Thursday, 8 March 2012

ISEB Accreditation: Chapter 2

The third formal day of the course of instruction that ought to lead to my ISEB qualification (out of five) has been completed in Manchester. Two more days to go. Not much more black letter law to become reacquainted with. Sue Cullen really knows her stuff. The course gets lighter in tone from now on, as the participants learn more about how the law is actually applied in practice, rather than just what the law is.

I use data protection law as I would a musical instrument. I add a bit of common sense to generate a satisfactory response, rather than simply use it as a noise box to overwhelm everything else in earshot.

A Home Office official, some 20 years ago, really wasn’t lying when he observed that Data Protection legislation was specifically designed to be a cumbersome process. It will be interesting to see whether people are any more able to exercise their rights when the revised proposals see the light of day.

Someone suggested a few days ago that the new proposal (in whatever form it’s going to end up as) could quite radically change the current equilibrium between the legitimate interests of data controllers and the legitimate interests of individuals. This is because the current Directive focuses on protecting certain types of information about individuals, while the new thing is going to focus on protecting individuals. It needs to refocus if it is to be true to its “fundamental rights” agenda, because fundamental rights attach to individuals, not their information.

Is this an important distinction? For some people in the European Commission, I think it must be – which is why they must keep on harking on about the need to protect individuals at all costs. They seem to be less concerned at making sure that public institutions (and private companies) are able to flourish and innovate. Rather than roll out the red carpet when a data controller fancies doing a spot of innovating, some would prefer to smother these new initiatives in red tape.

Such an approach to prescribing the role of public authorities, when they, as data controllers, want to do a spot of innovating, might be fine in Member States whose citizens live under formal constitutions. In such states, the powers of these public authorities are formally laid down, so the limits of their authority are clear. But the situation in countries like the UK is different. We don’t live with the benefit of a formal constitution. (Not unless the European Commission has slipped one through and no-one has noticed, that is). In the UK, many powers of local authorities appear to derive from an exercise of the Royal Prerogative, rather than constitutional law. And British Governments have not, in recent generations, had an unhappy history like some former Governments of other European states, where citizens have found that their rights have been abused by the State.

But, in strictly prescribing the powers of the state institutions (in case they can’t be trusted, again), the Commission seems to wish at the same time to prescribe the powers of data controllers in just as strict a manner. But, tell me, which European data controllers have had a history of abusing the rights of individuals? And before anyone spits out the G word, or the F word, let me remind them that these examples aspire to be global data controllers not just European data controllers.

No, a cynic might suggest that the Commission is really trying to get tough with global controllers it knows it can’t tame, anyway.

Note to the Commission: Forget about Google and Facebook for a bit. They are big enough and well resourced enough to look after themselves and their customers. Focus on European data controllers for once. And try not to make life so tough for them that they cease really caring about developing new innovative privacy enhancing services and techniques. If life is made too challenging, they’ll just start to employ people to tick privacy boxes. Which won’t be much fun for those of us who want to work on the new and innovative services.