Data death censorship outrages, but consensus will emerge

I had the great privilege to debate the pros and cons of ‘The Right To Be Forgotten’ at The Law Society this evening, the home… Read More

Data death censorship outrages, but consensus will emerge

I had the great privilege to debate the pros and cons of ‘The Right To Be Forgotten’ at The Law Society this evening, the home of the Solicitors’ Professional of England and Wales. One of my sparring partners was Mark Stephens, a true great on the UK legal stage. I was in a tag team with the Information Commissioner’s Jonathan Bamford, a good man and friend. Mark’s partner was Jodie Ginsberg, a fine and intelligent advocate against censorship on the web.

The decision of the Court of Justice of the European Union in the Google Spain case is controversial due to its subject matter, the result and the quality of the judgment. The balance between privacy rights and freedom of expression is polarising by it’s very nature. These are cherished human rights after all and it would be odd if they did not arouse passions. Scrub that: it would be sad if they did not arouse passion. Scrub that again: the passion they trigger is to be applauded and celebrated.

But back to the point.

The controversies within the judgment are multiple. Is it right to demand ‘data death’ at the search engine, when the original publisher of the offending content is left free to continue publication? Is it right to burden (or empower) a private sector internet giant with censorship obligations, rights and powers, which are exercised in private rooms and corridors outside of public scrutiny? Is it right to execute judgment on a publisher who is not consulted or given a right of defence or reply? Does it make sense to promote a legal regime that can be easily bypassed through out-of-jurisdiction search and IP address masking?

These are all legitimate concerns in my humble opinion. And I agree that it is a shame that the Judgment of the Court isn’t deep or instructive. It is regrettable that so much of the law is still opaque and uncertain. Many lawyers would not have written a judgment so as important as this one in the same or similar terms.

But this doesn’t mean that the decision is wrong. The critical legal issues of controllership and establishment are intellectually sustainable on the face of the wording of the Data Protection Directive. In an economic, organisational and functional sense, global web search looks very much like data controllership to me, as defined by the Directive. Likewise, for establishment.

So we are where we are. What is important from here is the next step. This is acceptance of the judgment and building an acceptable model for its operationalisation, which needs a calmness of mind, maturity of thought and certainty of purpose. I expect that these virtues will be the foundation stones for success. Simple cries of outrage and blanket denial or disagreement do not provide a solution to the problems and challenges that the Judgment has thrown up. We have to get on with it and make the Judgment work.

We are living during the time of the Digital Industrial Revolution. These are uncertain times, but exciting too. There will be big winners and losers and the win/lose gap of this Industrial Revolution will be bigger than it’s predecessors. But the Google Spain case is not a loss for anyone. It is not sinister censorship. It is not the death of media, newspapers, journalism, criticism or honest debate. It is simply an inevitable step in the development of the law during a Revolutionary age, one that understands the basic truth of cyber space, Digital and the Internet, which is that due to the functional performance of advanced technology the barrier between the private space and the public space is thinner than ever before. Therefore, the private space must acquire better legal protections. The decision of the Court of Justice was an inevitable and logical progression.

Posted on October 15, 2014

Technical privacy regulation here, but are you gambling?

Here’s a link to a blog that was recently posted on IAPP’s ‘Privacy Perspectives’ blog, where I consider the idea that privacy regulation is now… Read More

Technical privacy regulation here, but are you gambling?

Here’s a link to a blog that was recently posted on IAPP’s ‘Privacy Perspectives’ blog, where I consider the idea that privacy regulation is now in a technical age. The core point that I’m trying to make is that the regulators have acquired skill, experience and expertise through their years of engagement with controllers and other regulated entities, so that they now pose a significant threat during the course of investigations and enforcement actions. This leaves regulated entities with a simple choice: up your game. If you don’t you’re just gambling.

IAPP blog

Posted on October 13, 2014

Data protection – entering the ‘post-regulatory’ age

The status of the proposed EU General Data Protection Regulation is still up in the air at the moment, but there is a greater sense… Read More

Data protection – entering the ‘post-regulatory’ age

The status of the proposed EU General Data Protection Regulation is still up in the air at the moment, but there is a greater sense of optimism around that the reform agenda will complete fairly soon, i.e., in the medium term, say by the end of 2015. The European Parliament elections depressed sentiment for a while, but they are now history. And the reform agenda has received a considerable boost from the CJEU decisions in the Google Spain case and the Digital Rights Ireland case, by Snowden’s disclosures and by the growth of citizen and pressure group litigation (e.g., Max Schrems’ cases against Facebook and the pressure group litigation about Prism and Tempora). People connected into the political scene are detecting clear shifts in policy formation too, as the political classes tune-in to the pro-privacy vibes in the air.

That is all ‘big picture’ stuff however. As I was discussing with a close friend in the privacy community the other day, I sense that we are entering the ‘post-regulatory’ phase of data protection, ironic as that sounds.

