Centre for Information Policy Leadership

Promoting Accountability through Regulatory Leadership

1/20/2022

By José Alejandro Bermúdez
Former Colombian Superintendent for Data Protection
Partner, Bermudez Durana Abogados


Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP

Criminal law theorists and academics have argued extensively on when and what to prosecute and the long-term effects of excessive criminalization policies. Should all misdemeanors be prosecuted? Should scarce resources be directed to strengthening cases with a higher societal impact? What is the social impact of obtaining visible results in high profile cases at the expense of choosing selectively?

These questions should probably be considered in enforcement of privacy cases. 

In recent decades, we have witnessed an explosion of new privacy regulation, a formidable advance in technology and a correlated increase of enforcement by DPAs, triggered by new business models, advanced analytics and innovative uses of personal data. As a former regulator, tasked with the then new Colombian regulation, we advanced awareness and engaged proactively with stakeholders, but probably could have done things better. In hindsight, the question remains: could we have looked more intensely at the forest instead of focusing on a few trees? Could we have tackled more big problems instead of losing focus with minor violations of the law? Some of the restraints could be blamed on the regulation (many laws mandate regulators to process every single claim), and some were probably a combination of lack of experience, of precedents and of a robust data protection culture. 

But even at that initial stage, with a nascent DPA, there was a need to identify the building blocks that would lead to enhanced compliance and to an enforcement that resulted in more protection for individuals - an enforcement that got closer to achieving the results regulators are tasked with. I would argue still that the answer is in a concept now widely deployed in data protection laws and guidelines all across the globe: maintain a focus on accountability. 

Since its inception in the 1980 OECD Privacy Guidelines, accountability, a simply worded yet hard to implement principle, has found its way to multiple legislations and guidelines, including the GDPR, LGPD, APEC’s Privacy Framework and the Iberoamerican Standards. Practical implementation, however, remains fuzzy, and an important objective of enforcement policy should focus on how to translate accountability provisions into workable practices. 

Mandating companies that process data to implement comprehensive privacy management programs (that is, that they materialize the accountability principle through the implementation of effective and demonstrable privacy measures) is the best way of stepping away from a mere compliance approach (where following the law is reduced to ticking boxes in rigid, outdated checklists) towards a model where data protection is embedded in the corporate principles of ethically driven, enthusiastic and responsible organizations.

The task for regulators is ever more complicated. New technologies, an unexpected global pandemic, scarce resources and mandates to look into every complaint, to name a few, are hurdles in the way of practical implementation of the law. I strongly believe that a successful and influential DPA should embrace an accountability centered approach, one that privileges organizations which fully commit to the implementation of comprehensive privacy programs, which go above-and-beyond mere compliance, and which actively engage with their stakeholders and the authorities to work together towards the common goal of protecting the rights of the individuals. 

Companies that consciously opt for the hard path, that decide to focus on being transparent, present better choices to individuals, hold true to their promises, commit to drafting in clear language and facilitate the exercise of subject rights, deserve recognition. Some legislations, including Colombia’s, have specifically provided that companies who can demonstrate their good practices are rewarded with a favorable approach in enforcement actions. Mistakes can happen, and some situations may result in non-compliance, but the priority should always be in focusing on actions that cause real harm to individuals. 

Effective DPAs -- and examples are abundant throughout the world -- devote much of their time and efforts to actively promoting the adoption of accountability-based approaches. They are uniquely suited to act as guiding partners in the interpretation of the law. Their role should then ideally continue to focus on better understanding trends and technologies and generating discussions that lead to better policies and targeted and strategic enforcement. This strategic approach, centered on a continued analysis of the evolving nature of a fundamental right that needs to be balanced with the beneficial uses of data, is a major piece of the puzzle in the search of lawful and responsible uses of data while minimizing risks and avoiding harm and discrimination.

How do we balance prosperity and protection, especially in innovative areas?

1/20/2022

By Professor Christopher Hodges OBE
Emeritus Professor of Justice Systems, Centre for Socio-Legal Studies, University of Oxford


Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP

In simple terms, the purpose of business is to promote prosperity. It does this through creating and selling products and services in markets to people who find them useful. The justification for business goes through cycles of theory and policy, influenced by political ideology and public sentiment depending on events and the social context. One theory is that the purpose of business is solely to make profits, and that profits trickle down to deliver social good like employment, innovation and lifting people out of poverty. This is strongly associated with a political ideology that individuals and markets should be free. The argument goes that markets are always right, self-police, and need no intervention from the state through regulation, in the same way that individuals should be allowed personal freedom. After all, capitalism defeated communism, didn’t it? That was the end of history. Leave us alone.

That model was vulnerable to rumblings of the misbehaviour of executives and corporations, such as Enron, WorldCom and Ponzi schemes like that of Madoff. But the wheels came off in the 2008 global financial crisis when the selling of mortgages to people who were unlikely to be able to repay them (sub-prime), and their bundling and on-selling as CDOs, was revealed when interest rates turned and the entire banking system was shown to have wholly inadequate asset buffers, leading to the entire system crashing and having to be bailed out by states using taxpayers’ funds. Blame was placed on the use of targets, remuneration practices and a constant focus on stock values and reporting driving short-term profits. Short-termism was again held up when it became clear that unconstrained market behaviour on carbon emissions was likely to render all “valuable” assets as irrelevant as the world warmed through human activities.

This is a very short and simplistic account. But it highlights the need for society to take steps to protect itself. So we see changes such as in regulation of activities, corporate governance, concepts of stakeholder value, corporate responsibility, stewardship and so on. 

This background provides a warning against complacency and establishing systems that are insufficiently robust. The opportunities for use of data in a new digital and AI world are immense―but they are opportunities for good and bad purposes and outcomes. So we need to think carefully about the design and operation of effective systems that balance prosperity and protection. Those tasks essentially involve employing technical expertise, ethical values and principles, effective governance and transparency, objective scrutiny and opportunities for legal intervention. 

Is it inevitable that prosperity and protection are opposing objectives and forces? They need not be. Many sectors achieve successful outcomes and balance. The findings of behavioural and social psychology are underpinning fresh and effective approaches to motivated, effective people in commercial organisations, to basing activities on ethical values, and to engaging so as to increase performance―in outcomes that deliver both economic success and compliant protection. An inspiring example is the global aviation industry that achieves safety through ensuring open and just culture throughout the sector. 

We are in the early stages of using and understanding uses of data, some corporate actors are young and huge, many people face difficulties in engaging and complying with new rules, and regulation is new. All of these people and systems will need to evolve. For example, new forms of regulation, engagement and intervention will be required. Protection is not negotiable; it’s what society needs, wants and has a right to expect.   

I believe that the key concepts in framing the future are: ethical values; cooperation in sharing ideas, information, experiments, learning and making changes; independent oversight; accountability; sharing knowledge, building confidence and increasing trust; and delivering outcomes.

Copyright © 2022 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.