Just four months into the General Data Protection Regulation (GDPR), the jury is in: Europe has seized a first-mover advantage and set the terms of the global privacy debate. Whatever its virtues or flaws, the GDPR is now the de facto global standard that other countries’ privacy regimes are measured against, and countries around the world are adapting their own laws accordingly.
As the United States begins a meaningful dialogue about a national privacy law, the GDPR will likely dominate the conversation once again. Ensuring rough equivalency (or, in GDPR parlance, “adequacy”) with data protection standards in the European Union (EU)—and protecting lucrative cross-border data flows—will be a critical function of any U.S. data privacy law. At the same time, the process of crafting a comprehensive law presents U.S. lawmakers with the opportunity to recapture a global leadership role on privacy norms and to promote a template that will reduce barriers to international business.
Europe Has Planted Its Flag
The GDPR was big and radical, and now we’re stuck with it. Based on a conception of data protection as a fundamental right, it applies to any organisation, wherever it is located, that processes the personal data of people in the EU, and it empowers regulators to levy steep fines for noncompliance: up to EUR 20 million (approximately US$23 million) or 4 percent of a company’s worldwide annual turnover, whichever is higher.
The GDPR imposes legal obligations on organisations that control or process the personal data of individuals in the EU. It lays out strict standards of notice, consent, purpose limitation, and data minimisation. It also grants the data subjects whose data is being collected, stored, or processed affirmative rights of access, rectification, erasure, and data portability, and enables them to restrict or object to processing of their data.
In theory, these rights should change the nature of dialogue between users of online platforms and service providers, and should give the users more control over how their data is used. In practice, though, the benefits of the extra information are questionable. The onslaught of opt-back-in emails sent the week before the GDPR took effect on May 25 is a prime example: Most users simply clicked “accept” without reading the terms and conditions; thus, the disclosures didn’t actually provide them with a better understanding of, or control over, how their data is used.
Under the GDPR, organisations are accountable for implementing appropriate technical and organisational measures to comply with the law, including, for many of them, the appointment of a data protection officer (DPO). The GDPR also sets a strict standard for data transfers, which is fast becoming the global benchmark. Personal data may flow freely only to a jurisdiction that the European Commission has found to offer “adequate” protection, that is, substantively similar data protection rules; transfers anywhere else require additional safeguards such as standard contractual clauses or binding corporate rules. So far, only a handful of countries have achieved an adequacy finding, but more are moving in that direction, lest they be left out of business process outsourcing (BPO) markets.
Cumulatively, these obligations are placing a significant burden on businesses. Several studies have documented that large businesses are spending tens of millions of dollars to get to compliance. The burden is likely heavier on small to midsize enterprises, which can’t afford teams of lawyers to work out the details. Even more significant than one-time compliance costs is the chilling effect the GDPR is having on business uses of personal data. Many companies—spooked by the law and its fines, but lacking a deep understanding of what is and is not permitted—have simply walled off data that they could be using legally and productively.
One more impediment to doing business in the EU is the GDPR’s high bar for transferring personal data. But the new barriers to transfers of EU residents’ data are just part of the story. As more and more countries adopt this approach, obstacles to international data transfers are multiplying, threatening to seriously hamper how global businesses are run.
An Idea That Is Spreading
The GDPR has already demonstrated an attractive power far beyond Europe. In offering an all-encompassing framework which, for all its flaws, is comparatively easy to understand, it’s rapidly becoming the first reference point for any country that is looking to write or rewrite a national privacy law. And what regulator would refuse the power to levy fines worth 4 percent of a company’s global turnover?
Politically, the content of the GDPR is almost irrelevant to this attraction. Impact on business aside, proposing a GDPR-like law offers a policymaker in a non-EU country certain benefits:
- instant prestige and global respectability,
- unimpeachable credibility as a supporter of individual privacy rights, and
- a tough stance on “foreign” (particularly American) big business.
