy: How the EU sets the standard for the US
In 2013 around 4.4 zettabytes of information were moving across the Internet. Fast forward to 2020 and that amount should reach 44 zettabytes, a 1000% increase over seven years (The Fourth Industrial Revolution, n.d.). This extreme amount of data creates a bigger challenge when trying to uphold the three pillars of cybersecurity: confidentiality, integrity, and availability. The United States (US) and the European Union (EU) are spearheading unique laws for this challenge. The EU's deployment of the General Data Protection Regulation (GDPR) and the US's Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Federal Information Security Management Act (FISMA) share some similarities and differences.
Your right to Privacy
GDPR's goal is to modernize the protection of personally identifiable information (PII). Article 2 of the GDPR establishes that a person has an inalienable right to the protection of personal data (European Parliament and the Council of the European Union, 2016). This language places the idea of privacy at the level of other rights such as life, liberty, the pursuit of happiness, an equitable education, clean food and water, housing, and medical care. HIPAA, GLBA, and FISMA each establish the necessity to protect Personal Financial Information (PFI), PII, and Protected Health Information (PHI), but not as an inalienable right (PWC US, 2016).
Defining Data Breach
Currently, the responsibility for defining and enforcing the term "data breach" in the US is left on the shoulders of each state. Some examples are the "unauthorized acquisition of computerized data" in Texas or the "unauthorized acquisition or unreasonable belief of unauthorized acquisition, of personal information" found in Alaska's law (Data Breach Notification in the United States and Territories, 2018). Article 85 in the GDPR takes a broader definition that includes "physical, material, or non-material" damage and spells out what constitutes harm from a breach, e.g. limitation of one's rights, fraud, identity theft, financial loss, and any damage that puts someone at an economic or social disadvantage (European Parliament and the Council of the European Union, 2016). The US's three major privacy laws do not specifically call out data breaches and adopt only basic definitions for PII, PHI, and PFI.
Breach notifications are another big topic for discussion when comparing the GDPR and US laws. HIPAA dictates how to handle the release of PHI, including when authorization is required (HIPAA Journal, 2018). Before 2009, the responsibility for notification laws also fell on the states to dictate what requires a notification, who gets notified, and the timeline for notification. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) bridged this gap by requiring that a breach affecting over 500 patients be reported to Health & Human Services (HHS), and it can require the breached company to provide credit monitoring to those involved (Compliancy Group, n.d.).
The GLBA addresses breaches differently by mandating that a response program be in place, with few details about what goes into the program (Stevens, 2010). Because of this, it is the states' job to pick up the slack for breach notification laws as well. FISMA does demand that a breach of a government agency be reported within the first hour, but it limits the parameters of a breach to only digital or physical (paper) formats (Stevens, 2010). By contrast, the GDPR gives a vendor up to 72 hours to report a breach and allows phased notifications as information about the breach unfolds (European Parliament and the Council of the European Union, 2016).
Furthermore, Article 33 in the GDPR details all the content that must be in a notification (European Parliament and the Council of the European Union, 2016). Article 34 complements Article 33 by giving the criteria for when a notification does not have to go out (European Parliament and the Council of the European Union, 2016). This means that under Article 33 one should always expect a notification unless otherwise mentioned.
Have I been Pwnd?
The job of the Better Business Bureau (BBB) or the U.S. Department of Education is to report on the legitimacy of a business or school. When it comes to data breaches, though, there is no easily available "wall of shame" in either jurisdiction. Currently, the only mention of public breach reporting is in the HITECH Act, which requires breaches affecting more than 500 subjects to be reported to the Secretary of HHS (Compliancy Group, n.d.). With the lack of federal statutes besides the HITECH Act, this issue too falls to the state level to address through legislation. On the other hand, the GDPR also does not ask for this information to be made public, but only that a company has a compliant annual assessment and certification on file (European Parliament and the Council of the European Union, 2016).
Digital privacy at first seems very simple in nature: just protect the data. However, what is being discovered across the globe is that digital privacy is monstrous, intricate, and in need of priority. The US and EU have taken different approaches to this topic, but the EU's GDPR emphasizes protection of the users over the protection of vendors, companies, and individual states. The GDPR's intention is also to be the bare-bones minimum standard of compliance, and it sets the expectation that member states will enforce additional, stricter laws against each article in the GDPR. The EU will be a great use case for determining whether the US should take a similar approach instead of cobbling together laws to try to fix gaps in the language.
- Compliancy Group. (n.d.). What is the HITECH Act? Retrieved February 28, 2020, from Compliancy Group HIPAA Done Right: https://compliancy-group.com/what-is-the-hitech-act/
- Data Breach Notification in the United States and Territories. (2018, December 10). Retrieved February 27, 2020, from Privacy Rights Clearinghouse: https://privacyrights.org/resources/data-breach-notification-united-states-and-territories
- European Parliament and the Council of the European Union. (2016, April 27). General Data Protection Regulation. Retrieved February 27, 2020, from Official Journal of the European Union: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
- HIPAA Journal. (2018, March 1). What does HIPAA Cover? Retrieved February 28, 2020, from HIPAA Journal: https://www.hipaajournal.com/what-does-hipaa-cover/
- Park, S.-C. (2018). The Fourth Industrial Revolution and implications for innovative cluster policies. AI & Society, 33(3). doi:10.1007/s00146-017-0777-5
- Stevens, G. (2010, January 28). Federal Information Security and Data Breach Notification Laws. Retrieved February 28, 2020, from Congressional Research Service: https://fas.org/sgp/crs/secrecy/RL34120.pdf
- The Fourth Industrial Revolution. (n.d.). Retrieved February 27, 2020, from Equiniti: https://equiniti.com/uk/news-and-views/eq-views/the-fourth-industrial-revolution/