The Data Privacy Regulatory Landscape (as of August 2021)

blog-image

Data privacy regulations are gaining traction domestically and internationally. Business and tech leaders would do well to take notice and re-consider their approach to privacy. Here’s a synopsis of the latest regulations taking effect or up for consideration.

US: States Take the Helm

Within the U.S., states have taken the initiative to adopt and pass data privacy regulations in the absence of action by Congress at the federal level. To date, California, Virginia, and most recently Colorado have passed data privacy and protection laws. Washington state is on the cusp of passing the Washington Privacy Act, perhaps the strongest state-level data privacy law. Florida and Connecticut are expected to pass data privacy laws in upcoming legislative sessions.

In general, most of these data privacy laws give consumers the right to prevent their data from being sold, to see what data companies have collected on them, and ask for it to be deleted. None have yet (at least at the time of this writing) granted consumers the right to sue companies for violations, which could be game-changing.

International: It’s Not Just GDPR Anymore

The European Union’s (EU) General Data Protection Regulation (GDPR), which took effect in May 2018, set the global standard for data privacy protections. The EU leveraged its collective market, exacting standards, and demographic power (called the “Brussels effect”) to set the precedent for data privacy protection. At the same time, other countries have moved to pass their own laws, largely based on GDPR, but tailored to cultural context and governance regime.

Brazil

In 2018, Brazil passed the Lei Geral de Proteção de Dados Pessoais (“LGPD”), or General Law for the Protection of Personal Data. The law became enforceable in August 2021 and applies to any data processing on natural persons or entities residing in Brazil. It also created the National Data Protection Authority (ANPD) similar to the European Data Protection Supervisor (EDPS).

India

Data privacy and protection have been governed by the Data Protection Rules passed in 2011, which requires companies to have “reasonable security practices and procedures” (RSPP) for privacy assurance. However, in July 2021 the Bureau of Indian Standards (“BIS”) issued new standards for data privacy assurance while Parliament continues to debate a new comprehensive data privacy law introduced in 2019.

South Africa

In July 2020, South Africa passed the Protection of Personal Information (POPI) Act, which took effect in July 2021. Modeled off GDPR, it applies to the personal data of any individual in South Africa, regardless of their nationality. It also requires companies to appoint an Information Officer, reporting to the CEO.

China

China continues to update its legal framework for data privacy and protection. In August 2021, China passed the Personal Information Protection Law, which takes effect November 1, 2021, and applies to companies collecting personal data on users in China. This quickly follows the Data Security Law, passed in June 2021 (taking effect in September 2021), which requires companies to categorize data into three groups (core to the state, important, general), maintain critical information infrastructure, and forbids cross-border transfer of data.

Moving to Privacy-first Computing

The proliferation of data privacy laws is ushering in a new era of privacy-first computing as more of our lives moves online. Consumers increasingly demand protections as social media, mobile computing, and location-based apps become more prevalent and data breaches more common.

Trust is required to succeed in business and many companies have adopted a position of “data entitlement”. As trust erodes, governments are stepping in to protect their constituents. It’s important to note that each of the states and countries listed above are bellwether locales; just as GDPR set a global precedent, it’s likely that Brazil has set a regional precedent in South America, India in South Asia, and South Africa in Africa, not to mention California, Virginia, and Washington in the US.

Yet, relying on regulations to set data protection policies essentially concedes the task to a third-party and results in a “check-the-box” approach with a clear motivation: determine the minimum effort needed to comply.

In contrast, business and tech leaders should adopt a core philosophy that prioritizes the privacy expectations of their customers and takes a “privacy by design” approach. Trust is a valuable currency in the business world, hard to earn and easy to lose. Taking a privacy-first approach demonstrates respect, value, and care. Companies must adopt the right policies and proper data infrastructure to place consumer protections front-and-center and privacy as a foundation to their long-term sustainability and growth.


Photo by Irina Shishkina on Unsplash