Data privacy law has gone global. It started off as a European phenomenon: the first modern data protection law originated in Germany in the 1970s. The UK’s first data protection law came into force in 1984, and in 1995 a Data Protection Directive came into force across Europe. In the meantime, other countries across the world were developing their own laws, based on the same basic principles but with some significant local differences.
The General Data Protection Regulation came into force across Europe in 2018. It is often seen as the data protection ‘gold standard’. Discussions are currently taking place in the US and other countries about whether they should adopt GDPR-style law. It is not clear how these discussions will conclude. It is clear, though, that most developed countries have some form of data protection law, that businesses operating internationally have several different data protection laws to comply with, and that this number will increase as data protection law branches out globally.
How to comply?
The reality is that organisations collecting and using personal information globally will have many different data privacy laws to comply with. Even if it is possible to obtain a copy of all the relevant laws, court judgements and regulators’ guidance (if any), it can still be very difficult and resource intensive to produce a bespoke compliance programme for each territory an organisation operates in or whose laws it is bound by.
It will always be difficult to work within different legal traditions, to comply with national laws and to understand regulators’ priorities. Even within Europe – where the law is meant to be the same across the piece – there are considerable variations, for example in the way modifications to individuals’ rights work or how the rules around workplace surveillance and interception of emails operate. Despite attempts to standardise the law within Europe and to foster greater international co-operation between regulators, it seems inevitable that organisations operating internationally will be required to comply with a patchwork of different data protection rules for the foreseeable future.
Why is this important?
Tracking carried out by regulators and others suggests that people are becoming more aware of personal information issues and are becoming more willing to exercise their rights. Since the GDPR was introduced, some organisations have been dealing with subject access requests – and the complaints about content that can follow them – for the first time.
In Europe, the US and elsewhere, active civil liberties groups are lobbying regulators, particularly over the big technology companies’ collection and use of personal information. Personal information is becoming a board-level issue, and organisations are realising that mishandling customer or employee personal information can lead to complaints, reputational damage, financial loss and regulatory action. This tendency is sure to continue, as more services are delivered online and as public awareness of personal information issues increases.
The global reach of the law?
The GDPR applies – in full – to any organisation worldwide that offers goods or services to people in the EU.
This means that any business in the US or China, for example, that runs a website making its services available to people in the UK or France has to comply with the data protection principles and, if it monitors EU customers’ online behaviour, even appoint a Data Protection Officer. International enforceability is a complex area, particularly where there is a conflict of laws. This is largely uncharted territory.
However, it is clearly the intention of the GDPR to ensure people in the EU enjoy the same level of protection regardless of the geographical location of the organisations they’re dealing with. It seems that other non-EU laws are taking the same approach. This could mean, for example, that South Korean consumers will enjoy the same level of data protection whether they are dealing with a South Korean firm or a UK one.
If this tendency continues, it could mean that a UK firm operating globally could – in theory – be required to comply with the data protection laws of all the countries in which it has customers. This could present an insurmountable challenge, given the need for detailed local knowledge and regulatory insight and the fact that the various laws an organisation is required to comply with may differ in significant ways – for example the rules around marketing. An alternative approach to global compliance is needed.
An alternative approach
The various data protection laws around the world differ, even within Europe. However, they are all based on the same basic principles – principles with international roots that predate even European data protection law. In short, these address transparency (eg privacy notices), fair use of personal information, individuals’ rights, data quality and governance, and information security.
If an organisation can address those basic issues, then it can be largely compliant with the key requirements of most international data protection laws – and those are the areas that regulators tend to focus on. The areas of national divergence tend to be more technical, such as the framing of exemptions or local requirements to register data processing activity with the regulator.
When working with organisations that operate internationally, we have also found that focusing on the basic principles and mapping compliance onto business processes makes data privacy more accessible to non-experts, and achieves greater corporate ‘buy-in’ across an organisation. This is more effective than simply following the letter of the law and thinking only in terms of legal compliance.
We have also found that presenting data privacy as a matter of good practice, of ethical behaviour and of developing a relationship of trust between an organisation and the people whose personal information it collects provides the best basis for a positive, sustainable and internationally valid approach to data privacy.