We are starting to see the impact, as other countries align themselves to the GDPR regime. The recent passage of legislation in Brazil and India’s proposed Personal Data Protection Bill illustrate how the GDPR has become the global norm.
Brazil Adopts “GDPR-Lite”
After nearly eight years of development, a new General Data Protection Law (LGPD) passed the Brazilian legislature in July and was signed by President Michel Temer on August 14. The new law draws heavily on the GDPR in structure and standards: The relationships it outlines between data subjects, data controllers, and data processors are similar to those found in the GDPR. Its framework is also fundamentally consent-centric and uses standards comparable to the GDPR. And although its cross-border transfer conditions are somewhat looser, the framework is fundamentally in sync with the EU approach, centring on adequacy and standard contractual clauses.
Due to some quirks in the Brazilian constitutional system and proclivities of President Temer, Brazil’s regime—at least in the near term—will differ from the GDPR in one important respect: Brazil will not have an independent data protection authority (DPA). Originally included in the law, the DPA was removed by a presidential line-item veto. In Brazil, the enforcement, implementation, and regulation-writing functions that the GDPR assigns to the DPA will instead be assumed by the Ministry of Justice. This difference will likely keep Brazil from receiving an adequacy decision from the EU, at least in the short term, maintaining barriers to data flows between Brazil and the European bloc.
Brazil is likely to get a DPA eventually, but it will have to be proposed separately by Temer or (more likely) his successor. Pressure will be great to do so sooner rather than later.
India Drives Toward Something Both Lighter and Heavier
Like Brazil, India is on the “GDPR-lite” track, but with some important differences. A government committee recently released the draft Personal Data Protection Bill, which mimics the structure and standards of the GDPR, including:
- tripartite division of data subjects (or data “principals”), data controllers (or “fiduciaries”), and data processors—each with obligations comparable to those in GDPR;
- stronger notice and consent requirements for the processing of personal data, purpose limitation, and “explicit consent” for the processing of sensitive personal data;
- international jurisdiction, though defined in terms of legal incorporation, not an Indian citizen’s fundamental rights; and
- cross-border transfer of personal data through a combination of user consent and one of the following: a country adequacy decision, use of standard contractual clauses, or an intragroup scheme akin to EU binding corporate rules (BCRs).
However, India’s proposed framework differs from the GDPR in several ways. The draft has somewhat vaguer standards for lawful processing of data, as well as lighter notification obligations in the event of a data breach. More fundamentally, Indian policymakers clearly understood the costs the GDPR would impose on the Indian economy, so they exempted small firms from the law and reserved particularly onerous measures—including impact assessments, recordkeeping, auditing, and appointment of a DPO—for just a special category of “significant” data fiduciaries. The BPO industry also received a generous carve-out for firms that process only foreign data.
On the other hand, these reprieves from certain GDPR requirements are paired with measures that will make the law much more costly. It requires that a copy of all personal data be stored on servers in India, and it completely bars cross-border processing of a specially notified class of “critical personal data.” In addition, the definition of “sensitive personal data”, for which notice, consent, and compliance standards are heightened relative to other personal data, is expansive, encompassing passwords and financial data.
Expect More of (Not Quite Exactly) the Same
There is no indication that the global privacy rush is slowing down. In Latin America, for example, several countries—including Mexico and Chile—recently updated their privacy laws for the digital economy. Now that their legislatures are well-versed in these issues, they may decide to come up with new models that aim for a local interpretation of GDPR-style strictness. While Argentina already has EU adequacy, it needs to do more work to give its DPA the latitude and independence of an EU DPA. As often happens in the region, Brazil’s passage of the LGPD may spur similar laws in surrounding countries.
In Asia, while nations like Japan and Malaysia have relatively recent personal data protection laws, many shoes are left to drop. Thailand is actively preparing legislation that is more lenient than the GDPR but nonetheless bears its mark. New Zealand is due for a new privacy law, as well, and recently opened trade talks with the EU. Its new left-leaning government may decide the time is right to align with Europe on privacy, too.
