The GDPR has been part of EU law since May 2018 and its impact is being felt around the world. Aside from the fact that all businesses processing the data of EU citizens must comply with the regulation, the GDPR has inspired a data privacy movement in both the corporate world and international legislation.
Many prominent technology business leaders have spoken out in support of stronger data privacy laws. Notably, these leaders head some of the biggest companies in Silicon Valley, which handle huge swathes of user data.
Data privacy is at the core of Apple and CEO Tim Cook’s agenda. As a company, Apple has taken measures to prevent their users’ data being accessed without permission – including end-to-end encryption, blocking third-party cookies and never building a ‘back door’ into their software.
Tim Cook himself speaks out regularly on the need for greater rights for data subjects. In a recent op-ed for Time magazine, he wrote, “Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user data profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.”
Microsoft founder Bill Gates also voiced his endorsement for a data privacy law in the US, telling Fox News Sunday that, “The notion that this ability to identify anyone, that we’re going to think about how do businesses get to use that and how does government get to use that? It makes a lot of sense.”
Google, whose access to vast amounts of user data is a cause for concern for many, has long been a target of data privacy regulators. However, with the advent of GDPR, Google was the only adtech vendor to see its market share increase, as other, smaller firms lacked the deep pockets to bring their complex data handling activities into compliance.
Sundar Pichai, Google’s CEO, faced a congressional hearing in 2018 over his company’s data and algorithm practices. When asked whether the US should adopt a GDPR-style framework, Pichai responded that he thought ‘global policy harmonization’ was a good idea, and that he actively supported the GDPR as a ‘well thought-out law’.
Countries outside the EU have begun introducing data privacy legislation similar to the GDPR. Whether inspired by the GDPR or developed before the GDPR was conceptualized, they all represent a shift in the global approach towards stricter data privacy legislation.
California Consumer Privacy Act
In the US, data privacy is currently dealt with on a state-by-state level (though pressure is mounting for federal regulation).
California introduced new data privacy legislation, the California Consumer Privacy Act, in June 2018. It is considered the first piece of US legislation to follow in the footsteps of the GDPR by focusing on consumer data rights, although its protections are more limited than the GDPR’s in scope and effect. Businesses affected by CCPA will need to become compliant by January 2020.
General Data Protection Law (Brazil)
In 2018 Brazil’s then-president Michel Temer sanctioned the General Data Protection Law (LGPD). Like the EU GDPR, the Brazilian law protects the rights of its citizens internationally and adopts a risk-based approach emphasizing lawfulness, fairness, accountability and data minimization.
Also paralleling the GDPR, the LGPD gives data subjects rights of access and erasure, and requires data breach notifications and the appointment of data protection officers.
China has been working on its internet security legislation since 2014, requiring businesses to take stringent measures in order to protect personal data.
The new laws share much with the GDPR. They spell out detailed rules on what consent is and the conditions upon which companies can collect, process and store personal data. Some even see the Chinese regulation as more stringent than the GDPR. Reasons include:
- China’s definition of personal data is broader, which gives its scope more breadth.
- China’s law requires consent to share personal data with other parties, whereas the GDPR allows for other lawful bases for sharing data.
- China has stricter requirements around the information displayed and the presentation of privacy notices.
Further legislation will soon be introduced to regulate data shared internationally.
Canada introduced the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, which required affected organizations to collect consent for certain data processing activities and gave data subjects a right to access their data.
Since GDPR took effect in Europe, there has been a push to update PIPEDA to ensure it meets the standard of the GDPR. This includes a requirement to report data breaches to the Office of the Privacy Commissioner and affected individuals.
The global push to improve data privacy standards has been accelerated by the efforts of the GDPR. The potential for businesses to be shut out of markets due to inadequate data privacy legislation provides a strong motivation for governments and businesses to place a focus on data privacy. As more countries introduce their own legislation and businesses review their data processing activities, it is undeniable that the GDPR is becoming a blueprint for legislation around the world.