GDPR Privacy by Default – Will the US Senate Follow Europe?

On May 25th, Senators Edward J. Markey (D-Mass.), Dick Durbin (D-Ill.), Richard Blumenthal (D-Conn.), and Bernie Sanders (I-Vt.) introduced a Senate resolution calling for U.S. companies and institutions covered by the European Union's (EU) new privacy law, the General Data Protection Regulation (GDPR), to provide Americans with privacy protections included in the European law.

The five-page Resolution summarizes the GDPR as requiring:

  1. that data processors have a legal basis for processing the data of users; and
  2. that opt-in, freely given, specific, informed, and unambiguous consent from users is a primary legal basis.

The Resolution is not a bill and has not yet been debated or adopted. However, it was symbolically introduced on the very same day that the GDPR became enforceable across the EU.

Many US enterprises are impacted by the new EU law, because its territorial scope reaches any organization, wherever it is established, that controls or processes the personal data of people in the EU while offering them goods or services or monitoring their behaviour. Responses have varied. Some US companies have announced full GDPR compliance for all people worldwide. Others have geofenced their services and blocked EU data subjects outright. Others, like the Washington Post, have erected a paywall offering EU readers an ad-free, supposedly GDPR-compliant subscription tier.

The Markey Resolution "encourages entities" already subject to the EU GDPR, including "edge providers, broadband providers, and data brokers", to:

  1. provide the people of the United States with the privacy protections included in the GDPR in a manner consistent with existing laws and rights in the United States, including the First Amendment; and
  2. include in those privacy protections the requirement that data processors design their systems around some core GDPR principles:
  • "data processors" must have a legal basis for processing user data;
  • that such legal basis is principally based on "opt-in, freely given, specific, informed, and unambiguous consent" and only for the purpose agreed to;
  • that data processors design systems:
    • to minimize the amount of data to "only what is necessary for the specific purpose stated to the individual";
    • that "by default protects personal information from being used for other purposes";
  • personal information about children must receive special protections, particularly with reference to the use of the data of children for marketing purposes;
  • data processors are responsible for "appropriate oversight over third party data processors" (think Facebook and Cambridge Analytica, where a platform's data reached a third party it did not adequately supervise);
  • individuals (known under the GDPR as data subjects) have the right to:
    • revoke consent at any time;
    • "not be subject to automated decisionmaking, including profiling, without human intervention if the decisionmaking has legal or otherwise significant effects on the individual";
    • "know which entities have access to the data of the individual and how that data is being used";
    • "correct the data of the individual if it is inaccurate or incomplete"; and
    • "obtain and reuse the data of the individual for the purposes of the individual across other services".

For a summary of how GDPR impacts US-based organizations, download our new White Paper: The Top 10 Things to Know About GDPR.