Privacy Enforcement: “It’s a Two-Way Street”
By Sam Pfeifle
Here in Warsaw at the 35th Annual Convention of Data Protection and Privacy Commissioners, only one subject hangs over the event more than whistleblower Edward Snowden: The upcoming European Data Protection Regulation and what the future of privacy enforcement will look like. Nearly every presentation contained some disclaimer about how things will change once the regulation comes into place.
The form it will take in the end? No one can confidently predict that.
The fact that it’s needed? On that there is universal agreement.
Jan Philipp Albrecht, German MEP and rapporteur for the proposed regulation, was blunt: “The new regulation is needed daily. It’s already late. Even if it is passed before the May parliamentary elections, it will still be two years before it comes into force.”
If anything, he said, it would simply bring back to the forefront the privacy issues raised by the original Council of Europe Convention 108 and the original Data Protection Directive from 1995. “We need to get back to the individual rights of all humans,” he said.
Particularly, said Albrecht, the regulation would provide much-needed consistency. “No more of this 28 different laws,” he said. “Now citizens can say that everywhere in Europe, they can rely on the rights in the law … They can always take this regulation to their DPAs and ask for the enforcement of these rules.”
UK ICO Christopher Graham echoed that desire for consistency, but noted, “Consistency has to be in practice, not just in theory … The rules have to be proportionate and risk-based. The text as originally published 17 months ago was anything but.”
Now, Parliament has before it a big task. “The regulation is necessarily highly complex,” he said, “and we have to get it right in pretty short order over the next few weeks. It’s important that it’s done, but done right. That’s a great challenge. Data controllers need to be clear what’s expected of them.”
“If the regulation is effectively framed,” Graham said, “we will all have an instrument to get the job done … It’s a two-way street. It takes the controller working with the enforcer, and the controller has to believe the enforcer will enforce. It’s in their own business interests to demonstrate that they’re delivering effective protection and privacy … You have to believe the regulator will come to get you.” In fact, he said, the threat of enforcement is more important than overly proscriptive specifics about how to handle data. Some ambiguity is good, he said.
“I’m not interested in a to-do list and a tick box,” Graham said. “I lead an organization that wants to be effective in tackling the bad actors rather than filling out forms for people who are probably perfectly compliant anyway.”
Indeed, said Kostas Rossoglou, senior legal officer at EU consumer advocacy group BEUC, “I haven’t seen many companies who bother to comply with 28 national laws in practice. They comply with one law and count on the fact that there is no enforcement.” That’s why he supports what he called “private enforcement,” essentially the filing of lawsuits in various jurisdictions, until there is an all-encompassing regulation.
However, he cautioned, many companies do want a checklist, especially the small- and medium-sized businesses that are unlikely to have a compliance department. “They want legal certainty,” he said. “What do I have to comply with? There needs to be certainty. They need to know what’s expected of them. We shouldn’t simply say ‘accountability vs. accountability’.”
That’s why, said IAPP CEO Trevor Hughes, CIPP, the true nexus of compliance and regulation is privacy professionals themselves, who have educated themselves about the various privacy regulations and bring that information back to their organizations. “I take Commissioner Graham’s point to heart,” he said. “It is a partnership. And the reason privacy doesn’t lend itself to check boxes is the dynamic nature of the field we find ourselves in. The global nature of our field means that the legacy legal structures we have are always straining to accommodate the next thing, the next use of data. We need people who are effective risk managers. The privacy professional has become one of the core tools in addressing the risks in the data economy.”
However, he said, we need to stop thinking of the chief privacy officer or the data protection officer or even the privacy office as the single point of cooperation with a data regulator. “People have to do privacy work throughout the organization,” Hughes said. “We’re seeing huge growth in operational management of privacy. This is what accountability looks like. This is privacy by design. This is where decisions are made. We need risk managers who understand privacy so they see the problem as soon as an idea is thrown up on a whiteboard in a conference room.”
Uncertainty doesn’t help with that, obviously. This is something that Rafael Garcia Gozalo, head of the International Department of the Spanish Data Protection Agency, knows well. “Where are laws applied and which authorities shall have the authority to deal with cases,” he said, “these are the two issues that need to be figured out in the new regulation.”
Almost certainly, in whatever form the new regulation is passed (there seems to be agreement that passage will happen in some form before May), it “will call for close cooperation among DPAs,” Gozalo said. “It will be even more critical than it has been so far. This cooperation will be compulsory.”
That’s why DPAs are already focusing on this cooperation. “We’re actively looking for enforcement projects across territories,” said the UK’s Graham, “so we get more practice.”