The Privacy Bear Market in Europe – a treacherous ocean full of privacy litigation icebergs

The fact that the legal environment for privacy in Europe has become considerably more contentious over the past year or two will not have been missed by people who work regularly in the ‘privacy space’ (such as data protection officers, CPOs, privacy advocates and professional services providers). The Google Spain ‘right to be forgotten’ case, the Google France ‘privacy policy’ fine, the Max Schrems anti-Facebook litigation in Ireland and Austria, the Prism and Tempora litigation in the UK and Strasbourg brought by the civil society organisations, and the Digital Rights case against the Data Retention Directive are just the visible tips of a massive privacy litigation iceberg that is drifting through the oceans of data controllership, internet processing, electronic communications, cloud computing and big data. The nature of things is such that ‘titanics’ in the waters will be holed when they come into collision with the ‘berg. That’s why people are saying that if privacy litigation can ‘get’ Google, it can get anyone.

What we are seeing in these cases is the next stage of development of the ‘Bear Market’ for privacy, data protection and security. A Bear Market is a time of negative sentiment, pessimism and loss of confidence, the opposite of a Bull Market, when optimism is rising. The negativity in the environment stems simply from a trust problem. People do not trust what is happening to their data. The first stage in the development of the Bear Market was the ‘Regulatory Bear Market’, when the cudgels against bad data processing were taken up by the data protection authorities and other regulators, who have made more frequent use of their powers of intervention, investigation and enforcement to challenge and censure bad data processing, while at the same time campaigning for more and tougher powers. As awareness levels around privacy issues and data breaches have increased, the regulators have been joined by pressure groups, individuals and businesses in the contentious aspects of the law.

This is a natural part of the cycle of development of the law and we will reach a point relatively soon when disputes and litigation over privacy, data protection and security are just part and parcel of doing business, as has happened in so many other areas of the law.

Putting it another way, how many sane business leaders now scratch their heads pondering the risk of employment or health and safety disputes and litigation? Obviously, the answer is none. Everyone sane accepts that if you run a business, you will need to insure or protect yourself against employment and health and safety litigation problems. Eventually, the same attitude will prevail for privacy, data protection and security.

Yet despite knowing that they are sailing in treacherous waters, many data controllers are simply not yet ready for the contentious environment. There is a feeling that many will not see the iceberg before it’s too late to take evasive action. Reflecting again on the Google ‘right to be forgotten’ case, there is an increasing sense that they did not see the outcome as being remotely likely and that they were taken by surprise by the court’s decision. They knew they were in treacherous waters, but the first time they saw the ‘berg was at the point of the judgment being handed down, after which they were stunned into silence for a few days, which was followed by a defeated public sigh of compliance. Google’s positions on controllership and establishment had been truly holed by the privacy iceberg and the regulators are taking increasing advantage.

There are many steps that controllers can take to improve their positions and to lessen their exposures to contentious business. The way security and security breaches are handled in some organisations could not be worse if deliberately designed that way: ‘smoking guns’ are liberally sprinkled around audit reports, internal reports and memoranda (and every regulator and litigator knows this and where to look) while the benefits of legal privilege are ignored, or shunted into the sidings. Really risky projects, like ‘Binding Corporate Rules’, are regularly undertaken without the slightest consideration of the contentious exposures that are created, such as grants of regulatory audits that, sooner or later, are going to be used against the controller.

The prudent captain of a ship traveling through treacherous water will keep a proper lookout for the icebergs ahead and around. In this Privacy Bear Market, the prudent controller will consider the contentious risks and will plot a course around them. Those that do not will hit the bergs and they will be holed. The fights around privacy and security are only going to be more frequent and tougher. It is best to be ready.