Sunday, 24 January 2010

“Dude – Want to use a Pop’s identity?”


Not a phrase that will be common to many people, but I understand that it’s catching on among the boys at Eton College.

Yes, really!

Now for the background – earlier this week I attended a very interesting meeting of the Real Time Club which, founded in 1967, is believed to be the world's oldest IT dining club. This meeting was quite special, as everyone gathered at their usual venue - the National Liberal Club – to consider how young people, "yoof", actually use technology. It was explained to us that young people relate to technology in different ways than their elders: more messaging via social networks than email, new values on privacy, more awareness of media and cost.

No evening like this would work without the personal testimonies of some of these “yoofs” – and the Real Time Club really did its members proud. No, it didn’t ask anyone from the local secondary schools in Westminster. We didn’t get the opportunity to hear from the "yoofs" attending the local Westminster City School, nor the "yoofs" from the equally historic Grey Coat Hospital, founded in 1666, after the Great Fire of London, when many inhabitants of the Old City of London moved to the medieval town of Westminster.

Instead, we got Liam Maxwell, Head of Computing at Eton College (founded in 1440 by King Henry VI), who spoke about identity and young people's interactions with the internet and society. And to demonstrate the generational gap that spans more than just techniques and privacy practices, he brought along a selection of Eton's finest to explain what it actually meant to them in their own daily lives. The students at Eton College are generally known as Oppidans, if someone is paying their full college fees, or scholars, if their education is being subsidised to any significant extent. They had a profoundly different approach to privacy and one which older adults may not, and perhaps should not, be able to fully comprehend.

Just how media literate are they? Impressively so, actually. They are not as wrapped up in cotton wool as one might imagine. I should explain that, according to its website, Eton College, with a complement of some 1300 boys, “is a full boarding school with no day or weekly students. Typically there are about 50 boys in a boarding house, ten in each year group. This offers a distinctive balance between small houses, which give a strong pastoral base, within a large, varied and challenging school. A new boy to the school will come to know the people in his house community very well indeed – especially his house master who is principally responsible for him, and his dame, who looks after his domestic well-being. They offer support and encouragement in every aspect of a boy’s life but without unnecessary intrusion. It is a delicate and important balance: boys are encouraged to share problems with those that can help but are steered towards mature resolution of them through their own thought and effort. From the very beginning, each boy has his own study-bedroom; there are no shared rooms. Boys thus have their own private space and are required to organise themselves and to develop self-discipline in meeting tasks and deadlines.”

So, when someone is paying the full whack of over £28,850 per year in college fees, what sort of protections do they get from the evils that lurk in cyberspace? Each boy has their own log-on access to the internet and, depending on their age, controls are in place to prohibit access to the murkier areas of the internet. I expect the controls are designed to enable them to access the occasional bit of smut, but not porn.

The younger Oppidans are not (officially) allowed to access websites such as Facebook. And the older Oppidans, whom Liam Maxwell had brought along, explained that their own "Facebook" profiles showed off their better sides, rather than their complete personas. No one wanted everything, “warts and all”, to be on public display. A "Facebook" profile portrayed an image of someone one wanted to be, rather than perhaps the totality of what one actually was. They were all well aware of the foolishness of placing material on-line that might later come back to haunt them. They were concerned at the implications of photos of them in high spirits, but were assured by their “beaks” (their Eton schoolmasters) that there would be no long-term adverse implications, unless of course the images were of activities that were unlawful. (Perhaps, I thought to myself, it was acceptable for Oppidans to publish images of themselves spraying coke over each other, but certainly not snorting it.)

Well, we were all assured then.

And were there ever any suggestions that the "Pops" (the school prefects, see the accompanying picture which has been lovingly borrowed from the official Eton College website) might consider allowing any of the younger boys to use their identity for the purpose of circumventing Eton’s age controls on the internet? "You mean so that the younger boys could also maintain their own facebook pages? Surely not!" the Oppidans replied, blushing and grinning from ear to ear...

So, if, despite their very best endeavours, Eton College can’t totally control a young person’s access to the internet, then what hope has a modern day parent, who lets their child surf the web from the privacy of their own bedroom, rather than from the living room where they may be more readily supervised?

As the evening drew to a close, one extremely distinguished Real Time Club member rose to his feet to fondly reminisce about his schooldays at Eton, just after the Second World War. Back then, according to Wikipedia, junior boys had to act as fags, or servants, to older boys. Their duties included cleaning, cooking, and running errands. A Library member was entitled to yell at any time and without notice "Boy, Up!" or "Boy, Queue!", and all first-year boys had to come running. The last boy to arrive was given the task. These practices, known as fagging, were phased out of most houses in the 1970s and completely abolished in the 1980s, although apparently first-year boys are still given some tasks by the Captains of House and Games. Anyway, the extremely distinguished member explained that the fagging system was most useful as it got the younger boys to quickly familiarise themselves with many of the older boys.

“Oh, but sir, we use emails for all that these days!” trilled an Oppidan.

Saturday, 23 January 2010

What will BigBrotherWatch be watching out for next?


Earlier this week I was invited to the launch of a new pressure group run by Alex Deane, a campaigner with a mission. And he’s got influential friends too – the launch was attended by Mark Littlewood (Institute of Economic Affairs), Shane Frith (Progressive Vision), Philip Booth (No2ID), Simon Richards (Freedom Association), Eamonn Butler (Adam Smith Institute), Jill Kirby (Centre for Policy Studies), Simon Clark (Taking Liberties Blog), various bods from the TaxPayers' Alliance - and many more. I spent a good 15 minutes chatting to someone who had worked in President Nixon’s administration, back in the 1970s. So you get the idea of the sort of crowd that Alex had attracted.

The opening speeches were pretty interesting, as we all got our first glimpse of what it was that the pressure group was trying to address. Tory MP David Davis (a latter day “Norman Tebbit” of the Tory Party) introduced a fellow blast from the (recent) past, former Cabinet Minister Tony Benn. Just what do these prominent politicians have in common, occupying very different positions on the political spectrum? Well, the right and the left have met to agree on a common concern about freedom and abuse, and most particularly the extent to which a person’s civil liberties are capable of being abused by the misuse of the information which is compiled by a database state.

To get us all in the right mood, Tony Benn recalled: "I was on my way in my car to the House of Commons recently and, just outside, I was stopped on the street by a young policewoman, so I pulled over as she asked me to."

"She said 'What's your name?' (so I told her), and she said 'How did I spell it?' (so I told her), and she went through my car looking for bombs. And I asked, as I was very polite as I was not in favour of having a dust-up, just why she had done that."

"She said that I was approaching a building of great sensitivity, and she was sure that I would understand why she was stopping me under the Prevention of Terrorism Act."

"That’s the first proper use of it I’ve heard of!" David Davis retorted.

Tony Benn was quite persuasive as he presented his own personal example of the speed with which technologies were being developed. His basic point was that we can’t control the speed of technological developments, but more importantly it was incredibly hard to prevent the misuse of such developments.

When Tony Benn’s great grandfather was born in 1821, railway trains had not been invented. When his father was born in 1850, telephones had not been invented. When his mother was born in 1897, no planes had left the surface of the earth. When Tony himself was born in 1925, there was no television. When his children were born, there was no internet. And when he left the House of Commons in 2001, there was no Internet Modernization Programme.

As I reflected on this later, there could have been no possibilities of terrorist outrages similar to the (2004) Madrid railway bombings when Tony's great grandfather was born; no remote detonations of bombs by telephone when his father was born; no 9/11 style atrocities when his mother was born; no live (1989) images of the brave students in Tiananmen Square when he was born; and no need for an Internet Watch Foundation when his children were born. New technologies need new types of protective measures.

But, back to the point, the really big issue is about what “else” the state does with the powers (and the information) it has acquired. Civil liberties are very important because of the way these powers (and this information) can be misused. Tony Benn didn’t mind if his medical symptoms were on a hospital database, so that the doctors could look after him properly when he was ill, but he was not in favour of the establishment of databases for the control of people. He looks forward to the day when no one thinks it’s necessary to keep all our details on a database and watch everything we do. But I suspect we may have a long wait before that day eventually arrives.

And his thoughts gave me a lot to chew on as I attended (yet) another meeting of the “former” Interception Modernisation Programme a few days later. So you thought the IMP was dead? Well, the Home Secretary should think very carefully before repeating some of those immortal lines of Monty Python star John Cleese, in the sketch where Mr Praline returned to the shop with his dead parrot:

“'E's not pinin'! 'E's passed on! This parrot is no more! He has ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff! Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the perch 'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory! 'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisible!! THIS IS AN EX-PARROT!!”

Hmmmmmm, I would expect the Home Secretary to use another line in the sketch, perhaps the line where the owner of the shop said “No no, he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue, idn'it, ay? Beautiful plumage!”

I’ll probably return to examine the plumage of the revamped IMP in another blog. I won't use its new name yet just in case I'm not supposed to. But, if you creep along past bits of the Home Office today and listen very carefully, just every now and again you can hear the faint refrain:

“The IMP is dead. Long live the CCD!”

Sunday, 17 January 2010

Checking up on the “Personal Information Promise”



This time last year, just before International Data Protection Day 2009, I was among a small group of people who were approached by the Information Commissioner’s Office and asked whether I would support this initiative. On the day itself, a photo call at One Great George Street recorded the small band of people who had been able to get their Chief Executives to agree to associate themselves with it. I was able to present ours to Richard Thomas, the then Information Commissioner. The evening before the photo call, I had been in deepest Stoke Newington calling on an emergency calligrapher (yes, such people exist – it’s not just your plumbing that you may need sorted out 24 hours a day) making sure that the certificates, having been duly signed by the boss, had the right corporate name on them.

I was so keen for our company to be among the first to sign up that I actually forgot to ensure that the right date was appended to the certificate – so ours is actually dated the day before International Data Protection Day 2009. Accordingly, my formal “claim to fame” is that my company was the “first” to have signed the promise. If anyone has documentary evidence of another Chief Executive’s signature on an official ICO certificate which is dated before 28 January 2009 then I’ll eat (a section) of my copy of the Data Protection Act.

Given the tenth “Personal Information Promise”, which is to regularly check that we are living up to the promises and report on how we are doing, I thought I might just as well have a quick review of all of them to see if I have acted or behaved differently over the last year as a result of the initiative. After all, that small band of signatories has grown to an army of several thousand, and it might not be too long before someone asks for evidence of compliance or behavioural change.

So here we go.

I
on behalf of
promise that we will:

1. Value the personal information entrusted to us and make sure we respect that trust;

Some improvements here. I think I’ve always tried to value the stuff. But a tsunami of intensive media coverage about corporate data breaches has really focussed corporate minds on the need to respect personal information.

2. Go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;

Not much change here, as I’ve always aimed to adopt good practice standards.

3. Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;

Not much change here, as I always make privacy impact assessments. I don't always write them down, but it's my job to think about the privacy implications of everything the business does. Thankfully, given a security review following the breach tsunami (see promise 1 above), even more people within the company now follow the established rules, which are to involve me at an early stage of product development.

4. Be open with individuals about how we use their information and who we give it to;

Not much change here, as I’ve always aimed to adopt good practice standards.

5. Make it easy for individuals to access and correct their personal information;

Not much change here, as I’ve always aimed to adopt good administrative standards. Of course there are the odd slip-ups – mostly in ensuring that the credit reference agencies get the correct updates about an individual’s credit history. But on the whole I feel my team does a really excellent job. If it didn’t then I would have expected to have received many more letters of complaint from the case handlers at Wilmslow.

6. Keep personal information to the minimum necessary and delete it when we no longer need it;

Not much change here, as I’ve always aimed to adopt good retention standards. I’ve worked hard behind the scenes, given evidence to a Parliamentary Committee, assisted a “People’s Enquiry”, and even been quoted in "The Register" and “The Daily Mail” on the problems faced by companies such as the one I work for when tensions arise as we want to delete records, but others want them retained on the basis that they might come in useful to someone sometime in the future. And this issue will remain just as important this year as it did last year. I can see myself spending a lot of time this year at the Home Office, with various law enforcement agency representatives, and traipsing around the corridors within Parliament and Portcullis House, as I try to get those who matter to fully appreciate the consequences of what they think they believe in.

7. Have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;

I try. I really do try. And, thanks to the breach tsunami, lots more people within the company are trying too, and more resources have been provided to ensure that we can maintain a level of security that is commensurate with this promise.

8. Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly;

Oh yes. Plenty of training going on around here. And I’ve developed guidance for managers to assist them when their reports can’t meet the standards that are both expected of them and also which they have acknowledged they should meet.

9. Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises;

Oh yes – thanks to the breach tsunami, resources are not that hard to come by any more. Even in a recession.

10. Regularly check that we are living up to our promises and report on how we are doing.

Oh yes – and how’s this report, for starters?

So I claim another first – I believe this to be the first annual review of a Data Protection Promise. And again, if anyone has documentary evidence of an earlier annual review, then I’ll eat (yet another section) of my copy of the Data Protection Act.

Saturday, 9 January 2010

How can I delete embarrassing stuff from the Internet Archive?

Have you ever tried to locate something on the internet you know you previously read, but can’t because it’s no longer there?

I’ve recently come across a website that will be very useful when I try to recall stuff that had been posted, but was subsequently taken down or otherwise removed by the website owner. Is it a British site? Come on, you must be kidding. No, it’s based in an office somewhere perhaps around 300 Funston Ave, San Francisco, CA 94118. This is the address that appears in the Archive’s privacy policy. The funny thing is, however, that when you use the Google Maps “Street View” tool, what you get when you ask to visit 300 Funston Ave is an image of a Christian Science Church, not an office block.

So is the Internet Archive run by a charitable organisation, a church, or by some higher power?

Ok, so I have no idea who really runs this site. But I do know that its “Wayback Machine” can be used to locate and access archived versions of web sites. Although the public facing version of the site explains that “we can't guarantee that your site has been or will be archived. We can no longer offer the service to pack up sites that have been lost. We recommend using the Warrick Tool.”

I wonder what would happen if any of the staff have done some moonlighting and archived other pages that have appeared on the web. Or if any of the staff have been given an order by the US Department of Homeland Security, perhaps citing the PATRIOT Act, requiring it to archive a bit more stuff. Dunno, and I shouldn’t ask, really. I don’t like asking questions if I haven’t already got a hunch about the answers.

The Archive assures people who want to have their site's pages excluded from the Wayback Machine by explaining that it “is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.”

The Archive explains that it “collects Web pages that are publicly available, the same ones that you might find as you surfed around the Web. We do not archive pages that require a password to access, pages tagged for "robot exclusion" by their owners, pages that are only accessible when a person types into and sends a form, or pages on secure servers.”
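As an added illustration of the “simple robots.txt file” the Archive refers to (this is not part of the original post and not the Internet Archive’s own code): a constructed robots.txt for a site owner who wants the archive crawler kept out entirely while other crawlers are merely kept away from one directory, checked with Python’s standard `urllib.robotparser`. The crawler name `ia_archiver` and the site name are assumptions; an exclusion of this kind only has any effect on a crawler that chooses to honour robots.txt, which is exactly what the Archive says it does.

```python
from urllib import robotparser

# Constructed example of a site's robots.txt (not taken from any real site).
# The first group addresses one named crawler: "ia_archiver" is assumed here to
# be the archive crawler's user-agent string. The second group ("*") applies to
# every other crawler that reads the file. Nothing here is enforced by the
# server; it is a request that well-behaved crawlers honour.
EXAMPLE_ROBOTS_TXT = """\
User-agent: ia_archiver
Disallow: /

User-agent: *
Disallow: /private/
Allow: /
"""


def load_rules(robots_text):
    """Parse robots.txt text into a RobotFileParser without fetching anything."""
    parser = robotparser.RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser


def may_fetch(robots_text, user_agent, url):
    """True if the rules permit `user_agent` to crawl `url`."""
    return load_rules(robots_text).can_fetch(user_agent, url)


def audit(robots_text, user_agent, urls):
    """Map each URL to whether the named crawler may fetch it, so a site owner
    can review what a published robots.txt actually permits before relying on it."""
    return {url: may_fetch(robots_text, user_agent, url) for url in urls}


if __name__ == "__main__":
    # Assumed site name; the paths are constructed for the example.
    pages = [
        "https://www.example.com/",
        "https://www.example.com/private/minutes.html",
        "https://www.example.com/about",
    ]
    for agent in ("ia_archiver", "OtherBot"):
        print(agent, audit(EXAMPLE_ROBOTS_TXT, agent, pages))
```

The check reads the rules from a string rather than fetching them, so it can be run against a draft robots.txt before it is published; the first matching rule in a group wins, which is why `Disallow: /private/` is listed before `Allow: /`.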

So, if I were an Internet Archive employee and wanted to be a bit naughty and do some moonlighting, I suppose all I would need to do is re-write the computer program to delete the bit about ignoring pages tagged with robot exclusions. That bit might be simple. Not sure about unencrypting material placed on forms or pages sent to secure servers, though.

Why was I looking at this in the first place? Well, towards the end of last year I was (professionally) involved in an incident which, within 24 hours, had pushed the war in Afghanistan, the model Katie Price and the media personality Jordan completely off the front pages of all the serious newspapers and media outlets in the UK. (I now know what Gordon Brown must feel like on a bad day.) And today I’ve been surfing the net to locate some colourful images to supplement the inevitable set of PowerPoint presentations that I’ll be delivering about the incident. What surprised me was the amount of information still available about the bloody thing. And what shocked me was the coverage given to it in Wikipedia. I thought to myself, just how will anyone be able to rescue their reputation if this stuff is never to be allowed to die? I mean, I work for a large company, and yet almost one fifth of its Wikipedia entry has been taken up by information about that one single incident. Outrageous.

If anything, the internet has totally rewritten the rules about the dissemination of digital media, and the rights (or lack of rights) that people have to remove content which has been given undue prominence. If I were a criminal, perhaps I could rely on the provisions of the Rehabilitation of Offenders Act, which allows certain criminal convictions to be spent, or ignored, after a set period. I wonder whether the Internet Archive will adopt an equivalent policy?

On the one hand, I hope it won’t. Because try as hard as I can, I still don’t want anyone to forget people like Lord Jeffrey Archer, and what he got up to in the past. Perhaps if he were to renounce his peerage, I might be persuaded of the view that private people deserve a private life. But I don’t hold to the view that celebrities should automatically be entitled to airbrush out of their past material which is of a commercial disadvantage to them.

But on the other hand, where an individual (or a company) has been caused embarrassment or damage to its reputation in a wholly inappropriate way, then I fail to see why the internet should be allowed to make a permanent record of it. They may publish, but I may perish – and if I did, I might be very, very sore about that.

Saturday, 19 December 2009

Should the ICO be presumed to have the competence to fine miscreants?

I’ve spent some time over the past few months mulling over whether the ICO should be given powers to fine miscreants, and if so, what maximum fining powers should be available.

My first inclination was to assume that the ICO should be viewed in a manner similar to that of the Financial Services Authority. But I quickly realised that they were very different organisations. Citizens of Canary Wharf and the People's Republic of Wilmslow are not the same. Lots of bling in both locations, but different breeds of regulators. In Wilmslow, you can expect to see the WAG driving the Porsche. Around Canary Wharf, it’s more likely to be the bread winner.

The FSA plays two quite different roles simultaneously. On the one hand, 750,000 individual complaints are assessed by the Financial Ombudsman Service each year, by a staff of some 860 people, who can deal with cases up to the value of £100,000. And on the other hand, the FSA itself can deal with cases that may not be raised by a specific individual, for example when an unencrypted laptop is lost, and can fine the miscreant £ millions. I have heard complaints that the FOS does not understand the issues it judges on and lacks suitably qualified and experienced staff. Former Chief Ombudsman Walter Merricks has explained that the service employs professionals and graduates from different backgrounds and moves them between different areas to build experience.

I’ve often wondered whether it’s much easier to recruit and employ qualified and experienced professionals and graduates from a central London pool of talent than it is to attract people with the necessary range of skills to Wilmslow. But people obviously do wish to work in Wilmslow. And the “Wilmslow culture” is certainly different to that of Canary Wharf. Think “Guardian reader” rather than “The Financial Times”.

Whether the ICO can keep people for a sufficiently long period in Wilmslow (so they can make a really significant contribution to the organisation) before other employers make them offers they would find hard to refuse is another matter. In a recession, private industry may feel constrained in making too many generous pay offers. But, when the consequences of getting Data Protection “wrong” are as serious as they currently are, the market for Data Protection professionals is comparably strong. (Most companies fear the loss of their reputation following a data breach far more than any ICO sanction). And, given pressures over budgets within the public sector, will the ICO really be able to compete with the demand for people who think they know what they are doing?

So, this takes me back to my original point. Financial institutions have come to accept the jurisprudence of the FSA, and have come to accept that it has the competency to fine miscreants £ millions when mistakes are made. They also accept the awards made by the FOS, generally without question. And this is because a bond of trust and competence has been built up between the regulators in the FSA’s compliance function and the regulated.

I don’t think that a similar bond exists in the Data Protection world. I have not had (believe it or not) a particularly high level of interaction with the compliance function of the ICO. I’ve been deeply involved in the policy development function for many years, but I can honestly say that I have not yet had the time to build up a comparable level of trust with the ICO’s compliance team. I’ve dealt with a wide range of people who make assessments, but none of them appear to have remained in their post for very long. Perhaps they get promoted or are relieved of the duty to deal with me when they have completed their probationary period...

Anyway, for that reason, I won’t yet be supporting suggestions that the ICO be given powers to fine miscreants at a level which is similar to that of the FSA. I first need to have confidence in their experience and competence. Let them start with a maximum of £500,000 and let’s see what they do with that. For these days, it’s someone’s track record, rather than their promise or potential, which is so very important.

Sunday, 13 December 2009

"It’s time to behave more like Jim", commands the Commissioner

What's all this about?

Last week I attended the Commissioner’s conference at the Lowry Hotel in Salford (a suburb of Manchester), which launched the public consultation stage of the ICO's proposed "Personal Information Online Code of Practice". The first speaker was Christopher Graham, who reminded us of the achievements of a former local MP, Hilaire Belloc. Between 1906 and 1910 he represented the constituency of Salford South.

More commonly remembered as the Roald Dahl of his day, Belloc’s cautionary tales serve to remind us all of how we ought to behave. And Christopher Graham took the opportunity to refer to the regulatory landscape and to remind us of two elephants in the room, the Article 29 Committee and the European Commission, both of whom were struggling to apply an outmoded Data Protection Directive to the business needs of a world which simply did not exist when the Directive was agreed.

The inference was that the pragmatic approach adopted by the ICO was at risk of being challenged if it, or UK data controllers, were seen to be overstepping the mark too blatantly. So, it appears that, as a body, we all need to agree which parts of the law we should apply rigorously, and which parts deserve to be glossed over (because they are unduly onerous, burdensome and simply don't make any sense any more). The inference was also that unless we moved as a body in deciding which bits to ignore, the Commission might well take it upon itself to pick off the stragglers.

So we have been warned. We must all pull together – and then we’ll be permitted (as they say in sailing terminology) to shift our course away from that adopted by the rest and tack away in another direction.

But Christopher Graham didn’t use nautical terms. Instead he used medical terms, by referring to the story of “Jim” – which advises us that we should

“Always keep a-hold of Nurse
For fear of finding something worse”

So, if the main players within the ICO are to be cast in medical terms, then just who are the key characters at the re-jigged Wilmslow Information Hospital? I hear that there’s just been another reorganisation up there, and perhaps soon we’ll learn who’s now in charge of what. But, in the meantime, my suggestions for new job titles are:

Information Commissioner --- Matron
Chief Operating Officer --- Midwife Higher Level (Research Projects)
Director of Human Resources --- Health Visitor Specialist
Deputy Commissioner Data Protection --- Health Visitor
Director of Comms and External Relations --- Nurse Team Manager (Learning Disabilities)
Assistant Commissioner Freedom of Information --- Theatre Nurse
Head of Regulatory Action --- Nursery Nurse (Communities)
Corporate Governance Manager --- Clinical Support Worker

Other suggestions would be welcome until the official structure is known.

Oh, and by the way, for those really interested in “Jim”, Hilaire Belloc’s poem about the boy who ran away from his nurse and was eaten by a lion is set out below:

There was a Boy whose name was Jim;
His Friends were very good to him.
They gave him Tea, and Cakes, and Jam,
And slices of delicious Ham,
And Chocolate with pink inside
And little Tricycles to ride,
And read him Stories through and through,
And even took him to the Zoo--
But there it was the dreadful Fate
Befell him, which I now relate.

You know--or at least you ought to know,
For I have often told you so--
That Children never are allowed
To leave their Nurses in a Crowd;
Now this was Jim's especial Foible,
He ran away when he was able,
And on this inauspicious day
He slipped his hand and ran away!

He hadn't gone a yard when--Bang!
With open Jaws, a lion sprang,
And hungrily began to eat
The Boy: beginning at his feet.
Now, just imagine how it feels
When first your toes and then your heels,
And then by gradual degrees,
Your shins and ankles, calves and knees,
Are slowly eaten, bit by bit.
No wonder Jim detested it!
No wonder that he shouted “Hi!”

The Honest Keeper heard his cry,
Though very fat he almost ran
To help the little gentleman.
“Ponto!” he ordered as he came
(For Ponto was the Lion's name),
“Ponto!” he cried, with angry Frown,
“Let go, Sir! Down, Sir! Put it down!”
The Lion made a sudden stop,
He let the Dainty Morsel drop,
And slunk reluctant to his Cage,
Snarling with Disappointed Rage.
But when he bent him over Jim,
The Honest Keeper's Eyes were dim.
The Lion having reached his Head,
The Miserable Boy was dead!

When Nurse informed his Parents, they
Were more Concerned than I can say:--
His Mother, as She dried her eyes,
Said, “Well--it gives me no surprise,
He would not do as he was told!”
His Father, who was self-controlled,
Bade all the children round attend
To James's miserable end,
And always keep a-hold of Nurse
For fear of finding something worse.

Saturday, 5 December 2009

How can we ditch EU data protection standards in favour of global standards?

It looks as though more and more people are asking this question, and it’s possible that quite a bit of background work has already been done.

And the more I think about it, the more sympathy I feel for the regulators, who are charged with creating solutions to problems that are extremely hard to resolve. These people must know that the more complicated they make the solution, the greater the likelihood that it will fail. All of us dread solutions that are so convoluted you need a brain like Albert Einstein’s to understand them. And we all know that we’re basically doomed unless we can develop an approach that even Homer Simpson can grasp.

So I was really surprised recently to come across a document that actually managed to spell out, in simple language, a set of principles which might well have global application. They were developed by stakeholders from some 50 countries, and first saw the light of day at the recent international privacy conference in Madrid. For those who want to have a close look at them, try the following link - https://www.agpd.es/portalweb/canaldocumentacion/common/estandares_resolucion_madrid_en.pdf

The text uses reasonably plain language and tries to avoid the trap that the EU dug itself into, by focussing on ensuring transparency and fairness, rather than convoluted procedures that so few of us really understood in the first place. Could it result in the demise of the ridiculously complicated contracts that were created to “regulate” international data flows? I have a feeling they might.

The problem, though, will be that there will be countries who pride themselves on high internal data protection standards, either for local cultural reasons (say, to protect people from what is perceived to be a pressing harm in that local country) or for purely protectionist reasons, as they are frightened of the globalisation of trade and hope their initiatives will prove to be more effective than King Canute’s gestures in turning the tide back (which occurred almost exactly one thousand years ago).

Will these countries give up their gold plating, or will they finally acknowledge that they need to live in a real world? I’m sure that some will try to hang onto their gold plating for as long as they can, while many of the companies operating inside them will be finding it ever harder to develop commercially attractive propositions to their customers. Thanks to the globalisation of the internet, if customers don’t like local rules they can simply download a service from a country that operates under more favourable rules. It’s just like the climate change debate – these carbon particles don’t respect political boundaries any more. And neither do the acquirers of electronic services. If it’s hard to download from Germany, you might as well get it from Sweden.

An interesting emerging principle is one of accountability. The Madrid Resolution requires “the responsible person” to make available verifiable evidence that they have actually taken the measures necessary to meet their obligations – and this evidence should be made available both to regulators and individuals. It’s a neat idea – as it now places a greater onus on the company to establish it is behaving responsibly, rather than await an allegation that it had not behaved responsibly.

And this new “accountability principle” might well give the Data Protection Officers the stick they need to remind their companies that, in the event of transgressions, there will be fewer places to hide. And it might also give them an opportunity to point out to regulators that mistakes sometimes happen in spite of the efforts that the companies make to behave properly.