Reflections on the consequences of the US elections and General Data Protection
This year has presented the world with many surprises and changes, from Covid-19 to the election victory of Democrat party candidate Joe Biden in the US this month.
However, the world of data protection has gone against the grain in a more positive vein than the job losses, company failures and uncertainties that the restrictions and lockdowns in the United States and Europe have caused.
There was a period when many websites simply blocked access unless you didn’t accept their cookies. This is now illegal thanks to the European Data Protection Board (EDPB). So, with the ending of the Privacy Shield there is no longer a legal basis for cross border data transfer.
Stiff fines for those e-commerce companies that break GDPR regulations have shown, even for big multinationals, that the EU means business, and that the protection authorities will pursue infringements, even during the distracting pandemic period, and that of the colourful performance of Donald Trump throughout the US elections.
But what can be expected now from a Biden/Harris White House, and will the US, traditionally more loose in its data protection regulations, adopt a new, stricter EU version of its own rules?
In the webinar event ‘Brexit, the US election and the rise of the Lisbon startup ecosystem’
organised by Bridge In, the British-Portuguese Chamber of Commerce and Invest Lisboa, John Graham, CTO of Cloudshare and Rosa Jimenez Cano, Chief Ecosystem Relations at The Venture City discussed how general data protection would be an inevitable part of doing E-commerce business from 2022.
“From the practical side there is a general acceptance around the world that Joe Biden has been elected president and Kamala Harris as vice-president. What’s happening from a business perspective is businesses are thinking about what a Biden presidency will look like, how things might change on the assumption that he becomes president, as well as the repercussions in the very unlikely event that Trump remains president, much of which we already know,” said John Graham.
Rosa Jimenez Cano, a Silicon Valley expert, pointed out that Kamala Harris is a very well known person in Silicon Valley, had been the attorney general of California for two terms, from 2010 and then 2014 onwards, and made a law in California that could equate to the General Data Protection legal requirements in Europe, and which could also lead to the new administration having an important impact on tech.
California voters approved Proposition 24, a proposal to adopt tighter data protection regulations, by a 55-44% margin with 71% of precincts reporting. The decisive win at the ballot box was in spite of opposition from privacy advocates who claimed it did not go far enough.
The California Privacy Protection Agency (CPRA) more closely aligns California’s data privacy laws with the European Union’s General Data Protection Regulation (GDPR) by making sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020.
The new requirements that businesses face under the CPRA do not take effect until January 1, 2023.
In addition, the law will give businesses more time — until January 1, 2023, — to comply with most CCPA requirements applicable to personal information about company personnel and business-to-business contacts.
Other provisions with immediate effect establish and fund the California Privacy Protection Agency (CPPA), a new regulatory body tasked with enforcing the CPRA, and give rule-making authority under the CPRA first to the California Attorney General, and ultimately, to the CPPA.
“I think what will happen in 2021, regardless of what happens in the US presidency, is that consumer and individual privacy and data sovereignty in different countries are going to come to the fore and may be rolled out across the US,” says John Graham, who adds that GDPR is a reality for international firms, some of which have found it easier to comply and apply globally across their companies.
It shows, he says, how people in Europe are able to think about their rights, and that the story of the internet in 2021 is going to be about individual privacy, and about states and regions making laws about where their citizens’ data can be processed and end up.
Rosa Jimenez Cano recalled that Mark Zuckerberg found that while what he was doing regarding data was not forbidden, there hadn’t been a clear framework, so introducing GDPR in the US could be a way to “start building a consensus for the entire tech industry” with a law that could be used as a yardstick.
John Graham says the good thing about GDPR from a tech standpoint in Europe is that it is “well understood now”. It has been in law and practice for a long time and is well understood by tech companies around the world that operate in Europe and makes it fairly easy to adopt each country’s ‘twist’ on GDPR.
“Whether there will be a single overriding international consensus on what GDPR should look like is a different question,” he says.
“Countries like Brazil, India and Russia, and the EU as a whole are talking about data sovereignty and privacy, and there will be different takes on this,” he explained, adding that the question was if the US would remain isolated because of its freer way of dealing with private data, which is somewhat loser than the European model. “GDPR is coming and will be the reality of the internet in the next year or two,” said Graham.
In Portugal, the national rollout of GDPR came into force from August 2019 after being made law in the EU on 25 May 2018 which also made it applicable in Portugal as an EU Member State.
On Wednesday the speakers turn to the consequences of Brexit…