A little more than one month after the European Union enacted the General Data Protection Regulation (GDPR) to extend new data privacy rights to its people, the governor of California signed a separate, sweeping data protection law that borrowed several ideas from GDPR, lighting a torch for a legislative data privacy trend that has now spanned at least 10 countries.
In Chile, lawmakers are updating decades-old legislation to guarantee that their Constitutional data protections include the rights to request, modify, and delete personal data. In Argentina, legislators are updating a set of data privacy protections that already granted the country a "whitelist" status, allowing it to more seamlessly transfer data to the European Union. In Brazil, the president signed a data protection law that comes into effect this August that creates a GDPR-like framework, setting up rules for data “controllers” and “owners,” and installing a data protection authority to regulate and review potential violations.
Beyond South America, India is mulling a new law that would restrict how international companies use personal data, but the law includes a massive loophole for government agencies. Canada passed its first national data breach notification law, and in the United States, multiple state and federal bills have borrowed liberally from GDPR’s ideas to extend the rights of data access, deletion, and portability to the public.
GDPR came into effect two years ago, and its impact is clear: Data privacy is the law of the land, and many lands look to GDPR for inspiration.
Amy de La Lama, a partner at Baker McKenzie who focuses her legal practice on global privacy, data security, and cybersecurity, said the world is undergoing major shifts in data privacy, and that GDPR helped spur much of the current conversation.
“At a high level, there’s a huge amount of movement in the privacy world," de La Lama said, "and, without a doubt, the GDPR has been a huge driver."
The following laws and bills are a sample of the many global efforts to bring data privacy home. Often, the newer laws and legislation are influenced by GDPR, but several countries that passed data privacy laws before GDPR are still working to update their own rules to integrate with the EU.
This is GDPR around the world.
Several countries in South America already grant stronger data protection rights to their public than the United States does, with several enshrining a right to data protection in their constitutions.
In 2018, Chile joined that latter club, supplementing its older, constitutional right to privacy with a new right to data protection. The constitution now says:
“The Constitution ensures to every person: … The respect and protection of private life and the honor of the person and his family, and furthermore, the protection of personal data. The treatment and protection of this data will be put into effect in the form and conditions determined by law.”
That last reference to “conditions determined by law” matters deeply to Chileans’ actual data protection rights because even though the Constitution protects data, it does not specify how that data should be protected.
Think of it like the US Constitution, which, for instance, protects US persons against unreasonable searches. Only within the past few decades, however, have courts and lawmakers interpreted whether “unreasonable searches” include, for instance, searches of emails sent through a third-party provider, or searches of historical GPS data tracked by a mobile phone.
Now, Chile is working to determine what its data protection rights will actually include, with a push to repeal and replace a decades-old data protection law called the “Personal Data Protection Act,” or Act No. 19.628. The latest legislative efforts include a push to include the rights to request, modify, and delete personal data, along with the right to withdraw consent from how a company collects, stores, writes, organizes, extracts, transfers, and transmits personal data.
Revamping older data protections is not unique to Chile.
Argentina implemented its Personal Data Protection Law (PDPL) in 2000. But that law, unlike Chile’s, drew inspiration from the European Union long before the passage of GDPR. Argentina’s lawmakers aligned their legislation with the law that GDPR repealed and replaced, the Data Protection Directive of 1995.
This close relationship between Argentinian and European data protection law made Argentina a near shoo-in for the GDPR’s so-called “whitelist,” a list of countries outside the European Union that have been approved for easier cross-country data transfers because of those countries’ “adequate level of data protection.” This status can prove vital for countless companies that move data all around the world.
According to the European Commission, countries that currently enjoy this status include Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. The US is also included, so long as data transfers happen under the limited Privacy Shield framework—an agreement that replaced the previous, separate data transfer agreement called “Safe Harbor,” which itself was found invalid by the Court of Justice for the European Union.
(Privacy Shield also faces challenges of its own, so maybe the US should not get too comfortable with its status.)
Despite Argentina’s current whitelist status with the European Commission, the country is still trying to update its data protection framework with a new piece of legislation.
The new bill, Bill No. MEN-2018-147-APN-PTE, was introduced to Argentina’s Congress in September 2018. Its proposed changes include allowing the processing of sensitive data with approved consent from a person, expanding the territorial reach of personal data protections, creating new rules for when to report data breaches to the country’s data regulator, and drastically increasing the sanctions for violating the law.
Within South America, there is still at least one more country influenced by GDPR.
In August 2018, Brazil’s then-president Michel Temer signed the country’s General Data Privacy Law (“Lei Geral de Proteção de Dados Pessoais” or LGPD). The law comes into effect August 2020.
The similarities to GDPR are many, de La Lama said.
“Like the GDPR, the new law, when it comes into effect, applies extraterritorially, contains notice and consent and cross-border transfer requirements as well as obligations with regard to data subject rights and data protection officer appointment," de La Lama said. "EU Standard Contractual clauses may be recognized under the new law but this step has not yet been taken.”
The LGPD defines “sensitive data” as personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership, along with genetic data, biometric data used for uniquely identifying a natural person, health and medical information, and data concerning a person’s sex life or sexual orientation.
Similar to GDPR, Brazil’s LGPD also creates a distinction between data controllers or owners, and data processors, a framework that has quickly rolled out in proposed laws around the world, including the United States. Brazil’s LGPD also applies beyond the country’s borders. The law applies to companies and organizations that offer goods or services to those living within Brazil, much like how GDPR applies to companies that direct marketing towards those living inside the European Union.
The law also, following amendments, includes the creation of the Brazilian Data Protection Authority. That body will have the sole authority to issue regulations and sanctions for organizations that violate the law because of a data breach.
