One of the key topics at the forthcoming international conference of privacy and data protection commissioners in Mexico City will be the role of enforcement. Given that the conference is organised by the Mexican supervisory authority for data privacy, this is obviously not surprising. However, one of the reasons why this topic features prominently on the agenda right now is that never before have privacy regulators focused so intensely on devising the ideal strategy to achieve their objective. Let’s not forget, enforcement is not an end in itself, but a means to an end – ensuring compliance with the regulatory framework. But it is a hard fact that effective regulation depends entirely on the supervision and enforcement mechanisms in place.
Traditionally, a combination of carrot and stick has been seen as the right mix in the area of data privacy regulation. The idea behind this approach is that regulators should split their efforts between assisting those who wish to comply with the law and punishing those who don’t. That makes good sense in an area like privacy and data protection where the combination of technology, human rights and law creates a complex and demanding framework. In the past, thanks to this dual approach, regulators have been able to make up for the general lack of judicial input in a fairly prolific way whilst trying to get citizens to understand the importance of the issues involved. Not an easy task by any measure.
However, increasingly some privacy regulators have abandoned the carrot side of things to focus on sharpening their stick. The rationale behind this change is that non-compliance with privacy laws is so endemic that firm corrective intervention has become the top priority. This hard-line approach has its merits, but it also has one major flaw. It encourages a defensive attitude amongst those who are targeted – particularly if the legal arguments are not rigorously construed and solidly tested. That may well be a battle that regulators are gearing up to fight, but playing tough is a great responsibility and even more so with taxpayers’ money.
In any event, even the most carefully devised and best researched enforcement strategy faces a great challenge: the resources available to data protection authorities are far from unlimited. In fact, even the mightiest authority will tell you that it can barely cope with the volume of complaints, requests for advice and many other tasks within its remit. So here is an alternative: turn every citizen into a regulator. Imagine if data subjects were able to take the law into their own hands and start suing perpetrators of data privacy and security breaches. That is something that European law already contemplates but that has hardly happened. Time for a legislative tweak perhaps?
Strengthening enforcement is of course one of the priorities of the legislative reform currently taking place in Europe. Once again, let’s hope for some creative thinking there, but something that may contribute to making enforcement fairer and more consistent is the concept of the lead authority. Here’s a simple way of managing limited resources: avoid duplication and appoint one single authority as the primary regulator for pan-European organisations. That would be an easy win and, possibly, the single most important step towards achieving effective data privacy enforcement on an international basis. In other words, an inconsistent enforcement regime is a weak regime and a lead authority approach would prevent that.
Effective enforcement is a sign of a mature and well-functioning regulatory environment. Without enforcement any system of rules, rights and obligations collapses, creating an unfair imbalance between those who comply and those who don’t. Therefore, it is in everyone’s interest that the enforcement mechanisms in place work in a fair and robust manner, which combines positive encouragement with firm action based on solid and accurate legal arguments. In the same way that perfect, continuous compliance with all data protection rules is hardly achievable, perfect enforcement is only a goal, but one that is worth aiming for.
This article was first published in Data Protection Law & Policy in October 2011.