EU versus US Privacy Legislation

EU versus US Privacy Legislation – Convergence?

This is my second article looking at privacy legislation and its impact around the world. Please see here for the first article.

So today’s article looks specifically at privacy legislation in the USA and in Europe. Whilst I have added my own comments and views, quotes and information have been taken from various sources, including the Information Commissioner’s Office, the European Commission, HIPAA Journal (Health Insurance Portability and Accountability Act of 1996) and Endpoint Protector.

The Fundamentals – Part 1

In Europe, privacy and data protection appear as fundamental freedoms under the European Union Charter so it is therefore no wonder that the EU’s GDPR was shaped into a single piece of ground-breaking legislation in defense of these rights.

The United States has opted for a different approach to data protection. Instead of formulating one all-encompassing regulation such as the GDPR, it chose to implement sector-specific data protection laws and regulations that work together with state-level legislation to safeguard American citizens’ data.

The Fundamentals – Part 2

As well as the difference between the EU’s single GDPR legislation and the US’ multiple pieces of legislation, there is another fundamental difference. GDPR is geared towards a person’s RIGHT TO PRIVACY. US laws generally do not encompass the right to privacy – whilst US legislation addresses data security and the importance of private records, privacy is often absent from the discussion, appearing in separate privacy laws.

A European Attitude to Privacy and Personal Information

One of the main aims of the GDPR is to ensure that every individual located within the EU, no matter which member state, is guaranteed the same rights and freedoms – including the right to privacy, which is thought of as a basic human right. To accomplish this, the GDPR enshrines this and other rights in the legislative framework of the EU member states. The result is a cohesive and secure approach to processing personal data collected across the EU, which protects individuals and their privacy. GDPR introduces, among other requirements, the need for privacy by default and by design and stricter controls over cross-border data transfers, and cements EU citizens’ right to be forgotten, essentially allowing them to request the deletion of their data.

An American Attitude to Privacy and Personal Information

In a legal sense, the United States does not provide for an overall expectation of privacy. The collection and processing of personal data is generally regulated based on the type of data under discussion. This is why, for example, data related to healthcare is subject to the Health Insurance Portability and Accountability Act, commonly known as HIPAA, and financial data is governed by the Gramm-Leach-Bliley Act, known as GLBA. As there is no current law in the US that is analogous to the GDPR, many types of data that are covered by the GDPR do not have corresponding protections under American law. This will more than likely result in a situation where data gathered from within the EU will have to be processed and stored to different requirements and to different standards than data gathered from within the US.

How Does an Organisation Maintain Compliance in the EU and in the USA?

One answer is to run separate systems, processes and procedures. Implementing, managing and overseeing two different but parallel approaches to data processing will undoubtedly strain the resources of any organisation. Making use of several systems depending on the type of data and the location from which it was gathered introduces a level of complexity that will impact the efficiency of operations and that could lead to mix-ups and mistakes, potentially resulting in fines or sanctions for non-compliance with the correct regulations.

Further confusing the issue is that a single individual may have data that falls under two or more sets of legislation. In an increasingly globalised world, it is not out of the question for someone living in New York to have their data gathered within the US throughout the course of their daily activities, and then to take a trip to Europe for business or pleasure and have their data gathered within the EU during the trip. If their data is collected by the same US-based multinational group, say a coffee shop chain, online accommodation service or electronics manufacturer, then this company would hold data from the same individual subject to different sets of legislation – essentially prohibiting the merging of the data and the ability to extract useful information from it. What a logistical nightmare!

A Single Approach? Or Multiple Approaches?

One solution that is being proposed to this double standard is simply to eliminate it by applying the same procedures to all data collecting and processing activities. Solutions such as the Cassie Personal Data Management platform aim to take this approach. Cassie is currently used by organisations around the world, in 36 languages, totalling 165 million worldwide customer records with 2.4 billion preferences and making 2.5 million updates EVERY DAY! A single approach effectively applies the GDPR fundamental freedoms of privacy and data protection, irrespective of geography, whilst providing functionality to ensure compliance with US legislation.

