Sunday, 19 February 2012

Taking the compliance costs seriously

I’ve started to think about the potential costs of complying with “that” Regulation. And, in looking at the areas that are potentially very expensive to implement, my mind keeps harking back to that phrase John McEnroe used so often on the world’s tennis courts: “You cannot be serious”.

And, the more I think about it, the more I realise that the European Commission is not that serious about the additional costs that might conceivably be imposed on data controllers who try to fully comply with the current draft.

This is because these costs will never actually be required to be met, as the Commission simply can’t impose a Regulation that could financially cripple so many data controllers in the ways provided by the current text.

Not only that, but I also think it’s unlawful.

Let me explain.

Turning to the lawfulness bit first, let’s not forget that if we’re playing the “fundamental rights” game, then it’s not just individuals who have fundamental rights. Data controllers have fundamental rights too. And before anyone scoffs too loudly at this assertion, let me point them to the Human Rights Act, and in particular to Article 1 of Part II of Schedule 1.

Here it is, in all its glory:

“Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law. The preceding provisions shall not, however, in any way impair the right of a State to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties.”

For my money, this means that the property rights of legal persons (such as data controllers) must be respected, just as the privacy rights of individuals are to be respected. So, I think this means that the compliance costs which fall on to data controllers must be necessary and proportionate, otherwise they are unlawful.

And we all know what the European Court of Human Rights likes to do to Member States that propose measures that aren’t sufficiently necessary and proportionate.

Do I have any examples of potentially disproportionate and unnecessary costs?

Well, I hope to be offering the Ministry of Justice some examples shortly – but none of this stuff is rocket science, and we can all anticipate the really contentious areas, where the privacy activists will be ready and waiting to take action against recalcitrant data controllers. They relate to, in no particular order:

1. An unconditional right on the part of an individual to make a Subject Access Request, at no cost to them, regardless of the reason for the request (i.e. to pursue a legitimate complaint or just because the applicant is mildly curious). This can impose significant costs on the controller in dealing with the request (and redacting unnecessary information from the body of material searched) within the statutory period, on penalty of facing a grotesque fine for non-compliance, even when the individual suffers no adverse consequences as a result of the delay.

2. An obligation to inform the regulator of the most minor of data breaches, even when the individual suffers no adverse consequences as a result of the incident. This can impose significant costs on the controller in adding new members to the response teams who are already dealing with the incident, to satisfy the regulator that as much as possible is being done to remedy a situation that no-one wanted to experience in the first place.

3. An obligation to develop Privacy Impact Assessments in respect of certain types of processing activities, and to discuss them with individuals or their representatives before such activities commence, will cause havoc within companies that keep their commercial intentions close to their chest, for fear of having their “first mover advantage” eroded by those in the business of stealing others’ commercial secrets.

4. A requirement to appoint a suitably experienced Data Protection Officer, in the absence of any guidance as to what qualifications and experience are considered “sufficient”, could lead to a rash of bogus institutions emerging, selling worthless qualifications that don’t adequately prepare Data Protection Officers for the responsibilities and accountabilities they will be expected to assume.

5. But even the cost of these measures pales into insignificance when you try to cost the implications of the powers that the Commission has reserved to itself to create new data protection standards that will have uniform application. In the UK, Parliament rebelled against such measures when King Henry VIII tried to give his ministers an unacceptable level of discretion to pass and repeal laws. Come on, it’s simply not going to happen. Who in their right mind is going to vote for such a turkey? Especially in the UK? Remember, the cleverest of the Ministry of Justice bods are currently working on the possibility of draft “Devo Max” legislation that will devolve as much power as is possible from the Westminster Parliament to the Scottish Parliament, to reward the people of Scotland for not voting for Independence. So, our very own Justice Minister is hardly likely to look kindly on a set of provisions that takes even more power away from Westminster and dumps it at the door of the European Commission. That’s entirely the wrong direction. He may think that power should be flowing down to the people, not deeper into European institutions.

So, it is for these reasons that I’m certain that the European Commission can’t really be serious about its current published plans. That’s what happens when someone takes a decision to launch a proposal on a particular day, rather than when sufficient internal consultation has been carried out to satisfy everyone that it is actually fit for purpose.
