In this photo illustration, Facebook CEO Mark Zuckerberg seen on a mobile screen as he testified remotely during a hearing of the U.S. Senate Committee on Commerce, Science and Transportation entitled “Section 230 Sweeping Immunity Allows Bad Behavior big technology? ” on Capitol Hill in Washington, DC, United States.
Pavlo Conchar | LightRocket | Getty Images
As GDPR laws in Europe approach their third anniversary, other jurisdictions around the world are taking clues to develop their own frameworks.
The EU Regulation (General Data Protection Regulation) has helped to put data protection at the forefront of policy makers and businesses, especially with the spectrum of large fines.
“The GDPR has certainly created a much greater awareness of privacy. A lot of companies are now saying that they are discussing in boardrooms because of the potential value of the fines,” said Estelle Masse, senior policy analyst at access rights group Digital. Now.
One such law is the California Privacy Rights Act, which was passed in November 2020 and expanded into the 2018 California Consumer Privacy Act.
The law has made many comparisons from observers to the GDPR in terms of how it gives more control to the consumer and presents the possibility of fines for crimes and data breaches.
“I think there were similarities in the sense that both offered more user rights and protections, so they were quite user-oriented in their approach,” Masse said.
Other jurisdictions may look to the GDPR for inspiration as to what works and what doesn’t, although there are many European nuances and features to consider that may not necessarily translate.
“But there are a number of fundamental rights and basic requirements. That people must be protected, people must remain in control of their information, and an obligation must be imposed on companies if they want to use that information,” Masse explained.
The major difference between California law and the GDPR comes down to law enforcement. California is just one state, while the EU has 27 nations with their own data protection authorities and challenges.
This has led to discussions between the various data protection commissioners as to who plays the role of law enforcement and who does not, the Irish authority attracts the most criticism.
“Our application model shows some cracks, so I think there’s an important lesson learned for others looking at Europe,” Masse told CNBC.
“I think the GDPR is a legislative success, but so far it is a failure of implementation and we can learn from it.”
The key to addressing these challenges is to ensure full independence for a data protection authority, while providing it with ample budgets and resources to regulate the ever-growing data economy.
Federal law
Mark McCreary, a lawyer for privacy and data security at Fox Rothschild in Philadelphia, said that US states that introduce their own data privacy laws create unique challenges for businesses to comply with state to state.
He points to the consumer data protection law recently passed by Virginia as another development. It has similar characteristics to California, but also has its own nuances.
“The definition of personal information is a little different, and the definition of sensitive personal data is a little different,” McCreary said.
Different actions at the state level can often renew appeals for some sort of federal privacy law.
“People have been asking for this for years,” said Alex Wall, a corporate privacy advisor on Rimini Street and formerly of Adobe and New Relic.
“I think it’s difficult because, on the one hand, it depends on the responsible administration, and they both have different reasons why they want privacy legislation.”
These types of delays and obstacles in the development of federal legislation can lead to several states taking their own actions, gradually creating a mix of different state-to-state data protection laws.
“Then it will finally get to a point where Washington business lobbyists are all on board with streamlining and preventing these laws because they have become so difficult to navigate,” Wall said.
McCreary added that enacting a federal law is likely to lead to many disputes, with states having varying expectations about finer details, such as the private right of action – which allows private parties to initiate a lawsuit.
“Part of the problem is that California is standing up and saying that if you try to pass a federal privacy law and you don’t have a private right of action, we won’t support it,” McCreary said.
Global movements
Beyond the US, several large nations have adopted or updated their national data protection laws.
Lei Geral de Proteção de Dados from Brazil came into force at the end of last year. The regulation updated and consolidated 40 different rules in a single framework.
The LGPD is still in its infancy, but other Latin American governments are following suit and have their new laws in place, such as Argentina, Access Now’s Masse said.
But the next major data protection law that legal hawks pursue is in India.
The draft law on personal data protection is currently making its way through the various stages of the Indian Parliament and will introduce stricter limits on how companies can use the data and give more control to users, to the GDPR.
Masse said India’s regulation, when adopted, is likely to have a significant influence on future laws in other countries as well “because of the large number of people and the role that country would play in a global economy.” data “.