The Emerging Multilateral Order in Privacy Regulation
Future Insights 2025 blog series, post #4
Nick Savvides
Note from Lionel: Welcome to the fourth and final post in our Future Insights 2025 series. In this post, Field CTO & Director of Strategic Business, APAC, Nick Savvides tackles privacy regulation and the forces that will impact it looking ahead. Click to read previous posts in the series.
###
Two years ago, I gave the first in a series of forward-looking talks examining the impact of geopolitics and demographics on the global cybersecurity landscape. One of my key predictions was that a more multilateral world order was coming into being, with significant ramifications for cybersecurity. From consuming technologies to building them; from hiring cyber-warriors to implementing AI automation; from financing start-ups to complying with regulation—all of this would become significantly harder, more complex and more expensive.
Here I’m going to take a closer look at one part of this big picture: namely, how the balkanization of global privacy regulation will impact data security. I see AI adoption accelerating this trend, leading to major developments and challenges in 2025.
An old trend, picking up speed
Privacy regulations are not new, having been around in one form or another for decades. We’ve had regulations at the national, sub-national and supranational levels, all covering different and overlapping areas.
This has always been a complex area, but the internet era increased this complexity as regulators all scrambled to modernize. We saw significant changes and the introduction of new laws in every major jurisdiction throughout the 1990s and 2000s. In some jurisdictions, we even had competing regulations, typically around collection and retention, where complying with one meant you were not compliant with another.
By the mid-2010s, companies struggled to maintain compliance with the myriad of rules, and things would get even more complicated with the extra-jurisdictional implications of the European General Data Protection Regulation (GDPR), which expanded regulatory reach to anyone processing EU citizen information.
For some time there appeared to be concerted efforts to streamline regulations, aiming not necessarily at harmonization but rather at mutual recognition. This was based on how cross-recognition has helped other highly regulated areas, such as telecommunications, electronics, and aircraft and automotive manufacturing.
It is well understood that over-regulation has a significant negative impact on economic growth and innovation. Regulators in all fields look to strike a balance between regulation and innovation. Unfortunately, it is the nature of rules that they constantly grow. It takes major shakeups and real effort to streamline and optimize them, and for a while I was hopeful this would happen here.
But presently there is a nexus of forces working against this, all against a backdrop of businesses collecting, processing and storing more data than ever but also now feeding their data-hungry AI models.
Regulatory expansion and balkanization
I no longer think we should hold out too much hope when it comes to streamlining regulation. One major reason for this is the geopolitical shift to a multilateral world order.
My prediction here is that we will see some streamlining, but it will be in clusters, aligned with geopolitical groupings of countries. When I say this, I usually get asked, “But isn’t that still good, if it reduces the burden of compliance?” The big issue is that I believe there will be an enforced lack of cross-recognition and an intentional introduction of differences between the clusters. Friction and complexity will be by design.
I also believe we will see significantly conflicting regulation, where what is obligated in one jurisdiction is explicitly prohibited in another. For example, companies might be forced to collect some information in one jurisdiction but prohibited from collecting it at all in another. Some collected information may be allowed for some purposes in one jurisdiction but prohibited for those same purposes in another.
Companies operating across these market jurisdictions are going to need to know what their obligations are, to which regulators, to which users, to which data, where that data is stored, how this data is being used downstream and how this data is managed throughout its lifecycle.
All of this sounds expensive and complicated, because it is. It will likely result in duplicated infrastructure and services, bigger compliance problems, significant residual risk and a myriad of policies and procedures operating inside organizations.
The AI revolution
This wouldn’t be a contemporary discussion if we didn’t discuss AI. We have businesses scrambling to use it, and governments scrambling to regulate it. AI has captured the imagination not just of creators, but of regulators as well.
We are still very early in the era of generative AI and of outsourcing decision-making to AI, but regulators are moving quickly. We have already seen significant new regulation and proposed regulation around AI. Unfortunately for innovation, we are also seeing regulation in some jurisdictions that ranges from mildly excessive to cripplingly onerous.
A few weeks ago, I was invited to contribute to a panel at GovWare discussing data security considerations when adopting AI. Now, GovWare is the biggest cybersecurity conference in Asia-Pacific, with over 13,000 attendees. It’s probably superfluous to say, but the massive show floor was absolutely covered with the letters “AI.” Even with all of that, I still don’t think we’ve hit peak AI hype.
The panel was on the second day of the conference, and the attendees had already been inundated with AI content and messaging. You’d think the audience would be tired of the topic, but they couldn’t get enough. After a wide-ranging conversation, we were bombarded with questions, not about AI technology, but rather about governance and security, with a real focus on how to manage all the data that AI demands.
And this is what leads us to the multilateral problem. Vast volumes of data are required for AI to be effective, productive and generative.
This is a problem when this data is covered not just by balkanized and conflicting data privacy regulations, but also AI regulations.
We are facing the prospect of organizations only being able to use AI with data collected in certain jurisdictions. Derivative works—the generative output—and business outcomes may have to be different in different jurisdictions. Commingled data that may be acceptable for a human to access may not be allowed for AI.
Even worse, what happens to models trained on data for which the data subject can revoke permission for AI use at any time?
These are not just design-time considerations; these are operational, ongoing considerations.
AI has become a proxy for geopolitical strategic goals, and I expect that the current challenges around access to semiconductors, AI tools and software are going to spill over into the data protection environment.
We can’t give up on data privacy regulation
After reading all of that, it’s easy to say that we will all just struggle along: Some will get breached, some will violate laws, some will receive massive fines and some will spend years in court. And while there is a little bit of truth to this, there are things we can do to be prepared.
A rubric that has served me well in this area has been to ask and answer two questions:
- “Am I a good custodian of the data that I hold?”
- “Am I doing what is expected of me to protect data?”
These questions are still very valuable today, even in a multilateral world. Typically, on an individual regulator level, when something goes wrong, reasonable regulators and authorities will measure you against these questions and use them to determine follow-up actions.
I deliberately chose the word custodian because so much follows from it. To be a good custodian you must know what data you hold, where it is, what it’s regulated by and who has access to it. From protection follow observability and controls over data usage.
This is a good start, but the multilateral order demands that we also prioritize efficiency. This may come as a surprise with so many other considerations to choose from, but I believe efficiency will make or break everything else.
Organizations must embrace technologies that will allow them to scale their data security and privacy practices to cover this new complex environment. If this doesn’t happen, the programs will shrink to cover only their core jurisdictions, and the others will fall by the wayside. In the past this might have been unfortunate, but now it could be catastrophic.
From efficiency flows tooling that empowers end-user employees to quickly identify which regulations apply to the data they are using. This must be paired with revamped education programs to elevate users’ understanding and management of data.
While some may disagree with my thesis here, I think we can all agree that data security, privacy and regulation problems are only going to get bigger and more challenging. It is our task to identify and implement solutions that will keep these problems from spiralling out of control.
Nick Savvides
Nick Savvides serves as Field CTO & Head of Strategic Business, APAC at Forcepoint. In this role, he is responsible for growing the company’s strategic business with its key customers in the region. This involves taking the lead to solve customers’ most complex security issues while accelerating the adoption of human-centric security systems to support their business growth and digital transformation. In addition, Savvides is responsible for providing thought leadership and over-the-horizon guidance to CISOs, industry and analysts.