The difference in data protection around the world

In the old continent, the laws clearly privilege users’ data privacy over any other interest. The General Data Protection Regulation entered into force in May 2016, and since then a great number of changes have taken place with the intention of preserving data security despite technological advances.
In the United States, users’ data protection on the internet still hasn’t been subject to major regulation. In this country, the priority is still national security over the property of private citizens.

Data is protected in North America through three acts: the Health Insurance Portability and Accountability Act, passed in 1996 to preserve individual medical information, making it available only to treating health professionals; the Fair and Accurate Credit Transactions Act, enacted with the intention of safeguarding consumers’ credit information and avoiding fraud associated with data theft; and the Children’s Online Privacy Protection Act, adopted to protect the online privacy of children under 13 years old.

A new scope on data protection

However, the GDPR can be applied to any company or individual who offers goods or services to any citizen of the European Union, no matter where in the world that company or citizen is. The regulation also makes no distinction as to whether or not commercial transactions took place between companies and customers. It also applies to those who monitor behavior on the net, when those actions take place in the European Union.

The regulation specifies that its measures protect the fundamental rights and freedoms of European citizens, particularly guaranteeing the protection of personal data. Nevertheless, it clarifies that the free movement of personal data is not restricted or forbidden.

In Europe, institutions have been created to oversee and regulate the enforcement of the established laws, which have a general scope. The United States, for its part, has not yet defined any authority with similar competences, so cases are resolved individually in the corresponding courts. Another important difference between the two protection systems is that in the old continent the regulation’s approach is preventive, avoiding the violation of users’ rights. In the American country the approach is purely reactive, since the authorities get involved once the law has been violated.

A protective shield for both perspectives

Between 1998 and 2000, a set of principles was developed to unify, to some extent, the way the United States and Europe were acting on the matter of data protection, taking into consideration that both regions maintain important commercial and information exchanges through the web. The United States companies that managed users’ data relied on these principles:

  • Notification: consumers should be notified about data collection and its final destination.
  • Election: users could have the option of not participating in data collection and its transfer to third parties.
  • Security: data security protocols must be constantly strengthened.
  • Data integrity: data collection must have a specific purpose.
  • Access: users must have access to the information gathered about them, as well as the right to change it if they want to.
  • Application: adequate systems must be created for the application of the above-mentioned principles.

A framework for common protection

To deal with the legal differences between both regions, the European Union and the United States came to an agreement: the Privacy Shield. This framework for the protection of personal data entered into force in 2017, and under it both parties commit themselves to carrying out data transfers in a way that protects users’ privacy. Unlike under the previous agreement, the Safe Harbor, under the Privacy Shield the US companies that manage or store European citizens’ data have more responsibilities to fulfill.

Notable among these new measures is the obligation of collaboration with European authorities on the matter of users’ data protection. In this sense, companies must report to their users about the information they are gathering and submitting to authorities. Likewise, the United States cannot make indiscriminate use of this personal information. Any arbitrariness that might be committed will be taken to the corresponding courts.

The privacy agreement is reviewed annually, to make the necessary modifications that adapt the agreement to the reality of the current market.
