With the GDPR firmly embedded in our company compliance programs, we might not have realized that it has not just changed our companies’ approach towards processing of personal data, but that it has also had a major impact on global privacy legislation. It has inspired similar approaches towards rights and safeguards of individuals’ privacy rights globally, but just as importantly: its extra-territorial scope is a big step in escalating the global shift towards digital protectionism and even stoke a global trade war of sorts whose global impact we are witnessing.
GDPR has brought along new, stricter requirements that must be complied with not only by the companies established under the EU laws, but by any company that wishes to provide goods and services to EU customers or monitor them – which spells global reach.
In fact, while the notion of additional requirements and sometimes barriers to international personal data flows is certainly not novel, it has been gaining major traction among legislators in the last decade. Some lawmakers may be motivated by their concern about privacy rights of their residents, others may be focused on ensuring better enforcement and cybersecurity for their citizens’ data wherever it flows. There may however also be motivations to establish barriers for global companies entering domestic markets, or to control and censor online media.
Whatever the legislators’ motivations may be, regulating use of personal data and its flows certainly is a tempting instrument: contribution of data flows to global GDP has already several years ago surpassed that of physical goods trade.[1] The global economy is becoming more information and data-driven, with even heavy industries and logistics relying on data much more for the future of their business. We have seen the truth of the statement that the data is becoming a key for businesses these days – this trend is already recognized as ‘information economy’ or ‘data capitalism’ with consumer-centric tech giants paving the way for the rest of the businesses to follow.[2] If economies are now based more on data, then the control of it is strategically more important too.
So, with the GDPR in mind, from the perspective of a non-EU government, it is quite inconvenient and surprising that despite your country’s sovereignty, the EU dictates quite detailed requirements as to how your domestic businesses should conduct their operations. And what’s more, the EU looks to you to help with the enforcement – unless you want to put up with additional restrictions to trade in the form of revoked or missing adequacy decisions etc.
While China and Russia have been sporting digital protectionism and extraterritorial limitations for some time already, the GDPR has caused a domino effect of new global privacy laws with similar extraterritorial outreach and some form of restrictions on international data flows.
California has adopted its (GDPR-inspired[3]) Consumer Privacy Act[4] (CCPA) protecting resident consumers against businesses from everywhere in the world. While probably winning an unofficial competition for the fastest legislative process, California has also struck fear among the tech companies that each U.S. state will come up with its own interpretation of new privacy obligations applicable to foreign businesses (Imagine a ‘do not sell my personal information’ link with 50 U.S. variations). As a result, we see companies like Intel drafting their own U.S. Federal Privacy Bill[5] and straining to get ahead of the curve.
It is not just the EU and U.S. that are now raising the bar with their privacy laws: Brazil has enacted new General Data Protection Law (‘LGPD’)[6], while Argentina and India just recently proposed new GDPR-reminiscent Privacy Bills[7] with very similar exterritorial limitations on personal data use and international data transfers[8].
With the EU making its big move with the GDPR, it is probably natural that countries globally try to instate their own rules on how to handle personal data upon the companies (and states) in the EU and beyond. [9] It is therefore not a stretch to say, that the GDPR has escalated a new form of global trade war, where instead of tariffs and taxes, we see privacy laws and mutual country adequacy decisions as weapons of choice.
As a result, we are witnesses (and often unwilling participants) to the recent very dynamic development in the privacy field. We can see exponential growth of obligations and restrictions related to processing of personal data that is happening worldwide, no longer just in the EU. Very much like with trade tariffs and taxes on goods, privacy legislation has evolved beyond just protecting personal data during international transfers into another instrument significantly affecting global trade. Obligations and restrictions on handling of personal data of certain country’s citizens and on transferring such data outside a given state are increasing and spreading worldwide with unprecedented speed.
The common denominator for these laws is that in pursuit of better safeguards and protection for their residents’ personal information, the countries enact their version of privacy laws and obligations that again stretches out exterritorialy, potentially binding for any company in the world.
[1] https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows
[2] https://www.ft.com/content/6c6c730e-3298-11e8-ac48-10c6fdc22f03
[3] https://www.exchangewire.com/blog/2018/09/04/how-the-california-consumer-privacy-act-aims-to-put-an-end-to-the-data-wild-west/
[4] Official text of the Act: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
[5] https://usprivacybill.intel.com/
[6]Text of the Act (in Portuguese): http://legis.senado.leg.br/legislacao/ListaTextoSigen.action?norma=27457334&id=27457354&idBinario=27457731&mime=application/rtf
OneTrust PrivacyPedia summary of the Act: https://www.privacypedia.org/laws/brazilian-general-data-protection-law/
[7] Argentina: https://iapp.org/news/a/argentinas-new-bill-on-personal-data-protection/ or https://globaldatareview.com/article/1174716/argentina-set-to-pass-new-data-protection-law
Text of the Argentinian Bill (in ESP): https://www.argentina.gob.ar/sites/default/files/mensaje_ndeg_147-2018_datos_personales.pdf
India: https://iapp.org/news/a/understanding-indias-draft-data-protection-bill/ or https://www.forbes.com/sites/sindhujabalaji/2018/08/03/india-finally-has-a-data-privacy-framework-what-does-it-mean-for-its-billion-dollar-tech-industry/#3e51d49670fe
Text of the Indian Bill: http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[8] Furthermore, Vietnam is planning to enforce its strict Cybersecurity law alongside with China and Russia already enforcing their own strict data localization and compliance requirements.
[9] Global list of countries with emerging or debated privacy laws updates includes: U.S., Brazil, Argentina, India, Japan, Barbados, Egypt, Morocco et al. https://iapp.org/news/privacy-tracker/
