Fallout from the largest data leak ever is currently dominating news bulletins around the world. The Panama Papers data breach (which itself sounds like the title of a John le Carré novel) consists of an unprecedented leak of 11.5 million internal documents from the database one of the world’s biggest offshore law firms. The 2.5 terabytes-worth of documents, which span almost 40 years of information, detail the data of approximately 214,000 entities and over 14,000 clients. Those named in, or associated with, the data leak range from Vladimir Putin to Jackie Chan to former Rehab chairman, Frank Flannery.
The firm at the centre of the data breach, Mossack Fonseca, is a Panama-based law firm whose services include incorporating companies in offshore jurisdictions such as the British Virgin Islands. It then administers these offshore companies in return for an annual fee. The firm’s other services include wealth management. The firm itself is Panamanian, however it runs a globally-franchised operation consisting of 600 people working in 42 countries. The data were obtained from an anonymous source by a German newspaper which then shared the data with the International Consortium of Investigative Journalists which in turn shared the data with a large network of international partners, including the Guardian newspaper and the BBC.
One of Mossack Fonseca’s founding partners has, of course, attacked those behind the revelations, arguing that the firm has been caught up in an international anti-privacy campaign. Ramon Fonseca stated "(W)e believe there's an international campaign against privacy. Privacy is a sacred human right (but) there are people in the world who do not understand that and we definitely believe in privacy and will continue working so that legal privacy can work. Each person has a right to privacy, whether they are a king or a beggar.”
The data breach, while fascinating in its capacity to provide an insight into the secretive world of offshore finance, demonstrates the ongoing conflict between the right to privacy and the right to freedom of information. As such, the obvious question must be asked; do the people named in the Panama Papers deserve to have their private affairs splashed over the pages of the media for us all to observe, analyse and judge? Of course, legally-permissible tax evasion may be regarded as morally dubious at best and at worst downright shameful, especially when it involves public figures who must adhere to a higher standard of accountability that the rest of us. Nevertheless, irrespective of in the absence of any actual proof of wrongdoing, such a large, indiscriminate quantity of data that is exposed to the public will invariably produce casualties who will remain guilty until proven innocent in the court of public opinion.
Transparency in practice is at the heart of data protection and is one of the core principles of the forthcoming General Data Protection Regulation (GDPR) which is set to become law across the EU in two years’ time. Moreover, keeping data safe and secure is also a core principle. It fosters confidence in data sharing and processing operations which is necessary to ensure confidence in the institutions which store and process our personal data.
Recital 6 of the GDPR states:
“Technological developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.”
Article 30 of the GDPR further states that a data controller “shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”.
These clearly defined rules outline how important data security is to processing operations. A data breach on the scale of the Panama Papers is therefore at odds with a fundamental principle of EU data protection legislation as well as the Article 7 of the EU Charter of Fundamental Rights, Article 8 of the European Convention on Human Rights and Article 16 of the Lisbon Treaty; all of which safeguard the right to information privacy.
There is no doubt that the debate will rage on as to whether such a data breach serves or diminishes the public interest, not unlike the aftermath of the Edward Snowden revelations which ultimately led to the abolition by the European Court of Justice of the Safe Harbor data sharing agreement between the EU and the USA. Whether the Panama Papers has such repercussions remains to be seen. However, in the absence of a black and white scenario, the grey area in the middle regarding privacy and information rights in the digital age will continue to be fought over for a long time to come.