Lila Kee is the General Manager for GlobalSign’s North and South American operations, as well as the company’s Chief Product Officer.
It’s a fraught time in American politics. There’s no need to rehash all the reasons why. Suffice it to say, with the Covid-19 pandemic still stifling the economy and political vitriol at levels not seen in decades, both sides are seeking ways to unify and lower the temperature around our national discourse.
We need a piece of low-hanging fruit that both political tribes can agree on—an easy win. Well, here it is: Now is the time to enact a national data law.
Frankly, we’ve needed one for almost a decade, but now with the world turning to remote work arrangements that leverage the internet and networking like never before, the United States simply cannot afford to continue forward without codifying something at the national level.
This is so important because the lack of a national law is putting American businesses at a disadvantage. The same internet and networking technologies that American companies were so integral in creating are now being regulated by bureaucrats in other countries because the United States has failed to take the lead with regard to data rights and security.
Instead, the European Union has taken the lead on data regulation, most notably with its General Data Protection Regulation (GDPR) that was enacted in 2018. As a regulation (rather than a directive), the GDPR has been uniformly implemented across all EU member states, with slight additions by Germany and France that required EU sanction. The U.S. could follow a similar approach by passing minimum baseline federal regulations that individual states could build upon if they so choose.
The EU makes adequacy decisions on other jurisdictions (other countries and regional organizations) that dictate what—if any—additional steps European businesses must take when operating in these regions or partnering with companies hailing from them in order to remain compliant with their GDPR commitments.
The United States is not on the whitelist.
The fact that the United States has not been deemed to have “adequate technical safeguards” by the EU is an embarrassing indictment of just how poorly this country has done at leading in this arena. Again, this is an arena the U.S. pretty much created itself.
Instead, the United States relies on a patchwork of state and federal laws that require differing levels of commitment to data rights and security from different industries and types of companies. The de facto result is that American businesses are beholden to whatever individual state has the most stringent regulation around data security—as of right now that’s California with the CCPA, and Virginia could be next—in lieu of an overarching national framework.
To put it in a more humanist way, Americans do not enjoy the same digital rights as their European counterparts.
We live in a truly global age, with the internet allowing business to be conducted across all corners of the world. Hailing from a country deemed to have “inadequate” technical safeguards puts American companies at a competitive disadvantage when they try to do business in regions that are governed by “adequate” data regulations.
Let’s continue using the EU as an example. If an American business wants to operate in the European Economic Area, it basically becomes incumbent upon that business to proactively assert that it has taken additional data security steps in order to abide by regulations in that area. This can take different forms. It can be asserted through legal clauses in contracts or by joining accreditation bodies that serve as attestation, but the long and short of it is that this creates additional burdens for U.S. businesses before they can compete in other markets. It also makes it harder to create partnerships across borders because additional legal agreements and evaluations must be included. These are burdens American businesses wouldn’t have to contend with if the U.S. government could unite on national data regulation.
And in the true spirit of compromise, there are certainly things both political sides of the American equation could take back home to their bases as clear-cut victories. Whether that’s ensuring American consumers have the same rights as European and Asian consumers, helping to promote American business interests around the digital world or even just serving as a check on a tech industry whose excesses concern both sides of the spectrum—passing a national data regulation would be a great unifying first step as we work toward rebuilding our economy and coming back from the Covid-19 pandemic that has kept us so cooped up over the past year.
In some ways, coming late to the game with national data protection legislation has its advantages. U.S. lawmakers and technology leaders alike have had ample time to observe what went right and what went wrong with how GDPR requirements were specified, how much and under which conditions penalties might be levied, as well as how to retrofit current systems and business processes. The U.S. should not necessarily mimic the GDPR framework hook, line and sinker but should instead find ways to simplify while harmonizing with key EU principles.
Obviously, we are not the EU; the U.S. holds slightly different values when it comes to markets and economics, but it would be foolish to ignore the precedents set by GDPR and other similar regulations out of hand.
For instance, one place we can learn from our European counterparts is by acknowledging the unique burdens these kinds of new rules and laws have on small and medium-sized businesses, most of which lack the talent resources of deep-pocketed companies like Google or Facebook. Additionally, a penalty that might amount to a small slap on the wrist to a tech giant could represent an existential threat to an SMB. We must adjust our approach accordingly.
This is the perfect middle-ground issue that we can work to build consensus around and pass together. Let’s unify around this. Let’s take the lead again in the digital space and build back stronger.