When implemented in 2018, the European Union’s General Data Protection Regulation (GDPR) represented the most comprehensive privacy and data protection laws to date in the world. Its territorial scope is quite staggering. By its terms, the GDPR governs businesses based in the EU that process personal data, whether or not that data is physically stored or processed in the EU, and those that offer goods or services to or monitor the online behavior of individuals within the EU. Many non-EU citizens enjoy the broad protections guaranteed by the GDPR as well, through companies that voluntarily extend their GDPR-compliant policies to customers worldwide, albeit to varying extents. The significant fines imposed for infringement under the GDPR have encouraged widespread compliance with its provisions. However, there are still many parts of the world where the GDPR does not apply that need data and privacy protection too.
Countries such as Brazil and Japan have considered following the lead of the European Union’s efforts to protect privacy and data. The United States, however, has yet to enact data protection legislation of its own, at least at the federal level. For the time being, it is a state-by-state endeavor. California is currently the leader in this regard, with its California Consumer Privacy Act (CCPA), which was enacted in 2018 and went into effect at the beginning of this year.
The result of this patchwork system of data protection and privacy laws and regulations is that international companies must ensure they are compliant with each separate one to which they are subject (and with the borderless nature of the Internet, most companies today are international with a vast territorial reach and therefore subject to multiple such laws). While these laws and regulations have similar aims to protect individuals’ data and privacy, they do not all have the same requirements. In a fact sheet made available by the California Office of the Attorney General, it is specifically noted that the requirements of the CCPA are different in multiple respects from those in the GDPR. Compliance with one does not guarantee compliance with the other. The time and expenses companies spend trying to comply with the various requirements in this patchwork system could be greatly diminished if there were only one set of data protection rules they needed to abide by. They could then use the saved time and expenses to research even better ways to protect their customers’ data and privacy.
Consumers also lose out under the current system of various privacy and data protections because the different laws and regulations offer different levels of protection. As noted above, while some companies will apply new compliant policies for one set of laws worldwide, this is completely voluntary. Companies may choose to not do so, and they face no legal consequences for this decision. Where a company is based or where someone lives ultimately determines the protection afforded to an individual’s data. It simply does not make sense that the protection of something so important as one’s data and privacy should be so arbitrary. The solution to this problem is the creation of international standards or a set of rules for efficient and uniform privacy and data protection.
So how would we go about setting up international standards or a set of rules for privacy and data protection? A global issue of such import requiring a global solution may best be solved by the United Nations. A treaty negotiated within the UN and then implemented by every member state with appropriate domestic enforcement mechanisms would provide uniform protection to consumers and ease the strain of compliance with multitudinous data protection laws for companies. This is not to say that such a treaty would be easy to agree upon, but it would likely yield a much better result than the patchwork system we have now.
* Kelsey McQuilkin is an Executive Editor on the Michigan Technology Law Review.