Privacy Advisor

Warning Bells for an Enforcement Tsunami? Regulators and CPOs Weigh In

July 17, 2013

By Angelique Carson, CIPP/US

In recent weeks, various European regulators have come down on Google for its policy on data collection. The UK’s Information Commissioner even went so far as to tell the company it had until September 20 to revise the policy or face “formal enforcement action.” Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar has said his office will join European regulators, including those from France and Spain, in taking action against the company.


As a result, “We are expecting a tsunami of privacy enforcement,” the Electronic Privacy and Information Center’s Marc Rotenberg told The Privacy Advisor. "News of the NSA's global surveillance activities, coupled with the pending investigations of Google in Europe and the ongoing interest in updating privacy laws on both sides of the Atlantic has created a perfect storm."

CPOs working on the Continent agree. To a point.

“I don’t know whether I would call it an enforcement tsunami, but he made a good point that there’s a stricter focus on enforcement and less focus on cooperation and letting things go,” said Siemens’ Florian Thoma, CIPP/US, CIPP/E, CIPM.

Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group, agrees with Thoma that “tsunami” may be too strong of a word. “I think it’s more of a rising tide,” he said. “A gradual increase in enforcement action from regulators.”

Deadman said tsunamis are too expensive.

“What I think is happening and will continue to happen unless something changes in terms of funding is that they are going to have to be very strategic in enforcement activities,” he said. “Never before has the issue been so high profile for politicians and in board rooms that they now think, ‘How do I use my resources most effectively?’ To my mind, there’s nothing that’s going to change that in the near future. I don’t see how the tsunami is going to happen because I don’t know where the money for it is going to come from.”

While international cooperation is certainly an increasing trend, Thoma notes DPAs are not only working together, they’re getting tougher, too.


Thoma said the writing was on the proverbial wall two years ago: Dutch DPA Jacob Kohnstamm said at a gathering of DPAs that DPAs shouldn’t just be good friends with companies, but they should “bark and bite, and I think that this is overall a sign of some of the authorities turning more toward enforcement and less toward discussion,” Thoma said.

European Data Protection Supervisor Peter Hustinx confirms this. While he agrees that terminology is important and “tsunami” may be a bit strong—he suggests “flurry” may be a more accurate description—he says it’s more than just international cooperation, though that is also on the rise.

“There is a general sense that enforcement should be increased, and this is because these activities are having more impact and also because, perhaps, there has been too much emphasis on theory and not enough on practice.”

Scott Hutchinson, spokesman for Canadian Privacy Commissioner Jennifer Stoddart, said based on experience and conversations with other DPAs, “there appears to be, generally, an increasing interest in enforcement actions.”

Stoddart recently recommended reforming Canada’s Personal Information Protection and Electronic Documents Act to include stronger enforcement powers, among other provisions.

Such enforcement powers are “critical to DPA success,” Hutchinson told The Privacy Advisor.

Hustinx said while increased enforcement won’t only affect the big brands, DPAs will prioritize major wrongdoing or structural problems according to appropriate needs. However, they may make examples of middle or small-sized companies to send a message to industry, he said.

Strength in Numbers

Citing announcements from regulators in France, Spain, the UK and others on Google’s privacy policy, Hustinx said more will come. He also notes other recent collaborations between DPAs, including the Dutch and Canadian authorities coming together over WhatsApp and most recently the collaboration between Canadian and Irish forces over Facebook.

“This is part of the gradual coming of age. It’s simply the privacy frameworks becoming more effective in a very digital world. And the European review is going to make it ever more true because part of that review is also allowing for much more robust enforcement, stronger rights, and stronger responsibilities with enforcement, including big fines,” Hustinx said.

Christopher Kuner, Wilson Sonsini senior of counsel, said DPAs are certainly becoming more strategic in the ways they enforce against large and multinational companies.

“Enforcement is becoming more globalized and regulators are pooling their resources and finding there’s strength in numbers,” Kuner said. “Individually, they don’t have much enforcement power, but if they pool their powers, it’s much stronger. I think we’ll see more and more of that.”

Noting that recent NSA revelations packed a punch, Thoma, who lives in Germany, notes that over the past couple of years there’s been “an increased wish of DPAs to join forces, particularly on enforcement actions because they felt rather weak and rather alone and have realized that data flows span the globe and that, for example, a local authority in any of the German states or particular smaller member states don’t have the power and the possibility to bring enforcement actions against, in particular, those Internet giants like Amazon, Google, Facebook, Apple and others who collect data.”

“We have reached a point where there is almost universal recognition that enforcement cooperation is essential to protecting privacy rights around the globe, and increasingly, we are finding ways to work together,” said Hutchinson. “In a world of rapidly expanding privacy challenges and limited resources, coordinating efforts is an effective way to ensure that people’s privacy rights are respected.”

Hutchinson added that Stoddart’s office recently took part in the Global Privacy Enforcement Network’s privacy sweep, in which 19 privacy enforcement authorities studied the privacy policies of a number of popular websites. The results of that sweep will be announced in coming weeks, he said.

Should Small Companies Be Afraid?

Siemens’ Thoma said he doesn’t believe small startups need to worry about DPAs knocking on their doors just yet.


“I think the focus will first of all be on the big ones, because the smaller ones somewhat have a chance to fly below the radar. The reason why we see this increased level of enforcement is first of all European regulators feel that they must do something to limit the amount of data collected, and not only limit the use of it, and that’s why they bundle forces, as we’ve seen with Google,” he said. “I think in Europe, many of those startup kinds of businesses are less well known, or maybe less used by Europeans, and are not so much perceived as being a threat to European-style privacy and the privacy of European citizens as Google and Facebook.”

Deadman agrees. Vodafone, a global company, has always sensed “that we’ve always been a much bigger target for investigations and enforcement arms for regulators for a number of different factors, but mainly because we’re a big-brand name, so I think that’s what’s happening with regulators with small budgets. They are recognizing that if they are picking on faces not well understood by consumers, they are going to find it harder to justify how they are using their resources.”

Deadman said the corner shop and the grocery store don’t have much to fear, but if you’re an Internet-based company that can scale from 20 users to 10 million users in a matter of weeks, “it’s going to catch attention of the regulators, and we’re seeing that in their recent behavior.”

Canada’s Hutchinson said when data regulators take action against big companies, “it gets people’s attention, but it doesn’t mean we are not looking at smaller companies, too. For example, our office worked along with the Dutch Data Protection Authority earlier this year to complete a joint investigation of WhatsApp.”

By international standards, WhatsApp is a small company, but it was found to be violating internationally accepted privacy principles.

“Ultimately, the size of the organization is not the issue. It is the number of individuals affected and the seriousness of the violation—or apparent violation—that is of concern,” Hutchinson said.

“The conclusion is to prepare,” Hustinx said, “not for an onslaught, but this is a constitution to make things enforceable. Accountability is required, and the big and small should prepare.”
