Nations around the world are scrambling to update their data legislation to bring it into line with Europe’s tough new privacy and data protection law, the General Data Protection Regulation (GDPR).
Under GDPR’s strict requirements, any business globally that sells to or targets European Union consumers will need to comply with the new law, wherever that business is based. The EU is effectively making GDPR a global benchmark for privacy regulation. Countries with data legislation that fails to match GDPR’s requirements could find themselves shut out of the European market. There is one big exception to this: the United States, which has a very different approach to data protection.
“GDPR is interesting because it is the first time that the EU is exporting regulation,” says Rashmi Knowles, chief technology officer at RSA Security. “In the past, everything created by the EU applied to the EU. Now we have this regulation, but it is going to apply globally. If anybody wants to use the data of EU citizens or consumers, they have to comply, so it is exporting privacy rules to other countries.”
Multinational companies adopting GDPR across worldwide operations
This is causing panic among companies outside the EU, according to Eduardo Ustaran, a partner at law firm Hogan Lovells. He says multinational companies are adopting GDPR standards across their worldwide operations. “That means that irrespective of where in the world that data is being collected, used and analysed, it is being used as if all the data is coming from Europe,” says Mr Ustaran.
“Because GDPR is having so much prominence in what organisations around the world are doing to meet data protection requirements, it is becoming the de facto global legal framework.”
He says national governments are updating their data legislation to mirror GDPR. His team drafted the new data protection law for Bermuda as the state sought to ensure that its local businesses, particularly insurance, could comply with European laws.
“I’ve been working in countries in Africa such as Ghana building up the laws in this area for the same reason. A lot of developing economies are looking at technology as a sector they wish to foster and this law is very aligned with that aim,” Mr Ustaran adds.
There is mounting pressure on businesses to decide how to implement GDPR globally. Facebook recently said it was ready for GDPR in Europe, but there was uproar from other users demanding similar protection. Facebook then said it would apply the rules of GDPR to all users whether EU citizens or not.
“That is the first domino that will ripple across companies that have mixed user-bases and countries,” says Perry Krug, principal architect at database company Couchbase. “Why would they bother making up different rules if they already have a reasonable benchmark in GDPR that is already very public and is already being adopted?”
Non-EU countries introducing GDPR-compliant legislation
Many other governments are attempting to introduce privacy legislation that complies with GDPR to enable their businesses to trade more easily with European markets.
Japan has been following developments closely and is looking to make its data laws compatible with European legislation, says Data Protection Network chairman Robert Bond, a partner at legal firm Bristows.
Under EU data adequacy rules, businesses cannot transfer personal data outside the European Union to another country unless its data legislation is deemed to be “essentially equivalent” to European data laws. The alternative is to create a complex contract that protects EU individuals or puts them on an equal footing to local citizens.
Over the years, the EU has given its blessing to the data laws of 12 territories, including Argentina, New Zealand, Israel, the Channel Islands and Isle of Man. Most nations are not considered to have adequate data laws, whether Japan, South Korea, Russia or South Africa.
But with the stringent demands of GDPR, more countries such as Japan are trying to gain data adequacy status. Mr Bond gives the example of Singapore, which has a growing digital economy, with call centres, server farms, digital marketing and advertising technology.
“Their regulators have been following GDPR to make sure they are not disadvantaged in the brave new world,” he says. “When you look at GDPR, it says that you can’t transfer data to another part of the world that isn’t deemed to have adequate protections for the rights of individuals or a decent law.
“In Singapore, they are thinking ‘Well we need to get our law in line because currently we are not approved by the EU as a safe place for the data to go to, so it means all our businesses have to jump through the hoops of having all these contracts’.”
Many countries holding fire to see how GDPR works before implementing
Meanwhile, South Africa has a new data privacy law which Mr Bond says is modelled on European legislation.
But according to Scott Bancroft, chief information security officer for technology consultancy Capco, many countries will wait to see how GDPR works in practice before moving to adopt it in their own legislation. “There are a few potential blocks to that such as cost and complexity; it may not work so well in low-cost countries and emerging markets,” he says.
There are still many questions about how GDPR will work and he expects legal test cases, especially in the US, while there is likely to be further guidance from the European Commission about the working of the legislation. Although some countries might adopt the legislation, others are more likely to adapt it.
“Smaller emerging-market countries are less likely to want to add that level of legislation, compliance and expense to what is not such a big economy and may not be badly affected by not holding that data,” says Mr Bancroft.
Harmonising data protection laws across the world will in theory make it easier to do business in the global marketplace. The EU is using its sheer size and market power to make it hard for other countries to resist the pull of GDPR.