Businesses should gear up for tougher privacy regulation as the rise of citizen activists drives greater powers for regulatory bodies, according to Stewart Room, partner at PwC Legal.
“In the past six months, state after state has been recognising the need to allow citizen-based litigation for privacy harm, and this support by courts of the citizen is probably the single most important development in data privacy in the past 10 years,” he told a seminar attended by business privacy representatives in London.
Citizen power in court is something that the judiciary in a growing number of countries is supporting when it comes to privacy issues, said Room.
“This is something businesses have got to get to grips with because if we empower the citizen with greater rights of access to justice, they are going to use it,” he said.
In a growing number of cases, said Room, there is recognition of the need for consumer protection via the tort (legal liability) route, where the individual is, in effect, acting as the regulator and gaining redress for the privacy harms they have suffered.
Towards the end of June 2015, the European Court of Justice (ECJ) is expected to rule in a case brought by privacy campaigner Max Schrems that could decide how Europeans’ data will be shared with US internet firms in future.
The case against Ireland’s Data Protection Commissioner was referred to the ECJ by the high court in Dublin for a ruling on whether the watchdog is bound by the safe harbour agreement, which provides a means for US companies to transfer personal data from the EU to the US that meets EU data protection requirements.
“The ECJ is the most activist court imaginable,” said Room. “And whatever the ruling is, it will have the effect of making regulators much more aggressive in their enforcement activities to avoid appearing to be weak.”
Citizens exercising privacy rights
Just as the UK’s Financial Conduct Authority has been tougher than the former Financial Services Authority, which was disbanded after the banking crisis, Room believes businesses can expect privacy regulators to be a lot tougher on them in future.
Regulators will want to appear tougher, he said, every time the citizen has a go in cases such as Vidal-Hall vs Google, in which Judith Vidal-Hall won the right to sue Google in the UK courts for its activities in the UK. The ruling signalled the end of the immunity against local court action that Google and the other US internet giants had claimed against users in the UK and Europe.
Vidal-Hall’s action against Google relates to the discovery that, despite agreeing to respect the “do not track” functionality in Apple’s Safari browser, some ads placed by a Google ad network contained script that caused Safari to operate as if the “do not track” option was turned off. This enabled the ad network to set cookies to profile and track Safari users even though they had enabled the “do not track” option.
The Vidal-Hall vs Google case established that Google can be sued in the UK and that an individual does not have to suffer financial loss to be entitled to compensation for a loss of privacy.
“This means that unless the court of appeals ruling is overturned by the House of Lords, the citizens in this case have delivered unprecedented change in the UK, and the ripple effect is massive, because anyone can now sue any company for compensation for breach of their privacy,” said Room.
“What we see in this case and others like it is the citizen activist who is capable of delivering change that the regulators have been incapable of delivering in the past 20 years. The regulators have done shockingly little in that time compared with what citizen activists have done in the past 18 months,” said Room.
In 2014, a Spanish citizen, Mario Gonzalez, with his litigation powers and access to justice, forced Google to fundamentally rebuild the way it does web search in the EU, and in 2015 an Austrian citizen, Max Schrems, may fundamentally change how Facebook transports data across the Atlantic.
Regulators to respond with greater powers
Cases such as these could call into question the value of regulators, said Room, with a battle for relevance being the result. “If the citizen is tough, the regulator will have to be tougher to be relevant, so there is an upping of the ante,” he said.
According to Room, the big picture from these two cases is the movement to a “two-pronged onslaught” against the business community and the public sector as a result of the battle for power between citizen activists and regulators. “Whatever individuals try to do to get the likes of Facebook and Google to improve privacy will be met by increased aggression towards business by the regulators,” he said.
Room believes that the natural consequence of the battle between the citizen and the regulators will be that regulators will gradually become equipped with greater powers. “When they have this new power, they are going to use it, and companies are going to be audited to high heaven and inundated with demands to complete privacy impact assessments,” he said.