Data Protected – Refreshed and updated

It is now 20 years since we launched Data Protected. Our very first survey of data protection laws was released on 1 May 2004 to celebrate the accession of 10 new Member States to the European Union. This was the fifth enlargement and by far the largest in the history of the European Union.

To mark that date, we decided to compile the data protection rules of all the 25 EU Member States of that time, calling upon our offices as well as friends in other law firms. Over the years, this survey has been updated and expanded well beyond the borders of the Union, to cover more than 50 countries. It has become a successful reference work for many of our clients and contacts across the world.

We are proud to release a complete refresh and update of its content,  which considers all changes to data protection laws in the last 18 months in 55 countries worldwide.

Highlights from the last 18 months

The last 18 months has seen slow and incremental strengthening of the global framework of data protection laws with the following key highlights:

• The U.S. (here) – Perhaps the most exciting change to Data Protected is the addition of a new U.S. chapter late last year. While the U.S. has had privacy laws for some time, the rules have grown more and more complex in recent years due to the overlap in federal laws imposing sector specific obligations (such as HIPAA, GLBA, COPPA, TCPA and VPPA) and comprehensive state privacy laws (such as CCPA, VCDPA, CPA, CTDPA and UCPA), all alongside state UDAP laws and state laws imposing specific requirements (such as Illinois BIPA and NYC’s AI Bias Law). Finally, each state has its own statutory framework governing notification obligations for data security breaches. The absence of a single comprehensive federal law has made the U.S. market increasingly disjointed and difficult to navigate.
• The EU – In contrast, there have been more limited changes in the EU over the last 18 months. The combination of using an EU regulation (which is directly effective in all EU states) and the coordinating influences of the European Data Protection Board and the European Commission means that data protection law is much more closely harmonised across the EU than in the US, perhaps with some limited exceptions such as for employee data. This has created a much more cohesive digital single market than the U.S. However, the increasingly absolutist approach of the European Data Protection Board and Court of Justice make the EU a challenging jurisdiction with very strong sanctions for non-compliance (as evidenced by recent enforcement in Ireland and some other Member States).
• The UK (here) – Four years on from leaving the EU, there have been limited changes to UK data protection laws. Bold ambitions to tear up EU data protection law have been replaced with modest reforms by way of the largely unloved Data Protection and Digital Information Bill, which is making slow progress through the UK Parliament. The UK looks to remain in the EU’s regulatory orbit for some time to come.
• India (here) – India finally passed a general data protection law in August 2023, reflecting the status of data protection laws as a global regulatory norm. That law resembles the GDPR in some ways but with specific Indian characteristics. For example, it does not contain the concept of special category personal data (perhaps reflecting the conceptual problems in trying to deal with it in practice) and contains very liberal rules on transborder data flow (again, perhaps recognising this has been increasingly problematic in other jurisdictions and reflecting the role of India as a strong offshore location for IT and business process outsourcing).
• Vietnam (here) – Finally, like a number of other Asian and Latin American countries before, Vietnam also passed a data protection law, which came into force in July 2023. That law is strongly aligned to the GDPR, though again with some Vietnamese characteristics. The passing of this law means that all of the 55 jurisdictions covered by Data Protected have comprehensive data protection laws (or multiple federal and state laws in the case of the U.S.).

Reflections on the last 20 years

While the changes in the last 18 months have been incremental; the changes over the last 20 years have been profound and mirror society’s wider approach to technology.

The first edition of Data Protected in April 2004 arrived in a period of “techno-optimism”. Despite the dot.com boom and bust, it was clear that the “Internet” was going to be big. More generally, the world was experiencing a period of globalisation as companies expanded into new markets, triggering rapid economic growth.

Reflecting this wider confidence that technology would change the world for the better, data protection was very much a sport for “enthusiasts”. Few jurisdictions had general data protection laws and those that did applied the law in a gentle and flexible way – more a means to guide good business practice than strictly control their activities. This was also an era of limited enforcement and minimal sanctions. The first edition of Data Protected contained only a short section on sanctions (with the largest potential fine being €601,012 in Spain) and no actual examples of enforcement.

Much has changed since the heady days of 2004, including attitudes to new technology. The explosive growth of generative AI in the last two years has triggered just as much concern as excitement – with governments immediately looking to introduce new laws to regulate this area. This caution is mirrored by increasing geopolitical tension.

This “techno-scepticism” and a more cautious approach to globalisation permeates through to the regulatory environment. Within the EU, the core principles in GDPR are much the same as in the old Directive but their interpretation has been hardened by both suspicion of new technology and the fundamental right to data protection in Article 8 of the EU Charter.

As a result, data protection laws are starting to become a ruler and not a guide, and to pose existential challenges to some businesses. For example, by restricting the advertising models available to businesses or their ability to operate a global service. It is no surprise this has resulted in much more emphasis on contentious data protection advice, and the increasing professionalism, formalism and industrialisation of privacy compliance. Data protection is no longer a field for enthusiastic amateurs.

How should we approach this new reality? Ultimately, the job of a data protection professional hasn’t changed fundamentally in the last 20 years. Identify the needs of the business and respect the data protection rights of individuals – then try to marry the two in a way that complies with data protection laws. The last bit is harder than ever. But with a healthy dose of creativity and pragmatism, you can still find the way.