6 ways that U.S. and EU data privacy laws differ
The U.K. has left the EU, and for those of us that live there, we’ve historically adopted a European "fundamental human rights" approach to data protection. Still, we can sometimes be culturally closer to the U.S., with a shared language and influence of larger U.S. technology providers that sometimes struggle in Europe due to their design for the U.S. market, which has a different approach to "data privacy."
This blog looks at the contrast between European and U.S. approaches to data privacy.
Get your free course catalog
1. PII vs. personal data
The GDPR defines personal data as "any information related to an identified or identifiable natural person." A single definition for the whole of the EEA to adopt. This generally is interpreted as an extensive definition that includes data in the public domain, which is often excluded from U.S. definitions of personally identifiable information (PII).
U.S. definitions of PII vary, as several laws in the U.S. define PII differently depending on the topic (for example, under HIPAA, the PII definition would only include heath data processed by healthcare providers, whereas under COPPA, it would be children's data on technology platforms). In addition, the definitions of sensitive data in the U.S. look at financial data, and strong government identifiers, whereas the EU special category data are built from areas that may affect human rights, for example, areas such as religion, health, race, ethnicity, political views, biometrics, sex life or genetics.
2. Legal basis and opt-in vs. opt-out
Another major difference is the EU general starting point prohibition on processing — a "NO, unless…" as opposed to the U.S. starting point of "YES, unless…".
This means the U.S. defaults to an "opt-out" approach as standard (we will do it unless you say no), whereas the EU adopts more of a protective privacy approach of only being able to process with a valid legal basis (which in the case of consent is normally an "opt-in" model)
3. Omnibus vs. sectoral privacy laws
There are pros and cons of different approaches. Still, I like the U.S. sectoral approach to law at a federal level because they can be more prescriptive than the EU can as they have specialized data laws for each sector such as HIPAA, COPPA, FERPA, etc. However, these don't cover all data or all sectors.
In the EU the approach is called "omnibus" in that there is one single privacy law, which by its nature has to adopt general principles, so cannot be as specific, even though it covers a larger scope of all data of anyone (as opposed to say CCPA that looks mainly at Californian consumers).
4. Pan European/member state vs. federal/state
The EU's GDPR ensures a standard that provides a one-stop-shop across 27 countries, with another three EEA countries brought in by treaty to a similar level of protection. There is scope for national law variance, but this cannot dip below the levels of the GDPR and can only vary the GDPR where the GDPR itself specifies. Otherwise, the law harmonizes across all member states.
The U.S. has a similar structure with federal law, generally pre-empting and superior to individual state laws. However, there are only three states out of 50 with any data protection law as the EU would recognize it (Virginia, Colorado, and California). Even these laws are limited in scope, content and rights compared to the EU data protection laws, focussing more on business activity such as "do not sell" rights.
5. Fundamental human rights vs. consumer protection
Though the U.S. has long recognized the right of privacy of U.S. citizens, there is no general right of privacy for non-nationals. EU experience in WW2 and beyond has brought in an approach based on a fundamental human right to privacy and data protection separately, extending to all people regardless of activity and nationality.
U.S. approaches are more about business trading standards and being good to your customer, and therefore can exclude governmental and human resources type of privacy rights. This is also extended to the regulators, where the EU tends to have dedicated data protection regulators. In contrast, the U.S. may have different regulators depending on the law. The FTC takes the lead for business with fines generally issued for "unfair and deceptive business practices" and out-of-court "consent decrees" common over legal penalties.
6. Privacy rights and data ownership
With a fundamental rights model in the EU comes the concept that data protection rights should be free to all, as it is often the most vulnerable who has the most need. This also extends to data protection law, only assigning obligations and rights, but not data ownership. This can lead to data being traded as a commodity, where the poor sell and the rich can afford their privacy.
The U.S.looks more at data ownership as intellectual property, which can lead to privacy models where privacy is only available to those with the resources to defend it.
Get your free course catalog
Which is better for privacy: U.S. or EU?
Note that neither regime is "superior," as they both have sovereign powers. However, they have different starting points, with the U.S. often more business-friendly, focussing on commerce. And in the wake of the September 11th atrocities, often with security laws "trumping" those of individual privacy. The EU takes the opposite philosophical approach with individual rights trumping security needs.
Both approaches have definite merit and drawbacks, and with international transfers, international businesses face issues with incompatibilities. However, the problem is a political one. We look to the future to see if the different regimes converge or keep data transfers difficult by diverting in approach.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- 6 ways that U.S. and EU data privacy laws differ
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing