On Wednesday this week, Apple CEO Tim Cook delivered a keynote address at the European Union's International Conference of Data Protection and Privacy Commissioners in which he denounced the misuse of customer data by large technology corporations and called for the United States to adopt federal data privacy regulations similar to the EU's General Data Protection Regulation.
After praising the EU for its passage of GDPR, Cook said "it is time for the rest of the world, including my home country, to follow your lead." He went on to suggest the US should enact a "comprehensive federal privacy law" that is based on the following "four essential rights":
1. The right to have personal data minimized - companies should de-identify customer data or not collect it at all.
2. The right to knowledge - users should always know what data is being collected and what it is being collected for.
3. The right to access - users should be able to easily get a copy of, correct, and delete their personal data.
4. The right to security - security is foundational to trust and all other privacy rights.
All four of these rights and more are covered by GDPR Chapter II: 'Principles' and Chapter III: 'Rights of the Data Subject'.
Currently there are a number of federal and state laws in the United States that overlap to varying degrees with certain parts of GDPR, one of which was recently passed in Apple's home state: the California Consumer Privacy Act of 2018. However, there is no comprehensive federal law regarding data protection on the same level as GDPR.
Data is always at risk and, as Cook pointed out, data security is foundational to privacy rights. Even if an organization and all of its members are committed to respecting their customers' privacy, that means nothing if the data they store is not properly secured. There is always the risk of falling victim to the next big data breach, which could expose your customers' data to unknown and malicious actors.