By Elysia Lampert
British Airways, Marriott, Google. What do these entities have in common? Each organization has been fined under the GDPR[1], or General Data Protection Regulation. It has been nearly two years since the GDPR came into effect,[2] and though enforcement has been relatively gradual[3], the regulation has proved that it has teeth. A fine of up to 4% of global turnover or €20 million Euros awaits any organization that is found in violation of the GDPR.[4] Thanks to its extra-territorial application, the GDPR has sparked significant concern among U.S. based companies that offer goods/services or monitor the behavior of people in the EU.[5] Authorities have shown they are not afraid to tackle American tech giants and corporations. Over $417 million dollars in fines have been administered collectively,[6] and several of the largest penalties have been imposed against US companies, Google ($57 million)[7] and Marriot ($123 million)[8]. The GDPR is proving to be a formidable piece of legislation, but is it an isolated beacon of hope for stricter data privacy regulations?
Maybe not. Though the United States and many other countries don’t have national laws that offer comparable protection to consumers, some governments are seeking to strengthen data privacy regulations in the wake of the GDPR. California recently passed the California Consumer Privacy Act (CCPA),[9] which gives individuals much greater control over their personal information.[10] Similar to the GDPR, the CCPA can apply to businesses outside of the state if the company meets one of several criteria related to income and amount of data controlled.[11] A Personal Data Protection Bill is also being considered in India[12] which mirrors many GDPR provisions such as the right to be forgotten[13]; however, the bill faces some criticism regarding government access to personal data.[14] While these laws still appear to be relatively progressive in comparison to most of the world, it begs the question of whether the GDPR has inspired change in the data privacy field. Though it’s difficult to pinpoint the exact motivations and catalysts behind these new laws, the fact that the regulations mimic some of the same language and structure as the GDPR indicate it has played an influential role in the creation of this legislation.
[1] Ryan Browne, Europe’s Privacy Overhaul Has Led to $126 Million in Fines — but Regulators Are Just Getting Started, CNBC (Jan. 19, 2020), https://www.cnbc.com/2020/01/19/eu-gdpr-privacy-law-led-to-over-100-million-in-fines.html.
[2] Arjun Kharpal, Everything You Need to Know About a New EU Data Law That Could Shake Up Big US Tech, CNBC (May 25, 2018), https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html.
[3] See Browne, supra note 1.
[4] Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, 2016 O.J. (L. 119).
[5] See Kharpal, supra note 2.
[6] Brian Daigle & Mahnaz Khan, One Year In: GDPR Fines and Investigations Against U.S.-Based Firms, U.S. Int’l. Trade Comm’n (Sept. 2019), https://www.usitc.gov/publications/332/executive_briefings/gdpr_enforcement.pdf.
[7] Adam Satariano, Google is Fined $57 Million Under Europe’s Data Privacy Law, NY Times (Jan. 21, 2019), https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html.
[8] Kate O’Flaherty, Marriot Faces $123 Million Dollar Fine For 2018 Mega-Breach, Forbes (July 9, 2019), https://www.forbes.com/sites/kateoflahertyuk/2019/07/09/marriott-faces-gdpr-fine-of-123-million/#35ba71be4525.
[9] Brenda Stoltz, A New California Privacy Law Could Affect Every U.S. Business—Will You Be Ready?, Forbes (Sep. 7, 2019, 7:52 PM), https://www.forbes.com/sites/allbusiness/2019/09/07/california-consumer-privacy-act-could-affect-your-business/#2194823636ac.
[10] Id.
[11] Id.
[12] Alan C. Raul, William Long, Vishnu Shankar, & Sheri Porath Rockwell, Where does privacy go from here: California, EU and Indian data privacy laws and global compliance programs, Thomson Reuters (Aug. 5, 2019), https://datamatters.sidley.com/wp-content/uploads/2019/09/Sidley-privacy-article.pdf.
[13] Harichandan Arakali, The Personal Data Protection Bill Could Be a Serious Threat to Indians’ Privacy, Forbes India (Dec. 12, 2019), http://www.forbesindia.com/article/leaderboard/the-personal-data-protection-bill-could-be-a-serious-threat-to-indians-privacy/56623/1
[14] Id.