Is the CCPA the Beginning of a Move to Supra-National Legislation?

Over the past two years, data privacy has become one of the world’s most widely regulated and closely followed areas of the law. The General Data Protection Regulation (GDPR) appeared on the scene in 2018, dramatically changing the privacy landscape not just within Europe but also globally given its extra-territorial application.

More recently, the California Consumer Privacy Act (CCPA), which came into effect on 1st January 2020, has been introduced to safeguard the people of California’s privacy. Much like GDPR, the CCPA is predicted to have a significant impact on those businesses which must comply in a number of ways. It also has extra-territorial application meaning any organizations that ‘do business in the state of California’ must comply with no physical presence required.
 
So, with legislation such as the GDPR and CCPA being highly influential on a global scale, are we seeing the beginning of a move to supra-national legislation? Is this even viable and would it be advantageous? 

Is a federal law the next step?
While the CCPA has extra-territorial application, it remains a single state law. However, its creation alone, not to mention scope of application, has led many influential figures within the data, technology and legal world to question whether it could be the start of a movement to create a federal law for the US regarding data privacy.

Many have lauded the possibility this would give to instilling a degree of consistency across the US when it comes to data privacy: the disparity currently existing between the various state laws as to notification requirements for instance in the event of data breaches, leaves many businesses confused and struggling to comply.

Until the implementation of the GDPR, there was a similar issue across Europe in that national laws of the Member States often took different approaches to matters such as personal data breaches as well certain Member States taking a notably stricter stance in relation to data compliance generally.

The transition to the GDPR has arguably made compliance with privacy laws a clearer task for businesses, especially those which operate in multiple European Member States, so there is absolutely merit in considering creating a federal law for US data privacy.

In support of the theory, California, which is largely recognized as the leader in the US privacy arena, is not the only state to show movement in the direction of data privacy legislation. For example, as of March 2018, all 50 states had enacted laws requiring notification of security breaches involving personal information. Further, there are currently federal laws which relate to privacy including the Federal Trade Commission Act (15 U.S.C. §§41-58), the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.), the Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801-6827) and others. 

However, it does appear that some states in the process of looking at data privacy legislation seem to be building in individual variants or particular focus areas – this does not suggest a huge willingness for a federal law.

For example, the Washington Privacy Act, which is currently in draft form, includes particular provisions regarding facial recognition, requiring companies to allow third-party testing for accuracy and bias, something that remains at debate stage for other countries considering such regulation.

Supra-national legislation  
So, with the implementation of the CCPA and other legislation globally (for example in Brazil) similarly with undertones of the GDPR principles, along with clear advantages of federal data privacy law in the US and the positive views commentators have on its creation, could we begin to see movement towards supra-national legislation, or perhaps the development of a form of standard to be applied globally regarding the protection of individuals’ personal data? Could the acceptance of a key set of principles globally have the same effect? Would it be more practical and achievable?

Harmonization of laws is always desirable in order to eliminate the varying requirements that currently exist between states’ and other countries’ laws and facilitates compliance for businesses to operate in. However, in reality, it is not something that countries often agree to.

There have been several areas of the law over the years that have been considered for a global legislative regime but have been unsuccessful. It would be wishful thinking to believe that data privacy would be an area that countries would consider regulating globally. Notwithstanding the different levels of protection countries currently offer, the sheer number of practical concerns are enough to sway someone away from the idea, for example, how would creation and ultimately enforcement of any such global regulation be funded? Would there be one global regulator and would one country take the lead on its operation?

In a progressive and fast-moving area such as data, the time it would take to agree a standard would likely result in the rules being out of date. For these reasons, any many more, at this stage and for the foreseeable future, supra-national legislation appears extremely unlikely. 

Global principles 
As a similar but less radical possibility, another option for countries and businesses wishing to see a more standardized approach to data privacy laws would be for countries to adopt principles the same as, or very similar to, the GDPR within their national legislation. This would hopefully mean that when preparing legislation, the obligations would, to the greatest extent possible, manifest from the principles and ultimately reflect the GDPR.

For businesses subject to the both the GDPR and the new legislation (and compliant with the GDPR), they would not be required to comply with an entirely regime and/or have to implement a new set of rules, policies and procedures in order to ensure compliance with the new regime. This was the stance taken by many GDPR compliant businesses which found themselves caught within the requirements of the CCPA.

Whilst a few amendments to such businesses’ operations, policies and procedures were still required, the changes were very small in comparison those likely arising from an entire compliance transition program started from scratch.

Immediate outcomes
The CCPA and GDPR have both greatly helped to strengthen data privacy in their respective regions, but it’s unlikely that a global standard could be implemented quickly or easily in the current geopolitical climate. Nevertheless, the CCPA does constitute significant step forward, and, together with GDPR, could well play an instrumental part in instigating any such future change. 

What’s Hot on Infosecurity Magazine?