By José Alejandro Bermúdez
Former Colombian Superintendent for Data Protection
Partner, Bermudez Durana Abogados
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Criminal law theorists and academics have argued extensively on when and what to prosecute and the long-term effects of excessive criminalization policies. Should all misdemeanors be prosecuted? Should scarce resources be directed to strengthening cases with a higher societal impact? What is the social impact of obtaining visible results in high profile cases at the expense of choosing selectively?
These questions should probably be considered in the enforcement of privacy cases as well.
In recent decades, we have witnessed an explosion of new privacy regulation, a formidable advance in technology and a correlated increase of enforcement by DPAs, triggered by new business models, advanced analytics and innovative uses of personal data. As a former regulator, tasked with the then new Colombian regulation, we advanced awareness and engaged proactively with stakeholders, but probably could have done things better. In hindsight, the question remains: could we have looked more intensely at the forest instead of focusing on a few trees? Could we have tackled more big problems instead of losing focus with minor violations of the law? Some of the restraints could be blamed on the regulation (many laws mandate regulators to process every single claim), and some were probably a combination of lack of experience, of precedents and of a robust data protection culture.
But even at that initial stage, with a nascent DPA, there was a need to identify the building blocks that would lead to enhanced compliance and to an enforcement that resulted in more protection for individuals - an enforcement that got closer to achieving the results regulators are tasked with. I would argue still that the answer is in a concept now widely deployed in data protection laws and guidelines all across the globe: maintain a focus on accountability.
Since its inception in the 1980 OECD Privacy Guidelines, accountability, a simply worded yet hard to implement principle, has found its way to multiple legislations and guidelines, including the GDPR, LGPD, APEC’s Privacy Framework and the Iberoamerican Standards. Practical implementation, however, remains fuzzy, and an important objective of enforcement policy should focus on how to translate accountability provisions into workable practices.
Mandating companies that process data to implement comprehensive privacy management programs (that is, that they materialize the accountability principle through the implementation of effective and demonstrable privacy measures) is the best way of stepping away from a mere compliance approach (where following the law is reduced to ticking boxes in rigid, outdated checklists) towards a model where data protection is embedded in the corporate principles of ethically driven, enthusiastic and responsible organizations.
The task for regulators is ever more complicated. New technologies, an unexpected global pandemic, scarce resources and mandates to look into every complaint, to name a few, are hurdles in the way of practical implementation of the law. I strongly believe that a successful and influential DPA should embrace an accountability centered approach, one that privileges organizations which fully commit to the implementation of comprehensive privacy programs, which go above-and-beyond mere compliance, and which actively engage with their stakeholders and the authorities to work together towards the common goal of protecting the rights of the individuals.
Companies that consciously opt for the hard path, that decide to focus on being transparent, present better choices to individuals, hold true to their promises, commit to drafting in clear language and facilitate the exercise of subject rights, deserve recognition. Some legislations, including Colombia’s, have specifically provided that companies who can demonstrate their good practices are rewarded with a favorable approach in enforcement actions. Mistakes can happen, and some situations may result in non-compliance, but the priority should always be on actions that cause real harm to individuals.
Effective DPAs -- and examples are abundant throughout the world -- devote much of their time and effort to actively promoting the adoption of accountability-based approaches. They are uniquely suited to act as guiding partners in the interpretation of the law. Their role should then ideally continue to focus on better understanding trends and technologies and on generating discussions that lead to better policies and to targeted, strategic enforcement. This strategic approach, centered on a continued analysis of the evolving nature of a fundamental right that needs to be balanced with the beneficial uses of data, is a major piece of the puzzle in the search for lawful and responsible uses of data while minimizing risks and avoiding harm and discrimination.