What happens when you bring 100+ years of collective experience together to unpack regulatory developments happening globally around cybersecurity and data privacy? We found out at the NetDiligence Cyber Risk Summit in Santa Monica this October. I had the pleasure of moderating two sessions featuring six top-tier experts who delivered detailed insights on how regulation is playing out in key regions across the globe. The two sessions—one on the UK, EU and the Americas; the other on Asia Pacific—are a must-watch for any organization doing business across borders.
Here are just a few highlights. Links to the live sessions are below.
UK and EU
All eyes are on Brexit and how the UK and EU will manage international data transfer and cross-border breaches in the post-Brexit era, said Clyde & Co partner Ian Birdsey. Already, a patchwork of jurisdictions, legislation, case law and common law are emerging. Meanwhile, the EU has issued 850 fines related to GDPR to date, including an eye-popping €746 million fine for Amazon. Look for a rise in regulatory investigations, challenges and appeals, along with a tougher litigation environment.
Two major pieces of legislation in Canada may bring regulations there closer to GDPR. Progress on Canada Bill C-11 is tabled following the recent national elections, but a Quebec bill has already been adopted, with enforcement expected in the next two years and other provinces taking note. Alex Cameron of Fasken also reports significant rulings in Canada’s “very active” class action environment, including the finding that plaintiffs may not bring a case against a defendant who’s been hacked.
California’s CCPA still leads the U.S. on the regulatory front, but Cinthia Motley of Dykema sees a “strong push for federal law” that could provide a more consistent regulatory landscape. Watch for the FTC to get more involved at the urging of the Senate. Outside the U.S., regulatory activity is ratcheting up in Peru, Colombia and Brazil.
Australia and New Zealand
According to John Moran at Clyde & Co both Australia and New Zealand are taking a more energetic role in regulation and enforcement. New Zealand’s new “incredibly active” privacy commissioner has been involved and even “hyper-involved” in breach response, while Australia’s Office of the Australian Information Commissioner is ushering in a “new environment of enforcement.”
China and Hong Kong
“Tensions between China and the U.S. will lead to more regulatory control,” Mun Yeow of Clyde & Co predicted. In fact, China’s two major pieces of legislation taking effect this fall—a data security law regulating the cross-border transfer of data and a personal information protection law with extra-territorial application—are a response to recent U.S. actions on international data access. A new anti-doxxing law in Hong Kong is a concern for Facebook, Twitter, Google and other U.S. companies.
“Southeast Asia is undergoing rapid digitalization across markets, particularly around fintech and ecommerce, bringing data protection and cybersecurity to the forefront,” said Sonia Ong of Wong & Partners. Countries in this region are in the process of developing new data privacy regimes, making this an area to watch. Singapore continues to lead the charge.
“Regardless of which sector you’re operating in, you need to continuously assess, implement, sustain or put in place robust compliance frameworks,” Wong concluded. “There’s going to be even more attention given to practical, innovative approaches to compliance going forward.”
Watch the full NetDiligence Cyber Risk Summit sessions on demand: