HAPPY 2nd ANNIVERSARY to the GDPR – and welcome to the brave new world of enhanced privacy rights across the globe
Two years ago, before the General Data Protection Regulation (GDPR) became applicable across the EU, privacy professionals had been speculating about the potential cross-border effects of the enhanced EU data protection regulation. We were hoping that the GDPR would help EU citizens to be more aware of their rights and that this could catalyze more sophisticated case law – leading to more awareness. The extraterritorial effect of the GDPR was also a hot topic: a lot of us were wondering if the GDPR would be applied effectively in the case of third-country businesses.
Looking back on the evolution of privacy between 2018 and 2020, one thing is for sure: individuals started to claim back their digital privacy rights – not only in the EU, but across the globe. It seems that the GDPR has given data protection legislation around the globe a powerful boost. Although the institution of data protection already appeared back in the 1970s, the era of the GDPR has introduced new perspectives and higher standards to the field of privacy.
Some countries already have data protection regulations in place but wish to bring them in line with the GDPR, while others have only just started to introduce comprehensive protection of individual privacy rights at the legislative level. On the second anniversary of the GDPR, it may be worth looking around and diving into the data protection laws around the globe that have been inspired by the GDPR.
Here are four countries which have already implemented or are about to adopt comparable data privacy laws:
Until recently, the USA relied on industry-specific and/or state-level legislation such as HIPAA, which requires health organizations to ensure the security of medical data. California was the first state to implement a broad (and probably the strictest) regulation of individual privacy rights. The California Consumer Privacy Act took effect in 2020 and grants Californian consumers rights similar to those under the GDPR. Under the CCPA, consumers have the right to know whether a business collects or sells any of their personal data, and they are entitled to request access to or the deletion of their data. But the great novelty of the CCPA is that it authorizes consumers to bring a civil action when their nonencrypted personal data is compromised by unauthorized access.
New York followed California’s example soon after and signed into law the Stop Hacks and Improve Electronic Data Security Act, a.k.a. the SHIELD Act, as a response to the major data breaches of the recent past. To go even further, a new data protection act called the New York Privacy Act has been drafted and is now on the table of the Senate Committee. This act intends to grant New York residents rights corresponding to those under the GDPR and the CCPA.
New Zealand decided to reform its almost 30-year-old data protection act, and there is a new bill in the pipeline expected to be passed by the end of 2020. According to the Privacy Commissioner of New Zealand, compliance with their privacy law will take organizations a long way towards compliance with the GDPR. There are some equivalents between the two regulations, such as the requirement to have a privacy officer (New Zealand’s equivalent of the GDPR “Data Protection Officer”). The obligation to notify a serious data breach is also planned to be enacted – right now it is before the New Zealand Parliament.
There has been a unification process in Brazil, through which the Brazilian Senate approved the data protection law of Brazil, the Lei Geral de Proteção de Dados (LGPD), on 3 April 2020. In terms of its content, the regulation was clearly inspired by the GDPR: for example, it extends its scope beyond Brazil to protect as much Brazil-related personal data as possible. The LGPD establishes rights for data subjects very similar to those under the GDPR, and it requires the notification of data breaches as well.
Thailand’s new data protection law, which was adopted in 2019, will come into effect in May. It was clearly modelled after the GDPR, in particular regarding its extraterritorial scope and the requirements for a valid legal basis for data processing. The potential sanctions for non-compliance are also significant. In addition to administrative fines and criminal penalties, the Personal Data Protection Act of Thailand authorizes Thai citizens and residents to bring class action lawsuits.
Data protection regulations are growing like weeds, and this is an evolution rather than a revolution. There is no doubt that the GDPR now dictates the standard for data privacy laws worldwide, and the high level of protection required by the EU is acknowledged and followed across the globe. Hence, if you feel lost in the legislation of different jurisdictions, complying with the GDPR is always a good start, as it will help you meet privacy expectations in most cases.