A four-year analysis of the General Data Protection Regulation (GDPR) adopted by the European Union reveals that following it was…stupid.
That is to say, the right data choice by the U.S. Congress not to follow the European method of data protection brought enhanced data safety. How did we arrive at this point?
Protection Fails in Europe
Europeans do not report that the restrictions have increased their internet confidence. In reality, most poll respondents in the United Kingdom and Germany believe the GDPR will have a neutral, if not hostile, effect.
According to a new Canadian report, the GDPR imposes a massive regulatory burden on regulators and businesses. The GDPR apparently harms small and medium enterprises (SMEs) and increases consumer complexity. Similarly, it includes frustration with endless pop-ups and “consent fatigue,” reduces innovation, and obstructs cross-border commerce.
The lack of EU-based digital businesses development might be a significant indictment of the GDPR. Today, Europe accounts for just 3% of global internet value, and it is on the verge of being surpassed by Africa. Meanwhile, Google (Alphabet), Facebook (Meta), Amazon, and TikTok, a Chinese app, have expanded their market share and profitability in Europe.
The California Consumer Privacy Act (CCPA) has GDPR-style standards, and its high compliance cost is a small company killer.
Fortunately, a realistic solution protects consumers without putting undue strain on businesses and regulatory agencies. The Uniform Law Commission (ULC), a non-profit organization comprised of 350 commissioners selected by the different U.S. states, prepares model legislation to offer consistency and clarity to contradictory state and federal laws.
During the pandemic, hundreds of data protection stakeholders, including ULC commissioners, worked to establish a model code known as the Uniform Personal Data Protection Act (UPDPA).
Protection of Customer Data Needs a Wake-Up Call
The Act establishes fair information practices (FIPPs) for collecting and using personal data. It also specifies compatible, incompatible, and forbidden data use. The Act protects and ensures that consumers have a reasonable cost to regulators and businesses.
The risk-based approach, which balances the interests of consumers and companies while allowing for flexibility and innovation that may benefit consumers, is critical to the UPDPA’s effectiveness. Its emphasis on entities that “keep” data as part of a system of records about individual data subjects for retrieval for customized communication or decisional treatment is a fundamental limiting concept.
For example, there are fewer data breaches before small business audits than after. Another benefit of the UPDPA is that it creates a safe harbor for low-risk suitable activities that do not need permission. These behaviors are in the person’s best interests and are within their reasonable expectations.
For instance, two examples are leveraging location data for a community’s COVID risk assessment and targeted advertising while accessing free content and services. Small businesses are exempt from the UPDPA for practical reasons. The Ukraine offers a grim example. No one wants to repeat these mistakes.
A Requirement for Consent
A requirement is consent for practices that pose a risk. Technology for small businesses always carries risks.
When sensitive personal data is breached — such as race, religious belief, gender, sexual orientation, citizenship, immigration status — it’s legally actionable. Even more so for financial account numbers, Social Security numbers, government-issued identification numbers, and real-time geolocations. Criminal records, medical diagnoses, or information about children under the age of 13 is also a growing risk.
Prohibited behaviors include shame, ridicule, intimidation, harassment, or identity theft that is carried out without appropriate security. These might result in financial, bodily, or reputational damage. Selling personal data for marketing purposes is an incompatible activity as well.
People also have the right to a copy of personal data and the ability to rectify and change it under the UPDPA.
Data controllers must follow a clear and easily accessible data privacy policy that discloses the types of personal information kept, notification of practices, procedures for responding to data subjects’ rights, applicable state and federal laws, and any voluntary consensus standards (VCS) they use.
VCS is a collection of user-developed, bottom-up tailored rules for specific applications, services, and contexts. Therefore, the office will notify the appropriate attorney general if they encourage innovation and standardization for the sake of online data protection.
Oklahoma, Nebraska, and the District of Columbia have already enacted the UPDPA. The Act allows states to include enforcement measures from an implementing state’s existing consumer protection law.
However, state attorneys general may issue regulations to execute the Act. They are expected to work together to promote consistency in enforcement. Private action delays the adoption of federal internet data protection laws. The UPDPA leaves that up to each state.
