Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

I would like to first note that the odds that Indiana University would win the College Football Playoff National Championship were +10,000 — 100-to-1. You may know that last week, Indiana University did win the playoff, overcoming a tough Miami University opponent and those incredible odds from the start of the year. 

I'd also like to propose another long-shot prediction: the U.S. government will pursue a multilateral treaty or arrangement on data, cyber/national security, and artificial intelligence. I know everything seems to be trending toward a disruption of longstanding multilateral arrangements. Let me explain why the circumstances might be right for such an apparently unlikely scenario.

For context, I recommend checking out this fascinating discussion at the World Economic Forum between Christine Lagarde, Larry Fink and Ken Griffin. You may recall Lagarde held the prestigious role of Baker McKenzie chair, and now is doing something else interesting, oh yes, president of the European Central Bank. Fink is the CEO of BlackRock, the largest money-management firm in the world with USD10 trillion in assets under management. Griffin is the founder, CEO and co-chief investment officer at Citadel, a multinational hedge fund firm that manages USD68 billion in assets. 

Their discussion at the WEF touched on a wide range of topics including AI/data privacy, geopolitical fragmentation, sovereign debt, and comparisons between today and prior eras, most notably the 1920s. The part that caught my ear the most was related to Lagarde's comments on the promise of AI today and the differences with the innovations of the 1920s — the electrical grid, combustion engine, assembly lines, etc.  

Specifically, while the advancements of the 1920s could progress within national borders, the promise of AI today can only truly flourish to its full potential on a broader scale that transcends borders with regard to data, capital and opportunities for commercialization. To get there, it will be essential to have a "minimal degree of cooperation" between and among countries to accept differences in cultures, paradigms and approaches. Only through such a minimal degree of cooperation will countries find enough common ground to establish standards and allow for the necessary access, licensing and features to realize the full potential of AI.

A pivot toward a multilateral arrangement on data, cyber/national security, and AI

This has me thinking that the conditions may actually exist for a pivot toward a new multilateralism to develop a treaty or multilateral arrangement on data, cyber/national security and AI. Several factors would support this pivot, both for the U.S. and other trading partners, such as the EU. 

A multilateral arrangement could remove cross-border barriers that limit access to data and growth of AI development. While retaining core substantive protections, the arrangement could address restrictions associated with cross-border transfer prohibitions, data localization requirements, and emerging AI and cyber regulations. 

As one example, such a multilateral arrangement could be developed with a view to amending the restrictions in the EU General Data Protection Regulation that give rise to a need to develop bilateral, transatlantic solutions — such as the EU-U.S. Data Privacy Framework — that are subject to invalidation by judicial review. 

Such an approach would help to establish more certainty for multilateral businesses and a high degree of data protection.

A multilateral arrangement could de-regulate AI within jurisdictional boundaries. This type of initiative could assist with goals of de-regulation within countries/unions to help unlock the potential of AI. 

For example, within the U.S., more than 20 states have adopted comprehensive data privacy laws with different scopes of application, and substantive and procedural requirements. Increasingly, states are also adopting standalone AI laws, or AI regulations within privacy laws.  

As state authorities proceed with the development of more detailed regulations, and embark on more aggressive state enforcement actions, companies have difficulties aligning compliance programs to these various and divergent standards. 

On a parallel track, within the EU, there are de-regulatory initiatives, perhaps most notably the Digital Omnibus that aims, among other points, to streamline the implementation of the EU AI Act. A multilateral initiative could provide a framework for accomplishing those domestic goals.

New multilateral frameworks are already emerging. The U.S. government recently proposed the establishment of a multilateral Board of Peace. Originally intended to address Gaza, it appears that the focus could broaden to other arenas and pressing global concerns, with something like 20 to 35 countries expressing an interest in joining. We will see how and under what timeline this develops, but it is a sign that the U.S. administration has an interest in multilateral initiatives. 

Multilateralism is dead. Long live multilateralism. All this suggests that, while the old models of multilateralism may be fading in some respects, the world still needs cooperation. A new form of multilateralism may be emerging between longstanding friends and countries with common interests.

Implications for global data, cyber and AI

The data, cyber and AI leaders for global businesses should be mindful of several threads related to the possibility of such a multilateral arrangement.

Retain a wide-angle lens on legal developments on data, cyber and AI. If anyone might be inclined to dismiss out of hand the possibility of a pivot as described above, I'd call your attention to at least a dozen developments in the recent past that no one would have predicted — beyond IU winning the national championship. I think everyone can agree these are uncertain times.

Remain attentive to the details. A key question for any such multilateral initiative would be the grouping of countries that would participate. I recently authored an IAPP article that suggests this type of multilateral arrangement might logically focus between and among liberal democracies. 

I also spoke with IAPP Editorial Director Jedidiah Bracy on The Privacy Advisor Podcast expressing similar predictions. There are advantages and disadvantages to different scopes and approaches, including with respect to feasibility of achieving common goals. These issues need to be worked out, but would certainly impact multinational businesses seeking to do business globally.

Consider incorporating this possibility into discussions with senior business leaders. You might not wish to suggest to senior leadership of your organization that such a multilateral treaty on data, cyber/national security, and AI is "more likely than not," but I do think you can mention it. It may be a helpful data point for them and help them to adapt plans more readily if signs start to emerge that this is a direction of travel.

Brian Hengesbaugh, CIPP/US, is the global chair of data and cyber at Baker McKenzie.