In a year when COVID-19 has stress-tested privacy protections and where mutual recognition of global data protection regimes has been called into doubt, our rights and regulations have ultimately remained resilient. The question is whether and how we rebuild on those foundations.
“A man’s house is his castle and each man’s home is his safest refuge”. In 1628, the lawyer and parliamentarian Sir Edward Coke set out one of the first codifications of privacy and security in UK common law, asserting the inviolability of one’s private living space. In 2020, COVID-19 pushed our public sphere into our private one by turning our homes into offices and schools overnight. It was the first of many privacy conundrums.
How were we to make sure employees and their data were properly protected, and their environment secured, in the explosion of use of new remote work technologies? When tracking the path of the virus was imperative, and the rush was on to develop contact-tracing apps, how would the balance be found between freedom and unjustified surveillance?
Despite these pressures that could have led governments to cut corners, Cisco’s 2021 Data Privacy Benchmark shows that many individuals didn’t back down on their privacy expectations during the pandemic. 36 per cent didn’t want any privacy laws changed, and another 26 per cent would only envisage specific exceptions to privacy laws.
Businesses were well aware of the potential for privacy pitfalls, with 93 per cent of security and privacy professionals saying their companies turned to their privacy teams to help coordinate a pandemic response. In fact, businesses doubled their spending on privacy. If the pandemic has been a catalyst for digitisation, it seems privacy has gone hand-in-hand with that transition.
The positive views on privacy investments spill over into business views on data protection laws. Four out of five organisations believe that privacy regulations are having a positive impact on their business, seeing it as a standard baseline that helps bring confidence that data is being treated in the right way.
Interoperability and diminishing returns
A note of caution before we get carried away with congratulating ourselves as privacy professionals, policy makers and citizens. While privacy laws provide important guardrails and customer protections, they can only work if they are interoperable across countries and if investments do not buckle under the law of diminishing returns.
Cisco’s annual privacy benchmark study allows us to draw comparisons over time. Return on investment was 1.9x in 2020 but it decreased from 2.7x the year before. While this may in part be driven by unexpected costs relating to the pandemic, it may also be driven by increased costs from overlapping laws and data localisation pressures.
The Schrems II court case and Brexit have created substantial turmoil around international data transfers this year. Setting aside any questions of legal rights and wrongs, the significant costs ushered in by this turbulence have brought limited to zero commensurate business benefit.
The answer to this isn’t disputes over the equivalence of protections. No, it’s a race to the top in ensuring the right protections are in place. We need comprehensive data protection legislation around the world ensuring fairness, transparency and accountability.
The stand-off over data protection between different regions and countries is not primarily driven by concerns over how commercial and public organisations handle data and the protections that are established in law. While the importance of getting that right is undeniable, the global trend is heading in the right direction and governments recognise that progress.
The primary source of friction is government data demands and the framework of protections that surround them. Governments are not seeing eye-to-eye over the practices in one another’s jurisdictions and the sense of frustration is leading to the continued practice of unilateral (and even extraterritorial) measures.
Companies can, and do, use technical, contractual and organisational measures to shield themselves from cross-fire that comes their way. But ultimately it takes political will and governments to sit down for ‘peace talks’.
Signs of renewal
Thankfully there are green shoots to nurture. The European Commission is working overtime to patch up its international data transfer mechanisms. There have been extensive efforts to bring the Standard Contractual Clauses up to date with the GDPR and in line with the Schrems II ruling. And, just today, the European Commission published its draft adequacy decision for cross-Channel data flows.
The US Department of Justice and the Commission are in negotiations for an EU-US agreement to facilitate access to electronic evidence. They are looking to find common ground not only on when and how governments can access data but on what protections should be in place.
Last week, negotiations between the European Commission, Parliament and Council began on the draft e-Evidence Regulation, which can also contribute to setting the foundations for international agreements.
Privacy as a fundamental right
The privacy journey isn’t an easy one nor is the destination always clear. But after a year in which privacy protections have been challenged and the transfer mechanisms that underpin our global system questioned, what stands out is the continued resilience of our laws and practices. Citizens continue to value their rights and businesses continue to see the benefits.
This is not just an EU-US issue. As Sir Coke would no doubt have it, each of us deserves a private sphere – a metaphorical castle. If privacy is a fundamental right then principles of transparency, fairness and accountability will hold true, whoever is accessing or processing personal data and wherever they are.