Getting privacy right needs more than laws

The front page of the April edition of PL&B International Report demonstrates the breadth of issues we cover in this 35th Anniversary year of PL&B International Report.

We report on the ever-expanding number of countries which have adopted privacy laws. These 157 countries have a very wide range of scope, rights and duties. Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor, compiler of this list and supporting commentary, explains, for example, that Kuwait’s new law does not have sufficient scope in either the private or public sectors. Oman’s law has many exclusions. As always, there is more to legislation than the words on the page.

He comments on the Belarus law: “The inclusion of Belarus underlines that, while these 11 laws meet the minimum formal requirements for a data privacy law on their face, this says nothing about whether the laws are effectively enforced, or about the data surveillance context in which such laws exist and which may largely nullify their potential benefits.”

But these comments could equally apply to other countries.

The article on Apple, by contrast, shows how even they, proud of its privacy- friendly software making privacy a key brand differentiator, has dented, with its Air Tag product, its relatively good reputation. Abigail Dubiniecki writes that this product “has exposed a significant privacy blind spot …..AirTags have enabled stalking, car theft, and other safety risks. In a decidedly off-brand move, Apple’s AirTags have actually introduced new privacy risks and exacerbated existing social inequalities.”
This shows that getting privacy right demands more than laws with appropriate provisions to fit in with national legal culture. Getting privacy right also demands that the ideally diverse team tasked with compliance with national laws have an awareness of privacy values and how they impact their own organisation. So it is difficult to get privacy right even at Apple, a company whose CEO, Tim Cook, has publicly declared his adherence to the company’s privacy friendly credentials. It is much more difficult for top management in the countries with new laws to recruit people who have not only the legal knowledge but also the authority and interpersonal skills essential to make compliance with the spirit and letter of the law the norm.

Criminal Sanctions in China

The Peoples Republic of China has now put in place its own type of privacy law with a set of rights and criminal sanctions which cover the administration of Internet pop-up push notifications. The detailed list of prohibited information in draft regulations contain many rules which could apply in any country.

Collective Action in the Netherlands

While the Netherlands is more favourable to collective (class) action than some other European countries, it is clear that any cases pursued by representative bodies must prepare their cases carefully, a point which will certainly be noted by NOYB which has recently set up a joint venture there. Cases are pending against Facebook/Meta and TikTok who are, no doubt, preparing their defences.

Mounting a defence against DPA sanctions

While on the subject of defence arguments, the 20 million Euro fine by Italy’s Garante against Clearview, following sanctions in several other countries, provides in its 30-page 17,000+ word decision, in effect, an instruction manual on the detailed arguments presented by both sides in this case. Both corporate lawyers and students can learn a great deal from the prosecution and defence. The decision on the level of fine resulted from the Garante’s consideration of the following factors:

  1. The nature of the data processed;
  2. Severity and duration of the violation;
  3. The number of individuals involved;
  4. Degree of responsibility of the data controller;
  5. Measures adopted by the data controller;
  6. Degree of the company’s cooperation with the supervisory authority.

PL&B events in the next 3 months

Making your case in Europe: Defending against DPA inquiries and sanctions

  • Date: 18 May 2022
  • Host: Latham & Watkins, London, and Online
  • A half day event to help you negotiate with the DPAs in France, Germany, Ireland and Spain

Roundtable on proposed reform to UK data protection legislation

  • Date: 25 May 2022
  • Host: Norton Rose Fulbright, London
  • A Roundtable to enable companies and their advisors, to provide feedback and constructive comments to Julia Lopez, DCMS Minister, on the government’s proposals on reforming UK data protection legislation.

Winds of Change, PL&B’s 35th Anniversary International Conference

  • Dates: 4-6th July 2022
  • Location: St. John’s College, Cambridge, UK, and Online.
  • Related events include a student essay competition.

We look forward to meeting you at these events

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

April 2022

News & Blogs

April 2022 Report Contents