General Data Protection Regulation (GDPR) is precedent-setting legislation which extends EU jurisdiction beyond Europe
Nations around the world are scrambling to update their data legislation to bring it into line with Europe’s tough new privacy and data protection law, the General Data Protection Regulation (GDPR).
Under GDPR’s strict requirements, any business globally that sells to or targets European Union consumers will need to comply with the new law, wherever that business is based. The EU is effectively making GDPR a global benchmark for privacy regulation. Countries with data legislation that fails to match GDPR’s requirements could find themselves shut out of the European market. There is one big exception to this, the United States which has a very different approach to data protection.
“GDPR is interesting because it is the first time that the EU is exporting regulation,” says Rashmi Knowles, chief technology officer at RSA Security. ”In the past, everything created by the EU applied to the EU. Now we have this regulation, but it is going to apply globally. If anybody wants to use the data of EU citizens or consumers, they have to comply, so it is exporting privacy rules to other countries.”
Multinational companies adopting GDPR across worldwide operations
This is causing panic among companies outside the EU, according to Eduardo Ustaran, a partner at law firm Hogan Lovells. He says multinational companies are adopting GDPR standards across their worldwide operations. “That means that irrespective of where in the world that data is being collected, used and analysed, it is being used as if all the data is coming from Europe,” says Mr Ustaran.
“Because GDPR is having so much prominence in what organisations around the world are doing to meet data protection requirements, it is becoming the de facto global legal framework.”
He says national governments are updating their data legislation to mirror GDPR. His team drafted the new data protection law for Bermuda as the state sought to ensure that its local businesses, particularly insurance, could comply with European laws.
Because GDPR is having so much prominence in what organisations around the world are doing to meet data protection requirements, it is becoming the de facto global legal framework
“I’ve been working in countries in Africa such as Ghana building up the laws in this area for the same reason. A lot of developing economies are looking at technology as a sector they wish to foster and this law is very aligned with that aim,” Mr Ustaran adds.
There is mounting pressure on businesses to decide how to implement GDPR globally. Facebook recently said it was ready for GDPR in Europe, but there was uproar from other users demanding similar protection. Facebook then said it would apply the rules of GDPR to all users whether EU citizens or not.
“That is the first domino that will ripple across companies that have mixed user-bases and countries,” says Perry Krug, principal architect at database company Couchbase. “Why would they bother making up different rules if they already have a reasonable benchmark in GDPR that is already very public and is already being adopted?”
Non-EU countries introducing GDPR-compliant legislation
Many other governments are attempting to introduce privacy legislation that complies with GDPR to enable their businesses to trade more easily with European markets.
Japan has been following developments closely and is looking to make its data laws compatible with European legislation, says Data Protection Network chairman Robert Bond, a partner at legal firm Bristows.
Under EU data adequacy rules, businesses cannot transfer personal data outside the European Union to another country unless its data legislation is deemed to be “essentially equivalent” to European data laws. The alternative is to create a complex contract that protects EU individuals or puts them on an equal footing to local citizens.
Over the years, the EU has given its blessing to the data laws of 12 territories, including Argentina, New Zealand, Israel, the Channel Islands and Isle of Man. Most nations are not considered to have adequate data laws, whether Japan, South Korea, Russia or South Africa.
But with the stringent demands of GDPR, more countries such as Japan are trying to gain data adequacy status. Mr Bond gives the example of Singapore, which has a growing digital economy, with call centres, server farms, digital marketing and advertising technology.
“Their regulators have been following GDPR to make sure they are not disadvantaged in the brave new world,” he says. “When you look at GDPR, it says that you can’t transfer data to another part of the world that isn’t deemed to have adequate protections for the rights of individuals or a decent law.
“In Singapore, they are thinking ‘Well we need to get our law in line because currently we are not approved by the EU as a safe place for the data to go to, so it means all our businesses have to jump through the hoops of having all these contracts’.”
Many countries holding fire to see how GDPR works before implementing
Meanwhile, South Africa has a new data privacy law which Mr Bond says is modelled on European legislation.
But according to Scott Bancroft, chief information security officer for technology consultancy Capco, many countries will wait to see how GDPR works in practice before moving to adopt it in their own legislation. “There are a few potential blocks to that such as cost and complexity; it may not work so well in low-cost countries and emerging markets,” he says.
There are still many questions about how GDPR will work and he expects legal test cases, especially in the US, while there is likely to be further guidance from the European Commission about the working of the legislation. Although some countries might adopt the legislation, others are more likely to adapt it.
“Smaller emerging-market countries are less likely to want to add that level of legislation, compliance and expense to what is not such a big economy and may not be badly affected by not holding that data,” says Mr Bancroft.
Harmonising data protection laws across the world will in theory make it easier to do business in the global marketplace. The EU is using its sheer size and market power to make it hard for other countries to resist the pull of GDPR.
Insight: United States
When it comes to privacy law, the United States is an exception. In most parts of the world, privacy is a fundamental right of citizens and consumers. But this is not universal in America where there are data protection laws that apply to particular sectors.
For instance, there is the Children’s Online Protection Act; the Health Insurance Portability and Accountability Act for medical information; and the Gramm-Leach-Bliley Act for financial services.
Each US state makes its own laws, so there are dozens of different interpretations of what constitutes a data breach. “There is a lot of data law in the US, but it is not in one place and it doesn’t apply across the board. That is where they are out of sync with almost everywhere else,” says Robert Bond, a partner at law firm Bristows.
This will make it hard for the US to comply with the European Union’s General Data Protection Regulation (GDPR).
The EU negotiated the Safe Harbour agreement with the US in 2000 to ensure the safe exchange of data between Europe and America. But this was struck down by the European Court of Justice in 2015 following revelations by Edward Snowden that the US National Security Agency was conducting global mass surveillance programmes.
It has been replaced by a new agreement known as the Privacy Shield. However, this is not fully compliant with GDPR. The big question is how the US will respond to the new EU data law. Some states such as California and Massachusetts may be more responsive to the spirit of GDPR than others.
Tomas Lopez Fernebrand, general counsel at travel technology company Amadeus, says the key distinction between US and EU law is that GDPR puts individuals in charge of their own personal data. Under GDPR the issue of data privacy is a fundamental human right and individuals have the right to manage the privacy of their own data, including knowing how it is processed and who has access to it. “It remains to be seen whether the US will follow the lead offered by GDPR,” he says.