Sunday 30 January 2011

The MoJ gets our views on a new DP Directive

I celebrated Data Protection Day 2011 the same way as I did 2 years ago – by attending an event at One Great George Street. That first bash was hosted by the Information Commissioner, who used the occasion to launch the Personal Information Promise. I was so determined to ensure that my company was recorded as the first to sign the thing that I made sure that the document our Chief Executive signed was actually dated the day before the date of the formal launch!

This year’s event was hosted by our chums at the Ministry of Justice, who use the occasion to publish the response to their Call for Evidence on the current data protection legislative framework in the UK. That consultation exercise ran from July to October 2010, generating a series of workshops, 163 responses and an awful lot of paperwork. The event was also used to gather more views on the position the MoJ should take as it embarks on the latest review of the Data Protection Directive. Well done MoJ. It’s got those officials well up to speed, and they must be better briefed than any other national delegation.

What worries me slightly is what happens next. Our team may know what they want, and the priority in which they want to negotiate the points away, but who will they be negotiating with, and what demands will those other teams be bringing to the table?

I sense that there is just one other national team that’s gearing up for the review, and that’s the Germans. Why? – Because German politicians have only recently reviewed German Data Protection Law, and no doubt they will be very keen to ensure that whatever European Directive is passed will allow them to keep the very high standards that the Bundestag (German Parliament) has legislated for. These standards are not the same as British standards. Oh no. I think it’s fair to suggest, though, that many responsible German data controllers are finding it hard to adopt their business systems to meet these new standards. I sense a growing unwillingness among my German colleagues to introduce new types of information services simply because it’s so hard to work out how to make them comply with the new law. But how hard will the Germans negotiate to protect something they can’t work with already?

Why does this stuff matter? Because surely it would be in no-one’s interest (in the EU) to make compliance so burdensome that the only people to benefit were global companies based outside the EU. Thanks to cloud computing and the internet, you don’t need a physical presence in a Member State to do business there. We know what the trend is. We know what happens when internet betting companies realise its more tax efficient to operate from Gibraltar rather than Glasgow. They transfer their operations there. And the same could happen in a global context should the Data Protection review result in another legal instrument that wasn’t fit for its purpose.

This point was brought home to us all very clearly at the MoJ’s event on Friday. In a brilliantly astute move, both David Smith (Assistant Information Commissioner) and Baroness Sarah Ludford MEP had been invited to address the assembled gathering of about 100 of the usual data protection suspects.

David was his usual self, demonstrating his deep understanding of the fault lines in the current legislation, but taking care to point out its considerable strengths too. We often gloss over the extent to which the current Directive has helped raise standards, influenced other jurisdictions to develop similar standards, with rules that have (generally) been capable of being applied to new technologies, and how it has even encouraged EU regulators to harmonise their opinions about many issues. And David was also crystal clear in what the ICO wanted in future: greater clarity (and simplicity) in the scope of the law, a high level of protection, a better level of accountability by data controllers, with a focus on risk reduction not bureaucratic form filling, and simple but effective rights for individuals, and (finally) sensible rules on international data transfers.

The regulators have got it.

Job done? No. No way.

As Baroness Ludford spoke, I sensed a new atmosphere in the room. We were now hearing from an MEP, a person who passionately believed that the European Parliament had a voice in these things too. It is clear that we ignore these creatures at our peril. My most valuable insight into the day was the extent to which we all have to redouble our efforts to make sure that these powerful people actually know what they are talking about, and that they fully appreciate the consequences of any amendments they may propose. Sarah freely admitted that she and her fellow European Parliamentarians needed more assistance as they crafted amendments that could well make their way into the final text of European Directives. They don’t have parliamentary draftsmen available to help them get the words right. "We are amateurs and there is not good enough impact assessments of amendments put by MEP’s, only the Commission", she said.

So, the prospects of the European Parliament creating a legal instrument that is clear and simple, given the political bargaining that will inevitably go on until the very last minute, are slight. Let alone a legal instrument that will meet the needs of both people who wish to have greater control of their own personal information, and companies who also see this very same information as their own property (because it they acquired it in a fair and transparent manner).

Our call to arms is simple. Support our MoJ negotiators. Because if we don’t, we could have an awful lot to lose. Our political masters may glide through the Ministry of Justice en route to another political appointment every now and again. But Belinda Crowe, the MOJ’s Information Director, and Kevin Fraser, the Head of EU/International Data Protection, are unlikely to be so lucky. They should be in their posts for the whole ride – so let’s make sure we brief them until we’re blue in the face.

And at the same time we need to brief the other national delegations about our concerns. Oh yes, and we must not forget the importance of briefing the MEP’s, who think they already know a bit about data protection, too.