Tuesday 7 December 2010

Have you heard the one about the former Information Commissioner and the accountants?

Last night, former Information Commissioner Richard Thomas delivered the annual lecture to the IT Faculty of the Institute of Chartered Accountants in England & Wales. “Private Lives in a Database World”. Strong stuff – and greatly appreciated by the invited guests. As was the dinner, held afterwards. Can it really be eight years since he took over from Elizabeth France? Well, yes it can. And since that day, when he could remember the ICO in Wilmslow as having just one personal computer that was linked to the internet – and thus to the outside world - things have changed hugely.

A couple of points really stood out from his very thoughtful speech. And I’ve reinterpreted them, giving my own gloss on what those remarks meant to me.

First, in an area where technological advances are developing faster than even the geeks at Google can keep up, we have to be wary of legislators and regulators imposing their views on society. The old privacy controls weren’t designed to deal with the way we presently interact with each other. We have to recognise that social norms are evolving ever faster, especially with regard to the internet, and “we” need to be careful of “them” imposing their values on “us”. There is a disconnect between the digital natives, to whom a laptop is the very lifeblood of one’s existence, and those of an older “mainframe generation” for whom computing is a useful, but not necessarily an essential, part of everyday living. There really is a generational divide out there. People under 30 are far more likely to appreciate the risks associated with poor data processing practices than people over 60.

Given half a chance, legislators will prescribe standards that are unrealistic, outmoded and dated. That’s all they know. So we, the great governed, must be wary of awaiting the imposition of regulations by an elite that reacts with less subtlety than one would normally prefer. Instead, we ought to engage with the legislators before it’s too late. Otherwise, we’ll end up with unenforceable laws that most people ignore, causing the more enlightened regulators nightmares when being told off for allowing sensible people to do what they think is right, rather than rigidly practising what the law prescribes.

If there were to be a single word that accurately reflected the most practical way forward, it would be “accountability”. This digital world has become far too complex, too interdependent and frankly, too global, for national regulators to really think they can regulate it by themselves. The most logical way forward is for the data controllers themselves to step up to the mark, and assumer a greater degree of responsibility for the processes which they themselves cause. It means that they need to face the red-hot anger of the victims when things go wrong. And it means that they will have to accept that, thanks to the internet, campaigns “against” a data controller can spread like wildfire, and cause real harm to that data controller. Let’s just hope that the mob rules with a degree of common sense, then.

Richard was equally passionate about the publication of the European Commission’s recent cunning plan to amend the general Data Protection Directive. It’s fair to assume that a great deal more work will be needed to whip this incoherent shopping list of proposals (my words, not his!) into a regulatory vehicle of which the Commission can be proud. Of course, the cunning plan contained some good ideas. Especially the proposals to replace the current registration scheme with a simpler notification scheme, the promotion of privacy impact assessments and the implementation of a “privacy by design approach”. And possibly the intention to improve and streamline the binding corporate rule concept as a means of legitimising data flows between group companies. And the idea to improve police & judicial co-operation was a worthy, but dull, proposal.

But, will an enhanced breach notification process bring any meaningful redress to victims? And will it reduce the volume or significance of data breaches in future? And what’s this “right to be forgotten”, if it’s not something about ensuring that proper data retention standards exist? And why nothing significant about recognising that global data flows do and will continue to exist and that they can’t be easily regulated? Even King Canute got that point (at least as it concerned tidal flows, rather than data flows) almost exactly one thousand years ago. Or have you heard the one about the EU drafting its own “standard” privacy notice for every controller to use? Or why hardly any mention of the new principle of adequacy?

Hmmmmmm. I sense that the poor official at the Commission who has been charged with getting this Directive “sorted” will be pulling his hair out with frustration at the difficulties inherent addressing the requirements of so many different stakeholder groups. And I believe it is just one Commission official. Or perhaps one and a half. You might have thought that something this significant might have a whole army of European Commission experts busting their guts somewhere in deepest European Commissionland. But no. They’ve obviously got more important stuff to get on with.

Will history repeat itself? I recall that the first version of the original Data Protection Directive was drafted by a German (Frau Una Ihnen). And such was the uproar (mostly from the direct marketing community) that the powers that be took it away from Una and gave it to a lady from France (Madame Marie Georges). The uproar turned into a wail of anguish. And finally, the EU’s rapporteur was a Brit (An politician eager to make his mark, Geoff Hoon). By which time people were getting pretty tired of the whole affair. What a slog that was. I wonder who has the energy to face up to the European Commission this time.

But, this time it’s really important that we get it right. It’s no longer just a division of opinions between some mild mannered academics and the odd firm of international lawyers, or ten. And the direct marketing community. This time the data controllers should be willing to engage as well. The data controllers want sensible regulation – and they sense that, this time, many of the regulators are very much on their side. Many of the regulators know what's wrong with the current regime. But they do have to do what he legislators tell them.

Now, whether the legislators really “get it”, however, is a moot point. I don’t have enough evidence to persuade me that they have “got it” yet – but there is time.