The Good, the Bad and the Good Enough
Chairman's Introduction to our 38th International Conference
Good morning everyone both here in Cambridge and online from all over the world, to The Good, The Bad and the Good Enough PL&B’s 38th International Conference. Thank you for joining us. You have just seen the Danish National Symphony Orchestra playing and singing their outstanding version of this year’s theme tune The Good, the Bad and the Ugly.(1) We are sure that you enjoyed it, and will be delighted by every aspect of the conference.
Welcome to you all. I’m Stewart Dresner, Founder and Chief Executive of Privacy Laws & Business (PL&B). We are the world’s longest established company on privacy laws worldwide and their impact on business. Now in our 39th year running events and publications.
There is a world of difference between describing privacy laws as ugly and describing them as good enough, or to use the EU term “adequate”. However, we rejected as our conference title “The Good, the Bad and the Adequate” because that would frame the conference in a Euro-centric way. This would not be appropriate when we always include jurisdictions outside the European Economic Area (EEA). At this year’s conference we have speakers from 11 of them, and are covering privacy law developments in Asia, the Arab region, the Caribbean and Europe.
Should we describe a “bad” law as one which is poorly drafted, or not enforced, or both? Where there is the political will, even a badly drafted law can set the baseline standard which can be developed when the time is right. After all, virtually every national law has been adapted over time to meet changing political priorities and each society’s needs.
There are parallels here with other areas of life. For example, no-one would describe my personal fitness programme as good, but maybe taking into consideration my work/life balance, I should be content with good enough!
From laws to your company’s compliance programme. There is a difference between describing it as ugly and describing it as good enough.
Privacy laws set a common standard for everyone which require The Good and action against The Bad. But many organisations aim only for The Good Enough.
This conference will help you:
- Reach the Good standard, or
- Assess the risks of aiming for, at least, a Good Enough standard.
Good Enough depends on your perspective.
Some organisations work towards high data standards driven by a combination of ethics, law and reputation.
Others aim for “good enough” in some areas which can lead to concerns about crossing lines:
- Concern about your reputation with consumers and employees?
- Concern about avoiding Data Protection Authorities’ attention?
- Concern about keeping compliance costs within budget?
This conference brings you presentations by 24 company managers and in-house lawyers from many sectors and countries on how they manage the internal politics, the practical challenges, and sometimes grey areas represented by a “good enough” policy.
We learned at our Ireland conference in Dublin in February this year, that Ireland’s Data Protection Commissioner, Dr Des Hogan, has decided to help companies move in the right direction at an early stage of developing products and services, rather than taking enforcement action at a later stage. He said, “We always remain open to discuss companies’ plans in a confidential setting.” He told us that he expects better compliance from big tech companies which have large privacy teams, compared with smaller organisations.
In most, if not all jurisdictions, regulators work towards organisations reaching a high level of compliance with the law. But a good enough standard is more realistic.
Faced by a daunting list of different types of privacy laws and legal duties, it is not surprising that some companies accept the EU “gold standard” as “good” and apply it to their business everywhere. Other companies make an assessment of the low risk of sanctions, consider it low, and go for good enough.
Whatever your type of organisation, it is clear that most of you now have to wear many types of hat. These hats now often also cover Artificial Intelligence issues. We recognise this challenge at our two sessions directly addressing AI issues today, two tomorrow and one on Wednesday.
Laws everywhere set the standard expected in each jurisdiction. At this conference we will meet and hear from regulators and policy makers from 9 jurisdictions: Bermuda, France, Gibraltar, Guernsey, Ireland, Isle of Man, Jersey, Malta, and the United Kingdom.
Off the record, some EU national Data Protection Authorities have told me that they are looking with interest at the modest divergence from the EU GDPR provided by the UK’s new law.
The new Danish Presidency of the EU has published its programme for the 6 months of their Presidency which started last week on 1 July.(2)
The title of this programme is A strong Europe in a changing world. It reveals their proposal to transform EU data protection law policy.
Until this year, the conversation around data protection law in Europe has emphasised the framework of “fundamental rights.” But this is a time of transition.
