Emerging Technologies Law is a blog by William Ting which examines 21st century legal, business & social tech issues.

Comply but Advocate (Strategic Privacy Part 1)


Strategic privacy management means conducting both privacy compliance (defensive in nature) & advocacy (offensive in nature) effectively. (Getty Images license)


When the U.S. Securities & Exchange Commission was handed the unenviable task of making a rule to regulate the use of conflict minerals in the global supply chain, I was responsible for designing its compliance procedures & policies for the world’s largest semiconductor maker. I was also responsible for advocating for the abolishment of such a rule because it would be disruptive for business. I was educating internal business teams on how to comply with the proposed rule while also plotting its downfall. Eventually, my comment letter to the U.S. SEC was cited by the American Chamber of Commerce to support the only winning argument that prevailed on appeal to strike down the heart of the rule. It is not easy to do both compliance and advocacy, but in an increasingly politically charged business environment, legal professionals must protect their clients’ interests from unfair laws and regulations and their uneven enforcement.

Much emphasis in the privacy community is placed on “compliance”, which is important to defend the client from accusations of regulatory violations. But if the law or rule demanding compliance is unfair, burdensome, or would lead to arbitrary or capricious enforcement (or is simply confused, as discussed in Section A below), then privacy professionals need to conduct offensive advocacy to either change it in their client’s favor (through lobbying efforts) or get rid of it (usually by filing a legal challenge). Oftentimes, defensive compliance (which leverages the most efficient tools to help the client satisfy applicable regulatory requirements) and offensive advocacy (which requires changing or abolishing the unfair or business-unfriendly rule) need to be conducted together in a responsible manner so as to shield the client from liability and advance its corporate objectives. This is the essence of strategic privacy management: understanding when and how to comply but advocate.

“Comply but advocate” is the guiding principle to protect corporate interests.

(Getty Images license)


Are DPAs lost or very lost in the fragmented GDPR landscape?

(Getty Images license)

  • The top EU privacy watchdog is basically asleep. The report criticizes (albeit rather indirectly) the European Data Protection Board (“EDPB”), sitting at the tippy-top of the EU privacy regime, for not doing its job! It says “the EDPB could also play a more proactive role in driving true consistency in the way DPAs interpret and approach data protection rules, compliance and enforcement”. In other words: yo, EDPB, get off your butt and start showing some leadership!

  • Other EU non-privacy regulators are cutting into the privacy dance, making compliance even more complicated. “[S]ome other regulatory bodies (such as competition authorities or consumer bodies) have made decisions regarding privacy and data protection issues, where the DPAs (and in cross-border cases the lead DPAs) should be the competent authorities.” How many chefs do we need in the proverbial kitchen? Do DPAs report to their competition colleagues? Having multiple regulators bossing data monetizers around unnecessarily complicates privacy compliance. What if a compliance procedure satisfies competition requirements but not privacy requirements, or vice versa? What happens then?

  • Get ready for a free-for-all DPA feeding frenzy. Bring out the shark tanks because “[t]here is still ambiguity over the functioning of the One Stop Shop…local DPAs are not respecting the One Stop Shop mechanism.” The EU promised businesses that they would not need to defend litigations, investigations or inquiries from 28 EU DPAs. The GDPR designates the supervisory authority of the EU member state in which a data monetizer has its "main establishment" as the "lead supervisory authority" to prosecute cross-border violations. This lead SA would act as the main contact window vis-a-vis the regulatee so that it would not need to respond to 28 different sets of investigative questionnaires. Obviously that is a nightmare for any in-house general counsel. But the nightmare is already happening. In the first GDPR enforcement action, the French privacy regulator CNIL gave the middle finger to the Irish privacy regulator when the CNIL fined Google around 50 million euros, even though the Irish Data Privacy Commission, and not CNIL, had jurisdiction under the “One Stop Shop” rule. There is an enormous economic incentive for a national DPA to go after potential violators because GDPR fines are big money and an easy way for cash-starved EU member states to generate much-needed revenues. The GDPR is another tool for EU member states to monetize the business of regulation. Expect to see a free-for-all feeding frenzy against British Airways, Marriott (and Facebook), the first three companies to make GDPR headlines this month (and other defendants in the months to come), as each DPA starts going after them in individual enforcement actions for more money and turf jockeying.


Breakdown of One Stop Shop rule will lead to DPA free-for-all feeding frenzy.