The US Is Changing!

However, US legislation is changing. As the world becomes aware of the vast amount of personal information held by companies and the way this data is used or misused (particularly by the giants – Facebook, Google, Amazon, Apple, Microsoft, etc.), the public want protection. And so do the legislators!

A great example is the California Consumer Privacy Act of 2018 (CCPA). This is a bill that enhanced privacy rights and consumer protections for residents of the US state of California. The intention of the act is to provide California residents with the right to:

  • Know what personal information is being collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Say no to the sale of personal information.
  • Access their personal information.
  • Receive equal service and price, even if they exercise their privacy rights.

The CCPA applies to any business, including any for-profit entity that collects consumers’ personal information, which does business in California, and satisfies one or more of the following thresholds:

  • Has annual gross revenues in excess of US$25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • Earns more than half of its annual revenue from selling consumers’ personal information.

Whilst CCPA is different to GDPR, there are many parallels, including shared concepts – this is hardly surprising, as GDPR was the inspiration. In my view, over time, more states will introduce similar legislation and the current piecemeal approach will become more standardised.

Privacy Legislation – A Positive Vision

If US legislators listen to the public, they will (in my opinion) adopt a position very similar to GDPR, including the fundamental concept of a RIGHT TO PRIVACY. I have to caveat this – unless big business and their lobbyists throw around enough money to influence said legislators.

Research shows that consumers appreciate and value the brands that clearly give them choice and control. If done well, those brands will then generate a higher level of engagement and loyalty from their customer, supporter and stakeholder base. By opting in (or by not opting out of Legitimate Interests!) a consumer is showing the highest level of interest in your cause, product or organisation. That is gold-dust! It is the best way to do a value segmentation of all consumers who touch your brand in some way – if they opt in, they are interested and you should focus your effort on them. So whilst privacy legislation will result in a smaller active customer, supporter and stakeholder base than before, the base will be more engaged and probably of higher value than the current average. That means lower campaign and admin costs and higher responses. That equals improved ROI. And that is a good thing for all involved. The consumer gets control of how business uses their data. Businesses are forced to become more relevant (or they won’t get consent), resulting in more engaged customers. Everyone is happy!

Does US Compliance Equate to EU Compliance (or vice versa)?

Erm – NO! But the convergence discussed above and legislation such as CCPA moves us closer.

Think back to the fundamental differences between the EU approach and the US approach. While US legislation addresses data security and the importance of private records, privacy (unlike in the EU) is often absent from the discussion, appearing in separate privacy laws. These are enforced through government bodies such as the Federal Communications Commission (FCC) and privacy organizations such as the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF), which provide a legal framework for them. And here are just a few other laws:

  • The Health Insurance Portability and Accountability Act (HIPAA), a set of standards created to secure protected health information (PHI) by regulating healthcare providers.

  • NIST 800-171, a special publication released by the National Institute of Standards and Technology aimed at protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations.
  • The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, that seeks to protect the personal information of consumers stored in financial institutions.
  • The Federal Information Security Management Act (FISMA), a federal law part of the larger E-Government Act of 2002, that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.

While states such as California have a security breach notification law in place from as early as 2002, not all states have one. Therein lies the problem with US data protection legislation. Given the number of laws in existence and their differences at state-level, some may be up to GDPR standards, while others may not.

Data protection is also addressed by the Federal Trade Commission (FTC), which has the power to act against unfair and deceptive practices perpetrated by a large range of companies. In the case of data protection, these include failures to implement reasonable data security measures and apply privacy policies as well as unauthorized disclosures of personal information.

Email regulation is probably the best example of the differences in US and EU approach, principles and concepts. The acronym CAN-SPAM derives from the bill’s full name: Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. It plays on the word “canning” (putting an end to) spam, the usual term for unsolicited email of this type.

