How does the US government get involved in the regulation of information technology, and how do our policies compare to the EU?
The U.S. has opted for a different data protection approach. Instead of formulating an all-encompassing regulation such as the GDPR, it chose to implement sector-specific data protection laws and regulations that work in conjunction with state-level legislation to protect the data of American citizens. These include:
The Health Insurance Portability and Accountability Act (HIPAA), a set of standards regulating how health care providers secure protected health information (PHI).
NIST 800-171, a special publication issued by the National Institute of Standards and Technology to secure Controlled Unclassified Information (CUI) in non-federal information systems and organizations.
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the 1999 Financial Modernization Act, which aims to protect customers' personal information deposited in financial institutions.
The Federal Information Security Management Act (FISMA), a federal law that is part of the broader 2002 E-Government Act, which made it a requirement for federal agencies to develop, document and implement an information security and protection program.
There is also the emphasis on privacy that the GDPR highlights. While US law addresses data security and the importance of private records, privacy is often missing from the discussion, appearing instead in separate and segmented privacy laws. These are implemented by government bodies such as the Federal Communications Commission (FCC) and by private-sector groups such as the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF), which provide them with a legal framework.
The Federal Trade Commission (FTC), which has the authority to act against unfair and deceptive practices committed by a wide range of companies, also tackles data protection. The practices it acts against include failures to implement reasonable data security measures, failures to enforce stated privacy policies, and unauthorized disclosure of personal information.
Replacing the EU Data Protection Directive 95/46/EC, which was no longer felt to adequately address the tremendous technological growth of recent years, the GDPR aims to harmonize data privacy laws across Europe while not only protecting the sensitive data of EU citizens but also empowering them to better control their data. It introduces, among other requirements, privacy by design and by default and more stringent controls on cross-border data transfers, and it cements the right of EU citizens to be forgotten, essentially allowing them to request that their data be deleted.
The EU-US Privacy Shield also does not address the GDPR's individual privacy rights. The right to be forgotten and the mandatory appointment of data protection officers by processors of large quantities of EU data subjects' personal information are just some of the GDPR requirements not included in the Privacy Shield.
Whether or not the balance moves towards protecting the privacy of people in the U.S. as well, in the future any U.S. business that wants to continue to process EU citizens' data will have to adhere to the strict requirements of the GDPR. Whether this has a positive impact on how data protection is viewed in the U.S. will depend entirely on how effective the GDPR proves to be in real-world circumstances.