
The US needs to catch up with Europe in putting people - not companies - in control of personal data

By Lewis Barr | Posted on January 25, 2018

Data Privacy Day 2018

Data Privacy Day - Sunday, January 28 - commemorates the first international treaty for privacy and data protection as one effort to promote privacy awareness worldwide. Last year was a watershed in privacy awareness. While many of last year’s privacy conversations in Europe focused on preparations for, and the anticipated impact of, the General Data Protection Regulation (GDPR) which takes effect this May, press coverage of the Equifax breach and the continued lack of a comprehensive U.S. data protection law highlighted the lack of adequate personal data protection in the U.S. As in many areas, the U.S. government is lagging behind the leadership of many U.S. enterprise businesses which recognize that consumer and employee confidence in how businesses treat their personal data is key to establishing a mutually beneficial, long-term relationship.

In contrast to the lack of a coordinated U.S. approach to privacy and data protection, Estonia has built a personal data sharing platform. A recent New Yorker article, Estonia - The Digital Republic, highlights Estonia’s success in creating this secure online platform for its citizens to use for significant applications, from authenticating themselves for online voting, to sharing medical records with health care providers and others, to paying taxes. The platform reportedly is based on the principle that an individual owns all the information recorded about him or her, such that every interaction by a third party with that information is recorded and thereby traceable for accountability. More impressive than the transactional efficiencies afforded by a user’s ability to control online access to his or her personal data is Estonia’s success in securely operationalizing the principle of citizen control over their respective personal information online.

Estonia’s approach of putting the individual in the personal data sharing driver seat aligns nicely with the General Data Protection Regulation that will take effect in all EU member states this coming May and also be applied to non-European companies marketing to EU residents. In contrast, in the United States, with rare exception, data brokers and other entities without established individual customer relationships or consent continue to obtain and process vast amounts of personal data with little regulatory oversight, let alone the threat of significant fines (like those which may be imposed under the GDPR) for failing to reasonably protect the data processed. A case in point is the credit bureau Equifax, which failed to update its software with available security patches. As a result of the breach, the personal data of about 143 million people, including their social security and driver license numbers, was put at risk.

While much has been written about the Equifax breach apart from its magnitude -- from questioning the continued use of certain personal identifiers to the impunity with which Equifax operated -- perhaps the most striking aspect of the press coverage was that there was little question over the right of Equifax to be collecting and otherwise processing the personal data of hundreds of millions of individuals without their clear understanding in the first place. To add insult to injury, the former chief executive of Equifax asserted in a Congressional hearing that an individual should not be able to delete her data held by the company. Such a position would be untenable under the GDPR, which requires a company to honor an individual’s request that it delete her data. Despite much questioning and expressions of disgust by members of Congress, in the end no action was taken.

So where does that leave us today? It leaves us painfully aware that the need for strong national privacy and data protection in the U.S. remains, while individuals should continue to take sensible measures to protect themselves, including by only engaging with brands that put them in the driver seat when it comes to the treatment of their personal data.


About the author

Lewis Barr

General Counsel and VP, Privacy

Lewis manages Janrain's legal compliance and privacy functions as the company continues its international expansion. He brings more than 15 years of leadership in a wide range of legal and privacy-related matters for growing technology companies. Lewis also utilizes his diverse background as a litigator in private practice, federal appeals court staff attorney, and teacher. Prior to Janrain, Lewis was General Counsel and Secretary of Fios, Inc. and before that, he was General Counsel of New Edge Networks (now EarthLink Business). Lewis holds a Juris Doctor degree from the University of Missouri School of Law and a Bachelor's Degree from Georgetown University’s School of Foreign Service. He is also a Certified Information Privacy Professional (CIPP/US).
