How GDPR Has Spawned a Global Data Law Revolution
Nations including the US, South Africa and the UAE have taken inspiration from the EU's General Data Protection Regulation in introducing new laws. But this is just the beginning, lawyers say.
July 24, 2020 at 04:58 AM
5 minute read
The original version of this story was published on Law.com International
A global revolution is quietly taking place in the world of data law.
In January, the California Consumer Privacy Act (CCPA) took effect, essentially making one's privacy a constitutional right. Since then new, wide-ranging data laws have been introduced in both the Middle East and Africa.
What do these new pieces of legislation all have in common? They wouldn't exist were it not for the European Union's General Data Protection Regulation (GDPR). The GDPR has started an understated but significant process of change around the world. And lawyers believe there is more to come.
A little over two years has passed since the GDPR landed and transformed the relationship between people, business, and that most precious of commodities—data.
Brought in to "harmonize" the mostly well-meaning but highly diffuse data laws across the European Union, the GDPR ushered in a fresh suite of new and enhanced rights for European consumers. To name but a few, these included the right to be informed that your data was being collected; the right to access your data; the right to rectification and, famously, the right to erasure.
It's introduction came, crucially, at a time when the online world superseded the tangible one for commercial dominance, when businesses like Amazon and Apple were hitting $1 trillion valuations, and concurrently, when one's place online faced a growing threat by an ever deepening and vastly sophisticated pool of scammers and hackers, and a panoply of other technologically astute ill-willers.
|Europe-made
So how did the GDPR become a springboard for this quiet but very global data law revolution?
"[Other nations] see the GDPR as the quintessential data law, not so much because it enshrines values we've held dear for so long, but because it has huge simplification power," says a data partner at a U.S. firm. "And laws that are simple, and generally translate into meaningful on the ground regulation are those that do best and achieve their outcomes.
"The GDPR does this," they add.
One of the world's fastest growing financial districts cottoned onto this, with little hesitation. Earlier this month, the Dubai International Financial Centre (DIFC) Authority introduced new data protection legislation designed to align the area's data laws with the GDPR.
Dino Wilkinson, partner and head of the technology, media and telecommunications team at Clyde & Co in the Middle East, said that the new law positions the DIFC as a safe and top-tier jurisdiction as regards data protection issues.
"Data protection is becoming an increasingly important global issue and the new DIFC Data Protection Law will help to align the DIFC's regulatory framework with international best practices."
A partner at a local Dubai firm said the GDPR responds to a "deep yearning" for "better data hygiene" and a greater desire to "take control over how your information is being used".
"Once the GDPR was effective, there was a surge in demand for data subject access requests. But whether that will happen in the UAE remains to be seen. But what it shows is that Dubai knew that if it was going to modernize its data laws, it had to introduce GDPR concepts, like requirements around transparency and fairness, and data security and limiting purpose for storing people's data — concepts captured in the GDPR quite elegantly."
Similarly, in June South Africa introduced a wide-ranging data protection and privacy act. It was a symbolic move by President Cyril Ramaphosa's that underscores his attempt to modernize South Africa's legal framework. Like the DIFC's new data law, South Africa's is designed to put the nation on an even footing with the GDPR.
Without data protection legislation, South Africans have been powerless to do anything when their privacy is violated, says Kelly Hutchesson, a lawyer at Eversheds Sutherland.
In introducing the Personal Information Act, she says that South Africa has "learned valuable lessons from the EU" regarding protecting people from data violations and granting them heightened powers for controlling their own data.
|Just the Beginning
Hutchesson believes other African countries are likely to follow suit and to "look to us for guidance on how to implement such first-world laws".
Indeed, as the parter at the U.S. firm says, "this is likely to be just the beginning."
He adds: "The GDPR has been so successful in enshrining into law elemental principles like data security, transparency and access that it was only a matter of time before other nations took their cue and introduced their own laws. We're seeing it across the U.S., and the EMEA region. And others will follow."
Another partner in the cybersecurity practice of a U.K. law firm echoes this point, suggesting that, while most of the principles enshrined in the GDPR are replicated elsewhere, for example in the Australian Privacy Act 1988, it is ushering in a "new era for data protection, where suddenly companies are having to give a damn about holding and using, and sometime abusing, personal data."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
- 1Foreign-Company Lobbyists Would Need to Register Under Proposed DOJ Regulation
- 2'Fancy Dress': ERISA Claim Accuses Plan Administrator and Cigna Affiliates of Co-Pay Maximizer Scheme
- 3The American Lawyer's Top Stories of 2024
- 4Semiconductor Component Maker Accused of Deceiving Investors About Market Downturn, Export Curbs
- 5Zuckerman Spaeder Gets Ready to Move Offices in DC, Deploy AI Tools in 2025
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250