Understanding the U.S.’s data service laws

The United States was once the leader in creating rules curtailing fraud on stock exchanges. One of its most famous rules, Rule 10-b5 codified at 17 CFR 240.10b-5, was created in the 1940s and prohibits acts or omissions resulting in fraud or deceit in connection with securities trading.

Like many laws, it was imitated on a global scale, but it took almost 60 years before it was adopted in such trusted exchanges as Hong Kong and Tokyo. Nowadays things move a bit faster.

The European Union’s GDPR (General Data Protection Regulation) became law on May 25, 2018. Today, less than 4 years later, there are similar laws in more than 20 countries.

The reason is simple. Article 44 of the Regulation states that if a third country wants to use EU residents’ personal data, it must protect their rights. To do this, its data protection laws have to be “adequate.” Most countries quickly figured out that to be “adequate,” you passed a law that looks a lot like the GDPR. The exception is the U.S.

Global regulation of personal data processing has not stopped with the GDPR. In the EU and the U.S., legislatures are busy passing new laws that regulate how organizations process information, and regulators are busy enforcing them.

The European Commission has passed, is close to passing, or is considering several laws as part of its digital strategy. These include the Data Governance Act, the Digital Markets Act, the Digital Services Act, the AI (Artificial Intelligence) Act, the Data Act, and the ever-popular ePrivacy Regulation.

Fortunately, the biggest impact of these laws will be limited to the largest tech companies, including Google, Microsoft, Facebook (Meta), Apple, and Amazon. In terms of regulating these organizations, the U.S. is not far behind, although without a strategy.

Data governance and digital markets

The following is a simplification of the complex laws. The Data Governance Act is about the sharing of information. It seems to be focused on public information, most likely from EU national health services. No doubt the Act will result in more anonymization of data.

The Digital Markets Act is focused on “gatekeepers” (U.S. big tech), providing more regulation of big tech almost as an anti-trust problem. Little is known about the Data Act or AI Act because there are no concrete proposals at this time. For most of us, the Digital Services Act is probably the most interesting since it has analogs in U.S. Congress.

The Digital Services Act focuses on one of the largest problems for social media: algorithms –specifically their impact. The Act aims to stop the largest platforms from publishing and spreading illegal or potentially harmful content such as copyright infringements, terrorist content, child sexual abuse material, or hate speech, as well as selling counterfeit, illegal, or dangerous products.

Under section 230 of the Communications Decency Act of 1996 (47 U.S. Code § 230), large Internet platforms are not liable for speech published on their platforms.

Unlike other media outlets such as newspapers and television, companies like Google and Facebook cannot be sued if the content on their platforms causes harm. This has become a major issue, especially in light of recent evidence that social media apps like TikTok have caused harm to teenage users. The platforms have also been used to organize criminal activities.

The Filter Bubble Transparency Act

Given the problems with section 230, it is not surprising that there have been numerous efforts to either delete the provision or reform it. One of the latest efforts is the Filter Bubble Transparency Act. Focused on algorithms, it allows Internet users to choose between the platform algorithms and an algorithm developed with the user’s input.

The largest impact of the Digital Services Act in the EU and the Filter Bubble Transparency Act in the U.S. would be more transparent algorithms. Both laws reflect governmental preferences.

In the EU, regulators determine whether the algorithm promotes illegal content. In the U.S., the user will determine what they want to see. Neither act has cleared all hurdles to becoming law, although the Digital Services Act is closer.

The Filter Bubble Transparency Act has been introduced in both chambers of U.S. Congress. It has a long list of cosponsors and is bipartisan. The latest polls show that the majority of Americans (56% and rising) are in favor of government regulation of big tech.

It is not just legislative efforts. While the EU attempts to limit the power of “gatekeepers” with the Digital Markets Act, U.S. regulators have turned to the courts. Most complaints are based on big tech anti-competitive behavior. The Federal Trade Commission is suing Facebook and Amazon. The U.S. Justice Department is suing Apple and Google.

Finally, 38 states have joined forces to sue Google. These lawsuits deal with the way these companies compete in app stores, in marketplaces, on the Internet of Things, and online. Like the Digital Markets Act, these lawsuits will force big tech to change their behavior or be broken up.

What effect do these laws have?

Fortunately, for most companies these laws will have little impact. The Digital Markets Act and the Digital Services Act only apply to platforms that have active users equal to 10% of the EU population (about 45 million people). The Data Governance Act is mainly interested in access to public information.

This does not mean that companies that process personal data (basically all companies) should be complacent. It always takes the law time to catch up with major changes in technology. When it does, it can regulate with a vengeance everywhere. The jurisdiction of these laws is limited for now. Do not expect that to continue.

Furthermore, not being big enough to be subject to regulation does not mean that an organization is small enough to avoid cyber criminals. The best tactic, whatever your size, is to create good cybersecurity that protects your customers’ information.

At IT Governance USA, we can help you do this. We are a one-stop shop for your cybersecurity and data protection needs, offering a variety of tools you can use to bolster your defences and maintain regulatory compliance.

Subscribe to our Weekly Round-up to get the latest cybersecurity news and tips delivered straight to your inbox.

newsletter sign-up