Just four months into the General Data Protection Regulation (GDPR), thejury is in: Europe has seized a first-mover advantage and set theterms of the global privacy debate. Whatever its virtues or flaws,the GDPR is now the de facto global standard that othercountries' privacy regimes are measured against, and countriesaround the world are adapting their own laws accordingly.

As the United States begins a meaningful dialogue about anational privacy law, the GDPR will likely dominate theconversation once again. Ensuring rough equivalency (or, in GDPRparlance, “adequacy”) with data protection standards in theEuropean Union (EU)—and protecting lucrative cross-border dataflows—will be a critical function of any U.S. data privacy law. Atthe same time, the process of crafting a comprehensive law presentsU.S. lawmakers with the opportunity to recapture a globalleadership role on privacy norms and to promote a template thatwill reduce barriers to international business.

Europe Has Planted Its Flag

The GDPR was big and radical, and now we're stuck with it. Basedon a conception of data protection as a fundamental right, itapplies globally to uses of European citizens' personal data andempowers regulators to apply steep fines for noncompliance—up toEUR 20 million (approximately US$23 million) or 4 percent of acompany's global turnover, whichever is higher.

The GDPR sets up a legal obligation for organizations thatcontrol and process personal data of any European citizen. It laysout strict standards of notice, consent, purpose limitation, anddata minimization. It also grants European citizens whose data isbeing collected, stored, or processed affirmative rights to access,rectification, erasure, and data portability, and enables them torestrict or object to processing of their data.

In theory, these rights should change the nature of dialoguebetween users of online platforms and service providers, and shouldgive the users more control over how their data is used. Inpractice, though, the benefits of the extra information arequestionable. The onslaught of opt-back-in emails sent the weekbefore the GDPR took effect on May 25 is a prime example: Mostusers simply clicked “accept” without reading the terms andconditions; thus, the disclosures didn't actually provide them witha better understanding of, or control over, how their data isused.

Under the GDPR, organizations are accountable for implementingappropriate technical and organizational measures to comply withthe law, including the appointment of a data protection officer(DPO). The GDPR also sets a strict standard for data transfers,which is fast becoming the global benchmark. It requires that anyjurisdiction receiving European data subjects' personal informationhave substantively similar data protection regulations—it mustreceive an “adequacy” finding by the European Commission. So far,only a handful of countries have achieved this, but more are movingin that direction, lest they be left out of business processoutsourcing (BPO) markets.

See also:

• How GDPR May Actually Be Good for You
• Final Preparation for GDPR
• How GDPR Is Affecting Business
• Cybersecurity: Protective Measures TreasuriesShould Be Taking

Cumulatively, these obligations are placing a significant burdenon businesses. Several studies have documented that largebusinesses are spending tens of millions of dollars to get tocompliance. The burden is likely heavier on small to midsizeenterprises, which can't afford teams of lawyers to work out thedetails. Even more significant than one-time compliance costs isthe chilling effect the GDPR is having on business uses of personaldata. Many companies—spooked by the law and its fines, but lackinga deep understanding of what is and is not permitted—have simplywalled off data that they could be using legally andproductively.

One more impediment to doing business in the EU is the GDPR'shigh bar for transferring personal data. But the new barriers totransfers of EU citizens' data are just part of the story. As moreand more countries adopt this approach, obstacles to internationaldata transfers are multiplying, threatening to seriously hamper howglobal businesses are run.

An Idea That Is Spreading

The GDPR has already demonstrated an attractive power far beyondEurope. In offering an all-encompassing framework which, for allits flaws, is comparatively easy to understand, it's rapidlybecoming the first reference point for any country that is lookingto write or rewrite a national privacy law. And what regulatorwould refuse the power to levy fines worth 4 percent of a company'sglobal turnover?

Politically, the content of the GDPR is almost irrelevant tothis attraction. Impact on business aside, proposing a GDPR-likelaw offers a policymaker in a non-EU country certain benefits:

• instant prestige and global respectability,
• unimpeachable credibility as a supporter of individual privacyrights, and
• a tough stance on “foreign” (particularly American) bigbusiness.

We are starting to see the impact, as other countries alignthemselves to the GDPR regime. The recent passage of legislation inBrazil and India's proposed Personal Data Protection Billillustrate how the GDPR has become the global norm.

