The EU's General Data Protection Regulation (GDPR) has helped to put data protection on the minds of politicians and companies, especially with its large fines.
“Absolutely, GDPR has created a much greater sense of confidentiality. Many companies now say it is being discussed in boardrooms because of the potential size of the fines,” said Estelle Masse, senior policy analyst at digital rights group Access Now.
One such law is the California Privacy Rights Act, which was enacted in November 2020 and expanded on the 2018 California Consumer Privacy Act.
The law has drawn many comparisons from observers to the GDPR in how it provides more control to the consumer and presents the possibility of fines for violations and data breaches.
“I think there were similarities in the sense that they both provided more rights and protection to the user, so they were pretty user-centered in their approach,” Masse said.
Other jurisdictions may look to the GDPR for inspiration on what works and what does not work, although there are many nuances and European features to consider that may not necessarily translate.
“But there are a number of core rights and core requirements. That people need to be protected, people need to stay in control of their information, and companies need to have an obligation imposed on them if they want to use that information,” Masse explained.
The biggest difference between California law and the GDPR comes down to enforcement. California is only one state, while the EU is 27 nations, each with its own data protection authority and its own challenges.
This has led to arguments among various data protection commissioners as to who pulls their weight in enforcement and who does not, with the Irish authority attracting the most criticism.
“Our enforcement model is showing some cracks, so I think there’s a big lesson being learned for others watching Europe,” Masse told CNBC.
“I think the GDPR is a legislative success, but so far it is an enforcement error and we can learn from it.”
The key to tackling these challenges is to ensure the total independence of a data protection authority, while providing ample budgets and resources to regulate the ever-growing data economy.
Mark McCreary, a privacy and data security lawyer at Philadelphia firm Fox Rothschild, said U.S. states that enact their own data protection laws create unique compliance challenges for companies from state to state.
He pointed to Virginia’s recently enacted law on the protection of consumer data as another development. It bears similar characteristics to California’s law, but also presents its own nuances.
“The definition of personal information is a little different, and the definition of sensitive personal data is a little different,” McCreary said.
Various actions at the state level can often renew calls for some sort of federal privacy law.
“People have been asking that for years,” said Alex Wall, a business consultant for privacy at Rimini Street, and formerly of Adobe and New Relic.
“I think it’s difficult because on the one hand it depends on which administration is responsible and they both have different reasons why they want privacy legislation.”
Such delays and obstacles in the development of federal law can lead to more states taking their own actions and gradually creating a patchwork of different data protection laws from state to state.
“Then it will eventually reach a point where business lobbyists in Washington are all on board rationalizing and anticipating these laws because they have become so difficult to navigate,” Wall said.
McCreary added that passing a federal law is likely to lead to many disputes where states have different expectations for the finer details, such as a private right of action, which allows private parties to sue.
“Part of the problem is that you have California to stand up and say that if you guys are trying to pass a federal privacy law and you do not have a private right to act, we will not support it,” McCreary said.
In addition to the United States, several major nations have enacted or updated their national data protection laws.
Brazil’s Lei Geral de Proteção de Dados (LGPD) came into force at the end of last year. The regulation updated and consolidated 40 different rules into one framework.
The LGPD is still in its infancy, but other governments around Latin America, such as Argentina, are following suit and have new laws on the way, Access Now’s Masse said.
But the next big data protection law that legal hawks are keeping an eye on is in India.
The Personal Data Protection Act is currently going through the various stages of India’s Parliament and will impose stricter limits on how companies can use data and provide more control to users, à la GDPR.
Masse said that India’s regulation, once enacted, is also likely to have a significant impact on future laws in other countries “because of the large number of people and the role this country would play in a global computer economy.”