EU data protection proposals: comment from Ernst & Young
Sanjay Bhandari, a partner in Ernst & Young’s Forensic Technology and Discovery Services Team, assists companies in complex cross-border disputes involving fraud, bribery, corruption or competition investigations and data privacy-compliant strategies for handling electronic evidence across borders.
Bhandari firmly believes that more needs to be done to understand the challenges posed by differing interpretations of European data privacy law.
Commenting on the EU’s most recent data protection proposals, Bhandari told Info4Security: “It’s a good thing to rationalise data protection law. The current problem with the Directive is just that: it’s a Directive, so it’s up to Member States to implement and it means we have as many laws as there are member states of the EU. This creates problems when it comes to two lawyers in the same jurisdiction agreeing on the interpretation of that local law.”
He added: “Having a regulation will add certainty. Effectively adopting a German mindset (as the most stringent country in the EU) is always going to be difficult for English practitioners to get used to, but everyone will adapt.”
Better technological solutions are possible when law is harmonised
Bhandari continued: “One benefit of having a truly harmonised law is that it affords a chance to create technological solutions to the compliance problem – this is practically impossible when you have 30 or more different and often conflicting laws. Even if the law is more stringent, the fact that it’s more predictable gives the technology a chance.”
He added: “Nobody seems to have considered the impact of this on companies who need to comply. Many businesses have very diverse infrastructures, particularly those that have grown by acquisition. How are they meant to give effect to an individual’s right to be forgotten under the proposed regime? Do the lawmakers understand the potential cost of that?”
The Ernst & Young professional went on to state: “Moreover, there’s an inter-generational conflict here. This is legislation made by Baby Boomers based on their fears. By the time any such laws are implemented [in two-to-four years’ time], around 50% of the workforce will be Net Natives – Gen Y or Gen Z. They simply do not care so much about privacy. They are naturally collaborative and open in their communications. Clearly, their views may change as they mature and they may care more about privacy as they start looking for jobs and worry that prospective employers are going to look at their photos on social media sites to assess their characters. However, the genie is already out of the bottle. One has to wonder whether a lot of time has been spent on considering how to change the privacy laws without thinking about two fundamentals: why do we need to do it, and for whose benefit are they being changed?”
Privacy and data protection: dependent on context
Emma Butler of Ernst & Young’s Information Security Team added: “One of the main aims of the current EU proposals to update data protection is to harmonise national laws and avoid different interpretations by the Member States. That leads to the Regulation being more prescriptive than it maybe should be. Privacy and data protection are so context dependent that it makes it difficult to prescribe all the circumstances in which something is or isn’t allowed.”
Butler continued: “Think of the case of sensitive data, for example. Most people in the UK consider financial information to be sensitive, but it’s not on the list of sensitive data categories. However, in Finland they release everyone’s tax details annually. The EU Regulation will only be able to harmonise national laws to a certain extent. There always has to be room to accommodate the differing legal traditions, social norms and cultural values of the 27 EU Member States.”
Article 27 of the EU General Data Protection Regulation (GDPR) requires organizations that are not established in the European Union (EU) to designate a representative in the EU if they are subject to the GDPR. Certain non-EU EY Network entities may undertake processing activities to which the GDPR applies.