America cooks up its flavor of GDPR – and Google's over the moon
But Uncle Sam has already ruled out any actual laws and fines for breaking rules
The US government has started the process to create fresh rules to safeguard Americans' online privacy, opening a "request for comments" on its initial proposal.
On Tuesday morning, the Department of Commerce opened a public comment period on a "user centric" approach it says will "provide high levels of protection for individuals, while giving organizations legal clarity and the flexibility to innovate."
The DoC also announced it was working on a "voluntary privacy framework" with standards body the National Institute of Standards and Technology (NIST) that it says will be designed to "help organizations manage risk."
The proposed approach [PDF] is less prescriptive than the European GDPR legislation, reflecting the US' typical free-market approach. It describes itself as focused "on the desired outcomes… rather than dictating what those practices should be."
But broadly the same topics are broached:
- Transparency and accountability over how data is collected and will be used and stored
- Ability for users to "exercise control" over the information they provide
- A minimization approach to data gathering, i.e. companies should gather only the data that they need
- Greater data security
- User access to the data held on them, and a right to "correct" it
The critical difference, however, is that even at this early stage the DoC has ruled out the introduction of law or fines: something that will make it more a voluntary effort than a legal demand, and will lead to accusations of the new policy being little more than a data privacy fig leaf.
Follow the money
The reason that Europe's GDPR has been effective is that it came with massive fines: up to €20m or 4 per cent of total corporate revenue "whichever is higher" for the worst cases. That forced a lot of companies to comply with the new rules despite determined efforts by some to put it off. The American version of compliance would appear to be loud tutting and an investigation by toothless watchdog the Federal Trade Commission (FTC).
"This RFC does not call for the creation of a statutory standard," the document states. "Rather, it is looking to commenters to respond with details as to how these privacy outcomes and goals can be achieved."
Unwittingly revealing the fact that the approach comes from industry rather than consumer groups, one of the key companies in the data privacy debate, Google, today published its "framework for data protection legislation" that almost exactly mirrors the DoC's version, sometimes using the exact same words and phrases.
If anything, Google will be kicking itself for even including the word "legislation" in the blog post title. The actual draft framework [PDF] opts for the softer word "regulation."
And to stress the loosey-goosey nature of what the DoC proposes, it goes on to say in its RFC: "Instead of creating a compliance model that creates cumbersome red tape - without necessarily achieving measurable privacy protections - the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes."
Ask me another
Of the 16 questions asked in the RFC, only one even opens the door to actual legislation: "What aspects of the Department’s proposed approach to consumer privacy, if any, are best achieved via other means? Are there any recommended statutory changes?"
The drive to redefine data privacy rights in the US is not new – the DoC's National Telecommunications and Information Administration (NTIA) has been working on a proposal for several years – but it has taken on much greater urgency following the introduction into law of Europe's GDPR legislation and the subsequent impact.
Microsoft, for example, has extended GDPR protections to customers all over the world. Facebook has created a European walled data garden and legally shifted every other user in the world to California. Internet overseer ICANN has been forced to scrap its domain name address book service called Whois. And there is a serious risk that the critical Privacy Shield covering transatlantic data transfers will be scrapped over the United States' failure to adequately protect personal data.
Just as important, various US states – in particular California – have either passed or proposed new data privacy legislation, forcing the federal government's hand.
In its RFC, the NTIA acknowledges the impact of these changes: "A growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape," it notes, adding:
"Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale. The Administration hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally."
The US government says it actually wants to hear from consumers – meaning that if consumers don't respond it will assume they are happy with the approach. If you want to make your views known, you have one month – until October 26 – to email them to email@example.com. ®