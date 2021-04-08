In this photo illustration, Facebook CEO Mark Zuckerberg seen on a mobile screen as he remotely testifies during the hearing of U.S. Senate Committee on Commerce, Science, and Transportation titled "Does Section 230's Sweeping Immunity Enable Big Tech Bad Behavior?" on Capitol Hill in Washington, D.C., the United States.

As Europe's sweeping GDPR laws approach their third anniversary, other jurisdictions around the world are taking cues from it to develop their own frameworks.

The EU regulation (the General Data Protection Regulation) has helped put data protection front of mind for policymakers and businesses, especially with the specter of large fines.

"Definitely the GDPR has created a much bigger privacy awareness. A lot of companies are saying now that it's being discussed in boardrooms because of the potential amount of the fines," Estelle Masse, senior policy analyst at digital rights group Access Now, said.

One such law is the California Privacy Rights Act, which was passed in November 2020 and expanded upon 2018's California Consumer Privacy Act.

The law has drawn many comparisons from observers to GDPR in how it grants more control to the consumer and presents the possibility of fines for infractions and data breaches.

"I think there were similarities in the sense that they were both providing more rights and protections to the user, so they were quite user-centric in their approach," Masse said.

Other jurisdictions can look at the GDPR for inspiration on what does and doesn't work, though there are many nuances and European traits to consider that may not necessarily translate.

"But there are a series of core rights and core requirements. That people need to be protected, people need to remain in control over their information and an obligation needs to be put on companies if they want to use this information," Masse explained.

The major difference between California's law and GDPR comes down to enforcement. California is just one state while the EU is 27 nations with their own data protection authorities and their own challenges.

This has led to arguments among different data protection commissioners over who is pulling their weight in enforcement and who is not, with Ireland's authority attracting the most criticism.

"Our enforcement model is showing some cracks, so I think there is a big lesson learned for others who are looking at Europe," Masse told CNBC.

"I think the GDPR is a legislative success but so far it's an enforcement failure and we can learn from it."

The key to addressing those challenges is ensuring total independence for a data protection authority while providing it with ample budgets and resources to regulate the ever-growing data economy.