Where Europe leads in redefining data protection

07/05/2016 08:57

Europe is taking the lead in redefining data protection laws and that's not surprising given that attitudes to data and privacy run very deep in certain European countries for historical and cultural reasons.  Privacy is a very fundamental right in Europe and the idea that you shouldn't be able to profile people in terms of their identity is deeply rooted in the European psyche.

The EU General Data Protection Regulation (GDPR) has taken four years to emerge as a champion for individual rights. And across the world policymakers can be seen to be moving in the same direction - new laws in South Africa clearly follow the EU model and we've also seen reforms in other jurisdictions too as diverse as Israel, Denmark, Japan, Morocco and South Korea. 

While few Asia Pacific states have data protection regimes as rigorous as Europe's, an increasing number are bringing their own laws up to international standards and that means roughly in the same direction of travel as the GDPR.  And this is particularly true of jurisdictions that aspire to be economic hubs for the region, such as Singapore and Hong Kong. China meanwhile has focused its efforts on online data collection and consumer personal data rather than employees  - which isn't that surprising given it's the world's fastest growing e-commerce market outside of the EU.

As multinationals get to grips with the GDPR over the next 24 months, those operating in economic regions outside of the EU are highly likely to adopt the same approach and apply common standards that will be modelled on the GDPR.

Whether the US follows suit is another matter as a question mark hangs over the legality of the Privacy Shield that was meant to be a solution to the defunct Safe Harbor Agreement.  This simply serves to illustrate the point that many lawyers have known for a very long time - that the DNA of the regulatory frameworks in Europe and the US are very different and although there's been pressure on the US to move towards the EU approach, it's still going to be very hard to achieve real compatibility.

This is further complicated by the looming US Presidential Election as well as a possible Brexit of the UK from the heart of Europe.

In the former, if Donald Trump triumphs to become President of the United States then it's anyone's guess as to how fast the US will pull up its drawbridge to the rest of the world.

And in the latter, according to a recent independent review by the House of Lords, it could take as long as 9 years for the UK to untangle itself from the European Union although it may retain a vast amount of EU laws if this is in the 'public interest'.

Neither outcome is a forgone conclusion, but what is clear right now is that the US is considered by many EU Member States as an "unsafe" jurisdiction in terms of drawing up contracts to cover personal data transfer.

After the US Presidential Election on November 8 2016 it remains to be seen whether privacy laws will be revised in the direction of those on mainland Europe or whether the US is heading in the opposite direction.

However US-owned companies that target EU citizens and residents or monitor their online behaviour will be subject to the GDPR and as a result, their subsidiaries will also be subject to the new, stricter rules that will shape all future commercial agreements between Data Controllers and Data Processors.

So for many multi-national organisations there's no way of getting away from it. GDPR is a fact of life and is here to stay.

My guess is that many organisations will eventually see the GDPR as a robust approach to privacy and as a matter of good corporate responsibility that's essential for their long-term profitability and sustainability.

Read more:https://www.linkedin.com/pulse/where-europe-leads-redefining-data-protection-ardi-kolah-ll-m?trk=hp-feed-article-title-publish