In this brand blog, I’ve brought up some issues when it comes to consumer protections, most recently in the post entitled Cookie Preferences: Consumers Empowered to Choose. As one can imagine, consumer protections around the world depend on the regulations of the country. This is the reason why when I came to Europe, all of a sudden I had to consent to the cookies used during my browsing while there was never any need to give such consent in the United States. The difference comes from the fact that the EU and the US have different regulations on personal data privacy. While the EU is very concerned about the safety of its citizens, the US is more concerned over the health of the economy and the progress of innovation.
The consumer privacy legislation guiding companies participating in the European Union is the General Data Protection Regulation (GDPR). It was put into effect on May 25th, 2018 and states that essentially anything that can be tied to an individual is personal data, which a company needs to request consent to use in any way. It is for this reason that every page now has a cookie preferences and consent bar at the bottom of the page. If a company fails to ask for such consent and is found liable, it can be fined up to 4% of the company’s global gross revenue. This is a very serious penalty given that many companies work with a profit margin that is less than 4%. Besides consent, the other major legal basis for personal data processing is public interest. Public interest refers to both security and health. This means that while you don’t give your consent to be filmed by street cameras, you can still be filmed because the government may need to find an individual in order to keep the group safe. This can, for example, be the case when a criminal is loose and the country is trying to track them in order to catch them.
On the other hand, the United States does not have any overarching regulation on personal data. Instead, there is some specific regulation for some of the main industries. Otherwise, states are left to decide how they want to deal with the matter. When it comes to the specific regulation, the US has laws on how financial and health data should be stored. These laws, though, are less about protecting the consumer and more about making sure that the data is stored correctly. California is one of the few states that have their own supplemental regulations on consumer privacy. While there are not many regulations to protect consumer privacy, consumers have a great tool on their side when it comes to requesting damages: a class action suit. Class action suits are not specific to personal data disputes, but they are a method that can allow thousands of harmed consumers to band together to fight against a large company. This can reduce and even eliminate the cost of counsel and may increase the chances that the suit is successful and returns the maximum amount of damages. Unlike European courts, US courts can give out punitive damages. This means that if it can be proven that the company knowingly infringed on the rights of the plaintiffs, it can be fined up to three times the normal fine for the offense.
Currently, several countries in Asia are debating which personal data protection system they should adopt. Which one would you prefer: the overarching EU regulation or the laissez-faire US method?
If the EU is the one that adopted GDPR, how did Google, a US-based company, get into hot water with the French data protection watchdog over GDPR issues? Feel free to read this short paper discussing the recent fine given to Google for not fulfilling the GDPR requirements.