Privacy

From Today to 2030: A Vision for Data Privacy

By Wong Wai San, Tham Shen Hong, Tomoko Naoe, Joseph Whitlock, Venkatesh Krishnamoorthy, Kate Goodloe, Thomas Boué, Olga Medina, and Irma Gudžiūnaitė

Data Privacy Day offers a fitting time to reflect on the future of data privacy. With many significant elections taking place globally in 2024, it is natural to think about what the next five years might bring. What does an ideal world look like, and what needs to happen now to achieve it? 

In the TechPost below, the BSA global team shares their perspective on the evolution of data privacy. Their insights highlight key priorities, including the importance of simplifying regulations, aligning frameworks across jurisdictions, and enabling responsible innovation while safeguarding privacy. 

Cutting Through the Red Tape

In five years, I envision a world where data privacy regimes are more streamlined and easier to implement. As privacy laws mature, they must meet core objectives without imposing unnecessary burdens on businesses or consumers.

Overlapping regulations and inconsistent requirements remain significant challenges. For example, privacy, cybersecurity, and sectoral rules may require companies to report incidents differently, wasting resources. Similarly, the proliferation of data-related laws indirectly targeting personal data adds to organizations’ regulatory burden. For instance, Vietnam’s recently enacted Data Law requires government approval for data affecting national security to be transferred overseas. While the Data Law does not directly govern personal data, certain types of personal data fall under this requirement.

This complexity intensifies across jurisdictions, and operating across borders becomes increasingly difficult for global organizations.

By 2030, privacy frameworks should be implementable, interoperable, and fit for purpose. Policymakers should align privacy regulations and remove inconsistencies with other legal frameworks, such as cybersecurity and sectoral laws. They should continue to consult with industry and civil society to simplify obligations, develop interoperability between jurisdictions, and establish mechanisms that allow secure, seamless data transfers. Such efforts will meet the twin objectives of protecting consumers and supporting innovation in the digital economy.

Wong Wai San, Senior Manager, Policy — APAC, based in Singapore

Harmonizing Frameworks for a Connected Asia-Pacific

Tham Shen Hong

In an ideal world, we would see further harmonization between the privacy frameworks of different countries. This would reduce compliance complexities for businesses, foster greater trust in cross-border data flows, and create a more consistent and user-friendly experience for individuals managing their privacy across jurisdictions. Regulatory alignment and harmonization can really make a difference in Asia-Pacific, where diverse cultures and different operating languages already present significant challenges for businesses seeking to expand and invest in the region.

When developing or amending privacy legislation, policymakers should adhere to global best practices and international standards as much as possible. They should prioritize multilateral dialogues to bridge any gaps and invest in capacity-building initiatives to help businesses develop robust data protection practices.

– Tham Shen Hong, Senior Manager, Policy — APAC, based in Singapore

Japan’s Role in the Digital Future

Japan has established a sensible privacy law that serves as a model for other governments in the Asia-Pacific region. In the next five years, we hope to see Japan further enhance its efforts to create consistency among like-minded nations, as it will help to prepare for a future that maximizes the benefits of emerging technologies with the appropriate privacy safeguards.

In this respect, it was encouraging last year to see Japan’s Personal Information Protection Commission begin discussions with stakeholders on the existing principles of Japan’s privacy regime. This included efforts to identify a legal basis other than consent to enable data to be processed for purposes beneficial to society.

As Japan considers the amendment of its Act on the Protection of Personal Information in 2025, we encourage its government to address efforts to support data utilization broadly, instead of restricting only to public interest activities or research. As businesses continue to develop and use artificial intelligence (AI) services, it will become increasingly important to enable the use of personal data for product and service improvement while ensuring appropriate consumer protection.

― Tomoko Naoe, Director, Policy, — Japan, based in Tokyo

Opportunities for Stronger, Interoperable Frameworks

In the next five years, global economies will likely see their ongoing efforts to create greater interoperability among national data protection frameworks bear significant fruit. In 2024, for example, over 80 economies arrived at a “stabilized” version of a new World Trade Organization (WTO) Agreement on Electronic Commerce that contains significant new provisions on personal data protection, which is a significant accomplishment.

