Data Privacy Laws: Perfect Storm for Non Compliance
25 May 2018 marks the entry into application of the General Data Protection Regulation, the most comprehensive data privacy regulation in two decades at European level. A lot has been written about this new piece of legislation, which is said to completely upset the way businesses, individuals and public authorities go about data protection (look here on Medium and on the European Commission site for more details).
Staying on top of data privacy rules should be a priority for data controllers, i.e. entities handling personal data from their customers, suppliers or members (whether for profit or non profit). Sifting through the 88-page regulation, I quickly developed the intuition that businesses processing personal data, especially small and medium enterprises (SMEs), would have a hard time reaching compliance with the new data privacy provisions.
To test my working hypothesis, I decided to reach out to the managers of a sample of 20+ SMEs in Belgium (where I live), gauging their levels of compliance with the current and upcoming data protection legislation.
Three interesting trends emerged from these conversations.
1) Little Awareness among Data Controllers
“Businesses are not of the impression of breaking the law”
Despite this, none of the surveyed managers felt that their businesses were openly violating the rules in place. “We are not of the impression of breaking the law” was a sentence I heard many times over and “those practices are common in our business” was a recurrent theme, especially in the context of marketing related activities. The fact of the matter is that I usually ended up revealing to data controllers the existence of current data privacy obligations as well as disclosing some of the impacts of the General Data Protection Regulation.
2) Little Awareness among Data Subjects
If you will indulge me in a quick interrogation, I would kick off by asking you this question: “According to you, how many organisations are currently processing your personal data?”
Assuming that you have computed a ballpark idea of the number of entities processing your personal data on a daily basis, the next question would be: “How many data controllers would you be able to identify and contact to inquire about your personal data?”
While you sort out the countless online providers with whom you are currently registered (I personally have 33 providers registered through my Facebook account and 15 through my Google account), the final question would be: “Do you actually care about all this?”
“Allowing businesses to process personal data is part of the game”
If you are like the overwhelming majority of data subjects, i.e. the natural persons whose personal data is being processed, your answer to the last question would most probably be: “all right, I don’t really care”. The truth is that data subjects usually consider the processing of their personal data as “part of the game” and end up not caring as much as they ought to.
3) Little to no Consequences for Non Compliance
Given that (1) data controllers do not seem too pressed to comply with data privacy obligations and (2) data subjects are relatively indifferent as to the processing of their personal data, surely public authorities are stepping up?
In each member state of the European Union, a supervisory authority is tasked with monitoring compliance with the data privacy rules within its borders. In Belgium, such supervision is carried out by the Privacy Commission hinted at the beginning of this post. Intrigued, I had a look at their 2015 annual report (available in French and in Dutch) to check their regulatory record.
“The (Belgian) Privacy Commission did not start any legal proceedings in 2015”
The Privacy Commission, which opened only a few hundred files concerning compliance with the general data protection rules last year, appears to resort mainly to mediation to solve conflicts (most of the time following up on a data subject’s complaint). This explains why it did not start any legal proceedings (although technically entitled to), despite having found a breach in a majority of the cases. Data controllers, at least when operating from Belgium, should therefore not fear many nasty regulatory consequences should they be caught in breach of their data protection requirements.
A Perfect Storm for Non Compliance
The combination of (1) too little awareness among data controllers about their obligations, (2) too little awareness among data subjects about their data privacy rights and (3) the practical absence of regulatory consequences in case of a breach of data protection rules creates a “Perfect Storm for Non Compliance” in the context of data privacy, which in turn makes non compliance a non-issue for SMEs in practice.
This is very hard for lawyers (including myself) to accept, as they have been dogmatically trained to consider (the risk of) non compliance as a (business) issue by definition. My take on this is that SMEs should not expect many practical consequences as a result of their non compliance with the current data privacy obligations.
The General Data Protection Regulation: an Opportunity to bring Winds of Change?
The General Data Protection Regulation (being applicable as from 25 May 2018) certainly has the potential to affect the dynamics underlying the perfect storm for non compliance observed in today’s data privacy landscape.
More precisely, the regulation empowers data privacy supervisory authorities (such as the Belgian Privacy Commission) to impose administrative fines in case of a breach by a data controller of one or more data protection provisions. Depending on the extent to which supervisory authorities across Europe will rely on their new powers, data controllers may find themselves suddenly embracing data privacy compliance so as to avoid ridiculously high penalties (of up to €20 million or 4% of their global annual turnover).
In addition, the General Data Protection Regulation creates a new set of data privacy rights (such as a right to be forgotten, a right to data portability or a right to request a copy of personal data in machine-readable format). It is however doubtful that the mere existence of those new rights will by itself dramatically raise awareness among data subjects. A more likely scenario for data subjects making actual use of their new prerogatives involves the occurrence of one or more data privacy scandals involving big data controllers, resulting in a new privacy landscape whereby only those data controllers facilitating the exercise of data privacy rights are trusted by data subjects.
Obviously, those ways forward for data privacy compliance are hypotheses and it remains to be seen what the future of data protection in Europe will look like.
Turning to you, what is your take on the issue?
Do you agree that non compliance with data protection laws at the level of SMEs appears to be the rule (instead of the exception)? Do you believe that the General Data Protection Regulation is likely to bring Winds of Change (or will it only marginally affect today’s Perfect Storm)?
If you are interested in the issue, please leave your thoughts below and join the discussion.
If you enjoyed this article, please recommend and share.