The European Union’s much-vaunted General Data Protection Regulation (GDPR) comes into force this week. But Europe isn’t the only entity trying to balance digital freedoms with citizens’ privacy rights.
These five facts look at the state of data privacy laws around the world.
What is GDPR?
GDPR is the updated replacement to Europe’s 1995 Data Protection Directive, one that’s taken almost a decade to get across the finish line.
At its heart, GDPR provides European citizens with the tools they need to better control the data collected about them. Under the law, from May 25 onwards, firms anywhere in the world that collect data on E.U. citizens need to offer users the option to see the information collected about them, and to move or delete that information. Firms will also be required to report any data breaches within 72 hours.
There are numerous other GDPR regulations that companies will need to comply with as well. But the basic idea behind the law is to orient companies toward “privacy by default” and put people in charge of their personal data.
The penalties for violating GDPR are significant — the maximum fine can be up to $23.5 million or 4 percent of the firm’s revenue, whichever is larger. Even if you’re Amazon, a $7 billion fine is going to smart.
Europe’s approach to privacy
Europeans were well ahead of the data privacy curve long before Cambridge Analytica came onto the scene. The European Court of Justice ruled in 2014 that European citizens have a “right to be forgotten” and can have material stricken from search engines if it is determined to be “inaccurate, inadequate, irrelevant, or excessive for the purpose of the data processing,” a ruling enshrined in GDPR as well. In the eyes of Brussels, data privacy is an intrinsic human right, and therefore should be under the control of the individual user. GDPR is a critical step in that direction.
And because GDPR applies to companies doing business in Europe rather than just those based there, plenty of folks around the world will also be at least partially covered by GDPR as companies shift to comply with it. Firms like Facebook have already vowed to operate in accordance with GDPR across their global user base—both because it’s easier for Facebook and because it generates good press on the privacy front.
The American approach to privacy
That’s especially good news for the 61 percent of Americans who would like to do more to protect their privacy, and the 68 percent who say current data privacy laws aren’t stringent enough. To be fair, Congress is now mulling the Social Media Privacy Protection and Consumer Rights Act of 2018, a bipartisan proposal that in many ways resembles GDPR. If voted into law, it would require websites to give users a readout of all the data that a firm has on them, in addition to a list of who has had access to that data and how it’s being used. It’s not as far-reaching as GDPR, but it’s better than nothing.
The most interesting element of this idea is its timing; the bill was proposed in the wake of Facebook CEO Mark Zuckerberg’s testimony to Capitol Hill amid the Cambridge Analytica fallout. Whereas Europe has spent seven years shepherding GDPR along, it took a massive privacy scandal to force Congress to even consider acting. This is in line with the U.S.’s general (and riskier) approach to data privacy: relying on tech companies to police themselves and only considering regulatory remedies once data breaches have already occurred. Some say this freedom afforded to tech companies is the triumph of the free market; others argue it’s the failure of that same free market. The truth is somewhere in the middle.
China’s approach to digital privacy
While Europe believes the responsibility of data privacy belongs to individual users and the U.S. believes it’s the responsibility of tech companies, China starts from a different framework altogether: it’s the government’s responsibility to protect users from having their personal data used to commit fraud or for other illegal purposes. To that end, Beijing has been building a “personal information and important data protection system” as a standard to govern user data privacy.
In many ways, China’s approach to data privacy is even stricter than Europe’s GDPR. It has a broader definition of “personal data” than the European variant, considering any type of personal information that could harm individuals, property, mental health or reputations as falling under its mandate. Under GDPR, it’s still possible for firms to share data with third parties for “legitimate” reasons without a user’s explicit consent; not so in China.
But Beijing is less inclined to place restrictions on the use of personal data in other ways—for example, to improve medical diagnoses through training artificial intelligence algorithms. After all, for Beijing, technology is the future, and AI research is a critical component of that future and of its national security strategy. But if you take a step back, you see that over the last couple of years Chinese authorities responsible for cybersecurity have moved closer to the European model. It’s the U.S. that’s falling behind.
The Russian approach to privacy
Russia has taken a different tack when it comes to data privacy. History matters here; Russians are used to the idea of state surveillance. There was the entirety of the Soviet experience, and the SORM monitoring system has been attached to phone boxes and servers since the 1990s, an effective way for the Kremlin to supervise what Russians do online. But up until five years ago, Russians faced relatively little internet regulation; the Kremlin tries to assert its power in the cyber sphere without making Russians feel that they are being cut off from the world, an admittedly difficult feat.
Russia does data privacy rules its own way, but Kremlin policymakers look to global developments for cues. There’s a version of the “right to be forgotten” law in Russia, for instance. The first data localization law that came into effect in 2015 was described as a personal data protection measure, and it introduced rules requiring companies to take down personal data following a request process. The Kremlin frames data privacy and state surveillance as two sides of the same coin—the state asserts the right to protect citizens’ personal data from each other or from other actors, but retains its own oversight powers. Russia wants to promote this concept as a global norm—that the state, not the user, is the basic actor online. As politics grow more chaotic in both the physical and cyber spheres, it is an approach that could become more appealing elsewhere, particularly in struggling emerging markets.