Under Article 16, the participating WTO members agreed on a common definition of “personal data” to mean “any information relating to an identified or identifiable natural person.” These WTO members also committed to adopting or maintaining a legal framework that protects the personal data of users of electronic commerce, taking into account privacy principles and guidelines of relevant international bodies or organizations. The agreement also contains commitments reflecting core WTO principles of nondiscrimination, transparency, mutual recognition, and regulatory interoperability.

This WTO agreement is just a start, and the next five years of international negotiations will open many new opportunities for collaboration among like-minded economies to reflect their shared commitment to stronger and more interoperable personal data protection frameworks.

Joseph Whitlock, Director, Policy and Executive Director, Global Data Alliance, based in Washington, DC

Privacy, Sovereignty, and Innovation: India’s Path Forward

In the next five years, governments and businesses worldwide will deepen the implementation of their respective privacy policies. I would like to see the development of software products and applications that are privacy-friendly and designed specifically for user needs, while improving the overall user experience. While there will be more opportunities for shared global learning and collaboration, calls for data sovereignty will not be far away. I would like to see political leaders manage these differing forces effectively.

In India, the implementation of the Digital Personal Data Protection Act should be fully underway by 2030. Ideally, the effects of a central (Federal) legislation will trickle down to different industry sectors, states, and institutions.

This year policymakers in India should continue to stay on track by ensuring that the implementing rules remain consistent with the objectives of the privacy legislation, which is to promote trust, security, and innovation in the digital ecosystem.

— Venkatesh Krishnamoorthy, Country Manager, India, based in New Delhi

Rethinking Privacy Laws for a Data-Driven Future

In five years, I hope to see more global privacy laws move away from the “notice and choice” model for protecting privacy. Under that model, a person is assumed to consent to having her data processed if a company tells her how they will process it — and it can leave everyone unsatisfied.

The reality is that companies don’t like designing elaborate consent requirements that cover every scenario in which they process data. Consumers also don’t like being inundated with consent requests, even for processing their data in routine ways. Privacy laws need to shift toward other protections, including expressly allowing processing that consumers expect, so new guardrails can focus on more sensitive data and uses.

To do this, policymakers need to dig into big issues, like developing an effective and workable data minimization standard and recognizing that companies may handle data for a range of legitimate interests. We already see regulators focusing on these questions, particularly at the intersection of existing privacy laws and new models for developing and using AI systems. That work must continue to ensure privacy laws protect consumers and create meaningful guardrails for the businesses that process their data.

Kate Goodloe, Managing Director, Policy, based in Washington, DC

The EU’s Plan for Data Without Borders

Thomas BoueIn five years, data privacy could be a shared global achievement, with the European Union as one of the key architects of a system that balances privacy protection with security, innovation, and trade. Imagine a world where personal data moves freely and securely, protected by interoperable frameworks that respect both privacy and the demands of a digital economy. No more siloed systems, no more arbitrary borders for data — just a foundation of trust that powers progress.

To get there, policymakers in 2025 must think bigger. Instead of addressing this challenge piecemeal, the EU should push for practical, future-proof tools, such as expanded adequacy deals, streamlined transfer rules, and better guidance for businesses navigating complex laws. Rapidly advancing negotiations with like-minded partners on key initiatives, such as Data Free Flow with Trust, would be a good start. Also, resolving the thorny issue of legitimate government access to data would certainly be a welcome development. In this regard, bold partnerships, like an EU-US Cloud Agreement, could set the tone for global cooperation.

Thomas Boué, Director General EMEA, based in Brussels

Toward Consistent and Balanced US Privacy Laws

Olga Medina

In five years, as the number of US states with comprehensive privacy laws continues to grow, I hope to see broad consistency in the approach toward the promotion of consumer privacy. In recent years, we’ve seen some states take an interest in adopting substantive requirements that would disrupt coherence on topics such as data minimization.

