The Valetta Effect: GDPR enforcement for Gikii Vienna 14 Sept
1. The Valetta Effect
(formerly Portarlington Effect, but they told us on t’Twitter they’re really serious about enforcement now)
Gikii Vienna 14 September 2018
Chris & Michael
3. Portarlington? Irish DPC since 2006
Now shared with Dublin
Max Schrems’ video
Tractors/DPC/corner shop
Unprepossessing
28 pubs & no cinema
Pebbledash
Zuckerberg’s choice of DPA
8. Not another Brexit presentation…
Though will apply after 29 March
UK a 3rd party like China
Our golden neo-imperial future
They don’t hold a grudge?
9. Regulatory Arbitrage: “Race to the Bottom”
Academic literature on subject from 1970s to 1990s: public choice theory
In a world of 220 nation states with 220 sets of rules
50 US states too – e.g. Nevada/Delaware for tax evaders
Multinationals get states to ‘compete’ for business with lighter rules
Or less enforcement of existing rules, accompanied by ‘self-regulation’
11. Though pushback by New Institutional Economics:
“It is no accident that economic models of the polity developed in the public choice literature make the state into something like the mafia”
North, Douglass C. (1990) Institutions, Institutional Change and Economic Performance, Cambridge University Press at 140
12. Continued interest by regulatory scholars
John Ruggie (2017) Multinationals as global institution: Power, authority and relative autonomy, 12 Regulation and Governance 3 Pages: 317-333
https://onlinelibrary.wiley.com/toc/17485991/2018/12/3 (open access!)
Charles Sabel, Gary Herrigel, Peer Hull Kristensen (2017) Regulation under uncertainty: The coevolution of industry and regulation, 12 Regulation and Governance 3 Pages: 371-394
This is where much of net neutrality regulatory theory comes from
You know, that information law area Gikii used to feature when it was sexy….
But now that we’re all GDPR
Time to look at DPAs not telco regulators!
15. Malta: a case study
GDP 146th/200 in world
475,000 people
15th in income per capita in EU
Like Iceland in population size/wealth but sandwiched between Italy and Tunisia
Originally benefitted from British traditional exports: Piracy and kidnapping
Heroic resistance to Luftwaffe in WW2 – George Cross
Now a major off/onshore financial centre
Cross-over of financial homes and DP homes (e.g. famous Irish and Dutch tax efficiencies).
17. Is there equivalency inside the black box of national info surveillance and sousveillance?
Or are our private lives all Schrödinger’s cats, poking each other invisibly and intangibly?
Frankly, is anyone going to enforce GDPR?
21. Proactive investigation of infringements is a pipe-dream in most jurisdictions.
Some higher capacity actors (e.g. NL) trying random sectoral spot-checks.
Some countries have Art 80(2) ‘class action lite’
Most agencies will be chasing data breaches, data rights problems or media cataclysms.
Some sectors and actors more immune to these pathways.
Many case-workers simply do not understand the law (e.g. ICO); likely to be challenging everywhere.
All DPAs can take complaints, will often pass them to a ‘lead supervisory authority’, which may be of low capacity
Identification
23. Investigation
Exact powers of DPAs subject largely to MS law
Joint Operations
DPAs have “right” to be involved, yet have to be formally invited. Seconding staff is at the discretion of the host DPA, and they must always work “under the guidance and in the presence” of the host DPA.
Mutual Assistance
DPAs shall “put in place measures” to accept requests to carry out investigations… but with what skill, particularly where data is encrypted and difficult to understand?
Investigating together
25. Regulatory cooperation under the EDPB is more ‘binding’ than similar instruments.
Ultimately, through the consistency mechanism, binding rather than advisory decisions can be made by vote by the EDPB. How this interacts with member state law (e.g. claiming that mutual assistance may not be sufficient) may well be a future CJEU area.
Likely only the case for the very largest players as it stands: providing the largest players don’t relocate to Valetta.
Deciding together
26. Amidst underfunded and undersized regulators for the task at hand, EDPB needs to develop significant expertise and investigative power for dealing with arcane and technologically complex complaints (geek law….)
Few experts will complain about occasional work stints on Mediterranean islands.
Who are these investigators that knock down doors to find data harms?
What skills do they have, particularly when most large-scale processing is and will be done in the cloud?
Likely need for cooperation with large cloud ‘processors’: but what provision for that?
Doom and gloom? Send for the geek lawyers!
30. Panama Papers and EU27
Pilatus Bank: short client list includes Keith Schembri, the chief-of-staff of Malta's prime minister, and members of the ruling Azerbaijani regime.
Political operatives, Keith Schembri and Konrad Mizzi, Iranian-owned Pilatus Bank, accountancy firm called Nexia BT, exposed by the Panama Papers and reports from Malta's anti-money laundering agency (the FIAU) as involved in money laundering.
Governing party suppressed the work of investigators to prevent Maltese law from being enforced
Assassination of investigative journalist Daphne Caruana Galizia
32. Daphne Project
Schembri and Mizzi were planning to receive €150,000 per month into their once-secret Panamanian companies from a Dubai company called 17 Black.
Mizzi and Schembri behind Malta's new gas-fired power station gas-supply agreement with Azerbaijan: Malta pays €40m above market rates for gas.
This archipelago is a full EU member
Exposed by David Casa MEP https://euobserver.com/opinion/142642
33. What has this to do with data protection?
Horrendous breach at Mossack Fonseca 2016
Led to final closure of law firm in Panama in 2018
https://www.theguardian.com/world/2018/mar/14/mossack-fonseca-shut-down-panama-papers