People who live in the countries that are members of the European Union (EU) are celebrating the General Data Protection Regulation (GDPR) that takes effect today. It clarifies and strengthens Europeans’ privacy rights – rights that for the most part we lack in the United States (US).
The Center for Digital Democracy (CDD) has created a good factsheet to explain those rights in simple terms. If you want to get further into the weeds, there is a more detailed description of what the GDPR requires from the Trans Atlantic Consumer Dialogue, a forum that brings US and EU consumer organizations together to advocate for consumers’ interests.
Essentially, the GDPR is based on the principle that privacy is a fundamental human right. It embodies “fair information practices” that are widely recognized, such as treating individuals’ personal data with fairness, being transparent about what you’re doing with it, only collecting data that is necessary for the purposes you’ve stated and limiting its use to those purposes, keeping the data accurate, giving people access to their data, retaining the data only as long as needed, and maintaining it securely. The GDPR gives individuals important controls over their personal data such as the right to “portability” (to take their data and move it somewhere else) and the right to revoke permission to use their data. It requires explicit consent for particularly sensitive personal data to be collected or used.
Companies must comply with the GDPR no matter where they are located if they are handling Europeans’ personal data. Since many big American companies do business in the EU, they’ll have to follow it there, so why shouldn’t they treat the personal data of US residents the same way? Wouldn’t that be easier than having two sets of operating procedures, one for Europe and the other for the US? Why not make the core elements of the GDPR a worldwide standard so that individuals’ personal data is treated with the respect that it deserves everywhere? Yesterday CFA and 27 other consumer organizations asked some of the world’s largest corporations to do just that. In the Senate, a Resolution has been introduced encouraging US companies to adopt the GDPR data protections here at home.
We’re tired of being second-class citizens when it comes to our personal information. We want legislation to be enacted in this country to protect our privacy and security. But in the meantime, US companies can show that they really do care about Americans by applying the basic GDPR principles to the way that they handle their personal data.