Travelling back from the Computers, Privacy and Data Protection conference in Brussels, I had a fascinating conversation with someone who was there right at the beginning of data protection. It was a conversation that revealed a great deal to me, first of all about the process towards the reform of the Data Protection regime, but more importantly about the whole process of reform.
The conversation was about the negotiations that led up to the adoption of the initial Data Protection Directive, back in 1995 – nearly 20 years ago – a process that has great parallels with the current, somewhat agonizing processes as we work towards a new data protection regime. This is something that needs proper academic study – but even at first glance the echoes are very strong. As it was outlined to me, the process had two very direct parallels with the current negotiations:
- Businesses were lobbying very heavily, and making predictions of total disaster: data protection was going to destroy business, ruin lives etc
- The UK government was supporting their lobbying – helping them directly in an attempt to undermine, weaken or possible destroy the directive.
Exactly the same seems to be happening this time around – the business lobbying is if anything even heavier and doom-laden, and the government has been laying on just as thick with speeches and reports coming thick and fast, most recently suggesting that the whole ‘regulation’ approach is inappropriate.
Now the first time around, despite the doom mongering, the business world didn’t come to an end. Data protection hasn’t brought about the end of the world as we know it – indeed, for something created nearly 20 years ago in a world where technology has been changing with incredible rapidity, data protection has, in my opinion, shown remarkable resilience and continuing relevance.
The world didn’t end….
If the world didn’t come to an end that time around, is it any more likely to this time around? It doesn’t seem likely – so we should take all the moaning, groaning and doom-mongering about the new regulation, and in particular about things like the right to be forgotten which is part of that regulation, with huge pinches of salt.
There are, of course, many other reasons that the world didn’t come to an end as a result of the introduction of data protection. The first, and perhaps most important, is that IT itself developed in such a way as to either circumvent the ‘disadvantages’ of data protection regulation, or as to make compliance with data protection easier. The latter could be said to be an advantage of the legislation – it brought about the beginnings of what’s now known as ‘privacy by design’. That is, systems were designed with compliance in mind – which is a good thing, if you believe in the aims of the legislation.
The former, that people found ways to circumvent the disadvantages, is also closely connected with the other main reason that data protection legislation didn’t cause the end of the world: many people simply ignored it, and went along their own merry way, either undetected or willing to take the consequences of any detection.
Will it be any different this time around?
All of these key factors – that systems will develop to make compliance easy or to avoid the legislation, or that people will just not bother to comply – are pretty much as likely to happen this time around as last time. IT will develop – it always does – and in all kinds of unpredictable ways. People will find ways to avoid, circumvent, or comply with the legislation in other ways – they always do. It will be the same cat-and-mouse story as before – as it is in pretty much all areas of law. Ultimately, though, life will go on.
Of course businesses moan – and of course they fear regulation, because regulation challenges them. It challenges them to change – because change is needed. That’s the real point. Regulation doesn’t arise in a vacuum, just because some bureaucrats have decided they want to wrap us all in a bit more red tape. Regulation arises, in general, because there’s a problem that needs addressing. Sometimes it arises because businesses or people have been behaving in ways that they shouldn’t, or ways that threaten the rights of others. Sometimes it arises because new technology or new situations demand it.
In the case of the new data protection regime, it’s a bit of both of these – some businesses are doing things they shouldn’t. They’re invading our privacy in ways that they really shouldn’t, and ways that do threaten our rights. And the technology has changed, and those changes need addressing. So we need a new regulation – and we shouldn’t be so afraid of it. Regulation isn’t all bad – indeed, it’s very often quite the opposite. Good, robust regulation helps those it regulates – as data protection has, in general, helped over the years.
Yes, regulation will challenge some business models – but business models NEED to be challenged. Some may even fail – but, frankly, some businesses need to fail. We shouldn’t be overly concerned by it – and shouldn’t bend over backwards to support them, as we seem to do all to often. Phorm is an example in this field which springs immediately to mind…
New regulation can help support new and better businesses – and businesses that are positive and forward-looking, that build business models that respect the privacy and rights of their customers, could find that new regulations offer new opportunities. Better businesses could get competitive advantages by behaving well, rather than by behaving badly. It’s all too easy for systems to support the unethical businesses over those that are ethical and supportive of their customers, as the last few years have demonstrated all too graphically.
…so let’s embrace regulation – even privacy regulation – and see how it can help us, rather than fighting it and fearing it. That doesn’t help anyone. The new proposed Data Protection Regulation has a lot going for it – and being more positive about it, working with it, trying to understand it rather than trying to undermine it, is much more likely to get a good result, both for people and for businesses.