Is Digital Governance the New Standard?
Following the first year of life under the EU's General Data Protection Regulation (GDPR), and with only months to go until the California Consumer Privacy Act (CCPA) goes into effect, 2019 feels more like Waiting for Godot than Hallelujah Chorus. Everyone says they want US federal privacy legislation but there is considerable contention as to whether it should emulate the GDPR, pre-empt the CCPA or stake out a new track to protect people's privacy and digital rights against genuine abuses. Unless policy makers around the world make a real effort to identify the actual privacy risks people face, we will see more of the same in 2020 – an incessant barrage of tedious cookie notices, overwrought haranguing against tailored advertising and more blaming of victims of cybercrime for governments' failure to protect their economies from electronic attack by sophisticated state actors and criminals.
Accordingly, uncertainty abounds in the digital realm. In addition to policy stasis in Washington, the long-awaited Indian data protection law continues to elude finalisation. The application and interpretation of China's Cybersecurity Law, draft privacy requirements and potential enforcement appear designed to confound international business. And the future of the EU's next shoe to drop – an ePrivacy Regulation for the communications sector – remains equivocal.
Having said that, some highly consequential digital developments have occurred in the last year (in addition to the CCPA earthquake out of California). Canada's mandatory data breach notification requirements went into effect in November 2018. Spain's Data Protection Law introduced a slate of new 'digital rights' relating to new technologies – rights that are distinct from privacy or data protection rights. In particular, the new law imposes a duty on providers of information society services and social networks to rectify misinformation on the internet. This new duty for tech companies would appear to be similar to what the UK proposed in its April 2019 'Online Harms' White Paper (which was open for public comments until July 2019). Interestingly, the new Spanish law also introduced a 'digital disconnection right' designed to guarantee that workers and civil servants will be able to stop looking at their work devices during break time, leave and holidays.
While the UK and France have imposed or proposed massive fines of £99 million for a data breach and €50 million for 'lack of transparency, inadequate [disclosure of] information and lack of valid consent regarding the ads personalization', the biggest enforcement developments did not emanate from the EU under the GDPR's new authority to issue penalties of 4 per cent of annual global revenue. Instead, US federal and state regulators imposed hundreds of millions of dollars in fines on companies that suffered data breaches. But it was the Federal Trade Commission (FTC) that imposed the largest fine by any privacy regulator ever on Facebook in the aftermath of Cambridge Analytica. The FTC's fine of US$5 billion was 200 times larger than the FTC's previous high for a privacy penalty, 20 times larger than any prior privacy penalty anywhere in the world and amounted to approximately 9 per cent of the company's global annual revenue in the previous year.
Nonetheless, privacy advocates claimed this unprecedented penalty was still too low. Perhaps such analysts were simply channelling FTC Commissioner Rohit Chopra, who explained, candidly, that he dissented from the agency's settlement because it would do 'little to change the [behavioral advertising] business model.'
In contrast, FTC Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S Wilson issued a statement supporting the settlement in which they said that 'the magnitude of this penalty resets the baseline for privacy cases . . . and sends a strong message to every company in America that collects consumers' data: where the FTC has the authority to seek penalties, it will use that authority aggressively'.
Perhaps most significant, though, was the FTC's imposition of a highly regimented and rigorous new privacy governance structure. The FTC described these new governance requirements as 'overhaul[ing] the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance.'
The company itself appeared to accept the agency's perspective that the new mandate for privacy governance 'will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company.' The company also noted that the 'accountability required by this agreement surpasses current US law' and expressed the hope that the settlement agreement will 'be a model for the industry,' noting that 'it introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements'.
In announcing the settlement, the FTC highlighted the following governance elements.
- '[G]reater accountability at the board of directors level', including the establishment of an independent privacy committee of Facebook's board of directors, with an independent nominating committee responsible for appointing the members of the privacy committee and a supermajority of the Facebook board of directors required to fire any of them.
- Improved 'accountability at the individual level', including by requiring Facebook to 'designate compliance officers who will be responsible for Facebook's privacy program' and by requiring the CEO and designated compliance officers independently 'to submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order', with false certification subjecting them to individual civil and criminal penalties.
- 'Strengthen[ed] external oversight of Facebook', by enhancing the 'independent third-party assessor's ability to evaluate the effectiveness of Facebook's privacy program and identify any gaps'.
- A mandatory 'privacy review of every new or modified product, service, or practice before it is implemented, and document[ation of] its decisions about user privacy'. This means that:
  - compliance officers must generate a 'quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency';
  - Facebook must 'exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook's platform policies or fail to justify their need for specific user data';
  - Facebook must 'implement procedures designed to ensure that Covered Information entered by the User (such as User-generated content) is deleted from servers under [Facebook]'s control, or is de-identified such that it is no longer associated with the User's account or device, within a reasonable period of time (not to exceed 120 days) from the time that the User has deleted such information, or his or her account' subject to certain exceptions;
  - Facebook must give 'clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users'; and
  - Facebook must 'establish, implement, and maintain a comprehensive data security program'.
Finally, the global data protection community lost a great man and leading privacy philosopher when Giovanni Buttarelli passed away in August. Giovanni, an Italian jurist and scholar, served as European Data Protection Supervisor at the time of his death. In October 2018, Giovanni chaired the brilliantly successful 40th anniversary International Conference of Data Protection and Privacy Commissioners in Brussels. The themes of the conference were 'Debating Ethics: Dignity and Respect in a Data Driven Life' and 'Choose Humanity: Putting Dignity Back into Digital.' In his opening speech, Giovanni explained:
. . . that we are now living through a new generational shift in the respect for privacy. This shift is towards establishing a sustainable ethics for a digitised society. It is driven by the globalisation of the economy, and the socio-technological forces . . . It is driven by the digitisation of almost everything in our economy and services sector, our social relations, politics and government. Above all, it is driven by the prospect of human decision-making, responsibility and accountability being delegated to machines. Digitisation respects no geographical boundaries. Digitisation is not sensitive to human boundaries between what we want to be public, private or something in between. It injects itself into our most intimate spaces – relationships, communications and attention. The so-called 'privacy paradox' is not that people have conflicting desires to hide and to expose. The paradox is that we have not yet learned how to navigate the new possibilities and vulnerabilities opened up by rapid digitisation. What do I mean by ethics? Ethics is the sense we all have, often subconscious, of right and wrong in different circumstances. Philosophers on this stage will shortly explain how ethical consensuses have emerged in the past. In today's digital sphere, however, there is no such ethical consensus. We do not have a consensus in Europe, and we certainly do not have one at a global level. But we urgently need one.
Whereas today's privacy rules and regulations – especially from Europe – may in fact be more burdensome than is necessary or desirable, they may still not get to the heart of the matter: as Giovanni opined, we must seek an ethical consensus of right and wrong for the digital sphere. It is no small undertaking to achieve this at a global level. And now it will be that much harder without Giovanni Buttarelli to help lead the way.
[1] Alan Charles Raul is a partner at Sidley Austin LLP.