The Statement of Intent covering the proposals that will be
included in the Data Protection Bill (expected to be presented to Parliament in
September) was published just before this issue of the magazine was signed off
for print. As many have commented, the DCMS tried to claim credit for many of
the good things in the GDPR and this left a sour taste; it reminded me of the
child proudly displaying a school project build that was clearly the work of a
parent. It was just a little bit pathetic – and the media who swallowed that
message should be ashamed of themselves.
Though it takes a little effort, one should push that
sourness aside and judge the Statement of Intent on its merits. It has some
merits. I fear though that two obvious demerits stand out.
First, it is not a Data Protection Bill and is not even a
draft Data Protection Bill so, in an area where detail is all-important, we
cannot adequately judge the effectiveness of the measures proposed.
Secondly, echoing comments I have made in past editorials, it
is so late in arriving as to have already outstayed its welcome. It is now
August 2017. The GDPR was finalised about 18 months ago – you could quibble
about official texts and the like but the reality is that most of the content
that had to be coped with was known 20 months ago. What’s more the GDPR did not
fall out of a clear blue sky; its coming was foretold by Nostradamus in 1550 (I
exaggerate mildly) – in short, we knew it was coming, we knew its broad terms
and yet the government appears to have thought it unnecessary to have machinery
in place to deal with it. Consultations on derogations should have been ready
to go in May 2016. It is a sad comment on our expectations of government
competence that nobody is surprised by these failures and the ICO must surely
bear some blame for failing to convince government of the need for earlier
action.
You cannot blame Brexit as the inaction precedes Brexit.
Indeed, Brexit should have been the accelerator not a brake as the need for
perceived ‘adequacy’ is rightly regarded as crucial. Had we led the way by
being first to implement the GDPR, we could have pointed to a history of good
practice that must surely have helped when seeking a declaration of adequacy.
Without agreement on a considerable period of transition to full Brexit, it’s
now going to be a very short history and the uphill struggle to be seen as
offering adequate protection will be that bit steeper.
You cannot blame complexity. Germany has managed to publish,
amend and enact the relevant legislation; we are just, finally, publishing a
‘Statement of Intent’.
Since the legislative machine in Westminster does not always
run smoothly (and we haven’t had an election for weeks), there is now a
distinct possibility that the GDPR will be in force before the Data Protection
Bill receives Royal Assent. The alternative of a Bill rushed through its latter
stages does not appeal much either. The chances of some detailed disconnect
between the Bill and the GDPR and/or the Data Protection Law Enforcement
Directive are considerably increased by a lack of detailed examination of the
Bill by those (very few) Parliamentarians who have the required knowledge and
interest. Quite how the Data Protection Bill’s timetable will fit with that of
the European Union (Withdrawal) Bill remains to be seen; since the Withdrawal
Bill aims to make existing EU law (which surely includes the GDPR) part of UK
law, that could give rise to some interesting post-Brexit disputes concerning the
chicken and the egg.
All of which prefaces my closing call for yet more guidance
on the coming data protection revolution – GDPR, Data Protection Law
Enforcement Directive, Data Protection Bill and all – to add to the admirable
piece from Olivia Whitcroft that features on p 35. And, bearing in mind my
preceding complaints, the sooner we get it the better.