By Andrea Little Limbago, Chief Social Scientist, Virtru
Limbago presented during the Governance, Risk and Compliance track at the 2019 (ISC)2 Security Congress in Orlando. The session, Global Factors Driving Data Privacy Regulation, explained data localization, how it is progressing and what that means for organizations. In two parts, Limbago recounts the information covered in her session.
On October 29, the internet turned 50. Despite original aspirations of a free and open internet, the modern internet is increasingly segmented and shaped by political boundaries. Included within broader technological shifts such as 5G, artificial intelligence, and the internet of things, these technologies offer great potential for ground-breaking societal innovations. They also enable governments across the globe to pursue digital sovereignty, that is, complete information control within their borders.
The growing push for digital sovereignty has resulted in a Balkanization of the internet, or Splinternet, and reflects the diffusion of two competing models: digital authoritarianism and a counter-movement in favor of individual digital rights shaped by the European Union. Absent a coherent federal data protection framework, security and privacy in the United States are increasingly influenced by these external forces. This first of two blog posts will describe these two competing frameworks, while the second will detail additional global forces shaping U.S. data protection. Given these growing forces, there is significant need for American leadership to reignite the original aspirations of a free, open and secure internet.
The Two Competing Frameworks
Freedom House recently highlighted this diffusion of digital authoritarianism as the core threat to internet freedom, with direct implications for fundamental human rights and conflict globally. The authoritarian playbook is a holistic strategy that marries cyber attacks, disinformation and automation, and machine learning for complete information control. While these are often treated as independent silos, they comprise a holistic strategy which is increasingly adapted by both state and non-state actors. This playbook – which consists of bots, trolls, and warriors as the leading cast of characters – is already contributing to global instability, privacy infringements, and significant power shifts, and will do so for the foreseeable future.
The European Union’s General Data Protection Regulation (GDPR) is the most prominent democratic approach to counter digital authoritarianism by prioritizing individual data security and privacy rights. The GDPR is a far-reaching data protection framework that impacts everything from marketing to artificial intelligence to breach notification. This framework is gaining traction with other democracies. As soon as the GDPR came into effect, the European Union quickly signed an agreement with Japan for secure data flows and reciprocal data protection. Brazil’s upcoming data protection law shares many similarities with the GDPR, and goes into effect in August 2020. The GDPR has also influenced California’s Consumer Privacy Act, which will be effective in January.
But Wait, There’s More
As the global battle for information control heats up, these distinct approaches to privacy and data protection are manifesting in both local and global forums. In the next post, we’ll discuss the rise of data localization and its impact on security and privacy, as well as the global forums that are further shaping privacy and security policies. We’ll conclude with a brief look at the state of data protection regulation in the United States and detail why an American approach is needed to stem the tide of digital authoritarianism.