In the same way that most activities involving data are global, complying with the rules and regulations affecting those activities is a markedly global endeavour. Whether we are talking of multinational corporations with hundreds of thousands of employees or of a humble start-up with a clever idea, an app or a website, the ambitions are the same: tapping into the opportunities of the global marketplace. A digital marketplace that is free from the physical constraints of distance, culture and infrastructure. A marketplace that is huge and that has already turned college dorm ideas into some of the most successful and influential businesses on the planet. But we must not forget that going global and using personal information collected from all over the world carries equally huge responsibilities, which extend well beyond filing forms and sweet-talking regulators.
One of the challenges faced by anyone operating globally is the fragmentation of the legal regimes affecting the handling of personal information. Today, no single privacy model has emerged as the one to follow universally. Some regimes take an all-encompassing approach, applying principles, obligations and rights to every conceivable activity involving personal information. In some cases (think Europe) this approach is not only comprehensive but unashamedly strict. Other regimes go for a more down-to-earth, but still meaningful, approach to regulating privacy, allowing users of data a greater degree of discretion as to the precise compliance steps to take. There are jurisdictions where the use of data within some sectors is firmly regulated whilst other sectors are entirely off the hook. This colourful variety of legal regimes and data privacy obligations makes managing privacy on a global scale harder still.
An obvious route to take is to look at things on a country-by-country basis and simply try to do whatever it takes to get it right within each jurisdiction, whatever the differences. The trouble here is that compliance often becomes a prohibitively expensive exercise whose only advantage is not falling foul of each local law. The reality is that only a very limited number of organisations have the energy, resources and budget to do this. An insurmountable drawback of this approach is not just the cost of compliance but the inability to operate globally in a truly consistent way. It is frustrating to see valuable resources devoted to tailoring practices to local demands, which contributes to an inefficient and unproductive way of addressing global privacy needs.
This is exacerbated by the limitations on international data transfers and the finicky ways in which such transfers are meant to be legitimised. Take the standard contractual clauses approved by the European Commission for these purposes, for example. Although the clauses carry the seal of approval of the Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. That is simply absurd. Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving data flows. A static contractual agreement is likely to be out of date by the time it is filed with the authorities, having been signed some time earlier; that is hardly solid ground on which to build a compliance programme.
Against this background, an unfortunate but popular choice is to do nothing. Lawyers and regulators will cringe at the thought of thousands, if not hundreds of thousands, of situations where nothing is actually done to properly address the legal restrictions affecting international data flows. Some organisations manage to spend a small fortune legitimising transfers of data across jurisdictions, both within their own international structures and to third parties, but I have the suspicion that these are a minority in the whole scheme of things. Amongst that minority, only a select group will actually get their act together and implement a workable set of global privacy safeguards. The system seems to tolerate this, and regulators appear content with their ability to scrutinise those who do something about it. But this cannot be right. Global data privacy compliance is neither optional nor a pastime for the select few with the guts and stamina to go public about their practices. It is an essential need that requires a combination of fresh thinking, a workable global framework, a team approach and the right tools.
This article was first published in Data Protection Law & Policy in December 2013 and is an extract from Eduardo Ustaran’s new book The Future of Privacy.