Dear Commissioner Reding,
Iâ€™m writing to you as an EU Citizen who is passionate about data, is use, its quality, and its protection. Iâ€™m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.
I am writing to you about the new Data Protection Regulation. In particular Iâ€™m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I donâ€™t think theyâ€™ll have the effect that you think they will have. Iâ€™m basing my opinion on a number of bases:
- I have worked in Regulatory Operations in a Regulated industry that you are familar with, telecommunications.
- Iâ€™m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward.Understanding this â€œtheory of psychologyâ€ is important in the world of Information Quality.
- I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
- Iâ€™m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations Iâ€™ve worked with.
Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. Itâ€™s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.
Firstly, no-one will believe that they and their organisation will be penalised to that level for a breach. The track record simply isnâ€™t there for one. It is outside the normal sphere of experience. In my experience, when faced with the notional prospect of a monstrous penalty, executives start discounting down on the basis of what is likely to happen. Now, as someone with a light dusting of legal training, I know that that is just gambling. But senior executives gamble all the time. Small business owners gamble all the time. Itâ€™s called entrepreneurship though in that context, so thatâ€™s OK.
Also, humans are hardwired it seems to be really bad at assessing risks that fall outside their actual experience. So, that â‚¬2million/5% of global turnover amounts to a mountain on the horizon to most executives. Yes itâ€™s big and impressive, but it seems so far away that it can be discounted. And hence the â€œSo, what are we realistically going to have to pay outâ€ conversation starts and it then becomes an NPV calculation for the bean counters to determine if there is enough revenue being generated from the breach of the rules to justify breaking the rules.
Hence telcos overcharge because the penalties levied have, by and large, been a lot less than the revenue uplift generated so the breaches became a cost of doing business and there was no incentive to improve processes and quality (which would have reduced costs to the telcos, arguably allowing them to increase profitability on a lower revenue base.. but I digress).
Similar behaviours can be seen in Financial Services, Oil and Gas exploration – any industry where the revenue uplift of flouting regulation is greater than the likely financial penalty for breaches.
Add to this the fact that in most organisations the focus is short term, booking revenue today is a bigger driver than worrying about an as yet not crystallised penalty at some date in the future. People focus on the thing that is in front of them annoying them.
Which brings me to my toddler.
As someone who strives to be a good parent I know that I have to instil values and principles in my child so she will grow up to be able to make smart choices of her own. She acts up and answers back and does things I donâ€™t approve of on a regular basis. Sheâ€™s a toddler. Thatâ€™s her job. As her parent Iâ€™ve realised that Iâ€™m more effective when I am providing regular minor â€˜course correctionsâ€™ to her, gently shaping her behaviour as opposed to massive acts of discipline. And, if you can recall your childhood, being deprived of a beloved toy or being kept in when your friends play on the street outside is the toddler equivalent of a â‚¬2million fine.
My approach: smaller penalties, careful lectures, engaging on a more direct basis to develop values, reward good behaviours and discourage less desirable antics. This works more effectively I find than the approaches of other parents I might see in the supermarket engaging in â€œmassive acts of disciplineâ€, issuing warnings and threatened penalties, while all along their child mentally discounts the warnings and asks â€œSo, what are you really going to do?â€.
(Many of those children I fear will go on to become successful company managers).
My approach to parenting is mirrors in part by the approach that many European governments have taken to promoting improved driver safety and improved compliance with Road Traffic laws. These schemes impose a structured sliding scale of sanctions for different categories of offence. They often go hand-in-hand with the â€˜nuclear optionâ€™ penalties of substantial fines and loss of driving licenses etc. My approach also mirrors the â€˜Zero Defects Policingâ€™ that famously made New York a safer place. And penalty points systems for road safety do allow an increased discretion for law enforcement between a stern talking to and on-the-spot fines or harsher penalties.
They also allow for lesser offences to be cumulative towards a larger penalty. This means that there is suddenly a constant pressure on the motorist to change behaviour. I link here to the Penalty Points scheme that operates in France. And here is the system from Ireland. And (so they donâ€™t feel left out) the one from the UK. All of these systems operate on the basis that drivers who commit even small offences can have penalty points levied against them which add up and which stay levied against them (often with a financial penalty as well) for a period of time after each offence. This encourages longer term thinking. Because if you are on 9 points on your license in Ireland you will think twice about using your mobile phone while driving and having your license to drive revoked for a number of years.
With my daughter, there are some offences she commits as a toddler that will stay on her record until she is a teenager.
So, what has this got to do with Data Protection and proposed penalties that suck?
Penalty points schemes in motoring allow for a low impact, high frequency penalty for repeat offenders. The days of drivers taking chances with drink driving are now, gladly, fading in the rear view mirrors of most EU member states because there is a mechanism for wider enforcement of a range of offences in a quick, easy to understand way. Drivers take more care for fear not of a massive penalty but for fear of building up an accumulation of offences that will trigger a massive penalty over time.
By extending the application of the penalty over a longer period, it encourages more long term cultural change in driver behaviour to a more compliant set of habits and behaviours. And they are relatively easy to understand and communicate. If I drive while talking on my mobile phone in Ireland I know that I will get 2 points on my license and a â‚¬60 fine. I know I can challenge that in court but if I lose, Iâ€™ll have double the points and a â‚¬120 fine and I will be on my way to being disqualified from driving.
So I donâ€™t use my mobile phone when driving.
In a Data Protection context a similar scheme could be implemented setting out minimum applicable penalties for a range of Data Protection offences such as failing to have a Privacy Statement/Fair processing notice on a website or failing to take appropriate measures to obtain verifiable consent for direct marketing, or failure to properly outline the fact and purposes of recording CCTV images. The list could be quite long.
This standard bill of offences and penalties could be standardised across Europe and could be at a low enough level that organisations would not be put off by the fines, but equally would be cumulative in nature so that a â‚¬480 fine for failing to apply a request to opt-out of direct marketing could quickly add up to a catalogue of offences that result in a â‚¬2million fine without any discretion on the part of the Data Protection Authority.
This scheme would give decision makers and Data Protection Officers in organisations a familiar framework to operate in when engaging in mental discounting and would put a floor on the penalty for breaches, just as the Regulation has raised the ceiling. This would change the dynamics of the economic discounting that we all do when faced with the risk of a penalty.
If the list of organisations against whom penalty points was levied in a given year was published (as part of the Annual Reports of Data Protection Authorities) it would also help organisations assess risks involved in choosing suppliers or partners. If an organisation is working through a large number of penalty points then perhaps the management culture isnâ€™t mature enough to do business with, for example. Just like â€˜boy racerâ€™ drivers often rack up penalty points (and insurance costs) through immature driving habits.
While it would not bring the mountain any closer to the Data Controllers, it may bring them closer to the mountain.
This suggestion has featured in a number of reviews of the Regulation I have been involved in in Ireland and I wrote about it first as a thought experiment back in 2010. I hope you consider this as a transparent and flexible mechanism for the operation of administrative sanctions by Data Protection Authorities in the EU as part of the development of EU standards as a benchmark approach.
Combined with the enhanced penalties at the upper end of the scale (which repeat penalty point offenders would eventually reach), I believe this would be a fair, transparent, relatively easily administered system that would be easy for even the most ardent mental discounter to get their head around.
Daragh O Brien