Privacy Compliance in a Grain of Sand
Next May will herald the effective date of what many believe is a once-in-a-lifetime piece of legislation: the European GDPR. To be fair, the GDPR has received a disproportionate share of the media coverage; privacy law and practice within the Asian economies is just as lively and dynamic. But whether it is helping a company that does business in the EU or in Asia comply with local privacy regimes, one thing is certain: regulated firms will need to proactively engage privacy regulators in this fast-changing field. Developments in the privacy arena are moving so fast that the UK’s Information Commissioner has compared the privacy regulator’s work to “changing tyres on a moving car”.
There are two major difficulties facing privacy compliance: the multiplicity of privacy laws, and adequately complying with consent and accountability requirements. Many industry experts have called for the use of regulatory sandboxes to help businesses and individuals develop innovative compliance programs that drive business models. But this essay argues that regulatory sandboxes, though an important tool in the privacy compliance toolbox, will create more unresolved issues than they settle.
Part I: Lack of Consensus in Privacy Law & Practice
I had the honor of attending the premier privacy conference in the world. This year, the 39th International Conference of Data Protection and Privacy Commissioners was held in Hong Kong during October 25-29, 2017. It was attended by hundreds of data protection authorities (“DPAs”) from most of the world’s key jurisdictions. I met new friends from several European, Asian and North American regulatory agencies (you know who you are). Hundreds of companies of all types also attended, ranging from hi-tech and social media firms to financial institutions. Even a few NGOs were represented. There simply wasn’t enough time to chat with everyone given the densely packed schedule of events, presentations and, of course, social hours.
The last general session on October 28th was called “Bringing It All Together”, and it attempted to summarize the consensus to be reached on a variety of key privacy topics such as notice & consent, consent as accountability (which explored using accountability as the basis for governance when consent is insufficient) and the details of a “post-consent world” in which consent is no longer needed. The curious thing was that the moderator admitted it was not possible to reach any consensus on these basic issues. That got me kind of alarmed, because if a panel of privacy experts, regulators and academics who have spent a lifetime studying this area, sitting in an air-conditioned five-star luxury hotel venue, could not agree, then what are the chances for regulated firms to see eye to eye with their respective regulators on issues that will be far more contentious, in far more inhospitable environments?
Without a fundamental shift in attitudes on privacy regulation in the following two problem areas, the prospect of reaching any meaningful consensus is remote. This will lead, in the words of one noted panelist, to “overwhelmed and ineffective DPAs, inadequately protected individuals and frustrated regulatees”.
A) Multiplicity of Privacy Regimes Facing Regulatees
Almost every jurisdiction in the world has some form of privacy or data protection legal regime, each varying in its degree of enforcement and rigor. Given the existence of so many privacy regimes, it is conceivable that a company or individual subject to these laws would be faced with the challenge of designing privacy programs that need to comply with dozens of separate legal regimes. This could be very daunting for small to medium businesses.
To help facilitate cross-jurisdictional compliance, various regulators have agreed to certain multilateral regimes. For example, participating APEC economies may choose to enroll in the APEC Cross Border Privacy Rules (“CBPR”) system, which requires regulated entities to design and implement data privacy policies compliant with the APEC Privacy Framework. An Accountability Agent (an independent, APEC-approved public or private entity) then assesses these policies against the minimum CBPR requirements. This summer APEC held high-level discussions with the EU authorities about formulating standards to make CBPR certifications interoperable with the GDPR’s requirements. But based on the comments of the head of the EU’s International Data Flows and Protection Unit during the DPAs’ conference, the EU needs to explore the synergies between CBPR and GDPR before any progress can be agreed upon. This is regulatory speak for “it will take a lot more time until we sort this issue out, so you guys will just need to tough it out in the meantime.”
B) “Consent is a nightmare”
The situation for reaching some sort of consensus on the concept of “consent” is equally lackluster. I was invited to a side event called the 6th Asian Privacy Scholars Network, hosted by the University of Hong Kong Law School, to present my whitepaper on the personal data currency (which can be used as the basis for a potential ICO that you can see here; more money has been raised from ICOs on far less). While listening to the other panelists speak in the morning session, a noted privacy scholar from Europe, Dr. Clarisse Girot, stated with a defeatist, apologetic air that “consent is a nightmare”. Again, if professional privacy scholars cannot define and agree on how regulated entities can comply with the consent requirement of privacy law, then what are the chances of understaffed, overwhelmed and underpaid DPAs being able to do so?
