Friday, 23 July 2010

The hangman cometh


I was working in Chester earlier this week (don’t ask why) and found that, much to my delight, my hotel was, very conveniently, sited right next to one of Chester’s more notorious public houses. It was the Chester Hangman (pictured), where the wrong ‘uns obviously went to meet their maker once the courts had dispensed whatever justice was available at that time. This set me thinking about something I had recently read about the wisdom of giving more powers to data protection regulators as they are currently established.

And who had written this stuff? None other than the respected LDRP Kantor Ltd, in association with the Centre for Public Reform. I hadn’t heard of them either – but I had – as we all have – heard of the core experts, who are extremely respected priests of the data protection universe: Douwe Korff, Professor of International Law at the London Metropolitan University, and Ian Brown Senior Research Fellow at the Oxford Internet Institute. And they were assisted by a panel of special experts and advisors, including Peter Blume Professor of Legal Informatics University of Copenhagen, Ross Anderson Professor of Security Engineering at the University of Cambridge, Caspar Bowden Chief Privacy Adviser for Microsoft UK, and Paul Whitehouse former Chief Constable of Sussex Police.

These are not people whose views ought be dismissed with a mere shrug of the shoulders. And, having read their final report to the European Commission (strangely, on the very issues that the Commission is now consulting about significant changes to the Data Protection Directive), I am betting a photograph of a £50 note that, unless significant evidence is adduced to the contrary, the vast majority of the recommendations will end up as EU data protection law in the not too distant future.

I really mean that. Given the speed with which the EU appears to wish to publish it's proposals for a revised Data Protection Directive, I am expecting that these recommendations will form the basis for that new Directive.

One of the many interesting points the report made was to challenge the traditionally held view that the current crop of data protection regulators need more powers. To quote (selectively) from paragraphs 104 – 108 of the report:

DPAs have great insight and knowledge, and provide helpful guidance on the law - but they are not effective in terms of enforcement: “Policing” of data protection compliance by DPAs is generally weak and ineffective. To quote the conclusions from a major report for the EU Fundamental Rights Agency, drawn up in parallel with the present report:

"Shortcomings are identifiable in the lack of independence, adequate resources and sufficient powers of some Data Protection Authorities. Compliance with data protection legislation in the praxis of several Member States also raises concerns. Legislative reforms are needed also in the field of sanctions and compensation to ensure a higher degree of enforcement of the relevant legislation and protection of the victims of personal data violations."

We ... note that weak enforcement in many countries was already noted in a much earlier study, and does not appear to have improved much.

[But] we feel that too often, DPAs are brought in too late: they are asked to give a view on systems that are already largely “cast in stone”, especially in the public sector. This can even apply to soi-disant “prior checks”, if those are only carried out once the system has already been finally designed (with major cost implications). A second problem is that a number of DPAs are still lacking in core technical competence: there are still too many lawyers, and not enough system- and computer specialists in the authorities.


The key point can be found in paragraph 106: There is ... a more fundamental question about the - in our view, to some extent incompatible - functions of the DPAs. They are advisers and guides. They are also interpreters of the law - and sometimes even quasi-legislators. They are supposed to be advocates on behalf of data subjects. And they are supposed to be law-enforcers. We feel that this is too much to ask of any single body. One danger is that as regulators, they become “captives” of those they regulate, industry and government agencies in particular. That phenomenon is far from limited to data protection authorities: it has been observed in many modern regulatory bodies. But it too serves to underline the tensions between the different functions of these authorities.

We feel that ... consideration should be given to separating the “soft” advisory and guidance functions of the authorities from the “hard” role of law enforcement, with the latter placed basically in the hands of the courts (also acting in cases brought by individuals) and (in respect of more serious or general breaches) the prosecuting authorities. Of course, DPAs, as experts on the issues, could still always be asked to advise the court; they could even be given a right to submit their opinions ex officio and to have rights of appearance ex officio in any case raising data protection issues. In any case, to the extent that data protection issues are placed in the hands of the courts (or special tribunals, as in the UK), there should be equal access to them for data subjects and controllers.


So here we have it. Perhaps it’s best not for us to expect a single regulatory creature to perform so many functions. Perhaps it would be better if there were an organisation with a “confessional”, and seperate organisation with a “courthouse”, rather than a single body trying to operate both at the same time.

Has anyone got a cleaver sharp enough to hack the newly built office in Wilmslow in half then?

The final report, submitted by LRDP Kantor, in Acssociation with the Centre for Public Reform was published on 20 January 2010. It’s available somewhere on the internet – try searching for “a comparative study on different approaches to new privacy challenges, in particular in the light of technological developments, under contract number JLS/2008/C4/011 – 30-CE-0219363/00-28.”