Navigating the Regulation Soup

Published on 08/09/2022 03:37 PM

Privacy regulations are a problem. The primary reason is that while they are increasing around the globe, they tend to have different priorities and conflicting motivations in different jurisdictions. While Europe’s General Data Protection Regulation (GDPR) is often the blueprint, other privacy regulations relax some and introduce other requirements.

GDPR itself affords an explanation for some of the difficulties. It originated as a European response to Edward Snowden’s revelations about NSA and GCHQ global surveillance practices. As a result, protecting European privacy from the US government is deep in the DNA of the regulation, and that protection was delivered at a populist level by the elected European Parliament.

The European economy, however, is run by the unelected European Commission (EC). And here’s the first conflict. GDPR wants to prevent European privacy information (generally known as personally identifiable information, or PII) from leaving Europe for jurisdictions where it might not be so well protected. So, European PII may not be exported to any country that is not recognized as having equivalent data protection.

Chief among these is the USA. GDPR basically says you may not export European PII to the USA. But the EC says both the US and Europe need the free flow of data between the two blocs for vital economic reasons. As a result, the history of GDPR demonstrates a ‘battle’ between the law (usually supported by the European Court of Justice) and the EC (which continually strives to ‘invent’ mechanisms to allow that export).

Currently, the most recent such mechanism, known as Privacy Shield, has been declared unconstitutional by the European Court in a ruling known as ‘Schrems II’. The stumbling block is the US Foreign Intelligence Surveillance Act (FISA), which gives the NSA both the power and the requirement to monitor foreign nationals. The NSA is effectively required by law to investigate the PII of European citizens.

In short, it is difficult to see how the privacy requirements of GDPR and the surveillance requirements of FISA can ever be reconciled. This leads us to the concept of data residency. Some governments require by law that national data must remain within their own jurisdiction. This particularly applies to the more authoritarian countries such as China, Russia, Iran and North Korea. The danger of data residency requirements is that they could lead to the balkanization of the global internet, breaking it into multiple small intranets.

It is important to note that GDPR does not have a data residency requirement; it only has restrictions on data export. There are several approaches to satisfying this: the first is to store and process European PII on servers within Europe; the second is to do the same but in jurisdictions that conform to the European data privacy adequacy requirements; and the third is to store and process the data anywhere in the world in a way that unauthorized parties (such as the NSA or any other government) cannot access the plaintext data.

It would be a mistake, however, to think GDPR is simply about the movement and storage of PII. It is also about the use and protection of that data. A June 2022 paper (Investigating GDPR Fines in the Light of Data Flows) analysed 856 GDPR fines levied by European regulators since 2018. It found the top three failures are ‘unauthorized data processing’ (in 751 cases), ‘insufficient security measures’ (386 cases), and ‘data subject rights’ (182 cases).

The problem for business today is that GDPR is just one of a multitude of different regulations. These include regional (for example, state in the US and national in Europe), and international (for example, European, Canadian, Brazilian and Australian) data protection laws; sector specific regulations (such as the finance and healthcare sectors); and business regulations (such as PCI-DSS for the payment card industry). Any company that does business on the internet will need to monitor all of these since the majority don’t care where the business is located, but apply whenever their own citizens’ data is collected and processed.

This last point should not be ignored. Various regulatory bodies have acted against a US company called Clearview, including the UK ICO, which fined it £7.5 million. Clearview scrapes images from the internet to provide an image database that can be bought and used by law enforcement. The ICO and other regulators have said ‘you cannot do that here’.

Clearview, however, is based in New York, obeys US data protection laws, and has no representation in Europe. It can simply ignore GDPR rulings, and there is nothing Europe can do about it. But sometimes it can.

Facebook repeatedly faces GDPR sanctions over its treatment of European PII, but mostly objects to and ignores them, or simply pays them and ignores them. On July 7, 2022, the Politico publication reported, "Facebook may be about to go dark in Europe. POLITICO had the scoop this week that the Irish Data Protection Commission intends to block Facebook owner Meta from sending user data across the Atlantic over concerns about U.S. surveillance practices." That almost certainly will not happen – but the point is, it could.

There are several processes that can be used to cover all regulatory bases. The first is almost a cop-out. It asserts that compliance with regulations does not ensure security, while successful security will almost always ensure compliance. This approach says, ‘concentrate on security and let compliance look after itself’.

There is a sort of logic to this. In most cases, companies are only found to be out of compliance during a post-breach investigation. If you are not breached, you will not be found to be out of compliance. But it is dangerous, because it would be foolish to say, “My security is so good, I will never be breached.”

The second approach is to select two of the most stringent regulations and just comply with them. If you are compliant with GDPR and ISO 27001, you will automatically be compliant with most of the requirements of most other regulations.

The third is to use a governance, risk and compliance (GRC) software solution. The software provider will stay up to date with existing and new regulations. The software will map your data use against the different regulations, effectively providing a list of what you need to do to be in compliance.

The key to all regulations is to remember that they are all about the data. Care over where and how data is stored, so that it remains accessible to your own business but to no one else, is the key.