Data protection authorities come in all shapes and sizes, with various budgets, staffing levels, and remits. Some also oversee freedom of information. Some are wholly independent bodies. Some have fining powers. Some do not.
Nowhere is this diversity more in evidence than at the annual International Conference of Data Protection and Privacy Commissioners, being held this week here in Hong Kong.
It’s no wonder, then, that the Center for International Policy Leadership took this opportunity to release its new “Regulating for Results,” a white paper examining how DPAs can maximize their effectiveness.
Emphasizing that the point of the paper is to stir discussion, and not to tell DPAs how to do their jobs, former ICO Richard Thomas kicked off a panel focused on the paper’s topic by noting that effective regulation in the privacy space has got to be results-based: “It’s got to work, not just be there on paper.”
The paper outlines 21 separate tasks that DPAs are generally accountable for, broken into four broad categories: Leadership, policing, complaint-handling, and authorization. First and foremost, the paper argues, should be leadership.
“Leadership should have the top priority,” Thomas said. “It involves very much the giving of guidance, engaging with accountable regulatees, helping them get it right.”
“The police officer should not be the first port of call,” he argued. “That should be reserved for deliberate or seriously negligent conduct.”
In privacy and data protection, as in many regulated industries, “prevention rather than cure should be the motto,” Thomas said. Effective regulators should focus on providing incentives for organizations with good-faith compliance efforts and try to create constructive engagement.
They should also be proactive, the CIPL paper argues. If an office spends its time simply responding to complaints, it will always be chasing bad actors without showing what it is that good actors should be doing.
Irish DPA Helen Dixon noted the paper was welcome to start an international discussion. “There’s an inference in the paper that there isn’t consistent regulation and there aren’t consistent strategies,” she allowed. “If the hat fits, we have to wear it.”
Dixon agreed that those in a regulated environment have to feel like they’re being fairly dealt with, but they also have to agree with the underlying principles of the law. When those two things come together, a healthy regulated environment can thrive.
Noting that Article 83 of the GDPR gives guidelines to regulators about focusing on the nature and gravity of an offense when imposing sanctions, she also said some have pointed to the “FTC-ization” of enforcement, where “one big player is picked out by example. … It’s a conversation that EU DPAs need to think about. We can’t pick a flavor of the month Internet company and ignore other companies creating harms.”
In response, the U.S. Federal Trade Commission’s Hugh Stevenson laughed, “FTC-ization seems like a good thing to me! Sometimes you need illustrative cases to let people know what they need to deal with, so they modify their behavior.
“But,” he agreed, “we don’t want to modify to the point where we kill innovation. We want to send a message prioritizing the problem we’re addressing.”
EDPS Giovanni Buttarelli recalled that in 2006 Thomas, himself, said a DPA needs to be “selective to be effective.” Now, with the GDPR, “we’re about to be more powerful, and perhaps better equipped,” he said. “We need to be more effective and extremely severe depending on the case, and where needed. To be strategic and flexible doesn’t mean you’re weaker, but rather much more credible.”
Further, both Dixon and Buttarelli noted that, in some cases, a DPA’s effectiveness can be governed as much by the courts and the legislature as by a DPA’s leadership. Without proper legislation, or where courts guide enforcement powers, a DPA’s hands can be effectively tied.
“We have tried to be an effective enforcement officer,” said Stephen Wong, playing host to the conference this week as Hong Kong’s DPA, “but the results have not been that encouraging. The maximum fine is about 4,000 U.S. dollars … we have spent more than 10 times that in taking the case to court. We don’t have administrative fines as they do in so many jurisdictions. I would love to have administrative fines in my hands.”
Ultimately, argued Stevenson, DPAs need to ask themselves, “Where is there the harm that we have to make sure we do address? That’s the most significant thing we need to do to address the question of legitimacy: Pick important problems, fix them, and tell everyone.”