Businesses should not wait for EU data protection law, says PwC lawyer

Businesses waiting for the EU General Data Protection Regulation before taking action have already missed the boat, according to a PwC Legal partner

Businesses waiting for the EU General Data Protection Regulation (GDPR) before taking action have already missed the boat, according to partner at PwC Legal, Stewart Room.

Versions of the new European Union data protection regulation to replace the outdated 1995 directive have been approved by the European Commission and the European Parliament.

However, a version is yet to be formulated by the Council of Ministers, and only then will the final version by hammered out by all three groups. This is not expected to be done before January 2016.

But Room believes it would be a mistake for businesses to wait until then to decide how to protect the use of personal data in their business and prepare for compliance with the new regulations.

“Much of the objective of the reform has already been achieved because regulators are already regulating as if the new legal framework were already in place,” he told Computer Weekly.

Read more about proposed European data protection laws

According to Room, most of the eight landmark issues or big innovations that were highlighted when the proposed reforms were first published in 2012 are already informing actions by regulators in Europe.

“Three years on, if you go through that list of eight things, you find that regulators are acting as if these principles were enshrined in the law already,” he said.

Breach disclosure, for example, is not part of the UK Data Protection Act or current EU Data Protection Directive, yet the Information Commissioner’s Office (ICO) considers it to be either a mitigating or aggravating factor when considering monetary penalties in data breach cases.

“So to all intents and purposes, the UK regulator is acting as if breach disclosure is the law,” said Room.

Similarly, compulsory privacy policies are not required by current UK or EU data protection law, but at the end of January 2015, Google signed up to undertakings with the ICO about the company’s privacy policies..

In January 2014, France’s privacy watchdog, CNIL, fined Google €150,000 over its privacy policies. Both regulators are already acting as if compulsory privacy policies were already part of law.

Another example is the controversial right to be forgotten, with the European Court of Justice issuing a landmark ruling in May 2014 against Google in support of the right to be forgotten.

Creating a one-stop shop for regulators

Creating a one-stop shop, where all the regulators would work together and there will be a central function to ensure regulators take a consistent view, is another key innovation of the proposed GDPR.

The Global Privacy Enforcement Network (Gpen), which was set up in 2010 to foster cross-border co-operation among privacy regulators, is now effectively the global forum for regulators to work together, said Room.

In September 2014, regulators around the world signed a memorandum of understanding about how they will work together and co-operate, and in October 2014, the ICO announced the launch of The Common Thread Network, which is the network of Commonwealth regulators for data protection.

“In other words, regulators are already working as if there is a legal requirement for a one-stop-shop approach to data protection,” said Room.

There are similar examples of this trend in the five other key innovations proposed by the draft GDPR, he said, which means that in a policy sense and a substantive sense, EU data protection reform is already done.

“The danger is that companies do not recognise this reality, and are waiting for the new piece of legislation to get a rubber stamp,” said Room.

The only significant part of the proposed reforms that cannot be achieved until the law is rubber-stamped concerns the fines that can be imposed on companies for failing to protect personal data.

“The new regime will allow fines of potentially up to 5% of annual worldwide turnover, and clearly that cannot be done under the current regime. We will need the regulation to come through to deliver that,” said Room, but he argued the most important aspects of reform are already covered.

Work around compliance frameworks beyond 2016

Looking beyond 2016, Room expects for the first few years as things “settle down” there will be a flurry of work around compliance frameworks.

“Things like privacy impact assessments, privacy by design and privacy policies, which are all about governance and paperwork,” he said.

Security breaches will still occupy the lion’s share of things because breach disclosure will keep breaches at the top of the agenda

Stewart Room, PwC Legal

This activity will seek to create a managerial structure, formulate some rules and embed it into operations.

As the new regime matures, this initial burst of activity will move into a steady state around the theme of security breaches and the theme of monetising the consumer.

“Security breaches will still occupy the lion’s share of things because breach disclosure will keep breaches at the top of the agenda,” said Room.

“Monetising the consumer refers to the whole range of activity within selling consumers stuff or selling their data, including direct marketing, advertising profile and behavioural analytics.”

After the initial burst of activity around the frameworks, governance, policies, and procedures, Room believes the bulk of activity and concern will be around data breaches and monetising the consumer.

Looking at these two themes in a sectoral sense, he said the retail community is likely to attract an increasing amount of attention, and in a thematic sense, wearables are likely to become prominent.

“These two issues are likely to occupy around 75% of all activity around personal data protection once we have moved into a steady state,” said Room.

The power of the citizen

The other big differences from now, he said, will be the virtually unlimited fines and the power of the citizen.

“At the moment, the citizen does not have a huge amount of power to get things done under data protection law, but activist citizens can do quite a lot,” said Room.

As an example, he cites Austrian privacy activist and law student Max Schrems who has led a class action that claims Facebook violates user rights by tracking internet use on external sites, and Mario Gonzalez of Spain, who won the landmark ruling on the right to be forgotten after complaining that an auction notice of his repossessed home on Google's search results infringed his privacy

“Clearly the citizen can do things when they are really motivated, but most people do not fall into this category and find it too difficult to get things going,” said Room.

However, he believes this will change under the coming European data protection regime, and the citizen activist will potentially become a bigger problem for business than regulators.

“This is the interesting dilemma or philosophical issue that most data controllers should be thinking about, but they are not,” said Room.

Ultimately, he believes the rise of the citizen activist who is empowered to use the legal system could lead to a frenzy of litigation, which could potentially be the biggest impact of the EU reforms.

“In the UK, where there is only one information commissioner, with just a few hundred members of staff, it could take relatively few citizen activists working together in pressure groups to change the data protection and privacy landscape,” said Room.

For this reason, he said, businesses need to understand they must prioritise their capabilities to handle complaints, because litigation typically spins out of badly handled complaints or an unresolved grievance.

“Businesses may end up with a regulatory compliance agenda where they are spending more time on their callcentres or complaints handling than they are on security, because failure to resolve a grievance is a red-hot potato, but one that most businesses are not appreciating in the context of data protection and the reform of the data protection agenda,” said Room.

Businesses must focus on risk-based approach to data protection

He believes too many businesses are focusing on things like policy building that are not connected to the real business environment and are not capable of delivering real value.

Just as companies are beginning to take a risk-based approach to information security, they need to start taking a risk-based approach to privacy and data protection

Stewart Room, PwC Legal

“Instead, they should be working on complaints resolution by doing things like drawing up a playbook on how to respond to a letter of complaint from the data protection regulator,” said Room.

Yet very few organisations are working on such strategies, despite the growing focus on regulatory reform and vastly increased fining capability of data protection authorities.

“There is a sense in my mind that not many businesses have really understood what EU data protection reform is really about,” said Room.

“Businesses should be focusing on the big picture, they need to reflect on their business and their environment, decide what is important to them, and come up with a list of priorities.”

Those priorities, said Room, may include focusing complaint resolution or it may be something else that reduces the risk the most for that particular business considering what it does and the resources it has.

“Just as companies are beginning to take a risk-based approach to information security, they need to start taking a risk-based approach to privacy and data protection,” said Room.

He believes the reason so few organisations are approaching privacy in this way is because they are opting for a legalistic approach instead.

“Data protection is still seen as a legalistic issue because it is a compliance issue, but risk and business decisions are not legal issues and that is what many businesses are failing to understand,” he said.

Read more on Privacy and data protection