Part II: Building Castles in the Sand?
In the face of regulatory uncertainty, one of the panelists in the mid-morning Friday session recommended that regulators adopt the concept of “constructive engagement”. This means that regulators give as much practical guidance as possible to different sorts of regulatees, provide incentives for good-faith compliance and create space for responsible innovation, such as regulatory sandboxes.
The term “sandboxes” was used a great deal throughout the DPAs’ conference; even I asked several questions about it. Sandboxes are already used in other regulatory contexts such as fintech and digital banking. So what does this term mean, and are there any risks in their use?
The type of sandbox most people know about is the one in which kids play and build with sand packed within the confines of a boxed area (not the type used by firemen to put out fires). When used in the regulatory context, it means that regulatees are allowed to experiment with novel ways of doing business or complying with a legal regime (like playing with sand) while segregated (as in a box) from the rest of the economy, such that neither is affected by the actions of the other. This is the type of sandbox that regulators and regulatees have in mind. Sandboxes are beneficial because they give regulatees the chance to test out compliance programs designed for a particular legal regime. For example, many firms have been championing the “privacy by design” concept. But until a compliance program built upon that concept is actually tested in a live market situation, regulatees will not know how the program will work under a “live-fire” exercise, except that in a sandbox the bullets are made not of steel but of soft foam, and the supervising regulator is more accommodating.
There is no question that sandboxes also benefit regulators, because they give regulators a chance to see how a particular innovation interacts with real-world factors.
Because sandboxes are a good thing, they are used by many regulators throughout the world. But a popular thing may become a victim of its own success and wide adoption. There is a relative lack of analysis in the literature on the risks inherent in regulatory sandboxes used in the privacy context. Let’s take a look at them now.
Part III: From Sandboxes to Sandstorms
There are several unexplored issues surrounding sandboxes.
A) What happens if not every sandbox applicant can be selected?
The first is how understaffed and overwhelmed DPAs will choose which sandbox applicants to accept for supervision. Sandboxes require more time from DPAs, because DPAs become more like coaches or mentors than supervisory entities. They can’t use their big stick and must (due to the experimental nature of the whole exercise) instead resort to persuasion and guidance. If not every regulatee can be accepted for special treatment, then the selection process may be criticized as biased and subjective. Smaller regulatees may even level accusations that the sandbox treatment is limited to larger, well-capitalized companies.
If not every regulatee applicant can be selected, then will the sandbox testing results of those who were selected bind those who weren’t? Would it be fair if some regulatees had the experience earned from testing out their privacy compliance regimes (making them better prepared to handle future enforcement actions, inquiries or complaints) while others did not? Could regulatees who did not have the chance to participate in a sandbox experiment claim some sort of enforcement mitigation? Many claim that good privacy compliance improves the market competitiveness of regulatees. If some regulatees are allowed the chance to test out their programs and others are not, are we giving the former group an unfair commercial advantage? These are some of the practical issues arising from the limited ability of DPAs to accept the sandbox applications of every regulatee.
Acceptance may not be a good thing
B) Interoperability of Regulatory Sandboxes
Second, interoperability has been a popular word in privacy speak in the international context. We have seen how regulators are trying to establish interoperability between the GDPR and CBPR. However, the concept of interoperability needs to be explored both domestically and internationally.
1) Domestic Interoperability of Sandboxes
Assume a country with a progressive DPA that is actively promoting its regulatory sandbox program to its regulatees. What would be the relationship between sandboxes operating concurrently or separately in time? Would the beneficial results produced in one sandbox apply by force of administrative law to other sandbox experiments running concurrently? If yes, would this be fair to the other sandbox experiments if they were required to change their privacy compliance programs in response to the positive effects of another, unrelated experiment? Could a DPA require multiple changes to sandbox experiments based on the beneficial results of other sandboxes running concurrently? If regulatees are asked to make too many “real-time” changes to their testing parameters, then they may feel that they have lost control over the testing of their own privacy programs.
