A very wise person has recently reminded me why it is so hard for
European policymakers to agree on just what should replace the current Data
Protection Directive.
The fundamental problem can be boiled down to differences in the way
that policymakers in different European countries legislate.
Essentially, the argument goes, there are a number of different
approaches:
There is the precautionary approach. This is where it is considered that
actions should not be taken if the consequences are uncertain and potentially dangerous.
Or, there is the risk-based approach. This is where the likelihood and the
consequence of an incident are considered, as a way of rationalising the
resources that are available, so that the areas more prone to fault are
addressed first.
Also, there is the harm-based approach. This is where the likelihood of actual
damage to an individual is taken into account, when prioritising an inspection
or compliance regime.
There are plenty of other approaches too, but these are enough for the
purposes of the argument I’m making today.
In some sectors, it’s pretty obvious which approach should be adopted.
In aviation safety, for example, I would expect regulators to adopt the
precautionary approach. Hundreds of lives, after all, are at risk each time an
airplane flies.
But what about in the field of data protection?
Can it really be said that hundreds of lives are at risk each time a new
processing operation occurs? Or when a webmaster does not seek the
user’s consent before cookies are placed on a user’s laptop? Or when a data
controller makes a late notification of a data breach to victims? Or when an
already complicated privacy policy fails to explain yet another disclosure of
information to some obscure third party? Or when a cursory, rather than a comprehensive,
privacy impact analysis is carried out? I say no.
This is where the main fault lies.
While the current proposals for a new regime fall squarely within the principles
set out in the precautionary approach, they are very much at odds with the
instincts of countries whose Governments have a different appetite for risk.
And, as so little discussion seems to have taken place on the type of approach
that is considered necessary to address the issue of data protection, I’m not
surprised at the uproar that the detailed drafting proposals have raised. The “fundamental
rights” brigade appears to argue that absolutely all of this stuff is so
important that the European Parliament can only adopt the precautionary
approach.
I don’t think that argument has been properly tested. Yes, in the eyes
of some regulators, some global data controllers have behaved particularly
badly in some respects – but does that mean that every European data controller
needs to be tarred with the same degree of suspicion? I say no.
Where do we go from here?
In a sentence, it could be back to the drawing board. It would be more
than helpful if everyone was absolutely clear as to what menace was being
tamed. The only bad boys I know of are a
few extremely small players, who will certainly ignore whatever laws are
implemented, and (in the eyes of some regulators) a few extremely large players,
whose resources will dwarf those of whatever regulator is minded to challenge
them.
There will always be stupid boys too (such as those that can’t get the
basics right, like encrypting data in transit), but tougher laws are unlikely
to effect behavioural change among the stupid.