Over the past few weeks, you’ve most likely received a number of emails from businesses that highlight their efforts to comply with the General Data Protection Regulation (GDPR). And if you live in the EU, your inbox has been stuffed with requests to verify your communication preferences and notifications about updates to privacy policies.
While much of the current noise around GDPR relates to individuals who live in Europe, Alex Stern, founder and CEO of Attorney IO, who earned a law degree from UC Berkeley School of Law, points out that the EU’s regulations could cross paths with the U.S. in the future. Data, after all, is transmitted across borders every day, and the blurred boundaries of the digital landscape mean that judges must pay attention to what’s happening around the world. “It’s becoming increasingly common for courts on different continents to intersect in the era of connectivity,” Stern told PCMA.
Stern penned a piece on the potential implications of GDPR that points to the possibility of a future clash between the new European rules and a landmark piece of legislation in the U.S.: the Civil Rights Act of 1964. “The biggest source of potential controversy is whether it is illegal under U.S. law to give GDPR rights to immigrants from the EU and not to everyone,” he wrote. According to Stern, a U.S. citizen could claim that if GDPR rights are extended to anyone in the U.S., those same rights should be extended to him or her. “The Civil Rights Act of 1964 bans discrimination on the basis of national origin in places of public accommodation,” Stern said. “These public accommodations are sometimes ruled to include websites.”
Rather than focusing solely on giving enhanced data protections to citizens in the EU, Stern believes it may be wise to proactively embrace those guidelines for all customers, users, and attendees — no matter where they call home. While it may take some time to see a case connecting the dots between discrimination and data policies, Stern believes the risks of giving one political body stronger rights than others are quite high. “Cautious Internet organizations are encouraged to avoid discriminating against their users in the provision of the rights outlined in the GDPR,” Stern wrote. “If that means someone from New York has equal rights to data privacy as someone from Spain, it seems like a reasonable cost compared to a discrimination lawsuit.”
Stern said that reconciling those different laws from different places is often referred to as choice of law. “In choice of law, there are typically two completely conflicting laws from different jurisdictions,” Stern said. “So the judge must determine which law applies. The unique thing about looking at GDPR and the Civil Rights Act is that these two laws aren’t actually in conflict at all.”
Stern’s perspective makes it clear that there are still plenty of questions about how the law will shape the future. What will be the first business to incur a fine for failure to comply with the guidelines? Will online users in other parts of the world start to demand similar protections from their governments? For now, Stern recommends that all organizations should embrace a new perspective on the value of information.
“Two years ago, everyone in Silicon Valley looked at data as an asset,” Stern told PCMA. “You need to view data as both an asset and a responsibility. It can quickly become a liability.”