October 9 2015 - For any cybersecurity or privacy expert coming to work in the United States (US) from the European Union (EU), there are some key differences in privacy and security matters to keep in mind. Privacy laws and cybersecurity regulations differ greatly between the EU and the US, as does the overall attitude toward privacy and personal data in the two territories. Understanding the fundamental differences will help you navigate the move successfully, whether you are an individual coming to work for a company in the US, an EU company looking to expand into the US market, or an entrepreneur launching a cybersecurity business in the US.
Under the current legal scheme in the EU, the laws are not entirely uniform. The European Data Protection Directive sets a 'floor' to which Member States must adhere, and each may (and most have) enact additional laws above and beyond the measures the Directive requires. Nonetheless, there is a single body of law that specifically addresses privacy and data security requirements. The existence of the Directive, soon to be replaced by the EU General Data Protection Regulation (GDPR), means that, in general, there is one place that companies, individuals and organizations may look to for privacy and security laws and regulations.
By contrast, in the US, privacy laws are by and large sector based. Instead of consulting one federal statute to determine what privacy and security measures must be implemented by those who collect, use or process personal data, you will find a variety of laws, each with its own privacy component. The healthcare industry has specific regulations that address privacy and security concerns (under HIPAA). Similarly, the financial services industry has its own set of privacy and security regulations (under the Gramm-Leach-Bliley Act). Several other federal laws geared to specific industries or activities also contain a privacy component, including a number of communications-related statutes: the Wiretap Act, the Do Not Call Registry rules, the CAN-SPAM Act, the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. On top of these sit a variety of state privacy laws and state breach notification laws.
In short, there is no one place to look in the US for guidance on privacy and security, but rather a multitude of statutes, regulations and state laws. Apart from the laws themselves, the approach to personal data diverges between the EU and the US. At its essence, personal data is at the core of the majority of privacy and security laws. In the EU, personal data is treated as belonging to the data subject, regardless of who collects or stores it: the individual has enforceable rights in and to that data. In the US, individuals are not necessarily considered the owners of the data about them. Instead, the companies that collect and store that data have been treated as its owners, and indeed organizations have built, and continue to build, business models on the collection, manipulation and sale of data about others. This view of personal data seems to be changing in the US; however, the fundamental view remains that personal data is a commodity, not a personal right.
As data grows exponentially, how to handle it, contain it, analyze it, secure it and ultimately dispose of it is becoming a booming industry in the US, as elsewhere in the world. If you are coming to work for a company in the US, be very clear about expectations, time-frames, budget and human resources. Unless the company is in a regulated industry or operating under a consent agreement, privacy and information security tend to be seen as preventative and optional, not mandatory. You may encounter more restrictions and resistance than you would expect.
If you are coming to establish a US branch of an EU company or to launch an independent company with security expertise, make sure you have a clear understanding of US privacy laws and security requirements, as well as a clear marketing campaign and target audience. In the US you will have to make a compelling case for placing privacy restrictions on the use of personal data and for investing in the means to secure it.
Among the other professionals from whom you should seek guidance before the trans-Atlantic move are a tax attorney who understands US tax laws and how they interact with the tax laws in your home jurisdiction, so that you establish the appropriate corporate entity; an employment attorney who can advise on US employment laws and requirements; and an immigration attorney.
Maia T. Spilman is an Information Privacy and Intellectual Property Attorney. She helps corporate clients understand the legal obligations connected to the electronic information companies collect, use and maintain, and then guides them in implementing appropriate safeguards to reduce potential liability related to personal and sensitive information.
Maia works with companies in the pharmaceutical, technology and entertainment industries. As a transactional attorney, she structures and negotiates all types of agreements. A seasoned attorney, Maia has had her own practice for over a decade and has worked as in-house counsel with a variety of companies.
Maia is a member of the Information Technology Law Committee of the New York City Bar Association, serves on the Board of Directors of the Musicians Foundation and is the Regional Chapter Co-Chair of her law school's New York chapter.
She received her J.D. from Northeastern University in Boston, her Bachelor of Arts degree in English and Fine Arts from Syracuse University and attended the High School of Music & Art in New York City (the 'Fame' school). Music, sailing, running and travel are among her passions.