The European Union’s proposed General Data Protection Regulation and transatlantic disharmony were explored by Stewart Room, a Partner in the Privacy and Information Law Group at Field Fisher Waterhouse.
The now stalled European GDPR is not only an issue for European businesses, but for any organization doing business in Europe, and it has caused a rift of opinions between business and government leaders in the US and Europe.
Business leaders need to rebalance their focus from data protection issues, toward privacy, Room asserted, highlighting the stark differences that exist when it comes to issues of data protection and privacy on each side of the Atlantic.
The conflict can be summed up simply by the US style of data protection, which is very much ‘opt-in’, whereas Europe takes an ‘opt-out’ attitude. “The American approach to cybersecurity is a ballet dance; the European approach is a head-banging”, Room commented. He further explained that the US regulatory environment encourages positive incentives toward compliance. On the other hand, Europeans take a punitive regulatory approach. US regulators offer more carrots by way of access to (or lack of for non-compliance) government contracts, with European regulators far more willing to wield sticks for violations.
“Don’t be distracted over all of the noise” around compliance, he recommended. Instead, Room said, businesses should focus on the things that cause regulatory pain, mainly the security and confidentiality of data.
Another key issue within existing and proposed data protection regulations – especially in Europe – is that of transparency, especially mandatory reporting. Noting that the UK’s Information Commissioner’s Office (ICO) has handed out twice as many fines than it originally anticipated, Room highlighted that private sector organizations have received the majority of these fines in the UK over the past two years.
The reporting issues create a security paradox: transparency about threats creates a funnel toward sanctions, he explained, “leading to a disincentive to be transparent.” It’s what he labelled a “regulatory bear market”, borrowing an analogy from Wall Street.
Further complicating the data protection regulatory landscape are divergent regimes put forth locally. In the US, there are 50 states, all with their own data protection laws (or lack of). In Europe, a data protection directive exists, but puts rulemaking into the hands of local regulators; the GDPR is meant to replace this directive with a pan-European standard. “Businesses need to escape the silos, replacing them with good behaviors”, Room advised. “But a single global model for compliance is impossible.”
Issues around data protection regulation and compliance will be high on the educational agenda during this year’s Infosecurity Europe conference and exhibition, according to the show’s content manager, Victoria Windsor. This year’s Infosecurity Europe will take place from April 29 to May 1, in Earl’s Court, London.