Monday, 13 February 2012

Should the Commission, or should Member States, protect our fundamental rights?

Another group of some of England’s data protection finest gathered at the London offices of Field Fisher Waterhouse today to share a few more insights about “that Regulation” and to raise a toast to those wonderful bods at the European Commission. Yes, it really appeared to be true. We data protection professionals (once suitably accredited) really will have careers for life. We can almost name our salaries, too. Woe betide any large data controller that fails to hire an independent Data Protection Officer, protected from dismissal, on a 2 year contract. If a regulator gets to hear about such an omission, the controller could face a fine of a million Euros. That is an awful lot of money. So, a Data Protection Officer needs to be suitably paid to help the controller avoid grotesque fines for minor indiscretions.

Not only that, but the rules that the Data Protection Officers will be accountable for upholding could be so desperately complicated that only the very finest legal minds in the country will be capable of giving quality advice to the data controllers. So there’s going to be no significant push back from our learned friends at this initiative, I suspect. In these days of economic austerity, fee earners just love initiatives like this.

The mighty Eduardo Ustaran chaired a panel of distinguished speakers, many of whom assured those of us in the audience that there was still an awful lot to play for before the Regulation would become a reality. Was a uniform, prescriptive approach to the problems had been identified, actually too ambitious given the political circumstances that the European Commission finds itself dealing with today?

I pondered that question as today’s events unfolded.

A Commission official offered some very interesting insights into the workings of his organisation, and we had a glimpse into the Commission’s vision for the future. Let’s be quite clear about this. The Commission is promoting societal change. We are in the midst of a digital revolution, and so it’s vitally important that, just as the Commission promotes digital growth, citizens’ fundamental rights are also properly protected. And, it is the Commission’s view (on the record) that the current Regulation is sufficiently balanced between the rights of individuals and of data controllers.

What I had not fully understood until tonight was that this is actually the first time that the Commission has proposed a Regulation as a means of safeguarding an issue as sensitive and as significant as citizen’s fundamental rights. So, these days, fundamental rights are apparently too important to be left to the discretion of Member states. No, to prevent the Member States from “getting it wrong”, as it were, Europe’s citizens are to be better protected by being regulated directly from the centre.

That sort of language is likely to be used these days in many ways by people whose interests are not simply of the data protection kind, but also of the “Subsidiarity” and the “Nation State” kind. We’ve only too recently seen reports of unrest in Greece because Greek citizens were wary of what they perceive as a shift of political and economic control from the Greek State to European institutions.

Will such sentiments be expressed in other Member States when citizens realise that their “data protection” controls are being tweaked to reflect more readily the needs of some central co-ordinating authority? I’ve already detected differences of views from some regulators as to the desirability of the Commission reserving so many rights to impose a common interpretation about so many key issues above the heads of local regulators.

But, there’s nothing much to worry about. At least, not yet. A few members the awkward squad gathered in the corner of the conference suite during the drinks session after the proceedings, and wondered about the prospects, in reality, of the chances of some central co-ordinating authority emerging.

Let’s be honest, some murmured to themselves. Sometimes, the only people who find it harder than solicitors to come to an agreement, following a dispute, are regulators. Ironically, both are supposed to have skills that are highly honed in conflict resolution, but the truth can sometimes be very different. They can express firmly entrenched views, too. Will we ever see a love-in at a meeting of all the members of the European Data Protection Board?

Perhaps – should I ever get appointed to that august body, that is. But I’m not counting on it.

I will end this posting by pointing out that the attendees – and the speakers – were all desperately keen to achieve an outcome that truly was fit for purpose. We’re all digital citizens, these days, and we all have a self interest in trying to get things right. But, of course, getting things as right as we can at a cost that can be afforded by most. We are in the business of risk management, not risk elimination. No responsible data controller wants to find that the reduction of administrative burdens in terms of notification, etc, is simply replaced by a disproportionate amount of other forms of gold plating and internal form filling and retrospection. This is especially the case given that so much of the real digital economy will increasingly operate on an internet beyond the political, legal and administrative control of the European Commission.

I will also end this posting by pointing out that almost no blood was spilt on the (freshly laid) carpet in Field Fisher Waterhouse’s new conference suite this evening. The only blood that was spilt was my own – I had a nosebleed - but that was due to a sudden rush of blood to my head, rather than being assaulted by a speaker – or by a fellow attendee.

Image credit:
European Court of Human Rights