Last month I wrote about the privacy wins and unanticipated challenges resulting from the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25. The GDPR has led to an unprecedented level of transparency and awareness and has affected countless individuals and businesses across the globe.
The question currently on everyone’s mind: What do these impacts mean for privacy regulation in the future? Speaking as the Director of Symantec’s GDPR Strategy: embrace ‘GDPR-level privacy’ because chances are we will see more of it in more places around the globe. Here’s why:
GDPR as de facto Standard
Given the sheer size of the European digital market and the extraterritorial scope of the GDPR, the GDPR is likely to successfully spread its principles and stringent requirements to other regions.
The European Union is resolutely pursuing its efforts to export its model through the so-called adequacy principle, whereby non-European countries that want to do data business with Europe are incentivized to import European-grade privacy protection into their national laws.
While this trend intensifies, with countries like Japan, South Korea and India contemplating the benefits of GDPR adequacy, European regulators are pushing further ahead: The next generation of privacy regulation for electronic communications, also known as ePrivacy, is already in the works. The ambition is clear: build on the GDPR baseline to further increase privacy protections for the Internet of Everything era.
APJ Focuses on Mandatory Reporting
Data protection law continues to develop swiftly in other regions as well, with notable developments in the Asia-Pacific region. In Australia, the Privacy Amendment (Notifiable Data Breaches) Act 2016 came into effect this February, establishing mandatory reporting obligations for any organization that suffers an eligible data breach. Companies operating in Singapore are also preparing for the likely adoption of a mandatory breach notification law and for a possible new Data Protection Trustmark certification.
California Passes First U.S. Consumer Privacy Law
California’s governor signed the California Consumer Privacy Act of 2018 into law last month. This law is considered the strongest, most aggressive privacy protection measure in the U.S. and takes effect on January 1, 2020. Similar to the GDPR, it requires that companies tell Californians what information they are collecting, such as name, IP address, email address and postal address, as well as how that information is being used. Sherrie Osborne, Symantec’s Director of US Privacy, will provide more information on this development in an upcoming blog post.
Privacy regulation will continue to evolve and Symantec will continue to play an integral role in making the world a better and safer place. We’ll stay as focused as we have been on advocating in favor of privacy and security in public policy making, upholding our own privacy compliance efforts accordingly, and striving for privacy excellence in the products and services we create.
Our most crucial objectives will be to stay focused on preserving our users’ and business partners’ trust by helping our customers and users protect their privacy and their data as best as possible.