In May 2014, the European Court of Justice issued a ruling against Google in which it found that private citizens essentially have a “right to be forgotten” on the Internet. More specifically, the court found that individuals should be able to petition Google, or any search provider, in order to change what websites display when someone searches for that individual’s name.
The decision was heralded by privacy champions as a victory for individual rights, bemoaned by technology companies as added regulation that will stifle innovation, and met with trepidation among social scientists who cautioned about the censoring of the web. Google and other search companies scrambled to comply with the ruling, creating systems for users to request the suppression of search results and processes for adjudicating those requests. And around the globe, general counsels and compliance officers began to wonder what will come next.
The EU court’s ruling was just the latest example of the fragmentation of global data privacy laws, and as a result, the already significant burden of compliance for companies that do business internationally could grow worse. It is already difficult enough for international organizations to maintain robust anti-corruption and anti-money laundering compliance regimes with expansive know-your-partner expectations while also protecting employees’ and third-parties’ personal and data privacy rights in multiple countries.
And yet, more and more countries are passing privacy laws, or changing laws already on the books, and few of them are wholly consistent from jurisdiction to jurisdiction. Earlier this year, Brazil’s Congress debated but eventually dropped a provision in its data privacy law that would have required all Internet service providers to store data from Brazilian users on Brazilian soil. In March, the European Parliament passed a non-binding resolution calling for the cancellation of the U.S.-EU Safe Harbor framework that facilitates transatlantic data transfers — particularly in legal cases. Much of the new lawmaking follows a protectionist bent — fueled in part by Edward Snowden’s disclosure of U.S. surveillance activities — that could be downright disruptive. Should such laws actually come to fruition, compliance would certainly be costly, and possibly even contradictory to regulatory requirements in other countries.
At the same time individual nations are eyeing more stringent privacy laws, the international community has renewed a debate over the basic governance of the Internet itself. The rules of the Internet have always been written with U.S. government oversight; but in March of this year the United States announced it will relinquish control over the Internet Corporation for Assigned Names and Numbers (ICANN), the private body that manages the Internet’s domain registry. The repercussions of this decision are unclear, although it is unsettling that the country with the least restrictive privacy laws that also acts as the epicenter of web-access innovation would give over to more restrictive governance. While it is quite possible that the status quo will persist, if the same protectionism that has characterized the privacy debate also permeates decisions about Internet governance, it could lead to the Balkanization of the worldwide web, complicating even the simplest international communications.
If there is solace in any of this, it is that the methods of compliance remain largely the same regardless of how fractured the regulatory landscape becomes. To be sure, there may be one-off requirements like the ones search engines in Europe are currently grappling with, but by and large compliance begins with careful oversight of information. Knowing what types of information an organization has, where it is stored and how it is handled will enable the organization to manage most regulatory curveballs that come its way. Organizations that have already mapped their data can quickly apply new safeguards to respond to shifts in the legal landscape.
Of course, as the web of privacy laws grows more complex, it may become necessary to seek help from local experts with experience negotiating specific countries’ regulatory hurdles. At a minimum, global companies will need to be proactive and creative in the way they view this rapidly evolving compliance landscape. Monitoring political debates in different countries, for example, can provide indications of what types of new regulations might soon emerge, allowing organizations to anticipate changing environments.
New wrinkles remain inevitable as new protections emerge and transnational regulatory frameworks increasingly conflict. Most organizations will probably stumble as they navigate the new maze, but those that have diligently reviewed what information they hold and how they hold it have a better chance of coming through more or less unscathed.