What I mean by this, is that when the phenomena of regulation is viewed for what it is – basically a mechanism to cure imperfections in market behaviours – a time should be reached when regulation has done its job. Take telecoms regulation from the 1980s. The core aim was to liberalise the markets, by breaking up monopolies. Clearly, that regulatory goal was successfully achieved. Thus, for that aspect of telecoms, we are in a post-regulatory age. No one seriously believes in telecoms monopoly anymore, although people used to.

Data protection as a concept has moved past the initial regulatory goals, of creating principles-based norms for good behaviours. I believe that we no longer need regulation to teach the economy that data protection is important. The case has been proved and accepted. Only foolhardy businesses will think that shoddy attitudes will be good for the bottom line.

Thus, the nature of the conversation that professional services providers (like me) have with businesses has changed. Scanning back five years or so, the argument might have been described as a ‘fear sell’ in some quarters, because the argument was ‘bad data protection has bad consequences’. Now the conversation is about how good data protection adds value.

This transition is the hallmark of a post-regulatory environment. The status quo, or the norm, is now about data protection as a positive. This includes security too. Good security adds value and enables business. We should not be talking about how security strangles or suffocates business. That would be stupid.

For business, the evidence is building up. There a number of factors at play and they are all interrelated. The newsworthiness of data protection and cyber security is clearly a huge part of the picture. The more the story is played out in public, the greater is the impact on the minds of individuals. Of course, regulatory actions have been another big factor. But, the real drivers of change are the positions of ordinary individuals. We all wear many different hats. We are customers, employees, business partners, shareholders (and so on), so we hold all the power. Cumulatively, the effects that we are having on business and corporate minds is profound. Principally, we are causing businesses to look at data protection and security in terms of trust, confidence, brand and reputation.

This translates into something in economic terms. We sometimes try to define the effect as ‘goodwill’, but it is hard to put a pound-value on goodwill. Yet that doesn’t matter, because businesses instinctively understand the connection between goodwill and profit.

This explains why, if you work in the space that I do, you find significant shifts in attitudes towards data protection compliance in business. Sure, lots of businesses are performing sub-optimally, but the improvements in recent years have been immense.

Hence, we have entered the post-regulatory age. Of course, this is not to say that we do not need regulation or a new Data Protection Regulation. Market imperfections change, develop and evolve. Oversight, sometimes light touch, sometimes heavy, is a thing to embrace, welcome and support, provided that the regulators themselves act properly, proportionately and fairly.

Posted on September 3, 2014

Marketers beware: ‘irritation’ fines being called for

The Information Commissioner’s Head of Enforcement has published a blog about financial penalties that shines a bright spotlight on the ICO’s thinking around how to… Read More

Marketers beware: ‘irritation’ fines being called for

The Information Commissioner’s Head of Enforcement has published a blog about financial penalties that shines a bright spotlight on the ICO’s thinking around how to deal with nuisance marketing. The backdrop to the story is the overturning of the record Monetary Penalty by the Information Tribunal, which the ICO imposed on two company directors who were sending out spam SMS marketing messages on an industrial scale. The basic problem in the case – as far as the Tribunal is concerned – is that the financial penalty regime requires ‘substantial’ harm to be caused by the offending practice before a fine can be imposed. In the Tribunal’s judgment, a spam SMS causes only minor irritation. To get around this problem the ICO argued that the aggregate affect of many thousands of irritating texts amounts to a substantial harm. The Tribunal was having none of this, and the fine was unwound.

So where does this leave the ICO? In a nutshell, ICO is saying that the financial penalties regime for direct marketing problems has been destroyed by the judgment. In the ICO’s view, the law is now ‘bad’. There is only one thing that can be done to restore the law to a credible state, which is to amend it, to lower the threshold for fines.

I’m not going to tackle the substance of ICO’s arguments here. It’s the insights that the blog gives into the mind of the regulator and the likely impacts for marketers (if the law is amended) that are most interesting to me.

If the ICO’s case for amendment of
the law is accepted by Parliament, it will place marketers into an unprecedented zone of legal peril. Nuisance level fines are unprecedented in this country. The triggers to fines will be so low that every business that engages in electronic direct marketing will be at risk if the recipients of their messages complain en mass.

Do people complain en mass? Sure they do. ICO tell us every year that complaints are increasing. And, of course, it would be easy for pressure groups to drum up significant volumes of complaints. The initiative launched by Max Schrems in his Austrian litigation against Facebook is a good example of this dynamic. There are plenty of others.

And where should the lowering of the threshold end? If it is right to lower it for directing marketing, what about for other data protection matters? Security breaches are more serious than direct marketing problems, aren’t they? Well that depends on your point of view, but why not impose nuisance fines for them? What about data accuracy? Or how about international data transfers? Aren’t many thousands of people irritated by the transfer of their data to foreign jurisdictions?

The ICO might be right in its case. Or it might be wrong. That’s not the point of this analysis. What is sure, if the ICO is right, is that data protection regulatory risk will increase exponentially. That’s something that data controllers everywhere ought to be aware of. This is part of the ‘Regulatory Bear Market’ that I keep talking about.

