Key Finding

The EU favors centralized data/cyber regulation (GDPR, NIS), while the US uses a decentralized, sector-specific approach.

Abstract

Data privacy protection is stronger in the European Union (EU) than in the U.S.: EU organisations must generally obtain a valid legal basis, often explicit consent, before collecting, storing or processing personal data from individuals, who have the right to withdraw their consent at any time; conversely, in the U.S., privacy assurances in the contexts of law enforcement and national security at the federal level are industry-specific. The European General Data Protection Regulation (GDPR) has a wide scope, covering areas such as data protection impact assessments, data breach notification, and privacy by design. In the U.S., data privacy protection and disclosure of breaches are delegated to the states, so there is no unified framework defining a (material) data breach, reporting thresholds, enforcement responsibilities, penalties for violations, and application scope. Yet mandatory disclosure regulation of data breaches and privacy violations is still insufficient in both Europe and the U.S.

In relation to regulations aimed at fighting cybercrime through the implementation of minimum cybersecurity levels, this paper demonstrates how complex, heterogeneous, and incomplete the regulatory landscape is. Remarkably, there is no encompassing, up-to-date federal law regulating cybersecurity in the U.S., as this regulation was delegated to the individual states, which are responsible for standard setting and compliance. Furthermore, cybersecurity regulation has been developed for specific industries and critical infrastructure. This has resulted in a proliferation of enforcement agencies with heterogeneous standards, reporting requirements, and penalties. While publicly traded companies must disclose material cyber events under securities regulation, these ad-hoc disclosure requirements are even less stringent in Europe.

While the EU and the U.S. agree on the importance of certification and baseline cybersecurity requirements, they take different approaches. EU member states require all organisations to follow the Directive on security of Network and Information Systems (NIS Directive) for the best safeguards, while adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework for cybersecurity crisis management is voluntary in the U.S.
