Comply but Advocate (Strategic Privacy Part 1)
When the U.S. Securities & Exchange Commission was tasked with the unenviable task of making a rule to regulate the use of conflict minerals in the global supply chain, I was responsible for designing its compliance procedures & policies for the world’s largest semiconductor maker. I was also responsible for advocating for the abolishment of such rule because it would be disruptive for business. I was educating internal business teams on how to comply with the proposed rule while also plotting its downfall. Eventually, my comment letter to the U.S. SEC was cited by the American Chamber of Commerce to support the only winning argument that prevailed on appeal to strike down the heart of the rule. It is not easy to do both compliance and advocacy, but in an increasingly politically charged business environment, legal professionals must protect their clients’ interest from unfair laws and regulations and their uneven enforcement.
Much emphasis in the privacy community is placed on “compliance”, which is important to defend the client from accusations of regulatory violations. But if the law or rule demanding compliance is unfair, burdensome, would lead to arbitrary or capricious enforcement (or is simply confused, as discussed in Section A below), then privacy professionals need to conduct offensive advocacy to either change it in their client’s favor (through lobbying efforts) or get rid of it (usually by filing a legal challenge). Oftentimes, defensive compliance (which leverages the most efficient tools to help the client satisfy applicable regulatory requirements) and offensive advocacy (which requires changing or abolishing the unfair or business-unfriendly rule) need to be conducted together in a responsible manner so as to shield the client from liability and advance its corporate objectives. This is the essence of strategic privacy management: understanding when and how to comply but advocate.
“Comply but advocate” is the guiding principle to protect corporate interests.
(Getty Images license)
As previously discussed in the intro of this series (here), in July 2019 we saw record fines being issued to British Airways, Marriott and Facebook: GDPR (and some other privacy regimes) threatens to expose data monetizers to unprecedented liabilities. The vast majority of privacy professionals and consultants are simply focused on complying with the GDPR, accepting without challenge its many disparate (and, as explained later, futile) requirements. Compliance with the law is important but insufficient, and it sells short corporate interests if the law itself is unfair or if its enforcement is lopsided. Privacy professionals also need to think of ways to conduct offensive advocacy to limit and contain the absurdities arising from its unfair provisions and uneven enforcement.
The key theme of this entire series on Strategic Privacy Management is the need to create an independent private industry association called the “Fair Privacy Institute” that will lobby (on behalf of its membership-fee-paying global public and private corporate constituencies) for the creation of balanced privacy laws and the fair, even enforcement of such laws, including the filing of strategic administrative lawsuits and promoting industry codes of conduct applicable to all key sectors to attain such goals.
Part 1 of this series describes the sad state of the GDPR.
1. Sad State of the GDPR
GDPR Clown Car?
I think it is an understatement that the current state of affairs for GDPR is a (complete?) mess. The Centre for Information Policy Leadership, a data privacy think tank, issued a report about the GDPR after its first year in May 2019. The report does list some good the GDPR has done, such as raising awareness about data privacy and increased operational transparency. These benefits are described in flowery, verbose language. (I get the feeling that the report is struggling to find substantive redeeming benefits and hypes these up with pretty words to give face to the EU regulators.) But these benefits are completely outweighed (in both magnitude and severity) by the grim “unfulfilled promises” and “challenges” of the GDPR cited in the report. In other words, there are big problems. The report is blunt but not straight-talking enough.
Get ready to deal with all 28 privacy regulators in the EU. The report notes there is a “fragmented privacy landscape in the EU Member States”. Translation: data monetizers cannot get clarity on legal requirements and their enforcement because there are “differing rules (e.g. age of consent, processing of sensitive and biometric data, scientific research)”. What’s the point of having an EU-wide GDPR if EU member states will just do their own things on privacy?
