Could U.S. pushback on foreign data laws recast global business operations?

Terry Gerton The Trump administration has formally directed U.S. diplomats to push back on foreign data sovereignty and localization rules. This seems to me a change in strategy, a change and focus. Let’s talk about what those changes mean. From your perspective, how significant is this direction?

Robert Cruz I think it’s fairly significant considering what’s happening in the world today. And I think that’s really highlighting the importance of data. The fact is for a lot of technology, access to information is really what drives innovation. And so the message here that I’m interpreting is we really need access in order to ensure that our data models are complete and accurate, are powerful, and localization and sovereignty rules just make that much more complex.

Terry Gerton We’ve been discussing this issue for a while now. I mean, the GDPR in Europe was sort of the introduction to the conversation. Europe has passed its AI Act and some others. As you think about this guidance, it talks about raising costs, limiting AI and cloud services. How real are those risks and what’s the impact for U.S. firms?

Robert Cruz I think the costs are real, because when firms have to make a decision of where information can live and how it needs to be accessed, that just creates much more complexity when they look to deploy solutions that have a global footprint. So, sorting out the complexity takes time, it adds cost. But I think the likelihood is very real that it’s reflecting a divergence in philosophies across different regulatory bodies, for one, some of which are more prescriptive in nature, like the EU AI Act, and others are more principles-based. And that’s one division you’re starting to see for things like AI regulation — just a lot of different points of view and perspectives that firms have to reconcile across different jurisdictions.

Terry Gerton Speaking of governance bodies, the cable invites people to participate in the Global Cross-Border Privacy Rules Forum. Is that a real organization? Tell us about that.

Robert Cruz I don’t know what the formal structure is behind it. I think it’s one of the things that, collectively, trading partners have tried to implement as replacements to existing frameworks to make it easier for individuals and firms to be able to transfer and leverage information across borders. This is something that I know that’s being addressed as well through the EU AI Act, which basically is trying to make costs associated with transfers go away. I think this body is another one in that effort to make sure that there’s greater transparency and fluidity of information as it moves across borders. What are its enforcement mechanisms and is that going to be comparable to what we see with GDPR and other regulatory bodies? Unclear, or at least I have not seen prescriptive guidance or any kind of clarity on how this would actually be implemented.

Terry Gerton You implied that at the core of this are really diverging philosophies about privacy and handling data. The EU has really been tightening its grip on cross-border data movement with those laws that we mentioned, the GDPR and the AI Act. So if you’re a multinational firm and you’re thinking about different governance structures in different regions, how do you balance, how do you make sense of these different philosophies?

Robert Cruz I think reconciliation is very complicated and the horizon-scanning that firms have to do to make sure that they know what the developments are in the markets they choose to serve is vital. You can’t shortcut that process. So as we talk to a company that says, we’d like to deploy in these markets in Europe, these markets in Asia, it takes a lot of homework up front to know not only are there jurisdictional requirements, how severely are the penalties if you violate those provisions, and what are the mechanisms to work with those, so that if you need to provide access, you can do that without having to store the data physically within those jurisdictions? So it’s adding complexity and time, but I think a lot of firms that have done this realize that it’s a very fluid picture that they have to pay attention to, make sure they’ve got resources in those markets or advisory staff that can keep them apprised of developments.

Terry Gerton I’m speaking with Robert Cruz. He’s vice president for regulatory and information governance at Smarsh. The European approach seems to be very focused on protecting the privacy of the individual. China’s approach here seems to be a little bit different, more focused on industrial competition. Talk to us a little about the scope of those differences.

Robert Cruz Ultimately, that is in some cases countries saying, we will be a leader in AI as a nation and we’re going to protect the innovation and the data that’s going to help us to get there. So you see that from China; you also see that in markets where focus is more around, how do you identify and mitigate risks — much more than it is trying to free up innovation and a very aggressive use of AI. You see that difference, even within the EU and the UK, a difference in philosophy. So if you’re working in markets that also have AI innovation centers, it’s really making sure that you can understand how they are trying to grow that industry to see if that aligns with the perspectives of those countries you serve here, whether you’re headquartered in the U.S. or elsewhere. It’s really knowing what is the objective that the government brings, because those are being directly translated into regulatory obligations in industries. So, you really need to get a picture of that overall objective that those nations have before making these investments.

