Most of the attention so far has been focused on the losers post-GDPR, which can be broadly summarized as “advertising networks.” Indeed, as Jessica Davies at Digiday reported over the weekend, programmatic advertising in Europe plummeted post-GDPR this weekend, potentially threatening profits at product lines like Google’s DoubleClick network (at least temporarily, until they figure out all the compliance issues).
However, the more interesting analysis is around who the winners of these laws will be (besides the lawyers of course). To me, it’s clear that the complexity around these data sovereignty laws ultimately benefits highly scaled service providers who can manage the nuanced regulations around these laws in an automated fashion. That means, ironically, that Google likely will win long-term on its cloud side, along with other major cloud providers like Amazon and Microsoft Azure.
That free market in data is rapidly disintegrating as governments increasingly take an interest in data, not just for privacy reasons, but also for population thought control and economic growth purposes. For software developers writing applications, that portends a complicated world for managing global and even potentially national data laws — a context that is going to be deeply enriching for service providers who can successfully help clients navigate this new world.
These new laws can be broadly grouped under the term “data sovereignty,” which is one of those terms you say at the World Economic Forum to sound like you are in the know. The goal of these laws is to move data away from the geographically agnostic world of cyberspace, and plant those records directly under local jurisdictions. In short, data sovereignty is where data and meatspace connect, and it is something we have covered on TechCrunch for some time.
While the European Union’s GDPR regulation has gotten the most press (probably because of the several dozen emails you received about it), the EU is hardly the only government enhancing its data sovereignty. China placed into force a law requiring all cloud computing and Chinese customer data to be hosted on China-based servers, and Russia has also been blocking Google and Amazon cloud services in an increasing war with Telegram. Many other countries have laws affecting how data can be stored and transmitted as well.
These laws are quite different, but they all serve the same purpose — to bring data back home and ensure that the desires of a country’s people (and, of course, its leaders) can be imprinted on how that data is used.
Here’s the challenge: These laws are enormously complicated and completely incompatible with one another. For all the questions about GDPR, it is perhaps the easiest one of the batch to handle. China’s regulations around the cloud are so opaque, it’s not even clear that the Beijing government knows exactly what its law entails. As Samm Sacks, a senior fellow at the Center for Strategic & International Studies, put it in a lengthy analysis:
Even as the [Chinese] government pushes to put in place a new regulatory framework around how data is managed and shared, there does not yet appear to be a higher-level consensus around how to do this in practice. From issues around cross-border data flows and what constitutes “important data,” to how to balance development of emerging technologies like AI with growing demands by Chinese users for data privacy, there is still unresolved internal debate in China about what this all should look like.
Multiply that complexity by dozens of governments around the world creating their own standards. Even within the United States, data laws are increasingly being drafted at the state level. California’a legislature is debating a bill that could bring a sort of GDPR-lite protocol to the Golden State. These laws force startups and large companies alike to potentially adapt to dozens of variations just to stay legal.
Once simple, data is now ridiculously complicated. What data to collect, where and when it can be stored, and what it can be used for are increasingly questions that require significant legal work to answer. Startups and even Fortune 500 companies are in no position to be able to handle these complexities without significant assistance.
That’s where I think the cloud providers are going to strike even more gold. Storing your own data isn’t just risky from a security perspective, it is also increasingly untenable in the fast currents of this data sovereignty world. Is every Fortune 500 company going to start building data centers in countries throughout the world just to stay legal? In the past, that answer was perhaps a bit more blurry, but today it is obvious: Everything is going to have to move to the cloud; the sooner the better.
That’s not to say that Google and Amazon have great data governance products — quite the contrary, in fact. But don’t be surprised when they announce features this year that increasingly handle these data sovereignty problems. The winners in complexity are always the abstraction layers — the Stripes of the world that simplify the development of a company’s core product. While there are startups in that space today, it’s the largest tech companies that are going to have the comprehensive data services required to manage this new terrain effectively.
GDPR has been described as an anti-Google law, but it may turn out to be the greatest-forcing function to drive adoption of Google Cloud. The irony may be that the supposed losers may well turn out to be the biggest winners after all.