While efforts to harmonize data security laws in the United States so far have been futile, the European Union is close to implementing an information protection law that will impose uniform obligations across all 27 of its member states.
But while the European General Data Protection Regulation, now under review by the European Parliament, is expected to clear up some of the confusion around complying with a hodgepodge of disparate national laws, some companies are concerned that its provisions and penalties are too burdensome. That includes some of the most powerful U.S.-based firms with global operations, which are currently lobbying the EU heavily for amendments. That move has prompted Jacob Kohnstamm, the head of a working group representing EU privacy and data protection regulators, to tell these companies to back off. “If such a lobby from the European side were organized toward Congress, we would be kicked out of there,” he reportedly said.
So what’s causing concern on the American side? The proposed provisions are heavy on privacy and consumer protection. They include a requirement that any company handling EU citizens’ data must notify data protection authorities and affected individuals of a breach within 24 hours. But what’s particularly upsetting to titans like Google and Facebook is a “right-to-be-forgotten” clause, which requires companies to expunge any data published by an individual upon that person’s request. Fines for violating the regulation could swell to two percent of an offender’s annual global revenue.
While it’s unlikely Congress in the United States would ever pass anything as stringent as what is proposed in the EU, one unintended consequence of a unified framework in Europe is that it may push U.S. policymakers to also consider adopting an overarching law here, said Paul Luehr, managing director and chief privacy officer at Stroz Friedberg, a New York-based computer forensics firm.
Right now, nearly all states have breach notification laws. Despite a slew of high-profile incidents that have generated interest from Congress, the body has tried and failed several times in the past, even after urging from the White House, to enact a national law. Typically, these efforts have been hampered by disagreement over the threshold that should trigger notification, concerns from privacy advocates, pushback from corporations not wanting to spend additional money on compliance, and opposition from some who believe the state laws provide greater protection.