A number of the world’s largest countries are considering new privacy laws this year
Corporate privacy discussions in recent years have largely revolved around two jurisdictions: the European Union and California. That’s about to change.
Lawmakers and regulators in some of the world’s largest countries are ramping up enforcement of privacy laws, revising statutes or debating new rules. The upshot, executives and privacy experts say, is a vast expansion of protections for personal data and a fast-changing, potentially expensive landscape for companies that use such information to power the digital economy.
“There’s so much happening,” said Gabriela Zanfir-Fortuna, senior counsel at the Future of Privacy Forum, a think tank. She added that much of the action stems from “outside of the Western thought leaders of privacy.”
The frameworks aim to give consumers more control over their data as the coronavirus pandemic pushes more daily life online. Companies that break the rules could face fines or penalties—risks that may be difficult to anticipate.
The movement in countries including Brazil, India, China and Canada comes as U.S. lawmakers remain deadlocked over a federal privacy standard
Companies warn that inaction in Washington will perpetuate a state-by-state patchwork of laws, such as the California Consumer Privacy Act, that could be most onerous for startups. Lawmakers in Washington state and Virginia are pushing forward legislation this year.
U.S. officials also are ceding power to Brussels and increasingly to other power centers to do the same on a global scale, said Microsoft Corp. Chief Privacy Officer Julie Brill.
“There will be norms set and rules set,” Ms. Brill said. “They won’t be inspired by the U.S. approach.”
Some executives like Ms. Brill are concerned about measures that inhibit storing or processing consumer information internationally. Such data localization could require businesses to expand staff or facilities in different countries to handle data that can’t cross borders, privacy experts say, or slow the flow of data that fuels growth of the U.S. tech sector and, increasingly, other industries.
Maintaining data flows is critical for companies such as Facebook Inc., which warned in a regulatory filing last month that new regulations could significantly affect its business. Facebook didn’t respond to requests for comment.
In India, where some privacy experts expect long-awaited legislation to pass this year, data localization policy remains a question mark.
A 2018 draft of India’s Personal Data Protection Bill would compel firms to store copies of all personal information within the country, but an updated version in 2019 limited the requirement to “sensitive personal data” such as health information or caste. The 2019 version, which is now making its way through parliament, also would give a data-protection authority power to approve the processing of “critical personal data” internationally.
The hitch is that “there’s no clarity of what exactly goes into that category of critical [personal] data,” said Rahul Matthan, a Bangalore, India-based partner at law firm Trilegal.
Privacy experts say such debates hinge on governments’ ability to protect citizens’ data from other governments—including the U.S.—or access data for security reasons.
The friction could spread as more laws come online, executives and privacy experts say.
In July, the EU’s top court invalidated a key mechanism for businesses transferring citizens’ data to the U.S. out of concerns that surveillance by Washington would violate their privacy rights.
GDPR, SO FAR…
Read The Full Article at WSJ