After California, now the Washington State senate has adopted a data protection and privacy act that takes the EU General Data Protection Regulation (GDPR) as an example to emulate.

This is definitely an effect that was hoped for when the GDPR was launched. European environmental and food safety standards have had a similar global norm-setting impact. This is because for businesses it is generally more expensive to comply with multiple standards than to comply only with the strictest one. We saw it earlier in companies taking GDPR demands and applying them to themselves generally. That the GDPR might have this impact is an intentional part of how the EC is developing a third proposition in data geopolitics, between the surveillance capitalism of the US data lakes and the data-driven authoritarianism of China.

To me the GDPR is a quality assurance instrument, with its demands increasing over time. So it is encouraging to see other government entities outside the EU taking a cue from the GDPR. California and Washington State have now adopted similar laws. Five other States in the USA have introduced similar laws for debate in the past 2 months: Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

Just before leaving for Christmas, the US Congress voted to approve a new law that mandates two key elements: public information is open by default and needs to be made actively available in machine-readable format, and policy making should be evidence based. In order to comply, agencies will need to appoint a Chief Data Officer.

I think that while the first of those two (open data) is the more immediately visible, the second one, about evidence based policy making, is much more significant long term. Government, especially politics, often is willingly disinterested in policy impact evaluation. It’s much more status enhancing to announce new plans than to admit previous plans didn’t come to anything. Evidence based policy will help save money. Additionally, government agencies will soon realise that doing evidence based policy making is made a lot easier if you already do open data well. The evidence you need is in that open data, and it being open allows all of us to go look for that evidence or its absence.

There’s one caveat to evidence based policy making: it runs the risk of killing any will to experiment. After all, by definition there’s no evidence for something new. So a way is needed in which new policies can be tried out as probes, to see if there’s emerging evidence of impact. Again, that evidence should become visible in existing open data streams. If evidence is found, the experimental policy can be rolled out more widely. Evidence based policies need experiments to help create an evidence base, not just of what works but also of what doesn’t.

A great result for the USA’s open government activists. This basically codifies the initiatives of the Obama Presidency, which were the trigger for much of the global open data effort these last 10 years, into US federal law.

Today is the day that enforcement of the GDPR, the new European data protection regulation, starts. A novel part of the GDPR is that the rights of the individual described by the data follow the data. So if a US company collects my data, they are subject to the GDPR.

Compliance with the GDPR is pretty common sense, and not all that far from the data protection regulations that went before. You need to know which data you collect, have a proper reason why you collect it, have determined how long you keep data, and have protections in place to mitigate the risks of data exposure. On top of that you need to be able to demonstrate those points, and people described by your data have rights (to see what you know about them, to correct things or have data deleted, to export their data).

Compliance can be complicated if you don’t have your house fully in order, and need to take a lot of corrective steps to figure out what data you have, why you have it, whether it should be deleted and whether your protection measures are adequate.

That is why, when the law entered into force on May 4th 2016, 2 years ago, a transition period was created in which no enforcement would take place. Those 2 years gave companies ample time to reach compliance, if they weren’t compliant already.

The GDPR sets a de facto global norm and standard, as EU citizens’ data always falls under the GDPR, regardless of where the data is located. US companies therefore need to comply as well when they have data about European people.

Today at the start of GDPR enforcement it turns out many US press outlets have not put the transition period to good use, although they have reported on the GDPR. They now block European IP addresses, while they ‘look at options’ to be available again to EU audiences.

From the east coast

to the west coast

In both cases the problem likely is how to deal with the 15 or so trackers those sites have that collect visitor data.

The LA Times, for instance, has previously reported on the GDPR, so they knew it existed.

A few days ago they asked their readers “Is your company ready?”, and last month they asked if the GDPR will help US citizens with their own privacy.

The LA Times’ own answers to that at the moment are “No” and “Not if you’re reading our newspaper”.