Monday 14 January 2013

Why it is so hard to agree on changes to the current Directive

A very wise person has recently reminded me why it is so hard for European policymakers to agree on just what should replace the current Data Protection Directive.

The fundamental problem can be boiled down to differences in the way that policymakers in different European countries legislate.

Essentially, the argument goes, there are a number of different approaches:

There is the precautionary approach. This is where it is considered that actions should not be taken if the consequences are uncertain and potentially dangerous. 

Or, there is the risk-based approach. This is where the likelihood and the consequence of an incident are considered, as a way of rationalising the resources that are available, so that the areas more prone to fault are addressed first.

Also, there is the harm-based approach. This is where the likelihood of actual damage to an individual is taken into account, when prioritising an inspection or compliance regime.

There are plenty of other approaches too, but these are enough for the purposes of the argument I’m making today.

In some sectors, it’s pretty obvious which approach should be adopted. In aviation safety, for example, I would expect regulators to adopt the precautionary approach. Hundreds of lives, after all, are at risk, each time an airplane flies.

But what about in the field of data protection?

Can it really be said that hundreds of lives are at risk each time a new processing operation occurs? Or when a webmaster does not seek the user's consent before cookies are placed on a user's laptop? Or when a data controller makes a late notification of a data breach to victims? Or when an already complicated privacy policy fails to explain yet another disclosure of information to some obscure third party? Or when a cursory, rather than a comprehensive, privacy impact analysis is carried out? I say no.

This is where the main fault lies.

While the current proposals for a new regime fall squarely within the principles set out in the precautionary approach, they are very much at odds with the thinking of countries whose Governments have a different appetite for risk.

And, as so little discussion seems to have taken place on the type of approach that is considered necessary to address the issue of data protection, I’m not surprised at the uproar that the detailed drafting proposals have raised. The “fundamental rights” brigade appears to argue that absolutely all of this stuff is so important that the European Parliament can only adopt the precautionary approach.

I don’t think that argument has been properly tested. Yes, in the eyes of some regulators, some global data controllers have behaved particularly badly in some respects – but does that mean that every European data controller needs to be tarred with the same degree of suspicion? I say no.

Where do we go from here?

In a sentence, it could be back to the drawing board. It would be more than helpful if everyone were absolutely clear about which menace is being tamed. The only bad boys I know of are a few extremely small players, who will certainly ignore whatever laws are implemented, and (in the eyes of some regulators) a few extremely large players, whose resources will dwarf those of whatever regulator is minded to challenge them.

There will always be stupid boys too (such as those that can’t get the basics right, like encrypting data in transit), but tougher laws are unlikely to effect behavioural change among the stupid.
