The “patchwork” of privacy legislation across the U.S. continues to knit itself together, but it isn’t only the U.S.: substantial developments in several other regions, including Canada, South Africa, and China, are expected throughout 2021.

A key theme of PrivSec Global this month will be these global data protection and privacy law developments and what they mean in practice. Here we pick out several jurisdictions that are seeing major changes.

According to the United Nations, two-thirds of countries worldwide have now put in place legislation to secure data protection and privacy and a further 10% have draft bills in the pipeline.

As public awareness of data privacy grows, and particularly since the implementation of the European Union’s ground-breaking General Data Protection Regulation (GDPR) three years ago, governments have felt compelled to respond in kind.

We’ve seen a plethora of bills across the globe, and whilst many of the basic principles around consent, lawful grounds for processing, data quality and data security are shared, there are key disparities in how these objectives are being met. This divergence creates challenges not just for data protection, privacy and cyber security, but in particular for organisations operating across several jurisdictions, which must reconcile overlapping and sometimes conflicting obligations.

The PrivSec Global livestream experience features a whole group of sessions on global data protection and privacy law developments, with a focus on the U.S., South Africa and China. You can find out more and register to attend here.

To get you in the mood, here we pick out some of the more interesting global data protection and privacy law developments around the world. 


European Union

The success of the GDPR can be seen in the number of pieces of legislation that are described as “GDPR-style”, as well as in the adoption of GDPR standards worldwide by tech giants such as Microsoft.

There is a sense that, with the legislation having bedded down, regulators are now flexing their muscles and are increasingly likely to use their enforcement powers. A law firm in January published research showing a 19% annual increase in GDPR breach fines and suggested regulators were beginning to “test the limits” of their powers.

The Irish Data Protection Commission has however faced heat over what some, including campaigner Max Schrems, see as a lack of enforcement action.

The Irish DPC, which reportedly asked the Irish government for more resources last year, is understood to be stretched by its role as the EU’s de facto data protection regulator for big tech. This is because many major tech firms have their EU headquarters in Ireland, which makes the DPC their lead supervisory authority.

Helen Dixon, the Irish Data Protection Commissioner, has defended the commission’s record compared to that of other EU regulators, but was strongly criticised by Ulrich Kelber, Germany’s federal data protection commissioner (BfDI).

In March this resulted in the unedifying spectacle of European Commission Vice President Vera Jourova telling the regulators to “stop squabbling”, and raising the prospect of a centralised model of enforcement.

All of this raises questions about the future of the One Stop Shop model, under which an organisation deals with a single lead supervisory authority (in the member state where it has its main establishment) even when its cross-border processing affects people in several countries.

What next for GDPR? A key question is the extent to which the legislation needs updating in the face of new technology. 

Expect key debates over the next few years about how the regulation can be revised.


United States

November 2020 was a dramatic month for United States politics. Whilst the world watched President Donald Trump lose his grip on power, voters in California passed Proposition 24, bringing the California Privacy Rights Act (CPRA) into law.

The CPRA, which builds on the first comprehensive state privacy law, the California Consumer Privacy Act (CCPA), established the California Privacy Protection Agency (CPPA), an independent agency to handle rulemaking and enforcement.

It allows consumers to stop businesses sharing their personal data, to have inaccurate data corrected, and to limit the use of “sensitive personal information” such as race, ethnicity, health information and precise geolocation. Businesses must apply data minimisation and tell consumers how long their data will be retained.

California has led the charge, but other states are now passing their own legislation. The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, making Virginia the second U.S. state after California to pass a comprehensive data privacy law; it comes into effect on January 1, 2023. While not as expansive as the GDPR in every respect, the CDPA is a broad-based privacy law broadly on a par with the California Consumer Privacy Act.

Several states have seen their attempts to pass a law fail. Most notably, the Washington Privacy Act of 2021 failed to pass for the third year in a row, and Florida’s proposed privacy law, House Bill 969, showed promise of making it into law but did not do so during the 2021 legislative session.

Hear more about U.S. data protection and privacy laws at “Global Data Protection and Privacy Law Developments USA: Will Next Year See a Federal Privacy Law Under the Biden Administration?” at PrivSec Global on September 22 at 6pm BST.


Brazil

While it’s unclear whether the United States will ever have a comprehensive federal privacy law, supporters of such legislation can look south for inspiration.

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s federal data privacy law. It went into effect on September 18, 2020, with administrative sanctions enforceable from August 1, 2021. With Brazil a key market in Latin America for big U.S. tech companies, the LGPD is widely seen as a positive step forward for Brazil’s legal privacy framework.

The LGPD aims to consolidate more than 40 different statutes that previously governed personal data, both online and offline, by replacing some of them and supplementing others. This consolidation into a single omnibus law mirrors the approach of the EU’s GDPR.

Inspired by the GDPR, the LGPD establishes detailed rules for the collection, use, processing and storage of personal data. It affects all sectors of the economy, including customer-supplier relationships, employer-employee relationships, national and transnational commercial relations, and any other relationship in which personal data is collected, whether online or offline.

Hear more about privacy regulation in Brazil at “Global Data Protection and Privacy Law Developments, LGPD: Has Brazil’s Data Protection Law Done Enough to Date, and What Does the Future Hold?” at PrivSec Global on September 23 at 4pm BST.



China

China’s Personal Information Protection Law (PIPL), passed on 20 August 2021 and coming into force on 1 November 2021, means that three of the world’s four largest economies now have an omnibus privacy law.

The PIPL, which is based on China’s Constitution and serves as China’s first comprehensive law in the area of personal information protection, aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information.”

From a broader cyber and data security governance viewpoint, the PIPL, the Cybersecurity Law and the Data Security Law together establish an overarching framework for data protection, cybersecurity and data security in China for years to come.

Whilst the PIPL bears some resemblance to the GDPR, there are notable differences. It is largely written to protect consumers from private companies collecting their data, while giving state authorities a free pass to do just that.

Foreign corporations conducting business in China are also subject to the PIPL’s rigorous requirements, including data-mining behemoths like Facebook that offer services to Chinese customers through obscure subsidiaries. Under the PIPL, such organisations must not only comply with the new law but, when they move personal information out of China, may also be required to “pass a security assessment performed by the State cybersecurity and information department” before the transfer is permitted.

Companies found violating the law can be fined up to 50 million yuan (roughly $7,690,000) or 5% of their previous year’s turnover.

“The release of the PIPL completes the trifecta of China’s foundational data governance regime, and will usher in a new age of data compliance for tech companies,” said Kendra Schaefer, Beijing-based partner at Trivium China consultancy.

Hear more about privacy regulation in China at “Global Data Protection and Privacy Law Developments: How Ready Are China and the World for Their New Data Security Law?” at PrivSec Global on September 23 at 8am BST.