In the old continent the laws are very clear to privilege the privacy of user data over any other interest. The Protection Regulation Data Protection Regulation (GDPR) came into force in May 2016 and since that time a large number of changes have been generated with the intention of preserving data security, despite technological advances.
For United States protection The protection of user data on the Internet has not yet been the subject of major regulations. In this country, the priority is still national security over the ownership of citizen privacy.
In North America, data are protected by three laws: Health Insurance Portability and Accountability Act enacted in 1996 to preserve individual medical information, making it available only to treating health care professionals; the federal Fair and Accurate Credit Transactions Act, enacted with the intent of safeguarding consumer credit information and preventing fraud associated with data theft; and the United States Children's Privacy Protection Act, created to protect the privacy of young people under 13 years of age on the web.
New scope of data protection
However, the GDPR has action on any company or individual. offering goods or services to any citizen of the European Union, regardless of where in the world the company or individual is located. The regulation also does not distinguish whether a commercial transaction took place between the company and the customer or not. It also applies to those who monitor online behavior in the case of actions carried out in the European Union.
The regulation specifies that its measures protect fundamental rights and freedoms. of European citizens, particularly the guarantee of personal data protection. However, it clarifies that the free movement of personal data is neither restricted nor prohibited.
In Europe, institutions have been created to monitor and regulate compliance with established laws that have a general scope.. For its part, the United States has not defined any authority with similar powers and cases are resolved individually in the corresponding courts.
Another marked difference between the two systems of protection lies in the fact that in the old continent the focus of the regulations is preventive, avoiding the infringement of users' rights. In the American country, the approach is purely one of action, since the authorities become involved once the law has been violated.
A protective shield for both visions
Between 1998 and 2000, principles were developed with the aim of unifying in some way the actions of the United States and Europe with regard to data protection, taking into account that both regions maintain important commercial and information exchanges via the Web. U.S. companies handling user data relied on these principles:
- Notification: consumers had to be notified about the collection of the data and its final destination.
- ElectionUsers may have the option to opt out of data collection and transmission to third parties.
- TransferIndividuals must be able to transfer, if they wish, their data to other institutions.
- SecurityData security protocols must be constantly reinforced.
- Data integrityThe collection of data must respond to a specific purpose.
- AccessThe information collected about them should be accessible to users, and they can change it if they wish to do so.
- ApplicationThe appropriate systems must be generated for the application of all these principles mentioned above.
A common protection framework
To address the legal differences between the two regions, the European Union and the United States reached an agreement called Privacy Shield.. This personal data protection framework came into force in 2017 and in it both parties commit to develop a data transfer that protects users' privacy. Unlike the previous agreement called Safe Harbor, in the Privacy Shield, U.S. companies that process or store data of European citizens have more responsibilities to comply with.
These new measures include the obligation and collaboration with the European authorities when it comes to protecting user data. In that sense, companies must inform users about the data they are collecting and providing to the authorities. Likewise, the United States cannot make indiscriminate use of this personal information. Any arbitrariness in this regard will be dealt with in the corresponding courts.
The privacy agreement is reviewed annually to make the necessary modifications to adapt to current market realities.