Annette Hogan, McCann FitzGerald
One-shop stop provision has created great excitement at IT companies
One-shop stop provision has created great excitement at IT companies
You either fix current data protection rules or start from scratch – you can’t do both at once
‘The guidance we are giving is to say: “Look, it is a great big black cloud, and I cannot tell you whether it is coming this way. Doing anything really significant right now is potentially a waste of money.”’
It is difficult to argue against the one-stop shop but politics play a part
A lot of regulators are exploiting the vagueness of data protection rules
There is concern that gold standard data protection rules in the EU could prove too expensive
Data security in Europe is at an impasse with member states in conflict over how proposed cross-border rules should work. In our latest round table with McCann FitzGerald, data and privacy specialists debate the key barriers to success
Depending on your world view, the timing was either fortunate or a sign of the stifling red tape of modern life. The fifth annual Legal Business round table with leading Dublin law firm McCann FitzGerald, tackling the increasingly contentious issue of data protection and privacy, was held just two days after ‘Data Protection Day’ in Europe. A clutch of the City’s most experienced data protection and privacy specialists gathered at McCann’s London offices in Tower 42 to discuss the progress of the proposed EU Regulation on Data Protection, which has been beset by delays and controversy. EU Justice Commissioner Viviane Reding declared in January that she wanted to see ‘full speed’ progress on the deadline of the end of 2014 for the Council of Ministers to approve the draft regulation – a date that has been pushed back consistently since legislative reform was seriously mooted two years ago.
With this in mind, we invited guests from a range of different firms: Magic Circle, transatlantic giants, US firms and City firms with respected practices in the TMT arena – even the former Information Commissioner in Hunton & Williams’ Richard Thomas. The group debated the likely progress of the EU regulation in the coming months, as well as the major sticking points that could thwart the reform’s passage through Europe further still.
Paul Lavery, McCann FitzGerald: When the draft regulation was first published in 2012 there was a lot of fanfare and talk about early adoption, but the latest news does appear to suggest further delays. Certainly, from discussions with the Office of the Irish Data Protection Commissioner, they are sceptical about early adoption. They are now talking about later in 2014. Most people agree that there needs to be some change and updating of the law, but the timing is another question.
Richard Thomas, Hunton & Williams: I would be more pessimistic – or optimistic, I am not sure which – than Paul. Yes, it was announced earlier [in February] that the end of 2014 is the current target, but I am sceptical that that is going to be hit, frankly. A change of European Commission and a new European Parliament are both coming in the early summer. The view is that the new Parliament is more likely than not to have a quite strong share of eurosceptics of one sort or another; not just UKIP, but France and Germany and other countries will produce MEPs who are less well disposed towards the Commission than the current Parliament. That may create further issues as we go into the autumn and beyond.
‘The online terms and conditions for iTunes has 19,972 words; Macbeth only has 18,110 words.’
Richard Thomas, Hunton & Williams
There are a lot of issues still to be resolved. Most of the current resistance is coming from inside the member states in the Council; it is not just the UK, it is Germany and France as well. There is a lot of ground yet to be covered.
The irony is that the subject of data protection has absolutely mushroomed in the last ten years. It has shot up the public, media and political agendas. It used to be a rather nerdy, abstract, remote subject; now it’s mainstream. That creates more interest, but also it is seen to be more complicated, and getting the balance right is a challenge. There is also some concern about the balance between the implications of data protection and economic regeneration across Europe. With unemployment rates as high as they are in Spain, France and elsewhere, people do not want to do anything to interrupt economic regrowth.
Richard Cumbley, Linklaters: That discussion plays out differently in different member states. I am glad you mentioned Germany, because the way that the German attitude to the regulation is reported in the UK has not been great. There seems to have been an assumption that because Germany has tough data protection rules generally, German business and politicians must like the Data Protection Regulation. In fact, if you are sat in Berlin, the idea that all your EU competitors are suddenly going to have the same quality of privacy standards that you do removes a USP for German IT companies. That is a good reason why the German government may not want the regulation quite as much as people think here in the UK.
Annette Hogan, McCann FitzGerald: One of the key sticking points is the one-stop shop provision [to introduce a single data regulator for the EU]. That is something that, certainly in Ireland, we have been looking at very closely, because so many of the large IT companies have chosen Dublin as their main place of establishment. There was great excitement about the one-stop shop provision and maybe some consternation on the part of the Office of the Irish Data Protection Commissioner that it might not have adequate resources to deal with being the main regulator for a significant number of large IT companies. Certainly you can see why the one-stop shop could be very beneficial to companies in terms of having greater legal certainty and decreasing the administrative burden. However, obviously there is a very significant concern around data subjects and whether the one-stop shop would give them an effective means of redress or whether the difficulties of pursuing a data protection issue with an authority in a different country would make the process too complicated.
Richard Cumbley: That is a really fundamental point. The one-stop shop is right at the core of the cost-benefit analysis of the whole regulation. If it folds, does that not undermine the whole logic for the regulation full stop?