For many years, speakers from the European Commission and the EDPB, the European Data Protection Board at this PL&B conference have stated firmly that the GDPR will not be opened up for amendment. The four-point rationale has been that:
- The GDPR took several years to develop from the previous Data Protection Directive
- It attracted 3,000+ amendments for discussion in the European Parliament,
- It was a political compromise, and
- It would be too exhausting and time-consuming to start this process again.
However, in the Danish document, I believe this is the first time an EU Presidency’s agenda has proposed “amendments to the GDPR.”
In a section headed “Simplification and burden reduction” the EU’s motivation is explicitly innovation and economic growth.
Here, on Wednesday, to mark this turning point, we will have a speaker from the EDPB. She will report to us the hot news from the EDPB’s plenary meeting discussing this issue.
So, we are on the point of change. Until now, the Member State DPAs in the EDPB have supported a modest move towards fewer legal duties for Small and Medium Enterprises Now, as of 3 July, the EDPB is embracing wider reform.
The document title The Helsinki Statement on enhanced clarity, support and engagement shows that the EDPB is taking a new path.(3)
There is also data protection and economic growth dimension to the G7. At its meeting in Alberta, Canada in June, they declared the importance of respecting the principle of data protection by design, to encourage responsible innovation.(4)
We can now see a trend towards economic factors playing a more dominant role at national level. I am pleased to welcome here M. Bertrand du Marais, the CNIL Commissioner who was there at the G7 in Canada, and is with us here to speak this afternoon on the CNIL’s work on privacy and mobile apps. Also, in another initiative emphasising economic growth, the CNIL published only two weeks ago a policy paper on Cybersecurity: The Economic Benefits of GDPR.(5)
In my judgement, economic factors have led to climate change, a concept which I am applying here not to the weather, but to privacy laws.
Turning to the UK …
Certainly, the UK government aimed at the Good so that the new Data (Use and Access) Act 2025 would be compatible with the Council of Europe Convention on Human Rights. Although this is normal practice, some ministers in the previous government wanted the UK to withdraw from the Convention.
The UK’s new 3 weeks old data law comes at the perfect time for this conference! And the July edition of PL&B UK Report!
Will the European Commission see the new law as “adequate”?(6)
There is a risk of losing EU adequacy status if the new law diverges too far from the EU norm. How far is too far? For now, the UK government has the confidence that the new UK law is good enough. However, EDRi, a coalition of European Civil Rights groups, has declared that the new UK law is not good enough.(7)
Privacy Laws & Business is more than this annual conference.
We cover data law themes, the legal requirements, regulatory interpretation, and company implementation.
We publish the blue International Report, where we cover 170+ countries: laws, bills, court decisions, and interviews with companies and regulators, from which we distil practical advice and checklists of good practice.
We also publish the red UK Report in alternate months. They are available in pdf and html formats. See benefits of subscribing on page 15 in your programme and take advantage of our Introductory offer by becoming a subscriber.
Laura Linkomies, Editor, Tom Cooper, Deputy Editor and Merrill Dresner, Assistant Editor (and my wife) are here and will be happy to talk to you about the Reports. If you would like us to feature your company, please speak to any of us.
Sponsors
Thank you also to our generous sponsors for supporting this conference in many ways. In alphabetical order they are: Cooley, Dastra, Dentons, Freshfields, Latham & Watkins, Linklaters, Meta, Morrison Foerster, Phaselaw, Slaughter and May, TikTok, Westbrook Data Protection Services and White & Case.
Feedback welcome
Please respond to our feedback survey while you are here. Tell us the subjects and countries you would like PL&B to cover in future.
Future PL&B Events
You can see information in the conference programme (page 13) on our next two PL&B in-person events in London: in October on the UK, and in November on the USA. If you are a subscriber to either or both PL&B Reports and register early, these events are free!
Thank you to my PL&B colleagues named on page 2 in the programme.
Everyone tells us they enjoy the social and networking side of this conference, our meals together in the medieval hall, the walks, floating downstream in traditional punts tomorrow evening. This evening at dinner, I am sure you will enjoy The Guildhall Jazz Singers.
Thank you for listening. I declare this conference open.
Stewart Dresner
Chief Executive, Privacy Laws & Business