October 12, 2017
The US might be a world leader in innovation, but its regulators have been slow to adapt to rapid changes in the digital economy – leaving the EU to draft effective privacy rules in their stead. The Equifax data breach is only the most recent example of why American authorities need to catch up, and fast.
In September it was revealed that one of the ‘Big Three’ credit reporting companies had been exposed to the worst cyber security incident in history, affecting 143 million people in the US, Canada, and Britain. Similarly, Yahoo announced that all of its three billion email accounts were hacked in a 2013 data theft. These two events laid bare the extent to which the US regulatory environment is still miles behind the EU when it comes to issues of online privacy, data protection, and corporate responsibility.
Many Europeans, as a result of bitter historical experiences – particularly in Germany – are acutely sensitive to interference in the personal sphere. It is therefore unsurprising that the EU has introduced tough online privacy laws, such as the ‘right to be forgotten’ scheme. Nevertheless, and paradoxically, Europeans are less sceptical than their American counterparts towards government oversight. Unlike in the US, consumers in the EU expect authorities, not corporations, to prevent calamities such as the Equifax and Yahoo scandals.
As a result, the EU will soon implement its new General Data Protection Regulation (GDPR) as a way to prevent incidents like the Yahoo breach from happening and deal with their aftermath. Due to come into force next May, the GDPR will govern how firms store personal data, putting the onus on them to report breaches within 72 hours. Failure to do so will result in fines of either 4% of global revenue, or €20 million, whichever is higher.
It’s clear that many US firms are woefully underprepared for the EU’s new regulations. Some are worried about the extra costs and the potential impact on their business models. Others believe the new rules will be unenforceable. But flouting the regulations for whatever reason would be a mistake. Failure to implement the GDPR could mean exclusion from a highly lucrative market of more than 500 million consumers, one that digital firms cannot pass over. Indeed, adapting quickly to the rules could mean competitive advantages in the long term, given that European consumers place special value on transparency and integrity.
In addition to setting the standard on online privacy, both the EU and individual European countries have been actively crafting other digital regulations. The EU-US ‘Privacy Shield’ – itself a successor to the International Safe Harbour Privacy Principles – is an initiative to govern transatlantic data access. EU regulators have also sought to increase supervision over fintech firms while Irish authorities are seeking to alter Facebook’s procedures on privacy. Underlying all this, and despite the lack of major home-grown tech giants, is the suspicion by the EU that the US – and its GAFA ecosystem – are doing too little to protect consumers. As a result the EU is now the world’s ‘de facto privacy regulator’.
Even small European states like Malta have been leading on consumer protection efforts, not only when it comes to privacy but also regulation of new digital industries – such as online gambling. The industry as a whole is now worth $44.5 billion, having doubled in size over the past 10 years, and 50% of its global revenues come from Europe, where regulations are more expansive. Malta, which derives more than 12% of its GDP from online gaming, has set the bar by proactively setting up new institutions, such as the Player Protection Unit, to help protect consumers, address their complaints, and help them self-exclude from gaming websites if necessary.
As a result, Malta’s proactive approach to consumer protection in the online gaming industry has helped attract a disproportionate number of players to its relatively small market. The initiative has engendered economic dividends not only for gaming companies’ revenues, but also for the state’s coffers – showing the benefits of what can happen when corporations buy in to innovative regulations designed to protect end users. Buoyed by the industry, real GDP growth for 2017 is estimated at 6.5%, up 1.5 percentage points from last year’s performance.
The tiny Baltic state of Estonia, too, which currently holds the EU’s rotating presidency, has been leading on digital regulatory issues. Tallinn, which already offers most government services online and has made ‘e-citizenship’ available for aspiring entrepreneurs, is a major backer of incorporating digitalisation into the European Commission’s electricity market design proposal. Estonian officials have called for using smart meters to share consumption data with their energy providers, while emphasizing the importance of proper data protection.
To be fair, the US has made some attempts to enact greater consumer protections and reform privacy laws – but many remain stalled. For instance, the Obama administration proposed a Consumer Privacy Bill of Rights, yet it remains frustrated after years of wrangling. It is highly unlikely that the Republican-dominated Congress – unable to pass any law, let alone one that increases government power – will pursue this issue.
In the meantime, with domestic legislation on these issues still lacking, American companies will have no choice but to comply with the GDPR and other EU legislation if they want to reap the benefits of accessing the vast European single market. And though they might do so reluctantly, American firms will probably be forced to apply the same higher standards to all consumers’ data – whether European or not – to avoid extra work. In the long term, however, US authorities will have to raise their waning standards on consumer protection if the country wants to retain its preeminent position in the digital economy.
Meredith Smith