New Model Code For Personal Data Protection Is Better Than GDPR

A review of the European Union’s General Data Protection Regulation (GDPR) almost four years since implementation suggests that Congress was wise not to adopt the European approach. Europeans do not report greater trust online from the rules. In fact, a large majority of UK and German survey respondents say the GDPR’s impact is neutral if not negative. A new Canadian report of 30 independent assessments of the GDPR notes staggering regulatory burden for regulators and companies, the adverse impact on small and medium enterprises (SMEs), increased consumer complexity with noted frustration at endless pop-ups and “consent fatigue”, reduced innovation, and obstructed cross-border commerce. A key indictment against the GDPR may be the lack of growth of EU-based digital enterprise. Today Europe accounts for just 3 percent of the world’s internet value and is on track to be eclipsed by Africa.

Meanwhile US behemoths Google (Alphabet), Facebook (Meta), Amazon, and China’s TikTok have increased market share and profitability in Europe. GDPR-style rules underpin the California Consumer Privacy Act (CCPA), and its high compliance cost is a small business killer.

Fortunately there is a viable alternative which protects consumers without overburdening business and regulatory authorities.

The Uniform Law Commission (ULC), a national, non-partisan, non-profit body composed of 350 commissioners appointed by the respective US states, develops model legislation to bring clarity and stability to conflicting state and federal laws. ULC commissioners, along with hundreds of diverse stakeholders from the data protection domain, worked through the pandemic to create a model code called the Uniform Personal Data Protection Act (UPDPA). The Act applies fair information practices (FIPPs) to the collection and use of personal data, provides reasonable levels of consumer protection without undue cost to regulators or business, and defines compatible, incompatible, and prohibited uses of data.

Key to the efficacy of the UPDPA is its risk-based approach, which balances the interests of consumers and businesses and permits flexibility and innovation that can benefit consumers. It has an important limiting principle: it focuses on entities which “maintain” data as part of a system of records about individual data subjects, retrievable for the purpose of individualized communication or decisional treatment. Whereas the EU approach mandates that a coffee bar loyalty program have the same level of data protection as a health care record, the UPDPA focuses on personal data which matters to people and where risk is high. For example, there is little value in adding personal data regulation to one-time transactions like credit card purchases (which are already regulated by other consumer protection laws) or to unstructured forms of information like email.

Another advantage of the UPDPA is the creation of a safe harbor for low-risk compatible practices which do not require consent. These are practices consistent with the person’s interests and reasonable expectations. Examples include using location data for COVID risk assessment of a community and targeted advertising reasonably expected when receiving free content and services. Under the UPDPA, small business is exempt for compatible purposes.

Practices which present risk require consent. Risk emerges with the use of sensitive personal data such as race, religious belief, gender, sexual orientation, citizenship, immigration status, financial account numbers, Social Security number, government-issued identification numbers, real-time geolocation, criminal record, medical diagnosis, or information about children under 13.

Prohibited practices are those which are performed without reasonable security and/or could result in financial, physical, or reputational harm; embarrassment, ridicule, intimidation, or harassment; or identity theft. Incompatible practices include selling personal data for marketing purposes if such a sale is not reasonable or expected, or selling personal data for an unrestricted purpose.

Importantly, under the UPDPA people have a right to a copy of their data and to correct and amend it. Data controllers must abide by a clear and accessible data privacy policy disclosing the categories of personal information maintained, notification of practices, procedures to respond to data subjects’ rights, applicable state and federal laws, and any voluntary consensus standards (VCS) used. VCS are a set of bottom-up specialized rules developed by users and companies for specific applications, services, and contexts. They promote innovation and standardization and, for the purposes of online data protection, would be reported to the relevant attorney general.

Already the UPDPA has been introduced in Oklahoma, Nebraska, and the District of Columbia. The Act offers states flexibility to incorporate the enforcement provisions of an enacting state’s existing consumer protection act. State attorneys general can promulgate rules to implement the Act and are encouraged to coordinate enforcement to achieve uniformity. The sticking point in adopting federal online data protection rules has been a private right of action; the UPDPA leaves that to the individual state.

Originally published in Forbes.