By Christopher Graham, Information Commissioner
Whether it’s buying a DVD from Amazon, a t-shirt from eBay or a song from iTunes – and then telling our friends about our new purchase on Twitter or Facebook – we are increasingly customers of multinational businesses.
This has many advantages for consumers, of course. But for data protection authorities it does bring the concern that any data breach will bring with it wide-ranging complications. It’s not easy to think global if you can only act local.
That’s exactly what we saw with the Sony case last year. One data breach, one company’s customers, but several different data protection authorities, each applying different domestic laws.
The people affected don’t care about the nuances of different international data protection rules. They rightly expect to see effective enforcement. And that means effective coordination and cooperation between the relevant authorities.
That is why the progress we saw at an international conference of privacy commissioners last week is so important. A key agreement was reached to improve international enforcement cooperation when regulators investigate data breaches.
It means there is now a framework for how regulators can work better together following an international data breach. This should make investigations more effective and efficient.
That’s important because it means that instead of each data protection authority insisting that their way and only their way is essential for cooperating with others, we’ve secured a common set of rules to work together.
It should mean a route for cooperation that avoids the frustrations and delays of endless legal manoeuvrings around Memorandums of Understanding before anything useful can be achieved. It’s not compulsory, and any data protection authority that isn’t convinced doesn’t have to play. But, for those who want and need to cooperate, what was agreed last week (after years of patient work led by the ICO and Canada) should make it very much easier to cut to the chase.
This global response to a global threat is progress, and the same is true of another project we moved forward at last week’s conference: providing greater data protection support for Commonwealth countries with growing IT sectors.
There are clear benefits to this. Emerging economies not only benefit from the data protection expertise that the bigger Commonwealth countries like Canada, Australia, New Zealand and the UK can offer, but those bigger countries benefit too. How much personal data of UK citizens is being held by call centres in India, for instance? It’s good for UK consumers, then, that there should be greater understanding of data protection principles in India (something we’ve been working on with EU colleagues for some time).
There are political benefits too. Spending time with data protection authorities from around the world helps us to make the case for a proportionate, risk-based approach to data protection regulation. That will help us in the ongoing debates within Europe about the final shape of the EU data protection reform.
It all adds up to better protection for UK citizens and consumers. We already know the threats aren’t confined to the UK. It’s important we remember the solutions aren’t either.
Christopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.
Last updated 21/10/2014 12:00