In the third part of our series on the slow-moving world of regulatory plate tectonics, our EMEA Associate and roving expert on all things to do with privacy, cybersecurity and digital ethics looks to the future:
- Part 1: Narrowing the Atlantic Gap: the EU and US are drifting together. An Executive Order signed this week promises to narrow the transatlantic regulatory gap. But will this be enough?
- Part 2: Britain Adrift (again): meanwhile the UK’s post-Brexit relationship with the EU is being tested as it proposes to rip up red tape, water down GDPR and cooperate more closely with the US. As the English Channel widens and the UK drifts towards the US, will this leave the EU out of reach?
- Part 3: Crossing the Divide: where are we headed and how can the data sharing and data protection conundrum be resolved to (almost) everyone’s satisfaction?
Why do we even bother with data protection regulations?
In our recent review of GDPR as it reached its fourth anniversary we looked at ‘the Good, the Bad and the Ugly’. The fact that it has not only set a standard for data privacy but has also been copied across the globe is no small achievement. It has certainly spawned many similar regulations in other jurisdictions, as other markets either seek equivalence with GDPR or attempt to refine it in some way. CCPA in California, POPI in South Africa, LGPD in Brazil and countless other regulations in other nations or US states, with more emerging all the time, all owe their genesis to GDPR.
Collectively these regulations are having an impact. Public awareness of data protection and privacy is at an all-time high, as is corporate spending on compliance. Great, job done! Not so fast.
Unfortunately, we have learned a few hard lessons along the way:
- Regulation without enforcement is not just pointless, it is counterproductive: while honest companies incur the cost of complying, dishonest ones, knowing that there is no enforcement and little chance of getting caught, gain a competitive advantage by not bothering to comply and even by actively abusing people’s privacy to their own advantage.
- Fines add cost but are a lagging indicator of misfortune rather than misbehaviour: rather than proactively identifying and prosecuting abuse, under-resourced regulators hand out fines to those that were not only unfortunate enough to suffer an incident, but were also responsible enough to report it.
- At scale, some firms see an actual business case for non-compliance: arguably some of the largest data abusers have been the tech giants whose business model relies on data exploitation. Some, such as Facebook, when challenged and found to be in breach of GDPR, have faced a choice between investing to re-engineer their systems to comply with the law, or instead spending money on lawyers, fines and lobbyists. They went with the second option and have been very effective at it.
So, how can things be improved? And what’s the real problem here?
Expecting companies like Facebook to act responsibly and abide by the law when politicians are unwilling to provide adequate resources for regulation and enforcement is unrealistic. Expecting this to change is probably also unrealistic. Privacy and GDPR are never going to be vote winners, and are therefore unlikely ever to become a political priority.
“The emperor has no clothes; and data regulation has no red-dress”
With the regulators either underfunded, ineffective or both, much of the responsibility for holding data abusers to account, especially the largest ones like Facebook, has fallen to motivated privacy activists like Max Schrems. While his campaigns in the EU courts have overturned both Safe Harbor (Schrems I) and Privacy Shield (Schrems II), he was not actually seeking to undermine transatlantic data sharing. He was simply seeking meaningful protections such as proportionality in surveillance, independent judicial oversight and an effective means of redress, all of which are enshrined in GDPR. They are also supported by the right to privacy or private life enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8) and the EU Charter of Fundamental Rights (Article 7).
So where are we going wrong?
- In the US: As we saw in the first article in this series, there is a new Executive Order that seeks to resolve the transatlantic data sharing dilemma. While it is a good first step, it is just an Executive Order and therefore not enshrined in law, and it does not resolve the very different interpretations of ‘proportionality’ or provide real independent judicial oversight or an effective means of redress. However, progress is being made at a federal level on agreeing the American Data Privacy and Protection Act. And while EU citizens may lack any real means of redress for actions in the US, US citizens can rely on a well-developed system for seeking redress via class-action lawsuits.
- In the UK: As we saw in the second article in this series, the UK has data protection arrangements that are currently deemed adequate in their alignment with the EU’s GDPR (although that may change in the event of significant divergence). There is also nominally a means of redress via the UK’s own collective legal arrangements, known as representative actions. However, while the first big representative action on data protection taken against BigTech, Lloyd v Google, was initially successful on appeal, it was finally overturned in the Supreme Court. In a second pivotal case, Warren v DSG, a claim was brought on the basis of Breach of Confidence (“BoC”), Misuse of Private Information (“MPI”), Breach of the Data Protection Act 1998 (“DPA”) and common law negligence. All but the Breach of the Data Protection Act claim were dismissed, and the remaining claim was transferred to the small claims track of the County Court. It is important to note that while costs can be recovered in the High Court, they generally cannot be recovered on the small claims track, which undermines any prospect of bringing a representative action. This leaves no real means of recourse for any kind of representative action on data protection in the UK.
- In the EU: Citizens have the advantage of both regulatory protection via GDPR and a means of redress via an emerging system for class-action lawsuits. Unfortunately, recent rulings have undermined the ability to obtain any meaningful compensation or redress. The Advocate General (AG) of the Court of Justice of the European Union (CJEU) recently issued an opinion aiming to limit one of the last potential avenues for users to enforce their privacy rights under the GDPR. While GDPR explicitly enables claims for non-material damages, the opinion (which the CJEU is expected to follow) limits compensation by introducing an additional “threshold” that must be overcome before non-material damages are granted. Although it recognises that plaintiffs undoubtedly have the right to bring claims, it is typically impossible to remedy past violations or recall illegally shared data, so compensation is usually the only meaningful remedy left. The new threshold could limit redress to nothing more than a declaration of fault, nominal damages (usually €1) or an injunction. Such limited redress would make the prohibitively expensive process of bringing a claim almost pointless.
Ironically, the recent EU AG Opinion mentioned above saw no real need for litigants to seek redress, since responsibility for action was the job of the respective Data Protection Authority (DPA) in each country. The reality, however, is that many DPAs still take the view that they have no duty to enforce the rights of users. Some DPAs currently believe that users are not even a party to any procedure before them. Indeed, the AG Opinion goes on to argue that more civil court cases would “deprive” DPAs of complaints, when in fact many DPAs lack the resources or the intention to process the complaints already before them, or both.
The combination of a lack of action or enforcement by DPAs and the limits on means of collective redress are creating an environment where GDPR and other similar data protection regulations are effectively meaningless.
If governments are unwilling to adequately resource and/or task DPAs to enforce these regulations then they need to get out of the way and allow citizens to do so by enabling them with effective, collective means of seeking redress.