The past five years have seen huge changes in global data protection; since 2019 the proportion of the world's population covered by privacy regulation has risen from 10% to almost 80%. This reflects the increasing importance of data as an asset, as a mechanism of control and as a medium of exchange. However, the spread of privacy laws has not always been matched by robust enforcement, which in turn leads to very variable levels of compliance. By the same token, a lack of case law has meant that even though most privacy laws share basic principles globally, interpretations and implementation approaches differ widely.
Naturally the next five years, in terms of data protection, are being seen as pivotally about AI. We have a new wave of legislation in force, coming into force and being drafted, and a seemingly unstoppable tsunami of economic forecasts, opinion pieces, opportunistic startups and investor hype. Whatever reality emerges as the hype succeeds, it’s certainly inevitable that more personal data will be collected, processed and transferred by more people (and machines) in more places more often. It also seems probable that the consequences of all this processing for “data subjects” – you and me – will become ever more meaningful. If nothing else, AI allows decisions to take much greater volumes of data into consideration in an eye-blink, opening a door to even the most apparently inconsequential information forming part of life-affecting decisions.
Which is to say that the next five years will also have to see a step-change in the application of data protection laws, not just in their approval and proclamation. Yes, we expect to see most of the rest of the world’s population brought into scope – and there are major updates coming in, for example, India – but we should really be mapping the proportion of the population with effective regulators and the average degree of compliance in public and private sectors. In particular the extraterritoriality of data protection faces a degree of make or break – for the layman, this is the principle that your rights as, for example, an EU resident apply even when your data is being collected and processed by a controller outside the EU, and that the European regulators and courts have power to fine that control and compel their behaviour. Pretty well all global privacy laws include this provision for extraterritoriality, and the Irish regulator in particular has issued some very large fines to US tech firms as a consequence – but while billions of euros have been demanded, a handful of millions have been paid and there is scant evidence that behaviour has changed.
What’s becoming evident is the development of two very different approaches to regulation of data and AI; you could call them Atlanticist and Eurasian. Trump and Musk are leading a charge to deregulate in pursuit of growth, particularly with regard to AI – as we have seen for instance with both the investment decisions and the repeal of Biden’s Executive Order 14333. The UK is also ostensibly aligning itself to that light-touch approach, asking regulators to adopt a “pro-growth” outlook and avoiding explicit regulation of AI. However, the country is also establishing new regulators and standing firm on the Online Safety Bill, so it’s not clear that it is as comfortable with unfettered use of data as the US appears to be. The general position of Atlanticism is that AI represents an opportunity to overcome significant economic headwinds and that regulation must not act as a brake on innovation; the risks to individuals are secondary to this economic opportunity.
The EU, the major Asian economies and indeed a good number of what one might call non-aligned states are going the other way, with stronger legislation: the AI Act, the Digital Markets Act, the Digital Services Act to name but three in the EU, but also China and Singapore adopting formal AI regulation, while Japan considers it and India moves towards enforcement of its new Digital Personal Data Protection Act. Africa has also seen an uptick in legislation, as has the Caribbean and much of Latin America. On the Eurasian side there is a more cautious view of the AI goldrush and a stronger concern for the impact on individuals and the dangers of allowing very large corporations to increase the power asymmetry between them and their customers through the use of data.
Our belief is that growth comes from good decisions based on sound data, and from the establishment and preservation of trust – between consumers and suppliers, and between governments and the governed; as we have seen in financial services over the past decades, effective and interventionist regulation is an essential part of that trust-building. As data becomes even more central in all aspects of life and business, countries must grasp the nettle of regulation if they wish to lay proper foundations for their economies and proper protections for their populations in the coming age of AI. Our concern is that the fear of missing out on the AI goldrush which seems to be consuming – in particular – the US and UK will lead their governments to act in haste; it will be their people who will be forced to repent at leisure.