Over the past decade, policy development in the data protection field has been very robust, with some good and bad results and some results that are a muddle. Yet, with all this activity, there still seems to be a sense that there is a policy vacuum that cries to be filled. In the simplest terms, people need to be protected while digital innovations need to work. Policy has a way to go to meet those dual objectives. The IAF explicitly heard this when I was in Europe in early September. A key question is how should policy innovators respond to this dilemma?
For analysis purposes, policy innovation may take place in any one of four domains – legislation, regulatory guidance, business innovation, and think tanks and academic centers. Some examples, broken down by domain, include:
- Legislation – Policy innovation may be driven by the actions of legislators who drive policy innovation through the requirements they create:
  - The GDPR and privacy laws in various jurisdictions, including Brazil and Japan;
  - U.S. state legislation in California and Nevada.
- Regulatory guidance – This may be in the form of regulations that are an extension of the law or guidance that informs best practices:
  - Canadian 2012 guidance on accountability;
  - Interpretations of the GDPR;
  - Future looking reports and workshops by and from agencies such as the EDPS and the FTC.
- Business innovation – Organizations may drive the definition of fair practice based on the actions they take to
  - New corporate tools such as privacy dashboards, automated assessment tools, and tools to map data within an organization.
- Think tanks and academic centers – These organizations may create innovative policy solutions that then may be adopted in one of the other three domains above:
  - Think tank papers from FPF, CIPL, IAF and professional associations;
  - Scholarly papers from academics in law, computer science, and public policy.
There is no question that the domains impact each other. For example, the law generates base requirements that are then interpreted by regulation. Further guidance may be influenced by regulators seeing best business practices and participating in think tank projects. For example, there is a direct relationship between the essential elements of accountability developed by the Global Accountability Dialogue and the 2010 Article 29 Working Party opinion on accountability.
Greater clarity, while desired, has not generally been the result of all this work in all four domains. Organizations in the vanguard of new data-driven business models are still making decisions with little confidence that the decisions are based on a firm sense of what will be considered acceptable. Even worse, a great deal of data processing that would benefit people is not being done because of an inability to derive what will be acceptable. The IAF refers to this as reticence risk. Lastly, “edge riders” push through solutions that create a trust deficit because muddle may indeed reward those that take advantage of the uncertainty around what is acceptable. Many policy thinkers thought that the big fines in the GDPR would help resolve this muddle, but there is little evidence that they have. The muddle just gets worse as the technology continues to facilitate an observational world that drives advanced analytics in all forms. There is no shortage of new compliance requirements, but they are not responsive to the challenges related to purely data-driven research, AI application, Internet of Things and virtual reality. In part, this is because the policy developments are informed by what we know (history) rather than by what we anticipate (the future), because anticipation may be seen as being speculative. So trustworthy data practices are informed by the past rather than in anticipation of the future. Therefore, the means for establishing that new data practices in highly digital ecosystems are reasonable are still very uncertain.
This uncertainty has existed since the consumer Internet made observation fairly easy. Yet business seems to feel the policy vacuum more now. Why is there a sense the vacuum is increasing now? Some of this unease is fed by technology’s fast migration. However, there are current conditions in many of the domains mentioned above that impede solutions and lead to uncertainty and thus the growing vacuum. Grouped geographically these conditions include:
- The European Data Protection Board is focused on operational issues, and that is expected to be the case for the next few years.
- The European Data Protection Supervisor often has been where new issues get analyzed and conceptual frames clearly articulated. A policy innovator, Giovanni Buttarelli, recently passed away, and the appointment of a new EDPS is necessary since the current mandate for his assistant expires in December. Some uncertainty has been added since there does not seem to be a timeline for that appointment.
- The new EU Commission has an uncertain digital policy structure, and there is a lack of experience at many of the leading EU enforcement agencies.
- Brexit is absorbing ICO resources, and Brexit removes the UK ICO as a key regulatory agency within the EDPB.
- There are inconsistencies in guidance issued by various countries on numerous GDPR provisions, leaving companies to struggle with which guidance to follow.
- There are provisions in the GDPR that require political decisions at the country level (for example, research), and the decisions that have been issued constrain innovation.
- There is a sense that some businesses are playing shell games with their GDPR programs.
- North America
  - The Canadian political process is signaling new legislation in the next legislative cycle.
  - There is friction between the digital roadmap and the legacy consent-based system with stretched consent.
  - Because an ombudsman regulator exists under the Personal Information and Electronic Documents Act, a debate is occurring about whether greater enforcement powers are necessary. The tension about regulatory powers is exacerbated by the fast evolution globally of data-driven business models.
  - Canada’s adequacy will soon be reviewed by the EU Commission.
  - There is a growing consensus the United States needs a new policy approach, but cross-cutting cleavages make a consensus on what that might be very problematic.
  - Tension exists between the desire for innovation and the need to curb excesses.
  - The internet knows no boundaries so bridges to international interoperability need to be built.
  - The second California ballot initiative is an example of a state solution due to a federal failure to act.
  - The policy ecosystem feels most comfortable with incremental change, but the U.S. has no history of comprehensive privacy law.
- There is a desire for European adequacy
- Singapore, and maybe others, want to forge a new Asian way
- There are conflicting drivers in China
Given the previous policy developments and the current conditions, the question is which challenges should each of the four domains in policy innovation address first to get the best chance of creating a model for protecting innovation in evolving data and analytic ecosystems, reducing reticence risk, and creating a roadmap for ethical data use where data serves people. The IAF cannot answer this question for the other policy innovators, but for itself, the IAF’s current endeavors are designed to be both strategic – a new fair processing legislative model to address future issues not past – and opportunistic – a change to Canadian privacy law that will help inform other jurisdictions. The answers to the questions of what projects and in which geographies will help the IAF define where it operates geographically and which projects it pursues in order to have the right impacts pursuant to its research and education mission. Continuing to be strategic and opportunistic should enhance the likelihood of innovation in evolving data and analytic ecosystems being protected, reticence risk being reduced and a roadmap for ethical data use where data serves people being created.