GDPR went into effect less than a year ago. And still, the era of conducting global business with limited legislative obstructions already feels like some free-spirited, far away past. Right now the global landscape of data protection law is littered with obstacles and exceptions. GDPR has been the loudest but there are plenty of other regions and countries with regulations in place. Even within the E.U., countries like Germany and Switzerland have their own unique protection regulations. Russia and China have very draconian laws, and they're changing quickly. There are around 120 countries now with data protection laws in place.
The point is that today's data protection laws offer plenty of challenges, and they're just the beginning. In five years these data protection laws will seem as quaint as VHS tapes. The stakes for global businesses will increase proportionally as regulations become stricter and enforcement becomes ubiquitous (and not just aimed at Google).
I'm going to read the tea leaves now, and offer some conjecture about how data protection laws will evolve in the future and what companies can do to prepare.
GDPR To Become More Draconian
Something I've recently realized (and perhaps the EU has also realized), is that people will trade their privacy away without batting an eye. Without a second thought, they'll trade their privacy away for something as small as a single Instagram follower. Privacy means so little to most people because it's an often complex abstraction. But it can become a very concrete problem just as quickly as you can trade it away. Privacy is worth a heck of a lot more than people routinely value it. But you can't convince someone of that until it's been violated.
GDPR has huge enforcement potential (super steep fines), but the actual regulations don't really grapple with the fact that the people they're trying to protect are much too prone to casually sacrificing their personal data to any interested company offering a marginal incentive. GDPR tries to balance protection with informed user consent. I may be a cynic, but acquiring explicit, informed consent is difficult when the burden falls on the user to become informed. What sleazy or incautious companies end up with is explicit, uninformed consent, but it's indistinguishable from the "informed" variety, so long as the legal boilerplate is observed.
This is where GDPR will likely be amended in the future. If the goal is to protect user privacy, policymakers cannot escape a coming showdown with the inconvenient fact that people will eagerly trade their privacy for a chance to look at "10 Celebrities Who Didn't Age Well."
I know the direction of this logic is headed towards a 'nanny state.' I don't think the E.U. will ever look like what we see in China or Russia (a juicy topic for another day). But the existing GDPR regulations are short-circuited so easily by this user consent problem. I just don't know what solution there is, except to become more draconian.
Is The United States Next?
The United States, to this point, has not meaningfully entered the fray. But it feels like change is imminent. Governor Andrew Cuomo began steering New York towards data protection laws with his cybersecurity regulations back in 2017. California's data privacy law will go into effect in 2020. If the U.S. is going to move forward with disparate state-by-state data protection regulations, the challenge of compliance would be massive.
Today, companies are being severely taxed worrying about compliance with regulations in countries and regions. To imagine requiring compliance with different US state sovereignty regulations makes the head spin. The cost to businesses could be astronomical.
In January of this year, the Government Accountability Office published a report recommending that the United States Congress consider the implementation of data privacy legislation. This kind of legislation will likely take years to coalesce. But if you're not worrying about it to some extent, you probably should be. It's coming.
In the meantime, more states will continue constructing their own data protection laws. It's possible that the whole country could be covered in this strange, unbalanced scaffolding of state-specific data regulations.
Data Protection Stress & Silver Lining
The only certainty for the future of data protection laws is that they will proliferate. To what degree is uncertain. But you can hang your hat on the fact that at some point your business will need an architecture that can adapt to evolving regulations, wherever you do business.
I read this really interesting report recently, by Accenture, in which they showed that CTO's and CIO's are, in large part, worried about the future of global business because of data protection regulations. The upshot is that many companies are planning to punt on doing business in –or expanding to– certain countries because of the laws.
CIO's, CTO's, Chief Architects, and other business decision makers are asking themselves questions like:
'Is it worth it to become compliant in India, China or the E.U….?'
"Can we even do that technically? Can we adhere to this new set of regulations in such a way that we are in compliance?"
Those are the right questions to be asking. If you're the Chief Architect and your job is to make the decisions about how to move forward you don't have a lot of options.
Most data sovereignty laws are specific about the requirement that data is stored locally. With any monolithic database architecture (this includes virtually every mainstream, traditional vendor from Oracle and SQLServer to MySQL and Postgres), this means you'd need to run a version of your business or service in each region with strict data domiciling regulations.
This is an expensive cost structure, as your operating costs cannot achieve economies of scale. Technically, this often requires application-level balancing of database connections, loss of transactionality across siloed services, and complexity which accrues cumulatively. You'll have to weigh that cost with the market opportunity and make a decision. Or, consider updating your architecture.
To comply with regulations and to flexibly adjust to future regulations, you need a truly global data architecture. The world is more connected than ever; customers move, customers travel, and customers interact across regional boundaries. The right data architecture should reflect that reality.
The foundation for building a global data architecture is a database capable of partitioning data geographically according to domiciling constraints. This infrastructure allows services to be deployed once and expanded as necessary to meet demand, even as new regions have differing data sovereignty requirements. This enables economies of scale for your operational costs. It also manages complexity by pushing difficult problems (like transactional guarantees and queries across regions) from the application layer into the database's domain.
While this blog entry has had a bit of a gloomy tone, we can end on a lighter note. Rapid advances in available tech have set into motion an industry-wide migration to the global cloud, and with it a transition to cloud-native, distributed architectures. And as with every historical technological shift, new database architectures have arisen to tackle expanding business requirements and opportunities by exploiting new resources and capabilities.
With a globally spanning CockroachDB cluster, for example, you can pin user data to a particular country/region using geo-partitioning. Pinning the data will have the added (and not insignificant!) virtue of decreasing the user-experienced latency (think of this as the revenge of the Aussies).
Additionally, CockroachDB is cloud-neutral. Which means that you can avoid being locked into one specific cloud provider. The promise of the global cloud encompasses more than trading your current deployment environment for the AWS monoculture. The reality for most businesses is to build a bridge to a cloud-first future via a hybrid embrace of the public cloud. Once there, flexibility to use a combination of providers will be the key to agile adjustments required for the data protection laws of the future.