Data privacy is a human right. Consumers demanded their governments take action in protecting their privacy and finally, governments started listening. Europe was the first and jump-started this global trend of keeping data safe and regulated. They began by enforcing the General Data Protection Regulation (GDPR) in May 2018, which significantly increased the protection of people’s online data rights.
GDPR, which applies to any business that operates in the European Union, enshrines into law that personal information, including names, addresses, social security numbers and photos, cannot be used in ways that violate an individual’s privacy. This means companies must inform their users how they are using this information, and gives users the right to opt out of services. It also grants people a “right to be forgotten,” meaning companies must delete the requestor’s information. Since the implementation of GDPR, there have been thousands of violations of these principles that resulted in high penalties. According to a recent analysis, authorities have rapidly increased GDPR enforcement activities, with 190 fines and penalties as of early February. In 2019, fines for violating various regulations totaled more than $1.45 billion.
Meanwhile, the U.S. has significantly lagged behind. While GDPR provides blanket coverage to all EU members, California is the only state that offers similar protections to its consumers. The California Consumer Privacy Act (CCPA), inspired by GDPR, went into effect on Jan. 1 of this year, and subjects companies to fines of up to $7,500 for each violation.
As data regulations surge across the globe, our team formulated a Global Data Residency Regulation Report in which we analyzed 128 countries with specific laws around profile, finance, health, employee and payment data. In our report, we found that among all the countries, the U.S. ranks in the middle – below nations like India and South Korea. Our analysis took into consideration research on numerous regional data protections, regulatory frameworks and key differentiators, such as the presence of data protection agencies, as well as expert viewpoints and customer experiences. Each factor was ranked on a score between 1 and 10.
At the top of the rankings are China and Russia. Both countries operate their own versions of the internet and have strict laws around the commercial availability, transfer and exchange of data. Consent is required for the collection of any personal data. Both countries, however, enforce intense levels of government surveillance on their own citizens.
The rest of the top of the list is dominated by EU countries, which have scores between 7 and 7.5. Ranked alongside these GDPR-regulated countries are Australia, New Zealand, Switzerland and Canada, which have their own laws requiring consent around user data. Across the world, more than 107 countries have implemented data privacy and protection laws.
At the bottom of the list is Brazil, which currently lacks any protection around data collection and storage, but that will change this year. In August, the world’s sixth most populous country will implement the Lei Geral de Proteção de Dados Pessoais (General Data Privacy Law or LGPD), which is similar to GDPR. Second to last is Trinidad and Tobago, which passed its Data Protection Act in 2011 but has yet to implement it fully.
The U.S. only has a score of 3.9 because it has no federal law around data consent. Its only two federal laws around the internet are limited in scope. First, there’s the Children’s Online Privacy Protection Act (COPPA), which imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and for those knowingly collecting personal information from children under 13. The other is HIPAA, which along with HITECH, establishes national standards for the protection of certain health information.
But the U.S. may soon join the ranks of Europe and Brazil. Sen. Kirsten Gillibrand of New York has written a bill, the Data Protection Act, that would establish a federal agency to enforce data protection across the country. One of the core tenets of the senator’s bill is to “give Americans control and protection over their own data.” If passed, Americans would finally be assured that their data is protected, joining the more than 100 countries that have passed laws protecting people online.
Laws such as GDPR and CCPA haven’t existed for long, but they’re a clear indication of where the world is headed. Protecting user data will no longer be just a nice-to-have feature, but a requirement for all businesses going forward, as well as a customer expectation. Even if their municipality doesn’t require it now, companies, no matter their size, would be wise to make the investment in privacy.
Tell us: Do you believe the protections afforded by these regulations do enough to protect consumers online? What can enterprises do to comply with these regulations?