Editorial – April/May 2018

April 22, 2018

This is not necessarily a
once-in-a-lifetime moment – but it might be. The timing of the Facebook
revelations – most of which were hiding in plain sight – to coincide with
peak-GDPR has created a level of data protection awareness that is unparalleled
in my working life. The SCL Data Protection Hackathon on 16 June could not be
better timed. It may be a fever and it may pass shortly. The challenge for SCL
members and data protection professionals generally is to use this fevered
period to ensure that the framework on which data protections rests is strong
enough to withstand changes in the political mood, and challenges from new
fevers, so that it is sufficiently robust to protect privacy in the next
decade.

Three obvious threats occur to me.

First, Brexit is likely, in the short or
long term, to mean that we cease to be required to share the higher priority
given to data protection and privacy by those of our fellow Member States which
have endured periods of State surveillance and restrictions of freedom. Of
course, we do not have to relinquish the link with EU regulation and all the
noises, including pretty comprehensive government commitments, suggest that we
will firmly link to its standards. But there are background comments that might
suggest a slackening of standards that will make us ‘more competitive’ and more
attractive to data-focused start-ups and there are those in support of any
change that will ease us free from what they see as being dictated to by the
CJEU. And those who believe that we will happily amend the Investigatory Powers
Act 2016 to achieve adequacy may be delusional. The danger is that,
post-Brexit, we will embrace GDPR and developing standards with all the
enthusiasm and sincerity of Mark Zuckerberg. That is not just some technical
issue for the DP-obsessed but a very real danger that will have ongoing impact
on every individual and this is a good time to make sure it has no respectable
advocates.

The second danger arises from inadequate
funding. I hope that the Information Commissioner’s Office is taking the
opportunity that the current data protection focus provides to up its demands
for funding. It has already been given a certain lassitude with regard to
salaries but the recruitment crisis that arises from the need for larger
businesses to have a Data Protection Officer in place by 25 May has meant that
anyone who can spell ‘GDPR’ and remember that the R stands for Regulation in in
the singular is currently ordering a gold-plated Rolls financed by their
signing-on bonus. It’s tough for the ICO to recruit all the staff it needs in
that climate. Ensuring that the ICO has the staff to carry out its full remit –
its awareness and educational role and its enforcement role – is not going to
be easy. Mere numbers will not tell the full story because a level of expertise
needs to be available from D-day and staff who gain experience need to be
retained. I sincerely hope that Elizabeth Denham is taking every opportunity to
get that message across to obtain solid increases in ongoing funding and
continue to regret that there seems no mechanism for the very high costs of
investigation and enforcement to be clawed back from miscreants.

The third danger is more subtle but this
may be the only opportunity to combat it. I am instinctively supportive of
anything with ‘open’ in its title or which includes among its objects increased
control by data subjects (in a technical and non-technical sense) of the data
that pertains to them. So, for example, I like ‘open banking’ and I like the
idea of patients having access to their data and so on – utilities data via
smart meters is a Good Thing and so on. But I am not sure that control and
openness will have quite the effect I want. We have an environment in which the
vast majority of the population have little understanding of the uses to which
data can be put. The temptation is to agree to sharing data with all who ask us
to share because we have got used to agreeing by ticking boxes (life really is
too short to read T&Cs) and ‘sharing’ is good. Surely, many may feel, our
bank and our medical practitioners have our best interests at heart and that
other nice man asked nicely even if we cannot quite grasp what he was on about.
So this should be the Spring to sow seeds of suspicion across the population in
the hope that we can embed the same level of healthy cynicism about the motives
and competence of those seeking to get a share of our data that I see among
most SCL members. (If I was to list all the bodies I fully trust with my data,
I would still have room for a scrawly signature on the stamp on which I
compiled the list.) If we cannot sow the seed of the need for great care in
sharing data in this climate, we can never hope to do so in the future.