As Europe’s sweeping GDPR laws approach their third anniversary, other jurisdictions around the world are taking cues from it to develop their own frameworks.
The EU regulation (the General Data Protection Regulation) has helped put data protection front of mind for policymakers and businesses, especially with the specter of large fines.
“Definitely the GDPR has created a much bigger privacy awareness. A lot of companies are saying now that it’s being discussed in boardrooms because of the potential amount of the fines,” Estelle Masse, senior policy analyst at digital rights group Access Now, said.
One such law is the California Privacy Rights Act, which was passed in November 2020 and expanded upon 2018′s California Consumer Privacy Act.
The law has drawn many comparisons from observers to GDPR in how it grants more control to the consumer and presents the possibility of fines for infractions and data breaches.
“I think there were similarities in the sense that they were both providing more rights and protections to the user, so they were quite user-centric in their approach,” Masse said.
Other jurisdictions can look at the GDPR for inspiration on what does and doesn’t work, though there are many nuances and European traits to consider that may not necessarily translate.
“But there are a series of core rights and core requirements. That people need to be protected, people need to remain in control over their information and an obligation needs to be put on companies if they want to use this information,” Masse explained.
The major difference between California’s law and GDPR comes down to enforcement. California is just one state while the EU is 27 nations with their own data protection authorities and their own challenges.
This has led to arguments among different data protection commissioners over who is pulling their weight in enforcement and who is not, with Ireland’s authority attracting the most criticism.
“Our enforcement model is showing some cracks, so I think there is a big lesson learned for others who are looking at Europe,” Masse told CNBC.
“I think the GDPR is a legislative success but so far it’s an enforcement failure and we can learn from it.”
The key to addressing those challenges is ensuring total independence for a data protection authority while providing it with ample budgets and resources to regulate the ever-growing data economy.
Mark McCreary, a privacy and data security lawyer at Philadelphia firm Fox Rothschild, said that U.S. states introducing their own data privacy laws creates unique challenges for businesses in complying from state to state.
He points to Virginia’s recently passed Consumer Data Protection Act as yet another development. It bears similar hallmarks to California but presents its own nuances as well.
“The definition of personal information is a little bit different and the definition of sensitive personal data is a little bit different,” McCreary said.
Differing actions at the state level can often renew calls for some kind of federal privacy law.
“People have been asking that for years,” Alex Wall, corporate counsel for privacy at Rimini Street, and formerly of Adobe and New Relic, said.
“I think that it’s difficult because on one hand, it depends on what administration is in charge and they both have different reasons for wanting privacy legislation.”
Those kind of delays and hurdles in developing federal legislation may lead to more states taking their own actions, gradually creating a patchwork of different data protection laws state to state.
“Then it will eventually reach a point that the business lobbyists in Washington are all on board with rationalizing and pre-empting those laws because they’ve become so difficult to navigate,” Wall said.
McCreary added that carving out a federal law will likely lead to many disputes, with states having varying expectations over the finer details, such as private right of action — which allows private parties to bring a lawsuit.
“Part of the problem is you have California standing up and saying if you guys try to pass a federal privacy law and you don’t have a private right of action, we’re not going to support it,” McCreary said.
Beyond the U.S., several large nations have passed or updated their national data protection laws.
Brazil’s Lei Geral de Proteção de Dados came into effect late last year. The regulation updated and consolidated 40 different rules into one framework.
The LGPD is still in its infancy but other governments around Latin America are following suit and have their new laws in the works, such as Argentina, Access Now’s Masse said.
But the next major data protection law that legal hawks are keeping a keen eye on is in India.
The Personal Data Protection Bill is currently making its way through the various stages of India’s Parliament and will introduce tighter limits on the way companies can use data and grant more control to users, a la GDPR.
Masse said that India’s regulation, when passed, will likely have a significant influence too on future laws in other countries “because of the sheer amount of people and the role that this country would have in a global data economy.”