May 25, 2020 marks the second anniversary of the implementation of the General Data Protection Regulation (GDPR) in Europe. Arguably the most important piece of legislation on personal data in recent years, GDPR was designed to ensure the privacy of those living within the EU. Two years on, we’ve seen a substantial increase in awareness around data privacy and protection, with additional regulations being implemented across the world. Threats against privacy have never been greater, with continued efforts by cybercriminals highlighting the value of data as currency – and the importance of not dropping the ball when it comes to securing personal information.
Over the past two years, it has become clear that GDPR is not a magic cure for all data privacy issues. Since May 2018 we have seen huge fines for companies that consistently fail to protect their customers’ data, including a £189 million (US $230 million) proposed fine over a British Airways data breach in 2018. Although these fines may help organizations to become more accountable for how they store users’ information, there is still some way to go to ensure complete data privacy.
How does GDPR measure up?
While it may have been one of the first, GDPR is not the only piece of data protection legislation in place across the globe. California’s Consumer Privacy Act (CCPA), signed into law in June 2018, contains many provisions that are similar to those of GDPR. While the geographical scope of these regulations may seem limited, they actually affect any market doing business in the EU or the Golden State.
Meanwhile, Brazil’s Lei Geral de Proteção de Dados (LGPD), expected to come into force in August 2020, will give citizens the right to request the deletion of data held about them, among a number of other privacy provisions. Brazil boasts one of South America’s largest economies, so this legislation will have a tangible effect on the world. The LGPD creates a set of new legal concepts and generates specific obligations for data controllers, making them more accountable in the eyes of the law.
Japan’s Act on the Protection of Personal Information (APPI) was introduced in 2003, with substantial revisions made in May 2017. These revisions included extending the application of the law even to foreign companies that hold data on Japanese citizens, meaning that this act goes further than many others of its kind.
The future of GDPR
Recent months have posed an even greater challenge for data privacy. In the face of the coronavirus lockdowns, data that would have previously remained private, such as medical information, has been shared in less than ideal ways. Apps to help monitor the spread of COVID-19 have been designed to track individuals, providing warnings if users may have come into contact with those infected with the virus. How do data protection regulations provide for increased tracking?
As lockdown measures started to be put in place in Q1 2020, the European Data Protection Board (EDPB) issued a statement clarifying that the GDPR allows public health authorities to process personal information without individual consent for the sake of protecting public health. In terms of using location data, the statement further clarified that public authorities must adhere to the ePrivacy Directive. Article 15 of this directive opens the possibility for EU member states to introduce legislative measures that would allow the use of location data. As much as possible, such data should be processed in an anonymous way.
One of the most significant effects of GDPR is that it has sparked a global conversation about data protection. By putting the privacy of our data at center stage, GDPR has highlighted how important it is to be in control of how personal information is stored and shared. Who knows what the next two – or 10 – years may hold for data protection legislation, or how technology will continue to change the world? But one thing’s for sure: data privacy will not slip off the global radar anytime soon.