Skip to content Skip to footer

Loading Results

Privacy megatrend: Battles in a tripolar privacy world

Privacy regulatory programs will coalesce around the European, US or Chinese models.

Why will it happen?

Privacy practices gravitate toward one of three models depending on which one fits best with the prevailing national culture. The European model asserts the rights of individuals; the American approach is built around protecting consumers from specific harms, including data breaches and lack of transparency; and China’s model is built around well-defined controls. Over the next decade, countries will continue to pass new privacy regulations patterned after one of these models. 

Ongoing regional clashes on trade and monetary policy and state-based cyberattacks will reinforce constituents backing data-localization regulations and enforcement. 

But convergence around four of 10 baseline requirements for compliance with privacy regulation is occurring. Global requirements have 1% or less variance from our baseline controls, when it comes to strategy and governance, privacy by design, training, awareness and information security. Multinationals can operate these capabilities as global standards from their corporate headquarters. Meanwhile, there is much variance in two — privacy incident management, at 51%, and individual rights processing, at 41% — that operational capabilities and processes need to be highly localized to be effective.

“As countries such as in the Middle East who didn't previously have any data privacy regulation start to introduce it, the privacy pole they gravitate toward will significantly impact organizations operating there.”

Phil Mennie, PwC Middle East Privacy Leader

What’s driving the pace of this trend?

  • Data-intensive technology innovation.
  • Public concerns over personal and societal harms of technology and data-use impact.
  • Heightened pressure on politicians for results.
  • Heightened nationalism and calls for fair or ethical data processing and technology adoption.

How will it impact business? 

Addressing the varying regional requirements and enforcement of the three privacy poles will require multinationals to redesign cloud migration, data center consolidation and supply chain optimization initiatives. 

The convergence of privacy regulation with antitrust enforcement, particularly in technology, is expected to further incentivize the unbundling and regionalization of business models. 

What should CEOs do?

  • Alter the balance in the global business operating model between centralized and regionalized functions to address data localization requirements.
  • Consolidate the data governance, data analytics, data privacy and information security functions, and assign accountability in all operating regions and the three lines of defense.

“Developing countries are being forced to abide by worldwide standards, which can be complex to legislators and regulators.”

Astrid Schudeck PwC Chile Privacy Leader

Here are your seven privacy megatrends

Contact us

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Mir Kashifuddin

Mir Kashifuddin

Principal, Cyber, Risk & Regulatory, PwC US

Joseph Nocera

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Sean Joyce

Sean Joyce

Global Cybersecurity and Privacy Leader, US Cybersecurity, PwC US

Follow us