The next issue is the effect of a particular sandbox result vis-à-vis other sandbox participants and the general economy. Would particular sandbox testing results have preclusive legal effect, or merely persuasive effect, on other market participants within the DPA’s territorial jurisdiction? It is much easier for a national DPA to formulate rules on the preclusive effects of sandboxes on regulatees within its own domestic jurisdiction. More serious problems of interoperability arise for sandboxes hosted among DPAs in different jurisdictions.
2) International Interoperability of Regulatory Sandboxes
There has not been much discussion of the interoperability of sandboxes on a global level. To what extent would other privacy regulators accord “safe harbor” status to a sandbox hosted by another DPA? What would stop a DPA from kicking sand in the face of a company participating in a regulatory sandbox hosted by another DPA? In other words, how would different DPAs deal with the multiplicity of regulatory sandboxes hosted worldwide?
In theory, each DPA serves a different national government with a varying degree of political accountability. Ultimately, each DPA must account to its own political superior, which in some countries may be a democratically elected legislature, a prime minister or a dictatorship. Granting recognition to a sandbox experiment conducted by another DPA may contradict the political prerogatives and objectives of the host national DPA.
Yet in other areas such as law enforcement, anti-terrorism or anti-money laundering initiatives, cross-jurisdictional authorities often cooperate with each other. Privacy should be no different. If so, then would the statements and actions taken with respect to a particular privacy innovation being tested in a sandbox bind, or have “preclusive effect” on, other DPAs? If not, then the beneficial effects of sandboxes would be severely limited, since there would be no system of mutual recognition among cross-jurisdictional DPAs. The most likely result is that DPAs would view the actions taken by another DPA with respect to a sandboxed privacy innovation as merely “non-binding” or persuasive.
C) From Sandbox to Desert
Regulatory sandboxes raise other issues which, if unaddressed, would present significant risks in their continued viability and relevance:
• What is the mechanism to apply for a sandbox? Is it an informal or a formal process?
• To what extent is the application review process transparent and free from vested interests?
• Is there a right of appeal if an applicant’s sandbox application is refused?
• How will the length of time for experimentation and the scale of testing be determined?
• Who decides whether further extensions may be granted, or whether the experiment is a success or a failure? Is there any right of appeal on these decisions?
• What is the legal effect of a successful or failed sandbox test? Will it bind other DPAs? Will a failed sandbox test in one jurisdiction preclude the applicant from applying to another DPA?
• What is the effect of a successful sandbox test in a future enforcement action launched by the regulator who tested the innovation? Will there be legal preclusive effect to estop that regulator from bringing a later enforcement action if it approved the sandbox test?
• What is the effect of a successful sandbox test in a future enforcement action launched by a third-party regulator who was not involved in the initial testing of the innovation?
• Can a successful sandbox test be used as a mitigating factor in a future related enforcement action?
• Will other DPAs approve, or grant safe haven status to, innovations approved in a sandbox hosted by another DPA?
• Will rulings made by a regulator with respect to a particular sandbox be deemed legal precedent binding on that same regulator or on a third-party DPA?
The above issues would also apply to the interoperability of regulatory sandboxes hosted by the various DPAs operating within the European Union. For example, how would sandbox testing results obtained by the Italian DPA be treated by the Irish or French DPAs, or by any one of the 16 federal DPAs operating independently within Germany?
Part IV: Conclusion
The poet William Blake wrote:
“To see a World in a Grain of Sand, And a Heaven in a Wild Flower,
Hold Infinity in the palm of your hand, And Eternity in an hour.”
(from “Auguries of Innocence”)
In the privacy context, it is highly unlikely that cross-jurisdictional DPAs will see much in a grain of sand within the sandboxes of other DPAs, much less “a World” or “a Heaven”. For example, the EU doubts whether the APEC CBPR is as protective of individual privacy as GDPR principles, which may render full interoperability of compliance regimes between the two systems difficult. Differences in national laws, democratic processes, enforcement attitudes and consumer expectations will undercut efforts to achieve interoperability of regulatory sandboxes among cross-jurisdictional DPAs. If regulators and experts cannot agree at a posh hotel conference on core privacy principles, then how will the sandboxes they separately maintain do so? In the ensuing non-recognition of regulatory sandboxes hosted by conflicting DPAs, the frustration and delay experienced by regulatees will feel like an “Eternity”.