2016 has been a busy year so far for privacy lawmakers and regulators as they strive to keep up with the rapid pace of innovation in the information economy. So far, we have seen the approval of a new framework for transferring data from the EU to the US (the Privacy Shield); adoption of the new General Data Protection Regulation (GDPR); the passing of the Network and Information Security Directive; and the announcement of a review of the ePrivacy Directive.
In other words, we have witnessed a complete overhaul of the privacy and cybersecurity landscape in Europe and we’re only just bidding farewell to the summer. Outside of Europe, Turkey and Brazil have both announced new data protection laws and China has taken further steps to introduce its long-awaited law on cybersecurity. The regulatory landscape for the use of data is simultaneously expanding and becoming more complex.
The EU’s data protection laws are already some of the most comprehensive and restrictive in the world when it comes to the use of an individual’s data. The GDPR extends these even further by giving consumers new rights such as the “right to be forgotten” or the right to “port” data. Businesses are also under more onerous obligations, but the headline grabber is the introduction of fines of up to €20 million or 4% of a group’s annual worldwide turnover (whichever is higher) for serious data breaches.
What’s more, the EU is exporting its data protection rules globally as both GDPR and the proposed amendments to ePrivacy legislation are intended to apply to all businesses that collect, store or process data about EU residents, regardless of where in the world they might be located. Without doubt, this is particularly aimed at Silicon Valley companies and designed to level the playing field, ensuring the providers of web-based services that target Europe are subject to the same rules as European companies. As privacy laws increasingly start to ignore geographical boundaries and data businesses become more global, companies will need to consider how they adopt a strategy for complying with tougher rules while offering the same service and a coherent user experience in multiple countries.
The last few years have seen an expansion across the world of data privacy laws modelled on the EU approach. Alongside the eleven countries or territories already recognised by the European Commission as providing adequate data protection, there have been several new entrants on the scene as South Korea, India, Hong Kong, Singapore, South Africa, Japan, Turkey and Brazil have either amended or introduced new comprehensive data protection laws that mirror the EU’s principles. China’s conspicuous absence from this list may also be temporary, as the draft PRC Cyber-security Law, which introduces wide-ranging provisions for cyber-security, data anonymisation and data retention, had its second reading in July 2016.
Given these trends, companies are considering building their products and services to the standards required by GDPR. If the goal is to provide a single service or product across multiple countries, the way to mitigate legal risks of doing business in so many countries is to build these services or products to the highest standards.
The question of where a post-Brexit UK might fit into the data protection regulatory landscape is, as with anything Brexit related, currently still unclear. Although the UK has traditionally angled for a “lighter touch” approach to privacy regulation within the EU, if UK businesses expect to continue to offer goods and services to the internal market or operate on a global basis, they will need to comply with the GDPR regardless of where they base their operations.
A more pertinent consideration would be what the future of data protection in a post-Brexit EU will look like without the tempering influence of the UK in drafting and policy discussions. Major changes to the GDPR are unlikely to be forthcoming any time soon, but it is possible that, without the UK present or with a UK delegation taking a back seat during discussions, negotiations for the new ePrivacy Directive will result in a more prescriptive or onerous approach by the European Commission.
With a post-UK EU leading the way in standards of privacy regulation globally, we are likely to see a continued trend towards introducing increasingly stringent rules. Businesses must be ready to adjust their practices accordingly, or face the not-so-light-touch consequences.