In this photo illustration, Facebook CEO Mark Zuckerberg is seen on a mobile screen while testifying remotely during the U.S. Senate Committee on Commerce, Science and Transportation’s view entitled “The Sweep Immunity of the Section 230 allows bad behavior of big technologies? ” at Capitol Hill in Washington, DC, USA.
Pavlo Conchar | LightRocket | Getty Images
As Europe’s drastic GDPR laws approach their third anniversary, other jurisdictions around the world are taking signals to develop their own frameworks.
EU regulation (the General Data Protection Regulation) has helped put data protection at the forefront of policymakers and businesses, especially with the multitude of fines.
“The GDPR has definitely created a much greater awareness of privacy. Many companies are now saying that it is being discussed in boards because of the potential amount of fines,” said Estelle Masse, the group’s senior policy analyst. of Access Rights digital rights.
One such law is the California Privacy Rights Act, which was passed in November 2020 and extended to the 2018 California Consumer Privacy Act.
The law has drawn up many comparisons between observers and GDPR on how it gives more control to the consumer and presents the possibility of fines for data breaches and breaches.
“I think there were similarities in the sense that they both provided more rights and protections to the user, so they had a pretty user-centric approach,” Masse said.
Other jurisdictions may look to the RGPD for inspiration on what works and what doesn’t, although there are many European nuances and traits to keep in mind that don’t necessarily translate.
“But there are a number of basic rights and basic requirements. That people need to be protected, that people have control over their information, and that it becomes an obligation for companies if they want to use that information,” Masse explained.
The main difference between California law and the RGPD is due to enforcement. California is just one state, while the EU has 27 nations with their own data protection authorities and their own challenges.
This has led to arguments between the various data protection commissioners about who is taking their weight in the application and who is not, with the Irish authority being the most critical.
“Our application model shows some cracks, so I think there’s a great lesson learned for others who are looking at Europe,” Masse told CNBC.
“I think the RGPD is a legislative success, but so far it is a failure in implementation and we can learn from it.”
The key to meeting these challenges is to ensure total independence for a data protection authority, while providing it with ample budgets and resources to regulate the growing data economy.
Federal law
Mark McCreary, a privacy and data security attorney for Philadelphia’s Fox Rothschild, said U.S. states introducing their own data privacy laws create unique challenges for companies to meet a state’s to another.
He points to the recently passed Virginia Consumer Data Protection Act as one more novelty. It has similar characteristics to California, but also presents its own nuances.
“The definition of personal information is a little different and the definition of sensitive personal data is a little different,” McCreary said.
Different actions at the state level can often renew calls for some kind of federal privacy law.
“People have been asking for it for years,” said Alex Wall, a corporate privacy lawyer on Rimini Street and formerly of Adobe and New Relic.
“I think it’s difficult because, on the one hand, it depends on the administration that is in charge and they both have different reasons for wanting privacy legislation.”
Such delays and obstacles in the development of federal legislation can cause more states to take their own actions, gradually creating a mosaic of different state-by-state data protection laws.
“Then it will finally get to the point where all Washington business lobbyists are involved in streamlining and circumventing these laws because they have become so difficult to navigate,” Wall said.
McCreary added that drafting a federal law will likely lead to many disputes, with states with different expectations about the finer details, such as the right to private action, allowing private parties to file a lawsuit.
“Part of the problem is that you have California standing up and saying that if you try to pass a federal privacy law and you don’t have any right to private action, we won’t support it,” McCreary said.
Global movements
Beyond the United States, several large nations have passed or updated their national data protection laws.
The General Data Protection Act of Brazil came into force late last year. The regulation updated and consolidated 40 different rules in a single framework.
The LGPD is still in its infancy, but other governments across Latin America are following suit and have their new laws in place, such as Argentina, Access Now’s Masse said.
But the next big data protection law that legal hawks are watching is in India.
The Personal Data Protection Bill is making its way through the various stages of the Parliament of India and will introduce stricter limits on how companies can use the data and grant more control to users, to the GDPR.
Masse said India’s regulation, when passed, will likely have a significant influence on other countries’ future laws as well “due to the large number of people and the role that country would play in a global economy. of data “.