Paul Lavery: You would have thought so, because if the one-stop shop falters, multi-jurisdictional organisations will still be regulated in each individual jurisdiction. While you could say it is all being governed by the one regulation, you are looking at whether it gives different interpretations in different jurisdictions and different levels of pragmatism, or less pragmatism. Certainly the big IT companies are pro the idea from an administrative perspective.
Nick Graham, Dentons: It is difficult to argue against the one-stop shop. The idea that we can have the US with the Federal Trade Commission but in Europe we are going to have 28 different regulators with 28 different opinions doesn’t really work. However, there is a certain amount of politics at play as well, because if you apply the one-stop shop, where does all the regulatory work go?
Stewart Room, Field Fisher Waterhouse: What the regulation fails to grasp is how there are a wide variety of incentives that can encourage people to comply and behave in the desired way. For example, codes of conduct can be really important. Codes of conduct are mechanisms that could be used much more intelligently in order to deliver incentives: so if you think about the topic of e-mail encryption as a professional conduct issue, say for accountants, doctors or solicitors, not just a data protection issue, there might be these added incentives for compliance by articulating encryption as a code of conduct matter. That intelligence is missing in some of the regulation.
‘The idea that we can have the US with the Federal Trade Commission but in Europe we are going to have 28 different regulators with 28 different opinions doesn’t work.’
Nick Graham, Dentons
Richard Thomas: The majority of commercial organisations actually want to get it right. Perhaps in the old days they ignored it or tried to just turn their back on it, but now to a large extent – this has not been fully understood by probably most of the regulators – most corporations adopt a policy of enlightened self-interest. They do not want the reputational damage that comes with getting it wrong.
The law hasn’t quite caught up with that sort of approach. The law needs incentives; it needs to nudge people to keep them on the right track. However, there is something of a dual track now where companies have to get people to tick the boxes to ensure legal compliance, but they also do different things in parallel to make sure they are getting it right in terms of actually ensuring consumer satisfaction. If we can bring those tracks together, that would be a far better solution.
Nick Graham: One of the other issues we are finding with the regulation – this whole principle of accountability and the drive towards having a privacy governance engine as opposed to just ensuring that you do not leak the data or breach – is that there does seem to me to be a disconnect between what is envisaged and what is needed to make that a reality.
Paul Lavery: I know it is a frustration for some of our clients who are keen to be privacy compliant in the true sense of the word, but know that in terms of our existing legislation it is almost impossible to be 100% compliant. The last thing they want as a result is to be criticised for in reality being materially compliant but, because there is a particular provision that is just too onerous, they cannot possibly comply.
Richard Thomas: You are bringing me onto my favourite topic, which is too many words in data protection. Let me quote from an article last year in Which? Computing magazine, which counted how many words there are in privacy statements. For example, the online terms and conditions for iTunes has 19,972 words; Which? compared that to Macbeth which only has 18,110 words. PayPal’s privacy and acceptable use policies, shipping and billing terms, has 34,798 words; Shakespeare’s longest-ever work, Hamlet, has a mere 30,066. That is leaving aside the legalese used and the small print. People then have to tick the box ‘I have read, understood and accept these terms and conditions’. Well, that is creating a Europe of 503 million liars, because they have not read and understood; they just tick it because they have no choice. It is not good public policy.
Paul Lavery: The 1995 [Data Protection] directive was laudable; it has done pretty well. There has probably been differing implementation in different jurisdictions. In some jurisdictions the commissioner’s office can levy direct fines – in Ireland we do not have that ability – and there are just different interpretations of the legislation as well. That needs to be rectified, but also the directive dates back to 1995. If you were to go back to 1995 and say the words ‘social media’, people would not know what you meant. While I think the regulation – or some type of new legislation – is needed, it is for the purposes of updating everything, and hopefully looking back at the experience of the 1995 directive and saying: ‘Well, let us look at what did work, let us look at some areas that we do not think worked, and let us try to improve this in a new environment.’
I know that some countries would prefer a directive instead, but at least with the regulation it is implemented across the board with the exact same words in each different jurisdiction, except maybe for the odd translation difficulty. I would be interested in your views, because I am aware of maybe just four or five countries where the suggestion is they would prefer to see a directive.
Stewart Room: With a new regulatory environment, as EU data protection law was in 1995,
20 years to bed down is not outrageous. My feeling is that we gave up too soon on too much of the current regime in order to write this massive new one and this might be setting everyone back. If the European Commission had been more focused with its tinkering – giving regulators the right powers and tools to get the job done – we would not need the amount of change that we are now proposing, and potentially not going to get. The expansive approach of the Commission has created hiatus and a vacuum.
Richard Thomas: The failure at European level was not having a fundamental view of ‘what are we trying to do here?’ They could have just said: ‘We will focus on what is working well and get rid of a few glitches.’ But what they did is take the existing model and just go straight into tinkering with the language, without really sitting back and saying: ‘What are we trying to do?’ It’s not enough just to say: ‘We are protecting fundamental rights and freedoms.’ You end up with probably the worst of all worlds.
Daniel Cooper, Covington & Burling: Do you think in a way that they are not guilty of being a little bit overambitious, that they have just bitten off more than they can chew? If this had been something a bit more restrained, we may be talking about an actual regulation rather than something proposed.
