#GDPR and data privacy: a legislative world tour

Though the regulation applies to companies that target European citizens, its influence is visible far beyond the borders of the EU, extending to Argentina, Brazil, India, and even China. New cybersecurity and data privacy laws are being drafted all around the world, and deepening the debate. But the economic, legislative, and philosophical foundations vary hugely from country to country, ranging from American liberalism to Chinese centralism. So, what do we need to know about protecting personal data outside of Europe?

The United States: caught between liberalism and interventionism

While the GDPR was about to be implemented across Europe, the US Congress was making a radical change by passing a March 2018 law called the Cloud Act (Clarifying Lawful Overseas Use of Data). The law allows the US government to obtain foreign data, using operators and Internet service providers. Access is restricted, however, to legal proceedings.

Since the GDPR was implemented, many American publishers have also tried to limit their exposure to the law, by blocking access to their services to users located in the EU (temporarily or otherwise) as a “precaution”. Even some media outlets have blocked access to their content, such as the Los Angeles Times, New York Daily News, and US Magazine. The website dataverifiedjoseph.com lists sites that are blocked in the EU.

According to American website Axios, however, discussions are underway at the White House regarding a privacy protection law. In April 2018, Facebook CEO Mark Zuckerberg testified before the US Congress regarding the Cambridge Analytica scandal. When the personal data of some 87 million users was exploited without their knowledge, all Americans (and elected officials) realized the importance of data protection.

In June 2018, California led the way by announcing a law to protect its citizens’ personal data from 2020 onwards, requiring companies to specify what kinds of data they collect on clients : “California Consumer Privacy Act”. Apple CEO Tim Cook saluted this effort during the International Conference of Data Protection and Privacy Commissioners in Brussels in October 2018. This law is the first step towards stricter regulation for data collection, directly inspired by Europe’s GDPR, even if its approach seems more flexible. Indeed, as French journalist Elisa Braun says, “web giants failed to prevent California from passing the law”. They hope that Washington will adopt a more lenient federal law which would supersede the Californian legislature. According to Amazon’s lawyer Andrew DeVore in early September, this could lead to a regulations “patchwork”, where each American state would create its own privacy frame. If web giants manage to create an alliance with telecommunication operators, the birth of strict privacy regulation in the United States would be less likely.

Asia following in Europe’s footsteps

Industry players based in Asia are already faced with handling a variety of local laws on personal data protection. The good news is that some of the principles laid out by the GDPR are similar to local laws ( DPO in the Philippines, Hong Kong Basic Law), so this isn’t a huge revolution for companies that already have an established data governance structure in place. Here are a few examples:

• Personal Data Protection Commission in Singapore
• Privacy Commissioner for Personal Data in Hong Kong
• Personal Information Protection Commission in Japan
• National Privacy Commission in the Philippines

Lastly, China remains an unusual case (and how!). In June 2017, the new cybersecurity law came into effect across the country. The law strictly limits collecting, transferring, and otherwise exploiting personal information, by imposing principles of “legality, rightfulness, and necessity.” In addition, any “important” or personal data must be stored on local servers on Chinese territory. Paradoxically, before the upcoming implementation of China’s “social credit” system, which will rate citizens’ reputations, personal data is becoming a way to better manage societal governance – a type of “mass surveillance tool” (more info here). So the Chinese government – known for its interventionist practices – protects its citizens’ personal data… But maintains the right to use it!

Should the GDPR be considered an inspiration for the rest of the world? Whatever the answer, the regulation is drumming up some serious conversation, and has given rise to a worldwide movement – even if interpretations differ.