December 19, 2018
Data Policy Think Tank Grades Data Laws in Europe and California, and Proposed Legislation in India, Chile, and the United States
Policy thought-leaders assign scores to data privacy laws, highlighting successes and areas for improvement
Washington, DC – December 19, 2018 – The Data Catalyst Institute today issued analyses of five recently enacted and proposed data governance laws. Europe’s GDPR achieved the highest overall score, followed by a comprehensive proposal in Chile, the so-called “APPS Act” in the United States, a comprehensive legislative proposal in India, and then California’s new data privacy law.
Scores were determined on a 100-point scale based on a set of key criteria, including clarity, implementation framework and impacts on free speech and government transparency. Data Catalyst, a new international policy institute, developed its scoring criteria and Report Cards to help policymakers evaluate their own proposals and compare their proposals to others. Data Catalyst’s goal is to improve understanding of data governance proposals and promote effective and comparative discussions among all stakeholders.
GDPR (Score: 81/100)
The EU’s GDPR earned a score of 81/100. Though Europe’s GDPR rule scored the highest of the five graded policies, there is room for improvement. Notable concerns include potentially confusing standards for “consent,” specific challenges associated with compliance and enforcement standards, and international data commerce challenges.
Chile’s Legislation to Protect Personal Data and create a “Personal Data Protection Agency” (Score: 76/100)
The Chilean Senate is considering legislation to protect personal data and create a data protection authority. Data Catalyst’s analysis and score reflect the Committee-approved Bill and also comment on amendments that may be considered by the full Senate. Though several provisions in the proposal create business uncertainty and risk, especially for small businesses and startups, Data Catalyst’s high score reflects the Bill’s thoughtful and comprehensive drafting. But there are also concerns, including with regard to extraterritorial jurisdiction and unfair revenue-based penalties.
APPS Act – H.R. 6547 (Score: 57/100)
The APPS Act, a bill that was introduced in the United States House of Representatives, would require mobile apps to get specific permission before collecting and using consumer data, and to delete consumer data upon request. Though the proposal provides for helpful “safe harbors” that can usefully guide companies’ data collection, its definitions are vague and required consent processes are clumsy.
India’s Personal Data Protection Bill (Score: 49/100)
India’s proposed Personal Data Protection Bill adopts European concepts of data rights and would establish a Data Protection Authority to audit and enforce. Though the Bill’s consent rules are reasonable, their positives are overwhelmed by burdensome and costly data storage and transfer provisions and dangerously unlimited law enforcement authority. The Bill’s small business exemption is essentially useless, as it excludes only the tiniest enterprises.
California Consumer Privacy Act of 2018 (Score: 41/100)
California’s Consumer Privacy Act of 2018 receives significantly lower marks than its European counterpart, mainly because it demonizes legitimate and beneficial data exchanges, defines almost all data as “sensitive” and threatens the livelihoods of small publishers that rely on advertising to generate revenue and pay the costs of their business.
Background and Commentary
In dozens of nations around the world, policymakers are proposing, considering, and even enacting data privacy and data protection regulations. Establishing a national, let alone a global, framework for data governance is complex and difficult. The evaluation of each proposal was made on a 100-point scale and measures ten criteria aimed at evaluating core tenets such as the clarity of a law and its ease of implementation. The following ten criteria were considered on a 1-10 scale for each law in order to determine the overall legislation score:
- CLEAR TERMS: Terminology should be clear to reduce confusion, inconsistency and disputes.
- SPECIFIC HARMS: Legislation should focus on specific harms and outcomes.
- HELPFUL PROCESSES: Required processes and notices should be clearly defined and helpful.
- NOT RETROACTIVE: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data.
- NOT HARMFUL: Legislation should not inhibit beneficial data models and uses.
- FREE SPEECH: Legislation should not inhibit freedom of expression or government transparency.
- SIMPLE CONSENTS: Consent standards should be clear for organizations and promote clarity for consumers.
- INTERNATIONAL COMMERCE: International commerce and cooperation should not be inhibited.
- FAIR ENFORCEMENT: Enforcement provisions should be responsible and trustworthy; not chilling or anticompetitive.
- SMALL ENTERPRISES: Small organizations should not be prejudiced by impractical or anti-competitive burdens.
The laws and proposals analyzed could have global implications on data collection, management, and utilization, but not all are created equal. Evaluating proposals and regulations using objective criteria – and in comparison to each other – enables stakeholders to compare and evaluate, to learn from others’ mistakes and follow examples of others’ successes. A collective commitment to careful thought and consideration is necessary to avoid unintended economic, social and cultural consequences.
Because legislation frequently evolves before and after enactment, Data Catalyst will monitor amendments, court cases, and other changes and adjust the analysis and corresponding score as needed.