Born in the USA: The GDPR and the Case for Transatlantic Privacy Convergence

Privacy and Security

Article Snapshot

Author(s)

Gabe Maldoff and Omer Tene

Source

Colorado Technology Law Journal, Vol. 17, pp. 295-310 (2019)

Summary

Europe’s General Data Protection Regulation (GDPR) imposes privacy rules that differ significantly from privacy policies in the United States. But the GDPR often draws on US sources, revealing that Europe and the US share privacy values.

Policy Relevance

The GDPR could support a transatlantic approach to privacy.

Main Points

  • The GDPR emphasizes the importance of individuals' reasonable expectations of privacy, a concept first developed in US Supreme Court cases.
     
  • Privacy law and regulation in the US emphasize the importance of the context of data collection.
     
    • The Federal Trade Commission (FTC) encourages different forms of notice depending on the context.
       
    • Under the GDPR, notice should be specific to the context of data collection.
       
  • European and US-based agencies take measures to ensure accountability for privacy violations, such as required third-party audits.
     
    • The GDPR introduces accountability into formal EU privacy law for the first time, including record-keeping, review, and update requirements.
       
    • US health privacy guidelines introduced privacy impact statements (PIAs) in 1973; the GDPR also requires PIAs.
       
  • California enacted the first data breach notification law in 2002, followed by other US states and nations around the world; the GDPR extends the duty of breach notification to all data controllers.
     
  • The idea of privacy by design, where privacy is engineered into the architecture of the product, was first adopted by Canadian regulators, then by the FTC; the GDPR incorporates this idea, requiring data minimization, pseudonymization, and default settings that protect privacy.
     
  • In 1998, Congress enacted the Children's Online Privacy Protection Act (COPPA), the first privacy law directed at children; the GDPR also includes specific provisions to protect children.
     
