Meaningful consent and privacy-washing
Attending the Global Privacy Assembly in Istanbul with Laura Linkomies, our Editor, we were pleased to be once again at the centre of the international privacy law community of around 130 countries, the first in-person GPA since Albania in 2019.
Professor Colin Bennett, our Canada correspondent, cited his mentor, the late Dr David Flaherty and followed in his footsteps. At the DPAs’ conference in Quebec in 1987, Flaherty challenged the assembled Data Protection Authorities to do more to protect individuals’ privacy. Bennett rejected the idea that it is possible for DPAs to achieve a balance between companies and individuals. He declared “there is more monitoring than at any time in history….Surveillance will continue. With companies so powerful, there cannot be a balance between companies and individual rights…It is a matter of control. The problem of mass surveillance is contextual. In reality, consent is not a constraint on privacy which is a nebulous concept. Risk is often cited but not defined carefully.”
Bennett called the DPAs to action reminding them “The GDPR has many tools. All are necessary but none are sufficient.” The DPAs are not using them effectively. They need to know which tool to use for a specific issue. Bennett argued that a stronger civil society would lead to better complaints resulting in better regulatory results. He declared that there is a “mythological privacy equilibrium – you would not know if you have reached a balance.”
Erik Neunschwander, Head of User Privacy, Apple, stated that his company does not do tracking, as it erodes customer trust. “Tracking is parasitic, as it has a negative impact on load times, using the device’s battery in a very invisible way.” Instead, Apple conducts audience management without using individual tracking. The company keeps user data private by data minimization, transparency, and security. Apple does not sell data to third parties but, logically, it does need to track personal data for 'Find My iPhone' location tracking to be enabled.
Luis de Salvador Carrasco, Director, Technology, AEPD (DPA) Spain, explained that there is a need to regulate online services more closely. His agency had carried out 400 audits of websites providing digital marketing services. He reported “Cookie notices are not functioning…consent is not actually consent” and so warned of “privacy-washing.”
I have reported in this edition on the session organised by the European Commission on interoperability of contracts for international transfers within Latin America. There was a sense at the conference that the EU GDPR provides an inspiration rather than a rigid blueprint. The wording of the Model Contract Clauses in Latin America suggests a less rigid approach than the Standard Contractual Clauses in the EU. Crucially the Latin American version is designed to be linked to the EU version so companies can trade across international borders more easily. Bruno Gencarelli, Head of Unit, International Data Flows and Protection, stressed the importance of a multilateral approach emphasizing value for business and the protection of individual rights. I asked Belén Rodríguez Quiroga, Data Privacy Manager, Mercado Libre with its HQ in Argentina, to expand on the benefits of the Model Contract Clauses to help all sizes of companies to integrate into the international digital world. She gave some details of how her company implements the Model Contract Clauses.
PL&B is running a Binding Corporate Rules (BCRs) Workshop which will re-assess the benefits and costs of aiming for the “gold standard” for international transfers of personal data. Often companies regard BCRs as time-consuming and expensive. But both the EU and the UK’s Information Commissioner’s Office are working to simplify the process. This in-person workshop, hosted by Hogan Lovells, in London next Monday 12 December will bring companies and their legal advisors together with the BCR leaders at Ireland’s DP Commission and the ICO. What is the potential for a common approach or, at least mutual recognition? The output from this event will be a memo to policy makers and regulators drafted by Hogan Lovells lawyers and PL&B, and will provide a record of the participants’ policy recommendations.
PL&B’s 36th International Conference at St. John’s College, Cambridge
3-5 July 2023 is six months from now. We have now extended the deadline for speaker applications until 15 December. Registration will open later this month.
Sponsorship is welcome but is not a pre-condition for becoming a speaker.
We are always open to your suggestions on how we can ensure that our publications and events closely match your information needs.
From all of us at PL&B, we wish you a Happy and Healthy Holiday Season and 2023
Publisher, Privacy Laws & Business