Nuclear Tech Inspired Good and Bad
future GDPR impacts on U.S. business not fully realized
The General Data Protection Regulation (GDPR) established in 2018 by the European Union (EU) resulted in significant U.S. business impact. The video points to impacts that are far broader than U.S. law as pertains to the applicability for “citizens” whereas GDPR applies to spatially located persons within the bounds of the EU. GDPR extends to U.S. companies conducting business in the EU which may collect information on human data subjects, a conflation of humans as users and data subjects personifying the regulation. [1] This is different than U.S. code applied only to U.S. persons including citizens, resident aliens, and legally permitted aliens.
Secondary and tertiary impacts on business practices for American companies might surprise some. The President of the U.S. (POTUS) recently signed an Executive Order (EO) that updates how existing federal mandates must comply with GDPR. The EO On Enhancing Safeguards For United States Signals Intelligence Activities outlines how foreign intelligence collection [2] conducted on areas overlapping within EU purview must comply with GDPR even to ensure national security needs. This shows that GDPR is having impacts on U.S. federal policy and something that may continue to impact a landscape of federal contracting service agreements. U.S. companies that support signals intelligence must by virtue of this EO comply with GDPR.
The U.S. pivoted towards an idea of greater transparency a year ago when POTUS signed an EO helping to protect Americans from hostile foreign intelligence collection.[3] This signature of American values blunted an emerging trend of information sovereignty and competing digital ecosystems.
The linkages are not always positive. GDPR inspired the California Consumer Protection Act (CCPA) and drove action for other positively inclined state policies in the U.S. It appears to have spawned the Personal Information Protection Law (PIPL), the People’s Republic of China (PRC) latest data protection policy. PIPL was passed at around the same time as EO Protecting Americans’ Sensitive Data from Foreign Adversaries. [4] What is unique about PIPL when compared to GDPR are the provisions for significant exceptions for what the PRC calls national security. In those exceptions, PIPL provides an allowances for retaliatory actions toward other countries behind what has been termed the Great Chinese Firewall. It allows the PRC to not only defend from within the confines of this new digital wall — it allows for discriminate acts in places that PRC persons use their infrastructure abroad. [5] The implications to U.S. companies operating within the confines of PRC, and PRC persons employed by American companies in the U.S. has yet to be fully realized. GDPR’s impacts have largely been positive, but many argue PIPL and other hostile foreign state policies have mutated its original intent. Like nuclear technology, it can be hard to imagine how the idea for power generation can be transformed into power destruction.
References:
[1] Virtual Session: GDPR without the Hype, (Jun. 30, 2017). Accessed: Nov. 23, 2022. [Online Video]. Available: https://www.youtube.com/watch?v=HgYl7OQsiLY
[2] T. W. House, “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” The White House, Oct. 07, 2022. https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/ (accessed Nov. 23, 2022).
[3] T. W. House, “Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries,” The White House, Jun. 09, 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/ (accessed Nov. 23, 2022).
[4] “Beyond Europe’s GDPR: how Beijing has forged a formidable data regime,” South China Morning Post, Aug. 26, 2021. https://www.scmp.com/tech/tech-war/article/3146523/chinas-privacy-law-borrows-page-europes-gdpr-it-goes-further-beijing (accessed Nov. 23, 2022).
[5] S. Lu, “Unpacking China’s game-changing data law,” Protocol, Aug. 24, 2021. https://www.protocol.com/china/china-personal-information-protecion-law (accessed Nov. 23, 2022).
