Extra-jurisdictional Impact

The ability of the EU to punish multinationals who don’t have a base on the continent is debatable, but the regulations are having an effect overseas. It’s not unusual to see U.S. websites, for example, publish a disclaimer that “This site is not meant for users in Europe.”

Rules-making bodies have also taken note, and several new pieces of legislation around the world have drawn inspiration from GDPR. The California Consumer Privacy Act (CCPA), for example, is not quite as broad reaching as GDPR (it only applies to larger companies) but bears many similarities and was passed unopposed by the California state Legislature in July 2018. Indian lawmakers have drawn up a GDPR-inspired Data Privacy Bill, which is currently working its way onto statute books. Brazil’s General Data Protection Law (LGPD) was passed in August 2018 and comes into force in 2020. It also follows many provisions of GDPR.

One place where the future is slightly less certain, however, is the U.K. The ICO and government have committed to keep the current GDPR-compliant Data Protection Act 2018 in force after Brexit, but there are questions that multinational firms will need to deal with. GDPR restricts the transfer of data from within the EU to other countries, and no current provision exists to exempt Great Britain from this rule. Likewise, the EU-U.S. data sharing agreement, Privacy Shield, won’t automatically cover the U.K. post-Brexit.