Corporate Data Protection Responsibility
Do corporations indeed feel responsible for the protection of our personal data?
By Konstantinos Kakavoulis
In the contemporary world, corporations play a significant role in Greece, but also in the international plane. This role is constantly increasing. Certainly, they do not operate freely, but they are subject to obligations according to the rules and regulations of the legal orders in which they operate in.
In the past, corporations were considered –and also considered themselves- to be closed systems, which did not have any link to persons, the environment and society. They existed and operated with the sole purpose of producing profit. During the last two decades, they have realized –at least the majority of them- that their role in a rapidly changing world entails corporate social responsibility, which is much broader than the obligations, to which they are subject to under the rule of law.
There is no uniform definition for corporate social responsibility. According to the definition of the European Commission it is “the responsibility of corporations for their impact on society”.
Of course, corporations did not perceive their responsibility in their own. A series of scandals with corporations being liable for massive loss of lives, for gross violations of human rights and for environmental disasters, have augmented public awareness regarding these topics. The latter resulted in a huge amount of pressure directed to the corporations in a local, national or international level –depending on the size of the scandal and the corporate activities.
Their reputation was severely damaged and their profits fell steeply in many occasions. The media started monitoring their functioning systematically. The corporations had to promote a socially sensitive profile in order to protect their reputation and, consequently, their existence.
Corporate social responsibility costs a lot. The corporations have to undertake expenditure and make commitments to the public. Nonetheless, they know that strong competition by other corporations with a socially sensitive profile, makes the promotion of such a profile –if not an even more sensitive one- an imperative need for them.
Nike constitutes an important example of a corporation, which saw its reputation collapse in one night in the beginning of the 90s. This occurred when evidence for gross violations of labour rights and child labour in Asian countries (Indonesia, China and Vietnam) came into light. The protests against the corporation did not decrease not even when world-class sports stars, such as Michael Jordan, took a position for the corporation. The damage in the reputation, sales and consequently the profits of the corporation was immense and lasted for at least a decade.
In 1999, the masterminds of Nike realized that they had no choice but adopting a socially sensitive profile regarding labour rights. They created the Union for Fair Labour, with the objective of adherence to specific labour requirements by an independent authority. Subsequently, many corporations and organizations dedicated to the protection of human rights acceded to the Union.
The first factories that were inspected belonged to Nike. Even today, Nike is still charged for human rights violations. Nonetheless, now the corporation itself publishes reports regarding human rights violations within its premises, reprimanding them and announcing ways it intends to use in order to combat them.As a result, the public trusts again the corporation, which sees an unprecedented raise in its profits. Moreover, working conditions in its premises are ameliorated. In this case, corporate social responsibility worked in favour of everyone: the corporation, the consumers, the employees.
Corporate responsibility for labour rights, which was the dominant form of corporate responsibility in the 90s, was succeeded by corporate environmental responsibility. Since the beginning of the 21st century, consumers turn to more “ecological”, “organic”, “biodegradable”, “recyclable”, “renewable” products.
To this end, corporations compete for being the leader in “green growth”. All these notions were unknown prior to 2000. Nowadays, everyone knows them and the rules of the market are formed by them.
Today, it seems that the concept of corporate responsibility is changing once again. The new General Data Protection Regulation signals an era in which persons appear to be interested more than ever for their personal data. Correspondingly, corporations face for the first time a new form of corporate responsibility, the corporate responsibility for data protection. Nonetheless, the Regulation and the new legislative framework, which will be created in the Greek legal order, is not enough.
The only non-legal means, which is universal and powerful enough to cause a significant turn in the corporate functioning is human conscience. The latest developments in legislation seem to have raised the awareness of transnational and big Greek corporations. These corporations have already amended their structures and will continue to adapt their operation to the requirements of the new legal framework.
The new Regulation provides corporations with the opportunity to receive certifications, which will “prove” their compliance with the prerequisites set by the law. These certifications have as an objective the promotion of a corporate profile, which will show compliance with the data protection legislation and will give the green light to persons to show trust and share their data with the certified corporation.
It remains to be seen whether these certifications will indeed constitute an ally of the persons or will confine in being a void stamp, which will be acquired through a typical procedure and will be renewed almost automatically and without meticulous monitoring.
If persons do not show their interest, if nobody realizes the value of his/her personal data, the new legislation will become void and corporations will do only what is absolutely necessary in order to comply with the few prerequisites set by the State.
Furthermore, corporations of medium or small size have not shown the same sensitization regarding the new legal framework. Notably, data violations by these corporations might be of equal importance. If these corporations realize that apart from the strict legal framework, Greek citizens are indeed interested in their personal data, it is highly probable that they amend their functioning as well.
Corporations seem to realize that they have a grave responsibility for data protection. However, we must all realize that our personal data are, above all, personal. This means that each one of us must personally care about them. Corporations appear to be ready to undertake their responsibilities. Are we ready to demand from them to do so?
 European commission (2011),A renewed EU strategy 2011-14 for Corporate Social Responsibility, COM(2011) 681 final, Brussels