Brazil Adopts “GDPR-Lite”

After nearly eight years of development, a new General DataProtection Law (LGPD) passed the Brazilian legislature in July andwas signed by President Michel Temer on August 14. The new lawdraws heavily on the GDPR in structure and standards: Therelationships it outlines between data subjects, data controllers,and data processors are similar to those found in the GDPR. Itsframework is also fundamentally consent-centric and uses standardscomparable to the GDPR. And although its cross-border transferconditions are somewhat looser, the framework is fundamentally insync with the EU approach, centering on adequacy and standardcontractual clauses.

Due to some quirks in the Brazilian constitutional system andproclivities of President Temer, Brazil's regime—at least in thenear term—will differ from the GDPR in one important respect:Brazil will not have an independent data protection authority(DPA). Originally included in the law, the DPA was removed by apresidential line-item veto. In Brazil, the enforcement,implementation, and regulation-writing functions that the GDPRassigns to the DPA will instead be assumed by the Ministry ofJustice. This difference will likely keep Brazil from receiving anadequacy decision from the EU, at least in the short term,maintaining barriers to data flows between Brazil and the Europeanbloc.

Brazil is likely to get a DPA eventually, but it will have to beproposed separately by Temer or (more likely) his successor.Pressure will be great to do so sooner rather than later.

India Drives Toward Something Both Lighter and Heavier

Like Brazil, India is on the “GDPR-lite” track, but with someimportant differences. A government committee recently released thedraft Personal Data Protection Bill, which mimics the structure andstandards of the GDPR, including:

• tripartite division of data subjects (or data “principals”),data controllers (or “fiduciaries”), and data processors—each withobligations comparable to those in GDPR;
• stronger notice and consent requirements for the processing ofpersonal data, purpose limitation, and “explicit consent” for theprocessing of sensitive personal data;
• international jurisdiction, though defined in terms of legalincorporation, not an Indian citizen's fundamental rights; and
• cross-border transfer of personal data through a combination ofuser consent and one of the following: a country adequacy decision,use of standard contractual clauses, or an intragroup scheme akinto EU binding corporate rules (BCRs).

However, India's proposed framework differs from the GDPR inseveral ways. The draft has somewhat vaguer standards for lawfulprocessing of data, as well as lighter notification obligations inthe event of a data breach. More fundamentally, Indian policymakersclearly understood the costs the GDPR would impose on the Indianeconomy, so they exempted small firms from the law and reservedparticularly onerous measures—including impact assessments,recordkeeping, auditing, and appointment of a DPO—for just aspecial category of “significant” data fiduciaries. The BPOindustry also received a generous carve-out for firms that processonly foreign data.

On the other hand, these reprieves from certain GDPRrequirements are paired with measures that will make the law muchmore costly. It requires that all personal data be stored locally,and completely bars cross-border processing of specially notified“critical personal data.” In addition, the definition of “sensitivepersonal data”—for which notice, consent, and compliance standardsare heightened relative to other personal data—is expansive,encompassing passwords and financial data.

Expect More of (Not Quite Exactly) the Same

There is no indication that the global privacy rush is slowingdown. In Latin America, for example, several countries—includingMexico and Chile—recently updated their privacy laws for thedigital economy. Now that their legislatures are well-versed inthese issues, they may decide to come up with new models that aimfor a local interpretation of GDPR-style strictness. WhileArgentina already has EU adequacy, it needs to do more work to giveits DPA the latitude and independence of an EU DPA. As oftenhappens in the region, Brazil's passage of the LGPD may spursimilar laws in surrounding countries.

In Asia, while nations like Japan and Malaysia have relativelyrecent personal data protection laws, many shoes are left to drop.Thailand is actively preparing legislation that is more lenientthan the GDPR but nonetheless bears its mark. New Zealand is duefor a new privacy law, as well, and recently opened trade talkswith the EU. Its new left-leaning government may decide the time isright to align with Europe on privacy, too.

In Africa, Zimbabwe has a data protection reform bill waiting inthe wings for when the nation's political turmoil can be resolved,and the Kenyan government recently opened debate with a proposednew privacy law. The continent is also reeling from a series ofsocial media control laws—including Uganda's social media tax lawand Kenya's cybercrime law. It is easy to foresee the rollout of araft of bills regulating content on social media platforms underthe banner of privacy.