BSA supports the general objective of data minimization, but these provisions need to be drafted in a way that does not inadvertently restrict a company’s ability to improve and develop new products and services. We all benefit when companies can improve our day-to-day products and services — from software to create and edit documents to video conferencing tools to collaborate with co-workers. To do this, states can advance laws that enhance privacy while allowing products and services to continue evolving in the way consumers have come to expect. Fourteen states have shown us this is possible and can serve as a guide for similar efforts.

Olga Medina, Director, Policy, based in Washington, DC

UK’s Vision for Privacy and Innovation in a Post-GDPR Era

Irma GudziunaiteFollowing the United Kingdom’s elections in July 2024, the new Labour government promised to leverage technologies like AI over the next five years. The UK’s ambition to become a leading destination for advanced technology development aligns with its proactive data flow policies.

In an ideal world, in five years, UK data privacy would feature adaptive regulations, international alignment, numerous newly established Data Bridges, and technologies that protect privacy and support innovation.

In 2025, the UK is expected to diverge from the European Union’s General Data Protection Regulation with privacy reforms. This divergence, however, will likely be moderate to retain EU adequacy decisions, which are up for renewal in the coming months.

This year, policymakers in the UK should prioritize harmonizing regulations across regions, addressing the environmental impact of data localization, and advancing innovation in privacy technologies. For instance, promoting advanced encryption methods or privacy-preserving AI could keep the UK at the forefront of the privacy-tech race. By tackling these challenges, the UK can secure its competitive advantage and set a global benchmark for data transfers and technological progress.

Irma Gudžiūnaitė, Director, Policy, based in Brussels

Artificial Intelligence, Privacy

A Legitimate Interest in AI Training

Privacy regulators worldwide are examining how existing privacy laws apply to companies that create and use AI systems. One key question regulators confront is why companies process personal data for AI-related activities — and if they do so for a reason recognized in their country’s privacy law, such as if it is based on consent, necessary to perform a contract or if the company has a legitimate interest in the activity. Read More >>

Privacy regulators worldwide are examining how existing privacy laws apply to companies that create and use AI systems. One key question regulators confront is why companies process personal data for AI-related activities — and if they do so for a reason recognized in their country’s privacy law, such as if it is based on consent, necessary to perform a contract or if the company has a legitimate interest in the activity. Read More >>

Artificial Intelligence, Cloud Computing, Cybersecurity, Data, Global Markets, Intellectual Property, Privacy, Procurement

BSA’s 2024 Year-in-Review

In 2024, BSA | The Software Alliance continued its work with policymakers worldwide with a focus on driving responsible artificial intelligence (AI), cybersecurity, data privacy, government procurement, and international data policy. Check out some of the highlights from our exciting year as we prepare for 2025. Read More >>

In 2024, BSA | The Software Alliance continued its work with policymakers worldwide with a focus on driving responsible artificial intelligence (AI), cybersecurity, data privacy, government procurement, and international data policy. Check out some of the highlights from our exciting year as we prepare for 2025. Read More >>

Artificial Intelligence

TRANSFORM Dialogue: Building Trust in the AI Era

During a featured panel at BSA’s TRANSFORM Dialogue, leaders in AI policy described how they are helping to build trust in this technology through business practices, partnerships, and regulations. Read More >>

During a featured panel at BSA’s TRANSFORM Dialogue, leaders in AI policy described how they are helping to build trust in this technology through business practices, partnerships, and regulations. Read More >>

Artificial Intelligence, Cybersecurity, Privacy

Q&A: Cisco on Enhancing Privacy and Cybersecurity With AI Tools

Cisco Executive Vice President and General Manager, Security and Collaboration Business Units Jeetu Patel answers questions from BSA’s SVP of Global Policy Aaron Cooper about how AI tools and systems can help companies like Cisco, develop products for its customers that put privacy protection first and enhance cybersecurity abilities.  Read More >>

Cisco Executive Vice President and General Manager, Security and Collaboration Business Units Jeetu Patel answers questions from BSA’s SVP of Global Policy Aaron Cooper about how AI tools and systems can help companies like Cisco, develop products for its customers that put privacy protection first and enhance cybersecurity abilities.  Read More >>