Sunday 31 October 2010

Who can save us from the decline and fall of EU data protection regulation?


“Laws rarely prevent what they forbid.”

I’ve been mulling over the implications of this phrase for some time, and I have to thank Alun Michael MP for reminding me of it.

Where does it come from?

The classical scholars among us will instantly recognise it as a quote from “The History of the Decline and Fall of the Roman Empire”, written by Edward Gibbon and published in six volumes between 1776 1789.

Wikipedia reports that “As far as Gibbon was concerned, the Roman Empire succumbed to barbarian invasions in large part due to the gradual loss of civic virtue among its citizens. They had become weak, outsourcing their duties to defend their Empire to barbarian mercenaries, who then became so numerous and ingrained that they were able to take over the Empire. Romans, he believed, had become effeminate, unwilling to live a tougher, "manly" military lifestyle. He further blames the degeneracy of the Roman army and the Praetorian guards. In addition, Gibbon argued that Christianity created a belief that a better life existed after death, which fostered an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. He also believed its comparative pacifism tended to hamper the traditional Roman martial spirit.”

Interestingly, (and again according to Wikipedia) “Gibbon saw the primary catalyst of the empire's initial decay and eventual collapse in the Praetorian Guard, instituted as a special class of soldiers permanently encamped in a commanding position within Rome, a seed planted by Augustus at the establishment of the empire. As Gibbon calls them at the outset of Chapter V: The Praetorian bands, whose licentious fury was the first symptom and cause of the decline of the Roman empire... He cites repeated examples of this special force abusing its power with calamitous results, including numerous instances of imperial assassination and demands of ever-increasing pay.”

Such behaviour would obviously have diminished them in the eyes of the populous of the ancient regime.

But am I making a cheap point of associating, say, the Article 29 Working Party with the Praetorian Guard of Ancient Rome, and then arguing that any lowering of respect that the general populous of the EU has with that august body is the primary catalyst of the demise of data protection regulation?

No, I am not.

For me, the Praetorian Guard is the individual Member State of the EU – and it’s the failure of each Member State to protect the basic concept of international data protection regulation (to facilitate the free flow of information around the EU – and then the globe) which has caused the disengagement we see today.

So how have Member States failed to protect the basic concept? They need to tread very carefully in this area, if they are to be taken seriously.

I think the failings are in 3 areas, none of which will come as a surprise to people who are deeply involved with the practice – and the theory- of internet regulation. And these are areas that Alun Michael spoke about at the “Fourth Internet Governance Forum”, held at Sharm el Sheikh, Egypt, in November 2009.

The issues relate to the pace of change, the consultation process and the fallacy that legislation provides a solution in itself.

On the pace of change, we have to accept the speed with which the internet develops guarantees that our perceptions of “the future” are increasingly inaccurate. And, we have to acknowledge that the current management techniques of industry, government, and the international community are too slow to keep up with changes on the internet. Some people are bemused that not even the most basic concepts are sufficiently clear. Is an RFID tag an item of personal data? Does it become “personal data” even though the data controller has no idea who is using the umbrella with the RFID tag on it, or whether a number of people may be sharing that umbrella? Or is an RFID tag about an object, rather than a person? As we embrace an internet in which the majority of stuff being recorded relates to objects rather than individuals, its getting ever harder to work out just whether (or to what extent) the current definitions of “personal data” matter any more.

On the consultation process, we have to accept that decision can’t any longer be made just by technogeeks and regulators. Cities are not made by architects, they are made by people. And increasingly, by young people. So we must engage with young people, and create solutions that take more account of their needs than of the needs of older people. Soon, we’ll be handing it over to young people. They talk about the issues in a completely different way and there’s a real and powerful opportunity to use that talent and engagement in a positive way. But more than that – if we genuinely believe that data protection regulation is that important, we will have failed if we can’t find a language to communicate with people who simply aren’t interested in this stuff.

And it’s not just young people we need to consult with properly. I sense that the data protection community also needs to communicate to legislators who do not take an interest in this process in any way. Policymakers are overwhelmed by the issues of the day, but rarely have the luxury of feeling free to devise a proportionate response. Too many legislative proposals appear ill thought out, barely capable of surviving a cursory examination by a critical elite - who will then, like a pack of wolves, turn their attention elsewhere.

And, finally, on the legislative process, I despair of the tendency of politicians to feel that their job is done once a law has been enacted. As if many people really care (or even know) what’s on the statute book. As I remarked at the beginning of this blog, “Laws rarely prevent what they forbid.” Laws need to be accompanied by behavioural change before they can be considered a success. There are plenty of laws that we all freely ignore – and will continue to ignore. Even lawyers ignore some laws. And how do we achieve this behavioural change – as the veteran comedian Ken Dodd used to explain, by wooing an audience, not just by expecting them to find him funny. And what I really despair of a number of legislators – and some regulators too- is their misguided belief that the data protection managers of this world will do “their” work for them, by enforcing regulations that contain so much gobbledegook that lawyers have to be asked to help explain it in terms that Homer Simpson, rather than Albert Einstein, might comprehend.

Perhaps instead the regulators might take it upon themselves to "rebel" if they are expected to enforce stuff that they don't properly understand either. Wouldn't it be nice if European Parliamentarians could occasionally receive a letter pointing out the inconsistencies of the legislation they had passed, together with a polite indication that the regulators would ignore this tosh until the legislation had been simplified and the inconsistencies ironed out. That would be a turn up for the books. Perhaps we should demand that the European Parliament should always make decisions and approve laws that can be understood by a European citizen of average educational ability.

The forthcoming review of the data protection directive will give the EU an opportunity to shine. But, given its sorry history of trying to create general laws which always take account of local characteristics, I doubt that the resulting legal instruments will change the general direction of travel.

I predict that “barbarian invasions” (in terms of the influx of internet services from global data controllers whose mindsets are more attuned to the west coast of the USA rather than Europe) will continue to engulf the “Praetorian Guard” of the individual EU Member States. Remember too that Gibbon argued that Christianity created a belief that a better life existed after death, thus fostering an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. Perhaps the time has come to consider whether Google has created a belief that its services provide a “better life” to that which the EU regulators might wish to allow, thus fostering an indifference to current restrictions among Europe’s citizens, and sapping their desire to sacrifice convenience for the EU’s data protection standards.

"I want my gratification and I want it now," I hear many say.

I predict that, in my lifetime, we will see the demise of European data protection regulation, in order that global standards can take their place.


.