As the opening speaker here in London at the IAPP Europe Data Protection Intensive, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet its deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.”
He outlined three areas where that balance should be most closely watched. First is with the balance between innovation and regulation. “Nobody,” he emphasized, “nobody wants to stifle innovation…but innovation needs effective data protection to increase trust, and some of the innovation we’ve seen was perhaps not all welcome. We need to push back, scale back to allow space for appropriate innovation.”
Second is the balance between unnecessary red tape and effective regulation, he said. “Where there is an excess (of red tape), it needs to be scaled down,” Hustinx said, pointing to the introduction of the “one-stop shop” into the regulation and saying “self-regulation and self-certification are some of the subjects the council is looking into.”
Finally, there is the balance between the responsibilities of the public and private sectors. “I believe horizontal consistency is very important,” he said. “We need to avoid unnecessary exceptions (for the public sector), but we need some exceptions.” The current language essentially excepting most European governmental bodies “will be fixed,” he assured the assembled crowd.
There is very little equivocation around one central fact, though: Accountability will be emphasized. “We will see continuing and enhanced emphasis on consent,” Hustinx said. “My guess is explicit consent, but this consent will only apply where it is needed in a larger framework of flexible alternatives, and that will be balanced with a legitimate interest exception.” And that is where “there will be an increased need to explain why that basis is appropriate.”
That is where companies will be accountable for the decisions they make and will need to effectively show why data was collected and for what legitimate purposes and use.
Otherwise, the consequences could be dire.
“In terms of supervision,” he promised, “there will be some changes.” Authorities will have stronger uniform powers and what he called “effective sanctions but not only fines. Also remedial sanctions—sometimes very, very strong. And the combination of the two requires much more flexibility.” Hustinx said collaboration with the FTC in the United States has been ongoing, and that sanctions should be expected to resemble the sorts of penalties the FTC has been handing down.
That means companies need to pay more attention to the role of the privacy/data protection officer, regardless of where the threshold for who must have a DPO comes down. Too much emphasis has been placed on the threshold, Hustinx said, and not enough on the role and power of the DPO. Further, “who is doing privacy if the threshold has not been reached?” he asked. Just because a DPO is not mandated doesn’t mean privacy and data protection can be ignored.
Accountability extends to the data processors, as well, he said. “Responsibility is now more and more shared,” he said. “There will be provisions (in the regulation) building on this idea of common responsibility between controllers and processors. More and more processors are not just executing instructions. They have more responsibility, and that will be translated into accountability.”