We are seeing the introduction of new or updated “GDPR-inspired” data protection regulations across the Middle East and Africa. Although the European Union’s General Data Protection Regulation (GDPR) is driving an element of much needed global harmonisation, the GDPR also has the potential to restrict the vital free flow and aggregation of data in the region. This is something which is critical to many countries seeking to develop knowledge economies or establish international technology hubs. Depending on your perspective, countries are either aspiring to achieve a global highwater mark set by the GDPR, or they are responding to the extra-territorial requirements being imposed by the EU on the cross-border data transfers that underpin the international trade in goods and services. In this article I intend to share my thoughts on the importance of data protection enforcement in our region as countries seek to implement these new data protection regimes.
As a generalisation, we probably have less emphasis in the Middle East and Africa on establishing data protection laws because of a strong belief in championing the fundamental human right to privacy. The driving force is currently more often compliance driven and/or commercial in nature. If we accept that broad generalisation, then I think it is accurate to state that that the need to be in compliance with a local law and/or the contractual obligations of a data processing agreement, are likely to be the primary motivating factors – at least initially – for companies investing in the development of data protection programs in the region.
What can history teach us
I started my legal career in Intellectual Property Rights (IPR) protection. If you are familiar with this field, then you will be aware that the motivation behind IPR protection is to encourage and then reward innovation i.e. if you invent or create stuff you should benefit accordingly. You may also be familiar with terms such as the Berne Convention, WIPO and the Agreement on Trade-related Aspects of Intellectual Property Rights, or TRIPS, which requires WTO members to “make available effective, balanced and fair procedures that provide for necessary remedies while guarding against their misuse and the creation of obstacles to legitimate trade.” The point I want to make in this instance, is that practically everyone has signed them. To be slightly facetious, you will not find a list of signatory countries, but rather a list of the countries who have not signed up. A short list.
Further, a decade in the trenches of IPR protection has taught me that international agreements and local IP laws and good intentions mean very little beyond the initial buzz of MoUs and PR if anti-piracy and anti-counterfeiting is not prioritized by local law enforcement agencies, and then supported by a judicial process that delivers effective deterrence.
In the past, I would talk about the 3E’s. Education, Engineering and Enforcement. Each is a critical component of any successful IP protection program. Based on my own experience, I could argue that the private and public sectors did a reasonable job with the first two elements, but Enforcement remains very challenging, and the courts have generally failed to deliver any meaningful deterrence. Criminal or civil IP judgments are rare. Deterrent IP judgments, even those delivering minimum statutory requirements, even more so.
Which brings me to the seatbelt
Car manufacturers began to install seatbelts in the 1950’s. They were commonplace by the 1960’s and yet by the early 1980’s seatbelt use rates were still below 15%. It wasn’t until the mid-1980’s that laws were introduced in countries like the US and UK. Comprehensive national and state programs then drove usage to 90%+ by the 1990’s. It might not sound impressive today, but we forget that in those days you simply did not wear seatbelts. Having them in the rear of the vehicle was inconceivable to most of us. To change that cultural mindset, widespread Education (awareness) initiatives were implemented. Anyone of that vintage in the US or Europe will vividly recall growing up with them. It speaks to the impact that messaging can have if it is well crafted and then well executed. Slogans like “Click it or ticket” or “No Belt. No Brains” became commonplace, and many were accompanied with very graphic TV adverts to shock people into action. Watermelons and pizzas and windscreens.
This was supported with Engineering efforts. We saw more comfortable and functional seatbelts being developed, coupled with new cutting-edge innovation (it was!) like beeping to remind you to buckle up. And finally, we had very visible Enforcement campaigns. It is widely accepted that the most effective way to get drivers and passengers to buckle up was to issue them with fines. You literally had police officers regularly stopping cars and issuing small fines. The result? Today you have many US and European travelers refusing to get into a taxi in Turkey or the Middle East if it does not offer rear seatbelts. That was incomprehensible in the 1980’s and clearly demonstrates how governments changed the way their citizens thought about seatbelt usage. The 3E’s.
The lesson for data protection
The global seatbelt campaigns offer a few notable lessons which I think could apply to data protection today. The adoption of seatbelt usage in many countries illustrates what can be achieved when a government decides to carry out a well-funded, sustained, and holistic program. Without intending to sound judgmental, the cautionary lesson is perhaps that seatbelt usage rates and IPR protection are not yet what they should be in the Middle East and Africa. The lack of meaningful Enforcement is undeniably a major reason, particularly in a region where citizens typically tend to act only if there are consequences.
Many countries in our region will have the ambition of seeing the European Commission adopt a decision of adequacy to further facilitate data transfers and differentiate them from regional competitors. Whether the EC will recognise adequate levels of protection until those jurisdictions are seen to be actively enforcing their local data protection regulations remains a key question, even more so after the recent Schrems II case verdict. Which begs the question, how will regulators across the region approach Enforcement of their new or updated laws?
The role of enforcement
My experience with IP protection is that taking Enforcement action is never enjoyable. It is costly, time consuming and it impacts people. But it is necessary. The goal is generally to bring public cases (or cases that become public) against the few to create a level of deterrence and increased risk for the many. In the very recent H&M Hennes & Mauritz Online Shop A.B. & Co KG case where a fine of 35m Euros was issued for the unlawful monitoring of several hundred employees of the H&M Service Center in Nuremberg by its management, the Commissioner for Data Protection and Freedom of Information, noted “The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.” Enforcement should not only be about punishment. To the contrary. In my opinion, it should be about effective deterrence.
It is also very important to level the so-called playing field. This has always been true for IP. Why sell genuine goods if those selling counterfeit next door prosper without consequences? It is essential that companies who invest in data protection and improvements in their compliance postures benefit accordingly, otherwise there is less of an incentive to do so in the first place. A data protection program involves people resources and budget and leadership involvement. Every boardroom or small business owner will consider the return on investment (RoI) for compliance. The likely question will be: What is the consequence if I don’t do this? Regulators must play their part to helping to make that RoI calculation easier with visible data protection enforcement.
As is always the case with IP, there will be different perspectives when it comes to data protection enforcement. We may not have debates about overpriced luxury brands, but we still have large multinationals collecting incredible volumes of data and concerns with the monopolies that currently exist. Technologies like cloud, IoT and AI mean that smaller companies are now also capable of collecting and reasoning over vast quantities of personal data. And we have nation states too, all seeking to regulate the transfer of personal data as it becomes an increasingly valuable national asset. Add to that the ongoing global debates about where to draw the line on appropriate government agency surveillance for national security, and now national health.
As with any new technology throughout history, the advent of digital transformation (big data, hyperscale cloud, AI, 5G) has the potential to do enormous good, but also to cause harm and increased inequality. Our hope at White Label Consultancy is that privacy, and an effective data protection regime that enables the secure transfer of personal data across borders, will be viewed as a force for good, helping to facilitate and safeguard the international trade in services and goods, and helping to enhance the privacy of local citizens in our increasingly digital world.