View from Washington: Data privacy rules needed

Happy belated birthday to the General Data Protection Regulation.

The European Union’s GDPR, which applies not only to organizations within the bloc but to all companies processing and holding the personal data of EU residents regardless of location, turned a year old on May 25.

The regulation requires that data controllers notify their jurisdiction’s data protection authority of a breach within 72 hours, and fines for breaches can be substantial — up to 4% of annual revenue for the most serious breaches. The GDPR fines are quickly becoming the bane of existence for companies, with regulators in 11 European countries fining companies $62.4 million for data privacy-related violations in the first nine months since the GDPR took effect on May 25, 2018. And that is seen by some experts as the tip of the iceberg.

Other jurisdictions are following in the EU’s footsteps.

California has adopted the California Consumer Privacy Act — often referred to as GDPR lite — a law that includes a broad definition of personal data and has adopted the GDPR’s right to be forgotten. California is often the first domino to fall at the state level, so other U.S. states are moving to follow suit but may take approaches that conflict with the European Union and California.

Despite the high cost for running afoul of the GDPR, what some U.S. companies apparently fear the most is not the mere existence of data privacy regulation — they seem to have made peace with its inevitability — but the current patchwork approach to such regulation.

This is where the U.S. Congress can step in. The federal legislature is considering proposals for a national data privacy law — something the Federal Trade Commission has implored Congress to pursue, in addition to asking the legislature to strengthen its enforcement authority and resources.

Major tech companies that are the most well-known targets of data privacy efforts are also asking for federal data privacy legislation.

“Like GDPR, this framework should uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect,” Julie Brill, corporate vice president and deputy general counsel of Redmond, Washington-based Microsoft Corp., said in a May 20 blog post. But Microsoft wants Congress to go even further than California in ensuring that companies act responsibly in handling consumers’ personal data, including finding a viable solution to replace that pesky opt-in/opt-out privacy model that consumers often pretend to pay attention to and agree to every time they sign up for a new app.

In February, the U.S. Chamber of Commerce released a model for federal privacy legislation that explicitly preempts state laws and that some fear could undermine consumer protections such as those featured in California’s legislation. But will Congress take the tough step of preempting state legislative and regulatory efforts on the data privacy front?

There doesn’t appear to be much appetite for that in Washington, as the preemption issue has apparently stalled legislative efforts, meaning companies could continue to find themselves having to navigate a confusing and contradictory patchwork of data privacy rules for the foreseeable future.
