Schrems webinar shines light on small wins in supervision and enforcement
This article was jointly written by Richard Chudzynski, Data Privacy & Protection Legal Leader, PwC Legal Middle East; and Lori Baker, Vice President Legal and Director of Data Protection, DIFC Authority
Richard Chudyzynski and Lori Baker
5 min read
On 15 June this year, the UAE / GCC Privacy Professionals group was delighted to host Max Schrems, Founder of NOYB – the European Centre for Digital Rights. Max shared his views with the UAE data privacy community on the development of data privacy laws, the role of the regulator in respect of supervision and enforcement, interoperability, and even a bit on the Meta findings from the Ireland Data Protection Commission (DPC). NOYB conducts a wide variety of public policy and consumer advocacy work, sometimes to the chagrin but often to the delight of privacy professionals that keep the rights and redress afforded to data subjects at the heart of their practice. All advocacy organisations have a philosophy that drives their work and passion. As such, what, you might ask, are the objectives of NOYB projects that bring to life the tenets of a “Schremsian” philosophy? Here is a summary of what he shared with us on that very illuminating day to answer that very question.
Supervision and Enforcement
From the outset, Max zoomed in on automated enforcement. If he was to build a regulator’s office and function from scratch, the key things one would consider in maximising its effectiveness were – benchmarking, effective and practical enforcement, and amplifying the objective’s message via many small wins.
For example, looking at the number of decisions coming out of Spain as compared to Ireland, it is clear that Spain’s DP regulator appears to be far more efficient (and probably more effective) than those regulators who are not issuing as many decisions, mainly by focusing on varied yet less egregious infractions (and lots of them). In essence it is what comes out of these decisions that provides depth of insight, supports companies with compliance know-how, and improves privacy’s culture and frameworks. If a jurisdiction is only concentrating on a few big companies or data-heavy sectors, then others may experience the lack of a real driver to move forward with their privacy journey - they are effectively not on the regulator’s radar. Furthermore, those companies under the microscope are primarily data-driven and often have relatively endless resources and time to spend on regulatory investigations. This leads to delays in coming to a decision on important topics that may not ultimately get solved or if they do, the resolution is past its due date.
The corollary of this concerns companies who are plainly not implementing these laws. The Spain example shows effectiveness in driving better compliance across all sectors through many smaller fines. In other words, the law works most effectively with deterrence, according to Schrems. One point of view may be that many companies don’t necessarily see the ethical or practical value of data privacy laws, so deterrence really does need to be at the top of the list for all regulators.
Enforcement can also come in the form of hands-on, effective supervision by imposing tasks / admonishments on companies, providing support through templates, clear guidance and tools, ensuring board and senior buy-in, and of course education, will undoubtedly improve companies’ privacy postures. Giving companies action plans, a practical and achievable checklist or simply a letter imposing certain tasks, goes a long way and gets them thinking on what they need to do and how to go about it.
One topic that is much debated by regulators is automation. Automating enforcement may make it easier to ensure that companies have little choice, but to deal with a process or procedure, resulting in a more objective outcome. It may in turn ensure better compliance and also aids in supporting regulators with their own resource burdens around managing complaints. Pre-selected, common responses and documentation requirements mean little room for error and interpretation. It’s also very effective in relation to the complaints NOYB sends to companies. Once NOYB sends a notice to a company in breach of the regulations, there is usually a 42% return on compliant responses. Simply poking the company with what they may be doing wrong, followed by effective enforcement where warranted, helps them move the needle on real, practical compliance.
Multiple privacy laws combined data sharing obligations results in a tough and complex situation, but if the privacy law is defective, then interoperability is not necessarily possible in Max’s view. Regulators do not want to shut down the Internet, and companies would prefer to self-regulate through Standard Contractual Clauses (SCCs); however, it is clear that laws and frameworks are required to ensure that appropriate safeguards are in place. Max then used the example of the newly approved EU-US Data Privacy Framework and the US adequacy decision. NOYB’s position is broadly that it is very unlikely to be validated, until foreign data subjects are given effective rights equal to those of US Citizens. In this regard, the US laws that impact privacy are defective, and so the case for interoperability will remain defective. Cross border data transfers, their interoperability, safeguards and ensuring that an individual’s personal data is treated fairly and ethically are at the heart of NOYB’s objectives.
AI and Large Language Models (LLMs)
Max briefly touched upon the current impact of AI and LLM’s. It is imperative that for the protecting privacy around AI, regulators will need to look at how the processing takes place, which is something that is not currently covered under the GDPR or many other laws.
There is also a concern around the accuracy of much of the output LLM’s generate, although quality is getting better. Until this is solved companies should not be using LLM software which is not factually accurate. A number of companies already fell into this trap and have faced the consequences of the same. An accuracy principle will be key in ensuring this obstacle is overcome.
Does NOYB envisage a global framework for privacy
Max indicated it is absolutely necessary, but it is many, many years away and will need something more to drive it forward.
If our friend Max Schrems was considered a modern philosopher, which some may have already deemed him, the critical thinking and questions he raises to expose flaws as well as strengths in a legal and regulatory privacy framework are many. But what would his philosophy be called? Perhaps it is a blend of ethics and metaphysics (no pun intended to our colleagues at Meta) which deals with the first principles of thought, including abstract concepts such as being, knowing, identity, time, and space, combined with a dash of epistemology, the study of knowledge. Or perhaps it is pure logic with an overlay of politics.
What we do know from our chat with Max is that Schremsian philosophy is driven by a desire to see the nuances and subtleties of cleverly developed privacy law and regulation reach their true potential through methodical and objective testing, even to the breaking point of many regulators and privacy professionals.
While admittedly unpopular at times, and even quite frustrating for many, it is clear that NOYB is steadfastly pushing for a renewed approach to privacy and security practice by simply going back to basics – fighting for the individual through many small but important wins in a David and Goliath sort of landscape. Someone has to do it, right?