Europe’s New Data Protections Expected to Spill Over into U.S.

The European Union is enacting sweeping new data protections while Congress dithers, and the impact on Americans’ data security could be significant.

AP Photo/Yves Logghe
Feb. 12, 2018, 6:53 p.m.

When credit-reporting agency Equifax first revealed the theft of personal and financial data on more than 145 million U.S. consumers last fall, some cybersecurity experts believed the time was finally ripe for Congress to craft data-security and breach-notification rules for all aspects of the U.S. economy.

Months later, most now admit their expectation of congressional action was misplaced. While the steady drumbeat of data breaches continues and lawmakers still give lip service to the notion of federal standards beyond the health care and financial sectors, the broader political gridlock gripping Washington seems to have stymied Capitol Hill.

“I don’t suspect that there’ll be [federal legislation] right now,” said Jocelyn Aqua, a privacy and cybersecurity expert at consulting firm PwC. “I would’ve thought with Equifax, that would’ve been the closest.”

But the absence of wide-ranging federal rules governing corporate cybersecurity doesn’t mean Americans are stuck in limbo when it comes to data privacy. In fact, most experts believe that over the next several years, consumers will experience a significant increase in the level of protection and notification they receive when their corporate-held data is stolen or comes under threat.

The catalyst of this expected shift is a set of sweeping new data-privacy rules that regulators in the European Union will start enforcing on May 25. Dubbed the General Data Protection Regulation, these rules dramatically expand the types of consumer data protected under EU law, increase the ability of European consumers to exert control over their data, and give companies a slim 72-hour window, counted from the moment they become aware of a breach, to report it to regulators, with affected consumers to be told without undue delay when the breach puts them at high risk.

Any American company that does business with Europeans—even those with no physical presence on EU soil—will have to comply. And regulators are expected to dish out up to $6.4 billion in fines per year to recalcitrant companies, making it imperative for U.S. firms to change their privacy practices accordingly.

“The threat of 2 to 4 percent of global revenue in fines for violations is real, especially since the EU has demonstrated it has no qualms throwing large fines at U.S. tech companies,” said David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet & Society.

Though the new law applies only to European consumers, it’s expected to also have a powerful impact on the protections afforded to Americans.

Because it’s difficult and expensive for companies to navigate a patchwork of varying data-protection standards, many U.S. firms will likely harmonize their global data-privacy and breach-notification practices with Europe’s strict new model.

“We’re looking at this completely holistically for the protection and privacy of our customers,” said Grant Bourzikas, the chief information security officer at cybersecurity firm McAfee.

Bourzikas made clear that the majority of protections granted to European consumers will be passed on to McAfee’s customers in the U.S. “We’re embedding it in how we operate as an organization,” he said.

Tom Pendergast, the chief security and privacy strategist at consulting firm MediaPro, believes major U.S. firms such as Microsoft, Boeing, General Motors, and Chevron will follow suit. “No company wants to manage multiple data-protection practices,” he said. “So they tend to skew toward the highest standard.”

That standard may also extend to companies that don’t have any European customers but supply larger firms that do. “These big global companies are pushing those requirements down through their supply chain,” said Pendergast, who expects the GDPR to initiate “a ripple effect throughout the U.S. economy.”

For many Americans, one of the most infuriating aspects of data-privacy standards is the lag time between when companies discover a breach and when they report it to their customers—a gap that can sometimes extend for months or even years.

But because the GDPR gives companies just three days to alert regulators once a breach of European data is discovered, and requires affected individuals to be told promptly when the risk to them is high, that lag time could be significantly reduced for Americans affected by the same breach.

“You’ll have a significant population of individuals receiving notification for types of personal-data compromises,” said Kimberly Peretti, a cochair of the cybersecurity wing of the law firm Alston & Bird. “That may trigger individuals in other locations—when they hear about the press related to it, or employees talk about it—that could certainly create the question to the company, ‘Am I impacted?’”

And many firms will be hard-pressed to explain to American consumers why the new protections and notification requirements for Europeans aren’t necessary on their side of the pond. “There will have to be some consideration of how that looks,” Aqua said.

Until recently, one of the largest hurdles to greater consumer control over their corporate-held data was a technical one. Before the advent of the GDPR, few companies had the tools and processes in place to go into consumer databases and alter, extract, or delete data.

Now that the EU has required companies to build and develop those tools, many firms are expected to deploy them to the United States as well as Europe. “This kind of forces a revolution in data-handling practices,” said Pendergast.
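The tooling the passage describes is, at its core, a data map (which tables hold personal data and which column links a row to a person) plus routines that walk that map to export or erase a subject's records. The following is an added illustration, not code from the article or from any company named in it; the tables, rows and retention rule are constructed for the example. It shows the two operations the text mentions, extraction (right of access and portability) and deletion (right to erasure), and two details practitioners care about: records that must be kept for other legal reasons are unlinked from the person rather than deleted, and the audit log records a hash of the subject identifier rather than the identifier itself, so the log does not become a new copy of the data it documents.

```python
"""Data-subject export and erasure driven by a data map (illustrative example)."""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed data map: each table holding personal data, the column that keys
# rows to a subject, and the columns to include in an export. Table and column
# names come only from this static dictionary, never from user input, so they
# are safe to interpolate into SQL; the subject id is always a bound parameter.
DATA_MAP = {
    "customers": {"key": "id", "export": ["id", "email", "name", "country"]},
    "orders": {"key": "customer_id", "export": ["order_id", "customer_id", "total", "placed_at"]},
    "support_tickets": {"key": "customer_id", "export": ["ticket_id", "customer_id", "body"]},
}

# Tables whose rows must be retained (e.g. financial records): on erasure the
# link to the person is severed instead of deleting the row.
RETAIN_TABLES = {"orders"}


def build_sample_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, name TEXT, country TEXT);
        CREATE TABLE orders(order_id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL, placed_at TEXT);
        CREATE TABLE support_tickets(ticket_id INTEGER PRIMARY KEY, customer_id INTEGER, body TEXT);
        CREATE TABLE erasure_log(subject_hash TEXT, table_name TEXT, rows INTEGER, action TEXT, at TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com', 'Alice', 'DE'), (2, 'bob@example.com', 'Bob', 'US');
        INSERT INTO orders VALUES (10, 1, 42.0, '2018-01-05'), (11, 2, 7.5, '2018-02-01'), (12, 1, 13.0, '2018-02-03');
        INSERT INTO support_tickets VALUES (100, 1, 'Cannot log in'), (101, 2, 'Invoice question');
    """)
    return conn


def subject_hash(subject_id):
    """Pseudonymous handle for the audit log; the raw id is not stored there."""
    return hashlib.sha256(f"subject:{subject_id}".encode()).hexdigest()[:16]


def export_subject(conn, subject_id):
    """Right of access / portability: collect every row keyed to the subject."""
    result = {}
    for table, spec in DATA_MAP.items():
        cols = ", ".join(spec["export"])
        rows = conn.execute(
            f"SELECT {cols} FROM {table} WHERE {spec['key']} = ?", (subject_id,)
        ).fetchall()
        result[table] = [dict(zip(spec["export"], r)) for r in rows]
    return result


def export_subject_json(conn, subject_id):
    """Machine-readable export, the format a portability request would receive."""
    return json.dumps(export_subject(conn, subject_id), indent=2, sort_keys=True)


def erase_subject(conn, subject_id):
    """Right to erasure: delete rows, or unlink them where retention applies.

    Returns {table: (action, rows_affected)} and writes one audit line per table.
    All changes are committed together; a failure part-way leaves nothing applied.
    """
    h = subject_hash(subject_id)
    now = datetime.now(timezone.utc).isoformat()
    summary = {}
    with conn:  # one transaction for the whole erasure
        for table, spec in DATA_MAP.items():
            key = spec["key"]
            if table in RETAIN_TABLES:
                # keep the record, sever its link to the person
                cur = conn.execute(f"UPDATE {table} SET {key} = NULL WHERE {key} = ?", (subject_id,))
                action = "unlinked"
            else:
                cur = conn.execute(f"DELETE FROM {table} WHERE {key} = ?", (subject_id,))
                action = "deleted"
            conn.execute(
                "INSERT INTO erasure_log VALUES (?, ?, ?, ?, ?)",
                (h, table, cur.rowcount, action, now),
            )
            summary[table] = (action, cur.rowcount)
    return summary


if __name__ == "__main__":
    db = build_sample_db()
    print(export_subject_json(db, 1))
    print(erase_subject(db, 1))
    print(export_subject(db, 1))  # every table now empty for subject 1
```

After erasure the export for the same subject returns empty lists for every table, the retained order rows still exist but no longer point at anyone, and the audit log shows which tables were touched without naming the person.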

Still, there will inevitably be differences in how European and American data is handled by companies. Some experts believe the new 72-hour breach-notification window is far too narrow, and that Americans will receive less information and have to wait longer after a data breach than people across the pond. It’s also not clear whether companies with business models built on amassing mounds of consumer data will be comfortable giving Americans the ability to remove or significantly alter that data.

“We generally don’t follow the EU’s footsteps in privacy law and policy,” said O’Brien. “Although we share certain values and principles in practice, the U.S. has historically taken a very hands-off approach to commercial privacy.”

But as data breaches continue to make headlines, other experts believe the blasé corporate culture surrounding data privacy in the U.S. is changing rapidly.

“For big American companies, it’s not just being in compliance that matters,” said Pendergast. “Being trustworthy is really critical.”
