NORTH AMERICA - Data Protection and GDPR Review

The history of data protection in North America, particularly in the United States and Canada, is quite different from Europe’s more centralized approach. The U.S., for example, has no single, comprehensive federal law regulating the collection and use of personal data. Instead, it relies on a patchwork of federal and state laws and regulations that can sometimes overlap. Here is a timeline outlining some key moments and pieces of legislation in the history of data protection in North America:

1970s: Early Steps

  • 1970: In the United States, the Fair Credit Reporting Act (FCRA) becomes the first major piece of privacy legislation, governing the collection and dissemination of consumer credit information.

  • 1974: The U.S. passes the Privacy Act, which places restrictions on the federal use of personal data. It also passes the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records.

1980s: Computer Matching and Privacy Protection

  • 1980: The Organisation for Economic Co-operation and Development (OECD) releases its privacy guidelines, which influence U.S. policy.

  • 1988: The U.S. Video Privacy Protection Act is enacted after a newspaper publishes Judge Robert Bork's video rental history during his Supreme Court nomination process.

1990s: Internet Age and the Private Sector

  • 1996: The U.S. passes the Health Insurance Portability and Accountability Act (HIPAA), which safeguards medical information.

  • 1998: In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is enacted, establishing rules for the management of personal information by private sector organizations.

  • 1999: The Gramm-Leach-Bliley Act is enacted in the U.S., requiring financial institutions to disclose their data-sharing practices and to safeguard sensitive data.

2000s: State-Level Initiatives and Sector-Specific Laws

  • 2003: California passes the nation's first data breach notification law, requiring organizations to notify individuals of security breaches involving personal information.

  • 2009: The HITECH Act in the U.S. expands the scope of privacy and security protections available under HIPAA.

2010s: Fragmented Efforts and GDPR Influence

  • 2012: The U.S. Federal Trade Commission (FTC) releases a report advocating for the creation of a “Do Not Track” system, although it has yet to be widely adopted.

  • 2018: The European Union’s GDPR comes into effect, impacting some U.S. and Canadian companies that deal with EU citizens' data.

  • 2018: California passes the California Consumer Privacy Act (CCPA), one of the most comprehensive state privacy laws in the U.S.

  • 2020: The California Privacy Rights Act (CPRA) is passed, expanding on the CCPA and creating a new regulatory agency for enforcement.

2020s: Ongoing Discussions and Federal Legislation?

  • 2021: Virginia passes the Consumer Data Protection Act, becoming the second U.S. state with comprehensive privacy legislation.

The regulatory landscape is still evolving, with discussions about federal privacy legislation ongoing. Some advocates hope for a more unified, national approach similar to the EU’s GDPR, while others value the sector-specific flexibility that the U.S. system currently offers.

This overview is not exhaustive, but it provides an outline of significant developments in North American data protection history.

While the General Data Protection Regulation (GDPR) is European Union (EU) legislation, its influence extends well beyond the EU's borders. If you are a North American business that processes the data of EU citizens, GDPR compliance is not optional but a legal necessity. This guide aims to provide an overview of the key aspects of GDPR as they pertain to North American entities.

Table of Contents

  1. The Extraterritorial Scope of GDPR

  2. Key GDPR Principles

  3. Who is Affected in North America?

  4. Rights of EU Data Subjects

  5. Responsibilities of North American Businesses

  6. Data Protection Officer (DPO)

  7. Data Breach Notification

  8. Transferring Data Across Borders

  9. Fines and Penalties

  10. Steps Towards Compliance

  11. FAQs

  12. Conclusion

1. The Extraterritorial Scope of GDPR

GDPR applies not only to businesses located within the EU but also to those outside the EU that offer goods or services to EU citizens or monitor their behavior.

2. Key GDPR Principles

Understanding the fundamental principles of GDPR, such as data minimization, purpose limitation, and accountability, is crucial for any organization aiming to be compliant.

3. Who is Affected in North America?

Any organization—small, medium, or large—based in North America that processes the personal data of EU citizens is subject to GDPR.

4. Rights of EU Data Subjects

The GDPR grants several rights to EU citizens, including but not limited to:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure (the "Right to be Forgotten")

  • Right to data portability

5. Responsibilities of North American Businesses

North American businesses must:

  • Obtain explicit consent from EU citizens for data collection and processing.

  • Implement adequate security measures to protect data.

  • Perform Data Protection Impact Assessments (DPIAs) for riskier or more complex data processing activities.

6. Data Protection Officer (DPO)

Some organizations will need to designate a Data Protection Officer. This person should have expertise in data protection laws, including GDPR.

7. Data Breach Notification

In the event of a data breach affecting EU citizens' data, North American organizations must notify the appropriate EU supervisory authorities within 72 hours and inform affected individuals without undue delay.

8. Transferring Data Across Borders

Data transfers from the EU to North America must comply with GDPR regulations, using mechanisms like Standard Contractual Clauses (SCCs) or an Adequacy Decision.

9. Fines and Penalties

Non-compliance can result in severe penalties, including fines up to €20 million or 4% of the company's annual global turnover, whichever is higher.

10. Steps Towards Compliance

  • Audit: Conduct a comprehensive audit of all data collection and processing activities that involve EU citizens' data.

  • Update Privacy Policies: Make sure your privacy policies are transparent and GDPR-compliant.

  • Train Staff: Staff should be trained and made aware of their responsibilities under GDPR.

  • Review Third-Party Vendors: Ensure your third-party vendors are GDPR-compliant to avoid being indirectly in violation of GDPR regulations.

11. FAQs

  • Does GDPR apply even if we don’t have a physical presence in the EU?

    • Yes, if you process the personal data of EU citizens, GDPR applies.

  • Is compliance with state laws like California’s CCPA enough for GDPR compliance?

    • No, GDPR and state-level laws like CCPA have different requirements. Compliance with one does not mean compliance with the other.

12. Conclusion

For North American businesses, understanding and complying with GDPR is not only a legal requirement but also a best practice that can enhance data management and customer trust. Failure to comply carries both legal risks and the potential for reputational damage.

Disclaimer: This guide is for informational purposes only and should not be considered as legal advice. Always consult with legal professionals for advice related to your specific needs.

By being proactive and informed, you can navigate the complexities of GDPR and ensure that your organization is compliant, thus safeguarding both your business interests and the data privacy rights of individuals.