From America to Zimbabwe: 3 global data privacy trends to be aware of right now

As the US inches closer than it has come in years to passing a comprehensive federal data protection law, concerns over data transfers heat up in Europe and some of the most populous countries in the world including India and China grapple with proposals for new personal data legislation, it’s clear that we’re in the midst of a cultures-wide reckoning.

The Drum surveyed top data privacy and policy experts on the biggest trends unfolding in data protection globally. Here’s what they said.

1. A legislative deluge

Though the EU has led the charge on data privacy reform since it passed the far-reaching General Data Protection Regulation (GDPR) in 2018, it’s not done regulating consumer data. The European Commission has proposed two key legislative frameworks — the Digital Services Act and the Digital Markets Act — that are currently being considered. Together, the two bills aim to create a safer digital ecosystem by introducing new consumer protections while also helping to “establish a level playing field to foster innovation, growth and competitiveness," per the Commission’s website.

But it’s no longer the EU alone taking up air in privacy policy conversations. In the US, a handful of states — California the most notable among them — have drawn inspiration from Europe’s General Data Protection Regulation to pass comprehensive, consent-based data privacy legislation in recent years. Amid growing pressure from consumers and privacy advocates, US Congress is now considering a federal bill that would codify new protections, including a private right of action — an individual’s right to bring legal action against organizations that misuse their personal information.

What these changes mean in practice? New hurdles for businesses. “Starting next year… new US state laws will require companies to give consumers the ability to opt-out of targeted advertising,” says Austin Mooney, a global privacy and cybersecurity associate at international law firm McDermott Will & Emery. “Virtually every US company engaged in targeted advertising will be impacted by these developments, including advertisers and publishers. While many companies have already implemented cookie banners and similar consent mechanisms, they are not always compliant and can be difficult to implement correctly. To minimize business disruptions and legal risk, marketing professionals will need to work their legal teams to implement sufficient consent mechanisms to meet these emerging standards.”

Meanwhile, India’s government today scrapped its highly-anticipated data privacy bill, but clarified that it intends to introduce a new “comprehensive legal framework” for data protections in the near future, per the country’s junior IT minister Rajeev Chandrasekhar.

In China, two major data protection laws — the Personal Information Protection Law and the Data Security Law — have gone into effect within the last year. Rolled out alongside a number of implementation and administration regulations, the laws have created an entirely new framework for managing individuals’ personal information in China. Namely, the changes require consent as a principal basis for collecting and handling consumers’ data. The laws have introduced new limitations on cross-border data transfers, making it more difficult for businesses and judicial systems around the world to access information about Chinese citizens.

In South America, Brazil is the definitive leader in privacy. In 2020 the country enacted a wide-reaching legal framework for regulating consumer data collection and use. The General Data Protection Law draws much of its structure from Europe’s GDPR — and in some areas, its coverage is broader than GDPR’s. Brazil’s National Data Protection Authority is working to continue evolving the parameters of the law.

In recent years, African countries including Kenya, Mauritius, Nigeria, Rwanda, South Africa, Uganda, Zimbabwe and others have either implemented new consumer data privacy laws or reformed older legal frameworks to include new protections. Other countries including Canada and Australia are also working to reform existing data privacy protections.

The proliferation of different frameworks around the world is complicating things for businesses everywhere. “There is a lot to navigate,” says Jessica Lee, partner at law firm Loeb & Loeb and co-chair of the company’s privacy, security and data innovations. “We talk about a patchwork of privacy laws in the US, but the real patchwork is a global patchwork that has created different standards and requirements for data that make it very challenging to run a global privacy program.” For advertisers, publishers and developers who make a living dealing in consumer data, she says, “tracking both the trends in cross-border restrictions and the broader evolution of global privacy laws is critical.”

2. Data localization in the spotlight

Among growing worries about international data transfers, a number of jurisdictions around the world are increasingly focused on data localization through various measures including executive orders and security regulations.

“Data localization is a legal obligation that doesn't allow any sort of transfers — [it means] keeping the data within a country’s borders,” says Dr Gabriela Zanfir-Fortuna, vice-president for global privacy at the Future of Privacy Forum, a Washington, D.C.-based think tank and data privacy advocacy group.