The CAN-SPAM Act is occasionally referred to by critics as the “You-Can-Spam” Act because the bill fails to prohibit many types of e-mail spam and pre-empts some state laws that would otherwise have provided victims with practical means of redress. In particular, it does not require e-mailers to get permission before they send marketing messages. It also prevents states from enacting stronger anti-spam protections, and prohibits individuals who receive spam from suing spammers except under laws not specific to e-mail. The basic tenets of the Act are:

  • The use of accurate header information to correctly identify the origins of the message;
  • The use of subject lines that reflect message content;
  • The clear identification of a commercial message as an advertisement;
  • The inclusion of a valid physical postal address;
  • The inclusion of opt-out measures;
  • Prompt and effective action on opt-out requests within 10 business days which in no way inconveniences the recipient;
  • The sender assumes responsibility for the message even if a third party vendor is contracted to execute the service.

Now compare CAN-SPAM to GDPR. The biggest difference is a consumer’s consent, permission or opt-in: it is not a requirement under CAN-SPAM, whereas data processing for marketing or sales emailing is only allowed by the General Data Protection Regulation if the data subject has consented. By law, an EU consumer cannot be “cold-emailed” if they have not given consent – their privacy is a right.

The GDPR also provides a right named “the right to object”, under which data subjects have the right to object at any time to the processing of their data for direct marketing, after which the data shall no longer be processed for that purpose. The GDPR specifically points out that the right to object to the processing of personal data for direct marketing (i.e. to opt out) is an absolute right, which means there is no exemption or grounds for organizations to refuse. This is the impact of the EU principles – the right to privacy, which is considered a basic human right, therefore overrides a business’ wish to market or sell its products and services. The legitimate interest of the controller (the business) to process data for marketing purposes can never outweigh the objection of the data subject (the consumer).

The EU-US Privacy Shield Framework

When talking about data protection and privacy practices between the EU and the US, a word must be said about the EU-US Privacy Shield Framework. Designed by the European Commission and the US Department of Commerce to facilitate transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, it replaced the previous Safe Harbour Privacy Principles, which were declared invalid by the European Court of Justice in 2015. US companies wanting to transfer sensitive data to Europe, and vice versa, must be self-certified under the Privacy Shield.

However, while the EU-US Privacy Shield is meant to ensure that businesses maintain high data protection standards, it is an agreement, not a regulation. The US Department of Commerce and the FTC support the monitoring and enforcement of the Privacy Shield, but companies found not to meet standards are simply excluded from doing business with the EU. They are liable to fines only if they choose to violate the administrative orders or court orders sought by the FTC.

The Privacy Shield also fails to address the individual privacy rights vouchsafed by the GDPR. The right to be forgotten as well as the mandatory appointment of data protection officers by processors of large quantities of personal information of EU data subjects are only some of the GDPR requirements the EU-US Privacy Shield does not include.

Convergence Of Legislation?

The GDPR, with its broad considerations and at times vague definitions, may seem to American policy makers a far too general tool to address particular use cases. Accustomed to compartmentalized data protection, they can find it daunting to consider applying the same regulations to such diverse sectors and mediums as those found in today’s commercial landscape.

The EU’s goal in developing the GDPR, however, was precisely that: to provide a universal data protection legislation that would supersede all the previous, fragmented laws that existed at national level, across different sectors and jurisdictions in Europe. Seen in this way, the GDPR is the next step that follows the micro-management model of data protection regulations.

The essential difference between the US and the EU when it comes to data protection is their point of focus. The US seems more concerned with the integrity of data as a commercial asset, while the EU, with the GDPR, has firmly put individual rights before the interests of businesses. In the EU, it is companies that will be held liable in the eyes of the law, and pay, if they fail to protect EU data subjects’ data.

Whether or not the balance will shift towards the protection of individuals’ data in the US in the future, for now any US business that wants to continue processing the data of EU citizens will have to adhere to the GDPR’s strict requirements. Whether this will have a positive influence on the way data protection is viewed in the United States will depend entirely on how effective the GDPR proves itself to be in real-world circumstances.

For more information on the Cassie Personal Data Management please contact James Squires. Tel: 0330 043 1593 or email:
