While some lawmakers are mimicking GDPR in their new and proposed data privacy laws, others are distancing themselves from it. Let’s look deeper into why and what the impacts of that decision could be.
Going along with GDPR
Ever since the EU’s General Data Protection Regulation came into effect in 2018, the rest of the world has had to decide whether to fall in line or leave the EU behind. The recent decisions by various data protection authorities regarding Google Analytics violating GDPR have led companies to focus more intently on ensuring that their GDPR transfer mechanism is accurate and reliable.
Lawmakers have also been getting in line with GDPR to keep up with business operations. The new Brazilian General Data Protection Law (LGPD) came into effect in 2020 with similar regulations. New Zealand’s new privacy law allowed the EU to make an adequacy decision for data transfers. In the US, though federal legislation hasn’t followed GDPR, laws like the California Privacy Rights Act and the Virginia Consumer Data Protection Act share similarities with the EU law.
This is not the case for all countries or jurisdictions. Canada, India, and the UK have proposed updates, or have received recommendations to update their privacy laws, in ways that would separate them from the GDPR. These changes will each come with various pros and cons for international economies.
Lifting the burden on business
The Canadian Marketing Association (CMA) produced a compilation of findings to the Canadian government in which they argued that the GDPR has brought regulatory burden, limited innovation and economic growth, and obstructed cross-border transfers. Moving to legislation that is closer to GDPR, they said, would place the brunt of the cost on small and medium-sized enterprises. What they want to see in Personal Information Protection and Electronic Documents Act (PIPEDA) reform is a technology- and sector-neutral approach to privacy.
Reducing the elements of GDPR that stifle innovation and emerging technologies would allow innovation and economic growth to improve the lives of Canadians. The trick will be in following the recommendation of the CMA to do this in a way that protects privacy rights at the same time.
Easing formalized GDPR requirements
The UK government also has in mind to create regulatory updates that will reduce the burden placed on business, as noted in their consultation from late last year and reported by EDPO. In place of the requirements for Data Protection Impact Assessments and records of processing activities, there would merely be requirements to identify and minimize data protection risks. They would also replace the Data Protection Officer requirement with a dedicated person in charge of the privacy program while the recommended roles, responsibilities, and qualifications remain the same as listed in the UK GDPR.
Freeing businesses and organizations from the necessity of official or formalized requirements would make it easier for them to comply with the law. It’s inherently easier to designate someone in charge of the privacy program than to hire an unbiased DPO.
While moving away from the GDPR may be a welcome relief to local businesses, some of the privacy law changes proposed across Canada, India, and the UK could create further complications.
Easing formalized GDPR requirements
Getting rid of the requirements for Data Protection Officers and Data Protection Impact Assessments in the UK GDPR could also affect the level of effort that organizations put in when they’re mitigating and minimizing risks. This may allow some risks to fall through the cracks. The formalization of these processes encourages organizations to take the requirements more seriously, and they may not take their duties as seriously without them.
Requiring data localization
China’s Personal Information Protection Law, which came into effect November 1st of 2021, was the first of its kind to introduce data localization requirements. Following its lead, the proposed Data Protection Bill in India would implement data localization requirements for critical and sensitive data. This would create more complications for businesses that rely on transferring data into and out of India. Companies including Dell, Amazon, Google, and Cisco already responded to the opinions of the joint parliamentary committee with related concerns.
Another concern with data localization is that it can inhibit timely access to data in the event of a cyberattack, both in defending against a potential attack and in restoring or securing access to the data afterward. This would inadvertently compromise the security of network traffic.
Adding additional measures for data transfers
While the proposed changes would reduce the burden placed on UK businesses, they may be adding to the burden of non-UK businesses that rely on data transfer to or from the UK to operate. The UK will be implementing their own Standard Contractual Clauses later this month (provided there are no objections) with two options: the International Data Transfer Agreement and the addendum to the EU SCC. This may affect other markets by requiring companies to adopt the new UK SCCs along with the EU SCCs in their contracts, duplicating the effort and resources required to comply with both.