Management, compliance & auditing

6 ways that U.S. and EU data privacy laws differ

April 12, 2022 by Ralph O'Brien

The U.K. has left the EU, and for those of us that live there, we’ve historically adopted a European “fundamental human rights” approach to data protection. Still, we can sometimes be culturally closer to the U.S., with a shared language and influence of larger U.S. technology providers that sometimes struggle in Europe due to their design for the U.S. market, which has a different approach to “data privacy.” 

This blog looks at the contrast between European and U.S. approaches to data privacy.

1. PII vs. personal data

The GDPR defines personal data as “any information related to an identified or identifiable natural person.” A single definition for the whole of the EEA to adopt. This generally is interpreted as an extensive definition that includes data in the public domain, which is often excluded from U.S. definitions of personally identifiable information (PII). 

U.S. definitions of PII vary, as several laws in the U.S. define PII differently depending on the topic (for example, under HIPAA, the PII definition would only include heath data processed by healthcare providers, whereas under COPPA, it would be children’s data on technology platforms). In addition, the definitions of sensitive data in the U.S. look at financial data, and strong government identifiers, whereas the EU special category data are built from areas that may affect human rights, for example, areas such as religion, health, race, ethnicity, political views, biometrics, sex life or genetics.

2. Legal basis and opt-in vs. opt-out

Another major difference is the EU general starting point prohibition on processing — a “NO, unless…” as opposed to the U.S. starting point of “YES, unless…”. 

This means the U.S. defaults to an “opt-out” approach as standard (we will do it unless you say no), whereas the EU adopts more of a protective privacy approach of only being able to process with a valid legal basis (which in the case of consent is normally an “opt-in” model)

3. Omnibus vs. sectoral privacy laws

There are pros and cons of different approaches. Still, I like the U.S. sectoral approach to law at a federal level because they can be more prescriptive than the EU can as they have specialized data laws for each sector such as HIPAA, COPPA, FERPA, etc. However, these don’t cover all data or all sectors.

In the EU the approach is called “omnibus” in that there is one single privacy law, which by its nature has to adopt general principles, so cannot be as specific, even though it covers a larger scope of all data of anyone (as opposed to say CCPA that looks mainly at Californian consumers). 

4. Pan European/member state vs. federal/state

The EU’s GDPR ensures a standard that provides a one-stop-shop across 27 countries, with another three EEA countries brought in by treaty to a similar level of protection. There is scope for national law variance, but this cannot dip below the levels of the GDPR and can only vary the GDPR where the GDPR itself specifies. Otherwise, the law harmonizes across all member states. 

The U.S. has a similar structure with federal law, generally pre-empting and superior to individual state laws. However, there are only three states out of 50 with any data protection law as the EU would recognize it (Virginia, Colorado, and California). Even these laws are limited in scope, content and rights compared to the EU data protection laws, focussing more on business activity such as “do not sell” rights.

5. Fundamental human rights vs. consumer protection 

Though the U.S. has long recognized the right of privacy of U.S. citizens, there is no general right of privacy for non-nationals. EU experience in WW2 and beyond has brought in an approach based on a fundamental human right to privacy and data protection separately, extending to all people regardless of activity and nationality. 

U.S. approaches are more about business trading standards and being good to your customer, and therefore can exclude governmental and human resources type of privacy rights. This is also extended to the regulators, where the EU tends to have dedicated data protection regulators. In contrast, the U.S. may have different regulators depending on the law. The FTC takes the lead for business with fines generally issued for “unfair and deceptive business practices” and out-of-court “consent decrees” common over legal penalties.

6. Privacy rights and data ownership 

With a fundamental rights model in the EU comes the concept that data protection rights should be free to all, as it is often the most vulnerable who has the most need. This also extends to data protection law, only assigning obligations and rights, but not data ownership. This can lead to data being traded as a commodity, where the poor sell and the rich can afford their privacy. 

The U.S.looks more at data ownership as intellectual property, which can lead to privacy models where privacy is only available to those with the resources to defend it.

Which is better for privacy: U.S. or EU?

Note that neither regime is “superior,” as they both have sovereign powers. However, they have different starting points, with the U.S. often more business-friendly, focussing on commerce. And in the wake of the September 11th atrocities, often with security laws “trumping” those of individual privacy. The EU takes the opposite philosophical approach with individual rights trumping security needs. 

Both approaches have definite merit and drawbacks, and with international transfers, international businesses face issues with incompatibilities. However, the problem is a political one. We look to the future to see if the different regimes converge or keep data transfers difficult by diverting in approach.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.

Posted: April 12, 2022
Author
Ralph O'Brien
View Profile

Ralph is a trusted advisor on global privacy and security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments. He has worked in various industry sectors, including defense, public sector, pharma and financial services, representing multinational corporations and boutique specialist consultancies. He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus on business processes, information protection, and an ethos of management assurance, risk management and knowledge transfer, he ensures effective protection of assets appropriate to the client's business needs.

Leave a Reply

Your email address will not be published.