Wednesday, 11 June 2014

Pointless data protection practices

The Crouch End Chapter of the Institute for Data Protection held its summer party yesterday.  Tall tales of data protection heroism were recanted, then as the alcohol continued to flow, the conversation turned into a good-natured argument about the most pointless bit of data protection practice.

Could anything beat the futility of registering all of your data protection processing purposes with the ICO, and creating lists of classes of recipients for each purposes?

After about half an hour, there was general agreement on what was the most pointless bit of data protection practice. Someone mentioned that when contracts were negotiated at their workplace, the data protection team ensured that, stuffed inside one of the schedules, were the EU model clauses that relate to data controller – controller or data controller – processor relationships.

Just in case anyone has forgotten why these clauses are considered important, they are used, in Eurospeak,  “to ensure that the contracts provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals as regards the exercise of their corresponding rights.

Yeah, right.

Let’s put it another way.

The Controller / Controller clauses were originally introduced in 2001, and were revised in 2004. The Controller / Processor clauses were originally introduced in 2002, and were revised in 2010. They involve the creation of a standard template, which then (usually) needs to be formally agreed by way of an exchange of paper documents, as lots of lawyers don’t trust the authenticity of the electronic versions.


I’m not sure who reads them before they are agreed, or who audits them to offer an assurance about compliance after they have been agreed. I’m actually not sure if there has ever been any litigation that tested or was based on any of these clauses.

If anyone knows of any occasion where anyone has ever taken action to enforce compliance with any of these clauses, please let me know and I’ll ensure that their fame spreads across the globe.

It was the unanimous view of everyone still standing at the end of the summer party that the clauses were, in practice, worthless. They might well have given someone the impression that the relevant protections were in place, but these protections are virtual, rather than real.

There was a grudging acceptance, though, that the standard contractual clauses were of value in that they gave data protection teams something to do. If clauses were required, then they needed to be inserted into contracts, and formally agreed. All good work for the working man to do. Anecdotal evidence suggested that some global companies actually employed teams of people whose sole purpose was to ensure that the right words were in place for the relevant agreements between all subsidiary companies, and others. Is this a complete waste of money, or simply a cost of doing business in the EU?

Given the lack of any evidence of any effort to do anything once the contracts have actually been signed, it appears that the administrative burden of inserting the relevant clauses in the relevant contracts is simply a cost of doing business in the EU.