This fragmented landscape was not what the European Commission had promised to companies doing business in the EU. The Commission promised that there would be “[o]ne continent, one law” for privacy, “a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.” Don’t hold your breath for the situation to improve: most likely it won’t…
EU DPAs are tripping over each other. Another problem is the diverging “national interpretation, guidance and enforcement by DPAs”. DPAs are not working (well?) together. A data monetizer cannot rely on getting fair treatment across the EU, especially if the decision of one DPA does not bind another DPA. Again, what is the point of having an EU-wide law? How can data monetizers get clarity on the law to structure internal compliance procedures? If the DPAs cannot align their thinking, how is it fair to expect data monetizers to design compliance programs?
The European Commission (wrongfully) promised businesses already operating in the EU that everyone would play by the same rules, even those businesses operating outside of the EU. It said “companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market.” Well, good luck to some overseas Indonesian e-commerce platform trying to figure out what the heck is going on inside the EU when none of the DPAs can interpret things consistently. Its CEO may very well drop the EU and focus on the booming ASEAN e-commerce market.
Are DPAs lost or very lost in the fragmented GDPR landscape?
(Getty Images license)
The top EU privacy watchdog is basically asleep. The report criticizes (albeit rather indirectly) the European Data Protection Board (“EDPB”), sitting at the tippy-top of the EU privacy regime, for not doing its job! It says “the EDPB could also play a more proactive role in driving true consistency in the way DPAs interpret and approach data protection rules, compliance and enforcement”. In other words: yo, EDPB! Get off your butt and start showing some leadership!
Other EU non-privacy regulators are cutting into the privacy dance, making compliance even more complicated. “[S]ome other regulatory bodies (such as competition authorities or consumer bodies) have made decisions regarding privacy and data protection issues, where the DPAs (and in cross-border cases the lead DPAs) should be the competent authorities.” How many chefs do we need in the proverbial kitchen? Do DPAs report to their competition colleagues? Having multiple regulators bossing data monetizers around unnecessarily complicates privacy compliance. What if a compliance procedure satisfies competition requirements but not privacy requirements, or vice versa? What happens then?
Get ready for a free-for-all DPA feeding frenzy. Bring out the shark tanks, because “[t]here is still ambiguity over the functioning of the One Stop Shop…local DPAs are not respecting the One Stop Shop mechanism.” The EU promised businesses that they would not need to defend litigations, investigations or inquiries from 28 EU DPAs. The GDPR designates the supervisory authority of the EU member state in which a data monetizer has its “main establishment” as the “lead supervisory authority” to prosecute cross-border violations. This lead SA would act as the main contact window vis-à-vis the regulatee so that it would not need to respond to 28 different sets of investigative questionnaires. Obviously that is a nightmare for any in-house general counsel. But the nightmare is already happening. In the first GDPR enforcement action, the French privacy regulator CNIL gave the middle finger to the Irish privacy regulator when the CNIL fined Google around 50 million euros even though the Irish Data Privacy Commission, and not CNIL, had jurisdiction under the “One Stop Shop” rule. There is enormous economic incentive for a national DPA to go after potential violators because GDPR fines are big money and are an easy way for cash-starved EU member states to generate much-needed revenues. The GDPR is another tool for EU member states to monetize the business of regulation. Expect to see a free-for-all feeding frenzy against British Airways, Marriott (and Facebook), the first three companies to make GDPR headlines this month (and other defendants in the months to come), as each DPA starts going after them in individual enforcement actions for more money and turf jockeying.
Breakdown of One Stop Shop rule will lead to DPA free-for-all feeding frenzy.
Data monetizers operating internationally are in for an even bigger treat. The report notes there are “open issues leading to legal uncertainty about the GDPR’s territorial scope.” The EU and its national DPAs are confused about formulating a clear set of rules that global businesses can rely upon for guidance on international data transfers; the role of the Article 27 representative; and whether certain temporary activities would trigger GDPR liabilities and duties.
