As Europe’s GDPR approaches its third anniversary, other jurisdictions around the world are taking cues from it to develop their own frameworks.
The EU’s General Data Protection Regulation has pushed policymakers and companies to put data protection at the forefront, especially given the prospect of large fines.
“Definitely, the GDPR has created a much greater privacy awareness. Many companies now say it’s being discussed in town halls because of the potential amount of fines,” said Estelle Masse, a senior policy analyst at the Access Now digital rights group.
One such law is the California Privacy Act, which was passed in November 2020 and expands on the 2018 California Consumer Privacy Act.
The law has drawn comparisons to the GDPR in the way it gives consumers more control and introduces the possibility of fines for violations and data breaches.
“I think there were similarities in the sense that they both provided more rights and protection to the user, so they were pretty user-oriented in their approach,” Masse said.
Other jurisdictions may look to the GDPR for inspiration on what works and what doesn’t, although it has many nuances and European features that do not necessarily translate.
“But there are a number of basic rights and basic requirements. That people need to be protected, that people need to stay in control of their data, and that obligations need to be made if they want to use that information,” Masse explained.
The main difference between California law and the GDPR comes down to enforcement. California is a single state, while the EU comprises 27 member states, each with its own data protection authority and its own challenges.
This has led to discussions among the various data protection commissioners about who is pulling their weight on enforcement and who is not, with the Irish body attracting the most criticism.
“Our implementation model shows some cracks, so I think a great lesson has been learned for others looking to Europe,” Masse told CNBC.
“I think the GDPR is a legislative success, but for now it is a failure to implement and we can learn from it.”
The key to addressing these challenges is to ensure the full independence of the data protection authority, while providing it with extensive budgets and resources to regulate the growing data economy.
Mark McCreary, a privacy and data security attorney at the Philadelphia firm Fox Rothschild, said that U.S. states introducing their own data privacy laws creates unique challenges for businesses that must comply with laws that differ from state to state.
He points to the recently passed Virginia Consumer Data Protection Act as another such development. It has characteristics similar to California’s law, but it also has its own nuances.
“The definition of personal data is a little different, and the definition of sensitive personal data is a little different,” McCreary said.
Various actions at the state level can often renew calls for some kind of federal privacy law.
“People have been looking for it for years,” said Alex Wall, a corporate privacy adviser at Rimini Street, formerly of Adobe and New Relic.
“I think it’s difficult because on the one hand it depends on which administration is in charge and they both have different reasons why they want privacy laws.”
Such delays and obstacles in the development of federal legislation can lead to more states taking action, gradually creating a patchwork of different data protection laws.
“Then it will eventually get to the point that all the business lobbyists in Washington are in power and streamlining and passing those laws because it has become so difficult for them to move,” Wall said.
McCreary added that the passage of a federal law is likely to lead to many disputes, and states will have different expectations regarding the finer details, such as the private right to sue, which allows private parties to file a lawsuit.
“Part of the problem is that California is getting up and talking if you try to pass a federal privacy law and you don’t have a private right to sue, we’re not going to support it,” McCreary said.
Beyond the United States, several major countries have adopted or updated their national data protection laws.
Brazil’s Lei Geral de Proteção de Dados (LGPD) came into force late last year. The regulation updated and consolidated 40 different rules into one framework.
The LGPD is still in its infancy, but other governments across Latin America, such as Argentina, are following suit and working on new laws, Access Now’s Masse said.
But the next major data protection law that legal observers are keeping a close eye on is India’s.
The Personal Data Protection Act is currently making its way through the various stages of the Indian Parliament and will introduce stricter restrictions on how companies can use data and give users more control, à la GDPR.
Masse said the Indian regulation, once adopted, is likely to have a significant impact on future laws in other countries as well “because of the large number of people and the role this country would play in the global data economy”.