In this photo illustration, Facebook CEO Mark Zuckerberg is seen on a mobile screen as he testifies remotely at the US Senate Committee on Commerce, Science, and Transportation hearing titled “Does the sweeping immunity of Section 230 Big Tech allow bad behavior?” on Capitol Hill in Washington, DC, United States.
Pavlo Conchar | LightRocket | Getty Images
As Europe’s extensive GDPR laws near their third anniversary, other jurisdictions around the world are taking cues to develop their own frameworks.
The EU regulation (the General Data Protection Regulation) has helped put data protection front and center for policymakers and businesses, especially with the specter of heavy fines.
“The GDPR has certainly created a much greater privacy awareness. Many companies now say it is being discussed in boardrooms because of the potential size of the fines,” said Estelle Masse, senior policy analyst at the digital rights group Access Now.
One such framework is the California Privacy Rights Act, which was passed in November 2020 and expands on the California Consumer Privacy Act of 2018.
The law has drawn comparisons to the GDPR from many observers in how it gives consumers greater control and allows for fines for violations and data breaches.
“I think there were similarities in the sense that they both offered more rights and protection to the user, so they were quite user-centric in their approach,” Masse said.
Other jurisdictions can look to the GDPR for inspiration on what works and what doesn’t, although it has many nuances and European features that don’t necessarily translate elsewhere.
“But there are some core rights and core requirements. That people must be protected, people must remain in control of their information and there must be an obligation on companies if they want to use this information,” explains Masse.
The main difference between the California law and the GDPR comes down to enforcement. California is only one state, while the EU is 27 countries, each with its own data protection authority and its own challenges.
This has sparked arguments between various data protection commissioners about who is pulling their weight in enforcement and who is not, with the Irish authority being the most criticized.
“Our enforcement model has some cracks, so I think a big lesson has been learned for others looking to Europe,” Masse told CNBC.
“I think the GDPR is a legislative success, but so far it has been an enforcement error and we can learn from it.”
The key to addressing these challenges is ensuring total independence for a data protection authority, while at the same time having sufficient budgets and resources to regulate the ever-growing data economy.
Mark McCreary, a privacy and data security attorney at the Philadelphia firm Fox Rothschild, said that U.S. states introducing their own data privacy laws pose unique challenges for companies in state-to-state compliance.
He points to the recently passed Virginia Consumer Data Protection Act as yet another development. It bears similar characteristics to California’s law, but also presents its own nuances.
“The definition of personal information is a little bit different and the definition of sensitive personal information is a little bit different,” said McCreary.
Various state-level actions often renew calls for some sort of federal privacy law.
“People have been asking that for years,” said Alex Wall, corporate privacy attorney at Rimini Street and formerly of Adobe and New Relic.
“I think it’s difficult because on the one hand it depends on which administration is in charge and they both have different reasons for wanting privacy laws.”
These kinds of delays and hurdles in the development of federal law can cause more states to take their own measures, gradually creating a patchwork of different data protection laws from state to state.
“Then it will eventually reach a point where Washington’s business lobbyists are all on board rationalizing and anticipating those laws because they have become so difficult to navigate,” Wall said.
McCreary added that drafting a federal law is likely to lead to a lot of litigation, with states having different expectations about the finer details, such as the private right of action – allowing private parties to sue.
“Part of the problem is that California is standing up and saying that if you try to pass a federal privacy law and you don’t have a private right to action, we’re not going to support it,” McCreary said.
Outside of the US, several major countries have adopted or updated their national data protection laws.
The Brazilian Lei Geral de Proteção de Dados came into effect at the end of last year. The regulation has updated and consolidated 40 different rules in one framework.
The LGPD is still in its infancy, but other governments in Latin America, such as Argentina, are following suit and have new laws in the works, Access Now’s Masse said.
But the next major data protection law that legal observers are keeping a close eye on is in India.
The Personal Data Protection Act is currently working its way through the various stages of the Indian Parliament and will put in place stricter limits on how companies can use data and give more control to users, a la GDPR.
Masse said India’s regulations, if passed, will likely also have a significant impact on future laws in other countries “because of the sheer number of people and the role this country would play in a global data economy.”