The California Consumer Privacy Act of 2018 followed an unorthodox path to approval. It started as a ballot proposal set to be voted on during the November 2018 cycle. During the last two weeks of July 2018, in a flurry of activity, a deal was struck between the ballot proponents and Sacramento to pass a legislative version of the proposal, on condition that the ballot initiative be dropped. This history has now been enshrined under Cal. Civ. Code §1798.198 (b), which states that CaCPA will go into effect “only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.”
There were changes between the ballot proposal and the approved text of the law. One change was the deletion of a provision for whistleblower enforcement. It had stated that “[a]ny person who becomes aware, based on nonpublic information, that a person or business has violated this Act may file a civil action for civil penalties,” and provided for up to 50 percent of the proceeds from the action being allocated to the whistleblower.
We can only speculate as to why the provision was struck during negotiations, but clearly the deletion benefits the industry, potentially at the expense of dutiful data professionals who may have identified compliance issues and raised them internally, only to be disappointed by a refusal to act. Anybody who has been working on privacy and data protection for a while knows that this happens sometimes.
Almost no U.S. privacy laws include anti-retaliation or whistleblower protections – the Health Insurance Portability and Accountability Act is one of the few. However, under HIPAA, nothing is awarded to the complainant if the complainant prevails. That means the complainant will likely be forced to file the complaint without any legal representation because, no matter how meritorious the claim, few attorneys work for free. On the other hand, an organization against which a complaint has been lodged has every incentive to “lawyer up” and discredit the claims of the whistleblower to avoid unwanted publicity about its privacy practices that can damage its brand. A legal strategy to discredit is likely to include curated witnesses and choreographed testimony that supports the company’s narrative. Meanwhile, the individual would likely face retaliatory actions with no resources to fight back.
A whistleblower provision with effective monetary incentives is a game changer. The ability to invoke it while raising an issue internally greatly improves the chances of the issue being resolved. If it is not, a meritorious claim will enable the complainant to find legal representation that ensures the claim stands a fair chance against an organization that has chosen to “lawyer up.”
Criticism against whistleblower provisions is not without merit.
They can spur frivolous litigation or unnecessarily empower disgruntled employees who can twist them to their personal financial benefit. They can generate or exacerbate mistrust between the business and the information security, legal, and compliance teams responsible for advising them and monitoring compliance. They also raise interesting and difficult-to-answer questions about attorney-client confidentiality when the potential whistleblower is legal counsel.
The EU General Data Protection Regulation does not include a whistleblower provision. It takes a different approach by requiring a data protection officer for certain entities, including those whose core activities require “regular and systematic monitoring of data subjects on a large scale” (GDPR Article 37). There has been a lot of discussion about the role of the DPO, who is not to receive from the employer “any instructions regarding the exercise” of his tasks and “shall not be dismissed or penalised” for performing them (GDPR Article 38). It has been speculated that DPOs will de facto be excluded from certain discussions that include sensitive information, and it is not yet clear to what degree making this role mandatory will ensure increased compliance. That said, its mere existence is a testament to the fact that standing up for data protection and privacy inside an organization and winning the battle can be difficult and risky. It often is.
We can debate what method should be in place to ensure meritorious claims by data professionals are addressed by organizations, but the fact is that, as long as there is no method to protect data professionals, data will not be effectively protected. This is especially true for CaCPA because CaCPA compliance will be a “black-box” from the perspective of the data subject. With no private right of action, an individual who exercises his right to opt out of data sales must rely completely on the effectiveness of the organization's data management policies and procedures and the ability of the attorney general to effectively drive compliance.
Yet CaCPA does not specifically require the creation and implementation of data management policies or procedures or the maintenance of auditable records, includes no protection for data professionals who may identify and raise instances of lack of compliance internally, and presents operational challenges for the AG (as noted in his August 22 letter to Assemblyman Ed Chau).
That does not sound like a recipe for compliance. Does that mean CaCPA needs the whistleblower provision back?