Posted on

GDPR, China, and data sovereignty are ultimately wins for Amazon and Google

The Great Privacy Policy Email Deluge of 2018 may have finally petered out, but we are just starting to build an understanding of who the winners and losers will be in this newly regulated data economy.

Most of the attention so far has been focused on the losers post-GDPR, which can be broadly summarized as “advertising networks.” Indeed, as Jessica Davies at Digiday reported over the weekend, programmatic advertising in Europe plummeted post-GDPR this weekend, potentially threatening profits at product lines like Google’s DoubleClick network (at least temporarily until they figure out all the compliance issues).

However, the more interesting analysis is around who the winners of these laws will be (besides the lawyers of course). To me, it’s clear that the complexity around these data sovereignty laws ultimately benefits highly-scaled service providers who can manage the nuanced regulations around these laws in an automated fashion. That means, ironically, that Google will likely win long-term on its cloud side, along with other major cloud providers like Amazon and Microsoft Azure.

Data used to be much simpler. Gone are my experimental teenage years of collecting user information on a school website and storing it on a MySQL database hosted on my personal computer in my home office with nary a privacy policy in sight (site uptime was about 80%, since I turned the computer off at night). Hosting your own data was easy, fast, and pretty much the Wild West when it came to any kind of legal or policy enforcement, as any startup in its early days can attest.

That free market in data is rapidly disintegrating as governments increasingly take an interest in data, not just for privacy reasons, but also for population thought control and economic growth purposes. For software developers writing applications, that portends a complicated world for managing global and even potentially national data laws — a context that is going to be deeply enriching for service providers who can successfully help clients navigate this new world.

These new laws can be broadly grouped under the term “data sovereignty,” which is one of those terms you say at the World Economic Forum to sound like you are in the know. The goal of these laws is to move data away from the geographically agnostic world of cyberspace, and plant those records directly under local jurisdictions. In short, data sovereignty is where data and meatspace connect, and it is something we have covered on TechCrunch for some time.

While the European Union’s GDPR regulation has gotten the most press (probably because of the several dozen emails you received about it), the EU is hardly the only government enhancing its data sovereignty. China placed into force a law requiring all cloud computing and Chinese customer data to be hosted on China-based servers, and Russia has also been blocking Google and Amazon cloud services in an increasing war with Telegram. Many other countries have laws affecting how data can be stored and transmitted as well.

These laws are quite different, but they all serve the same purpose — to bring data back home and ensure that the desires of a country’s people (and, of course, its leaders) can be imprinted on how that data is used.

Here’s the challenge: these laws are enormously complicated and completely incompatible with one another. For all the questions about GDPR, it is perhaps the easiest one of the batch to handle. China’s regulations around the cloud are so opaque, it’s not even clear that the Beijing government knows exactly what its law entails. As Samm Sacks, a senior fellow at the Center for Strategic & International Studies, put it in a lengthy analysis:

Even as the [Chinese] government pushes to put in place a new regulatory framework around how data is managed and shared, there does not yet appear to be a higher-level consensus around how to do this in practice. From issues around cross-border data flows and what constitutes “important data,” to how to balance development of emerging technologies like AI with growing demands by Chinese users for data privacy, there is still unresolved internal debate in China about what this all should look like.

China’s new cloud law remains as opaque as the Beijing atmosphere.

Multiply that complexity by dozens of governments around the world creating their own standards. Even within the United States, data laws are increasingly being drafted at the state-level. California’a legislature is debating a bill that could bring a sort of GDPR-lite protocol to the Golden State. These laws force startups and large companies alike to potentially adapt to dozens of variations just to stay legal.

Once simple, data is now ridiculously complicated. What data to collect, where and when it can be stored, and what it can be used for are increasingly questions that require significant legal work to answer. Startups and even Fortune 500 companies are in no position to be able to handle these complexities without significant assistance.

That’s where I think the cloud providers are going to strike even more gold. Storing your own data isn’t just risky from a security perspective, it is also increasingly untenable in the fast currents of this data sovereignty world. Is every Fortune 500 company going to start building data centers in countries throughout the world just to stay legal? In the past, that answer was perhaps a bit more blurry, but today it is obvious: everything is going to have to move to the cloud, the sooner the better.

That’s not to say that Google and Amazon have great data governance products — quite the contrary in fact. But don’t be surprised when they announce features this year that increasingly handle these data sovereignty problems. The winners in complexity are always the abstraction layers — the Stripes of the world that simplify the development of a company’s core product. While there are startups in that space today, it’s the largest tech companies that are going to have the comprehensive data services required to manage this new terrain effectively.

GDPR has been described as an anti-Google law, but it may turn out to be the greatest forcing function to drive adoption of Google Cloud. The irony may be that the supposed losers may well turn out to be the biggest winners after all.

Read more: