The Race to Global Privacy Coverage
Safeguarding the World’s Trust, with Claude-Etienne Armingaud, Partner at K&L Gates
Five years after GDPR became law, legislators around the world have been passing a myriad of regulations with similarities and differences to the EU’s directive. As the world’s population becomes increasingly protected by a patchwork of laws, how can organizations that manage personal data keep up with new and changing regulations?
In a special session of The Privacy Collective, Zelda Olentia, Senior Product Manager, Regulatory Analysis & Content at RadarFirst, and Claude-Etienne Armingaud, partner at K&L Gates LLP and a coordinator for the Firm’s Data Protection, Privacy, and Security practice group, discuss the path to global privacy protection and tactics to scale operations for what’s to come.
Watch the recording to learn what’s driving this expansion and how to prepare >
GDPR Predictions Then and Now
GDPR was voted on in April 2016, giving privacy teams around the world two years before the effective date to digest GDPR’s provisions and interpret its message. In this study period, Claude-Etienne came to believe that at GDPR’s core, it was the start of a conversation about privacy as a fundamental human right.
For GDPR’s policy-makers, the idea was to nudge foreign countries to establish their data protection frameworks, and under the GDPR directive, several countries, such as Canada and New Zealand, benefited from an adequacy decision. Four short years later, adequacy decisions were reached among Korea and Japan, Northern African countries were getting data protection regulation, and Brazil passed LGPD, effectively bringing the discussion about data protection into the public eye.
However, as these regulations passed, they confirmed that data protection is a reflection of the cultural, economic, and political ideals of each country, with motivations rooted in their unique geo-political history.
“The only thing that can be said is that data protection laws are a true reflection of a country’s take on the aspect.”
This fragmentation creates a problem for organizations that manage personal data across jurisdictions. Chiefly, what legal basis do you use to justify your data processing? And how do global companies create policies that coincide with these regulations that are both compliant and efficient?
According to Claude-Etienne, the devil is in the details.
The Path To Global Coverage
Seventy-five percent of the global population will be protected under some form of global privacy law. How do you think we’re progressing? Do you think that this rapid expansion is having a good effect?
Gartner predicts that by the end of 2024, 75% of the world’s population will have its data covered under modern privacy regulations. This exponential increase from only 10% global coverage in 2020 raises the stakes for global organizations. The challenge for organizations that manage personal data will be to ensure compliance while safeguarding trust for an unprecedented volume of data.
In light of regulations from China and India, whose populations account for an astounding percentage of the world’s population, global coverage doesn’t shock Claude-Etienne.
Concerning a timeline for global coverage, our guest reminds us that each data protection framework faces intense lobbying on its path to legislation which impacts our ability to predict outcomes.
Despite the urgency to pass regulations addressing the privacy issues at hand, today’s regulators’ focus is on digital markets, the Digital Services Act, and AI.
In the calm before the AI storm, conversations around access and use of biometric data are taking a new form. One of Claude-Etienne’s students recently began a dialogue about virtual and augmented reality can sense emotion through eye movement, heart rates, perspiration, and more. What will the future hold for the regulation of such emotional privacy?
“Ifaugments your experience while playing or being in virtual words, it’s fine. But if it gets shared with your insurance company and your premium goes up, not so good.”
How subsets of privacy data such as personal information or biometric data impact legislative maneuvers remain to be seen.
Overcome Obstacles to Scale Privacy
How can organizations operationalize privacy for so many interconnected laws as they build a global privacy program?
Since regulations around the world bring unique perspectives on data privacy, they also require unique approaches to compliance.
“There’s one common trait among all the data protection regulations that I’m seeing, it’s accountability.”
In the early days of privacy compliance obligations, many organizations saw data protection as a hurdle to profitability. However, as GDPR’s influence proliferates around the world, the standard today for organizations now includes ESG policies that originated separately from privacy.
According to Armingaud, the goal is to operate virtuously and transparently. This approach to data privacy policies prioritizes ethical collection and use of data and lays a pathway for compliance by design. This begins with education and collaboration.
Perhaps due to the historic means by which privacy was enacted and implemented, data protection officers oftentimes operate in isolation.
“One of the intentions of GDPR, and I think that’s one of his shortcomings for the time being is that it was expected to create a corporate culture of detection so that everybody would be aware of their rights because usually, those people are also employees of the company.”
No matter where your organization is domiciled or which regulations you adhere to, data protection has become a relevant and prescient matter for organizations around the world. From data collection to employee records management, privacy has become an increasingly important and visible part of today’s world.
The best way to prepare your organization for growth and compliance with new and changing regulations includes shifting privacy operations from a reactive program to a proactive strategy that builds trust.