In the last week I’ve been to two events in which representatives of the Information Commissioner’s Office have spoken. First came the 16th March meeting of the Society for Computers and Law entitled ‘Privacy by Design: Grand Design or Pipe Dream?’ at which Steve Wood, the ICO’s ‘Head of Policy Design’ spoke to a mixed group of lawyers of various kinds, some representing companies in the computing business. Then, on 22nd March, the Information Commissioner himself, Christopher Graham, spoke to the Westminster Media Forum, which was discussing ‘Social media, online privacy and the ‘right to be forgotten’.
On both occasions, the representatives of the ICO had a pretty rough ride, one way or another. At the first meeting, Steve Wood was given a hard time by people working in or for the people providing online services for the way that the ICO has dealt with the ‘EU Cookie Directive’, about which the ICO has recently issued a warning, suggesting that ‘UK businesses must ‘wake up’ to new EU law on cookies’. To put it at its most basic, the ICO was being castigated for being too tough on the industry. Steve Wood’s primary defence seemed to be ‘don’t shoot the messenger’, and that all they were doing was following orders from the EU, though how well that defence went down with the audience seemed a little unclear.
At the Westminster Media Forum, the Commissioner himself had an equally rough ride – and I have to admit that I was one of those who asked him a question that was perhaps a little negative in angle, wondering why so little attention was paid to data minimisation by the ICO, despite it embodying some of the most fundamental principles of data protection. The reply I got was somewhat terse – but my question was one of the gentlest that the Commissioner had to answer. In effect, he was being challenged by privacy advocates, consumer groups and others (including Microsoft’s Caspar Bowden) for not being tough enough on the industry.
So what are the ICO to do? One week they’re attacked for being too tough on the industry, the next they’re attacked for not being tough enough? Are either forms of attack fair or justified? Is there anything that the ICO can do to meet the expectations of both sides? Is the problem just an intractable one that can’t be resolved?
As someone who’s on the privacy advocacy side of the debate, I have a lot of sympathy for the ICO. They do a lot of good things, provide a lot of good guidance, and generally say the right things. They try to tread a delicate path between the industry and the people – and do their best to tread that path with care and without causing too many fights – and have asked (and now received) for some more ‘teeth’ to punish those who transgress and deter those who might be tempted to.
Still, however, I find myself wanting to criticise them quite a lot of the time, and find myself in general agreement with NGOs like Privacy International who wondered in February whether the ICO was fit for purpose. Why? Mostly, because the role I think they should be playing does not seem to be the role that they think they’re playing. They shouldn’t be playing a kind of conciliation service, working out compromises between the industry and the people – they should be on the side of the people first and foremost, and supporting those people’s rights. We haven’t got anyone else on our side – while the industry has huge amounts of lobbying power, together with the support of great ministries of government to whom trade and finance is the be-all and end-all. They also have the tacit support of large parts of the security lobby, who’d like as much surveillance and data retention as possible, as many back-doors into websites and social networks as possible, and would be happy for the industry to do the building, gathering and retaining of data for them.
So does the ICO need to be so careful not to upset them? I don’t think so – they should be braver to speak out and upset companies when those companies need to be upset, and to challenge them when they need to be challenged. They shouldn’t be ashamed of this – Steve Wood seemed highly apologetic at the SCL meeting, as if he was ashamed to acknowledge that, deeply flawed though the Cookie Directive may be, it was introduced to address a real issue, and a real issue that the industry had failed to address themselves. If the ICO ends up caving in on this issue too, it really will be showing that it’s not fit for purpose…