In Africa, Zimbabwe has a data protection reform bill waiting in the wings for when the nation’s political turmoil can be resolved, and the Kenyan government recently opened debate with a proposed new privacy law. The continent is also reeling from a series of social media control laws—including Uganda’s social media tax law and Kenya’s cybercrime law. It is easy to foresee the rollout of a raft of bills regulating content on social media platforms under the banner of privacy.
Can You Blame Them?
Although the GDPR is quite radical, it is easy to see why many countries are turning to it as their model: There are few (palatable) alternatives anywhere else in the world.
Chinese data protection regulations are a confusing patchwork, deliberately designed to erect protectionist barriers and safeguard the government’s ability to exercise oversight of society and to conduct extensive surveillance. Few other foreign governments are prepared to take such an aggressive approach.
The United States privacy regime is difficult for many outside the U.S. to understand. It combines a profoundly laissez-faire ethos in some areas with strict curbs on some specific types of sensitive data and on government access. This patchwork has fuelled misperceptions of the U.S. as a sort of Wild West for privacy protection. Our Canadian neighbours are not much better off.
More positively, the APEC Cross-Border Privacy Rules (CBPRs) are constructive. Developed by the 21-member Asia-Pacific Economic Cooperation, the rules offer a useful model from a cross-border transfer perspective. However, vis-a-vis the GDPR, they fail to provide a fully elaborated legal framework that policymakers can easily leverage. Much like the NIST Cybersecurity Framework, the APEC CBPRs are easy to customise but don’t satiate regulators’ lust for checkboxes.
The regulatory framework in Japan may land somewhere close to the sweet spot that other countries should emulate. Japan’s relatively recent personal data protection law (an amendment to the Act on the Protection of Personal Information—APPI) offers an alternative approach by a large, prosperous, and digitally engaged state. While ratcheting up standards in a manner approaching the GDPR, or at least enough to achieve reciprocal adequacy with the EU, the law still facilitates cross-border data flows, which have strong political backing by Japanese policymakers.
The Champion We Need
As countries gravitate toward the GDPR, their orbits are far from concentric. The strict approach of the GDPR may appeal to lawmakers, but they still want to tinker with the details and adjust standards and compliance obligations to suit local tastes. This is just about the worst-case scenario for industry, since the only thing worse than worldwide implementation of the GDPR would be a fragmented hodgepodge of laws that are just as stringent as the GDPR but different enough that companies cannot cross-apply their compliance efforts.
The business community needs to push back against the global multiplication of overly burdensome and trade-distorting privacy rules. But in order to do so, it needs a better model to point to that won’t multiply barriers when adopted in new markets. The Japanese regime has some potential to be this model, but the government is inching too slowly toward more assertive external policy engagement to be an effective champion.
The serious prospect of comprehensive U.S. privacy reform is an important opening for building such a model. For a new privacy regime to be attractive enough to serve as a counterweight to the GDPR, it must also offer attendant political benefits:
- It must be easily understandable and coherent.
- It must plausibly allow policymakers to claim they are protecting and empowering consumers.
- It must put meaningful guardrails on uses of data, while also supporting innovation, entrepreneurship, and growth of businesses.
- It must proactively enable engagement with the world.
- Finally, this is an opportunity to one-up the GDPR by building a strong narrative around the U.S. tradition of limiting government access to, and uses of, personal data.
If U.S. lawmakers can do the hard work of framing a comprehensive privacy law, they can remake the global privacy debate and promote a model that isn’t as anti–global-business as the GDPR, but that still protects individual rights to privacy. For global businesses’ sake, let’s hope U.S. lawmakers can do it.
- Ryan Johnson, Senior Manager, International Public Policy, Access Partnership
- Logan Finucan, Senior Analyst, International Public Policy, Access Partnership
This article was originally published in Treasury & Risk Magazine on 11 October 2018.