Data Protection – Entering The ‘Post-Regulatory’ Age by Stewart Room
The status of the proposed EU General Data Protection Regulation is still up in the air at the moment, but there is a greater sense of optimism around that the reform agenda will complete fairly soon, i.e., in the medium term, say by the end of 2015. The European Parliament elections depressed sentiment for a while, but they are now history. And the reform agenda has received a considerable boost from the CJEU decisions in the Google Spain case and the Digital Rights Ireland case, by Snowden’s disclosures and by the growth of citizen and pressure group litigation (e.g., Max Schrems’ cases against Facebook and the pressure group litigation about Prism and Tempora). People connected into the political scene are detecting clear shifts in policy formation too, as the political classes tune-in to the pro-privacy vibes in the air.
That is all ‘big picture’ stuff however. As I was discussing with a close friend in the privacy community the other day, I sense that we are entering the ‘post-regulatory’ phase of data protection, ironic as that sounds.
What I mean by this, is that when the phenomena of regulation is viewed for what it is – basically a mechanism to cure imperfections in market behaviours – a time should be reached when regulation has done its job. Take telecoms regulation from the 1980s. The core aim was to liberalise the markets, by breaking up monopolies. Clearly, that regulatory goal was successfully achieved. Thus, for that aspect of telecoms, we are in a post-regulatory age. No one seriously believes in telecoms monopoly anymore, although people used to.
Data protection as a concept has moved past the initial regulatory goals, of creating principles-based norms for good behaviours. I believe that we no longer need regulation to teach the economy that data protection is important. The case has been proved and accepted. Only foolhardy businesses will think that shoddy attitudes will be good for the bottom line.
Thus, the nature of the conversation that professional services providers (like me) have with businesses has changed. Scanning back five years or so, the argument might have been described as a ‘fear sell’ in some quarters, because the argument was ‘bad data protection has bad consequences’. Now the conversation is about how good data protection adds value.
This transition is the hallmark of a post-regulatory environment. The status quo, or the norm, is now about data protection as a positive. This includes security too. Good security adds value and enables business. We should not be talking about how security strangles or suffocates business. That would be stupid.
For business, the evidence is building up. There a number of factors at play and they are all interrelated. The newsworthiness of data protection and cyber security is clearly a huge part of the picture. The more the story is played out in public, the greater is the impact on the minds of individuals. Of course, regulatory actions have been another big factor. But, the real drivers of change are the positions of ordinary individuals. We all wear many different hats. We are customers, employees, business partners, shareholders (and so on), so we hold all the power. Cumulatively, the effects that we are having on business and corporate minds is profound. Principally, we are causing businesses to look at data protection and security in terms of trust, confidence, brand and reputation.
This translates into something in economic terms. We sometimes try to define the effect as ‘goodwill’, but it is hard to put a pound-value on goodwill. Yet that doesn’t matter, because businesses instinctively understand the connection between goodwill and profit.
This explains why, if you work in the space that I do, you find significant shifts in attitudes towards data protection compliance in business. Sure, lots of businesses are performing sub-optimally, but the improvements in recent years have been immense.
Hence, we have entered the post-regulatory age. Of course, this is not to say that we do not need regulation or a new Data Protection Regulation. Market imperfections change, develop and evolve. Oversight, sometimes light touch, sometimes heavy, is a thing to embrace, welcome and support, provided that the regulators themselves act properly, proportionately and fairly.