Regulating 'as if': it's a taxing affair
March 04, 2015
The national Data Protection Authorities (DPAs) are acting 'as if' the General Data Protection Regulation (GDPR) is already in force. What I mean is that there is an abundance of evidence to show that when they perform their regulatory duties (which build upon the current Data Protection Directive) they are adopting standards and imposing requirements that reflect the key innovations within the forthcoming GDPR. For instance, the UK Information Commissioner's Office enforces the Data Protection Act 'as if' it contains a requirement for security breach disclosure, one of the most important innovations in the GDPR. Likewise, in their treatment of certain actors, the UK and French DPAs have acted 'as if' the law already requires compulsory Privacy Policies, another key innovation in the GDPR. Similarly, the decision of the Court of Justice of the EU (CJEU) in the Google Spain case was received by some DPAs 'as if' the 'Right To Be Forgotten' requirement of the GDPR were being enforced within current law. Other 'regulating as if' examples involve regulatory cooperation, in the form of 'one stop shops', again another major innovation within the GDPR.
The latest pronouncement of the Article 29 Working Party, the group of national DPAs, further cements the impression that they are 'regulating as if'. At the beginning of February the A.29 Working Party published WP230, their statement on inter-State exchanges of personal data for tax purposes.
The underlying data processing operations addressed by WP230 concern international endeavours to combat tax evasion. Pursuant to a number of national schemes in major industrialised countries, such as FATCA in the US, there are requirements for data controllers to deliver tax data to the authorities. Building upon these schemes, countries are entering into cooperation agreements whereby the national tax authorities can share personal data with one another.
The A.29 Working Party recognises the legitimacy of these operations, but it foresees a potential for disproportionate developments and purpose creep, so it has raised the spectre of the Data Retention Directive, which was chopped down by the CJEU last year for these very reasons. In other words, the A.29 Working Party foresees the potential for international schemes against tax evasion to spiral out of control. Or, using other language, they see these operations as high risk, from a data protection perspective.
So, how does this amount to 'regulating as if'? The answer lies in the mechanisms that the A.29 Working Party identifies to address the risk. These include the possibility of governments seeking 'opinions' from DPAs (pre-clearance, in other words), the performance of 'Gap Analysis' by the DPAs (akin to regulator audits) and the performance of Privacy Impact Assessments (PIAs) by governments.
These proposals reflect some of the other main innovations within the GDPR. Inch-by-inch, step-by-step and day-by-day the spirit of the GDPR is being embedded into the functional enforcement and operation of current law, 'as if' the GDPR were already in force.
The taxing question for data controllers is how they will adjust to the new reality. Or will they simply leave this question until the GDPR is formally rubber-stamped?
It is our experience that many organisations have already understood the new reality and some are quite advanced in their thinking about the adjustments that need to be made to their businesses to meet the heightened expectations of data protection law. Those organisations will be best placed to avoid the many extremes of the GDPR when it finally comes into force.
Other organisations are simply treading water, leaving the difficult questions to a later day. They will feel much more pressure when the sprint to the finish line begins.
Others are simply in denial, or operating in ignorance. They will provide rich pickings for regulators equipped with mega fines and the legal powers to demand root-and-branch operational change.