GDPR and Information Security Arbitrage

As the countdown clock continues to speed toward the May 2018 imposition of the General Data Protection Regulation (GDPR) in Europe, many public and private sector leaders remain either oblivious to or confounded by what may become the world’s most far-reaching privacy and information security standards.

GDPR sets out directives on data privacy and security, adopting a carrot-and-stick approach to information security, the biggest stick being the EU’s ability to impose fines of up to 4% of global turnover or €20 million on firms that, in the judgement of regulators in Brussels, breach the new mandates or put the data of EU citizens at risk.

Today there is an array of inconsistent survey data regarding GDPR preparedness, both for large corporate enterprises and for the small and medium-sized businesses that will be required to comply. Even among those companies that claim to be set for compliance, uncertainties will remain until EU auditors put the new regime into effect. In the face of ever-increasing technical cyber threats and potentially crushing fines, careful preparation for GDPR should be a significant agenda item for executives and board leaders of global businesses conducting commerce anywhere in the EU.

However, government leaders both inside and outside the EU should pay close attention to GDPR implementation as well. Will GDPR prove to be an example of regulatory overreach that creates a host of unintended consequences?

One primary concern is the likelihood that GDPR will create an information security arbitrage that will be deliberately exploited or inadvertently tripped as companies scramble to abide by these rules.

Information security arbitrage, much like the financial or tax arbitrage opportunities that emerge wherever rules differ across borders, arises when data privacy and security standards follow the path of least resistance. For example, will global companies, fearing the loss of a share of their worldwide revenues, establish their base of operations and data centers in lax information security and privacy environments? Similarly, will companies that continue to labor under a culture of obfuscation and occlusion, as we saw with the now infamous Yahoo! breach, stop abiding by cyber breach reporting requirements altogether? Executives must learn that bad information does not improve with time, and GDPR ups the stakes substantially.

GDPR represents new privacy terrain in its ambition, particularly for the centrality of individual privacy and for putting the “right to be forgotten” at the forefront of 21st century cyber security regulations. Its principal challenge, however, is the lack of harmonization across major markets around the world, not least of which is the distinct gap between European privacy standards and the more laissez-faire US model. Some will argue that the punitive measures associated with GDPR are a de facto form of trade sanction, particularly in targeting American tech titans like Google, Facebook and others. Indeed, the punitive approaches EU regulators have taken toward non-European firms must give executives pause as to how GDPR and its considerable yet vague red card system will be wielded. The EU’s recent $2.7 billion fine against Google on antitrust grounds does not augur well for how major technology firms will receive GDPR (or how enforcement agencies will wield it), although they are not the only ones who will be affected.

Another complex challenge with privacy regulation and harmonization is the extraterritorial nature of cyber threats. This will produce a raft of litigation and complaints about GDPR’s application, as questions will always remain as to the geographic provenance of cyber security breaches, attacks, or other events, raising the specter of legal challenges to GDPR’s jurisdiction. With the advent of this new body of privacy and security regulations, one must also ask how GDPR and individual privacy will compete with the growing wave of physical security threats across continental Europe and the world. Rather than viewing privacy and security as trade-offs locked in a bitter contest, one must look at privacy and security as two critical aims locked in co-movement. Critically, the same set of stringent privacy standards that protect innocent individuals can also be used to shield people with more nefarious motives, whether to carry out low-grade terror attacks, commit financial fraud, or commit other crimes that benefit from the opacity of the internet and the blanket of privacy laws.

As we have seen with the forced solidarity that has often united the EU, especially in the post-Brexit era, abiding by and imposing GDPR inside continental Europe will also strain under the weight of growing Balkanization, even among historically staunch Europhiles. Financial hubs such as Amsterdam, Paris and Geneva – all jockeying to fill the financial void left behind by Brexit – will be hard-pressed to levy such steep fines on global organizations that call their cities home. How notoriously discreet Swiss banking laws coexist with GDPR is but one of the many internal challenges with which EU privacy regulators will have to contend. These rules and the ensuing tension they create may risk the flight of capital – human and financial – from Europe. Not unlike how banks made the now hollow threats to leave the City of London after regulators proposed caps on banking bonuses, the advent of GDPR may very well see companies threatening to dislocate their operations from the parts of Europe where the standards are most stringently applied. Naturally, this will be a Pyrrhic victory: on the one hand privacy advocates will see individual rights upheld, and on the other firms will have to forgo market access to Europe, which will surely drive compromise as GDPR comes into force.

Laudably, GDPR seeks to establish key protections for EU citizens in an increasingly perilous digital environment. However, the punitive approach will likely create a rift between the public and private sectors, which now more than ever must collaborate on cyber security and privacy, as opposed to being pitted against each other in a fierce tug-of-war, as we saw in the Apple vs. FBI case.

Not unlike the populist tit-for-tat era that we have entered, it is plausible to envision nationalistic responses to GDPR from countries around the world, including the US. Such a response would not only blunt the effect of these regulations; it would potentially trigger a veritable privacy or cyber security trade war as nations jockey for pole position as the most liberal places to conduct business in the digital age, further eroding privacy standards and global coordination.

Just as the world has offshore tax havens, will the lack of global harmonization on privacy and cybersecurity see the creation of privacy havens? For a risk that requires abiding by the highest standards of care, a race to the bottom will not only be bad for business, it will be bad for global security. In short, in addition to worrying about technical counters to complex digital risk, contemporary leaders must be mindful of unintended consequences when establishing far-reaching cybersecurity and privacy regulations.