
Exploring the science and magic of Identity and Access Management
Saturday, July 13, 2024

Time for a Federal Data Breach Law in the US?

Author: Mark Dixon
Friday, April 13, 2018
6:55 am


Recently, I have given several presentations about the European Union’s General Data Protection Regulation (GDPR). A common question that arises is whether we should expect a similar data protection regulation in the US.  

This morning, an interesting article on the subject crossed my desk: “No more waiting: it’s time for a federal data breach law in the U.S.”

A few excerpts:

With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.

Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved. That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms.

It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement.

Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.

It seems to me that demand in the US for privacy protection in general and breach notification in particular has lagged such demand in Europe, probably because of differences in culture and political philosophy. However, due to the increase in high-profile data breaches in the last couple of years, I expect we will see federal legislation fairly soon.



Will the Government Micromanage Online Privacy?

Author: Mark Dixon
Saturday, November 20, 2010
3:20 am

I currently publish two blogs: “Discovering Identity” (this one) and “I Love Freedom.”  Usually, the information I publish on these blogs doesn’t overlap, but this subject certainly does, and is posted on both sites.

Thanks to an acquaintance, Jane Grafton, I recently read two opposing views on the subject of federal government regulation of privacy:

An LA Times article, Privacy and the Web, concluded:

Although Washington shouldn’t try to micromanage the Net, it should make clear that websites have a duty to help users manage their personal information effectively, giving them the chance to understand the tradeoffs they’re making and to choose wisely.

Phil Lieberman of Lieberman Software responded in his post, “Internet Privacy Is No Place for Government Regulations”:

Attempts by the federal government to constrain the collection of data, and the ability to tailor offers based on this data, are a case of the government meddling in areas where it has no place. Interference with the free market serves only to punish those companies that know how to efficiently mine their data and so is the worst form of government interference with the free market.

I’m all for privacy and opt-in/opt-out options. However I feel it does little good to cripple those companies who are good at business for the purpose of expanding the nanny-state. Any decision to overreach with privacy controls will also provide a bounty for greedy and litigious attorneys looking for fresh kills on the Internet.

What do you think? 

Although the LA Times article mildly asks the federal government not to “micromanage the Net,” history shows that government has the propensity to micromanage everything it touches. How’s that for a cynical view?

I believe the most effective way to deal with this issue would be for private industry to self-regulate. In much the same way that PCI DSS has become an effective industry-driven regulation of the credit card industry, perhaps we need an “Online Privacy Standard” developed and enforced by the online industry itself.

Otherwise, if such industry self-regulation doesn’t happen, given the current mood in Congress, I think federal government regulation of online privacy is a foregone conclusion (more cynicism).

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.