Two years on from GDPR, privacy regulators are still in a challenging position, because “their strategy could be seen as chasing headlines,” according to Tim Hickman, partner at White & Case LLP and renowned data protection law expert.
Why? Because it’s all about money.
Following the money
Almost all of the privacy regulators in the EU are funded by their respective national governments.
The Information Commissioner’s Office (“ICO”) in the UK is primarily funded by organisations paying the data protection fee, which accounts for around 85% to 90% of the ICO’s annual budget. This is supplemented by grant-in-aid from the government to fund the ICO’s regulation of various other laws.. The ICO will spend that money carrying out investigations, issuing monetary penalties and, where necessary, fighting court cases.
At the end of the year, the ICO has to account for how it has spent that money and make an argument for why should get more money next year.
Data Protection authorities in the EU generally do not get a direct benefit from any of the fines that they issue — “the idea being that a regulator should not have a financial interest in the outcome of the cases that it investigates,” explained Hickman.
But, a problem arises. How can a data protection authority persuade its national government that it deserves more money? The answer, according to Hickman, is that the data protection authorities are under pressure to demonstrate the value of their work, and one way to do that is to take on newsworthy enforcement actions — the larger the fines that are issued, the more the government is likely to take note.
How can businesses navigate the increasingly complex EU compliance landscape?
The challenge is that large penalties are likely to be challenged in the courts. “If the ICO issues a fine of £10 million or more, it’s likely that the affected company will hire lawyers to fight the ICO’s interpretation of the law, in an effort to reduce the penalty,” continued Hickman.
But, regulators don’t have the financial freedom to hire armies of lawyers and it’s hard to justify spending what is effectively taxpayer funds on multinational law firms. “On the other hand,” he added, “if you don’t issue large fines as a regulator when you have the power to do so, then you are limiting yourself lower level enforcements and cases that are easier to win or less likely to be challenged.”
This regulatory scenario means that non-compliance is going unchallenged in many areas at the moment, because, it appears, data protection authorities are often unwilling to commence enforcement actions where they are likely to face a legal battle.
Regulators are focusing on a very narrow scope of enforcement
Competition and Markets Authority
“In the UK, arguably the closest analogous model for this is the Competition and Markets Authority,” said Hickman.
“Over several decades, the CMA has become experienced at issuing sizable penalties to large corporates in cases where the CMA has concluded that a breach of applicable law has occurred.
“The CMA will carry out investigations, and issue penalties, and it knows that those penalties are likely to be contested in court, but — similar to the European Commission — it’s comfortable with that.”
Data protection authorities aren’t there yet and, as a result, there remain big gaps in the field of enforcement.
Will privacy regulators find their teeth?
Data protection authorities will likely find their teeth, as the political agenda and public priorities evolve.
At the moment, however, more funding for data protection authorities does not appear to be a political priority. Announcing spending increases for public services will often garner voter support, whereas announcing an increased budget for a data protection authority will frequently be met with indifference by the general public.
Despite the huge increase in media attention and national conversation surrounding data protection, the truth is citizens care less about this area than other issues.
“People don’t yet care enough about their personal data to vote for parties that promise to give more money to the data protection authorities,” he added.
Has Brexit made UK data protection and the right to privacy more uncertain?
Brexit has complicated the UK’s stance on data protection and consumers’ right to privacy. Where the country goes now will depend on a deal with the EU — will politicians stick with a strong stance on a right to privacy or will they pivot? Read here
The Collective Redress Directive: a solution?
The Collective Redress Directive may create a different path to resolving critical privacy issues through the courts, according to Hickman.
“The EU is in the process of writing this Directive, which will govern how collective claims can be made against organisations that process personal data.
“Certain Member States want data protection claims to be brought within the scope of this Directive, and this is interesting because it could provide a parallel avenue for individuals to bring claims against organisations that hold their data.”
A parallel avenue for enforcement
He explained: “Under the GDPR, in most EU Member States, if you want to create class action, the individual claimants have to intentionally mandate the entity that will represent them in the class — in other words, those entities have to find individual claimants and get them to sign up.
“The Collective Redress Directive (in its current draft form) would remove this obstacle — a qualified entity would be able to represent individuals without first needing to be mandated.
“This will potentially allow representative actions to be brought on a for-profit basis within a single EU Member State, subject to national law.”
In this scenario, private litigators could fund the court cases needed to establish important precedents, rather than relying on cash-strapped data protection authorities to do so using public funds.
Having said that, however, “class actions are less common in the UK than in certain other jurisdictions, in part because the UK is conscious of the risk of ambulance chasing. In addition, it is likely that the Directive will not come into effect before the end of the Brexit transition period. Therefore, to a large extent, what happens next will depend on where the UK ends up in terms of regulatory alignment with the EU on data protection matters,” Hickman concluded.