
GDPR not fully operational or effective, says EU

Chris Hamblin, Editor, London, 30 July 2019


Just over one year after the General Data Protection Regulation became law, the European Union has published a report that gauges its efficacy. The report concludes that most but not all member states are complying with it fully. Meanwhile, copycat laws are springing up in the USA and cyber-posture scorecards are emerging.

The EU is making much of the GDPR as a champion of "individual rights," although it allows police forces and other governmental bodies a free pass to look at personal data and use it as they please. Nevertheless, Vera Jourova, one of the 39 unelected European commissioners who have a collective monopoly on the introductory drafting of the bloc's laws, has said: “The General Data Protection Regulation is bearing fruit. It equips Europeans with strong tools to address the challenges of digitalisation and puts them in control of their personal data. Beyond Europe, it opens up possibilities for digital diplomacy to promote data flows based on high standards between countries that share EU values, but work needs to continue for the new data protection regime to become fully operational and effective.”

The GDPR has made EU citizens increasingly aware of data protection rules and of their rights, according to a recent study, but only 20% of people in the EU (the EU, which has two-thirds of Europe's population and less than half of Europe's land, mystifyingly refers to them as "20% of Europeans") know which public authority is responsible for protecting their data. The European Commission, meanwhile, has launched a new campaign to encourage people to read privacy statements and to optimise their privacy settings.

According to the EU, compliance with the regulation has helped companies increase the security of their data and develop privacy as a competitive advantage. The GDPR has given national data protection regulators more powers to enforce its data protection rules and it has set up a European Data Protection Board which seems to be co-ordinating them. There is also a "co-operation mechanism" that has managed 516 cross-border cases.

National legislative efforts

EU regulations take effect in the laws of EU countries automatically without any need for national legislative involvement. That said, the GDPR obliged EU countries to take a number of legal steps of their own, setting up and allocating powers to their own national data protection authorities, laying down rules for various things such as the reconciliation of the protection of personal data with freedom of expression and information, and amending or repealing sectoral legislation with data protection rules. Three EU countries – Greece, Portugal and Slovenia – have still not done this job of updating their national data protection laws in line with EU rules.

The EU wants to ensure that when the laws of its constituent states "specify the GDPR in national laws," in its words, they remain in line with the regulation. The European Commission, the nearest thing that the EU has to an executive branch, has stated that it wants national laws on the subject not to be "a gold-plating exercise." It also says, somewhat alarmingly, that it will not shrink from "using...infringements" to make sure that EU member-states transpose and apply the rules correctly.

A case of data imperialism?

The EU is proud that its data protection rules are a "reference point" for stronger data protection standards across the globe. The GDPR came into force on 25 May 2018. Since then, nearly all member-states have adapted their national laws in the light of it. The EU is claiming that the new data protection rules have achieved many of their objectives. In a recent 'communication' (paper) entitled Data protection rules as a trust-enabler in the EU and beyond – taking stock, the European Commission appears to voice a desire to conquer most of Europe by inventing the extraordinary slogan "one continent, one law."

Disappointment in New York

One of the most significant follow-ups to the GDPR outside the European Union, the New York Privacy Act, failed to become law last week. According to some observers, it would have introduced a more stringent data protection regime in New York State than that of the California Consumer Privacy Act 2018, the first major piece of data protection law in the US, which comes into effect on the first day of next year. Neither piece of legislation, however, is anywhere near as stringent as the GDPR.

The New York law, if passed, would have allowed private individuals to take court action against firms that mishandled their data, albeit with a cap of US$10,000 per person: an echo of the GDPR but a departure from California's law. It would also have imposed a fiduciary duty of care on firms that collect information on people, always taking care to exempt the authorities. Lobbying from small businesses, which have the most to lose from the legislation, killed it.

Cyber-posture

Compliance Matters spoke to Fouad Khalil (pictured), the compliance man at SecurityScorecard, about the fact that the GDPR is the inspiration for American state laws.

He said: "They recently passed a Washington State [not to be confused with Washington DC] privacy law, which has the most stringent definition of personal data I've ever seen. The New York legislation failed yesterday, however.

"Regarding privacy legislation along the lines of the GDPR, there's nothing federal brewing. Trump ruled it out."

Most front-rank financial regulators in the world have cyber-security policies that affect personal data, among other things. Compliance Matters asked Khalil whether he knew of any countries with "super-equivalent" rules, i.e. rules that forced a company in one well-regulated country to impose its cyber-security rules on all its operations throughout the globe.

He replied: "In the US, it's hard to see super-equivalence in cyber-security. When privacy laws come in, though, it'll have to happen even without a super-equivalence rule because the personal data will be bouncing around between jurisdictions and not just staying in those with lax rules.

"When we look at cyber, we're putting the G in GRC. The authorities can't split hairs between who owns privacy and who owns security.

"If we go into the realm of science fiction, one day I hope that even before I visit a website my phone will tell me what its cyber-posture score is. I don't want my personal data being abused. If I go to Amazon and get an F, I don't want to visit their site!"

The concept of cyber-security ratings, which is 5-6 years old, is SecurityScorecard's stock-in-trade. Khalil added: "We're doubling our revenue year after year, so the field is growing rapidly. There are 2 to 3 players in the market already but even now we're barely scratching the surface."