Richard Thomas: Either you go down the radical route and start from scratch all over again, or you just fix the things that are not working too well and make improvements. You cannot do both at the same time. We need a more risk-based approach – looking at those areas where there really is a risk to consumers, data subjects, individuals – where you can actually see that there is some sort of harm to them. We need to focus on priorities, because resources are being cut back all the time; and we need pragmatism to make it work in the real world.
All this is not impossible, especially if there is a need of a fresh start after the European elections. I personally would go down the road of immediately tidying up the obvious deficiencies in the directive – whether that is done as regulation or as a new directive – and then doing some new thinking.
‘I do feel for clients who are used to very precise legal mandates and requirements, and you are basically telling them: “Here are some basic principles, do your best to comply and the regulator can only second-guess.”’
Daniel Cooper, Covington & Burling
Daniel Cooper: That is a really good point about the vagueness of elements of the directive, and I think the problem is that a lot of regulators have seen fit to exploit that. Take the notion of proportionality: that is just so obnoxiously big that any regulator who wants to can use it to barge into a company. When you are dealing with a lot of US clients they are used to very precise law, telling them that there is this principle of proportionality or other vague principles is extremely challenging to explain. What do you do to comply? How do you comply with something that is so open-ended? The regulation is not going to solve that. It is going to replace it with a new set of very open-ended principles, but I do feel for clients who are used to very precise legal mandates and requirements, and you are basically telling them: ‘Here are some basic principles, do your best to comply and the regulator can only second-guess.’
Richard Thomas: That has been one of the problems, and there has not really been a sufficient level of debate about the underlying policy. Privacy is an important value; it is elusive, not easy to define. But people do care about it and we have got to be able to define in legal terms precisely what we are trying to achieve. There has been a bit of a failure – and we are all guilty of this, perhaps – to have a real debate as to what we are trying to achieve. So we are starting with 40 or 50 years of the traditional European approach and adding a bit or taking away a bit, but without the fundamental discussion.
Richard Cumbley: We are building on 40 or 50 years’ experience of a relatively small subset of the economy as a whole, and it is a debate among lawyers and regulators and a small group of IT companies who passionately care about a very small set of privacy issues. Right now it would be great if some large European corporates stood up and said: ‘Actually, this is terrible for European business; we really need to focus on fending off competition from Korea and the US rather than fighting with our Luxembourg colleagues about how we are going to handle HR appraisal data.’ It is a near total waste of European resources, and there are much better ways of preserving the rights of individuals. If you are the general counsel of a large general corporate in Europe, you go to debates [on the data regulation] thinking, ‘This is terribly poor for my business and I need to tell people that’, and then you sit through two hours of discussion about pseudonymisation and think: ‘I have no clue what I’m meant to do with this information or how I can contribute.’ It is just not a debate that is accessible to most corporates, and the debate is skewed by a small number of parties as a result.
Kate Brimsted, Reed Smith: There is a delicate balance for the EU to strike. On the one hand, Commissioner Viviane Reding is saying, ‘The EU now has the chance to make its rules the global gold standard’, and even looking at ways of extending the reach of the regulation to those who are targeting EU citizens from outside. There’s then Commissioner [for Digital Agenda] Neelie Kroes, pushing the EU Cloud as a huge engine for economic growth. Some are concerned that this ‘gold standard’ could prove too expensive and drive business away from the EU, particularly non-EU customers.
Annette Hogan: The one-stop-shop will be the key commercial benefit.
Stewart Room: You can make a philosophical argument that it will be of enormous economic benefit in the sense that if all of the red tape in the regulation drives compliance, and the citizens’ position on data privacy continues towards a desire for better privacy protections, then ‘privacy USPs’ will become economically valued in the marketplace. You can see Microsoft has decided that it should nail its interests to the privacy mast, thinking that is going to give it a commercial USP.
If that is true and organisations in Europe become more ‘pro-privacy’ because of this forced change – then you can argue that potentially there is a huge amount of economic benefit for Europe downstream.
Paul Lavery: Pragmatism from the regulators and data protection advisers is the key for clients. It is extremely difficult to be 100% compliant with data protection obligations. There is always the potential to find a commercial entity in breach of some part of data protection; if you are 99% compliant, that is seriously compliant. It is pragmatism, focusing on the people who are really breaching people’s privacy.
Kate Brimsted: The regulation does not leave much scope for that as it currently looks. It is convoluted, and this could increase thanks to the large number of delegated acts in it for the commission to pass later.
Richard Cumbley: They are asking a lot. The guidance we are giving is to say: ‘Look, it is a great big black cloud, and I cannot tell you whether it is coming this way or going away from us. We just do not know; so doing anything really significant or substantive right now is potentially a waste of money.’ One area where we are encouraging clients to think quite seriously is around privacy officers and their teams, because at the point at which the regulation position on those becomes clear, clients of all our firms are suddenly going to be fishing in the same pool and it is not a very big one. So thinking about a good privacy officer and getting staffed up now is probably a good idea. As for the rest, if someone said, ‘What is going to happen with the right to be forgotten, or the one-stop shop?’ – you tell me. LB