Tim Stevens
Friday, May 15, 2020

The Global Expansion of Data Privacy Rules

EU privacy rules are the strictest in the world – now other countries are following suit.

When the EU’s General Data Protection Regulation (GDPR) came into effect, it replaced previous law from 1995 and strengthened consumer rights while making data protection law consistent across all EU countries. It also made businesses more accountable to those whose data they collect, with much more stringent penalties for non-compliance.

When the new regulation came into effect in May 2018, it gave the European Union the world’s strictest rules concerning data privacy. GDPR is also leading the way, in that other nations are now (albeit slowly) starting to follow its lead. There’s certainly a firm hope that GDPR will set a ‘gold standard’ for other jurisdictions.

While many of the latest changes relate to consumer data, it’s likely that similar updates for the laws surrounding B2B will soon follow, and so all these changes should be noted. Below, we give some examples of parts of the world that are upgrading their data laws.

In April 2020, the UK data regulator the ICO said it would adopt a ‘lighter touch’ to investigations and fines in view of the Covid-19 crisis. Organisations found to have breached the rules may be given more time to put things right if they can prove they’ve been affected by the pandemic.

Data privacy around the world

GDPR set in motion a wave of privacy policies worldwide.

In the US, data privacy regulations vary from state to state. There is no overarching US consumer data privacy law, meaning all action so far has been at state level, although there have been calls for a single, federal data policy.

The California Consumer Privacy Act (CCPA) is a major new data privacy law which applies to some businesses that collect personal information from that state and comes into effect on January 1 2020.

The CCPA was passed a little more than a month after GDPR, and gives state residents the right to know what personal information is being gathered about them, to say no to the sale of personal data, and to know whether their personal data is sold or disclosed, and, if so, who to. Equally, Californians have the right to access personal data, without fear of discrimination for doing so. They can also ask a business to delete personal information.

Meanwhile, in Washington, Senate Democrats are putting forward broad federal data privacy legislation that would allow people to see the information organisations have gathered about them, and demand its deletion. It’s likely to face challenges from both the Republican-controlled Senate and the tech industry. Called the Consumer Online Privacy Rights Act, the bill is similar to the CCPA. And, so far, the Washington Privacy Act has twice failed to become law.

In New York, the SHIELD Security Act, which has already taken effect, expands current law on data security and adds to the section on breach notifications and updating definitions, while adding new cybersecurity rules. At the same time, New Jersey is considering heightened data security and privacy obligations.

Additionally, the EU and US have adopted the EU-US Privacy Shield Framework, providing European and American organisations with a mechanism for complying with EU data protection rules when personal data is being transferred from the EU to the US.

Elsewhere in the world:

In Africa, 19 nations have enacted data protection and privacy laws, including South Africa, while six have draft legislation including Kenya, Zimbabwe and Nigeria. The African Union adopted a progressive convention on personal data protection five years ago.

In Australia, the government has amended the 1988 Australia Privacy Act to incorporate compulsory breach notification requirements. New Zealand also has data protection legislation.

Across Asia, 15 nations, including China, India, Hong Kong, Japan and the UAE, have laws in this area, while four are drafting them.

In Brazil, the world’s fourth biggest internet market, the Brazilian General Data Protection Law, dubbed Brazil’s GDPR, comes into force in mid-August 2020. Closely modelled on GDPR, its 65 points offer people a streamlined set of rights, related specifically to different industries. All organisations must appoint a Data Protection Officer.

This global rise in data protection laws shows the issue’s increasing importance internationally. However, it’s true that more still needs to be done, especially across continents, with greater harmonisation to ensure a more coherent worldwide policy and reduce confusion when issues arise between countries. And with many countries still without any data protection laws at all, it could be naïve to assume that the whole world will be adopting the EU’s ‘gold standard’ immediately.

But, these days, security breaches clearly attract wide publicity, and consumers are increasingly aware of what happens to their data. In 2016, more than half (57%) of consumers globally said they were more worried about online privacy than they were two years earlier, according to a study from the Centre for Internet Governance Innovation and Ipsos.

So organisations are rightfully much more aware of these matters and how they handle data generally. And it’s important to be aware of and compliant with not just changing EU legislation, but the many B2B data rules that have been updated across the world.

At i-4business, we only supply data that’s 100% accurate and fully compliant with all legislation. To book your free data trial and audit, please get in touch with one of the i-4business team today.

Editor's Note: This post was originally published in November 2019 but has been updated to better reflect the changed B2B market as a result of the Covid-19 Pandemic.