A Comparative Analysis of Data Protection Requirements in the European Union and the US Focusing on Germany and California

Publication year: 2019
Authors: Dyann Heward-Mills*, Helga Turku**

I. INTRODUCTION

In May 2018, the European Union (EU) General Data Protection Regulation (GDPR), adopted in April 2016, became applicable across the EU; it aims to modernize and harmonize data protection law across Europe. Other recent EU legislation on data protection includes the Data Protection Law Enforcement Directive1 (which governs data processed by criminal law enforcement authorities) and the Data Protection Regulation for EU institutions and bodies (which governs data processed by those institutions and bodies).2 The EU has taken the view that rigorous data protection rules are essential to safeguard the rights and freedoms of individuals in a democracy.3

The right to privacy is a fundamental human right enshrined in the Universal Declaration of Human Rights,4 the European Convention on Human Rights,5 and the European Charter of Fundamental Rights,6 and the GDPR extends this right to data protection. In a global economy — increasingly driven by big data — personal data is not only an essential element of human dignity but also a valuable asset that needs protection.

Public awareness of data protection issues, and the expectation that personal data will be protected and appropriately handled, have risen sharply in recent years. Identity theft, data leaks, illegal content sharing, discriminatory practices, and intrusive surveillance are among the issues generating interest in stronger data protection laws. Legislative bodies around the world are responding to this public demand by adopting, or taking steps to adopt, comprehensive data protection rules.

Headlines abound regarding staggering fines: $5 billion against Facebook by the US Federal Trade Commission (FTC), $170 million against Google's YouTube by the FTC and the New York Attorney General, $100 million against Facebook by the US Securities and Exchange Commission, and €50 million against Google by the French Data Protection Authority (CNIL). In the UK alone, the Information Commissioner's Office (ICO) imposed a £500,000 fine on Facebook and announced its intention to fine British Airways £183.4 million and Marriott £99.2 million. Data protection has become a serious issue, and the responsible agencies are taking action. Companies must safeguard their consumers' data.

Although the regulatory regimes are still developing, some governments are getting out in front of the issues and taking action to protect data. This article explores three such examples: laws adopted at EU level, in Germany, and in California. Comparing and contrasting these three examples, the article shows how data protection laws have been fashioned in these different jurisdictions and offers insights on general trends in data protection. Any business operating in the EU and California would be wise to carefully read and abide by these new and imminent data protection laws.

II. WHY DATA PROTECTION MATTERS

The movement toward better data protection7 has two main drivers. First, data is a valuable asset for an entity. The rise of the big data economy has in part been accelerated by the value generated by data collection, sharing, and processing. Data has been one of the main factors contributing to the rise of behemoths such as Facebook, Google, and Amazon. The tension between using data for business growth and maintaining transparency and trust with consumers has been at the center of many public discussions and has underpinned legal challenges against big data businesses.8


Second, privacy is one of the fundamental elements of democracy in the digital age. Unlawful data collection of a person's information "degrades the health of a deliberative democracy."9 Questionable data collection and processing practices have the potential to "shift[] power to private organizations and public bureaucracies,"10 thus creating a stealth power structure where the general public has little or no say. It is imperative that fair data collection/processing practices be integrated into domestic and international laws on data protection. The need to define and create a safe space for individuals on the internet necessitates a comprehensive normative structure implemented globally.

To this end, legislation in both the EU and the US has the potential to set a global trend in data protection. The key principles that characterize these pieces of legislation are: (1) limits on the collection of personal data; (2) transparency in collection and processing; (3) substantive rights for individuals subject to data collection; and (4) enforcement and accountability. The following discussion examines some key elements of the new laws in the EU and US.

The GDPR, which came into effect in May 2018, set the standard for a comprehensive data protection regime in Europe. Although the GDPR introduces a single legal framework, its provisions allow individual EU member states to enact domestic legislation defining, expanding, or restricting the scope of protection outlined in the GDPR. At the moment, all but three EU states have adopted laws to adhere to the GDPR's legal framework.11 As one example, this article takes a brief look at the Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG)12 in Germany, which is arguably the most stringent in Europe.

While the EU has been proactive in creating a comprehensive data protection regime, laws on data protection in the US are still very much developing. Absent a comprehensive federal data protection law, the California Consumer Privacy Act (CCPA) is one of the first significant pieces of legislation dealing with this issue in the US. Just as California often leads the way in legislative matters, its CCPA, which will come into effect in January 2020, may well set the standard for data protection in the country.

Although these three laws share similar terminology, they differ in some key respects. Specifically, the GDPR, BDSG, and CCPA have different scopes, rules concerning accountability, and limitations on data collection. The GDPR (and the BDSG in a similar fashion) requires that companies appoint a data protection officer (DPO) in specified circumstances,13 maintain a record of processing activities,14 and, where processing is likely to result in a "high risk to the rights and freedoms of natural persons,"15 that the controller carry out a Data Protection Impact Assessment. The CCPA, on the other hand, contains only a general provision that businesses must adequately handle consumers' requests to disclose or delete information.16

Whereas the GDPR provides six grounds or legal bases for processing personal data,17 the CCPA only creates a mechanism by which individuals can opt out of the sale of their personal data or request that their personal data be deleted. The CCPA also excludes from its scope the processing of certain categories of personal information, such as medical data, health data, and information processed by reporting agencies, which are covered by other US federal and state laws.

The GDPR focuses on accountability by making the controller responsible for proper implementation of the law.18 The BDSG, by introducing a lower threshold for when a DPO is necessary, has arguably created a stricter standard of accountability than that in the GDPR. Conversely, rather than focusing on accountability, the CCPA focuses on transparency and includes provisions that limit selling of personal data, by obligating businesses to include a "Do not sell my personal information" link on their homepages and to provide consumers with the right to opt out in cases of mergers and acquisitions if those will materially alter how and for what purpose the data collected is used.19

Under both the GDPR and the CCPA, individuals have the right to access their data. However, the GDPR allows a data subject to access all of their personal data being processed, while the CCPA grants access only to personal information collected in the 12 months preceding the request. Although the CCPA is not yet in force, businesses that fall within its scope (discussed later) should be prepared, as soon as it takes effect, to answer requests covering the 12 months before the request, which will reach back into the year before the Act's operative date.

The expansiveness of these data protection laws reflects how legislatures are privileging the rights of their constituents against the potential economic burden to businesses (especially small ones) facing new data protection regimes. The next sections examine in more detail the three laws and compare key features.

III. DATA PROTECTION UNDER THE GDPR, CCPA, AND BDSG - DIFFERENCES AND SIMILARITIES
A. Scope of Application

Data owners, data handlers, and data processors in the EU and in California have a lot at stake in the ever-changing legal landscape of data privacy. The scope of these laws varies depending on the jurisdiction, but knowledge of and compliance with these laws are particularly important in a global economy where data protection laws have extraterritorial application. The following is an overview of how the CCPA, GDPR, and BDSG may apply to entities operating in these jurisdictions.


The CCPA aims to increase transparency about how and why businesses collect a consumer's personal data. For the purposes of the Act, "a consumer is a natural person who is a California resident."20 The CCPA defines a business as a for-profit entity that does business in the State of California and "that collects consumers' personal information, or on the behalf of which such information is collected"21 and satisfies any of these thresholds: (1) its annual gross revenue is more than $25 million (it is not exactly clear whether this refers to the business's total revenue or just revenue in California);22 (2) alone or in combination, it annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) it...
