Data privacy, a concept that has been brewing for many decades, was thrust to the main stage with one of the largest global economies—the EU accounts for approximately 15% of international trade—adopting a robust and extensive data protection regulation with presumably real bite.
Three years into a post-GDPR world, how has the GDPR impacted privacy? And how will the GDPR continue to influence the global dialogue and approach to privacy?
A look at the last three years
First, one of the main impacts of the GDPR is the force with which it has caused both businesses and other legislatures to stand up and take notice of privacy—some for the first time. Take, for example, the United States. Privacy law in the U.S. is heavily focused on privacy vis-a-vis the state, with much of jurisprudence reliant on the Fourth Amendment of the U.S. Constitution and a citizen's "reasonable expectation of privacy." The concept of privacy vis-a-vis a private entity rests more in the abstract and theoretical, and prior to the GDPR, there was not significant guidance on the practical ways to address privacy concerns for individuals. While the Federal Trade Commission (FTC) does provide some protections under the FTC Act, Section 5, "unfair and deceptive trade practice," privacy is not addressed head on.
The GDPR changed the privacy conversation within the U.S., garnering legislative attention, both at the state and federal level, on whether the U.S. should consider similar laws focused on privacy protections within the private sector. California led the charge, adopting the California Consumer Privacy Act of 2018 (CCPA), followed by revisions to the CCPA in November 2020 with the ballot initiative, the California Privacy Rights Act (CPRA). The CCPA, as amended by the CPRA, provides for the California Privacy Protection Agency (CalPPA), a data protection enforcement agency mirrored after the GDPR Supervisory Authorities in each EU Member State. Further, the CCPA/CPRA incorporates data privacy rights analogous to the GDPR.
Since the adoption of the GDPR, followed by the CCPA, a number of other U.S. states have passed, or at least considered more seriously than ever before, broader data privacy legislation. For example, Virginia passed the Virginia Consumer Data Protection Act (CDPA) in March 2021, which again borrows heavily from the GDPR. The Virginia CDPA aligns with the GDPR in many ways, including the use of the terms "controller" and "processor," the express limitations on data usage, and the various data privacy rights provided to data subjects. It does diverge, and take somewhat of a U.S. legislative approach, but the influence of the GDPR is hard to mistake.
While several other states continue to grapple with data privacy, and how best to address it within state law, the federal government has also begun to weigh in on the privacy conversation. The unanswered question is whether the U.S. federal government will adopt a law similar to the GDPR. And, while there is no clear answer, since the GDPR went into effect, the dialogue at the national level has certainly increased, and several laws have been proposed that would address privacy beyond the discrete areas in which privacy protections already exist at the federal level (i.e., HIPAA, GLBA, etc.). To be sure, in the last two Congressional Sessions (2019-2020 and 2021-2022), dozens of privacy laws have been introduced, ranging from digital privacy to public health emergency privacy to address the pandemic, and so on. Some of these proposals align with the GDPR (using terminology like "controller" and "processor"), but others diverge and take a less European approach to privacy. However, regardless of the approach, they all heavily stem from the EU's influence on the global privacy conversation.
The above only outlines the impact of the GDPR within the U.S. Globally, the GDPR is dominating the privacy conversation. Almost every region of the world is now addressing privacy within its legislation. Some, like Brazil, are adopting the GDPR almost verbatim within their national legislation. Additionally, the following countries are in the process of revising their national data privacy laws to align more with the GDPR approach: Canada, Australia, and Japan. There are additional regions updating/revising their laws, as well (the Middle East, China, etc.).
All of these changes point to the real and lasting influence of the GDPR on the global privacy conversation. These legislative changes have resulted in businesses of all sizes, across a variety of industries, creating privacy compliance programs to address the GDPR and its many requirements. So much of privacy compliance rests in both knowledge of the personal data collected by the business and then proactively incorporating privacy within any business operations that include that personal data. For many businesses, the GDPR, and these follow-on laws across the globe, have required the creation of new compliance programs, employee training, and, most importantly, a cultural shift to more privacy-aware business operations. All of this can feel daunting and lofty for businesses and take time to implement and embrace.
Given the global impact of the GDPR in just these first three years, it is important to be forward-thinking about the next phase of privacy, and the continued impact of the GDPR going forward. In some ways, the rollout and corresponding enforcement of the GDPR has felt slow, with investigations taking months and fines slow to be issued. However, seeing all that has been accomplished, both by the regulators and by companies, to understand the GDPR and all that it requires, in some ways the law has made a fast and lasting impact.
So, what do the next three years likely hold?
As Data Protection Authorities across each Member State in the EU gain more robust and effective teams, enforcement of the GDPR will likely increase and become more sophisticated. For example, this spring, the Commission nationale de l'informatique et des libertés (CNIL), the French Data Protection Authority, announced that it will begin conducting audits of websites to determine if a website complies with the CNIL's guidance on web cookies. While the first three years of enforcement were the result of either data subject complaints or privacy breaches, Data Protection Authorities are now starting to be more proactive and going out to companies to determine GDPR compliance. This practice is only anticipated to grow in the coming years.
Additionally, the use of the private right of action, and also the concept of class actions, to privately enforce the GDPR is only anticipated to grow. While the EU legal systems historically have not been very litigious, the GDPR has provided a platform for individuals to assert their rights against companies in court. And there are many privacy advocates that are using these mechanisms to push the GDPR to the forefront for courts. Max Schrems, with his non-governmental organization None Of Your Business (NOYB), is one of the most well-known advocates in this space. But cases are increasingly also filed by individuals seeking to redress GDPR harms and obtain damages for those harms. Lawsuits, and the impact of those lawsuits on the interpretation of the GDPR, will likely continue to grow in the coming years.
Finally, the coming months and years will undoubtedly see a continued discussion between the Data Protection Authorities around methods to collaborate and maximize the efforts made by each to enforce the GDPR. The one-stop-shop method under the GDPR encourages this approach, with one authority taking the lead on an action, even if there are cross-border implications. In fact, this approach was supported by the Court of Justice of the European Union's Advocate General Michal Bobek in his opinion in Case C-645/19, Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority. However, the practicalities of how this operates, and the collaboration between the authorities, will continue to be worked on throughout the next few years.
The GDPR, and global data privacy, is here to stay
The GDPR created an interesting and dynamic past three years. For many companies, the GDPR is the first journey into privacy and security, and it has created a sometimes steep learning curve. The GDPR requires both privacy-oriented processes and documentation to demonstrate how compliance is achieved. Addressing both is only going to become increasingly important as more jurisdictions follow, or at least consider following, a more European approach to privacy.
However, in the coming years, the GDPR will likely not be the only law driving the international privacy conversation. California continues to dominate from the U.S., and more countries are beginning to address and adopt varying privacy protections. While the influence of the GDPR can be seen in many of these laws, it is by no means the only approach to privacy. And, with more jurisdictions weighing in, the global privacy legal frameworks may add more complexity to the creation of global compliance programs. While the GDPR still dominates, the next three years will be about understanding how the GDPR requirements relate to other jurisdictions, and where synergies that allow companies to create globally compliant programs can be found and harnessed.