Serious discussion of a federal privacy law has been going on since 2018. It’s now four years later, and the US is the only major country in the world that doesn’t have federal data protection. For example, the UK has the General Data Protection Regulation (GDPR). Russia, Japan, and Egypt all have their own versions of federal data protection in place. In the US we have always relied on state-level and local laws rather than the federal government putting something together for the entire nation. It’s significant that Congress is finally acting and putting a law in motion that will protect US citizens, our information, and our precious data. It’s a little late, as we have already seen multitudes of data and information stolen, but as the saying goes, better late than never.
On the legal side, Congress is working toward including a retroactive component that would make individuals liable for the past two years, but many ask what will be done about the multitude of breaches that have occurred over those two years.
Potential flaws and implications
As we analyze the bipartisan bill, it’s important to consider its potential flaws and implications. An obvious flaw is that the US is planning to create a federal privacy law that will be new to everyone and likely slow to roll out and implement. What our nation’s decision-makers should have considered is adopting the UK’s GDPR, as it has been tried and tested since 2018, has proven incredibly successful, and, most importantly, companies follow its rules very closely for fear of being hit with severe penalties.
In today’s globalized world, country boundaries don’t exist on the internet. A shift toward universal laws is key as we only continue to become more interconnected. A hurdle we will likely face with the American Data Privacy Protection Act is that its components will differ greatly from those of GDPR, putting American companies, or any company that holds data on US citizens, in a difficult position and forcing them to segment US data and apply encryption based on the country of origin. This alone will slow the rollout and implementation of the law and put a tremendous burden on American companies. Because of these differences in privacy laws globally, it will be necessary to maintain two competing and contradictory standards. Aside from the solution of having a single database, another way to comply with both sets of regulations will be to bring the discussion about encryption and OTP (one-time pad) to the forefront.
The importance of enforcement
Because rollout is so far behind and the government is proposing a rapid 6-12 month timeline, there is a lot of heat around the subject. There is much concern that this timeline is not realistic and that, if rushed, it has the potential to get messy. However, the more important factor in getting it right and establishing efficiency is ensuring that individuals and organizations are compliant. The reason organizations comply with GDPR has nothing to do with the European standard itself. GDPR is effective because of its enforcement and significant fines. If we look at PCI and HIPAA compliance, the US has struggled with enforcement, and for ADPPA to be effective, better enforcement will be critical to its success. It will be a make-or-break moment, and questions such as who will enforce the law, what the penalties will be, and what implementation will cost will have to be clearly defined in order to raise the likelihood of compliance and determine whether the law proves effective or ineffective.
The good, the bad and the ugly
If this law comes into effect, the US government will have made tremendous strides by introducing a protection law at both the federal and national level. One tremendous benefit is that it is being kept bipartisan and that it will be clear and concise, with no contradictory state laws that could get messy. But as with anything, there are potential challenges and downsides. With the ADPPA, a tremendous negative is that it is not compatible with European laws and will contain many contradictions for companies abroad as well as for US subsidiaries abroad, where different laws and regulations will be enforced in addition. For ADPPA to be successful if passed, strict enforcement will be key. As we’ve seen with our European counterparts, if companies don’t face real consequences or penalties, compliance will be unlikely. What will the enforcement of ADPPA look like? One thing is clear: the penalties will have to be severe enough to push companies to take action and implement the law.
Overall, decision-makers have much work to do in order to make ADPPA a success. Enforcement will be the most important factor. The stricter the enforcement, the higher the likelihood of compliance, and it will dictate willingness to implement across the board. In addition, compatibility with GDPR will be key because the world is so interconnected in every sense. Because GDPR is tried and tested, the more closely ADPPA is made to mirror it, the bigger the win will be for everyone.