Locations
This article was first published in Data Protection Law & Policy in December 2012
Making predictions as we approach a new year has become a bit of a tradition. The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today's uncertain world are pretty low. Having said that, it wouldn't be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission's power to adopt 'delegated acts'. But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year's key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.
A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon. Like having a website in the late 90s, launching a mobile app has become a 'must do' for any self-respecting consumer-facing business. However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles. That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile. The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality. Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.
Mobile data collection via apps has been a focus of attention in the USA for a while but recent developments are a clue to what is about to happen. The spark may well have been ignited by the California Attorney General who in the first ever legal action under the state's online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy. Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so. On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children's data. These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app. In fact, these cases are almost certainly the start of a trend that will extend to Europe in 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.
Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement. What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators' compliance expectations actually are. Will 'implied consent' become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices? Much would need to change for the latter to prevail but at the same time, the 'wait and see' attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law. Let that be a lesson for the future.
The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud. Much has been written on the data protection implications of cloud computing in the past months. Regulators have given detailed advice. Policy makers have made grand statements. But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors' data protection offerings. Let us hope that we can use this opportunity to listen to each other's concerns, agree a commercially realistic set of standards and get the balance right. That would be a massive achievement.
Eduardo Ustaran, Partner in the Privacy and Information Group at Field Fisher Waterhouse LLP