On September 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Regulating for Results: Strategies and Priorities for Leadership and Engagement (the “Discussion Paper”). The Discussion Paper aims to stimulate dialogue about strategies and priorities for data protection authorities (“DPAs”) by putting forward a number of key questions. For example:
- How can DPAs maximize their effectiveness in the modern Information Age when their responsibilities are so numerous and their resources are so limited?
- Is constructive engagement with the organizations that DPAs regulate likely to be more productive than relying upon law enforcement through deterrence and punishment?
The Discussion Paper reflects on what we can learn about effective regulation from other spheres and argues that the leadership function, with emphasis on practical guidance, should have top priority. The paper concludes by putting forward high-level principles for a “results-based approach” to inform the setting of strategies and priorities for effective leadership and engagement.
The key takeaways from the Discussion Paper are highlighted below:
- A “results-based approach” benefits (1) individuals by making sure that they are protected in practice, (2) DPAs by ensuring they make the best possible use of available resources to achieve the best outcomes, and (3) regulatees through providing consistency, predictability and engagement with their DPA counterparts.
- While DPAs are prescribed a long list of tasks to perform, clear strategies—with hard choices—are needed to prioritize these tasks to best effect. The Discussion Paper provides a framework for grouping the different tasks by function—namely: Leader, Police Officer, Complaint-Handler and Authorizer.
- Although they can never be adequate, DPA resources are meager at best in the current regulatory environment. The latest figures for 26 DPAs in the EU suggest less than €0.41 per citizen or about €8 per business. There is evidence of some actual and potential upward movement but on the whole DPAs will need additional resources to be able to maximize their effectiveness.
- Studies of regulatory effectiveness in other sectors provide insights applicable to data protection. Many regulatory spheres now take an outcome-based approach that focuses on engagement through information, advice and support rather than deterrence and punishment. Such a positive and proactive approach towards ensuring compliance is one way DPAs can achieve maximum effectiveness. Enforcement should be reserved for those engaged in deliberate, repeated or wilful wrongdoing.
- While the DPA has many functions and plays multiple roles, the leadership role and functions of DPAs should be treated as the top strategic priority. Policing and complaint-handling roles are important but must be well managed to avoid swamping a DPA and to ensure that a DPA does not rule by fear, which is contrary to constructive engagement. Equally, the DPA’s role as authorizer must be carried out strategically, as engaging in such a role can be resource-intensive.
- Constructive engagement in practice involves engaging in many activities and techniques as outlined in the Discussion Paper but also involves creating a space for responsible innovation by accountable organizations. This can be achieved through a “Regulatory Sandbox” model which provides businesses with a supervised space to test innovative products, services, business models and delivery mechanisms in the real market with real consumers.
- Possible challenges and risks associated with a “results-based approach” include reluctance by DPAs to relegate functions, fears of regulatory capture if DPAs get too close to the organizations they regulate, and resistance from the regulated community on the grounds that excessive engagement with regulators could be problematic.
The Discussion Paper does not seek to impose solutions upon DPAs, who must decide their own strategies, but raises 10 key questions that can assist DPAs as they decide the best ways forward.