American Data Privacy Enforcement: Is it Actually Good?
Thanks to how progressive and ambitious the GDPR was when it came into effect in 2018, as well as its influence on so many other data privacy regulations globally in the years since, the EU has entrenched itself as the epicenter of data privacy and protection.
The effects and influence of the GDPR can't be overstated, but one thing that has left something to be desired is its enforcement.
On the other side of the Atlantic, the United States has traditionally lagged behind on many data compliance matters. The country still lacks a comprehensive national data privacy law, and it struggled for years to secure an adequacy decision covering transfers of personal data from the EU to the U.S., finally getting the green light this summer.
Despite those flaws and the decentralized grab bag of data privacy laws on the books throughout the country, American enforcement has actually been rather strong.
The Federal Trade Commission (FTC) has held a firm line on data privacy over the past half decade, launching numerous investigations into consumer-unfriendly practices such as dark patterns and failures to notify consumers of health data breaches.
The FTC has also amassed a somewhat daunting list of companies fined for data privacy violations, from extracting a $5 billion penalty from Meta (then Facebook) in 2019 to over $500 million from Epic Games last year, in part over violations of the Children's Online Privacy Protection Act (COPPA).
With three COPPA orders issued in 2023 against Edmodo, Amazon, and Microsoft, there is a stronger push than ever to protect children's data online. After a bipartisan group of senators also called on the FTC to investigate YouTube over targeted ads to children, perhaps the largest COPPA penalty in history could be on the horizon, particularly since, if proven, this would be YouTube's second COPPA violation.
But it isn't COPPA enforcement alone that has made the FTC a fearsome regulator. The agency has also changed the discourse around data breaches and responsible data protection by taking action directly against former Drizly CEO James Cory Rellas for his role in a major data breach that occurred while he headed the company.
Progress on that case has been slow, but even putting the idea of personal executive responsibility for data protection on the table should push more companies than ever to devote resources to data privacy and cybersecurity.
The EU has issued thousands of fines for GDPR noncompliance, usually for violations of the data processing principles or for lacking a legal basis for processing, but the vast majority are for small amounts. To date, only 90 GDPR fines have exceeded €1 million.
Most of the bigger fines also get bogged down in legal battles, draining resources and sometimes ending in a settlement below the proposed amount. It doesn't help that the Irish Data Protection Commission is arguably the most consequential regulator in the EU, since it is the lead supervisory authority for most of the large tech companies headquartered in Ireland, all while Ireland's economy depends on the corporations it has attracted with extremely business-friendly tax rates. That is a conflict of interest when it comes to fully enforcing the law and pushing for large fines, one that data protection activists like Max Schrems have routinely pointed out.
By comparison, the regulations that exist in the U.S. are weaker, but when it comes to actual enforcement, the FTC has done good work in keeping data regulation meaningful despite the lack of a comprehensive national law. Without one, the FTC will never have truly wide-ranging enforcement power, but it has acquitted itself well in the fight for data rights and privacy, which cannot be consistently said of EU regulators.
Now it's time for each region to match the other's strength. The U.S. needs regulation to match its enforcement, and the EU needs enforcement to match its regulation and its commitment to data protection. But hey, at least each side has set the standard in its own area.