Can You Blame Them?

Although the GDPR is quite radical, it is easy to see why manycountries are turning to it as their model: There are few(palatable) alternatives anywhere else in the world.

Chinese data protection regulations are a confusing patchwork,deliberately designed to erect protectionist barriers and safeguardthe government's ability to exercise oversight of society and toconduct extensive surveillance. Few other foreign governments areprepared to take such an aggressive approach.

The United States privacy regime is difficult for many outsidethe U.S. to understand. It combines a profoundly laissez-faireethos in some areas with strict curbs on some specific types ofsensitive data and on government access. This patchwork has fueledmisperceptions of the U.S. as a sort of Wild West for privacyprotection. Our Canadian neighbors are not much better off.

More positively, the APEC Cross-Border Privacy Rules (CBPRs) areconstructive. Developed by the 21-member Asia-Pacific EconomicCooperation, the rules offer a useful model from a cross-bordertransfer perspective. However, vis-a-vis the GDPR, they fail toprovide a fully elaborated legal framework that policymakers caneasily leverage. Much like the NISTCybersecurity Framework, the APEC CBPRs are easy to customizebut don't satiate regulators' lust for checkboxes.

The regulatory framework in Japan may land somewhere close tothe sweet spot that other countries should emulate. Japan'srelatively recent personal data protection law (an amendment to theAct on the Protection of Personal Information—APPI) offers analternative approach by a large, prosperous, and digitally engagedstate. While ratcheting up standards in a manner approaching theGDPR, or at least enough to achieve reciprocal adequacy with theEU, the law still facilitates cross-border data flows, which havestrong political backing by Japanese policymakers.

The Champion We Need

As countries gravitate toward the GDPR, their orbits are farfrom concentric. The strict approach of the GDPR may appeal tolawmakers, but they still want to tinker with the details andadjust standards and compliance obligations to suit local tastes.This is just about the worst-case scenario for industry, since theonly thing worse than worldwide implementation of the GDPR would bea fragmented hodgepodge of laws that are just as stringent the GDPRbut different enough that companies cannot cross-apply theircompliance efforts.

The business community needs to push back against the globalmultiplication of overly burdensome and trade-distorting privacyrules. But in order to do so, it needs a better model to point tothat won't multiply barriers when adopted in new markets. TheJapanese regime has some potential to be this model, but thegovernment is inching too slowly toward more assertive externalpolicy engagement to be an effective champion.

The serious prospect of comprehensive U.S. privacy reform is animportant opening for building such a model. For a new privacyregime to be attractive enough to serve as a counterweight to theGDPR, it must also offer attendant political benefits:

• It must be easily understandable and coherent.
• It must plausibly allow policymakers to claim they areprotecting and empowering consumers.
• It must put meaningful guardrails on uses of data, while alsosupporting innovation, entrepreneurship, and growth ofbusinesses.
• It must proactively enable engagement with the world.
• Finally, this is an opportunity to one-up the GDPR by buildinga strong narrative around the U.S. tradition of limiting governmentaccess to, and uses of, personal data.

If U.S. lawmakers can do the hard work of framing acomprehensive privacy law, they can remake the global privacydebate and promote a model that isn't as anti–global-business asthe GDPR, but that still protects individual rights to privacy. Forglobal businesses' sake, let's hope U.S. lawmakers can do it.

Ryan Johnson issenior manager, international public policy, at AccessPartnership, the world's leading technology public policyconsultancy. Johnson leads Access Partnership's cybersecuritypractice from Washington, D.C. He consults on international ICTpolicy issues for a range of clients, developing strategies toshape global policy discussions and access new markets. His areasof expertise include cybersecurity, data protection, cryptography,and Internet governance, especially in developing countries andmultilateral institutions.

Logan Finucan issenior analyst, international public policy, at Access Partnership.Based in Washington, D.C., he analyzes and advises on policy in theUnited States, India, and key markets in the Asia-Pacific region,supporting campaigns to shape emerging technology policies. Areasof expertise include international trade regulations, privacy anddata protection, cybersecurity, and multilateralprocesses.