2014 has kicked off in very dramatic fashion on the privacy law regulatory enforcement front; the French data protection regulator, CNIL, has just fined Google €150,000 for alleged Privacy Policy failings, an amount described as 'pocket money' by the EU politician who is in charge of toughening up European data protection law, European Commissioner Reding; the FTC, the US consumer protection regulator, has just taken disciplinary action against a number of US companies that have breached the ‘Safe Harbor’ agreement between the EU and US on the export of personal data from Europe to the US. So, what's going on here?
Looking at the bigger picture of privacy law enforcement, penalties and sanctions, the climate has been getting worse for businesses year-on-year; the cycle of tougher regulatory responses to privacy problems began around 2006. The regulatory rhetoric has also been getting stronger and darker over the cycle.
The bigger picture tells us that there is a ‘Regulatory Bear Market’ right at the beating heart of the international privacy law system. Like a financial bear market, this is the consequence of negative sentiment, pessimism and a loss of confidence, in the sense that privacy law regulators are downbeat about the performance of businesses when it comes to compliance with their privacy law obligations. This leads to negative and adverse outcomes, including the imposition of large financial penalties and negative rhetoric in press statements, television appearances and guidance and policy documents.
In Europe, the most visible fruit of the Regulatory Bear Market is the current law reform process led by Commissioner Reding, which will toughen up data protection law in ways that most businesses have not yet adjusted to. For instance, fines of up to 5% of the annual worldwide turnover of the business may be imposed. Translating this threatened change into real monetary values has been hard up until now, but Commissioner Reding has just said that the Google fine might be as much as $1bn under the new regime, a staggering sum, which is sure to water the eyes of Chief Financial Officers everywhere.
If that wasn't bad enough, it seems that the business community may be forced to pay the price for the government failings revealed by Edward Snowdon. There is plenty of evidence out there already to suggest that the corporate world is becoming the football in the political game that is being played out between the EU, other countries and the US as a result of Snowdon’s disclosures.
One piece of evidence is the 'Euro Cloud' idea, which seems to be very popular in certain parts of the European Parliament. This idea says that in order to prevent US snooping on online activities and electronic communications, personal data of European citizens should be kept in European data centres. Regardless of whether Euro Cloud could ever stop snooping, which many experts doubt, the key significance of the idea is that businesses will have to change their business models because of the actions of governments over which they have had no control. The capital cost of doing this will be born by business, not the policitians who back the idea, or the governments who are carrying out snooping. The underlying threat, of course, is that businesses that do not play ball will be faced with sanctions. Governments commit the crimes, businesses pay the fines.
Another example is the FTC action mentioned earlier. How very convenient it is to make examples of businesses at exactly the time when, due to the Snowdon disclosures, the Safe Harbour data export rules that they are accused of breaching are being re-examined by EU politicians for fitness for purpose. It might look to some observers as if the US regulator is willing to sacrifice some US companies on the altar of European political opinion simply to sate the lust for blood.
The corporate world has always been the football in critical political games and business leaders will be resigned to this as being a natural and inevitable facet of being in business. What they may not have factored in to their business plans and balance sheets is that the game is now playing out over personal data and privacy. If not, they need to re-adjust quickly, otherwise the Regulatory Bear Market will bite them.
2014 has kicked off in very dramatic fashion on the privacy law regulatory enforcement front; the French data protection regulator, CNIL, has just fined Google €150,000 for alleged Privacy Policy failings, an amount described as 'pocket money' by the EU politician who is in charge of toughening up European data protection law, European Commissioner Reding; the FTC, the US consumer protection regulator, has just taken disciplinary action against a number of US companies that have breached the ‘Safe Harbor’ agreement between the EU and US on the export of personal data from Europe to the US. So, what's going on here?