Trends in global data privacy laws

Privacy continues to be in focus for legislators, regulators and the public more than three years after the effective date of the EU’s General Data Protection Regulation (GDPR).

According to Adrian Godfrey, International Global Business Operations Director with JPMorgan Chase Commercial Banking, there are a number of factors contributing to this sustained focus. These include, but aren’t limited to:

• Increasing technological capabilities
• Exotic uses of data
• Greater public awareness of privacy harms
• Privacy as a social justice matter
• Control of data (including personal data) as a concern of national sovereignty

The impact of COVID-19 only accelerated these shifts.

“The pandemic changed our way of life fundamentally by increasing the online presence of nearly everyone, providing even more personal data to the massive collection that was already taking place,” Godfrey says.

As concerns over data privacy persist, organizations will need to address privacy with a comprehensive strategy that accounts for all these factors.

Data privacy law coverage expands

The introduction of GDPR was a watershed event in global data protection. Since taking effect in 2018, it has become the blueprint for several new laws around the world.

GDPR not only gives individuals in the EU rights in relation to their personal data, but it also promotes organizational accountability by creating a range of obligations that impact all aspects of the data lifecycle, regulating it from the time of original collection or creation of personal data until the end of its useful life. GDPR can also sometimes have extraterritorial application—it can apply to companies’ data processing activities even when the organization is established outside the EU. Finally, companies found to violate GDPR can face steep fines of up to 4% of their annual turnover.

Following the passage of the GDPR, countries on every continent have enacted new privacy laws or updated existing ones. And while no GDPR-like federal law exists in the U.S., multiple states are attempting to address that gap, with California, Colorado and Virginia already passing comprehensive legislation.

To help businesses better understand and prepare for the global data privacy landscape, we look at regulatory developments in three economically important countries—the United Kingdom, Brazil and India—that may signal what to expect in the future, as well as identify steps business leaders might consider to optimally position themselves for the future.

U.K. privacy law after Brexit

Brexit introduced a wave of operational uncertainty for international businesses. One question was how an exit from the EU would affect the EU’s perspective on British businesses’ ongoing compliance with GDPR. As Parliament moved quickly to preserve the U.K.’s implementation of GDPR in the form of the Data Protection Act, known as the “U.K. GDPR,” the U.K. was granted adequacy as a data protection regime and short-term uncertainty passed.

However, the U.K. GDPR is merely a starting point. In September 2021, the U.K. Government’s Department for Digital, Culture, Media and Sport launched a consultation to consider regulatory changes that would give companies more flexibility and reduce compliance burdens. Ultimately, many businesses may not elect to take advantage of this new flexibility given that their compliance and controls for GDPR are established and serving them well.

Brazil gets a comprehensive privacy law

In 2020, Brazil became the first country in Latin America to pass a comprehensive data protection law fashioned on the EU GDPR.

Brazil’s General Personal Data Protection Law (or LGPD based on its name in Portuguese, “Lei Geral de Proteção de Dados”) draws heavily from GDPR. For example, it grants individuals data rights and requires organizations to have a lawful reason for processing personal data.

It’s still too early to assess the law’s long-term impacts—enforcement only began in August 2021, and there are several areas where regulatory guidance is necessary, such as cross-border transfers. Although the concept of protections for transferred data has strong roots in EU privacy law, Brazilian guidance is likely to be informed both by the GDPR and the nuances of Brazilian culture, politics and jurisprudence. Though other Latin American countries have individual privacy laws, Brazil’s LGPD is notable for unifying more than 40 disparate and sometimes contradictory regulations.

India keeps data privacy in focus

India’s parliament has been going through a years-long process of refining its Personal Data Protection Bill (PDPB). While not yet law, the PDPB would enshrine many of the principles of GDPR, including individual data rights and requirements for notification of privacy breaches. International organizations should track progress of the PDPB given the scale of impact this legislation stands to have, covering the world’s second-largest population and impacting a country in which many multinationals have both a business and operations presence.

3 ways to prepare now

For international businesses, there’s no better time to prepare for the year ahead than now. Here are three ways you can improve your approach to compliance and data privacy:

1. Bring everyone together to design for privacy: Privacy should be a central tenet of your business, not something relegated to compliance. Employees, customers, clients, stakeholders, investors and regulators demand as much. Placing privacy at the center of your corporate culture can help eliminate barriers to innovation, resource management and transparency. Get all your stakeholders with a role in respect to privacy and data together—and do it globally. If your various stakeholders don’t know what each other are doing you are more likely to experience overlapping agendas, conflicting priorities, misuse of resources and friction in your innovation capabilities. Bringing people together and establishing clear accountability is key to meeting long-term business objectives.
2. Gather data on your data: If you don’t have the best, most easily accessible information on how your organization is collecting, creating, using and sharing data, it’s going to be difficult for you to comply­—and even harder to compete.
3. Automate your processes: The volume and the velocity at which data is being created, collected and stored is increasing every year. As the world becomes more digitally connected, computing power increases and advances in AI enable even more novel and extraordinary innovation, the automation of your processes to identify, detect and prevent risk in the data environment will be essential. Automation can take many forms but includes tools that persistently track where data is, who is accessing it and what laws apply to it, or tools that assess the risk of a proposed data processing based on certain parameters to aid in making decisions about whether and how to proceed.

Changes and trends are hard to predict—some of the triggers for recent activity have been events over the past few years: Cambridge Analytica, the Edward Snowden revelations and the recent Facebook whistleblower, to name just a few from the headlines. That said, direction of travel is clear.

These developments underscore the importance of establishing a unified global, sustainable compliance model that is founded on international or regional standards and, where necessary, accounts for the material country-level differences that emerge. Organizations that can best harmonize their data protection practices across the globe and across the entire data life cycle will be best positioned to both comply and unlock their potential for data-driven innovation.  

_{© 2021 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.}

_{Note: The data protection regulations and proposed legislation included in this article are current as of publish date.}