GDPR is an acronym we now know only too well. One year after it arrived (with a flourish) in our inboxes and webpages, the ethos behind it has now traveled outside EU borders. We look at three countries that are also taking steps to protect their people's data, in their own way...
While these policies do sometimes extend beyond the EU, because of the way people and businesses interact, more and more countries are now trying to take control within their own borders. They're creating their own legislation to regulate data privacy locally, but with some differences. Here's what you can learn from how three countries have approached a post-GDPR world.
United States: state by state (for now)
The closest analogy to the GDPR in the US is the California Consumer Privacy Act. Effective as of 2020, it will see changes such as:
- Allowing users to opt out of their data being sold
- Requiring companies to disclose information on the data they collect
But, as the name suggests, these laws apply only to one state. Other states have begun planning their own legislation, albeit with variations. The New York Privacy Act, for instance, is similar but would:
- Give users the right to sue over privacy violations
- Prevent businesses from using data in ways that harm users
In an effort to avoid a jumble of conflicting rules across different states, the nation’s tech giants have begun calling for a single set of regulations on a federal level.
China: surprisingly secure
In contrast to its controversial use of a surveillance-based social credit system, China’s 2018 data privacy standards are designed in many ways to favor its people – and are often more stringent than GDPR:
- More liberal about the kind of information that's considered potentially harmful (and thus needs to be protected from misuse)
- Stricter about the anonymization of data
- Demand security assessments for third parties accessing user data
The regulations, however, are less strict on user consent over data collection, raising concerns over the type and volume of information that can be accumulated by companies and governments. But overall, the policies are closely aligned to the GDPR.
Brazil: like GDPR, but with greater reach
Not long after GDPR, Brazil passed its own bill on data protection. Given the timing, it's not surprising that its rules are heavily influenced by those introduced in the EU, but there are some significant differences:
- The rules apply not just to residents of Brazil and businesses with a local digital presence, but also to companies that offer goods and services in the country, substantially increasing the geographic reach
- Even though there are more specific protections around health and credit information, an individual’s consent over their own data can be invalidated if they’re deemed to have made it public in other ways
Are regulations enough?
In a 2018 global consumer study on privacy and location data, 80% of 8,000 people surveyed said they lacked confidence in how businesses handle location data, and 84% are unsure whether laws and regulations will ensure their location data is not intentionally misused. And yet, only 22% said they check and update their location data settings proactively.
It's clear that it's up to both regulators and businesses to improve this situation, and win back consumer confidence. But how? As Philip Fabinger, Global Privacy Counsel at HERE, says: "Control and transparency are the first steps for building consumer confidence in sharing location data."
Yes, it's about taking privacy seriously and complying with regulations. But, in an ever more suspicious world, it's also about going beyond the laws to further secure the anonymity of your users, and communicating to people what you're doing. Privacy is no longer something to be buried in your terms and conditions: it's fundamental to the future success of your business.
Meanwhile, for consumers, while you're waiting for everyone else to catch up, what can you do? First, educate yourself. Then take steps to proactively safeguard your data. Finally, give your information only to companies you trust. You can read more about how your location data is handled, and what you can do about it, in our two-part series, "The truth behind location data anonymity": part 1 and part 2.