Here we examine the differences in the regulation of data protection and privacy between the United States and Europe.
- In the United States there is no all-encompassing federal legislation regulating data protection and individual privacy.
- Each state has different laws. Federal laws follow a sectoral approach: legislation exists for certain industries, but each industry's legislation is different. The complexity of this legislation, combined with mandatory breach notification laws, creates opportunities for class actions as well as punitive actions by regulatory bodies, state Attorneys General and the Federal Trade Commission.
- Last year, the US Securities and Exchange Commission, which oversees publicly traded companies, adopted a directive requiring certain regulated financial institutions and creditors to adopt and implement identity theft programs in light of the new cyber threats.
- In the United States, data privacy is the focus of cyber coverage.
- In Europe, data protection is viewed as a human right, and the "right to be forgotten" has ensured that comprehensive regulation exists to protect the individual's data and privacy.
- The collection of data, and the purposes for which it may be used, are subject to strict conditions, but with limited monetary sanctions (EUR 600,000), no compulsory notification of data subjects and no tradition of class actions.
- For European organizations, the business interruption element (first party) is at least as important as the cyber coverage.
The EU is looking to update its data protection regulation in the coming year under the EU Data Protection Reform. The exact wording of the regulation is yet to be finalized, but it is expected to come into place in 2015, with a two-year implementation period.
The new regulation will harmonize European law and introduce new measures, including notification of data breaches and the removal of an individual's data when they withdraw consent for it to be held. Fines and penalties for noncompliance are expected to increase.
Furthermore, in February 2013 the Commission proposed the Cyber Security Directive, which contains measures that would impose minimum network and information security requirements on businesses.