Data privacy scandals could be ‘Snowden moment’ for business

As Brill notes, Snowden’s revelations sparked considerable debate about the need for greater regulatory reform and led to the implementation of the USA Freedom Act in 2015, which imposed new limits on the bulk collection of American citizens’ phone records by US intelligence agencies. She believes more reform could now be on the horizon: ‘As a result of the newest set of revelations, I believe there is a paradigm shift going on. The truth is it really is a conversation now about how you are treating your customers and their data and how you are treating end-users – that is your average consumer – with respect to data.’

In the UK the Information Commissioner’s Office (ICO) is currently carrying out an investigation into the use of personal data and analytics by 30 organisations, including social media companies like Facebook. Emma Bate, General Counsel for the ICO, who was also speaking on the panel, was more cautious in predicting the knock-on effect the scandals could have on business while the facts are still being ascertained. ‘I don’t think it’s clear yet what the outcomes are going to be for organisations like Facebook,’ she says. ‘Have people lost trust in Facebook or will everybody revert back to using Facebook? There’s been a move for people to stop using Facebook which has not been particularly encouraged by the ICO. The Commissioner herself has spoken publicly that she has Facebook and WhatsApp and she’ll continue to use them, but what’s going to be the long-term resolution to all this and where will Facebook end up, that’s still unknown.’

Even before the focus on Facebook and Cambridge Analytica the ICO was already carrying out a broader investigation into how political parties and campaigns, data analytics companies and social media platforms had been using people’s personal information to micro-target voters. Bate, who took up the role of General Counsel at the IOC in September 2017, says it is the most ‘wide-reaching investigation’ the Office has ever conducted. ‘It involves 30 organisations and it’s still growing as we discover more leaky apps out there,’ she says. Bate confirmed to Global Insight that the ICO hopes to publish an update on its investigation in the next few months.

Although many commentators think these scandals could result in further reform, Brill firmly believes the onset of the European Data Protection Regulation (GDPR), which takes effect on 25 May, has already marked a turning point for businesses and their need to comply with new privacy standards. ‘I think this moment could lead to regulatory reform even in the United States,’ says Brill. ‘It may not, but whether or not there is regulatory reform – and by that I mean law reform where regulators start enhancing their requirements – we already had a huge shift underway before the Facebook and Cambridge Analytica revelations and that is with respect to the General Data Protection Regulation.’

When Brill joined Microsoft in 2017 she was tasked with running the software giant’s global privacy and regulatory affairs programme, which included getting the legal team and Microsoft’s engineering groups to create a data supply chain that is accountable. ‘For the last two years at Microsoft we’ve had hundreds of engineers building the pipeline to ensure data can flow in an empowered way to our customers when they need to provide this data to their end-users and also to our end-users,’ she says. ‘Companies must empower their users and that’s something the General Data Protection Regulation has driven in a way that very few other laws have done. It’s putting the user or the customer in the driver seat in a way that hasn’t happened before.’

Martin Schirmbacher, a partner at Härting Rechtsanwälte and Co-Chair of the IBA Technology Law Committee, agrees one of the GDPR’s main advantages is that it allows users to take back control. ‘One of the major measures of the GDPR is the informed consent of the user,’ Schirmbacher told Global Insight. ‘When users voluntarily and freely choose to give away their private data when using apps on Facebook or elsewhere this is not primarily a Facebook issue. It is either a question of education or the wrong focus on consent as a means of justifying data processing.’

Johan Wisenborn, Head of Data Privacy Country Operations at Novartis, says new trends in technology and data continue to keep general counsel on their toes and this will be even more apparent once the GDPR comes into force: ‘Even three-four years ago, the data privacy function at pharmaceutical companies was very much focused on HR. We have seen unprecedented technological development; processing power is increasing, storage capabilities are increasing and we have new concepts such as Big Data, Artificial Intelligence, algorithms and new ways to handle data. All this leads to the conclusion that the handling of data is of such strategic importance to the pharmaceutical industry that we can no longer rely on the previous, heavily regulated environment, as it’s simply not catching up.’