Personal data protection in the US


The human right to privacy, the inviolability of personal life, includes the right to have one's personal data protected from unlawful use and disclosure. This area is regulated differently in the United States and in the European Union, whose model Russia adopted. American legislation is in places significantly stricter, particularly in the laws adopted at the level of individual states. The standards that must be implemented to protect personal data are more advisory in nature, and compliance with them is ensured mainly through the courts.

Federal and state legislation

The country has two levels of legal regulation for any significant relations: the federal level and the state level, where law-making powers under the US Constitution are very broad. At the national level there is no systematic regulation of the right to personal data protection as such. Two normative acts define the responsibilities of government bodies in this area, without addressing the rules for the processing of citizens' personal data by operating companies. The Privacy Act of 1974 and the Privacy Protection Act of 1980 apply only to federal authorities. Because they contain technical rules governing data confidentiality, companies can use them as guidelines for organizing their own activities; but in a dispute over the protection of personal data, a court is more likely to turn to case law than to these acts.

The legislation of the US states, which are fully autonomous in their law-making, often turns out to be far more specific and stricter than federal law. California has one of the most striking privacy and security laws. It applies only to operating companies that collect personal data from Internet users. Every person using their services now has the right to know:

  • what information providers and other Internet companies collect about them;
  • for what purpose this information is collected;
  • how it will be used.

Users of Internet services have acquired the right to demand that this data be deleted or to prohibit its transfer to third parties for any purpose. This rule is to some extent analogous to the Russian one that allows an individual to withdraw consent to the processing of personal data, with one exception: American data subjects never gave such consent in the first place, and the information collected by companies relates largely to users' Internet activity. Such a strict level of regulation, if California residents enforce the law on a large scale, can cause serious damage to Internet companies. In addition, California law sharply limits operators' rights to collect personal data of minors and transfer it to third parties.

The only relief for Internet companies is that the law takes effect only in 2020. This gap gives operators time to prepare and adjust their business processes. The impetus for the law was the disclosure that Cambridge Analytica, a company whose business was built on data about Internet users, had improperly used information about several tens of millions of people. The law will apply to all legal entities located in California, and since Silicon Valley is located there, it will have a far greater impact on the development of the Internet industry than if it had been passed in any other state.

U.S. Privacy Standards

The laws in force in America cannot cover the entire legal field of personal data protection. The same model operates in Russia, where application of the law is ensured by numerous bylaws adopted at the government and FSTEC level. In America, the two federal acts do not cover the standards and parameters that govern the requirements for automated personal data protection systems. Since securing information during storage and processing requires additional detailed regulation, similar to what the FSB and FSTEC provide in Russia, American operators are directed to the recommendations issued by the National Institute of Standards and Technology (NIST). This organization publishes normative documents comparable in nature to Russian GOST standards.

In the field of personal data protection there is guideline SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", first presented to US personal data operators as a draft in 2009 and finalized in 2010. It describes the systemically important norms and rules concerning measures of the following nature:

  • organizational;
  • technical;
  • legal.

In addition, the guideline explains how to apply US federal law correctly and gives examples of implementing various measures to protect personal data. The US recommendations differ radically in character from the FSTEC orders in force in Russia, which contain a rigid list of organizational and technical measures, basic and compensating, as well as strict requirements for certification and attestation of both the system itself and the software used, the means of cryptographic protection and other required hardware. American developers of personal data protection systems start from a different basic concept. In the United States, the emphasis is on systematic training of employees in the basic and special rules for working with confidential information. This reflects greater trust in employees and in their sense of responsibility and law-abidingness than in Russia, where restricting access to personal data is treated as the only viable way to protect it. That is due not so much to legal nihilism among the employees of Russian companies as to their readiness to share confidential information, including personal data whose value they do not understand, on the basis of friendly and social ties.

In the United States, a trained employee must know and be able to apply in practice:

  • how to recognize that a processed data set contains personal data;
  • federal and state data protection requirements;
  • the existing restrictions on the collection, processing, storage and use of personal data of various categories;
  • the level of liability for unlawful handling of data;
  • data protection obligations;
  • rules for the safe handling of storage media;
  • the actions to take on detecting violations related to the processing and protection of personal data.

Further, whereas in Russia the operator is required to develop local regulatory acts, which often amount to a set of rules retelling the government decrees and FSTEC orders in force in this area, in the United States the operator needs to create a flexible personal data management policy prepared in accordance with the NIST recommendations. This policy should detail the principles of:

  • granting access rights to personal data;
  • basic requirements for storing it on servers and in databases;
  • requirements for how the operator's employees respond to information security incidents, and the rules for remediating them;
  • restrictions on any form of personal data circulation, including use and distribution.

There is one more systemic difference between the Russian and American regulatory models. In the United States there are recommendations to minimize the personal data processed and to de-identify it as far as possible, which makes it difficult to identify a specific person and to obtain any other information about their life, property or health. If information about a specific individual cannot be extracted from the overall data set, its misuse or dissemination becomes significantly harder.
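As an added illustration of that minimization and de-identification point (example code written for this page, not taken from NIST SP 800-122, from any regulator or from any vendor product), the Python below takes a constructed customer record, drops direct identifiers, replaces the customer ID with a keyed pseudonym, generalizes quasi-identifiers (date of birth to year, ZIP code to its first three digits) and masks SSN and e-mail patterns that leak into free-text fields. The field names, the record contents and the PSEUDONYM_KEY value are assumptions made for the example; a real deployment would keep the key in a key management system. The `contains_direct_identifier` function is a minimal version of the earlier training point that staff must be able to recognize when a data set contains personal data.

```python
import hashlib
import hmac
import re

# Assumed per-deployment secret (constructed for this example). In production it
# lives in a KMS/HSM; whoever holds it can link pseudonyms back to real IDs.
PSEUDONYM_KEY = b"example-pseudonym-key-not-for-production"

# Direct identifiers: removed outright from any de-identified copy.
DIRECT_IDENTIFIERS = {"name", "email", "ssn", "phone", "street_address"}

# Patterns for PII that tends to leak into free-text fields.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize(identifier: str) -> str:
    """Keyed, one-way pseudonym: same input -> same token, so records stay linkable
    across data sets, but without the key the token cannot be turned back into the
    ID (an unkeyed hash of a short ID would be reversed by simple enumeration)."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()[:16]


def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit ZIP prefix, enough for regional statistics."""
    return zip_code[:3] + "**"


def generalize_dob(dob: str) -> str:
    """'YYYY-MM-DD' -> 'YYYY': a birth year alone identifies far fewer people."""
    return dob[:4]


def mask_free_text(text: str) -> str:
    """Replace SSN and e-mail patterns inside free text with placeholders."""
    return EMAIL_RE.sub("[email]", SSN_RE.sub("[ssn]", text))


def contains_direct_identifier(record: dict) -> bool:
    """Minimal 'does this data set contain personal data?' check: looks for SSN or
    e-mail patterns in any string value, including free-text notes."""
    return any(
        isinstance(v, str) and (SSN_RE.search(v) or EMAIL_RE.search(v))
        for v in record.values()
    )


def deidentify(record: dict) -> dict:
    """Produce a minimized, de-identified copy of one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                              # drop, do not merely mask
        if field == "customer_id":
            out[field] = pseudonymize(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "dob":
            out[field] = generalize_dob(value)
        elif isinstance(value, str):
            out[field] = mask_free_text(value)    # catches PII pasted into notes
        else:
            out[field] = value
    return out


# Constructed sample record (fictional data) for the example.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "dob": "1984-07-19",
    "zip": "94103",
    "plan": "premium",
    "support_note": "Asked to change e-mail to jane.doe@example.com; SSN on file 123-45-6789",
}


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("PII left behind:", contains_direct_identifier(cleaned))
```

Two design points matter here. The pseudonym is an HMAC rather than a plain hash because customer IDs have little entropy: a plain SHA-256 of "C-10042" is reversed by hashing every plausible ID, whereas the keyed version can only be linked back by whoever holds the key, which is exactly the access-control boundary the policy should describe. And the free-text pass is what turns a field-level policy into a data-level one: the direct-identifier columns are the easy part, the support note is where the SSN actually leaks. Generalization of quasi-identifiers reduces but does not eliminate re-identification risk, so a released data set still needs a check that each combination of year, ZIP prefix and plan is shared by enough people.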

After the policy describes the backbone aspects of personal data protection, namely the requirements for personnel qualifications and knowledge, it must describe the measures in force in the particular operating company to protect confidential information. Among the protection measures applied are:

  • auditing of information security incidents;
  • management of employee access to data sets;
  • methods of identifying and authenticating the employees authorized to process personal data;
  • measures for handling physical storage media, including their labeling, storage and the rules for moving them within the operator's premises and outside them;
  • protection of data in transit by encryption;
  • monitoring of the performance of the personal data protection system.

A significant drawback of the US personal data protection model is that it cannot be fully implemented in small companies. They cannot afford to spend serious money on staff training and on developing documentation, yet they strive to do so, since there are requirements under which these obligations apply to them as well. The practice of personal data protection used in the United States gives an individual operator more freedom in choosing its means of protection. But the American judicial system allows multimillion-dollar claims for data protection violations. Such claims are granted, and this financial leverage disciplines operators and raises their responsibility for protecting confidential information far more than administrative enforcement measures do.

Personal data protection in the United States relies on greater operator freedom and greater trust in employees than in Russia. But this regulatory model is far from always optimal. The terrorist attacks on the World Trade Center led to a revision of the security system; now the country's administration is more interested in the ability to obtain instant and unhindered access to personal databases than in their protection. Time will show how American legislation develops in the face of the growing threat of cyberterrorism.