The European Union (EU) takes a much stricter and more comprehensive view of privacy than the privacy laws of the United States. The underlying concepts of privacy in both jurisdictions are similar in tone, but the difference lies in how those laws are framed and enforced. In the US, "privacy laws" typically refers to individual information or data privacy statutes. In the EU, the same subject matter falls under a broader category that covers the whole scope of privacy and is referred to as data protection law. Furthermore, the EU General Data Protection Regulation (GDPR) applies not only to organizations established in the EU but also to organizations elsewhere in the world, including the US, that process the personal data of individuals in the EU. Companies that conduct business in the EU must therefore comply with the GDPR or face severe penalties.
The EU approaches privacy differently from the laws we are familiar with in the U.S. The most notable difference is the way privacy laws apply to industries across sectors. In the United States, separate privacy laws apply to businesses based on the type of data they handle; this is known as a sectoral approach. In the EU, by contrast, one privacy law applies to all business sectors equally and without prejudice, which is an omnibus approach. According to Swire & Ahmad (2012), "Although there is no federal omnibus law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements." Another feature of the EU approach is its defined roles. The data controller is the organization or person that determines the purposes and means of processing personal data, and, where required, the controller must designate a data protection officer: a person or office that individuals can contact to obtain additional information about their personal data and how it is being used. A critical point about the EU approach is that a single law governs all facets of privacy and is enforced across both public and private entities.
The GDPR gives individuals additional rights and creates more openness around data privacy. In turn, this provides more transparency about the data being collected and helps consumers make simpler, better-informed choices about their privacy. In addition, the concepts of privacy by design, the right to be forgotten, and the right to be informed cover the full range of consumers' privacy expectations and govern the way personal data is collected and stored in information systems. According to Terwangne (2013), "the purpose principle specifies that personal data must be processed for a determined, legitimate and transparent purpose."
- Privacy by Design – this concept addresses the design of information systems so that consumers' data is protected within the technology itself and throughout the lifecycle of the system. It takes data privacy into account in software development, projects, products, and services so that they comply with the GDPR, and it covers both the technical and the organizational measures taken to protect consumers' data privacy. Any company that processes personal data must consider data privacy at every step of its business. Closely related is privacy by default, which specifies that when a product is released, protective privacy settings apply automatically. According to ICS (2020), "the strictest privacy settings should apply by default, without any manual input from the end-user."
- Right to be Forgotten – requires that a person's personal data be erased without undue delay when it is no longer needed for the purpose for which it was processed. According to Intersoft Consulting (2018), the data will be erased when "the data subject has withdrawn his consent, and there is no other legal ground for processing, the data subject has objected, and there are no overriding legitimate grounds for the processing." It is important to note that the data subject must submit a request to the data controller to have the data permanently erased. Honoring that request satisfies the individual's "right to be forgotten."
- Right to be Informed – this GDPR right provides transparency about what consumer data is collected and how companies use it. According to Intersoft Consulting, "the right to be informed also includes the duration of storage, rights of the data subject, ability to withdraw consent, and the right to lodge a complaint with the authorities." Furthermore, individuals have the right to know with whom their personal data is shared and for what purposes. Organizations can inform the individual through written correspondence or electronically via e-documents.
Red Clay Renovations must align its business practices with the EU GDPR mandates in order to provide satisfactory protection for customers' data privacy. The five recommended best practices that Red Clay will incorporate into its IT security policy for the protection of privacy are:
- Right to be forgotten.
- Privacy by design.
- Data protection officer.
- User consent.
- Data breach notifications.
In closing, the EU GDPR protects the privacy of consumers' personally identifiable information and establishes regulations that put control of personal data back into the hands of the data subject. A person has the right to know how their data is being collected, used, and shared with external entities. Information technology systems must also be designed in a way that protects consumers' data privacy before, during, and after transactions. Red Clay Renovations can implement the five industry best practices listed above in its IT security policies to better protect the company, its individual customers' privacy, and its most precious asset: data.
