Analysis of the US Privacy Model: Implications of the GDPR in the US

Francisco García Martínez (Illinois Institute of Technology, Chicago, USA)
DOI: 10.4018/IJHIoT.2019010103

Abstract

The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.
Article Preview
GDPR Most Significant Updates

Apart from the already mentioned increased penalties, the General Data Protection Regulation has introduced many other updates that directly affect US companies doing business in Europe. This is, in fact, the most important update: every non-EU organization must comply with the regulation whenever it carries out activities involving the collection and processing of personal data of EU citizens (“Regulation (EU) 2016/679 of the European Parliament and of the Council,” 2016).

With the goal of preserving the security and liability of the enterprise, as well as offering guidance to technology professionals, controllers have to designate a qualified individual, the Data Protection Officer (DPO), in the following scenarios (“Regulation (EU) 2016/679 of the European Parliament and of the Council,” 2016):

  • Processing is carried out by a public authority, except a court acting in the exercise of its judicial function;

  • The main activities consist of processing operations which, by reason of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;

  • The main activities consist of the large-scale processing of special categories of personal data and of data relating to convictions and criminal offences.

Another important way of preserving security and minimizing risk is to perform a Privacy Impact Assessment (PIA). This is essentially a risk assessment that identifies the risks to which an organization is exposed, based on the activities it carries out with personal data. Specifically, the GDPR requires that a PIA be performed, at the very least, in any of the following cases (“Regulation (EU) 2016/679 of the European Parliament and of the Council,” 2016):

  • The company’s activities involve profiling;

  • The company processes sensitive data on a large scale;

  • The organization systematically monitors publicly accessible areas on a large scale.
