Saturday, 17 December 2011

What is the Commission really trying to achieve?

I’ve been very quiet this week as I’ve been trying to get to grip with a number of very different issues, all of which demand some pretty intensive focus and all of which have resulted in my needing to ask the same basic question. This question related not to the immediate and intimate details of each problem, but the bigger issue – ie what was it that the client actually wanted to achieve?

It’s the same with the leaked proposals for a new legislative framework – many of my legal and data protection friends have been pouring over the leaked text, and have been producing ever more detailed analyses of the proposals. Many of them must be rubbing their hands with glee. After all, given such a complicated set of proposals, what self respecting data controller could now not afford to pay heavily to ensure that they were moving to a state of compliance. As for data protection officers, well, they have a job for life – so long as all they want to do is turn into an auditor and enter an environment where the ticked box is king.

But I didn’t enter the data protection world just to tick a series of boxes. To me, fairness and transparency are qualitative concepts, not quantitative concepts. I love music, not mathematics.

My main problem with the proposals (yes, having read them, not just having read summaries of them) is that I really don’t fully understand the background narrative. Before we all get too bogged down in the detail, I want to have the bigger picture much clearer in my mind. After all, the very detailed proposals contained in the text (and to be further particularised in legal instruments to be created by the newly formed European Data Protection Board) have to be assessed in terms of the sort of society that the European Commission feels its citizens should live in.

And this is where I feel lost, as I simply don’t understand the Commission's vision about how this society will look like and feel like. I fear that bad things will come from an over-centralised, distant, powerful body, like the Commission or a European Data Protection Board. My heart tells me that this body will be staffed with people who care and who are just as honourable and decent as the friends I like to associate with. But my head tells me that it’s always possible that it will be perceived as an unloving, disengaged institution that fails to take sufficient time to show its stakeholders just how much it cares.

Perhaps, just as Mr Putin must today be fearing that a Russian Spring does not have similar outcomes to the recent Arab and African Springs.

But, back to the plot. The more I get lost in the detail of the draft proposal, the more I forget what the answers to the most basic questions ought to be.

They include:
• What is to be the role of the state and of public institutions in holding information about people it is responsible for, or accountable too? When can these people exert a “right to be let alone” from the state (if at all).
• What rights are data controllers to have, if they are not to be allowed rights that are equivalent to that of individual people?
• How can we expect society to function under a regime of extremely complicated data protection rules that will be ignored by huge numbers of citizens and controllers? Can this really be termed effective government? Is this a desirable outcome to the process?
• In quantitative and qualitative terms, what will the benefits to society be if these rules were to be fully implemented? Are the costs that will be imposed on all stakeholders fully commensurate with the perceived benefits?
• How will local practices and cultures be respected, given the fact that the overwhelming majority of data controllers are likely to provide services to a very restricted (in terms of geographic reach or social mix) set of customers.

I’m sorry that this blog makes such heavy reading as we're getting focused on the forthcoming holiday season. But that’s what happens when we only see half the story – what’s been leaked is really the roadmap to “Data Protection Nirvana”, not a proper description of what this Nirvana actually is, nor an explanation of what we will feel when we actually get there.

So where do we go from here?

I suspect that many people will disengage themselves from the process that will roll on for the next few years, as groups of people earnestly huddle together and try to build political alliances that will leverage changes to the texts that we see before us. I expect the campaign of attrition to continue for a few years, as ever more weary teams of negotiators try to keep their political masters interested in the tedious minutia of the subject.

But I also wonder, in practical terms, how this initiative is ever going to be passed, given the huge emotion that will be built up by stakeholders from all sides of the debate. If I were an MEP, I would want an easy ride, to be honest. I would not want to be too personally involved in a controversial legislative proposal, as I would expect to be vilified and abused as a result of being associated with it. I would expect my own character to be called into question, and for vested interests to do whatever they considered necessary to further their own objectives. So I would not want to be the Rapporteur or a committee member, or have my fingerprints anywhere near it. MEPs go to the European Parliament to do good, not to find themselves on the wrong side of a set of very public attacks.

I heard European Commissioner Viviane Reding speaking a few weeks ago, in Paris, describing a late Christmas present that the Commission will be delivering to the European Parliament. If this is it, then it’s some present.