Regulations and standards: the money distortion field
Recent events have raised concerns about how money affects legal and compliance matters. These can be succinctly described as paywalls, private deals and parity. By Rupert Brown, chief technology officer at Evidology Systems.
Paywalls
This story will probably be less familiar to the readership of this publication than the other two, so let’s start by examining it. Initially it was highlighted by The Register. At the heart of this issue are the challenge standards bodies face in being sufficiently funded to create and maintain new standards via consistent processes, and how much revenue they can derive from publishing/dissemination of the material.
For software standards, this is particularly challenging because many of them evolve via wholly online open-source processes, and can be contributed to by individuals rather than large corporations.
There is, however, a clear boundary between the formal definition of a specification or a statutory text and how it is subsequently tested/verified.
Standards work when there is a series of conformance tests, much like the specifications used in transaction reporting regulations — these cost money to develop and maintain. The USB standard is probably the best example of the value of this approach, given its ubiquity and longevity.
Private deals
The recent settlement of the British Airways’s data breach class action has been widely reported. It is, however, surprising that there has been little or no comment on the fact that the settlement amount has remained secret. I am sure that consumer lobby groups and those who drafted the General Data Protection Regulation (GDPR) would have wanted all sanctions incurred as a result of non-compliance to have been made public in order to deter future potential miscreants.
It would be interesting to poll members of the class action as to whether they wanted the settlement details to remain confidential, but somehow, I doubt it. The lack of visibility provides a handy segue into the third topic for discussion.
Parity
Most recently we have seen the imposition of a fine of $885m on Amazon by the Luxembourg Data Protection Commission.
We are still in the early days of this legal arm-wrestling match, but it is worth observing that the initial sanction sought is more than 15 times higher than the previous fine levied against Google by the French information commissioner, the Commission Nationale de l’Informatique et des Libertés.
This is not the first GDPR ruling that has raised questions over how consistently fines are being applied; the only fines of similar magnitude to be levied to date were for large-scale data breaches materially affecting thousands of consumers through theft of credit card information, for example, which has not occurred in this case.
The common factor
All three of these issues raise significant concerns as to how money distorts the intent and efficacy of legislation and regulatory governance. The problem arises because of two key factors:
- The decline in real terms of general taxpayer funding for legal and regulatory bodies, and hence the need to raise funds by direct or indirect levies.
- The multiplier effect that successful internet businesses have enjoyed since the start of the 21st century, where the marginal cost of acquiring and servicing new customers has diminished to almost zero. This has made them a natural target for envious competitors and regulators who feel they have gained an unfair advantage on other sectors by methods that need to be “scrutinised”.
Another largely hidden issue, which is hinted at by the paywall issue, is a shift from adversarial approaches between regulators/standards bodies to a more continuous/collaborative operational pipeline akin to modern software development practices.
This shift can also be seen to a limited extent in the ‘sandbox’ initiatives being promoted by financial services regulators around the world, although many of these remain rather stuck in the ‘fashionable innovation’ phase.
However, I do not believe any regulators currently have the skills or operating models that could manage a group of third parties to provide continuously evolving analytical tool sets over the longer term. How would new providers be selected and onboarded, let alone be paid for the use of their toolsets?
If regulators do start to evolve along this path, it raises the spectre of a private club as hinted at in the British Airways settlement deal — once again quis custodiet comes into play: regulators and regulations must be wholly open and transparent at all times.
Without sustained visibility into the methods and processes of all regulators, there is no prospect that consistent parity between regulatory interventions can be achieved. Until then, the temptation for regulatory bodies to focus on headline-grabbing sanctions that try to garner public support for more funding will remain the norm.
We will see even more pressure on public funding following the pandemic, with the value of effective regulation being further challenged. Until there is progress on paywalls, private deals and parity, regulators run the risk of being further marginalised.