have proposed several digital privacy bills, but none has received the support of both political parties.

By comparison, the European Union implemented major privacy regulation legislation in 2018, the General Data Protection Regulation (GDPR), giving EU consumers greater agency over how companies use their data. Without similar federal legislation, the United States is not only compromising its constituents’ right to privacy, it is allowing big tech to grow without the necessary consumer safeguards. As California Congresswoman Zoe Lofgren highlights, “a legal framework for digital privacy is needed to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information.”2

Europe’s Digital Privacy Regulations

The GDPR established fundamental digital privacy rights for its citizens and residents, which have served as a model for national legislation elsewhere, including in Brazil. Due to the size of the European market, GDPR regulations have prompted tech companies to change their data standards in Europe.3 For example, Facebook began asking users if they wanted to see certain ads or share their profile information with its advertising partners. Many see changes in Europe as a first step toward broader, global privacy updates. “If we can export [these changes] to the world, I will be happy,”4 said Vera Jourova, the European commissioner in charge of consumer protection and privacy, who also helped draft GDPR.5

Under the GDPR, any public or private entity handling data must have “appropriate technical and organizational measures” to protect individuals.6 The entities must design information systems that ensure consumers cannot be identified and their information is not publicly available. Further, they cannot process personal data unless it falls under specific legal bases, which include contract or legal requirement.7 In addition, to collect and use data, companies must disclose the lawful basis for its processing, the length of data retainment, and whether data are to be shared to any third party or party outside of the EU.8 European consumers can request a copy of their data and have their data erased under some circumstances.9

The GDPR requires some public and private authorities that use data collection to employ a data-protection officer to manage compliance with the legislation.10 Companies must also report data breaches to each member state’s supervisory authorities within 72 hours if there is impact on user privacy.11

US State and Local Response

One of the first states to enshrine a “right to privacy” in its constitution, and the first to pass a data-breach-notification law, California also passed the first comprehensive digital privacy legislation in the United States.12,13 Similar to GDPR, the CCPA requires companies to disclose to customers what data they collect and how consumers can request the company delete or stop selling their data.14 Companies cannot deny service if consumers opt out from data collection.15

CCPA’s passage has already impacted how technology companies operate in the United States. In late 2019, Microsoft was the first company to announce that it would abide by the new regulations in every state, calling privacy a “fundamental human right.”16

As of August 2019, at least 25 states and Puerto Rico had introduced digital privacy bills, though
California’s is still the only success. New York’s failed privacy bill was even more expansive than California’s. It introduced in the United States the concept of private right of action, allowing individuals to sue technology companies for data breaches instead of depending on collective action.17 GDPR does allow private right to action, but it is not clear whether each
88 harvardkennedyschoolreview.com