Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel for Global Privacy and Regulatory Affairs at Microsoft
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
If we step back and look at how the world has changed since 2018, we see a rapidly evolving regulatory environment, one in which GDPR has become the de facto global standard for privacy. Several countries, including Brazil, Canada, China, India, Japan, New Zealand, South Korea, and Thailand, have passed or proposed new laws, or are considering changes to existing laws, that are inspired by GDPR. These countries and their domestic businesses are working towards meeting the adequacy standards set out by GDPR or renewing their adequacy status. This has led these jurisdictions and many others to more closely align with some of GDPR's strong protections.
For example, Brazil's data protection law became effective in 2020, bringing with it the creation of the Data Protection National Authority (ANPD), a new authority charged with building out the law's requirements through rulemaking. Inspired by the GDPR, the Lei Geral de Proteção de Dados Pessoais (LGPD) imposes new requirements on companies, government agencies, non-profits, and other organizations that use data in Brazil, offer goods and services to people in Brazil, or collect and analyze data tied to people in Brazil, regardless of where the organization is located. Similarly, in India we have seen legislators pursue the Personal Data Protection Bill, with provisions inspired by GDPR, including requirements supporting individuals’ control over their data, company accountability, and robust enforcement through a new data protection regulator.
In total, more than 130 jurisdictions around the world have enacted privacy laws.
In spite of all the activity to ensure that individual privacy is protected and companies are held accountable, there is a critical and noted absence: the United States. Home to nearly a quarter of the world's Fortune Global 500 companies and the headquarters of many of the largest technology companies, the United States does not have a comprehensive privacy law in place.
In contrast to the role it has traditionally played on global policy issues, the U.S. is not leading the discussion over privacy protections and common norms. The absence of U.S. action does not mean the absence of policy; instead, it means that the U.S. will continue to have little or no voice in the global conversation around what the rules of the road should be for American companies. That is a bad result for American businesses and organizations seeking to innovate and thrive in an increasingly connected global economy.
These global laws are going to shape how the world adopts new technologies like artificial intelligence, biometrics, and ambient data collection through an ever-expanding Internet of Things. They are also going to help guide how we use technology and data to address some of the world’s biggest societal challenges like climate change, racial inequality, and public health crises. The U.S. must enact a comprehensive privacy law in order to better protect people in the United States, and to join the global conversations to shape this rapidly evolving landscape. It will be difficult for the United States to continue to argue for interoperable global standards that can improve innovation and benefit society when it doesn’t have a comprehensive standard of its own.
If the United States doesn’t enact privacy legislation soon, it risks seeing the balance of power on these issues shift away from Washington, D.C. to Brussels, New Delhi, and other capitals around the world that recognize the growing consensus that people's data must be handled with respect. There are new norms and rules coming to govern technology and data. The key question is whether the U.S. will have a hand in shaping them and defining the next wave of responsible innovation.