October 9 2015 - For any cybersecurity or privacy expert coming to work in the United States (US) from the European Union
(EU), there are some key differences in privacy and security matters to keep in mind. Privacy laws and cybersecurity regulations differ greatly
from the EU to the US. Also diverging is the overall attitude about privacy and personal data in the two territories. Understanding the fundamental
differences will help you successfully navigate a move, whether you are an individual coming to work for a company in the US, an EU company looking
to expand into the US market, or an entrepreneur launching a cybersecurity business in the US.
Under the current legal scheme in the EU, the laws are not uniform. The European Data Directive is a 'floor' to which Member States
must adhere, and each may promulgate (and most have promulgated) a variety of laws above and beyond the required measures in the Data Directive. However,
there is a body of law that specifically addresses privacy and cybersecurity requirements. The fact that there is a Data Directive, soon to be
replaced by the EU General Data Protection Regulation (GDPR), means that in general, there is one place that companies, individuals and
organizations may look to for privacy and security laws and regulations.
By contrast, in the US, privacy laws are by and large sector based. Instead of going to one particular federal statute to determine
what privacy and security measures must be implemented by those who collect, use or process personal data, there are a variety of laws which include
a privacy component. The healthcare industry has specific regulations that address privacy and security concerns. Similarly, the financial services
industry also has a set of regulations to follow relating to privacy and security concerns. There are several other federal laws geared to
specific industries which contain a privacy component - such as several communications-related acts: Wire Tap, Do Not Call Registry, the
CAN-SPAM Act, the Children's Online Privacy Protection Act, Federal Credit Reporting Act and a variety of State laws and State breach notification
In short, there is no one place to look in the US for guidance on privacy and security but a multitude of statutes, regulations and
state laws. Apart from the actual laws, the approach to personal data diverges from the EU to the US. At its essence, personal data is at the core
of the majority of privacy and security laws. In the EU, personal data is treated as property of the data subject, regardless of who collects it or
stores it. The individual person has rights in and to that data. In the US, individuals are not necessarily considered the owners of the data about
them. Instead, the companies who collect and store that data have been treated as the owners of that data and indeed, organizations have and
continue to create business models based on the collection, manipulation and sale of data about others. This view of personal data seems to be
changing in the US; however, the fundamental view on personal data is that it is a commodity, not a personal right.
As data grows exponentially, how to handle it, contain it, analyze it, secure it and ultimately dispose of it is becoming a booming
industry in the US, as elsewhere in the world. If you are coming to work for a company in the US, be very clear about expectations, time-frames,
budget and human resources. Unless the company is in a regulated industry or under some consent agreement, privacy and information security
tend to be seen as preventative and optional, not mandatory. You may encounter more restrictions and resistance than you would expect.
If you are coming to establish a US branch of an EU company or to launch an independent company with security expertise,
ensure you have a clear understanding of US privacy laws, security requirements and a clear marketing campaign and target audience. In the US you
will have to make a compelling case for privacy restrictions on the use of personal data and on the ways to secure it.
Among the other professionals from whom you should seek guidance before the trans-Atlantic move are a tax attorney with an
understanding of US tax laws and how they comport with the tax laws in your jurisdiction so that you establish the appropriate corporate entity,
an employment attorney who can provide guidance on employment laws and requirements in the US and an immigration attorney.