New Model Code For Personal Data Protection Is Better Than GDPR
A review of the European Union’s General Data Protection Regulation (GDPR) almost four years since implementation suggests that Congress was wise not to adopt the European approach. Europeans do not report greater trust online from the rules. In fact, a large majority of UK and German survey respondents say the GDPR’s impact is neutral if not negative. A new Canadian report of 30 independent assessments of the GDPR notes a staggering regulatory burden for regulators and companies, an adverse impact on small and medium enterprises (SMEs), increased consumer complexity with noted frustration at endless pop-ups and “consent fatigue”, reduced innovation, and obstructed cross-border commerce. A key indictment against the GDPR may be the lack of growth of EU-based digital enterprise. Today Europe accounts for just 3 percent of the world’s internet value and is on track to be eclipsed by Africa.
Meanwhile, US behemoths Google (Alphabet), Facebook (Meta), and Amazon, along with China’s TikTok, have increased market share and profitability in Europe. GDPR-style rules underpin the California Consumer Privacy Act (CCPA), and its high compliance cost is a small-business killer.
Fortunately, there is a viable alternative that protects consumers without overburdening business and regulatory authorities.
The Uniform Law Commission (ULC), a national, non-partisan, non-profit composed of 350 commissioners appointed by the respective US states, develops model legislation to bring clarity and stability to conflicting state and federal laws. ULC commissioners, along with hundreds of diverse stakeholders from the data protection domain, worked through the pandemic to create a model code called the Uniform Personal Data Protection Act (UPDPA). The Act applies fair information practices (FIPPs) for collection and use of personal data, provides reasonable levels of consumer protection without undue cost to regulators or business, and defines compatible, incompatible, and prohibited use of data.
Key to the efficacy of the UPDPA is the risk-based approach, which balances the interests of consumers and businesses and permits flexibility and innovation, which can benefit consumers. It has an important limiting principle: it focuses on entities that “maintain” data as part of a system of records about individual data subjects for retrieval for the purpose of individualized communication or decisional treatment. Whereas the EU approach mandates that the coffee bar loyalty program has the same level of data protection as a health care record, the UPDPA focuses on personal data that matters to people and where risk is high. For example, there is little value in adding personal data regulation to one-time transactions like credit card purchases (which are already regulated by other consumer protection laws) or to unstructured forms of information like email.