Countless blog articles have been devoted to explaining the upcoming PSD2 and e-Privacy regulations, other ways for the EU to regulate the digital economy. The report cautions that these “sectoral laws (either due to lack of understanding of the GDPR or inconsistent interpretation of the GDPR by other regulators) may undermine the GDPR” and cause “conflicting requirements and [un]clear rules as to which standard prevails and which authorities will be responsible for enforcing these laws.” Translation: it is futile to design compliance protocols for these “sectoral laws”, each carrying its own penalties, when the EU regulators themselves are disorganized about formulating clear rules applicable on a consistent basis.
If you are a venture capitalist investing in emerging technologies in the EU, then note that the future of technology in the EU is gloomy. Why? Well, the report points out that “the GDPR is not entirely adaptable to new developments in the digital economy”. In other words, the GDPR cannot accommodate changes in tech and, based on the above problems, some of its regulators may not even care. The law will strangle the research and development of new digital technologies that may bring “real benefits for individuals and society at large”. I will write more about this issue in Parts 6 and 7 of this series. Stay tuned.
The report notes there is too much emphasis on seeking data subjects’ consent when there are 5 other grounds for processing/collecting data. Unfortunately, DPAs have been construing these other 5 grounds narrowly. The consent regime under the GDPR does “not function well for many modern day data processing contexts and do not provide effective protection for individuals.”
DPAs are holding data monetizers strictly liable for GDPR violations, ignoring the risk-based approach based on reasonable measures to protect data privacy. “DPAs don’t seem to refer to the risk-based approach in their guidance and interpretation or first GDPR enforcement actions.” The report does not explicitly discuss this important development, but I will in Part 4 of this series.
And the hits keep on coming. There are no industry codes of conduct to guide market practice on privacy compliance and no credible industry certification system to validate privacy management systems. “One year after the GDPR went into effect, the regime surrounding GDPR certifications and codes of conduct – which serve as tools for demonstrating organisational accountability – has still not been effectuated.” I will discuss how an independent trade association can help set these industry standards and certification systems in Part 5 of this series.
The entire global monetization and transfer of data is about to come to a crashing halt. Almost all data monetizers rely on model clauses or the Privacy Shield to transfer data across borders. But thanks to a legal challenge filed by populist activist Max Schrems and a group of French NGOs in the EU Court of Justice, these mechanisms may be ruled illegal! This would cut off the flow of data between the EU and non-adequate countries like the U.S. The report expresses this risk in a more positive manner: other ways to engage in cross-border data transfers have “not been developed and little progress has been made to expand or improve existing cross-border data transfer mechanisms.”
For those who don’t know who Max Schrems is, he filed a legal challenge about Facebook’s transfer of his personal data to the U.S. which torpedoed the Safe Harbor data sharing agreement. This underscores why data monetizers need to unite and pool their substantial resources into an advocacy-driven industry association to fight against these attacks on the pillars of 21st century data monetization.
We are screwed if Schrems wins again. A decision is expected in early 2020, around the effective date of the California Consumer Privacy Law, another ticking time bomb waiting to explode, discussed in Part 2 of this series.
2. Time to Get Off the Clown Car?
These are some of the major problems threatening data monetizers under the GDPR.
I have never seen a compliance program that can be successfully designed, implemented and updated in the face of the above unmitigated chaos and just plain regulatory craziness. To borrow an apt phrase from U.S. Senator Ted Cruz: “the clown car is broken, there is no brake and it only steers left.” Things are out of control. The sad thing is that compliance professionals are forced to sit in this clown car in their efforts to keep track of (and in some cases mind-read) the disparate interpretations of DPAs (who are not working well together) and non-privacy regulators who are butting into the game (on a power trip?) in a leadership vacuum left by the EDPB (who might as well be asleep at the wheel). This is why data monetizers should also start thinking about protecting themselves from this craziness by conducting strategic advocacy, as discussed in Part 5. Otherwise, data monetizers will be stuck (without any seat belts) on a regulatory white-knuckle ride to nowhere but crazy town…
Time to get off the clown car?
(Pixabay image license)