Terry Gerton If we could posit that the EU approach and the Chinese approach are sort of the opposite poles on the spectrum of how regions or governments are handling data movement, data portability and privacy, where would you put the United States on that spectrum given this new cable and guidance?

Robert Cruz Oh, it’s clear. I think the U.S.’s perspective, at least with this administration, is to encourage innovation. They want firms to move faster, not just in AI but also in crypto. And so the regulatory philosophy and approach is going to be, provide some principles but ensure that firms can move quickly, and being able to consume and leverage this technology. You see the regulatory philosophy directly tracking back to what the administration is trying to accomplish, which is to be the leader in AI as well as within crypto. That’s a stated mission. So you see the U.S. on the side of, let’s free the administrivia and all the constraints that just cause firms to have to wait, and encourage them to innovate and move faster.

Terry Gerton That seems to present two problems. One is a lack of guidance and governance, and two is a risk to individual privacy. How do you see those two concerns getting balanced out in the U.S. approach?

Robert Cruz It’s very intertwined. If you look at what’s happening with AI, it’s very similar to the whole process we saw following GDPR. Firms have to make a decision. What are the controls I need to build? Do I take a very least common denominator, or do I look at the most rigorous standard and apply that? We see firms moving in that direction. If I’m doing business with a citizen of the EU, they have rights and I need to make sure I understand what those are and that has to be reflected in the way that I’m building up my control set. So, you know, I think the privacy exercise, it’s not ideal. Nobody likes the fact that we’ve got this complex patchwork at the U.S. state level that has to be reconciled internationally. But I feel like we’re heading down the same course with AI, with state level regulation and just the need to try to balance all these conflicting ways that states, nations, allies and enemies are thinking about this.

Terry Gerton We touched at the beginning of our conversation on the costs of this variability, right? So there is a cost for choosing the most extreme compliance and thinking that that will cover you in any exigency. There’s a cost of not having clear guidance and the friction that comes from that. So if you’re a corporation, whether you’re U.S.-based or based somewhere else, how do you balance these costs and your strategy for navigating all of these different frameworks?

Robert Cruz That’s the magic ball sort of outcome here, because it’s the cost complexity, but I think the bigger challenge is just the uncertainty. Because of what’s happening in the world today, the question becomes, can you really trust your trading partners? Can I be confident that the rights mandated in a privacy regulation are going to be adhered to by my trading partner? I think that’s the biggest question firms are faced with right now. And really there’s no answer other than we need to see how our alliances will work together to make sure that if I say that I’m going to adhere to a privacy regulation elsewhere, that we follow through and actually do that. So I think the trust element and just the confidence that I’m going to do what I say I’m going to do is probably where firms have to be thinking today. But the complexity part of this is you need to have systems that are very agile and responsive to change because that’s inevitable, these things will continue to evolve.

Terry Gerton Assuming that you were providing guidance, then, to those firms in light of the situation that we’ve just discussed, what would be the first step that you’d tell a multinational corporation to take right now to make sure they’re not caught in the clash between these competing privacy and data regimes?

Robert Cruz Well, it’s always great, you know, operational planning and what is plan B? What is your fallback if this doesn’t materialize the way you expect? So just looking at different scenarios — if there is a country-level mandate for jurisdictional assurance, and if that is implemented, then how else might you be able to manage your obligations at a regional level? Is there another approach that you can provide access to data? You have to think through those contingencies. But I think the other element is making sure that you know who you’re doing business with, because so many firms are dependent upon others. The third-party risk management here is huge, and if I have partners that work with me to deliver a solution in a particular geographic market, what are those third-party capabilities? Do they have the flexibility, the agility to respond to change? And particularly in the era of AI, there’s a lot of shiny objects. There’s a lot of tools that may or may not have an understanding and capacity to deal with things that are happening at a regional level. So that third-party risk management thing really hits me as an area that firms have to be very aware going in that you have the right partners.

Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.