When it comes to data protection, the General Data Protection Regulation is the new gold-standard and its international impact cannot be overstated. Less than one year after its entry into force, many countries outside the EU, from Japan to Brazil, have drawn inspiration from it, even if significant differences exist between the each state. An overview of data protection legislation across the globe.
The GDPR has made the European Union the leading light in terms of data protection. The new regulation is groundbreaking: never before have measures dedicated to the protection of personal data been so exacting, or the penalties so severe. And with good reason, the law seeks to guarantee fundamental freedoms enshrined the Charter of Fundamental Rights of the European Union. Namely article 7, the right to have one’s private life and communications respected, and article 8, concerning the right to the protection of personal data.
Not a copy-paste
The 28 members states of the EU are henceforth seen as the guarantors of data protection, capable of creating a new world order. But Brussels demures. According to the Assistant European Data Protection Supervisor, Wojciech Wiewioroski, the GDPR was never intended to be a model for other nations. “The text was drafted with the European Union in mind and as such it was never going to a panacea to be copy and pasted to all jurisdictions worldwide.”
Nevertheless, the content of the text and its process of adoption lead one to conclude that the EU hopes the GDPR will carry global significance. As early as July 2018, European authorities began actively encouraging other nations to adopt similar data-protection measures. Vera Jourova the European commissioner for justice, consumers and gender equality, has toured the globe lobbying for the adoption of stricture data protection measures. What’s more, by applying articles 40 and above of the new regulation, the transfer of data to a country outside the EU is not authorized except in those instances where the third country benefits from an adequacy decision from the European Commission – simply put, if the country has a similar level of data protection to that of the EU. So, in order to facilitate the exchange of data with European countries, it would seem that the nations of the world will have to take measures to improve data protection in within their borders.
Data-protection ducks in a row
Latin America’s biggest economy, Brazil has already done just that. In August, the Brazilian parliament adopted their own version of the text, the LGPD or lei geral de proteção de dados. The regulation provides the framework for the conditions under which data may be collected and used, in order to prevent them being exploited. It also accords new rights to Brazilian citizens, such as the right to be forgotten. Finally, as in Europe, a regulator will be appointed to ensure the law is being upheld. While Brasilia awaits Brussels adequation decision, the steps it has taken put it well on the road to being compatible with the European Union. Another country quick off the mark was Japan. Tokyo has added its own supplementary guarantees to be applied when handling data from EU citizens. The new law, which applies to all Japanese countries, has already had the desired outcome. In January Tokyo signed an adequation agreement with Brussels.
Not all countries have the same philosophy regarding the protection of personal data however. For some states, personal data is an indispensable tool in the modern commercial marketplace, for others it is a means with which to keep the population under control and an instrument of state power. In both extremes, resistance to the GDPR is likely to be heavy. In the US, for example opinions vary on the need for data protection regulations.
Fault lines appear in Silicon Valley
On the one hand, the excesses of the GAFA has pushed some in the American tech industry to lobby their government for more regulation. The latest scandal to hit Silicon Valley: the collection by Facebook of the personal data of young users. Between 2016 and 2018 the social network paid users between the ages of 13 and 35 to download the Facebook Research app, which allowed the company broad access to the data present on their devices, the goal being to better understand the consumer behavior of Facebook users. The director of Apple, Tim Cook, has stated that the collecting giant quantities of personal data could cause harm and has encouraged the government to adopt new federal laws. Apple, alongside Microsoft, have been pleading for many years for stronger safeguards to protect the private data of their customers, and last year the two multinationals committed to applying the norms outlined in the GDPR in their handling of customer information throughout the world.
On the other hand Facebook and Amazon have strongly reject the enacting of any GDPR-inspired legislation in the United States. The European regulation is too strict, they say, and should similar legislation be adopted by Washington, it would constitute a barrier to commerce and innovation. Nevertheless, last June the state of California adopted a data protection regulation of their own. Due to come into force in 2020, the California Consumer Privacy Act will give customers similar rights to those of the GDPR. Some tech giants tried, in vain, to stop its adoption.
The US government has been working since last summer to introduce new data protection measure at federal level. The department of commerce has met with tech and telecoms representatives to get their input on the substance of any future national data-protection text. But arriving at a consensus is not going to be easy and for the moment there is no deal on the horizon.
Social engineering made easy
China has gained a reputation for not respecting the private lives of its citizens or their personal data. However the GDPR may even lead to change in the Middle Kingdom: Beijing is looking to adopt a similar regulation by 2023. In 2016 China enacted a law on cybersecurity, already in force, stressing the principles of “legality, legitimacy and necessity” regarding in the collection, usage and transfer of personal data, which has already limited the growth of commercial data-mining. In addition, Beijing insists that the most important data be stored on servers in China. However, this regulation is designed squarely with companies in mind. The Chinese authorities themselves continue to process the data of their 1.4 billion citizens and have even put in place a system of social credit in order to grade the their behavior. China intends to attribute its nationals with a score between 350 and 950 and will use their personal data to help assign a score. This would seem to be an obvious double standard.
If the GDPR has led to a major shift in the way the world views and individual’s personal data, the road to having standardized data protection for all of Earths citizens is still a long one.
By Maeva Kpadonou
(Translation: Simon McGeady)