As information flows ever more easily between jurisdictions, how can effective regulatory protections be put in place for the stakeholders?
This question applies equally to the protection of intellectual property (IP) as it does to the protection of personal information (PI) or any other valuable information assets held by an organisation. It also applies equally to organisations in the private sector, be they banks or online retailers, as it does to government agencies, be they policing agencies or any other service (Customs, Immigration, national security etc), or even to hybrid processes such as the exchange of Passenger Name Records between airlines and authorities or the fulfilment of anti-money-laundering obligations.
In the debate about the protection of personal information when it moves between jurisdictions, two camps have emerged – those who think that information should only move between jurisdictions that have "Adequate" laws in place (ie focused on the legal constructs) and those who think that a more direct approach should be taken towards the organisations involved in the movement, based on ensuring the "Accountability" of the parties. The debate has often generated more heat than light. It has been documented in great detail by the Australian Law Reform Commission in For Your Information: Australian Privacy Law and Practice (ALRC 108) at Chapter 31.
The strongest proponent of the adequacy approach, the European Union, has not developed a standardised and accepted way of assessing it. The EU has tended to determine adequacy through bilateral discussions with third-party countries and to focus on the letter of the law, as they interpret it from a civil law perspective, to the exclusion of any other consideration such as the actual efficacy of the enforcement framework. This approach is reflected in the somewhat eclectic list of jurisdictions and programs which have achieved adequacy, including: Canada, Switzerland, Argentina, Guernsey and the Isle of Man, Jersey, the US Department of Commerce Safe Harbor Privacy Principles and the 'transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection'.
The adequacy approach is also hard for the consumer and the regulator to work with. It gives them no coordinated way of making and handling a complaint should a breach occur in another country; instead, it presents the consumer with a number of accountability bodies to which they might complain. In effect, it leaves the consumer to do enough preliminary investigation, before they can make a formal complaint, to find the relevant accountability body in whichever jurisdiction the alleged breach might have occurred. The regulator then takes over the investigation from there, often facing the same challenge.
The argument is also put forward that the "Accountability" approach doesn't work - it doesn't actually hold the organisations who move the personal information truly to account. Ad hominem examples are cited to imply that the approach can never work to provide protection.
But perhaps it is time to look over the fence into other arenas & see where the Accountability approach is successfully applied.
One is the recent enforcement action by the Australian Communications and Media Authority (ACMA). It has just fined an Australian-based ISP, Dodo, for persistent telephone marketing to individuals who had subscribed to the Australian Do Not Call register. The relevant point made by the Chairman of the Authority was:
"If you are in business and hire offshore call centres to make telemarketing calls, you need to be extremely diligent in overseeing what they do," said Mr Chapman. "You can't hide behind offshore call centres, because ultimately the calls they make are your responsibility."
As ACMA also points out, if a business decides to use offshore call centres to make calls, it will be responsible for the calls that those call centres make.
Another is the Australian Prudential Regulation Authority (APRA), which states in its prudential standard on outsourcing:
"Although outsourcing may result in day-to-day managerial responsibility for a business activity moving to the service provider, the ADI [Approved Deposit Institution] remains responsible for complying with all prudential requirements that relate to the outsourced business activity."
The standard goes so far as to require that such an ADI ensures that APRA's reach is extended to the outsourced service provider, wherever in the world it is located.
Like any approach based on "adequacy", the effectiveness of an "accountability" based regime depends critically on the legal powers and financial resources available to the accountability agents involved, including the regulator. Unlike the adequacy approach, however, the problem of chasing down where in a chain of data movement a breach happened is not left to the regulator or the affected individual; it is assigned to the original collector of the personal information. As such, it has a better chance of becoming an enforceable approach, and it places a stronger incentive on the transferor to ensure that appropriate information handling practices are in place and safe from the outset.
1. The accountability approach is tried & tested in other regulatory frameworks. It certainly is not a trojan horse for avoiding responsibilities as it is sometimes portrayed.
2. The enforcement regime matters as much as the rules being enforced. And neither can be established on a 'set and forget' basis - that allows the rules to be gamed, as we see so often.
3. There is very little genuinely new in this world - look over the fence more often & seek analogies & insights to problems that otherwise appear intractable.
Food for thought.