The U.S. Senate Committee on Banking, Housing and Urban Affairs considered testimony on the collection, use, and protection of personally identifiable information in light of the EU's General Data Protection Regulation ("GDPR"). GDPR enumerates rights to privacy notices, data access, data rectification, objection to processing, the withdrawal of consent for processing, objection to automated processing, data erasure and data portability.

Peter H. Chase, Senior Fellow at the German Marshall Fund of the United States, stated that GDPR was created to enforce a single approach to data protection, rather than a sectoral one, and to address the monetization of personal data. He stated GDPR emphasizes activities concerning large amounts of personal data, and said that while GDPR is "very prescriptive," few data processing activities are prohibited. He also noted that Data Protection Authorities will have discretion over how they handle complaints.

Maciej Ceglowski, the founder of a for-profit data collection archiving service, stated that GDPR is based on an outdated notion of data, in which individuals own their own data and can choose to either share or revoke access. Mr. Ceglowski said that obtaining informed consent is "not possible," since an individual would have to read extensive privacy policies on each website that he/she is attempting to access. Additionally, Mr. Ceglowski noted that the debate over consent will soon be made irrelevant by machine learning and predictive inference. He said that companies already have so much data that they can make assumptions with "astonishing accuracy," without further mining personal data.

Based on the implementation of GDPR, Mr. Ceglowski advised the Committee to ensure that:

  • users and companies both can easily understand privacy regulation;
  • privacy regulation will not punish anyone for seeking privacy;
  • there are retention limits on behavior data;
  • GDPR's "right to download" is expanded to include all information that third-party data brokers have on a user;
  • privacy regulation is uniform across all industries to ensure equal competition; and
  • privacy regulations preserve liberty and do not hinder innovation.

Jay Cline, United States Privacy and Consumer Protection Leader for PricewaterhouseCoopers LLC, offered perspective on the experience of United States financial institutions with GDPR over the last three years. Generally, he said "it is an experience marked by large-scale technical and organizational change to afford new privacy rights to EU residents in an evolving regulatory environment."

On GDPR, Mr. Cline offered the following observations:

1. Consumers most often exercised their GDPR rights to access, erasure and objection over the use of their information for marketing.

2. GDPR's "right to erasure" introduces complications under U.S. regulation due to requirements concerning fraud prevention, cybersecurity, anti-money laundering, terrorist watchlists and litigation matters.

3. Strong authentication is necessary for "right of access" requests, and yet GDPR limits companies' ability to store enough information to achieve that level of authentication (e.g., a name and e-mail address alone are not adequate for authentication purposes).

4. The distinction between primary and secondary data controllers, which GDPR currently leaves unclear, must be clarified.

5. GDPR's fines (potentially four percent of global revenues for violations) initially motivated companies to prepare for GDPR, but after none of the enforcement actions approached the maximum penalty amount, the pressure to remain in compliance decreased.

6. U.S. financial industries need a formalized approach to data governance because personal data moves across vertically structured financial institutions.

7. GDPR has not achieved total harmonization across EU member states.
