Regulators, technology experts, and privacy campaigners all had plenty to say at the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania, this week. Below are just some of the key points that came out of the sessions:
1. Big Tech firms “need to get used to the idea that they can be prosecuted by more than one regulator, and by more than one law, for the same practices.” So warned Rohit Chopra, commissioner at the U.S. Federal Trade Commission.
Tech firms are subject to scrutiny from data, competition, and e-Commerce/digital markets regulators around the globe—but their investigations often focus on different parts of the same problem. For example, competition authorities are concerned about how firms exploit the number of users they have, as well as the ubiquity of their platforms, to coerce people into either accepting services or being barred from them. Data regulators, on the other hand, are more interested in the fact that these practices put users’ personal information at risk, because users have been forced into agreements that give tech firms license to sell it to anyone.
Data commissioners suggest there could be more joined-up, cross-regulator approaches taking place in the future as part of their investigations (as a way of pooling resources, if nothing else).
2. Accountability is key in addressing data privacy, and it is not just the responsibility of a regulator to hold companies to account—companies have to be proactive and do it themselves. Christopher Docksey, honorary director general at the European Data Protection Supervisor (EDPS), defines accountability as “actively developing compliance and being able to demonstrate compliance.”
Regulators say—for the most part—companies have good intentions about preserving data privacy and about being accountable: The problem, however, is that policies and procedures often have gaps in them, and they are not properly implemented, understood, monitored, or revised. “True accountability means ensuring that the measures you say are in place to ensure data privacy and consumer protection are working. The only way to make such a claim is to constantly check and review, and not enough organizations do this,” said Daniel Therrien, Canada’s privacy commissioner.
Companies say one of the reasons why they may not be deemed truly accountable, however, is they don’t understand what regulators regard as being “accountable” from a data protection standpoint, which they say is “vague.” They want prescriptive, internationally agreed definitions of what regulators mean by the concept of accountability (and whether it refers to corporate, individual, or collective accountability), and what they need to do internally to comply—an issue data regulators admit they are struggling with.
3. Effective data protection depends on companies having a “eureka” moment. In an anecdote given by Docksey at the EDPS, a few years ago Apple CEO Tim Cook invited the late Giovanni Buttarelli, Europe’s then-head of data protection, for a 15-minute meeting to explain what the EU’s dogged determination with the General Data Protection Regulation (GDPR) and privacy was all about. Buttarelli obliged, but asked Cook a question in response: “Can you tell me the name of your chief privacy officer?” Legend has it the meeting then lasted a further hour as Cook recognized the significance and his company’s responsibilities.
4. Regulators—both data protection authorities and competition watchdogs—need to do more to protect citizens’ data and privacy rights. Sally Hubbard, director of enforcement strategy at U.S.-based campaign group the Open Markets Institute, said that “the only true way to measure a regulator’s effectiveness is to ask: ‘Have we stopped the harm? Have we stopped the business models that allow the harms to take place? Have we prevented these abusive practices from happening again?’ The answer to all of these questions is ‘no.’ ”
Competition authorities also need to reflect on their role and their failure to proactively prevent Big Tech firms from becoming dominant in the first place—and from abusing that position subsequently. Hubbard took aim at the FTC’s $5 billion settlement with Facebook, saying it was “an abdication of the regulator’s power” because “the deal does nothing to protect consumers and does not change the way the company operates.”
5. Regulators accept they need to find new and better ways to regulate data-driven business models, whose services are often geared at hooking users into their experiences while profiling them at the same time. “Ubiquitous connectivity equals constant surveillance,” warned United Kingdom Information Commissioner Elizabeth Denham.
Data authorities complain they are reacting to problems—and outright abuses of personal information—because tech firms are failing to check their own activities. New Zealand Privacy Commissioner John Edwards told delegates of a microfinance app available in the Philippines that facilitated $500 loans to people so they could start up their own business. So far, so good. Buried deep in the app developer’s contract terms, however, was a clause that enabled the app to access the user’s contact list and send out e-mails saying the person was a credit risk if s/he did not keep up the necessary repayments. “How on earth could any tech firm think that should be allowable in any form and then put it on their app store?” asked Edwards. “It shouldn’t be left to regulators to flag up such obvious problems.”
Perhaps tech firms and app developers should bear in mind an observation Buttarelli made at last year’s ICDPPC conference in Brussels: “Not everything that is legally compliant and technically feasible is morally sustainable.”
6. Handing out eye-watering fines to companies for data protection failings isn’t going to make them comply in the long run—it is just one option among many to deter and punish, say regulators. Denham told Compliance Week hitting companies with large fines “will not always be the most effective remedy.” Instead, she said she would prefer tech companies to use the ICO’s regulatory sandbox to test product safety or for them to only roll out services when they know they are compliant.
Alternatively, Chopra says authorities (both data and antitrust regulators) should consider ways of opening up the market for innovative new entrants to gain a foothold and flourish. “Increased competition ensures a fairer market and better consumer choice, so we should look at ways of making that happen,” he says. To increase competition, Chopra suggests regulators need to look at what technology is available via open source; have clear rules and bans on some practices by tech companies; and push for individual liability when prosecuting tech firms for data misuse.
7. Data regulators agree there is no need to try to create a global common standard on data protection and privacy—one already exists. Convention 108 of the Council of Europe, a human rights organization—agreed on in 1981 and updated last year to bring it in line with the GDPR—apparently suffices, despite a lot of countries not signing up to it. Even though many countries have the data protection legislation or frameworks that would make them eligible to join the EU member states (all of which have to implement it), so far only eight non-EU countries, including Mexico, Uruguay, and Tunisia, are signatories. Large economies, like that of the United States, are notably absent.