By Susan Hoffman
Contributor

In today’s wide-open social media era where virtually anything can be broadcast online, maintaining data privacy is a hard battle to win. We regularly hear stories of how attackers have penetrated companies with weak cybersecurity, stealing thousands of names, Social Security numbers and email addresses to be sold on the dark Web for a profit.

Data Privacy Legislation Worldwide

There are numerous regulations worldwide to control data privacy in various countries. For instance, nations such as Switzerland, Norway, Romania, Iceland, Bulgaria, the British Virgin Islands, the Seychelles and Panama have tough laws in place to protect citizens’ privacy.

To help protect the personal data of citizens in European countries, the European Union (EU) enacted the General Data Protection Regulation (GDPR) on May 25, 2018. This legislation applies to organizations located in the EU and foreign countries that provide goods or services to EU country residents or that monitor the behavior of EU residents. The fines for non-compliance are steep – 20 million euros (about $22.4 million USD) or four percent of a company’s annual global turnover.

Unfortunately, data protection on a global scale needs definite improvement. According to the United Nations Conference on Trade and Development (UNCTAD), only 58 percent of countries have data protection and privacy legislation. Other countries have legislation in draft form (10 percent) or no legislation at all (21 percent).

Regulation in the US Is a Group of Laws, Not One Comprehensive Law

Within the U.S., there are various legal protections in place to preserve data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects your health data and the Family Educational Rights and Privacy Act (FERPA) guards against the disclosure of student-related data such as immunizations. For children, there is the Children’s Online Privacy Protection Act (COPPA) that protects the data of children under 13.

According to the National Conference of State Legislatures, about 25 states have their own data security regulations. These laws require private-sector entities and/or government agencies to “implement and maintain reasonable security procedures and practices.”

National Data Privacy Law Is Currently Under Consideration

On February 22, 2019, the House Consumer Protection and Commerce Subcommittee met to work out how to accomplish a comprehensive data privacy law. Unfortunately, the lawmakers were not able to agree on how to reach this goal, so such a law is a still a work in progress.

Over time, however, it may be possible to pass a national, comprehensive law that provides data privacy for people of all ages. It should include strict penalties for violators who knowingly fail to comply with the law while at the same time not stifling businesses.

Lawrence D. Dietz, JD, MSS, a School of Security and Global Studies faculty member at American Military University, believes that such a law might be feasible one day. He says, “It is possible to have a more general law, one that specifies today’s Personally Identifiable Information (PII) and Personal Health Information (PHI) in particular.”

He adds, “An appropriate national law could also incorporate the Data Subject rights found in the GDPR, which are frankly an expression of common sense. The person who the data is about should know why it’s being used, have the ability to object to that use and the ability to correct false data.

“The law could spell out the burden on the organization that is using/storing the data (the data processor in the GDPR) and a minimum level of cybersecurity. It would be appropriate to require a higher level of care by those organizations that are fiduciaries and health care providers. This law would certainly benefit the U.S. and improve its standing at a potential data transfer partner.”