Eduardo Ustaran's Blog

January 8, 2014

In search of global privacy compliance

In the same way that most activities involving data are global, complying with the rules and regulations affecting those activities is a markedly global endeavour. Whether we are talking of multinational corporations with hundreds of thousands of employees or of a humble start-up with a clever idea, an app or a website, the ambitions are the same: tapping into the opportunities of the global marketplace. A digital marketplace that is free from the physical constraints attached to distance, cultures and infrastructure. A marketplace that is huge and that has already turned college dorm ideas into some of the most successful and influential businesses on the planet. But we must not forget that going global and using personal information collected from all over the world carries equally huge responsibilities which extend well beyond filing forms and sweet-talking regulators.

One of the challenges faced by anyone operating globally is the fragmentation of legal regimes affecting the handling of personal information. Today, there is no leading privacy model that has arisen as the one to follow universally. Some regimes take an all-encompassing approach, applying principles, obligations and rights to all possible activities involving personal information. In some cases – think Europe – this approach is not only comprehensive, but unashamedly strict. Other regimes go for a more down-to-earth, but still meaningful, approach to regulating privacy, allowing users of data a greater degree of discretion in terms of the precise compliance steps to take. There are jurisdictions where the use of data within some sectors is firmly regulated whilst other sectors are entirely off the hook. This colourful variety of legal regimes and data privacy obligations makes the already difficult task of managing privacy on a global scale even harder.

An obvious route to take is to look at things on a country-by-country basis and simply try to do whatever it takes to get it right within each jurisdiction, whatever the differences. The trouble here is that compliance often becomes a matter of running a prohibitively expensive exercise where the only advantage is not falling foul of each local law. The reality is that only a very limited number of organisations have the energy, resources and budget to do this. An insurmountable drawback of this approach is not just the cost of compliance, but the inability to operate globally in a truly consistent way. It is frustrating to see how valuable resources are devoted to tailoring practices to local demands, which contributes to an inefficient and unproductive way of addressing global privacy needs.

This is exacerbated by the limitations on international data transfers and the finicky ways in which such transfers are meant to be legitimised. Take the standard contractual clauses approved by the European Commission for these purposes, for example. Although the clauses have the seal of approval of the Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. That is simply absurd. Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving data flows. A static contractual agreement is likely to become out of date between the time it is signed and the time it is filed with the authorities – hardly solid ground on which to build a compliance programme.

Against this background, an unfortunate, but popular, choice is to do nothing. Lawyers and regulators will cringe at the thought of thousands – if not hundreds of thousands – of situations where nothing is actually done to properly address the legal restrictions affecting international data flows. Some organisations manage to spend a small fortune legitimising transfers of data across jurisdictions – both within their own international structures and to third parties – but I have the suspicion that these are a minority in the whole scheme of things. Amongst that minority, only a select group will actually get their act together and implement a workable set of global privacy safeguards. The system seems to tolerate this and regulators appear content with their ability to scrutinise those who do something about it. But this cannot be right. Global data privacy compliance is neither optional nor a pastime for those select few with the guts and stamina to go public about their practices. It is an essential need that requires a combination of fresh thinking, a workable global framework, a team approach and the right tools.

This article was first published in Data Protection Law & Policy in December 2013 and is an extract from Eduardo Ustaran’s book The Future of Privacy.
Published on January 08, 2014 14:35

In defence of principles-based regulation

When the European Commission published its proposal for a new regulation aimed at rejuvenating the 1995 Data Protection Directive in 2012, there was one major feature that stuck out above everything else. Beyond the obvious objective of tackling the data privacy challenges of the 21st century, all of the novelties proposed by the Commission had one thing in common: the principles, rights and obligations were far more prescriptive in nature than under the Directive. This was perhaps a natural consequence of having to draft a directly applicable regulation, but it represented a fundamental change from the way European data protection had operated until now.

The bulk of the proposed regulation was meant to introduce a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, nearly immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also a new way of demanding practical compliance in the black letter of the law. If one is looking for legal certainty, there is nothing like a law which says do A, B and C, and do not do X, Y and Z. It almost makes lawyers redundant, which may well be a good thing! But aside from the risk of distorting the technological neutrality principle, it makes that law much more dissimilar from any other law in the world regulating the same thing.

