Personal data legal framework: comparative law between France and USA
A difference of concept
At first, the definition of personal data is different between France and America. In French law, personal data is “any related information that physically identifies a person, either directly or indirectly.” On the contrary in USA it’s any “personal identifiable information”. Then, we can observe American concept is wider than French. The latter does not take into account anonymous data on the contrary in American points of view.
A difference of logic
Secondly, the American logic about personal data is different. According to them, data is market items. On the contrary, in French logic, personal data is people’s property. It’s part of people’s privacy which is protected by Charter of Fundamental Right. That’s why there is a big difference in the way data is used by French and American companies.
In French law perspective, data has a “cycle of life”, when it is too old or irrelevant, data has to be erased. On the contrary, for the Americans, data is valuable in the market, so it’s irrelevant to erase it even if the data is old.
A difference of protection
Beyond these, there is a difference in legal framework. In France, personal data is strictly protected. There are numerous laws on the subject and people have different right over their data. In addition, France, like other European’s countries, has an administrative authority: the CNIL. This system doesn’t exist in USA mostly because there is the distrust against the government. Therefore the Privacy act in its disposition protects people against the government intrusion. On the contrary, in France dispositions are mostly against companies, by protecting against an abusive use of data. However, penalties were weak before the GDPR.
However, the American system is not the same way as the data use. As already noted, in USA data is market items and they are use as one. That’s why personal data is directed by the “principle of fair information practices” which is a general rules in electronic marketplace. Its principle is described by the FTC (Federal trades Commission). The Federal Trades Commission is an independent agency of the American government. Its mission is promoting the consumer protection. The FTC is not like the CNIL, it’s more like the DGCCRF. Consumers can’t apply to the Commission. It has not a lot of power and it can only sue companies when it proves to be illegal. It has been applied only in a few cases. It can be explained by the distrust against the government. Moreover, generally most of the cases are closed with an agreement.
Finally, in the USA most of the data regulations come from companies’ accountability. It’s a logic that we can find in the GDPR with the “principle of accountability”. The GDPR’s goal is to involve companies in the “privacy by design” and take care of the data’s cycle of life. In this way, this is consistent with the concept of autonomy in the United States.