A turbulent year for data protection

On Data Protection Day, we take stock of a particularly hectic year. The pandemic has forced us to strike a balance between the right to data protection and other fundamental rights, such as public and individual health.

Author: Raúl Rubio, Partner, Head of the Information Technology & Communications Law at Baker & McKenzie; Director of IE Law School's Data Protection Program.

Since March last year, many companies and organizations have had to face the challenge of balancing the right to health of their employees and users with their expectation of privacy, without a clear legal framework. They have had to decide whether to take temperatures, monitor symptoms and trace contagions within the company, or leave it in the hands of overwhelmed public services. All this has happened in a context in which both health and data protection authorities have been anything but clear, preferring to issue recommendations or guidelines, sometimes contradictory to each other, rather than clear and legally enforceable rules.

Then came July, bringing even more uncertainty to an already complicated picture. The European Court of Justice invalidated, for the second time in five years, the agreements between the European Commission and the US Government which allowed companies on both sides to transfer data on Europeans to the United States. Six months have passed since then and, despite new guidelines and recommendations, in this case from the European Data Protection Board, companies still do not have a realistic legal and technological way to comply with the existing legal framework for international data transfers.

In December, a Brexit deal was agreed in extremis, which has not yet clearly resolved the problems posed by the transfer of personal data between the United Kingdom and the continent. It remains to be seen whether an agreement will be reached before summer to regard the UK as a territory with a personal data protection level equivalent to that of the EU. If not, the problem that still exists with the United States could be replicated with our former partner, adding more chaos to the mix.

2020 will also be remembered as the year in which European regulators increased the level of their sanctions. In the last few weeks, our Spanish Data Protection Agency has imposed the highest fines in its history (€5 million for BBVA and €6 million for Caixabank), punishing minor infringements with €2 million fines, without the legal framework having changed from previous months, when similar infringements had deserved a punishment of only a few thousand euros.

To us, what all this insecurity seems to make clear is that data protection has become part of that frequently repeated concept of “liquid modernity,” identified by sociologist Zygmunt Bauman. Private organizations that process personal data (virtually all of them) will have to get used to increasingly rigorous sanctions, while the rigor of legislators and regulators in defining the offence and providing clear and unambiguous interpretation of obligations decreases.

Organizations must invest in creating their own compliance model and policing themselves, at the same time reserving significant amounts of money for fines, assuming that all these measures will be insufficient. There can always be a cybercriminal attacking the organization’s information systems, or an employee acting alone, or a misinterpreted rule. All of this may be condemned as a failure in that proactive duty of responsibility that requires going beyond mere formal fulfillment.

Beyond the cost to organizations themselves of trying to comply with this right to “liquid privacy,” the question is whether, as a society, we will continue to be able to afford the luxury of having such an expensive and inefficient compliance model. The pandemic-induced crisis that Europe will experience in the coming years has only just begun. Our economy has much at stake, and a highly formalistic atmosphere with little legal certainty means excessive costs which impact on our total productivity. It’s not about failing to safeguard citizens’ rights to data protection. The challenge is to do it better and without so much public and private spending.

The challenges of innovation, digitalization and artificial intelligence lie ahead. We cannot turn these areas of potential economic development, where the use of personal and non-personal data is essential, into new sources of uncertainty and regulatory risk. The public and private sectors must collaborate in the development of clear, transparent and efficient rules of the game, which punish the offender harshly and help everybody else.

In any event, the debate about the suitability or otherwise of the regulatory model should not be associated with less recognition of the right to data protection. Organizations have a responsibility to continue investing in the protection of the privacy and rights of the people they interact with, as part of the increasing role that society requires of them. The culture that each entity has around data protection, irrespective of one regulatory context or another, will increasingly determine their market positioning. The challenges in this area can only be adequately managed with greater analysis and care, to develop a data protection management strategy integrated with organizations’ other management areas.


Raúl Rubio specializes in IT/IP Law, Privacy and Data Protection. He has participated in multiple projects for clients in different sectors, assisting them in their adaptation to data protection legislation, leading data protection audits, providing legal advice in administrative and legal proceedings related to data protection and privacy, and offering ongoing advice about technological risks, among others. Raúl Rubio has participated in the drafting of BCRs for a major Spanish bank and has provided advice to a consultancy firm in the design and implementation of the necessary legal mechanism for the international transfer of personal data. Additionally, he has participated in Big Data projects analyzing the legal implications of worldwide projects from a privacy perspective and has represented clients before the Spanish Data Protection Agency on a regular basis.

Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.