(public image)

  • Data monetizers operating internationally are in for an even bigger treat. The report notes there are “open issues leading to legal uncertainty about the GDPR’s territorial scope.” The EU and its national DPAs are confused about formulating a clear set of rules that global businesses can rely upon for guidance on international data transfers; the role of the Article 27 representative; and whether certain temporary activities would trigger GDPR liabilities and duties.

  • Countless blog articles have been devoted to explaining the upcoming PSD2 and e-Privacy regulations, other ways for the EU to regulate the digital economy. The report cautions that these “sectoral laws (either due to lack of understanding of the GDPR or inconsistent interpretation of the GDPR by other regulators) may undermine the GDPR” and cause “conflicting requirements and [un]clear rules as to which standard prevails and which authorities will be responsible for enforcing these laws.” Translation: it is futile to design compliance protocols for these “sectoral laws”, each carrying its own penalties, when the EU regulators themselves are disorganized about formulating clear rules applicable on a consistent basis.

  • If you are a venture capitalist investing in emerging technologies in the EU, then note that the future of technology in the EU is gloomy. Why? Well, the report points out that “the GDPR is not entirely adaptable to new developments in the digital economy”. In other words, the GDPR cannot accommodate changes in tech and based on the above problems, some of its regulators may not even care. The law will strangle the research and development of new digital technologies that may bring “real benefits for individuals and society at large”. I will write more about this issue in Parts 6 and 7 of this series. Stay tuned.

  • The report notes there is too much emphasis on seeking data subjects’ consent when there are 5 other grounds for processing/collecting data. Unfortunately, DPAs have been construing these other 5 grounds narrowly. The consent regime under the GDPR does “not function well for many modern day data processing contexts and do not provide effective protection for individuals.”

  • DPAs are holding data monetizers strictly liable for GDPR violations, ignoring the risk-based approach based on reasonable measures to protect data privacy. “DPAs don’t seem to refer to the risk-based approach in their guidance and interpretation or first GDPR enforcement actions.” The report does not explicitly discuss this important development, but I will in Part 4 of this series.

  • And the hits keep on coming. There is no industry code of conduct to guide market practice on privacy compliance and no credible industry certification system to validate privacy management systems. “One year after the GDPR went into effect, the regime surrounding GDPR certifications and codes of conduct – which serve as tools for demonstrating organisational accountability – has still not been effectuated.” I will discuss how an independent trade association can help set these industry standards and certification systems in Part 5 of this series.

  • The entire global monetization and transfer of data is about to come to a crashing halt. Almost all data monetizers rely on model clauses or the Privacy Shield to transfer data across borders. But thanks to a legal challenge filed by populist activist Max Schrems and a group of French NGOs in the EU Court of Justice, these mechanisms may be ruled illegal! This would cut off the flow of data between the EU and non-adequate countries like the U.S. The report expresses this risk in a more positive manner: other ways to engage in cross-border data transfers have “not been developed and little progress has been made to expand or improve existing cross-border data transfer mechanisms.”

    For those who don’t know who Max Schrems is, he filed a legal challenge about Facebook’s transfer of his personal data to the U.S. which torpedoed the Safe Harbor data sharing agreement. This underscores why data monetizers need to unite and pool their substantial resources into an advocacy-driven industry association to fight against these attacks on the pillars of 21st century data monetization.

Data transfer regimes will be in trouble if Schrems wins again. A decision is expected in early 2020, around the effective date of the California Consumer Privacy Law, another ticking time bomb waiting to explode, discussed in Part 2 of this series.

2. What to Do?

These are some of the major problems threatening data monetizers under the GDPR.

I have never seen a compliance program that can be successfully designed, implemented and updated in the face of the above unmitigated chaos and just plain regulatory uncertainty. Things are out of control. The sad thing is that compliance professionals are forced to sit in this skidding car in their efforts to keep track of (and in some cases mind-read) the disparate interpretations of DPAs (who are not working well together) and non-privacy regulators who are butting into the game (on a power trip?) in a leadership vacuum left by the EDPB (who might as well be asleep at the wheel). This is why data monetizers should also start thinking about protecting themselves from this frenzy by conducting strategic advocacy, as discussed in Part 5. Otherwise, data monetizers will be stuck (without any seat belts) in a regulatory white-knuckled ride to uncertainty…
