By Julie Brill
Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel for Global Privacy and Regulatory Affairs at Microsoft​

Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP

The European Union's Global Data Protection Regulation (GDPR) took effect on May 25, 2018, and since that day, the law has had a tremendous impact on the world of privacy. Indeed, it is not a stretch to call GDPR the most impactful global privacy development since Justice Brandeis' treatise on "The Right to Privacy", published 128 years earlier, at the end of the 19th century. 

If we step back and look at how the world has changed since 2018, we see a rapidly evolving regulatory environment, one in which GDPR has become the de facto global standard for privacy. Several countries, including Brazil, Canada, China, India, Japan, New Zealand, South Korea, and Thailand, have passed or proposed new laws, or are considering changes to existing laws, that are inspired by GDPR. These countries and their domestic businesses are working towards meeting the adequacy standards set out by GDPR or renewing their adequacy status. This has led these jurisdictions and many others to more closely align with some of GDPR's strong protections.

For example, Brazil's data protection law became effective in 2020, bringing with it the creation of the Data Protection National Authority (ANPD), a new authority charged with building out the law's requirements through rulemaking. Inspired by the GDPR, the Lei Geral de Proteção de Dados Pessoais (LGPD) imposes new requirements on companies, government agencies, non-profits, and other organizations that use data in Brazil, offer goods and services to people in Brazil, or collect and analyze data tied to people in Brazil, regardless of where the organization is located. Similarly, in India we have seen legislators pursue the Personal Data Protection bill, with provisions inspired by GDPR, including requirements supporting individuals’ control over their data, company accountability, and robust enforcement through a new data protection regulator. 

In total, more than 130 jurisdictions around the world have enacted privacy laws.

In spite of all the activity to ensure that individual privacy is protected and companies are held accountable, there is a critical and noted absence: the United States. Home to nearly a quarter of the world's Fortune Global 500 companies and the headquarters of many of the largest technology companies, the United States does not have a comprehensive privacy law in place. 

In contrast to the role it has traditionally played on global policy issues, the U.S. is not leading the discussion over privacy protections and common norms. The absence of U.S. action does not mean the absence of policy; instead, it means that the U.S. will continue to have little or no voice in the global conversation around what the rules of the road should be for American companies. That is a bad result for American businesses and organizations seeking to innovate and thrive in an ever-increasingly connected global economy. 

These global laws are going to shape how the world adopts new technologies like artificial intelligence, biometrics, and ambient data collection through an ever-expanding Internet of Things. They are also going to help guide how we use technology and data to address some of the world’s biggest societal challenges like climate change, racial inequality, and public health crises. The U.S. must enact a comprehensive privacy law in order to better protect people in the United States, and to join the global conversations to shape this rapidly evolving landscape. It will be difficult for the United States to continue to argue for interoperable global standards that can improve innovation and benefit society when it doesn’t have a comprehensive standard of its own.

If the United States doesn’t enact privacy legislation soon, it risks seeing the balance of power on these issues shift away from Washington, D.C. to Brussels, New Delhi, and other capitals around the world that recognize the growing consensus that people's data must be handled with respect. There are new norms and rules coming to govern technology and data. The key question is whether the U.S. will have a hand in shaping them and defining the next wave of responsible innovation. 

By Christopher Docksey
Hon. Director General, European Data Protection Supervisor
Member, Guernsey Data Protection Authority
Advisory Board Member, European Centre on Privacy and Cybersecurity (ECPC) at Maastricht University

Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP

For many years regulators, legislators and powerful influencers such as CIPL and the IAF have been working on how to encourage accountability.  At the 2019 ICDPPC, in my Keynote on Accountability, I argued that top management and in-house privacy professionals should be addressed first. 
 
Whilst staff have a key role, they tend to be addressed under the rubrics of “training and education” (per the second “common element of accountability” identified by the Galway Project in 2009).  Along the same lines, global regulators resolved at the 2019 Conference to address the role of human error in personal data breaches and committed themselves to “building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees.”

The Guernsey ODPA has launched a wholly new approach aimed at promoting cultural shift by individuals themselves.  Project Bijou addresses individuals across the whole of Guernsey, whatever their function or status, as persons who are themselves affected by good or bad data processing.  It is a social initiative that encourages its participants to positively influence outcomes in how personal data are treated. 

The method is quite unique - people telling stories.  Participants are encouraged to talk about their personal experiences inside their organisations, about the benefits of getting data protection right, or the risks and harms of getting it wrong.  The first stories were heard and seen in the videos and blogs produced for the project launch in May 2021.  Why stories?  First, because humans respond to stories, which connect us to each other in ways that data, information and other delivery methods do not.  And second, because of the powerful “ripple’ effect of trusted human-to-human contact, which can engage our emotions and drive positive behavioural change.  If someone we know and trust tells us something, we are very likely to listen, to trust them, and to think about following the same course. 

The Bijou project turns the conversation to the human, encouraging a sharing of information, support and advice, and a consequent mainstreaming of good data governance.  The culture shifts as participants connect with their colleagues and share their values and behaviours.  Stories that resonate with people can illuminate the fundamental principles of fair and lawful data processing, in a way that laws, policies and strategies - no matter how carefully crafted - cannot.  The aim is to normalise privacy, data protection and ethics within the culture of the organisation. 

The project particularly contemplates people who are dis-engaged from data protection.  We know that many data breaches are accidentally caused by such persons and can be avoided by simple changes in approach.  Similarly, many external hacks can be avoided by basic data hygiene inside the organisation.  The people involved are not wilfully negligent but are unaware of the values at the heart of data protection, to protect the dignity of the individual and to prevent them suffering harms.  Project Bijou empowers individuals to give their fellows the opportunity to understand what happens to personal data, and how their decisions and their practices can have an impact, not just on themselves but on others too.  
​
Guernsey is a small community, where word of mouth can often have more of an impact than any marketing campaign, and is thus an ideal place to initiate the Bijou project.  But it is none the less a test bed for a radical new tool in the accountability toolbox.  It is a true accountability initiative, aimed at proactively changing the culture by influencing individual behaviour, rather than by simply enforcing compliance.  It sends an original and powerful message to the global privacy community that education and training are not the only paths to accountability in the workplace.
 
See Bijou for yourself, together with the stories by local and international contributors at:  https://www.odpa.gg/project-bijou/