One example of the GDPR’s influence in the United States is the California Consumer Privacy Act (the “CCPA”). The CCPA was passed in June of 2018 and is tentatively set to take effect in January of 2020. Similar to the GDPR, the CCPA is intended to require significantly increased transparency between consumers and the companies that receive, maintain, and use their data. The CCPA creates similar rights for consumers such as the right to access and the right to be forgotten. The CCPA also places similar burdens upon data-collecting companies, such as providing reasonable security procedures, obtaining consent for the collection and use of personal information, and providing policies in plain English. The fines under the CCPA are also similarly large, which will encourage companies to comply.
Beyond that, there is another similar data privacy bill in the formulation process in India right now. In July of 2018, India’s Committee of Experts released the first draft of that bill to the public. The bill includes the right to access, the right to data portability, and the right to be forgotten for consumers. The bill also requires companies to hire a DPO and will levy severe fines against data-collecting companies for non-compliance. Another common theme runs through the GDPR, the CCPA, and India’s proposed data privacy bill: all three apply to the personal data of consumers who are residents of those three jurisdictions, no matter where in the world such residents might be located.
The CCPA and India’s data privacy bill are two examples of legislation influenced by the GDPR, but they are not the only data privacy regulations that have been introduced or passed following the enactment of the GDPR. In recent news, Oregon Senator Ron Wyden introduced the United States Consumer Data Protection Act (the “USCDPA”), which is intended to regulate data privacy on a federal level. In addition, the Brazilian government recently passed its own General Data Protection Law, which will take effect in February of 2020.
The trend of stricter data privacy regulation is only beginning. Over the next few years, data privacy bills almost certainly will continue to proliferate around the world. The legislation that has been introduced following the GDPR derives key concepts and elements from the GDPR, and that is a trend that is likely to continue as well. While companies may feel that the GDPR does not apply to them right now or that the EU lacks jurisdiction to enforce the law against them as presently situated, it is wise for all companies to consider becoming GDPR compliant, if only for the purpose of positioning themselves to comply with future data privacy regulations or to participate in our increasingly global economy.
The GDPR has set the bar and the world is following suit. Until one or more courts render precedential opinions discussing whether the EU can exercise extraterritorial jurisdiction, companies must acknowledge their potential exposure to its requirements. Even if the EU were unable to exercise that jurisdiction, companies should be pursuing compliance due to the inevitability of a more direct, applicable regulation being passed and taking effect in their jurisdictions. As we see the CCPA, the USCDPA, and other bills taking effect, being passed, or even just being introduced, it is evident that all companies soon will be required to comply with some consumer data privacy measure. The GDPR has created the future of data privacy and with it has determined what compliance will look like moving forward. While various questions surrounding the GDPR remain, the one thing that is certain is that the GDPR has influenced the future of corporate compliance at a global level and that its influence will only grow in the coming months, years, and decades.