Calls for federal legislation alongside US president Joe Biden’s artificial intelligence (AI) executive order and some 12 different regimes in the country alone highlight a global regulatory environment on data privacy that’s set to remain something of a hodgepodge.
Different regimes continue to emerge both in and across different nations, with worldwide rationalisation or consensus highly unlikely, says Alex Hazell, head of UK privacy and legal at cloud marketing platform supplier Acxiom, and organisations need to pay close attention.
“Achieving full compliance is extremely challenging and complex,” he says. “You only have to look at Amazon Web Services’ [AWS’s] suite of paperwork for General Data Protection Regulation (GDPR) transfer and processing – many documents, containing links to other documents, and so on and so forth.”
By 2021, according to the UN, at least 137 countries had legislation in force.
Matching practice, policy and specific regulation may mean deeper engagement with lawyers and compliance professionals to dig out detail on the two main approaches – something unlikely to be music to companies’ ears.
“You can go to the highest legal standard, sticking to that as an internal compliance measure,” says Hazell. “The problem with doing that is that you lose competitive advantage in those countries with a looser approach. Or you can comply with the legal standard in each country.”
The latter approach may be the only option if and when legal standards in one relevant jurisdiction differ radically from another, especially when the differences hinge on national philosophies, politics and “value judgements”. Of course, this can also make compliance not only more costly and complicated, but even prohibitive for smaller companies or startups.
Risk-based approach
However, he adds that the “reality on the ground” is that organisations sometimes take a risk-based approach not only to how they do business, but to aspects of compliance, especially when there are grey or “undecided” areas.
“If, for example, a law is seldom enforced and widely ignored – a so-called ‘bad law’ – some may, as it were, follow the crowd, assuming safety in numbers,” says Hazell.
“One business might take one view, another a different one. As long as that’s reasonable, absent judicial verification, organisations will continue to play in that grey area.”
In the European Union’s (EU’s) General Data Protection Regulation (GDPR), for example, judicial precedent is being set, but there are still some areas where practice might be undecided, even before you start to think about new EU law such as the Digital Services Act, where there is yet to be any judicial precedent.
Are organisations risking a “mega-fine”, as in GDPR’s penalties expressed as a percentage of maximum global turnover, or just an informal rap on the knuckles? What is the likelihood of class action, for instance, off the back of a regulator sanction?
When developing your compliance regime, also look at the potential to cause problems. “Put the individual front and centre of all internal policy considerations,” says Hazell. “Is there real harm that could be potentially caused by a piece of processing, and if so, what are the mitigations to put in place?”
Jonathan Joseph, head of solutions at data privacy software company Ketch, broadly agrees, but maintains that data privacy should be formally recognised worldwide somehow, even if only outlined in a bill of human rights-type approach ...