You Can Run From the GDPR, But You Can’t Hide – Data Protection Goes Global
Avid European readers of the Tronc family of newspapers – including the LA Times, Chicago Tribune, and Baltimore Sun – awoke to disappointment on May 25th. As the GDPR took effect that morning, the Tronc news sites simply disappeared, replaced by a plain text notice.
It’s a gesture well known to petulant children. (See the South Park meme, “Screw you guys, I’m going home!”) Of course, business leaders have every right to determine in what markets they want to offer their products or services [1]. But storming off the playground simply because you don’t like the (data) rules will increasingly prove to be a financially dubious strategy, for the simple reason that . . .
It’s not only Brussels pouting about data protection
The fact is, GDPR-like data protection is going global. On July 10, Brazil’s Federal Senate effected final approval of the Data Protection Bill of Law, which is explicitly modeled on the GDPR. Similarities include: the requirement that consent be “free, informed, and unequivocal,” the appointment of data protection officers, and the mandatory practice of privacy by design. It is set to take effect in about 18 months [2].
Surprisingly, the Bill reportedly passed both houses of the Brazilian legislature with a unanimous vote. You’d think that at least a few representatives would have been seduced by the sweet nothings whispered into their ears by AdTech lobbyists – you know, about how data protection is lethal for the free internet, free speech, and freedom of the press. The unanimous vote ought to put a chill in the heart of those who hope to evade governmental legislation with self-policing and self-regulation.
Elsewhere, draft legislation in Indonesia – the fourth most populous country in the world, with an economy growing at over five percent per year – has been described as “more or less a copy/paste of concepts and provisions from European Union law.” Similarly, Hong Kong’s Personal Data Ordinance mirrors GDPR principles like purpose specification, data minimization, and informed consent.
At this rate, companies that don’t want to play by strict data protection rules may have to retreat to the US market alone. Well, except . . . as of late June, the White House is reportedly considering GDPR-like data regulations.
The threat of fragmentation
It’s easy to be skeptical about how far the current US regime will go in protecting consumer privacy and data rights. (Witness the reversal of the consent requirements for ISPs in early 2017.) But from a business perspective, a single, nationwide regulation would be far preferable to the state and local data restrictions that are currently proliferating like tomatoes in the mid-summer heat.
As usual, California has taken the lead, with the California Consumer Privacy Act of 2018. While nowhere near as strict as the GDPR, the law does grant consumers the right to know if their data is being processed and to restrict its usage without losing access to the relevant digital services (although companies can offer different services or rates to consumers according to the amount of data they provide).
The California bill also passed unanimously. But that’s because it was reluctantly supported by the tech industry and rushed through the legislature in days in order to avoid a potentially much more restrictive data protection referendum on the November ballot. Companies reportedly will try to water down the bill with amendments before it takes effect – a predictable but misguided reaction, since the public appetite for a citizen referendum has already been validated.
It’s equally predictable that other states will pursue similar legislation. Indeed, within a year of the reversal on ISP restrictions, 20 US states had considered or passed bills expanding consumer rights over their data.
The resulting fragmentation of data rules would be the true nightmare for businesses. Imagine having to track and manage dozens or hundreds of different and potentially incompatible regulations in order to do business across the US.
The attraction of Californication
The alternative to pulling out of markets that don’t allow your desired level of data collection – and/or trying to keep up with the nuances of the laws in all of the markets you do serve – is to embrace and institute the highest level of data processing protections and policies.
I’ve called this the Californication of data processing.
Californication occurs when a single part of a large market is able to dictate the behavior of practitioners across the entire market. Example: After California introduced higher auto emission standards, most manufacturers eventually built almost all of their US-market cars to meet the California requirements.
It’s fair to say that the GDPR currently represents the highest standards for privacy and data protection, especially if, as the regulators persistently advise, you look at it not as a box-ticking compliance exercise but as an opportunity (well, actually a demand) to put consumers in control of their data and institute “sensitive and ethical” data processing practices.
As I’ve noted before (watch my presentation, “Can the GDPR Save Customer Experience Management (From Itself)”), global consumer surveys consistently show that assuring consumers that they are in control of how their data is collected, used, and shared is the only way to address the “trust deficit” that erodes customer satisfaction and inhibits long-term, mutually beneficial relationships.
Instead of running away from the GDPR, you ought to aggressively adopt it, and adapt your culture to reflect it. In business – as on the playground – perseverance beats petulance every time.
[1] Although the withdrawal method may not ensure compliance with the GDPR. There’s a good argument that non-EU based firms are still obligated to ensure that a) any previously collected personal data of EU residents is now processed (even if that only means stored) in a compliant manner and b) they are able to support the GDPR’s data subject rights.
[2] The Bill must first be signed by Brazil’s president. It takes effect 18 months after it is published in Brazil’s Federal Gazette. However, see this article about how certain financing restrictions may delay (some parts of) the bill.
Tim Walters, Ph.D., Privacy Lead at The Content Advisory