Regulating cyber security and privacy - not so easy
Introduced in 2018, the General Data Protection Regulation (GDPR) was expected to revolutionize how companies and organizations in the EU treat data and address cyber security in order to minimize incidents. From privacy activists to bureaucrats, everybody was happy. Since then, many other countries have followed a similar path, as GDPR has inspired new data privacy legislation worldwide: from Bahrain and South Africa to Canada and New Zealand, an increasing number of countries are adopting new laws that put privacy first, in the hope that lax cybersecurity practices would be eliminated (aided by hefty fines).
More than four years after GDPR took effect, cyber attacks are growing relentlessly and customer records are leaking on a daily basis. From SMBs to critical infrastructure, it seems the foundations of technological society are threatened by malicious actors using increasingly sophisticated techniques. Threat actors range from state-sponsored organizations to business-like entities providing ransomware-as-a-service, just as if it were a legitimate subscription service. The situation is so dire that Gartner, a consultancy, now expects the first human casualties from accidents caused by cyber attacks by 2025.
At the same time, privacy regulations, and especially GDPR, have spawned many unintended consequences that even the most ardent proponents now acknowledge.
First, there is increasing evidence that privacy laws are being used (especially in the South-East Europe (SEE) region) to protect the identities of corrupt or inept government officials. Transparency initiatives and disclosure requests are often thwarted by citing personal data protection under GDPR. GDPR itself explicitly requires the public interest to be carefully balanced against data protection, but to no avail.
Furthermore, as the Economist reports, GDPR is being used against journalists investigating the corruption practices of various individuals, most often Russian kleptocratic oligarchs. "Powerful claimants are increasingly aware of the power of GDPR. In 2021 nearly 300 cases against the media were brought in British courts under data-protection rules – more than half the total number of media-law claims that year", writes Oliver Bullough.
It is somewhat ironic that a privacy law is being used as a weapon against journalists, effectively silencing free speech.
Second, data protection regulation is now often confused with data protectionism, i.e. a thinly disguised attempt to protect local industry players and keep data inside the country. The data sovereignty concept is being used by policymakers trying to lock down domestic data, as if data were safer simply because it is stored within national borders (it is not, of course). Autocratic regimes will certainly be more enthusiastic about data protectionism, as it allows them easier access to citizen data held inside the country. However, even democracies such as Australia and India are not immune to this muddled thinking, confusing data privacy with data protectionism in their policies and action plans.
Data protectionism inevitably leads to several adverse outcomes: poorer service and less innovation, more government corruption and cozy cronies, and of course higher prices for consumers, who foot the bill for regulatory compliance and for the loss of scale.
Third, regulations (mostly GDPR, with its heavy fines) disproportionately affect small and medium businesses. Although GDPR declaratively does not distinguish between large and small companies, the fact is that only large ones can afford the expensive lawyer teams and consultants needed to tackle the complex regulation. GDPR is now an effective barrier against smaller companies trying to dent the dominance of large market leaders. The only SMBs positively affected by GDPR are really the cottage industry of privacy consultants that has sprung up since its introduction.
And finally, there are many technical adverse consequences of GDPR and other privacy regulations. Consider the legislation forcing websites to obtain consent for their use of cookies. Annoying pop-ups are now featured on every website on the planet, so we've all learned to automatically click "I accept", "Ok", or "Yes, I'm happy", just to get rid of the banner. The consequence is so-called cookie consent fatigue. It has clear security implications - users are now more prone to click on prompts without reading or examining the content. And this is exactly what phishing attackers are looking for: less attentive users carelessly clicking on pop-ups means the attackers are more likely to gain unauthorized access to IT systems and steal personal data. The exact opposite of data privacy.
Privacy regulations are also impacting marketing practices in unintended ways. By making consent the foremost prerequisite (consent-driven marketing), they make it easier for companies to rely on the consent users have already given to social media platforms in order to distribute content and reach customers. The consequence: email and direct marketing are out, social media marketing is in. And so, counterintuitively, privacy regulations benefit and increase the power of the Big Tech companies, the very ones whose practices triggered privacy regulation in the first place. Meanwhile, few ask why the processing of mostly public data (such as a business email address) is treated at the same level as handling sensitive health records or police dossiers.
If history is any guide, future attempts at regulating the digital economy will be equally muddled. Regulation is now moving from privacy as a driver to focusing on cybersecurity incident reporting in specific industries such as aviation and pipeline transport. As an example, look at the recent attempt in the US to require aviation sector companies to report all cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. It is unclear what is to be gained from such burdensome requirements, other than confusion and an incentive for companies to be less transparent. A better approach is to focus on segmentation, access control, monitoring and other best practices.
A novel approach is being tried in Finland: the government is to help companies fund improvements to their cybersecurity through a voucher scheme. The proposal would fund cybersecurity training, tools, assessments and tests at companies in sectors considered critical. The scheme would target both SMBs and large companies. The potential for misuse of funds looks large, but the experiment is worth following.
The truth is that the greatest motivator for organizations to adopt a more serious approach to cyber security is the threat of going bust, losing money or suffering reputational damage due to business disruption. The rising cost of cyber insurance, and the measures insurers require before they will lower premiums, are a good indicator. The global ransomware threat is certainly increasing awareness at many organizations, both those hit by attacks and those watching their competitors get burned.
However, those that are under no threat of going bust, such as government institutions and organizations, will be the least motivated to get their act together. At the same time, these are the entities holding the most valuable and private citizen data, such as health, biometric, criminal and other types of sensitive records. Worryingly, it is precisely here that regulators and privacy activists are mostly silent, preferring to focus on US Big Tech and other popular targets for regulation.