The GDPR at five
The canonical privacy law’s impact outside Europe
As the EU's highly influential General Data Protection Regulation reaches its fifth birthday, MLex journalists examine its impact across the globe to date — and what the future might hold for business as exposure to digital markets grows.
The GDPR resonates globally, perhaps even more outside Europe than in it
By Mike Swift
Chief Global Digital Risk Correspondent
From Ulaanbaatar to Muscat and from Quito to Sri Jayawardenepura Kotte, the privacy lexicon developed by the drafters of the EU’s General Data Protection Regulation in Brussels has resoundingly echoed through a forest of new data protection laws that now nearly blanket the globe.
If the GDPR revolutionized data protection in the EU’s member states, the more than 40 countries in Asia, Africa and Latin America that enacted new data protection laws in the five years since the GDPR took effect testify to the canonical privacy law’s impact outside Europe.
Looking back further to the passage of the GDPR in April 2016 and the years of drafting and negotiation that preceded it, roughly 100 countries have passed data protection laws over the past dozen years. Most drew inspiration and specific legal concepts from the GDPR.
Some of the new national data laws since 2018 were in relatively small countries, such as Mongolia, Oman, Ecuador and Sri Lanka. But new laws that also drew heavily from the GDPR have passed or are close to approval in some of the world’s most populous nations, including Brazil, Indonesia and Nigeria.
Graham Greenleaf, a professor at the University of New South Wales, Australia, who is a recognized expert on the evolution of global data protection laws, counts 42 nations that have passed laws since 2017, just before the GDPR took effect.
“Almost all of those 42 countries’ laws are strongly GDPR-influenced and are outside Europe,” Greenleaf said. Virtually every article he writes about the global expansion of data protection law, he says, “concludes that the single most important influence on the country’s new/revised laws, or those of a region, is the GDPR. However, which bits of the GDPR are emulated varies a great deal.”
Considering laws passed or revised by countries in the years just before the GDPR took effect in May 2018 that anticipated concepts such as data portability “gives you up to 67 countries outside Europe showing significant GDPR influence,” Greenleaf said. For context, the United Nations has 193 member states.
Other key data protection concepts that have been exported to other countries include the need to minimize collection of data, limiting the use of data to the purpose for which it was collected, and giving people rights to see and scrutinize the accuracy of data collected about them. The GDPR defined concepts such as data subjects, data controllers and data processors.
While the US remains an outlier among developed democracies in failing to pass a national commercial data protection law, GDPR concepts such as “data controller” and “data processor” were incorporated into privacy laws passed by at least nine US states from Connecticut to California. And when the US Congress debated privacy legislation last year, it clearly looked to the GDPR for inspiration by using broad definitions of personal data to bring as much personal information and data activity as possible under regulatory supervision.
With India, the world’s most populous nation, developing data protection legislation that contains legal concepts drawn from the GDPR, and existing laws in large nations such as Brazil and Indonesia, there is a strong argument that more people living outside of Europe have had their privacy and data security rights shaped by GDPR-based legal principles than the roughly 500 million people living in it.
“Leaving numbers aside,” said Gabriela Zanfir-Fortuna, Vice President for Global Privacy at the Future of Privacy Forum, “I can say with certainty that the GDPR has been wildly influential in jurisdictions around the world in, first of all, having them pay attention and adopt data protection laws, and second of all, providing inspiration about the type of rights such laws should include.”
Fundamental right
Canada is another country where lawmakers are currently considering an update of national privacy law, in part to harmonize it with the GDPR and maintain data transfer adequacy with the EU. As part of that legislative debate, Philippe Dufresne, the Privacy Commissioner of Canada, has been campaigning to make privacy a fundamental and quasi-constitutional right for Canadians, as it is in Europe.
To say that lawmakers around the world noticed the GDPR over the past five years and said, “Hey, great idea! Let’s pass our own!” would be an oversimplification. The GDPR itself did not spring to life out of whole cloth in 2018; it is a more developed version of concepts contained in the EU’s Data Protection Directive passed in 1995 to govern data protection and data transfers.
More correct would be to say that the current state of global data protection in the world’s democracies has been a 50-year journey — one that remains unfinished — toward making privacy a fundamental human right backed by a series of specific laws. In that gradual global evolution, the GDPR in more recent years has been like an orchestra conductor unifying a host of different sounds into a coherent musical movement.
To zoom in on the story of each country’s legislation, though, is to see why lawmaking is often compared to sausage making for the sometimes unsavory and surprising nature of its ingredients. The GDPR was a key element of the mix, but not the only one.
That was the case in Brazil, a country of more than 200 million people that passed its version of the GDPR — the Lei Geral de Proteção de Dados, or LGPD — just after Europe’s law took effect in 2018. The LGPD became effective in 2020, and in this past year, Brazil added data protection as a fundamental human right protected in its national constitution.
In the view of Rafael Zanatta, director of the Data Privacy Brasil think tank, the LGPD might still be unpassed legislation today without a series of other events, including the global eruption of Facebook’s Cambridge Analytica privacy scandal in the spring of 2018, an impending presidential election, and another surprising connection with Brussels related to football’s World Cup.
“There was this very, very intense period in 2018 in the combination of the Cambridge Analytica scandal and the enforcement of the GDPR. This was this big thing. This changed everything,” Zanatta told MLex. “There was this political momentum, this opportunity to take advantage of the Cambridge Analytica scandal and to take advantage of the GDPR effect, to say, ‘This is the opportunity: We must approve this now.’”
Lawmakers knew the LGPD window might not open again for a long time, because the legislation had the support of outgoing President Michel Temer, who would leave office that year after the election of the retired military officer and mercurial populist politician Jair Bolsonaro.
Outgoing President Temer ultimately signed the LGPD into law in August 2018, but Zanatta believes Brazil’s Congress would not have voted to pass the law the previous month but for Brazil’s 2-1 defeat at the hands of Belgium in the quarterfinals of the 2018 World Cup.
If Brazil had won the World Cup, there would have been a national holiday that would have preempted less important activities in Brazil, such as national lawmaking — including the vote on the LGPD.
“The only way we could convince the congressmen to vote was to do the voting the week before Brazil lost the game. Which was very, very good, because it was the only opportunity,” Zanatta said.
Long arc
Back in 2011, when Greenleaf did his first global data protection law survey during the protean early days of efforts to update the 1995 EU directive into what would become the GDPR, just 76 countries had a national privacy law.
Greenleaf noted that while the United States and India both had notable setbacks last year in trying to pass national data protection legislation influenced by the GDPR, 17 countries have passed laws in the past two years and at least 20 countries without a data privacy law have legislation in the works.
Greenleaf believes the GDPR has been particularly influential in Asia, where countries such as South Korea have updated or passed laws to achieve privacy adequacy to allow international data transfers with the EU, followed by Africa and then Latin America.
Five years after the GDPR took effect, there are now just 36 UN member states, by Greenleaf’s count, without a data privacy law — about 19 percent of the UN’s membership. “It seems likely that most of these countries without laws or bills will eventually develop them, resulting in data privacy laws becoming ubiquitous across the globe, probably within this decade,” Greenleaf concluded in a recent article.
Observers such as Zanfir-Fortuna and Zanatta say it’s important to view the evolution of data protection law around the world as a continuum that spans decades, part of the so-called “Brussels effect” in which Europe has exported its legal culture around the world. The GDPR was a key inflection point, but in the context of a much longer movement.
“So this phenomenon started earlier,” Zanfir-Fortuna said, referring to the 1995 EU directive. “But what the GDPR did is that it absolutely revived and gave a boost of energy, an impact that was very significant, for new jurisdictions to consider data protection laws. And they were very much inspired by the GDPR structure and significant fines.”
For Brazil and other countries of Latin America that are also passing or updating their data protection laws, those changes were preceded by many years of close legal scholarship connections between thinkers in Portugal and Spain and their counterparts in Brazil and the rest of Latin America, Zanatta said.
Without the preceding years of cross-pollination, even the unprecedented events of 2018 might not have been enough to pass Brazil’s law, he said. Europe wants “to export legal culture, and they want to export legislation,” Zanatta said.
If California prides itself on exporting its popular culture and technology to the rest of the planet, with the GDPR, Europe has succeeded in exporting its legal culture to California in another example of the Brussels effect.
Later this year, the state of California will begin enforcement of the California Privacy Rights Act, a law voters passed in 2020 in a state that claims to be the world’s fourth-largest economy. Alastair Mactaggart, the San Francisco Bay Area real estate developer who led the campaign to pass that law, has said many times that he modeled California’s law on the GDPR.
In the view of Mactaggart — he is now a member of the board of the first US standalone data protection regulator, the California Privacy Protection Agency — the Brussels effect also runs through US state capitals such as Sacramento before projecting back to Washington, DC.
“If we pass a strong comprehensive law, that will absolutely help other states and the country to get a good privacy law,” Mactaggart said in a public forum before the 2020 vote. “People want this.”
GDPR BY THE NUMBERS
GDPR enforcement remains a subject of deep relevance to businesses, and increasingly so as their exposure to digital markets grows.
The number of fines has steadily increased year-on-year since the regulation came into force in May 2018. That year there were just 13 fines, but in subsequent years there were 172, 455, 544, 697, and 176 so far in 2023. The cumulative value of those fines has also grown each year, from 2018's total of 557,380 euros to 60 million euros, 172 million euros, 1.08 billion euros, 1.26 billion euros, and 1.23 billion euros so far this year.
The figures are skewed hugely by a few large fines in the tech sector, most notably 746 million euros against Amazon in 2021, and now Meta's 1.2 billion-euro fine this year — the first billion-euro fine to be imposed. Meta has been by far the most-fined company, with previous chart-busting fines including ones of 405 million euros, 390 million euros and 265 million euros.
Before Meta's record fine, 2023 had been shaping up as quiet, with the total value of fines in the first quarter almost seven times less than in the same period last year and four times less than in 2021, according to the MLex GDPR enforcement tracker, hosted by LexisNexis.
Cumulatively, there have now been a total of 2,057 GDPR fines, totaling 3.8 billion euros. The Spanish data protection authority is by far the most active regulator, issuing 748 fines — although mostly at a low level: they add up to just 56 million euros.
Data research conducted by Giorgi Dvalishvili
Researcher