Data localization requirements are increasingly being baked into data privacy bills — India’s Personal Data Protection Bill, which was just nixed today, included a localization requirement for all sensitive data (data that falls within specific ‘sensitive’ categories concerning, for example, medical history or religious affiliation). Privacy laws in both China and Vietnam include some localization requirements that limit external parties’ ability to access certain data on its citizens.

Most recently, the EU has introduced a proposal that seeks to localize health data on citizens. The joint effort between the European Data Protection Board and the European Data Protection Supervisor — dubbed the European Health Data Space — would essentially manifest as “a big network of clouds where all of the health data will be stored in Europe,” according to Zanfir-Fortuna. Whether the European Commission will adopt the measure remains unclear.

Interestingly, Zanfir-Fortuna notes that there is ongoing debate surrounding the real value of these types of efforts from a privacy perspective. “Usually, the consensus is that it doesn't really ensure better protection — on the contrary, it [can sometimes lead to greater] security threats.”

And though many data localization frameworks remain mere proposals at this stage, businesses — and especially those who traffic in international consumer data — are in a precarious position as such measures come closer to becoming reality.

“As businesses continue to ‘go global’ in their operations, the ability for data to be able to flow across borders is critical,” says Loeb & Loeb’s Lee. She says that new and emerging restrictions on data transfers — including Biden’s recent executive order on limiting foreign adversaries’ access to sensitive data in the US — should be carefully considered “in any business’ planned global expansion.”

“I see cross-border data transfer restrictions and data localization requirements as one of the biggest global privacy trends that is likely to have impacts across the advertising ecosystem,” she says.

3. Privacy intersects with antitrust

Antitrust efforts around the world targeted at big tech companies play an increasingly integral role in the evolving data privacy conversation. “There are deeply woven threads between what is happening with antitrust and consumer privacy,” says Jessica Simpson, senior vice-president of global solutions consulting and verified technology at advertising agency Publicis Media.

Why is this? For one, "there has been a massive expansion of the digital world, and with it the ubiquity and economic importance of consumer data," explained Erika M. Douglas, an assistant professor at Temple University, in a 2021 report for the Global Privacy Assembly’s Digital Citizen and Consumer Working Group. "From search and social media, to online shopping, banking and health, data-driven services have become deeply ingrained in consumers’ everyday lives. In this new digital landscape, privacy enforcers are intensely focused on protecting individuals from unlawful data processing.”

At the same time, she went on to explain, antitrust law is gaining steam, with a focus on “the role of data in driving competition, particularly in the digital economy where technology giants have begun to wield power over data-driven markets.” Increasingly, governments and private action groups alike are taking aim at organizations over the centralization of power — often as it concerns consumer data — with major tech platforms like Google, Meta and Amazon under the gun in recent months.

Now, governing bodies around the world are considering the intersections between consumer privacy interests and antitrust efforts — rather than approaching each in isolation. In Europe, the Digital Services Act and the Digital Markets Act include frameworks for protecting consumers’ data while also incentivizing greater marketplace competition. In the US market, a growing number of competition bills aim to do the same.

It makes sense to see antitrust and data privacy as two sides to the same coin. “Antitrust and data privacy enforcers share many common policy interests, a focus on the digital economy and the ultimate goal of benefiting consumers,” Douglas wrote in her report. “This rapidly evolving intersection of law demands cooperation across agency bounds to develop cohesive, effective enforcement strategies for the digital economy. As these legal realms increasingly interact, siloed enforcement of antitrust and data privacy law will undermine enforcers’ shared interests, creating unnecessary or unintended gaps, overlap and tension between the two areas of law.”

For marketers, says Simpson, there’s no time like the present to adapt. “Start executing on how you can integrate privacy as a strategic element into your marketing framework, versus just a compliance box you need to check,” she says. “In the long term, it’s about making sure you have the right privacy-by-design framework and technology in place to support holistic consent orchestration and omni-channel experiences. Companies have an opportunity to use privacy as a competitive differentiator, and now is the time to get ahead of the curve.”

For more, sign up for The Drum’s daily US newsletter here.