EY forensic investigator comments on the considerations required in rethinking EU data protection proposals across borders
Sanjay Bhandari, Partner in EY’s Forensic Technology and Discovery Services team, assists companies in complex cross-border disputes, fraud, bribery, corruption or competition investigations, involving data-privacy-compliant strategies for handling electronic evidence across borders. He says more needs to be done to understand the challenges involving differing interpretations of European data privacy law.
Commenting on the EU’s data protection proposals, Sanjay Bhandari says:
“It is a good thing to rationalise data protection law – the current problem with the Directive is just that: it is a Directive. So it is up to Member States to implement and it means we have as many laws as there are member states of the EU. You then cannot get two lawyers in the same jurisdiction to agree on the interpretation of that local law.
“Having a Regulation will add certainty. Effectively adopting a German mindset (as the most stringent country in the EU) is always going to be difficult for English practitioners to get used to but everyone will adapt.”
Better technological solutions are possible when law is harmonised
Sanjay continues: “One benefit of having a truly harmonised law is that it gives a chance to create technological solutions to the compliance problem - this is practically impossible when you have 30 or more different, often conflicting laws. Even if the law is more stringent, the fact that it is more predictable gives the technology a chance.”
Need to consider impact on companies of compliance
Sanjay continues: “Nobody seems to have considered the impact of this on companies who need to comply. Many businesses have very diverse infrastructures, particularly those that have grown by acquisition. How are they meant to give effect to an individual's right to be forgotten under the proposed regime? Do the lawmakers understand the potential cost of that?”
Baby Boomer privacy concerns could already be out of date for Gen Z
Sanjay concludes: “Moreover, there is an inter-generational conflict here. This is legislation made by Baby Boomers based on their fears. By the time any such laws are implemented (2-4 years), around 50% of the workforce will be Net Natives (Gen Y or Gen Z).
“They simply do not care so much about privacy. They are naturally collaborative and open in their communications. Clearly, their views may change as they mature and they may care more about privacy as they start looking for jobs and worry that prospective employers are going to look at their photos on social media sites to assess their characters. But the genie is already out of the bottle. One has to wonder whether a lot of time has been spent on considering how to change the privacy laws without thinking why do we need to do it and for whose benefit are they being changed?”
Ultimately privacy and data protection are dependent on context
Emma Butler, EY Information Security team, added: “One of the main aims of the current EU proposals to update data protection is to harmonise national laws and avoid different interpretations by the Member States. That leads to the Regulation being more prescriptive than it maybe should be.
“Privacy and data protection are so context dependent that it makes it difficult to prescribe all the circumstances in which something is or isn't allowed.
“Think of the case of sensitive data for example. Most people in the UK consider financial information to be sensitive, but it is not on the list of sensitive data categories. However, in Finland they release everyone's tax details annually. The EU Regulation will only be able to harmonise national laws to a certain extent. There always has to be room to accommodate the differing legal traditions, social norms and cultural values of the 27 Member States.”