For years, citizens and consumers across the world have cheerfully handed over vast amounts of personal information to business and state organisations. The flow, exchange and monetisation of data underpin much of the digital economy and have made tech companies some of the most valuable and powerful global businesses.
But regulators are cracking down on how organisations store, process and share personal data, in an effort to hand back at least some control to ordinary people — and, in some cases, ensure the authorities can keep a close eye on citizens.
The challenge for multinationals is to navigate competing and often divergent regulatory regimes without incurring huge costs, whether in the form of compliance measures, or financial penalties if they are deemed to have broken the rules, or in reputational damage from a public rebuke by a state watchdog.
“Some [businesses] have the perception they can be compliant with all the data privacy regulations around the world,” says David Zetoony, head of consumer protection at law firm Bryan Cave. “But full compliance is more myth than reality. The real question is what level of compliance you want to achieve.”
High on the business agenda is the General Data Protection Regulation, a new EU-wide regime that will introduce tougher rules on processing and storing personal data, as well as on obtaining customer consent.
Crucially, GDPR, which comes into force next May, will affect not just companies operating in the EU but any business outside it offering products and services to EU customers or employing EU workers. As such, the regulation has global reach — and with fines of up to 4 per cent of annual turnover, penalties for the most serious breaches, such as failure to protect personal data from hackers, could pose a serious threat to a company’s ability to operate.
The advent of the new regulation has caught out many businesses, especially small and medium-sized enterprises not used to worrying about data protection even if they do business across borders. It has also highlighted how organisations of any size might struggle if they are faced with a patchwork of regulatory environments.
Businesses could spend vast sums on trying to keep on the right side of every existing data protection regime, says Mr Zetoony, turning them into “compliance companies” rather than real businesses. “There is a spectrum and, like any other business decision, you have to weigh the pros and cons and make a decision based on risk.”
Because there is so much trade between the EU and the US, the two sides have implemented a system called Privacy Shield. More than 2,400 US companies, including Microsoft and Google, have signed up to this data-sharing agreement — by which they agree to adhere to EU data protection standards — allowing them to transfer anything from pictures to payslips across the Atlantic without breaching EU laws on personal privacy.
Yet Privacy Shield is far from perfect. The deal was done in a hurry after the European Court of Justice struck down its predecessor, Safe Harbour, in 2015 following the Edward Snowden revelations about mass surveillance by the US National Security Agency.
Those concerns have not gone away. Brussels has voiced concerns that the Trump administration has yet to appoint an independent ombudsman to deal directly with data complaints from EU citizens, amid fears that the US president will prioritise national security and American commercial interests over data privacy.
Privacy Shield also faces two legal challenges, from France and Ireland, where campaigners claim the pact does not adequately protect EU citizens from snoopers.
The EU-US tensions stem partly from procedural differences. While GDPR bolsters already broad laws on personal data covering almost every sector, such overarching legislation does not exist in the US.
“We do not have a comprehensive data protection law in the US — we have a common law tradition of enforcing privacy in different contexts, and a robust Federal Trade Commission that enforces company obligations,” says Kendall Burman, Washington DC-based cyber security and data privacy counsel at law firm Mayer Brown, and a former deputy general counsel in the US department of commerce. “Different sectors have different data protection laws, and states have their own laws on collection and use of data.”
EU and US regulators also focus on different issues. In the EU, much of the emphasis post-Snowden is on surveillance and how personal information is transferred beyond the bloc’s borders; in the US, cyber attacks and data leaks are the bigger concern. Ensuring that you satisfy regulators on both sides of the Atlantic is “not inexpensive”, says Mr Zetoony.
The more regulators there are with their own regimes, the harder — and costlier — full compliance becomes.
In June, China introduced its first cyber security law, ostensibly another post-Snowden effort to protect its people from prying American eyes. For instance, it requires data relating to Chinese citizens or national security to be held on Chinese servers. Russia has a similar law stipulating that the personal data of Russians must be stored within the country.
The autocratic nature of those two governments means the suspicion is that the regulations are in place to assist monitoring of citizens, rather than enshrine their data privacy.
Either way, such a hodgepodge of rules presents multinationals with a dilemma: to apply a one-size-fits-all policy to data protection and keep out of jurisdictions where this does not work, or take a segmented approach and keep data from specific regions in localised hubs, with all the infrastructure and expertise costs that this entails.
“It is not ideal compared with having a universal approach, but because there isn’t an international consensus on [data protection], it’s a problem businesses are going to have to continue to address,” says Ms Burman.