Protection of personal data in the United States

The human right to privacy and the inviolability of personal life includes the right to have one's personal data protected from unlawful use and disclosure. Regulation in this area differs between the United States and the European Union. American legislation is sometimes substantially stricter, especially the regulations adopted at the level of individual states. The standards that must be implemented to protect personal data are largely advisory in nature and are enforced through the courts.

Federal and Regional Legislation

The country has two levels of legal regulation of any significant relationship: the federal level and the state level, whose lawmaking authority under the U.S. Constitution is very broad. At the federal level, there is no systematic regulation of the right to protection of personal data as such. Two normative acts have been adopted that define the obligations of public authorities in this area without touching the norms governing the processing of citizens' personal data by data processing companies. The Privacy Act of 1974 and the Privacy Protection Act of 1980 apply only to federal agencies. Since they contain technical rules governing data privacy, companies may use them as guidelines for their operations, but in disputes related to the protection of personal data a court is more likely to turn to case law than to these acts.

U.S. state law, completely autonomous in its legal creativity, is often substantially more specific and stringent than federal law. One of the most striking regulations governing this area and privacy has been adopted in the state of California. It applies only to operator companies collecting personal data on Internet users. Now every person using their services has the right to know:

  • exactly what information about them is collected by ISPs and other Internet companies;
  • the purpose for which this information is collected;
  • how it will be used.

Users of Internet services have gained the right to demand the destruction of this data or to prohibit its transfer to third parties for any purpose. This rule is somewhat analogous to rules in other countries that allow individuals to withdraw consent to the processing of personal data, with one exception: U.S. data subjects never provided such consent in the first place, and the information companies collect is mostly related to users' online activity. Such a stringent level of regulation, if enforced en masse by California residents, could cause serious losses for Internet companies. Additionally, the California law minimizes the rights of operators to collect the personal data of minors and share it with third parties.

The only thing that makes life easier for Internet companies is the fact that the law will not take effect until 2020. This time gap will give operators the opportunity to prepare and optimize their business processes. The impetus for the law was the revelation that Cambridge Analytica, a company whose business was the storage of Internet users' data, misused information about several tens of millions of people. The law will apply to all legal entities based in California, and because Silicon Valley is located there, it will have a much greater impact on the development of the Internet industry than if it had been adopted in any other state.

U.S. standards for the protection of personal data

The laws in force in America cannot completely cover the entire legal field related to the regulation of personal data protection. In other countries the same model applies: application of the law is ensured by the adoption of numerous bylaws at the government and FSTEC level. In America, the standards and parameters governing the requirements for automating personal data protection systems are not covered by the two federal acts mentioned above.

In the area of personal data protection, Guideline No. SP 800-122 is in effect; it was first presented to American personal data operators in 2009. It describes all the systematic rules and regulations relating to the following measures:

  • organizational;
  • technical;
  • legal.

In addition, the guideline explains how to properly apply the rules of U.S. federal law and provides examples of implementing and enforcing various measures for the protection of personal data. The recommendations adopted in the United States are of a fundamentally different nature from the current FSTEC orders, which contain an extremely strict list of organizational and technical measures, basic and compensatory, as well as strict certification and attestation requirements for the system itself, the applied software, cryptographic protection means and other necessary hardware solutions. U.S. developers of personal data protection systems apply a different basic concept: the emphasis is placed on systematic training of employees in the basic and special standards for handling confidential information. This demonstrates greater confidence in employees and in their understanding of responsibility and compliance with the law than in other countries, where the only recognized way to protect personal data is to restrict access to it.

In the U.S., an employee who has been trained must know and be able to apply the following rules in practice:

  • how to recognize that the information being processed contains personal data;
  • the current data protection requirements of federal and state laws;
  • the existing restrictions on the collection, processing, storage, and use of various categories of personal data;
  • the level of liability for data mishandling;
  • data protection obligations;
  • rules for the safe handling of data carriers (storage media);
  • the actions to be taken when breaches related to the processing and protection of personal data are discovered.

In the U.S., there is a need for a flexible personal data management policy, prepared in accordance with NIST recommendations. This policy should detail the principles of:

  • entitlement to access personal data;
  • the basic requirements for its storage on servers and in databases;
  • requirements for the operator's staff response to information security incidents and the regulations governing their resolution;
  • restrictions on any form of personal data circulation, including its use and distribution.

There is another systemic difference in the American model of regulation. In the U.S. there are recommendations to minimize the processing of personal data and to de-identify it as much as possible, which makes it difficult to identify a specific person and obtain any other information about their life, property and health. The inability to extract information about a specific person from the total dataset makes it much more difficult to misuse or distribute.
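As an added illustration of the minimization and de-identification principle described above (this is example code, not part of the original article or of SP 800-122), the block below drops fields the analysis does not need, replaces the direct identifier with a keyed pseudonym, and generalizes ZIP code and date of birth. The records, the key and the choice of ZIP3 / ten-year age bands are constructed assumptions for the demonstration.

```python
import datetime as dt
import hashlib
import hmac

# Constructed sample records; no real persons.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "email": "jane@example.com", "ssn": "123-45-6789",
     "zip": "94103", "dob": "1984-06-02", "diagnosis": "flu", "clicks": 42},
    {"name": "John Roe", "email": "john@example.org", "ssn": "987-65-4321",
     "zip": "10001", "dob": "1990-11-20", "diagnosis": "none", "clicks": 7},
]

# Minimization: only these fields reach the analytics dataset; all others are dropped.
KEEP = ("zip", "dob", "diagnosis", "clicks")
# The one direct identifier kept for linking records, replaced by a pseudonym.
LINK_FIELD = "email"
# Hypothetical pseudonymization key; in practice held separately from the dataset.
DEMO_KEY = b"constructed-demo-key-rotate-me"

def pseudonym(value, key):
    """Keyed HMAC-SHA256 token: stable for the same input, not recomputable without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def generalize_zip(zip_code):
    """Keep the 3-digit ZIP prefix only (coarser geography, smaller re-identification risk)."""
    return zip_code[:3] + "**"

def age_band(dob, today):
    """Replace an exact birth date with a ten-year age band."""
    born = dt.date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def deidentify(record, key, today):
    """Produce the minimized, pseudonymized, generalized record."""
    out = {"subject_id": pseudonym(record[LINK_FIELD], key)}
    for field in KEEP:
        if field == "zip":
            out["zip3"] = generalize_zip(record["zip"])
        elif field == "dob":
            out["age_band"] = age_band(record["dob"], today)
        else:
            out[field] = record[field]
    return out

def leaks_direct_identifier(original, deidentified):
    """Check that no raw name, e-mail, SSN or birth date survives in the output."""
    direct = (original["name"], original["email"], original["ssn"], original["dob"])
    return any(v in str(deidentified) for v in direct)
```

Whoever holds the pseudonymization key can re-link records, so the key belongs with the access-control and incident-response rules the policy describes, not alongside the dataset.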

Once the policy describes the systematic aspects of personal data protection, namely the requirements for staff qualifications and knowledge, it must describe the measures for the protection of confidential information in the particular operator company. The protection measures in place include:

  • auditing information security incidents;
  • managing employee access to information arrays;
  • methods of identification and authentication for employees with access to personal data processing;
  • measures for handling tangible information carriers: their marking, storage and the regime for moving them within and outside the premises occupied by the operator;
  • protecting data in transit by means of encryption;
  • monitoring the effectiveness of the personal data protection information system.

A significant disadvantage of the personal data protection model used in the U.S. is that it cannot be fully implemented in small companies. They cannot afford to spend serious money on training personnel and developing documentation, yet they are expected to do so, since there are requirements under which these duties apply to them. U.S. practice gives the individual operator more freedom to choose the means of protecting personal data. But the U.S. court system allows multi-million dollar lawsuits for data protection violations. Such suits succeed, and this financial leverage disciplines operators and increases their responsibility for protecting personal information far more than administrative coercive measures do.

Personal data protection in the U.S. relies on greater freedom for the operator and greater confidence in its employees. But this model of regulation is by no means always optimal. The terrorist attacks on the World Trade Center led to a review of the existing security system; now the administration is more interested in getting instant and unfettered access to databases of personal data than in protecting them. Time will tell how U.S. law will evolve in the face of the growing threat of cyberterrorism.