Data authorities around the world are poised to reconfigure their data protection laws. At last year’s International Conference of Data Protection and Privacy Commissioners, privacy authorities unanimously agreed that serious challenges “have convinced legislators all over the world to review the rules and laws governing privacy and data protection.”1 In particular, current privacy laws are criticized as being too inflexible to adapt to new technology, too inconsistent to be applied uniformly across borders, and too focused on imposing narrow obligations that fail to incentivize holistic data protection solutions. As European Data Protection Supervisor Peter Hustinx stated, “there is a need to update the present rules … updating in this case means making them much more effective for the present environment.”2
Not only do data authorities agree that current laws need improvement, but they also agree on the approach that the next generation of laws must take. As President Chairman of the International Conference Jacob Kohnstamm explained, “when looking at the bigger picture, you indeed can detect a trend that data protection and privacy rules across the world are getting closer to each other, for example with regard to principles of transparency and accountability.”3 The principle of accountability dictates that every organization be responsible for the protection of information. Flowing from this principle is the requirement that every organization be able to demonstrate that it succeeds in protecting information. By adopting an accountability approach, data authorities declare that organizations cannot simply react to their privacy obligations on an ad hoc basis, but must instead take ownership of their information practices and take into account all applicable privacy risks associated with their operations.
This paradigm shift has begun to manifest itself through regulatory and administrative developments worldwide. The EU’s proposed General Data Protection Regulation (GDPR), which is expected to be adopted in 2014, is firmly rooted in the concept of accountability. If adopted in its present form, the GDPR will impose documentation obligations on organizations to assist data authorities in verifying that such organizations effectively protect the information under their control. Moreover, the GDPR will require data processors to undergo data protection impact assessments before they conduct operations that present certain prescribed categories of risks. The results of such assessments will determine whether or not data authorities authorize the proposed data processing operations. Non-compliance with the GDPR could result in fines of up to €1 million or 2% of an organization’s annual worldwide turnover.
The U.S. has also incorporated accountability into its privacy framework. Last year, the White House proclaimed that “privacy protection depends on companies being accountable to consumers as well as to agencies that enforce consumer data privacy protections.”4 Similarly, the FTC recently described accountability as one of the “principles embodied in the FTC’s framework.”5 This year, the Health Insurance Portability and Accountability Act was amended to ensure that organizations are answerable for their health information practices. The amendments require every privacy complaint to be formally investigated if a preliminary review indicates that there is a possibility that the organization violated the act due to wilful neglect. Penalties for non-compliance include fines of $50,000 USD per violation, even if the violations were inadvertent.
While accountability has been a key principle in Canadian privacy laws for many years, Canadian data authorities are increasingly emphasizing the need for organizations to be able to demonstrate their compliance upon request. According to policy guidelines published last year, Canada’s Privacy Commissioners “expect that organizations can demonstrate that they have an up-to-date, comprehensive privacy program in place. Evidence of an effective privacy management program assists Commissioners in determining whether or not the organization has reasonable safeguards in place, and has complied with the accountability requirements under law.”6 Canada has also played an important role in developing the concept of Privacy by Design, which became a mainstream privacy concept when a resolution by Ontario’s Information and Privacy Commissioner Ann Cavoukian was approved unanimously at the 2010 International Conference of Data Protection and Privacy Commissioners. Privacy by Design and accountability go hand-in-hand by requiring organizations to take privacy risks into account when designing their business operations.
These privacy trends hint that a paradigm shift is on the horizon, which will result in further changes to privacy legislation and enforcement regimes around the world. Organizations must therefore shift the way in which they assess their privacy obligations. Where it may once have been adequate for organizations to simply identify and implement safeguards prescribed by relevant legislation, privacy authorities will soon expect organizations to be able to prove that they responsibly manage their privacy risks and successfully live up to their privacy commitments.
There will be no universal solution for achieving accountability. An organization’s privacy obligations will invariably depend on its business model and infrastructure. Moreover, advances in technology and amendments to legislation will make achieving accountability a moving target. This is not to say that there is no value in enumerating the elements of an effective privacy management program. Indeed, the results of a ten-month global study of organizations with strong privacy programs have helped to define what it would look like if an “organization was 100% compliant and the privacy program was 100% implemented.”7 Nevertheless, it is imperative that organizations approach the components of effective privacy management from the perspective of an organization that wants every element of its operations to demonstrate effective data protection. To understand how this new perspective will recast an organization’s approach to privacy compliance, consider the following questions:
- Planning: what can my organization do to show that we approach all of our operations with the goal of minimizing privacy risks?
- Databases: what features of our information systems demonstrate that they are secure, accurate and compliant?
- Training: what documentation should we store and release when training our personnel to be privacy compliant?
- Security: do our security measures reflect the importance that we ascribe to protecting information under our control?
- Third-Party Transfers: are our business partners just as accountable as we are for their information practices?
- Monitoring: what evidence should we collect and use to verify that members of our organization successfully discharge their privacy responsibilities?
- Audits: how efficiently and completely can we compile evidence of accountability in case we are audited by a data authority?
In a subsequent article, we will discuss how some forward-thinking global companies are overcoming organizational and infrastructural challenges and successfully shifting to an accountability approach to privacy compliance. We will also discuss how these businesses are managing business and legal risks while containing the costs associated with expanding privacy compliance obligations. Finally, we will report on insights gained from the 2013 International Conference of Data Protection and Privacy Commissioners.