EU protections include affirmative opt-in consent, notifications about all data collection and oversight of third party processors

Washington (May 24, 2016) – With some of the world’s strongest privacy rules set to take effect tomorrow, May 25, in the European Union, Senators Edward J. Markey (D-Mass.), Dick Durbin (D-Ill.), Richard Blumenthal (D-Conn.), and Bernie Sanders (I-Vt.) today introduced a Senate resolution calling for U.S. companies and institutions covered by the European Union’s (EU) new privacy law, the General Data Protection Regulation (GDPR), to provide Americans with privacy protections included in the European law. The robust EU privacy protections include clear opt-in consent before users’ information is used; notification to users about all collection, use, and sharing of users’ personal information; data security requirements; notification to affected individuals in the event of a data breach; and requiring companies to implement special protections for children’s data, among other rules.

“When the European privacy law takes effect, the American people are going to wonder why they are getting second-class privacy protections,” said Senator Markey. “If companies can afford to protect Europeans’ privacy, they can also afford to do so for their American customers and users. Under the European rules, privacy is not an afterthought, and consumers, not corporations, are in charge of personal information. The American people want and deserve a comprehensive privacy bill of rights, and it is time Congress acts to protect this important 21st century right.”

A copy of the Senate resolution can be found HERE.

Protections in the European privacy law include, but are not limited to, the following requirements and rights:

The requirement that data processors have a legal basis for using individuals’ data, including opt-in consent

The requirement that data processors design their systems in a way that minimizes the processing of data to only what is necessary for the specific purpose stated to the individual, and the requirement that data processors, by default, protect personal information from being used for other purposes

The requirement that entities processing children’s data institute special protections, particularly with reference to the use of children’s data for marketing purposes

The individual’s right to know who has access to her/his data

The individual’s right to revoke permission to use her/his data at any time

The individual’s right to not be subject to automated decision making, including profiling, without human intervention that has legal or otherwise significant effects on the individual

###