The governance of organizations’ handling of consumer information has been a prominent topic ever since the EU’s General Data Protection Regulation went into effect a year ago, but recent privacy-related activity hasn’t provided much focus.

Grabbing the news cycle on May 1, the shareholder suit filed in the Delaware Chancery Court against Facebook chief executive Mark Zuckerberg and five of the company’s board members accuses them of sacrificing the firm’s reputation and long-term prospects by mishandling users’ data and then lying about it.

The complaint also alleges Zuckerberg and two other board members violated securities laws by selling their stock holdings, while urging investors to vote against corporate governance measures that would have enhanced privacy oversight.

Facebook is already under a consent decree with the Federal Trade Commission that it expects could involve a fine of as much as $5 billion, and the violations alleged in the latest suit could expose it to sizable penalties from the EU, according to Bloomberg Law.

The FTC has an arrangement in place with European data regulators, referred to as the Privacy Shield program, under which the agency oversees the movement of EU citizen data to the U.S. It’s not clear, however, whether that will protect U.S. companies from GDPR fines, which could go as high as 4 percent of revenue.

The director of the FTC’s Bureau of Consumer Protection, Andrew Smith, told Bloomberg Law in an April 26 interview that the agency wasn’t reaching its desired level of enforcement actions because of the difficulty of bringing such cases.

For its part, the EU Data Protection Board raised questions in January about whether its citizens’ information was being adequately protected under Privacy Shield. It also voiced concern about whether the FTC was vested with sufficient powers to enforce protection of European data.

The data privacy legal environment in the U.S. still hangs heavily on the unlikely prospect of federal legislation and the fact that the California privacy statute will go into effect next January.

A privacy bill introduced by Sen. Ed Markey (D-Mass.) is the most comprehensive yet to be seen at the federal level, but it does not expressly preempt state privacy statutes, and it authorizes attorneys general to bring civil enforcement actions on behalf of state residents. Any such arrangement is likely to make compliance efforts challenging, according to Bloomberg Law.

Six other privacy-related bills were introduced in the Senate in the four-week period ending April 15.

As the legislative picture in Washington remains unfocused, a bill introduced in the California Senate could significantly expand the expected impact of the state’s Consumer Privacy Act. SB-561, which was introduced in March, would dramatically widen the private right of action that could be brought under CCPA, eliminate a business’s right to seek guidance from the attorney general, and do away with the 30-day safe harbor provision for actions brought by the attorney general.

At an April 9 open hearing on the bill, opponents raised the prospect that its provisions would offer a strong incentive for the plaintiffs’ bar.

The interplay of widely disparate forces, and the fact that the California statute is still evolving, will mean continuing uncertainty on the data privacy front.