Privacy laws develop at a faster pace when driven by economic incentive
The two articles on the front page of this 35th Anniversary edition of PL&B International Report show a contrasting approach to adopting a new privacy law. The United Arab Emirates (UAE), a federation of monarchies with a limited form of democracy, adopted its Federal Decree-Law in November last year, copying many of the requirements of the GDPR so its main provisions follow a familiar pattern. Ruling by decree has achieved an efficient and quick result for the UAE with its population of around 10 million people. This is the model in the region with a new law in Saudi Arabia (PL&B International Report October 2021) and a bill in Kuwait.
For most of the time since the first data protection laws were adopted at regional level in Hesse, Germany in 1970 and at national level in Sweden in 1973, the underlying idea has been that they represent an aspect of a democratic society, a human right, a fundamental human right at European Union level, or a consumer right in the US.
By contrast with the UAE, successive Indian governments have spent around 20 years considering an Indian version of data protection law. When I visited India in 2004, I learned that the government had rejected a narrow approach to draft and apply a new law solely to the data processing sector, central to the valuable outsourcing sector (PL&B International Report April 2004 p.1). This would have been a much easier target than now trying to win adequacy with the EU Commission. Instead, over the following years, India’s government aimed to cover all sectors and all of its 1.4 billion population by entering into the EU GDPR orbit, but tracing a rather erratic course, as Professor Graham Greenleaf explains.
The United Kingdom seems to be steering away from a ‘rights approach’ to an ‘economic’ approach. The job specification for the new Information Commissioner clearly stated that the newly defined role would include a dimension of being an economic regulator. We shall follow with great interest the extent to which the UK steers away from a ‘rights approach’ to an ‘economic’ approach. With the UK’s EU adequacy status assured for four years, we shall monitor the government’s possible drift away from the EU GDPR. This trend can be seen in terms of the law’s impact on management, for example, the role of the Data Protection Officer (PL&B UK Report January 2022). To what extent is this shift a response to the government’s Brexit sentiment, or more substantial?
Shining a bright light on dark patterns is now an active battleground
On 2 February, Belgium’s DPA, in co-operation with DPAs across Europe, sanctioned the Internet Advertising Bureau Europe for the way it operates online personalised advertising, the eco-system where dark patterns flourish. This issue is also part of the government’s Discussion Paper in Australia.
We hosted a webinar on 3 February on these issues. We discussed how an organisation’s top management balances commercial gains against winning its users’ trust and keeping it. What is the role for regulation? The European Union is currently finalising the Digital Services Act. The European Parliament has approved prohibiting deceptive and nudging techniques to influence users’ behaviour through dark patterns, such as using colours and design to push users towards specific consent options and repeatedly asking for consent for the sharing of personal data with the company. In the United States, California’s influential Consumer Privacy Act states “agreement obtained through use of dark patterns does not constitute consent.” The recording is now available.
Future PL&B events
Our next scheduled webinar, again sponsored by Meta, will take place on Wednesday 16th March when the subject will be Helping young people to better protect their privacy and safety online.
The dates for Winds of Change, PL&B’s 35th Anniversary International Conference, are 4-6 July 2022 at St. John’s College, Cambridge. We look forward to meeting you there in person, although this year, we are also offering an online option. Keep watch as we update the speaker list. Registration will open soon. Let us know if you want to propose a session, be a speaker or become a sponsor.
The 35th Anniversary edition
As I started Privacy Laws & Business in February 1987, this 175th issue is the 35th Anniversary edition of PL&B International Report.
I wrote in February 1987: “You will get maximum value from your subscription if you use Privacy Laws and Business as a forum for sharing your data protection experience with other companies in what is for everyone a non-competitive area.” Now data protection can be a competitive area for companies seeking to earn and retain the trust of their customers and staff. Dark patterns is the latest part of the marketing eco-system to attract the attention of consumer, competition and data protection regulators.
You will see that in February 1987 Merrill Dresner was the first Editor, and remains as Assistant Editor; Professor Graham Greenleaf, Asia-Pacific Editor, joined the team in 1991; and Laura Linkomies, Editor, started with PL&B in 1997. Tom Cooper, Deputy Editor, has been on the team for more than 10 years. Together with our many correspondents I am truly grateful for their support and passionate dedication to excellence which has been our mission from the start.
Publisher, Privacy Laws & Business