Does the GDPR Have Momentum Left?
Despite a few high-profile fines, the focal point of data protection and privacy has not been the European Union so far in 2023. It's an interesting development, given just how much more progressive and committed the European stance on data privacy has been over the past decade compared to the rest of the world.
Yes, the EU saw the first phase of the Digital Services Act go into effect in August, but otherwise has had most of its attention fixed on enforcement and wondering what to do with AI. The United States and Asia, meanwhile, have been passing regulations and having conversations about how to move data privacy forward and balance it with economic development.
Europe had some of these conversations years ago, so the rest of the world is catching up on the issues, but the gap between the EU and other regions is closing. If five years ago Europe was ten times more advanced on data privacy, today it is maybe only twice as advanced.
As of 2023, the GDPR is over 5 years old, but it has yet to see any major amendments and European data protection authorities still interpret various parts of the legislation differently, as evidenced by the vast disparity in the number of violations countries have brought against companies. The complex process of enforcing such a landmark regulation has clearly slowed progress on the European data protection front.
That doesn't mean Europe has fallen behind; far from it. Among other matters, Europe continues to tell the United States that its framework for data transfers between the two economies must be stronger for the EU board to deem it adequate. GDPR fines are still coming, in some cases with eye-popping figures.
But the wheels are finally turning with speed for both American and Asian data protection. So far this year, eight American states and two major APAC nations have passed comprehensive data privacy laws, and a few more may pass before the year ends.
July 1, 2023 also marked a key date for U.S. data privacy, as California's CPRA, Colorado's CPA, and Connecticut's CTDPA all officially became effective. Suffice it to say, a lot is happening.
There is finally momentum on data privacy in America, and even if all these bills fail to match the full scope of the GDPR, the bevy of regulations makes it feel like the gap in how both sides of the Atlantic approach data might be closing. The same is true for Asian countries like India, Vietnam, and Indonesia, all of which have new comprehensive data regulations that, while similar to the GDPR, each have their own unique flavor.
A large test in the coming year will be how these new laws adjust. The sphere is moving so fast that places like Connecticut had to introduce a few major amendments to its law weeks before it went live to increase protections for children's data and health data. That's what makes it so surprising that the EU has largely left the GDPR unchanged since 2018, despite only modest perceptions of the regulation's success over that time.
Over the next year, there are legitimate questions about the new slate of regulations: Will India issue a fine over DPDP noncompliance? Will Texas tweak the language of the TDPSA? Most of these pertain to the U.S. and Asia, not Europe.
This is particularly true of California, which famously passed sweeping progressive amendments to the CCPA within 24 months of passing it. The CPRA amendments will enter into full force in March 2024, but the state legislature also passed the DELETE Act in 2023.
The DELETE Act appears revolutionary. It will provide consumers with the ability to remove their personal data from all California-based data brokers with a single, verifiable consumer request. This will serve as the flip side to the Global Privacy Control. One allows consumers to mass opt out of data processing, while the other allows them to issue mass DSRs to reclaim their data.
This law alone puts American data protection in a better spot relative to the EU than it has ever been.
Europe has paved the way and continues to push the plow forward, but its pace has slowed, and countries like the U.S. have greatly benefited from the set path, catching up faster than many assumed they would. As much of GDPR enforcement has been targeted at Big Tech, EU data regulators have gotten bogged down in expensive, lengthy legal battles.
That fact has brought us to a point where if the EU wants to continue its clear global leadership on data protection, it must come up with a better answer than Big Tech fines when asked what’s next for the GDPR. The DSA may be part of the solution, but with this field evolving so quickly, regulations need to as well.