The European Union’s globally applicable General Data Protection Regulation (GDPR) has set the global benchmark for data protection standards. In 2019, it will continue to reverberate far beyond Europe; more countries around the world will adopt GDPR-like standards, often creating headaches for global business in the process. Will the GDPR now inevitably become the world standard?
The EU has successfully branded itself and the GDPR as the gold standard for data protection. Rightly or wrongly, the GDPR and its standards now connote unimpeachable credibility on consumer protection and are firmly establishing the idea of data protection as an issue of fundamental rights.
Now, when country “X” is looking to update its data protection laws, the GDPR is the first jar on the shelf they reach for. Countries are emulating the GDPR, in whole or in part, proliferating standards to empower individual consumers like providing affirmative rights for data subjects, defining legal obligations for data controllers and data processors, requiring adequacy for cross-border transfers, and imposing heavy fines for non-compliance, among others.
This trend has been long building. When the EU established the GDPR in 2016, their first-mover advantage was helped along by fortuitous timing, intersecting with a string of troubling revelations about the privacy practices of tech giants. Scandals like the Facebook/Cambridge Analytica revelations or repeated privacy failures in India’s enormous Aadhaar digital ID system have made treatment of personal data online a pressing political issue, impossible for policy-makers to ignore. Europe has capitalised on these problems with a tough line on unpopular US tech companies.
We have already seen the GDPR’s normative power in 2018, with adoption of a new data protection framework in Brazil that bears substantial similarities to the EU’s system, as well as policy proposals in India and elsewhere that have been deeply influenced by the GDPR framework.
Why does it matter?
The GDPR is a stringent framework for data protection with costs for businesses; the spread of these norms will raise costs for firms of all sizes around the world. Companies have scrambled in the past year to achieve compliance amid an uncertain enforcement climate. The focus now is getting the right type of consent from citizens and proving good faith efforts upfront to regulators, absorbing substantial time and energy.
However, what is more difficult than the spread of GDPR standards is the imprecise copying of GDPR standards, which threatens to multiply compliance and cross-border data transfer burdens. Each country is putting their own spin on the ideas of the GDPR and arriving at subtly different standards for how to implement general principles.
Further, some popular elements of the GDPR, even if copied exactly, have the effect of fragmenting global data flows. For example, the concept of “adequacy” for international transfers of personal data requires each country to stitch together a network of bilateral determinations and negotiated agreements — a laborious and time-consuming approach.
What is next?
India promises to be the next biggest development in global data protection norms. The government is due to propose a comprehensive data protection legislative package in the summer of 2019. Early drafts bore significant resemblance to the GDPR.
In a twist that would have been unthinkable even a few years ago, we are now seeing the EU set the terms of the policy debate even in the US, which is in the early stages of developing a long-deferred comprehensive consumer data protection regime at the federal level.
While the legislative process will be long and painful, momentum has grown substantially. Many, even some in Congress, would be happy to import the GDPR as a US solution.
The extent to which GDPR-inspired ideas creep into US and Indian models in 2019 — two of the largest and most influential data markets — will have ramifications for decades to come. This year, we may see policy-makers surrender the idea of creating an alternative model to the GDPR altogether.
Author: Logan Finucan, Senior Policy Analyst, Access Partnership