In late 2019, India’s lawmakers introduced a data protection law two years in the making, which included minor similarities to the EU’s GDPR. The Personal Data Protection Bill of 2019, or PDPB, would require international companies to seek the consent of India’s public for many uses of personal data, and grant the people a new right to have their data erased.
The similarities stop there.
While portions of the law feint at the main purpose of GDPR, the data protections actually included suffer from an enormous loophole. As written, though the law’s data restrictions apply to government agencies, the law also allows the newly-created data protection authority to pick any government agency that it wants exempted.
The law would permit New Delhi to “exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order,” according to an early, leaked draft of the law obtained by TechCrunch.
This exceptionally broad language is akin to any loophole in the United States that applies to “national security,” and it is one that digital rights activists in India are fighting.
“This is particularly concerning in India given that the government is the largest collector of data,” said Apar Gupta, executive director of the Internet Freedom Foundation, in talking to the New York Times.
Salman Waris, who leads the technology practice at the New Delhi law firm TechLegis, also told the New York Times that the new Indian law purports to protect the public while actually accomplishing something else.
“It gives a semblance of owning your data, and having the right to know how it is used, to the individual,” Waris said, “but at the same time it provides carte blanche to the government.”
GDPR in the United States
Though we’ve focused on GDPR’s impact on a global scale, it is impossible to deny the influence felt at home in the United States.
While Congress’s efforts to pass a comprehensive data privacy law date back to the Cambridge Analytica scandal of 2018, some of the ideas embedded in more current data privacy legislation relate directly to GDPR.
One clear example is the California Consumer Privacy Act (CCPA), said Sarah Bruno, partner at Reed Smith who works at the intersection of intellectual property, privacy, and advertising. Though the law was signed less than one month after GDPR took effect in the EU, it was drafted with more than enough time to borrow from GDPR after that law’s earlier approval, in 2016.
“GDPR did have an impact on CCPA,” Bruno said, “and it has a lot of components in CCPA.”
CCPA grants Californians the rights to access and delete data, the right to take their data and port it to a separate provider, along with the right to know what data about them is being collected. Californians also enjoy the explicit right to opt out of having their data sold, which is not included verbatim in GDPR, though that law does give residents protections that could result in a similar outcome. And though CCPA does not grant rights to “data subjects,” as written in GDPR, it does have a similar scope of effect. Much of the law is about giving consumers access to their own information.
“Consumers are able to write to a company, similar to GDPR, to find out what information [the company] is collecting on them, via cookies, about their purchase history, what they’re looking at on websites when on there,” Bruno said. She added that CCPA contends that “all that information, a California consumer should have access to that, and that’s new in the US, but similar to GDPR.”
But California is just one state inspired by GDPR. There’s also Washington, which, earlier this year, introduced a remodeled version of its Data Privacy Act.
“It’s similar as well to CCPA,” Bruno said about Washington's revamped bill. “As I call it, CCPA plus.”
The Data Privacy Act scores close to GDPR, in that it borrows some of the EU law’s language on data “controllers” and “processors,” which would both receive new restrictions on how personal data is collected and shared. The law, much like GDPR, would also provide Washingtonians with the rights to access, control, delete, and port their data. Much like CCPA, the Data Privacy Act would also let residents specifically opt out of data sales.
Though the bill initially drew a warm welcome from Microsoft and the Future of Privacy Forum, shortly after, the Electronic Frontier Foundation opposed the legislation, calling it a “weak, token effort at reining in corporations’ rampant misuse of personal data.”
The bill, introduced on January 13 this year, has not moved forward.
GDPR's legacy: Fines or fatigue?
GDPR’s passage came with a clear warning sign to potential violators—break the law and face fines of up to 2 percent of global revenue. For an Internet conglomerate like Alphabet, which owns Google, such an enforcement action would mean paying more than a billion dollars. The same is true for Apple, Facebook, Amazon, Verizon, and AT&T, just to name a few.
Despite having the tools to hand down billion-dollar penalties, authorities across Europe were initially shy to use them. In early January 2019, France’s National Data Protection Commission (CNIL) slapped a €50 million penalty against Google after investigators found a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” It was the largest penalty at the time, but it paled in comparison to what GDPR allowed: Based on Alphabet’s 2018 revenue, it could have received a fine of about €2.47 billion, or $2.72 billion in today’s dollars.
Six months later, regulators leaned more heavily into their powers. In July 2019, the Information Commissioner for the United Kingdom (which was at the time still a member of the European Union) fined British Airways $230 million because of an earlier data breach that affected 500,000 customers. The penalty represented 1.5 percent of the airline’s 2018 revenue.
But regulatory fines tell just one side of GDPR’s story, because, as de La Lama said, after the law’s passage, her clients tell her of fatigue in trying to comply with every new law.
The nuances between each country’s data protection laws have produced guide after guide from multiple global law firms, each attacking the topic with their own enormous tome of information. De La Lama’s own law firm, Baker McKenzie, released its annual global data protection guide last year, clocking in at 886 pages. A quick glance reveals the subtle but important differences between the world’s laws: Countries that adopt a framework that separates data restrictions between “controllers” and “processors,” countries that protect “consumers” versus “data subjects,” countries that require data breaches to be reported to data protection authorities, countries that create data protection authorities, and countries that differ on just what the hell personal information includes.
Complying with one data protection law can be hard enough, de La Lama said, and there’s little assurance that the current data privacy movement is coming to a close.
“There’s difficulty in trying to bring a company into compliance with a wide variety of privacy and technical specifications and finding internal resources to do that is a daunting task,” de La Lama said. “And when you’re trying to replicate that across multiple jurisdictions, we’re seeing a lot of companies just trying to wrap their arms around how to do that, knowing that GDPR isn’t the end game, but really just the start.”