The new privacy regulations that will govern our data

The European General Data Protection Regulation (GDPR) full entry into force only one year and a half ago. It has been a worldwide revulsion in terms of how to deal with data management and privacy. However, almost three out of four people ask their governments to further increase regulation on big technology companies to protect their personal data. And it is not only the users of those companies that ask for greater regulation, but even the CEOs of big data platforms such as Mark Zuckerberg (Facebook) join the appeal. In this context, a new generation of regulations regarding personal data is already being developed, whose objective will be, on the one hand, to complement the existing European regulations and, on the other, to fill the current legal in the United States.

The situation in Europe

While in Europe we are still trying to assimilate the potential impact of the GDPR and ensure a greater degree of implementation, the president of the European Commission - Ursula von der Leyen - has requested the Internal Market Commissioner - Thierry Breton - to establish a new European data strategy, committed to innovation through data while protecting the digital identity of people. For the moment, and while this strategy is not completed, we are still waiting for the new digital privacy regulation (ePrivacy) regarding the processing of personal data and the protection of privacy in the electronic communications sector, currently in progress. It is called to complement the GDPR, replacing the current directive - whose latest version has been in force for more than 10 years (since 2009), a whole world in the field in which we move.

This highly anticipated new regulation, which will be directly applicable to all member countries, continues to develop after almost a dozen drafts submitted and two years of negotiations between the different parties contributing to its development. This regulation, also known as the law of cookies for being responsible for the warning messages that appear on the websites we visit, is of vital importance precisely because it affects one of the most used (and sometimes also abused) mechanisms to access to online user data. Although it is still uncertain what the final result will be, during the negotiations we have seen how it shift from a more protectionist initial text, in which the importance of explicit consent was reinforced, including the possibility of configuring our browsers to automatically oppose any treatment of unauthorized data (the famous "do not track" mode), to the current draft that is practically committed to maintaining the status quo with only a few minor changes.

The situation in the United States

If we cross the puddle and take a look at what is happening in the United States - the current reference market for the development of the online platforms that manage our data -, we have started the year with the entry into force of the Consumers Privacy Act (CCPA) in the state of California, and several states also have their own legislative initiatives in the field. A very relevant milestone because it is not only the first complete law of this kind in the country, but also start in the state in which the Silicon Valley is located, which saw the birth of a large part of these big platforms.

While it is true that the CCPA has received some criticism for being behind the GDPR in some aspects, and that the federal legal framework does not finish arriving while the voices that claim it continue, at least a great start number of federal legislative initiatives in the country have started, and they could considerably set the bar in terms of demand - even going beyond the requirements established by the current European legislation. These initiatives include, for example:

• The Consumer Online Privacy Rights Act (COPRA Act), whose objective is to increase control over personal data, prohibiting harmful uses and establishing specific and strict rules for the collection, use and sharing of consumers´ personal data.
• The bill for Augmenting Compatibility and Competition by enabling Service Switching (ACCESS Act), whose main objective is to enable data portability between different platforms, thus fostering competition and innovation in services offered by big companies.
• The bill for Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data (DASHBOARD Act), whose purpose is to increase transparency regarding the use of personal data by big companies, including an objective economic estimate of the value obtained through said data.
• The program for the end of unauthorized tracking (Do Not Track Act), whose objective is to considerably limit the online tracking of personal data of those who request it, similar to how it is already done with the telephone advertising exclusion records (such as the Robinson List in our country)
• The law to take responsibility for own business (MYOBA Act) aims to end radically with the potential abuses of privacy and personal data by making company CEOs directly and legally responsible for serious breaches of existing regulations.

It is also important to note that, with the aim that all this set of laws in the United States does not mean an obstacle to innovation, in general its scope has been reduced to the big consolidated companies, with a high number of users and large volumes of billing, although specific margins vary from one law to another.

In any case, the great challenge now - both in Europe and in the United States - is on the one hand to clarify the terms and limits of application established in all these laws and see how they are finally consolidated and, on the other hand, to determinate how to achieve convergence between all these initiatives to avoid a legislative mosaic that supposes a headache for globalized companies and also a possible discrimination between the rights of some people and others depending on what legislation applies to them.