Data privacy and security have entered a new phase of regulation and control. The EU’s ePrivacy regulations come into effect later this year, broader in scope than the EU’s General Data Protection Regulation (GDPR) which took effect in May and raised digital privacy and security issues on the global agenda. They are joined by the 2018 U.S. CLOUD Act, which raises similar issues of extraterritoriality. Both data privacy and security are and have been ongoing concerns for businesses everywhere, and the developing regulatory environment formalizes this process.
European action in this area highlights a basic assumption of European law: privacy is a right that every individual is entitled to by birth. In practical terms, this means individuals should have complete control over their information, from credit card to medical/biological data. The individual alone determines how and where such data may be used and by whom, how it can be processed, and so on. In the U.S., we do not define data ownership as definitively, but I’ll put a pin in that because California has recently introduced a law that many people consider “GDPR 2.0,” because it is similar in purpose and intent to GDPR. It is significant that both Apple and Facebook have expressed support for wider data privacy legislation at the U.S. federal level that can potentially integrate with initiatives established or being created in the global market.
From a business perspective, GDPR has made doing business in Europe much harder. Companies must consider whether it is worth it to transfer data in and out of Europe—and if so, how? Do you end up with more siloed corporate entities, transferring information only when absolutely necessary? Or do you go through burdensome processes to allow data flow to go back and forth, knowing there will inevitably be mistakes and other issues. It has become a much harder, more expensive proposition for companies trying to do business in Europe. Nonetheless there are a large number of European consumers, and firms of every size, with whom non-EU companies want to do business. That gives outside companies strong incentives to find ways to comply and continue the commercial dialogue.
By contrast the U.S. privacy schemes are still very segmented and sectoral. Inevitably, some states have jumped into the discussion—most notably, as mentioned, California. Legislators there decided to make Californians’ data protection more structured; they introduced requirements ensuring that people doing business in this huge market operate with more European-style controls. Assuming that goes through—and there likely will be a number of iterations before January 2020 when it is due to come into force—California will set the bar for the rest of the country. Given companies’ preference for having one scheme across the U.S., it is likely that the Californian model of regulation will migrate elsewhere.
The Cloud provides a great illustration of this. While its operation is ultimately subject to a number of jurisdictions, in practical terms the major players adhere to the most stringent of these because it gives them the ability to act across the cloud for clients in multiple locales. The real issue here is around the cloud’s security protocols. People using cloud services assume providers are compliant with the law and regulatory controls. They are more concerned about security. The critical questions are: How is my data taken care of? How readily can I access and retrieve my data?
This year’s passage of the CLOUD Act is a reminder there are no boundaries anymore. You can’t stand behind a wall saying, “I live here, I work here, most of my systems and exposures are here,” because the law makes clear that—in the U.S. view—that is not the case and data must be turned over. Businesses can no longer sit behind their current country laws and say they only have to be thoughtful and conscious and cognizant of those laws.
Where there is still some way to go in U.S. and global regulation is around the Internet of Things and evolving AI devices. There needs to be a comprehensive evaluation of the current, outdated regulatory landscape and how it can be adapted to offer data protection for individuals while also allowing the innovation that needs to happen within companies and industry. The newest of devices simplify our lives, and that is where consumers are: they want regulation that nonetheless protects that simplicity without compromising their security.
Here, I would argue that industries can do a very good job of self-regulation and should drive the process. If industry can agree on some common protocols, that is probably the best way to advance, rather than relying completely on regulators who do not always have the whole picture or a full understanding of the technology and its unfolding future.