The world's leading privacy pros talk GDPR with El Reg
US law, EU law and post-Brexit what'll UK do law
Interview You know, we know, everyone knows… the EU's General Data Protection Regulation goes into effect May of next year for every member of the European Union, and that will include the United Kingdom.
Of course, the UK will eventually leave the EU and what happens then will be a very interesting question according to Trevor Hughes, the president and CEO of the International Association of Privacy Professionals, and Omer Tene, IAPP's veep of research.
Speaking to The Register at IAPP's Europe Data Protection Intensive 2017 in London, Hughes acknowledged that “the expectation from all involved, and what has been said by the Information Commissioner at this point, is that after [Brexit] the UK is going to need a GDPR mirror bill.”
As a regulation [PDF] rather than a directive, come May 2018, GDPR will become the law of the land in the UK, but once Blighty departs from the EU's jurisdiction, we will need “a piece of legislation that mirrors GDPR carefully, so as to leverage the fact that GDPR was already put in place, and also allows for the greatest amount of harmonisation between European data trading partners and the UK.”
Making sure the UK meets the EU's adequacy agreements is common sense, said Hughes, as the market will have already had to adapt to GDPR and will have made investments in doing so. “It would be jarring to then try to install another policy framework after that.”
The dominating feature of coverage of GDPR has been its provisions for sanctions – allowing the data police to issue fines of up to 4 per cent of global turnover. Tene said: “Just having those sanctions and the toolbox is a game changer. Actually, they could just keep the data protection directive, add the sanctions, and it would have significant impact.”
Yet, he noted, “GDPR is a very detailed document and it adds a lot of language besides the sanctions. The ones that are going to be very interesting to follow are the new rights, the right to be forgotten, the right to erasure, and data portability. The research we've done at the IAPP – and are actually releasing a report today about UK implementation of Brexit – but you can also see there the challenges are presenting as the top two are not consent or data protection impact assessments, because that has already been part of the framework under the directive, it's those two new rights. I'm intrigued to see how they play out, and certainly the big sanctions will be front and centre.”
That recent survey by the IAPP on how privacy professionals in the UK were preparing for GDPR considering Brexit [PDF] found almost half (47 per cent) were investing in new technology to help them manage the data they were processing. The biggest compliance issues for UK privacy professionals were GDPR's compliance requirements on the right to be forgotten, data portability, understanding research allowances and gathering explicit consent.
The survey concluded that British “privacy professionals are clearly betting that GDPR compliance will meet almost any new standard the UK may adopt post-Brexit”, and Hughes explained why those standards were so important.
Data Data Revolución!
“We are at the nascent moment of the digital economy, the digital revolution,” said Hughes.
Privacy and data protection are the largest societal issues that we have found. We can ill afford to have an experience like the industrial revolution, where environmental concerns were not identified, not addressed, and really not even handled from a legislative public policy and operational perspective until about 150 years after the industrial revolution had begun.
The environmental movement in the middle of the twentieth century … we cannot afford the digital revolution, the information revolution, to wait that long, and so investment needs to occur now, we need to pay attention to these issues now and that's not because we want to try and build a compliance industry, rather it's because we want to extract the massive amount of value that the information economy presents to us.
We want to gain the most that we possibly can from that economy and in order to extract that value doing it in a way that is data protection and privacy sensitive, that actually allows that market to move faster, to move in a way that's safer and more scalable.
A lack of foresight has threatened much interruption to the industry. For many years and despite much criticism, the European Commission stood by its claim that the US legal principles complied with those of its own Data Protection Directive, even doing so after a US National Security Agency (NSA) whistleblower provided documentary evidence to the contrary.
Thus, when rogue US sysadmin Edward Snowden made the activities of the NSA's PRISM programme (Planning tool for Resource Integration, Synchronization, and Management) known, it actually fell to Austrian lawyer Max Schrems to make a legal complaint about Facebook facilitating these extralegal abuses (at least under the EU's definitions of legality).
The European Court of Justice ultimately conceded that Safe Harbor was indeed invalid, and suddenly there was no legal basis for American megacorps to continue quaffing Europeans' data. Not that those companies cared, or agreed even. Facebook, Microsoft, and Salesforce have continued to shuttle Zuckabytes back home through “model clauses” contracts, a measure which is again being challenged by Schrems.
Even if this workaround is shot down during the ongoing court case in Dublin, however, the EU and US still share much in terms of cultural values regarding privacy, suggested Hughes.
Privacy is a cultural value and will necessarily differ between jurisdictions, said Hughes. “That conflict of laws … has existed for as long as laws have existed,” he added. “What's challenging now is that the global information economy ignores those jurisdictions and there really is very little recognition of national boundaries as data flies around the world so incredibly quickly.”
“This significant friction that we see between Europe and the United States ... with regards to data transfers, that is indicative of a dynamic that will exist in many jurisdictions between many jurisdictions, in many ways, forever,” Hughes said.
I think that we see some significant concerns in the years ahead with regards to European adequacy in data transfers to the United States. The case currently going through in Dublin certainly portends trouble ahead, and the first Schrems case that went through, the Safe Harbor case, if that's any indication, I think that we will continue to see challenges to those data transfer mechanisms.
We will continue to see criticism of US data practices, particularly around intelligence community gathering of data in the private and public sectors, we'll continue to see those things. At the same time however, the massive value and utility of those data flows between Europe and the United States at some point needs to become part of that policy consideration. At some point those jurisdictions are going to step back and say, “We're part of the information economy now, and the data transfers between Europe and the United States are so incredibly important we simply cannot abide by not allowing these data transfers to occur.”
Safe Harbor and Privacy Shield were addressed by the private sector, suggested Omer Tene, IAPP's veep of research, and were not intended to address the government surveillance issue. He noted the “biggest economies in the world, the US and China, don't have an adequacy ruling, and yet this isn't going to stop – and I don't think even significantly impact – data flows to these jurisdictions.”
“There needs to be a clear and transparent assessment of how we want intelligence agencies to act with regards to data, data of citizens of that country, data of non-citizens of that country, data within that country, data without country,” said Hughes.
“Intelligence agencies in the US and Europe need to be transparently assessed on how their data practices are occurring,” he continued. “The battleground for that has been the media with Snowden, and also things like the Schrems cases. I'm not sure if a single court assessing a challenge to model contract provisions is the right place for us to have that full policy argument.” ®