Back in May 2023, Meta (formerly Facebook) became the biggest casualty of GDPR enforcement and was handed a record-breaking fine of $1.3 billion. The sanction, which has been appealed, was for the inappropriate transfer of the personal data of EU citizens to the United States.
Regardless of whether the appeal succeeds, the case highlights the dynamics of data protection legislation today, which is largely characterized by cross-border enforcement and big tech violations. These are among the issues addressed in this article as we explore the legislative progress of personal data protection in 2023.
Increasing Data Privacy Regulations
Since the EU launched its General Data Protection Regulation, several governments have followed suit. In the last five years, 137 countries have authored legislation to protect data privacy while a further 17 countries have draft legislation in the works.
This progress follows a prediction by Gartner that, by 2024, 75% of the global population will be subject to data privacy regulations. The world seems fast on course to achieve this. And organizations are responding in kind by rolling out compliance efforts.
As such, it is also estimated that organizations globally will increase their cybersecurity spending by 11.3% this year with data privacy and security (combined 31%) being the leading factors for the growth.
Certainly, the growing body of data privacy legislation around the world has forced companies to re-examine their policies, practices, and tools and align them with public concern.
Cooperation in Europe; Discordance in the US
Perhaps the biggest challenge to compliance with data protection regulations is the lack of international synergy. The GDPR had a groundbreaking launch not simply because it was the first of its kind but also because of its applicability across European territories.
Compare this with what is happening in the US, where, with the lack of an overarching federal law guarding privacy, organizations are left to grapple with a patchwork of laws being formed by each state across the country.
It should be noted that while most data privacy regulations are formed around the same philosophical values, such as consent and transparency, they often differ in terms of how these principles should be applied.
Thankfully, on an international level, there is some progress in cooperation. The EU-US data privacy framework has now been adopted to regulate data transfers between the two regions. The UK has a similar international data transfer agreement in place. Recently, the EU adopted a new law to ensure cross-border cooperation on relevant cases that involve two or more member states and strengthen enforcement.
Artificial Intelligence Governance
Artificial intelligence has steadily grown in adoption and popularity over the last few decades. But the introduction of ChatGPT changed the game dramatically. In only its first week, it recorded 1 million new users and now has 100 million.
However, the success of ChatGPT has, at the same time, reawakened negative sentiments concerning human-computer interaction. There are serious concerns about the propriety of data being collected and processed for training large language models and other AI algorithms.
There are also fears of AI ‘taking over the world’ as it grows in sophistication. Even if machine learning algorithms don’t take over literally, we have started seeing misinformation being spread as well as phishing attacks enhanced by generative AI capabilities.
Presently, there is no comprehensive law specifically regulating AI data privacy. However, the EU has one in the works – the AI Act – that aims to assign controls to AI applications and systems based on defined risk levels.
Compliance and Enforcement
While big tech companies have been hit with huge fines following the introduction of various data protection regulations, it has become clear that compliance is, for the most part, not their goal. And this creates a challenge for law enforcement.
For one, despite the sanctions that these large organizations have faced, they still engage in questionable practices that put consumers’ data at risk. In fact, it is now clear that some big tech companies, rather than comply, would prefer to circumvent the rules and pay a fine.
To take data privacy seriously, organizations need to think beyond mere compliance and develop robust in-house policies based on conventional ethical principles. It is the responsibility of each company to implement privacy controls and security strategies.
For organizations struggling with insider threats, for instance, investing in a data detection and response solution will help them combine intelligent behavioral analytics with strong incident response capabilities for data loss prevention (DLP).
Consumer Reactions and Enlightenment
It is commonly believed that consumers do not really care about data privacy and would willingly sacrifice some of their private information if they can access better services or be served more personalized ads.
While this is true to some extent, it has wrongly been used to justify inordinate practices by organizations that, without consent, sell customer data to advertisers for profit. However, is it really true that consumers are not bothered about where their data goes and how it is used?
IAPP’s international survey shows that 68% of consumers are concerned about their privacy online, thus challenging the conventional opinion about this. While most consumers may be helpless in protecting their personal information, the onus rests on governments and organizations to continue to work to enforce data protection across the board.
As research shows, there is convergence around the following ethical principles: transparency, justice and fairness, non-maleficence, responsibility, and privacy. These should be non-negotiables in order to serve consumers appropriately and safeguard citizens.
Today, there is no more valuable resource than data. And the voices of all stakeholders must be heard. As governments put resources into enforcing legislation, organizations must rise to a higher level of responsibility and hold themselves accountable.
Meanwhile, consumers must also demonstrate their concern for data privacy by reading the fine print whenever a cookie acceptance popup appears on their screen. To make the laws work, there’s a role for everyone to play.