The collusion of citizens, regulators and the judiciary in a kind of ‘privacy activism’ presents a major threat to businesses across the EU and abroad. This was the pronouncement from Stewart Room, global head of cybersecurity and data protection at PwC legal, speaking this morning at Cloudsec London.
Room explained that it is not rogue, criminal hacktivists that firms should be most worried about when it comes to disruptions to their business operations. Instead, it is some of the most “pukka” people in society, in many cases “the Establishment,” that are now posing a threat through activism, with serious financial implications for major organizations.
He highlighted the citizen, regulators both statutory and professional, and the judiciary: “When these three get together they can have a devastating effect on our business models.”
These groups could be “potentially more disruptive than the bad guys out there.”
As evidence, Room invoked a number of high-profile legal cases of recent years – the Google Right to be Forgotten in Spain, the cases of Max Schrems, the activism of Digital Rights Ireland, and even the UK DRIP act and subsequent challenges to it.
In these cases activists came together to cause a “devastating effect” on how the defendant businesses operate. Usually, as in the Spain case, a citizen disgruntled at a perceived breach of privacy complains to the regulator, who escalates it up to the EU Court of Justice.
“Google’s search model changed because of these activists,” Room said. He added that the Spain Right to be Forgotten case was just one of many examples of judges siding with privacy activists – another, transatlantic example being the post-TEMPORA litigation in the US.
“Something massive has changed in the economy and we need to factor this into our cybersecurity preparedness,” Room argued.
The main storm brewing on the horizon in EU terms is the forthcoming General Data Protection Regulation, which will mandate breach disclosure – a rule Room paraphrased as “you shall wash your dirty laundry in public.”
Of course, in the breach disclosure chain, the regulators must be informed of breaches – and in Room’s terms, these are activists who fight for the citizen (other activists in the triumvirate).
This culture is going to create a “sausage factory” of claims, disputes and litigation, “creating a bigger effect in cyber than any other actor in my view,” Room added.
In addition, he highlighted that the EU’s move towards a US-style system, where class actions can be brought against companies on citizens’ behalf without consent of those affected, will “create a massive amount of empowered activists with the power to sue in classes.”