Friday, 3 August 2012

A plea for simple data protection rules

The first day back from my summer holiday was celebrated by having lunch with a prominent data protection academic / practitioner in the City of London.

The conversation touched on the different perspectives that practitioners and academics had to data protection. From my perspective, practitioners were those who tried to adopt relatively simple rules, so that compliance teams could more easily understand what was required. This involved having to make complex judgments about what language to use to ensure that normal people could understand what was meant by the difficult language that data protection law was so frequently cloaked in.

Some members of the academic community appear to focus on more on the balancing exercise that is necessary to ensure that the fundamental rights of individuals are fully observed, and that data controllers respect these fundamental rights as completely as possible. So, they can be less tolerant of the use of accessible language. For them, precision is king. And if that meant that the language has to contain a certain degree of complexity, then so be it.

I’m in the simple camp, myself. I reminded myself of this as I tried to refresh my memory by re-reading chunks of “that” Regulation, to get myself up to speed to develop some possible amendments to the current text. It’s amazing how quickly you can forget what some of the obscure drafting actually means, when you take a short break.

The realist, rather than the optimist, in me accepts that what the European Parliament will probably pass is a text that only the finest minds in the data protection community will actually understand. The largest and the most complex data controllers will inevitably have the resources to implement it, but I do worry how the vast majority of Europe’s data controllers (let alone Europe’s citizens) will react.

What can we do? Can we force European Parliamentarians to take a data protection test before they vote on the text, so we European citizens can be reasonably sure that they know what it is that they are actually doing? Probably not. They’re all busy people and it’s not possible to expect them to fully understand the implications of every legal instrument they are expected to vote on.

What we can do, hopefully, is expect that our chums in Wilmslow might prepare some Plain English versions of the new rules. They do have a great track record here. After all, remember the recent fears that the cookie rules as prescribed by the ePrivacy Directive were gobbledygook?

Well, take a look at the ICO’s blog, posted on 25 May, with its guidance which clarifies the following points around implied consent:

• Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
• If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
• You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
• In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Brilliant. Normal people (and SMEs) can understand that sort of language.

What a pity there isn’t a Plain Language Directorate within the European Commission, which might ensure that all proposals can generally be understood by those to whom they are intended to apply.


Image credit: