Bruce Schneier testified to Congress on the Equifax Breach and posted his testimony onto his blog. .Because of the political nature of the content, he is frequently much more technical some of the the comments are very superficial, complaining about the need for more regulation.
The problem is, as he says, that without regulation business wont keep personal data secure. The problem is bad corporate behaviour.
His testimony, in my mind, shows the weakness of seeing this as a consumer protection issue. Much of the bad behaviour comes from 3rd parties; the data subject is not the customer and thus have no rights of tort and in the US, the FTC can’t pursue the data controllers. By placing privacy in a consumer protection framework, they also leave it to the victims of breaches to prove harm.
In the EU, our rights based legal framework means that a breach is harm, because our human rights to privacy have been infringed.
Schneier raises the GDPR as an example of how companies can confirm to better standards and raises the spectre of the EU imposed fines on US companies. He also hints at the fragility of safe harbour/privacy shield.