Plenty To Chew On
This article originally appeared in Outsource Magazine Issue #28 Summer 2012
At the end of May, Outsource partnered with law firm Stephenson Harwood to produce an exclusive dinner and roundtable debate on the topic ‘Outsourcing and the Inexorable Rise of Extraterritorial Regulation’. Some of the finest legal minds in outsourcing gathered to discuss one of the hottest and most complex topics in the space. Here, we share some of the thoughts and insights to emerge from a wide-ranging, forthright and frequently provocative debate…
With the recent announcement by the European Commission of a new draft Regulation on data protection, the issue of extraterritorial regulation and compliance – never too far from the minds (not to mention the nightmares) of many outsourcing professionals – has once again been shoved to the fore. The Regulation – which, it should be pointed out, still has around two years to go before it even becomes law, and then a further two years before its various components come into effect – aims to unite what Stephenson Harwood’s John Buyers describes as “a patchwork of various national data protection laws” into “a single set of European rules for data protection valid everywhere across the European Union; one rule for twenty-seven member states and for 500 million people” – the words of Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner who oversaw the creation of the draft Regulation (and who claims the reforms will save businesses some €2.3bn annually).
The proposed Regulation formed the backdrop against, and a point of origin for, a remarkably wide-ranging (and at times controversial) roundtable debate held by Outsource and Stephenson Harwood at the latter’s London HQ at the end of May. Some 16 general counsels, heads of legal and other similarly senior representatives of various corners of the outsourcing space gathered for a dinner and debate entitled ‘Outsourcing and the Inexorable Rise of Extraterritorial Regulation’; as well as the new EU proposals, the host – the aforementioned John Buyers – invited guests to consider factors such as US copyright enforcement measures “and the increasingly aggressive way in which US authorities are prosecuting under the Digital Millennium Copyright Act”; and “the tendency towards increased regulation in the cybersecurity space [and] the inevitable rush by national authorities to implement cybersecurity measures in the wake of terrorist attacks”.
Before dinner was served, and by way of setting the scene, Marie-Madeleine Kanellopolou of the European Commission presented some details of the new draft Regulation and explored some of the drivers behind it, pointing out that the current EU data protection legislation dates back to 1995, since when both technology and the global socio-economic picture have evolved significantly. She explained that during the consultation procedure which preceded the formulation of the draft proposals some 72 per cent of Europeans questioned said that they were concerned that their personal data may be misused; and at the same time, companies operating within the EU have to take into account 27 different – sometimes very different – national legislative frameworks around DP. This legal fragmentation, she said, was of great concern: “For the Commission, this is not only an extra cost for business, it’s also a missed opportunity: it holds back economic growth and innovation.”
With dinner served and the debating juices beginning to flow, it became clear relatively quickly that many present felt a degree of unease over whether this new raft of regulations – indeed, extraterritorial regulation generally – would in fact go much beyond being “an extra cost of business” themselves. The extra administrative burden placed upon organisations (in particular the requirement for all organisations employing more than 250 staff to have a full-time data protection officer) was described by one attendee as being “potentially the straw that breaks the camel’s back for some companies” struggling across a particularly desolate economic landscape.
This concern – echoed by many of those present – led to a number of different attendant points being raised. Firstly, one guest opined that if data protection legislation is in fact necessary, the onus should be on the legislative body to make its legislation as easy and as affordable as possible to implement – and that part of that process should be to ensure that only appropriate data comes under the legislation’s terms of reference. He asked rhetorically: “Why should the data you are happy to give away on your business card be considered absolutely sacrosanct in other formats?” If the cost burden being placed on organisations isn’t in fact warranted when it comes to much of the kind of data being protected, another guest asked, shouldn’t it be the person whose data is being protected who pays for its protection (directly rather than indirectly in the form of higher fees and charges)?
The point was then made that in the case of organisations using and transferring data to and from third parties – especially those offshore outside the EU – the cost burden is still greater as the responsibility for ensuring the integrity of that data ultimately rests with the former rather than the latter, so the former must not only protect its data but must also stand as guarantor for the best behaviour of its supplier: “The obligation is on the data controller to secure your data. Ultimately a bank, for example, is on the hook to ensure that their provider is looking after customer data,” stated one guest.
One of the guests present, a representative of a provider company, pointed out that this means a hideous burden in the form of audits of great regularity – made even more hideous by the fact that his company has clients from multiple geographies, thus requiring compliance with US regulations too; all these costs had to be passed back to his customers and thence to the end users, often consumers. There was a danger of throwing the baby out with the bathwater in the sense that many of the cost savings which can be made by outsourcing, and offshoring especially, could be nullified in part by the resources needing to be devoted to compliance.