The balance between principle-based regulation and laws with clear instructions is a fragile one. Go for high level principles with woolly words such as ‘fair’, ‘reasonable’, ‘relevant’ or ‘adequate’ and you are risking inconsistency of interpretation and a lack of understanding of what the law requires. Tilt the scale towards prescriptive instructions and what you gain in legal certainty you lose in much needed flexibility. Here is the thing: clear and prescriptive obligations are helpful in the sense that they do not leave room for ambiguity. But let us not forget that privacy protection is linked to the evolution of technology, an unpredictable world requiring flexibility and quick thinking. A prescriptive law will always be constraining, not because it is strict, but because it is rigid.

Now, shift this balancing exercise to a global stage and the risk of rigid laws becoming practically ineffective is exponentially multiplied. Instructions and checklists are immune to cultural and political differences, but those who need to follow those instructions and go through those checklists are not. People and organisations are revealing and accessing the same information on a global scale. The protections and norms that affect that relationship must, therefore, be geared to cope with the situation in a way that specific legal instructions cannot be. Some data privacy and security principles may be imprecise, but they have proven to pass the test of time and distance. Prescriptive norms are bound to fail that test because they lack the elasticity needed to make global privacy protection workable. Relying on principles to safeguard something so important may not be the perfect solution, but we should be looking for effectiveness, not perfection.

This article was first published in Data Protection Law & Policy in October 2013 and is an extract from Eduardo Ustaran’s book The Future of Privacy.
Published on January 08, 2014 14:32

Incentivising compliance through tangible benefits

The secret of compliance is motivation. That motivation does not normally come from the pleasure and certainty derived from ticking all possible boxes on a compliance checklist. Although, having said that, I have come across sufficiently self-disciplined individuals who seem to make a virtue out of achieving the highest degree of data privacy compliance within their organisations. However, this is quite exceptional. In truth, it is very difficult for any organisation – big or small, in the private or public sector – to get its act together simply out of fear of non-compliance with the law. Putting effective policies and procedures in place is never the result of a sheer drive to avoid regulatory punishment. Successful legal compliance is, more often than not, the result of presenting dry and costly legal obligations as something else. In particular, something that provides tangible benefits.

The fact that personal information is a valuable asset is demonstrated daily. Publicly quoted corporate powerhouses whose business model is entirely dependent on people’s data evidence the present. Innovative and fast-growing businesses in the tech, digital media, data analytics, life sciences and several other sectors show us the future. In all cases, the consistent message coming not just from boardrooms, but from users, customers and investors, is that data fuels success and opportunity. Needless to say, most of that data is linked to each of us as individuals and, therefore, its use has implications in one way or another for our privacy. So, when looked at from the point of view of an organisation which wishes to exploit that data, regulating data privacy equates to regulating the exploitation of an asset.

The term ‘exploitation’ instinctively brings to mind negative connotations. When talking about personal information, whose protection – as is well known – is regarded as a fundamental human right in the EU, the term exploitation is especially problematic. The insinuation that something of such an elevated legal rank is being indiscriminately used to someone’s advantage makes everyone feel uncomfortable. But what about the other meaning of the word? Exploitation is also about making good use of something by harnessing its value. Many responsible and successful businesses, governments and non-profit organisations look at exploiting their assets as a route to sustainability and growth. Exploiting personal information does not need to be negative and, in fact, greater financial profits and popular support – and ultimately, success – will come from responsible, but effective ways of leveraging that asset.

For that reason, it is possible to argue that the most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits that organisations can relate to. In other words, policy making in the privacy sphere should emphasise the business and social benefits – for the private and public sector respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. Right for their shareholders, but also for their customers, voters and citizens. The message for policy makers is simple: bring compliance with the law closer to the tangible benefits that motivate decision makers.

This article was first published in Data Protection Law & Policy in September 2013 and is an extract from Eduardo Ustaran’s book The Future of Privacy.
Published on January 08, 2014 14:27