The U.S. Can Avoid Mistakes Made By The E.U. in Digital Security
No one would disagree that the internet has reshaped the world. Business, government, and people all need information. The question becomes, how do we keep the information safe from criminals, hostile governments, and business competitors? Experts have wrestled with this question since the birth of data mining. And now that cyber-attacks, including terrorist activity, are a reality, the need for security is even more critical.
Protecting people is a demanding and complicated job. About eight years ago, the European Union’s (EU) Commission acted on information protection, feeling compelled to upgrade the rights afforded to people in the EU. A few years of research and planning resulted in the General Data Protection Regulation (GDPR), a law whose foundation rested on seven fundamental principles:
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
5. Storage limitation
6. Integrity and confidentiality (security)
Although the GDPR includes some of the most robust tools anywhere aimed at privacy protections, there have been some issues. One goal of the GDPR was that the U.S. would also follow the EU’s lead and create complementary laws. Instead, many U.S. states are drafting their own versions of the protection laws.
Businesses find it difficult to juggle multiple regulations because of the cost, in both money and time, of dealing with multiple compliance requirements.
Regulators in Europe were busy educating businesses on their obligations and people on their obligations and their rights, but some confusion remains as to the nature of those rights and obligations. The dispute mechanism procedure, which is invoked where regulators dealing with cross-border data flows cannot come to agreement on appropriate fines or sanctions, has not worked smoothly, leading to delays in enforcement.
The EU effort and results also serve as learning opportunities for the U.S. and other countries: Structure laws for ease of use. Develop privacy protections, but balance them appropriately with room for innovation and business opportunities. Data protection is essential, but it does not have to be costly in terms of economic growth. Compliance can come at an affordable price.