I attended the Westminster eForum this morning. The subject was the new Data Protection Framework, and there was a stellar cast of speakers and panellists, from the estimable Peter Hustinx (the European Data Protection Supervisor), the MoJ’s Lord McNally and the ICO’s David Smith to representatives of Facebook, Google, the online advertising industry, computer security experts Symantec, Which, and top lawyers Allen and Overy.
Most of the forum was fairly predictable – strong and excellent stuff from Hustinx defending the new framework, even suggesting it might not go far enough in some places, to the expected (if carefully worded) attempts to undermine it from the politicians and most of the business people. The latter were generally disappointing in one particular way: very few of them seemed to grasp the ultimate purpose of the regulation, or the real reasons for its existence. They didn’t seem to have asked themselves two key questions: why has this regulation come about in the first place, and what is its underlying purpose?
Why has this regulation come about?
The two are of course linked – and missing the point of both is similarly linked. So why has this regulation come about? Well, we heard a lot of history this morning, all about how much had changed since the original data protection regime came into existence in 1995. All of it was undoubtedly true – the internet as it now exists was close to inconceivable back in 1995, and what we do now both as individuals and as businesses has completely changed. Is that why the regulation needed to change? In a way, of course it is – but thinking along those lines is missing the bigger point. Why was data protection regulation needed in the first place, back in 1995, and what was its intention then?
Ultimately, there were (and still are) two purposes. As Hustinx and others (including an excellent intervention from Douwe Korff) stressed, it is about what we (in Europe at least) consider to be fundamental rights. Ilias Chantzos of Symantec made the point that the original intention was to enable better cross-border data flow – and indeed it is clear that both are the case. Fundamental rights need protecting, and data needs to be allowed (or even encouraged) to flow, but in accordance with those rights.
All that is well and good – but still begs the underlying question: why was data protection needed? Regulation generally comes about because there is a problem – and that is the case here.
The problem was twofold: that data was not flowing as freely as it should have been, and that fundamental rights were not being protected. In particular, privacy was not being respected.
What has changed in the intervening period? Well, there doesn’t seem to be as much of a problem of data flowing as there used to be – but there’s still a problem of privacy not being respected. That, more than anything else, is what lies behind the need for the new regulation. That’s why the regulation is tough. If there aren’t big problems, there’s no need for tough regulation.
We have a tough regulation here – because there ARE big problems.
How do you comply with regulation?
This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it.
The purpose of the very existence of these regulations is to make businesses (and governments) change what they do, or at least how they do it.
Changes!
Protecting fundamental rights when those rights are being infringed does not mean filling boxes or writing reports. It means changing what you do. Let me repeat that. It means changing what you do.
The approach to regulations seems generally to be more like ‘we’re going to do this, now help us comply with the regulations’ than ‘what do the regulations suggest is inappropriate – let’s not do those things’. That’s not the real point – the point is that compliance should come by doing the right thing, not by trying to shape your ‘wrong’ thing into a form that ticks the boxes. Only the impressive Anthony House from Google seemed to grasp that – and to suggest that Google wants to do the ‘right’ thing about privacy not because the law says it should, but because it’s a good thing to do, and because its users want these kinds of things. Whether Google are actually doing this is a slightly moot point – but he did seem to understand.
Change is hard, everyone knows that – but the first stage is recognition that change is necessary. If you find that your business, or your government department, can’t seem to comply with the regulations, don’t complain about the regulations – ask yourself why your activities don’t seem to comply. Could it be that you need to change? It could, you know, it could….