Data protection is a fundamental right which is expressed in different ways around the world. David Reed found out how global practitioners view developments in the EU and beyond and what their impact will be on global businesses.
Europe is not the only region of the world to be discussing new data protection laws. In the United States there has been a race between competing pieces of legislation to gain approval, while other countries, such as India, have also been playing catch-up.
To get a global perspective on data protection, DataIQ interviewed two leading practitioners: Jennifer Glasgow, chief privacy officer for Acxiom Corporation (JG) and Brooks Dobbs, chief privacy officer for KBM Group (BD).
DIQ: Is there any global trend in the nature of the laws which countries are adopting, for example a move towards the European Union model?
BD: There is clearly a global trend. Europe is ahead of the curve - that makes it difficult to transfer data to jurisdictions without an adequacy finding. Many other countries are trying to model their legislation after the EU’s, whether because they see it as a good model or to get an adequacy finding is an open question.
In the US, there is a completely different paradigm for regulation. We have safe harbour, which is nice, and model contracts are challenging. An adequacy finding is something everyone would like to see. The question is how to get there.
JG: While Latin America traditionally follows Europe (usually their parent country) as a model, we are seeing more countries like Brazil and Colombia also looking to the US and Canada for workable examples. Mexico, for instance, worked closely with the US Department of Commerce in developing its law.
Asia is something of a mixed bag. Since Europe has the longest-standing laws, it’s usually the first place to look. However, Asia is introducing privacy laws to build confidence in e-commerce with citizens. China seems to be following the US down a more sector-specific path, regulating email marketing, financial services and healthcare industries without an overarching law or regulation.
Overall, we expect all economically-developed countries - with the exception of the US and China - to have a broad privacy law by 2015.
DIQ: Data controllers in the European Union are very concerned about the potential impact of the proposed Data Protection Regulation on their data assets. What do the proposals look like to a non-EU privacy expert?
BD: When you look at the letter of what is being proposed, it flies in the face of reason. If you were to send an email to 11 people with their email address in the “To:” line, you would have to ask each of them if you can do that.
The concern is about fines of 2 per cent of global turnover. If you are running a website and collecting IP addresses, then you throw away the hard drive, that is a data breach. I can’t imagine that Christopher Graham wants to treat it that way. But what if it was a medical website? There is a continuum and it is difficult to see where the proposals are setting the line.
I liken it to setting the speed limit at 4 mph. It gives the police broad authority to pull over whomsoever they want. But it doesn’t make you feel any better when driving your Honda if a Ferrari gets pulled over, because you are in violation, too. It puts interpretation into the hands of the regulator, not the judicial system.
Many US states already have data breach notification laws, but they have a higher standard of definition for personal information, for the most part based on California 1386, which is last name, first name and a combination of other data that might allow an identity thief to impersonate you. That is a long way from a cookie or IP address.
JG: We certainly share the concerns expressed by both business and many of the data protection authorities. They have a long way to go with the regulation to get something that is workable for all.
DIQ: If passed, the Regulation will put businesses in the EU on a very different data protection footing from other global organisations. How do you expect non-EU businesses to react and is there any risk of triggering a trade war?
BD: I could be at risk of not looking far enough into the future, but I don’t think so. Most global companies are already thinking about how to stay on the right side of the Regulation. That is not about saying that certain services will only be available in the US and not the EU.
One risk is that, if there is a low standard for violation, will we see more enforcement against US companies? It seems that even under the current legislation, you can’t help but notice that Europe is taking on companies which it says are in violation that are US-based.
JG: If the regulation passes, EU business will be at a disadvantage because of the resulting negative economic impact. Perhaps rather than a trade war, it might drive changes to the enacted Regulation once the EU authorities have the opportunity to assess its impact.
DIQ: Consumers currently have to do quite a lot of work to understand what data is being collected on them and how they can manage their privacy (for example, by reading lengthy privacy notices or adjusting privacy controls with dozens of options). Is it right to place this onus on the consumer or will there be a move towards automation of these actions in some way?
BD: Data collection online is a layered, obfuscated, difficult process to follow. Is it this way because companies have designed it to hide things or is it just the way the technology works? This is a new industrial revolution that creates challenges as well as helping solve problems. Everything fits together seamlessly on the Web, but that creates complicated data capture processes.
The industry has not really done enough to explain what is happening. Various bodies are doing a yeoman’s job in providing information in the body of ads, but they need integrating. I don’t think anybody set out to do something harmful. They are just using the technology the way they want to and are then trying to match consent notices to compliance requirements.
JG: We do not believe the burden placed on consumers is effective today and it gets less effective every year as we embrace big data initiatives.
There are three excellent articles, one by the World Economic Forum and two by the Centre for Information Policy Leadership about accountability and analytics that provide good background on the challenges. [http://goo.gl/Iv1wK, http://goo.gl/7jXvw, http://goo.gl/3tx5Q]
DIQ: If you had to point to a country that had the ideal balance between the data protection interests of the consumer and those of business, where would it be? (Assuming such a paragon exists...)
BD: I have not found any place even close to perfect. I do have a concern about onerous regulations that become too prescriptive. The US system works very well in the same way that Churchill said of democracy: “It is the worst system in the world, except for all the other ones that have been tried.”
What you need for successful protection is active self-regulation, an active regulator like the FTC and clear regulations so that companies know what’s right or wrong.
JG: As markets, policies - and consumers - continue to evolve, it is difficult to point to a model law. This is the vivid proof of how challenging it is to bring to life a workable model and how much the close co-operation between policy makers, business and civil society is necessary.