It was mentioned that the proposed Regulation aimed specifically at reducing some of the administrative burden being so despised by simplifying the excessively complex status quo, within the EU at least – at which point the conversation took a more fiery tone as one of the guests brought into question the entire European project: “Sovereign states will implement things they want to implement, when it comes to European edicts.” A flurry of points was raised regarding the gap between intention and implementation, the danger in assuming all nation-states are keen to “play fair”, and whether the competitive advantage to be found in operating in less judicially stringent geographies would be outweighed, in accordance with the laws of the market, by customers’ unwillingness to entrust such organisations with their data.
Two especially salient points arose here. The first was that the greatest value of the new Regulation – and indeed of data protection regulations full-stop – could be that it would act as a normative guideline for the invisible hand of the market: in other words, without such legislation in place customers would have no guidance on how to discriminate, in that area at least, between good and bad organisations. “Had there been no legislative protection in the first place, how would we understand reputational damage? Because there would be no norm against which we could say ‘that’s acceptable’ or ‘that’s unacceptable’…”
The second was that the overwhelming complexity of different legislative frameworks, when combined with the geographical promiscuity of much data – especially when transfers between different organisations are involved, and with one eye on the advent of cloud computing provision and the mind-boggling ramifications of virtualised data storage – means that in many cases companies simply exist in a de facto state of non-compliance. As two of the guests mused:
“You absolutely have no clue where to start and where to end; you don’t know whether when your subsidiary is in India it’s compliant or not, because you don’t know whether you’re complying with the UK regulations, the EU regulations, the US regulations – which regulations are you complying with?”
“The only thing you know for certain is that you’re not compliant!”
And there were plenty of murmurs of agreement… One guest quoted an Indian proverb – “For a thief there are 99 days of bliss and one day of reckoning” – and said that even though many organisations are trying very hard not to be “thieves” and spending vast sums in the process, a day of reckoning in the form of the full weight of the various regulatory frameworks is eternally just around the corner because of the sheer volume of data involved and the number of different points of potential failure (especially in a multi-geography, multi-sourced environment).
India was brought up by one guest as an example of a geography which has perhaps had a less than rigorous approach to data protection in the past, which initiated another fiery chat about the various merits or otherwise of the major offshore sourcing destinations: one attendee opined that “China is the most challenging state when it comes to data protection – along with copyright and patent infringement”, while another pointed out that with the rise of KPO and the emergence of big data the costs for offshore providers of sticking to the numerous different legislative frameworks were snowballing – “data analytics houses in India and China are facing huge costs in compliance.”
John Buyers pointed out that a less-cynical perspective towards offshore destinations, the EU proposals and data protection legislation generally could be to say that regulations in one place have been seen to have beneficial legislative ramifications in others: “What you find is that the Indian regime is moving towards the EU regime… Parallel measures are actually being enacted by Indian states. And this is happening in other outsourcing jurisdictions as well: Australia has enacted a Data Protection law which is very similar to the EU regulations; Canada has done the same.”
Another guest believed that, similarly, the adoption of data best practices by one organisation encouraged their rapid adoption by others – both because of the market requirement to stay above the normative benchmark mentioned earlier, and also because service providers and software vendors create products in accordance with organisational needs, and so cutting-edge versions of various products would tend to conform to the latest legislation globally. The idea was then mooted that, far from being merely a painful burden, regulation could be a force for driving innovation – indeed, could be a society-critical economic engine in its own right. The existence of regulation, and the requirement for compliance, creates a commercial ecosystem which simply wouldn’t exist otherwise and this in turn generates both economic activity and philosophical innovation of the sort which has contributed a great deal to the ongoing evolution of the outsourcing model, for example.
Towards the end of the evening a debate arose over the question of whether or not there was a need for a global association to be formed which would create a body of knowledge that could be used as a reference by companies involved in data transfer, on two levels: a global level, outlining generally accepted global requirements and obligations; and a local level, detailing the specific legislative requirements of each country of activity. One of the guests pointed out that the various legislative bodies were often less than adept at ensuring that those organisations which would be affected by their legislation were fully informed about it, and that an association able to provide such a “global companion” and “local companions” to data protection and extraterritorial regulation would be in an excellent position to assist organisations struggling with the compliance burden. If nothing else, it could act as a repository of information on breaches of the legislation in question, to provide organisations with lessons hard learned.
Of course, the above is nothing more than an abridgement of the discussion over dinner. A multitude of other points were raised during what was both a fascinating and an extremely entertaining evening, and guests left with both minds and bellies suitably replete. The fact that such wide-ranging conversation emerged from the topic is indicative firstly, of course, of the calibre of the minds assembled – but secondly, of the complexity of the topics under discussion. It may well be that there is scope for an association of the kind posited towards the end of the meal; at the very least, there is certainly enough confusion and ongoing concern – about both the scale of the challenges posed by data and the methods currently being deployed to overcome them – to warrant much more discussion and engagement from all corners of the outsourcing space and beyond.