In this photo, Facebook CEO Mark Zuckerberg, seen on a mobile screen as he testifies remotely at the US Senate Committee on Commerce, Science and Transportation hearing titled “Immunity to Sweeping of does Article 230 allow bad behavior for big technologies? ” on Capitol Hill in Washington, DC, United States.
Pavlo Conchar | LightRocket | Getty Images
As major European GDPR laws approach their third anniversary, other jurisdictions around the world are drawing inspiration from them to develop their own frameworks.
The EU regulation (the General Data Protection Regulation) has helped put data protection at the forefront of policy makers and businesses, especially with the specter of large fines.
“The GDPR has undeniably created a much greater awareness of privacy. Many companies are now saying this is being discussed in boards of directors because of the potential amount of fines,” said Estelle Masse, senior policy analyst at Access Now.
One of those laws is the California Privacy Rights Act, which was passed in November 2020 and extended to that of 2018. California Consumer Privacy Act.
The law has drawn many observer comparisons to the GDPR on how it grants more control to the consumer and presents the possibility of fines for breaches and data breaches.
“I think there were similarities in that they both offered more rights and protections to the user, so they were more user-centric in their approach,” Masse said.
Other jurisdictions may look to the GDPR for inspiration on what works and what doesn’t, although there are many European nuances and traits to consider that don’t necessarily translate.
“But there is a series of basic rights and basic requirements. That people must be protected, people must maintain control over their information and an obligation must be placed on companies if they want to use this information,” explained Mass.
The main difference between California law and GDPR comes down to its application. California is just one state while the EU is made up of 27 nations with their own data protection authorities and their own challenges.
This has led to disputes between different data protection commissioners over who is important in the app and who is not, with The Irish authority is the most criticized.
“Our app model shows some flaws, so I think there is a big lesson for others watching Europe,” Masse told CNBC.
“I think GDPR is a legislative success, but so far it is an enforcement failure and we can learn from it.”
The key to meeting these challenges is to ensure the full independence of a data protection authority while providing it with sufficient budgets and resources to regulate the ever-growing data economy.
Mark McCreary, privacy and data security attorney at Philadelphia law firm Fox Rothschild, said U.S. states introducing their own data privacy laws are creating unique challenges for businesses as they move forward. conforming from state to state.
He points out that Virginia’s recently passed consumer data protection law is another development. It wears features similar to California, but also has its own undertones.
“The definition of personal information is a little different and the definition of sensitive personal data is a little different,” McCreary said.
Different actions at the state level can often renew calls for some sort of federal privacy law.
“People have been asking for this for years,” said Alex Wall, corporate privacy counsel at Rimini Street, formerly of Adobe and New Relic.
“I think it’s difficult because on the one hand it depends on which administration is in charge and they both have different reasons for wanting privacy legislation.”
These kinds of delays and obstacles in the development of federal legislation can cause more states to take their own steps, gradually creating a patchwork of different data protection laws from state to state.
“Then it will finally reach a point where business lobbyists in Washington all agree to rationalize and anticipate these laws because they have become so difficult to navigate,” Wall said.
McCreary added that crafting a federal law would likely result in a lot of disputes, with states having varying expectations on the finer details, such as the private right of action – which allows private parties to bring an action. in justice.
“Part of the problem is California is standing up and saying that if you’re trying to pass a federal privacy law and you don’t have a private right of action, we’re not going to support her, ”McCreary said.
Beyond the United States, several large countries have passed or updated their national data protection laws.
Brazil’s Lei Geral de Proteção de Dados entered into force at the end of last year. The regulation updated and consolidated 40 different rules into a single framework.
The LGPD is still in its infancy, but other Latin American governments are following suit and have their new laws in the works, such as Argentina, Masse said of Access Now.
But the next major data protection law that legal hawks are watching closely is in India.
The draft law on the protection of personal data is currently make his way through the various stages of the Indian Parliament and will introduce stricter limits on how companies can use data and grant more control to users, to GDPR.
Masse said India’s regulations, once adopted, are likely to have a significant influence on future laws in other countries as well “because of the sheer number of people and the role India would have in a global economy. data”.