Archive for October, 2011

Perfect enforcement

Posted on October 28th, 2011 by



One of the key topics at the forthcoming international conference of privacy and data protection commissioners in Mexico City will be the role of enforcement.  Given that the conference is organised by the Mexican supervisory authority for data privacy, this is obviously not surprising.  However, one of the reasons why this topic features prominently on the agenda right now is that never before have privacy regulators focused so intensely on devising the ideal strategy to achieve their objective.  Let’s not forget, enforcement is not an end in itself, but a means to an end – ensuring compliance with the regulatory framework.  But it is a hard fact that effective regulation depends entirely on the supervision and enforcement mechanisms in place.

Traditionally, a combination of carrot and stick has been seen as the right mix in the area of data privacy regulation.  The idea behind this approach is that regulators should split their efforts between assisting those who wish to comply with the law and punishing those who don’t.  That makes good sense in an area like privacy and data protection where the combination of technology, human rights and law create a complex and demanding framework.  In the past, thanks to this dual approach, regulators have been able to make up for the general lack of judicial input in a fairly prolific way whilst trying to get citizens to understand the importance of the issues involved.  Not an easy task by any measure.

However, increasingly some privacy regulators have abandoned the carrot side of things to focus on sharpening their stick.  The rationale behind this change is that non-compliance with privacy laws is so endemic that firm corrective intervention has become the top priority.  This hard line approach has its merits but it also has one major flaw.  It encourages a defensive attitude amongst those who are targeted – particularly if the legal arguments are not rigorously construed and solidly tested.  That may well be a battle that regulators are gearing up to fight, but playing tough is a great responsibility and even more so with taxpayers’ money.

In any event, even the most carefully devised and best researched enforcement strategy faces a great challenge: the resources available to data protection authorities are far from unlimited.  In fact, even the mightiest authority will tell you that they can barely cope with volume of complaints, requests for advice and many other tasks within its remit.  So here is an alternative: turn every citizen into a regulator.  Imagine if data subjects were able to take the law into their own hands and start suing perpetrators of data privacy and security breaches.  That is something that European law already contemplates but has hardly happened.  Time for a legislative tweak perhaps? 

Strengthening enforcement is of course one of the priorities of the legislative reform currently taking place in Europe.  Once again, let’s hope for some creative thinking there but something that may contribute to make enforcement fairer and more consistent is the concept of the lead authority.  Here’s a simple way of managing limited resources: avoid duplication and appoint one single authority as the primary regulator for pan-European organisations.  That would be an easy win and possibly, the single most important step towards achieving effective data privacy enforcement on an international basis.  In other words, an inconsistent enforcement regime is a weak regime and a lead authority approach would prevent that.

Effective enforcement is a sign of a mature and well functioning regulatory environment.  Without enforcement any system of rules, rights and obligations collapses, creating an unfair unbalance between those who comply and those who don’t.  Therefore, it is in everyone’s interest that the enforcement mechanisms in place work in a fair and robust manner, which combines positive encouragement with firm action based on solid and accurate legal arguments.  In the same way that perfect, continuous compliance with all data protection rules is hardly achievable, perfect enforcement is only a goal, but one that is worth aiming for.

This article was first published in Data Protection Law & Policy in October 2011.

Cookie law latest – Dutch developments

Posted on October 21st, 2011 by



Draft legislation mandating ‘opt-in’ consent for cookies in the Netherlands was discussed before the Upper House of the Dutch Parliament earlier this month.  

An interim report of these discussions has just been published, and this makes clear that the Upper House raised several concerns about the Dutch proposals (with particularly vocal criticism from the Christian Democratic Party).  As a consequence, a large number of questions have now been referred back to the Dutch government for further consideration, with a response expected by 17 November 2011.

While it’s too early to say whether this means that the currently proposed strict opt-in requirements will get shot down, the level of concern voiced by the Upper House is, at least, an encouraging sign that a more pragmatic approach may eventually prevail in the Nethelands.  

Key highlights from questions asked of the government include:

  1. Will the cookie opt-in proposals put the Netherlands at a competitive disadvantage as against countries that adopt a more ‘lenient’ implementation of Article 5(3) e-Privacy Directive?
  2. What will the impact be on the user experience of Dutch internet users? What will the impact be of consent regimes adopted by other Member States on users’ internet experience?
  3. Which party has to obtain the unambiguous consent? Can responsibility to obtain consent be delegated from, say, a publisher to an advertiser?
  4. What cookies will fall within the scope of the proposed regulation? Are analytics cookies exempt?
  5. Can opt-in consent be given via browser settings?

Thanks to Nicole Wolters Ruckert at Kennedy Van der Laan who alerted us to this development and highlighted some of the (very valid) questions being raised.