US legal eagle: Well done, you bought privacy compliance tools. Doesn't mean you comply with anything
From California state regs to Europe's GDPR: It's all just a 'veneer of protection'
Much-lauded privacy laws risk being undermined as compliance is outsourced to tech vendors and "toothless trainings, audits and paper trails" are confused for genuine protections, a New York Law School professor has said.
In a paper in the Washington Law Review, published online last week, Ari Ezra Waldman argued that recently strengthened privacy laws actually offer "false promises" for consumers.
He said that laws like the European Union's GDPR or California's state privacy rules are failing to deliver on their promised protections partly because of the "booming market" in tech vendors hawking privacy compliance tools.
"The responsibility for fulfilling legal obligations is being outsourced to engineers at third-party technology vendors who see privacy law through a corporate, rather than substantive, lens," he wrote.
"Toothless trainings, audits, and paper trails, among other symbols, are being confused for actual adherence to privacy law, which has the effect of undermining the promise of greater privacy protection for consumers."
The problem is heightened because, as they fear increasing fines under the new laws, organisations – particularly those without the cash to build tools in-house or hire in experts – are more likely to look for a quick fix.
However, Waldman warned that this could have knock-on effects, not only because organisations buying wonky kit risk non-compliance, but also for the long-term outlook of both the vendors and consumers.
"Not all innovation is good innovation," Waldman said. "Companies that develop shoddy products may lose out in the market in the long term, but in the short and medium term, they risk putting millions of persons' data at risk."
'Symbols of compliance standing in for real protections'
The paper aimed to emphasise the importance of privacy laws by pointing to Facebook's "cavalier" approach to data protection, mobile app platforms that "routinely sweep in user data" because they can, and even academics' interest in hoovering up personal info as part of studies.
As the implications of such mass data hoarding, harvesting and hawking have come to light, a set of comprehensive international privacy laws have been drawn up – but Waldman said that, in reality, the law's "veneer of protection is hiding the fact that it is built on a house of cards".
He pins much of this on the burgeoning "privacy outsourcing market" and the idea that third-party tech vendors "instantiate their own vision of the law into their services" to fling at organisations desperate to avoid whopping fines.
The argument is based on a socio-legal principle of "legal endogeneity", first mooted by academic Lauren Edelman. This is when the law is shaped by ideas emerging from the space it seeks to regulate, rather than constraining or guiding those organisations' behaviour.
It occurs when "ambiguously worded legal requirements" allow compliance professionals on the ground to define what the law means in practice – and in the case of privacy laws, much of this comes down to tech vendors and compliance professionals.
Some of the law's most important premises – like privacy by design or consent – "are so unclear that professionals on the ground have wide latitude to frame the law's requirements, kicking endogeneity into high gear".
Tech can't save you – but everyone wants it to
Mixed in with this is the fact that both private and public bodies have (misplaced) faith in technology to solve their problems; meanwhile the threats of financial penalties make organisations "uniquely susceptible to promises that vendors can make their troubles disappear".
This opens the door to vendors selling compliance, and Waldman said that there are 200-plus firms that "instantiate their own interpretations of privacy law into the designs of automated tools, often marketing themselves as one-stop compliance shops".
The author – hoping to see off any "not all vendors!" comebacks – emphasised that he isn't saying every firm is part of the problem, nor that they alone are responsible for undermining the promise of privacy law.
Instead, Waldman said that the impact of privacy tech vendors on the legal frameworks is "both significant and under-explored" – and aimed to probe this by assessing the claims made by 165 companies listed in a 2018 report (PDF) from the International Association of Privacy Professionals.
He found that almost three-quarters had at some point positioned their products and services as achieving GDPR compliance – when most are designed to meet just two or three of the GDPR's requirements, "if that".
'Privacy law can't be broken down into code-able pieces'
A further issue described in the paper is that, by promoting these tools for compliance, vendors are attempting to reduce the law into "code-able pieces" when the law is about more than just paper trails and data maps.
"Such under-inclusive compliance technologies may then have the effect of increasing corporate exposure to administrative fines if in-house constituencies confuse purchasing a compliance technology that does a few things with actually solving a problem," Waldman wrote.
He also posits the idea that this could lead to an imbalance between firms that have to outsource because they lack the money or time to recruit legal experts or build their own tools in-house, and those that can afford to do this.
Meanwhile, consumers are being disempowered because they are increasingly faced with tech-driven conversations about compliance based on black box algorithms. This also risks "erasing" traditional safeguards that see the law interpreted in the open and on the public record.
Waldman proposed lawmakers edge away from "transactional visions of privacy law that are susceptible to symbolic structures", as well as calling on the US Federal Trade Commission to be "more active vendor regulators" with better audits.
For vendors, he called for "more modest approaches" that include hiring lawyers and professionals and establishing a closer relationship with regulators, possibly including certification.
Possible products and services include summaries and comparisons of legislation, training courses and tools that scan the data a company has to seek out personal information.
He also called for further research that puts vendors in an ecosystem of social forces that influence the implementation of privacy law on the ground, as well as work on the problem of privacy education for engineers. ®