Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
This "thought for the week" reflects on the geopolitical risks on global data, cyber and AI and explores what it means for organizations navigating an increasingly complex risk landscape.
I recommend a recent Bloomberg article on how increasing geopolitical risks impact the price of gold and silver. The article is interesting because it ties together geopolitical risks associated with Venezuela, Greenland, China, Russia, and other hot spots. It explains how geopolitical uncertainty has driven gold to post its best annual performance since 1979 and caused silver to rally even more. As of this writing, gold is up 71% and silver is up 176% year over year. The Bloomberg strategists note that, "Geopolitical tensions risk reviving the speculative frenzy in precious metals that began late last year, increasing the potential for heightened volatility."
So, what does the price of gold and silver have to do with global data, cyber, and AI regulation?
I can illustrate it best with a short story. A few years ago, on a vacation in Florida, I splurged on a golf lesson where the golf pro walks the course with you. On the first hole, my approach shot to the green ended up about 20 feet past the hole. As we reached the green and I peered from behind the ball looking at the hole, I could see the ground slanted slightly to the right, suggesting the ball would probably break left to right as it approached the hole.
Bill, my leather-skinned golf pro, asked, "How much do you think that will break?" I looked closely and said, "I think about 12 inches."
He laughed, "Look up and around the green. You're just looking at the narrow path in front of you, but this entire green is on a plane that is slanted to the right." I looked up, and indeed, behind me to the left was a high point on the corner of the green, and in front to the left was another. To my right, the green dropped off toward the ocean. As I took all of this in, Bill said "There's a lot more break than you think."
I recalibrated and planned for about three feet of break. I bravely putted the ball, and it and it still cut in front of the hole, so I still didn't plan for enough break, and it ran about 6 feet past the cup, so I hit it too hard. Oh well. Next time.
Data, cyber, and AI professionals need to take account of the bigger picture trajectory on geopolitical risks when advising our organizations
If we look narrowly at any regulatory development, we might only see a small part of the overall trajectory. For example, by all accounts, the U.S. Department of Justice's Final Rule on Protecting Americans' Sensitive Data from Foreign Adversaries was a significant development last year. It is a first of its kind cross-border transfer restriction in the U.S., motivated by national security/geopolitical interests, and backed by criminal penalties. Depending on your organization's geographic footprint and business operations, it could be somewhat brutal.
However, when we take a step back, we should anticipate that things are likely going to get more difficult. When you look up and at the bigger picture with geopolitical risks, you see the larger risks with U.S. efforts to consolidate influence and authority in the Western Hemisphere, China's initiatives in Southeast Asia and other locations, and other developments add complexity.
What is stopping China from responding to U.S. actions and adopting more harsh interpretations of its cross-border transfer restrictions and data localization measures under the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law? For that matter, what would really stop the U.S., China, and other jurisdictions from the adoption or development of entirely new and more aggressive cross-border and data localization restrictions in pursuit of geopolitical goals? With the diminished influence of the World Trade Organization, and increased geopolitical risks, we would do well to anticipate that the overall trajectory is more steep than any one development might suggest.
Geopolitical risks
We need to keep geopolitical risks top of mind as we advise our organizations on global data, cyber and AI issues.
Evaluate how increasing cross-border and data localization restrictions could impact your organization. There is no one-size-fits-all answer here. The more your organization depends on cross-border data flow and access, particularly across geopolitical hotspots, the more you should evaluate how restrictive regulations could unfold and impact your company, and what you can do now to plan for it.
Consider whether 'data islands' and other features could reduce some risks and still meet business goal. Global enterprises will need to communicate and work together across the planet, but are there opportunities to limit cross-border access to certain aspects of customer, employee, patient, user, or other data? Could the business still achieve its goals if access controls applied more restrictively, or if network segmentation was more broadly adopted in certain respects?
Build flexibility into your third-party vendor relationships. Assess whether or how you can incorporate flexibility into your third-party vendor relationships to keep the data and systems closer — near shore — to the operations that rely on them. The closer the data and systems are to these dependent operations, the less likelihood that such data would be impacted by geopolitical risks.
Advise senior leadership on potential risks, suggest possible options and alternatives, but leave them with plenty of space to make the ultimate decisions. Although geopolitical issues present real risks, many senior leaders will be able to identify potentially sizeable opportunities in the current environment.
As data, cyber, and AI professionals, we typically do not have the full perspective on the opportunities and are not in a good position to evaluate risks and rewards. We should provide our best advice to senior leadership about the current data, cyber, and AI regulations and issues, and equip them with the knowledge that they need from our space to make the decisions.
So, what do you think? Too pessimistic? Not pessimistic enough?
Brian Hengesbaugh, CIPP/US, is the global chair of data and cyber at Baker McKenzie.
