The relationship between regulators and the regulated is founded on cooperation, not fines
I may have mentioned it once or twice before, but I used to work in a data protection regulator, so - as you can imagine - I have some fairly strong views about the importance and role of regulation in protecting and vindicating the data protection and privacy rights of individuals. The commentary around privacy regulation can often be very black and white, with a fixation on fines or antagonistic relationships between regulators and businesses.
The focus on fines is understandable, but as you can imagine, the reality is a bit more complicated, and regulation in this area is most effective when it also involves cooperation and proactive steps by industry. When done right, privacy should ultimately benefit all parties involved, regulators and industry as well as individuals.
The regulator and the regulated
Fines are, for the most part, a fairly new phenomenon. Most European privacy regulators had less in the way of tangible, robust enforcement powers before the advent of the General Data Protection Regulation (GDPR). My old workplace, the Irish Data Protection Commission, as with a number of other data protection authorities (DPAs), did not actually have the power to impose fines for breaches of the old Data Protection Directive, but was granted new powers under the GDPR.
Whilst losing money can be a powerful motivator for change, in my experience, administrative fines are often focused on a bit too much in public discourse, and we sometimes miss that (a) they’re not always the most effective or appropriate way to enhance compliance, and (b) other powers, such as to order processing to be brought into compliance, to delete collected personal data, or to cease processing operations altogether, can be even more effective. Not to mention that the calculation of fines that are effective and dissuasive, but also fair and proportionate, is a tricky task for regulators, and one that will be challenged by businesses if they think the regulator has got it wrong.
Ultimately, regulators have neither the inclination, nor the budget, to repeatedly get bogged down in arguments with businesses over the minutiae of interpretation of privacy laws, going through often costly and lengthy challenges and appeals mechanisms. Nor do the businesses. In some cases, important decisions on how to interpret and implement data protection and privacy laws will have to be decided by a court, and this can add great clarity to contentious issues, but in the majority of cases this just isn’t an efficient or effective way to ensure individuals’ privacy rights are protected in the near-term.
Thus, in most cases - and, unsurprisingly, these are the less dramatic, headline-grabbing stories - improved privacy practices are driven by (either binding or voluntary) recommendations from regulators, which can come as part of a formal investigation, as part of a consultation between businesses and regulators, or even as guidance produced by regulators.
Regulators will sometimes work with businesses to mitigate risks before new services or products are rolled out - taking a proactive rather than reactive approach to addressing privacy risks. For example, the Irish DPC did this recently with Facebook’s new ‘Facebook Dating’ service, where concerns about privacy implications were raised and discussed with Facebook during the planning and development of this service, which ultimately resulted in the launch of the service in Europe being delayed until they could be addressed.
In a more close-to-home example, Avast has worked with the Czech DPA over the last couple of years on a review of our personal data processing for our antivirus product, which was an instructive and useful exercise. Recommendations from the DPA were actioned to further enhance privacy protection at Avast, with the processing ultimately found in October 2020 to meet the standards required by the GDPR. Even before concerns were raised by the public over the nature of the processing of personal data by Avast’s subsidiary Jumpshot - which was closed in January 2020 in response - this cooperation with the DPA had already led to improvements in the transparency and user choice around this processing, with new wording and options introduced in late 2019 to better explain what that processing involved, and to give greater choice to customers about opting-in to that processing.
So, that’s why I can honestly say that I see the period of reflection that was brought on by the concerns raised about Jumpshot, and the decision to cease Jumpshot’s processing operations, as also an opportunity. An opportunity to receive further feedback from the regulator, to reflect on the reactions and expectations of our customers, and to remind ourselves that even with good intentions (trying to design a more privacy-preserving form of trend analytics) you can get the balance wrong. It doesn’t mean I think it was good that these particular concerns arose, but I do think that opportunities to constantly question and re-evaluate decisions around the processing of personal data are valuable, and ultimately a normal part of a healthy regulatory regime.
Cooperation in practice
Recently, there was a flurry of media attention about a ‘fine’ which the UK DPA, the Information Commissioner’s Office (ICO), had levied against Experian, the credit reference agency (CRA). The interesting thing about this story to me was what wasn’t mentioned. First of all, the step the ICO took in October 2020 was actually to issue an ‘enforcement notice’, which is really more of a warning that a fine could (and likely would) be imposed if the company failed to make suggested changes to their practices.
Secondly, and more interestingly, the ICO actually investigated three CRAs, with Equifax and TransUnion being investigated in addition to Experian. The ICO noted that all three CRAs worked with investigators to address problems during the investigation, but TransUnion and Equifax went further in addressing the ICO’s concerns, including by actually withdrawing certain products and services they had offered, in order to become fully compliant, and thus they were not issued with enforcement notices.
The fact that the ICO didn’t need to issue notices to TransUnion or Equifax in this case, because they cooperated more thoroughly with the DPA’s recommendations, is why neither firm was at risk of being fined. This is a good example of the significant power DPAs have to effect positive changes in privacy and data protection practices, beyond just the power to issue administrative fines. Naturally, the possibility of a fine certainly helps recommendations be taken seriously, but this case does illustrate the nuance in the regulatory relationship, and how regulatory action met with cooperation can lead to mutually beneficial results.
Even where privacy issues aren’t or can’t be solved just through guidance and cooperation, but result in more formal sanctions, there is actually something of a ‘silver lining’ attitude taken by industry even when a regulatory decision goes against them. At the end of the day, a clear decision, particularly one that has been challenged in court and decided upon, at least gives you a clear answer about what is and is not permitted. This can be a welcome bit of clarity for companies who have to operate within rules which can at times be open to multiple interpretations. A solid regulatory decision, even one which necessitates you changing your practices and involves a certain cost to you as a business, is all the more clear for having been adjudicated.
Some argue, or worry, that companies might simply see potential fines for breaches of the GDPR or other privacy laws as just the cost of doing business; however, the spectre of DPAs’ other powers, such as to essentially order a company to stop using personal data in a particular way, cannot be ignored. Therefore, I think it’s the wiser and more responsible approach for businesses to work with regulators, and their own privacy teams or advisors, early on to address any privacy risks that might be identified, rather than to wait for regulatory enforcement to escalate, and then be forced to rebuild processes from scratch.