How GDPR has inspired a global arms race on privacy regulations

With many jurisdictions embracing EU-style privacy rules in line with the European Union’s GDPR, such as mandatory data-protection impact assessments, data privacy officers, and notification to individuals and regulators in the event of a data security breach, compliance is increasingly complex and an increasing burden for organizations.

At the same time, data sovereignty rules laws that require companies to store data locally, are rising. So too is a focus in some countries on data security. How privacy laws have developed, why they exist in the first place, and how they are regulated each are different in almost every country. These factors all add to the heightened regulatory requirements.

The multiple trends affecting data protection and privacy laws

When comparing various countries’ approach to privacy, the question is this: ‘Do they view privacy as a fundamental human right, like they do in Europe?’,” says Miriam Wugmeister, a Morrison Foerster partner and cochair of its global privacy and data security group.

GPDR has inspired many countries to strengthen their data-protection and privacy rules. Its biggest change from the previous rules — and why everybody paid attention — was because it radically changed the penalties, Wugmeister says.

For many organizations, all these developments can mean adhering to different standards across their global footprint, she says. “Some use the GDPR, particularly European-headquartered ones. Some organizations just use the core principles and then look at the details for different regions.”

Australia is currently reviewing its privacy laws and one of the questions is whether to adopt GDPR-compliant regulations. GDPR principles are finding their way into laws throughout the world. Canada is now considering similar privacy laws, as is its Québec province, in addition to existing regulations around data sovereignty. “Japan has increasingly improved its privacy laws. South Korea has always been really strong and is even a lot stronger now. Thailand has introduced a GDPR-based law. Just recently Sri Lanka enacted its GDPR-influenced laws. Pakistan and India both have pretty strongly GDPR-influenced bills that are still making their way through the legislative process,” says Graham Greenleaf, a professor of law and information systems at the University of New South Wales at Sydney and founding codirector of the Australasian Legal Information Institute (AustLII).

By contrast, the United States federal government has largely ignored the GDPR-inspired trend, Greenleaf says. “Although there are federal GDPR-flavored bills floating around, there are no signs of them coming into law,” he says. Instead, various states have taken the lead on bringing GDPR-like principles, including California, Maine, and Nevada, with Utah now considering its own laws.

Data-protection and privacy efforts beyond GDPR

The various changes in data-protection and privacy regulations across the globe go beyond GDPR-inspired ones.

For example, Asian countries such as Japan, Singapore, and South Korea are the leaders in terms of data security. Wugmeister expects to see more focus on data security and specific requirements in regulations, guidance, and statutes because of the level of cybersecurity incidents and the volume of criminal and state-sponsored activity with respect to ransomware and other kinds of cyberattacks.

Wugmeister says the US is further ahead than any other country with respect to breach notification. “There are two laws that have come into effect to do with critical-infrastructure organizations and public companies having to give notice within a very short period of time. So the US is the leader in terms of transparency around data breaches,” she tells CSO Online.

Although it’s not strictly a privacy issue, she points to cheap storage creating a real threat for organizations’ data protection. It has led organizations to become less rigorous about getting rid of stuff. “They keep everything and so when there’s a breach, there’s information on people they haven’t interacted with for 10 years, or they have sensitive information they should have destroyed,” she says.

Pitfalls of data-protection and privacy regulations

When it comes to the focus of privacy policies, there’s a divergence between the direction regulations are going and what consumers actually want, Wugmeister says. She sees the laws moving toward more detailed disclosures to individuals and more focused on individual choice. “I don’t think consumers care about most of what’s in a privacy policy. They don’t really want choice. They want their information not to be misused. They want their information to be protected, and they don’t want to be surprised,” she says.

But the way the regulations are implemented can overwhelm consumers, Wugmeister says. “More organizations are supposed to list every single service provider with whom they share information. It’s just overly bureaucratic on companies and completely unhelpful to the consumers. We’re seeing that across the globe; it’s not unique to any region.”

Another big challenge is the divergence among the privacy laws. “Every single privacy law is based on the same set of core principles: notice, choice, access and correction, supervision of service providers, and data security. To a large extent, it’s possible to create a privacy program and build products that will take into account these core principles,” she says. However, as each law becomes more detailed and more bureaucratic, it becomes harder to build consistency and to build programs that really do protect privacy using those same set of core principles.

“We need to return to the core principles, as opposed to just ratcheting up requirements or just matching what another country is doing,” Wugmeister says. “Trying to make things stricter and stricter, for example, isn’t necessarily helpful. It can create a patchwork of different regimes that is not actually privacy-enhancing.”

Wugmeister also warns that data localization, a.k.a. data sovereignty — moving data from centralized databases to spreading it across multiple locations, to provide greater local control over that data and discourage it being held outside a country’s reach — is emerging as new requirements in some countries. More than 100 countries have this requirement, and India is considering it. “If you’re going to move to data localization, you’re going to go back to having lots of servers in lots of different places. And then the question is, ‘How will those be kept in a secure way?’”

Data localization also carries another risk, she says: “Companies keep data in their country so that regulators have access to it. So is that really about privacy or is that about nationalism? Privacy laws can get used and interpreted to accomplish other goals.” China, for example, has the world’s strongest data-localization requirements.

An international treaty on data privacy may be needed

Although GDPR has become a kind of global yardstick — and for good reasons — UNSW Sydney’s Greenleaf argues that a more uniform and binding framework would be helpful. An international treaty could offer some much-needed consistency for organizations dealing with different country regimes and create a genuine reference point to gauge the relative strength and weaknesses of various regimes.

Greenleaf points to the original Council of Europe Convention 108 from the 1980s that could be developed and extended to be a global benchmark. “It’s the only actual international treaty in relation to data privacy, whereas GDPR is not a treaty,” he says.

With Convention 108, countries sign up voluntarily and commit themselves to observe its principles and allow the free flow of personal data to other countries that are parties to it. As an open treaty, any country whose laws meet its standards can apply to become a party to it. “There have been eight countries outside Europe that are parties to it, and all of them at this stage are located in either Africa or Latin America,” Greenleaf says.

Greenleaf says that, instead of starting with an entirely new convention with no existing signatories, it’s better to expand Convention 108, which is a moderate version of the GDPR and has 55 parties already, including many of the world’s most advanced economies.

Related articles

• CSO’s ultimate guide to security and privacy laws, regulations, and compliance
• General Data Protection Regulation: GDPR requirements, deadlines, and facts
• The state of privacy regulations across Asia
• China’s PIPL privacy law imposes new data-handling requirements
• What every Canadian CISO needs to know about data sovereignty
• CPRA explained: New California privacy law ramps up restrictions on data use
• What CISOs need to know about Australia’s consumer data right
• What will the Australian privacy law review deliver?
• What CISOs must know about the New Zealand Privacy Act in practice
• How UAE’s new data law will change the way enterprises use personal data
• 5 things for African CIOs to do in the vacuum of data privacy laws
• Data sovereignty laws place new burdens on CISOs
• Data-residency laws pushing companies toward residency as a service