It is an essential principle of the law not only in the United States of America but throughout a multitude of nations globally that an individual has the superior right to his/her personal property. Whether it be a car, a coat or a television, an individual who owns that item also owns various legal rights attendant to that item. The right to exclude people from using one’s property, the right to permit others to use one’s property, and the right to alienate or otherwise to control one’s property are merely a few of the rights associated with personal property in nearly all legal systems throughout the world. The law, however, has been slow in many respects to account for the most unique, personal variety of personal property which is our personal information.
That lack of legal authority concerning ownership of personal information has changed significantly with the recent enactment of the General Data Protection Regulation (the “GDPR”) in the European Union (the “EU”). In a broad sense, the GDPR has given EU residents power over their personal information. The GDPR bill, which was passed in 2016 and took effect in May of 2018, grants EU residents substantial rights with regard to their personal information. Those rights include:
- Right to be forgotten;
- Right to access; and
- Right to data portability.
Those rights listed above afford EU residents the ability to have their personal information erased, disclosed, or transferred by a company who possesses, has control, or otherwise processes that information. The GDPR also places a heavy burden on companies engaged in the collection, maintenance, and use of personal information.
The GDPR has been a topic of controversy due to the ambiguity surrounding its scope and whether the EU will be able to exercise extraterritorial jurisdiction based on the obligations outlined in the GDPR applying to personal information of all EU residents, notwithstanding where those EU residents might be located at any given time (Example: an EU resident/student studying abroad for a semester in the United States who provides his/her personal information to an American retailer on a trip to the mall). While there is significant validity to that argument that the EU does not have the power to burden companies in non-member countries located on the other side of the globe, that does not reduce the necessity for companies across the world to take note and to address GDPR compliance in the near term. That is especially the case because the GDPR, while wide reaching itself under its express provisions, has sparked the introduction and passage of many laws around the globe concerning data privacy regulation. These policies resemblance to the GDPR displays that the GDPR has set the standard for what data privacy regulation and compliance will be moving forward.
One example of the GDPR’s influence in the United States is the California Consumer Privacy Act (the “CCPA”). The CCPA was passed in June of 2018 and is tentatively set to take effect in January of 2020. Similar to the GDPR, the CCPA is intended to require significantly increased transparency between consumers and the companies that receive, maintain, and use their data. The CCPA creates similar rights for consumers such as the right to access and the right to be forgotten. The CCPA also places similar burdens upon data-collecting companies, such as providing reasonable security procedures, obtaining consent for the collection and use of personal information, and providing policies in plain English. The fines under the CCPA are also similarly large, which will encourage companies to comply.
Beyond that, there is another similar data privacy bill in the formulation process in India right now. In July of 2018, India’s Committee of Experts released the first draft of that bill to the public. The bill includes the right to access, the right to data portability, and the right to be forgotten for consumers. The bill also requires companies to hire a DPO and will levy severe fines against data collecting companies for non-compliance. There is another common theme through the GDPR, the CCPA, and the new, potential data privacy bill in India, which is the applicability of all three statutes to the personal data of consumers who are residents of those three jurisdictions no matter where such residents might be located throughout the world.
The CCPA and India’s data privacy bill are two examples of legislation influenced by the GDPR, but they are not the only data privacy regulations that have been introduced or passed following the enactment of the GDPR. In recent news, Oregon Senator Ron Wyden introduced the United States Consumer Data Protection Act (the “USCDPA”), which is intended to regulate data privacy on a federal level. In addition, the Brazilian government recently passed its own General Data Protection Law, which will take effect in February of 2020.
The trend of stricter data privacy regulation is only beginning. Over the next few years, data privacy bills almost certainly will continue to proliferate around the world. The legislation that has been introduced following the GDPR derives key concepts and elements from the GDPR, and that is a trend tha tis likely to continue as well. While companies may feel that the GDPR does not apply to them right now or that the EU lacks jurisdiction to enforce the law against them as presently situated, it is wise for all companies to consider becoming GDPR compliant, if only for the purpose of positioning themselves to comply with future data privacy regulations or to participate in our increasingly global economy.
The GDPR has set the bar and the world is following suit. Until one or more courts render precedential opinions discussing whether the EU can exercise extraterritorial jurisdiction, companies must acknowledge their potential exposure to its requirements. Even if the EU were unable to exercise that jurisdiction, companies should be pursuing compliance due to the inevitability of a more direct, applicable regulation being passed and taking effect in their jurisdictions. As we see the CCPA, the USCDPA, and other bills taking effect, being passed, or even just being introduced, it is evident that all companies soon will be required to comply with some consumer data privacy measure. The GDPR has created the future of data privacy and with it has determined what compliance will look like moving forward. While various questions surrounding the GDPR remain, the one thing that is certain is that the GDPR has influenced the future of corporate compliance at a global level and that its influence will only grow in the coming months, years, and decades.