In his speech at the 2018 International Conference for Data Protection and Privacy Commissioners conference, European Data Protection Supervisor Giovanni Buttarelli stated that the European legislator did not think about ethics when drafting the EU General Data Protection Regulation. The GDPR is clearly a law that establishes a data protection compliance framework, but should the practice and interpretation of the GDPR include an ethical dimension?
There’s been much discussion about this relationship between the law and morality over the years.
On the one hand, data protection law is just another branch of law. Why should adherence to data protection law be required to embrace ethical principles more than, say, compliance with real estate law or corporate law? And yet, data protection law regulates a vast array of activities. As our world becomes increasingly dominated by technology, data — and who has control over it— shapes the present and the future. So, does that mean that data protection professionals (like doctors practicing medicine) should sign up to an ethical framework agreeing to ‘do no harm’? How would such a framework be delineated and monitored? What kind of enforcement would there be?
In any event, the GDPR arguably does contain certain controls on how personal data can be used, which reflect a sort of ethical dimension: The introduction of rules around data protection by design and default, data protection impact assessments and data protection officers. All these provisions act as an internal check within an organization to require additional steps be taken before embarking on a processing activity or, potentially, to “think again.” The GDPR also introduces a risk-based approach. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of individuals. And, an organization is only required to appoint a DPO where certain processing operations occur. Like many checks and balances, to be effective these tools require that the people responsible understand data protection principles and behave in an appropriate way. After all, what good was a bank’s chief risk officer in 2008 if they didn’t know how to identify and manage risk in the run up to the financial crisis?
But what’s the evidence that an ethical and principled approach to privacy actually matters to individuals generally? It’s not clear that consumers or customers will vote with their feet when an organization is considered to have failed to comply with data protection requirements. While Facebook reportedly lost over a million European users in the immediate months following publication of details about the Cambridge Analytica scandal, it still has today around 2 billion users worldwide. It seems that individuals’ affection for convenient apps and connectivity often take precedence over concerns about abuses of their or others privacy; all part of the privacy paradox. And while there are privacy-protective alternatives available, extant and being developed, they seemed dwarfed by the power of the incumbents.
But organizations should be careful about assuming individuals will remain disengaged. The rise of privacy activists and the inevitable increase in class-action lawsuits will force organizations to rethink their strategy.
The last 12 months in privacy have certainly renewed the focus on good governance within organizations, and particularly within tech companies. Most recently, an influential committee within the U.K. House of Commons published a report calling for tech companies to adhere to a compulsory code of ethics, partly (but not only) prompted by privacy concerns. Uber and Salesforce appointed chief ethics officers last year for the first time and doubtless many others will follow.
The challenge may well be one of perception — i.e. to demonstrate that these appointments have real teeth. Significantly, controllers and processors required to appoint a DPO under the GDPR must ensure that the DPO reports to the highest management level of the organization. Additionally, the DPO’s independence must be protected, and they benefit from enhanced protection from dismissal. The GDPR does not specifically state that an organization must comply with what the DPO advises, but the implication is that a data protection authority will give organizations a hard time when they choose to deviate from what a DPO advises without a very good reason. That certainly gives DPOs appointed under the GDPR a degree of influence which, on the face of it, chief ethics officers do not automatically have.
Assuming an organization appoints a DPO and/or ethics officer, how will it measure the impact that these appointments have? How do you measure the effect of good privacy practices and that your use of personal data is having a positive impact? It could be that you measure it by the lack of certain incidents; a reduction in both valid complaints from individuals and data security breaches. Or, perhaps it’s measured by an uptick in consumers/members wishing to register and engage with your organization. Alternatively, an organization might appoint a third party to audit its compliance with certain principles (possibly expressed in a GDPR approved code of conduct). One of the ways that an organization can show that having a positive privacy impact is central to its core would be to embed the concept into governance processes. In other words, giving any ethics officer and/or DPO real recognition within the organization and setting out publicly those restraints and redlines that an organization is going to measure itself against.
We’re in need of good privacy practices in 2019. We hear constantly of innovations coming down the track which will have an impact on our privacy — robots, AI and blockchain to name just a few. Just as an organization can choose to adopt sustainability measures (such as reducing its carbon footprint) to demonstrate a positive impact on the environment, so too should an organization be able to adopt measures to demonstrate a positive impact on privacy. Initiatives such as the B Corp movement, which has an international reach, or Purposely, which is directed at U.K. entities, are examples of how organizations are including purpose driven governance structures into their constitutional documents. Organizations wishing to promote positive privacy practices should consider implementing governance structures that place privacy as an essential feature of their management and strategic decision-making. In doing do, they’re more likely to have a social impact for good.
This article originally appeared in the March 2019 edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals. To read the article as originally published, please click here.
This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.
All content on this page is correct as of February 27, 2019.