In this photo-illustration, Facebook CEO Mark Zuckerberg was seen on a mobile screen while testifying remotely during the trial of the U.S. Senate Committee on Trade, Science and Transport, entitled “Let Article 230’s Great Immunity Be Bad Big Tech behavior possible? ” on Capitol Hill in Washington, DC, United States.
Pavlo Conchar | LightRocket | Getty Images
As Europe’s comprehensive GDPR laws approach their third anniversary, other jurisdictions around the world are taking steps to develop their own frameworks.
EU regulation (the General Data Protection Regulation) has helped to put data protection first for policymakers and businesses, especially with the imposition of large fines.
“The AVG has certainly created a much greater privacy awareness. Many companies are now saying that it is being discussed in boardrooms because of the potential amount of the fines,” said Estelle Masse, senior policy analyst at digital rights group Access Now.
One such law is the California Privacy Rights Act, which was passed in November 2020 and extended to the 2018 California Consumer Privacy Act.
The law has drawn many comparisons between observers and AVG in how it gives more control to the consumer and provides the possibility of penalties for violations and breaches of data.
“I think there were similarities in the sense that they both provided more rights and protection to the user, so they were fairly user-oriented in their approach,” Masse said.
Other jurisdictions may look to the AVG for inspiration on what does and what does not work, although there are many nuances and European features to consider that may not necessarily translate.
“But there is a range of core rights and core requirements. That people need to be protected, people need to stay in control of their information and that there needs to be an obligation on companies if they want to use this information,” Masse explained.
The biggest difference between California law and AVG comes down to enforcing it. California is just one state, while the EU is 27 countries with their own data protection authorities and their own challenges.
This has led to arguments among various Commissioners for Data Protection over who owes their weight to enforcement and who does not, with the authority of Ireland being the most critical.
“Our enforcement model shows cracks, so I think a great lesson has been learned for others watching Europe,” Masse told CNBC.
“I think the AVG is a legislative success, but so far it is a failure of enforcement and we can learn from it.”
The key to meeting those challenges is to ensure a data protection authority total independence, while providing adequate budgets and resources to regulate the ever-growing data economy.
Federal law
Mark McCreary, a privacy and data security lawyer at Fox Rothschild, Philadelphia, said U.S. states that enact their own privacy laws create unique challenges for businesses to comply with from state to state.
He points to Virginia’s newly approved law on the protection of consumer data as another development. It has similar characteristics to California, but also offers its own nuances.
“The definition of personal information is a little different and the definition of sensitive personal data is a little different,” McCreary said.
Different actions at the state level can often renew calls for a federal privacy law.
“People have been asking for it for years,” said Alex Wall, industry adviser for privacy at Rimini Street, formerly of Adobe and New Relic.
“I think it’s difficult because it depends on one side of the administration in control and that they both have different reasons why they want privacy legislation.”
These kinds of delays and obstacles in the development of federal legislation can lead to more states taking their own actions, gradually creating a patchwork quilt of different state-to-protection laws.
“Then it will finally reach a point where the business lobbyists in Washington are all on board to rationalize the laws and move forward because it’s so difficult to navigate,” Wall said.
McCreary added that cutting out a federal law is likely to lead to many disputes, with states having varying expectations about the finer details, such as private law of action – enabling private parties to file a lawsuit.
“Part of the problem is that California stands up and says that if you try to enforce a federal privacy law and you do not have a private right of action, we are not going to support it,” McCreary said.
Global moves
Outside of the US, several major countries have adopted their national data protection laws.
Brazil Lei Geral de Proteção de Dados came into force at the end of last year. The regulation updated and consolidated 40 different rules in one framework.
The LGPD is still in its infancy, but other Latin American governments are following suit and have their new laws in place, such as Argentina, Access Now’s Masse said.
But the next important data protection law that closely monitors legal falcons is in India.
The Personal Data Protection Bill is currently going through the various phases of the Indian Parliament and will impose stricter restrictions on the way companies can use data and give more control to users, a general AVG.
Masses said India’s regulation is also likely to have a significant impact on future laws in other countries, due to the large number of people and the role this country will play in a global data economy. ‘