Young Choo, MJLST Staffer
The EU General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC in May of 2018. Unlike the Directive, the GDPR does not require each European state to enact a national statute; it applies uniformly across the countries of the European Union. The European Commission proposed the GDPR to “strengthen and unify data protections for people in the European Union.” The regulation also addresses the export of personal data outside of the European Union. More specifically, Article 3 of the GDPR says that “if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.” Consequently, companies in the United States that handle European Union consumers’ information are expected to be in compliance with the GDPR.
Could these U.S. companies’ move toward GDPR compliance also influence data protection law in the United States? The answer is “possibly.” California recently initiated a move toward more stringent data privacy laws. “The California Consumer Personal Information Disclosure and Sale Initiative (#17-0039) may appear on the ballot in California.” The Initiative includes the following rights for consumers:
    Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies.
Another impact the movement toward stringent data protection compliance could bring is a change in how “harm” is perceived in the data breach setting. United States courts have not treated a data breach in itself as a harm. They have always required an additional showing of consequential harm arising from the breach, such as money spent on monitoring after the breach or credit card misuse resulting from it. The E.U. data protection law, on the other hand, rests on the idea that a data breach is itself a harm, because privacy is a fundamental human right. It will be important to watch how the circuit courts decide Article III standing in the data breach setting, since one of the requirements plaintiffs must prove is a “concrete and particularized” harm.