Of course, a simple retort to these concerns is that no one acting lawfully will be fined. That’s correct, but the realities of direct marketing, data protection, regulation and enforcement are somewhat different from the purely theoretical aspects. When the totality of the situation is considered, a number of core realities become visible. For instance, there isn’t yet a bright line test to enable people to be sure whether they are acting on the right or wrong side of the law. Consider the recent debates about the meaning of consent for the setting of cookies and you’ll see that an authoritative consensus view hasn’t yet emerged. Also, consider the realities of databases and data acquisition: legacy systems, old data, aged consents, list broking, mergers and acquisitions, joint ventures. How many organisations are certain of their consent profiles for all aspects of marketing? Also, consider the corporate attitudes to monetisation. How many want to ‘push the envelope’, or want to abut the ‘creepy line’? These are just some of the many difficult aspects of data controllership that feed into assessments of lawfulness.

In other words, the organisations that will be vulnerable with a lower threshold for fining will be more much that the deliberate, industrial spammers.

Posted on August 14, 2014

The Privacy Bear Market in Europe – a treacherous ocean full of privacy litigation icebergs

The fact that the legal environment for privacy in Europe has become considerably more contentious over the past year or two will not have been… Read More

The Privacy Bear Market in Europe – a treacherous ocean full of privacy litigation icebergs

181929062The fact that the legal environment for privacy in Europe has become considerably more contentious over the past year or two will not have been missed by people who work regularly in the ‘privacy space’ (such as data protection officers, CPOs, privacy advocates and professional services providers). The Google Spain ‘right to be forgotten case’, the Google France ‘privacy policy’ fine, the Max Schrems anti-Facebook litigation in Ireland and Austria, the Prism and Tempora litigation in the UK and Strasbourg brought by the civil society organisations, the Digital Rights case against the Data Retention Directive, are just the visible tips of a massive privacy litigation iceberg that is drifting through the oceans of data controllership, internet processing, electronic communications, cloud computing and big data. The nature of things is such that ‘titanics’ in the waters will be holed when they come into collision with the ‘berg. That’s why people are saying that if privacy litigation can ‘get’ Google, it can get anyone.

What we are seeing in these cases is the next stage of development of the “Bear Market’ for privacy, data protection and security. A Bear Market is a time of negative sentiment, pessimism and loss of confidence, the opposite of a Bull Market, when optimism is rising. The negativity in the environment stems simply from a trust problem. People do not trust what is happening to their data. The first stage in the development of the Bear Market was the ‘Regulatory Bear Market’, when the cudgels against bad data processing were taken up by the data protection authorities and other regulators, who have made more frequent use of their powers of intervention, investigation and enforcement to challenge and censure bad data processing, while at the same time campaigning for more and tougher powers. As awareness levels around privacy issues and data breaches has increased, the regulators have been joined by pressure groups, individuals and businesses in the contentious aspects of the law.

This a natural part of the cycle of development of the law and we will reach a point relatively soon when disputes and litigation over privacy, data protection and security are just part and parcel of doing business, as has happened in so many other areas of the law.

Putting it another way, how many sane business leaders now scratch their heads, in ponderance about the risk of employment or health and safety disputes and litigation? Obviously, the answer is none. Everyone sane accepts that if you run a business, you will need to insure or protect yourself against employment and health and safety litigation problems. Eventually, the same attitude will prevail for privacy, data protection and security.

Yet despite knowing that they are sailing in treacherous waters, many data controllers are simply not yet ready for the contentious environment. There is a feeling that many will not see the iceberg before it’s too late to take evasive action. Reflecting again on the Google ‘right to be forgotten’ case, there is an increasing sense that they did not see the outcome as being remotely likely and that they were taken by surprise by the court’s decision. They knew they were in treacherous waters, but the first time they saw the ‘berg was at the point of the judgment being handed down, after which they were stunned into silence for a few days, which was followed by a defeated public sigh of compliance. Google’s positions on controllership and establishment had been truly holed by the privacy iceberg and the regulators are taking increasing advantage.

There are many steps that controllers can take to improve their positions and to lessen their exposures to contentious business. The way security and security breaches are handled in some organisations could not be worse if deliberately designed that way: smoking guns’ are liberally sprinkled around audit reports, internal reports and memoranda (and every regulator and litigator knows this and where to look) while the benefits of legal privilege are ignored, or shunted into the sidings. Really risky projects, like ‘Binding Corporate Rules’, are regularly undertaken without the slightest consideration of the contentious exposures that are created, such as grants of regulatory audits that, sooner or later, are going to be used against the controller.

The prudent captain of a ship traveling through treacherous water will keep a proper lookout for the icebergs ahead and around. In this Privacy Bear Market, the prudent controller will consider the contentious risks and will plot a course around them. Those that do not will hit the bergs and they will be holed. The fights around privacy and security are only going to be more frequent and tougher. It is best to be ready.

Posted on August 9, 2014