Laurence Eastham wants to see a constructive reaction to the current data protection fever to combat dangers that may arise once that fever has subsided.
This is not necessarily a once-in-a-lifetime moment - but it might be. The timing of the Facebook revelations – most of which were hiding in plain sight – to coincide with peak-GDPR has created a level of data protection awareness that is unparalleled in my working life. The SCL Data Protection Hackathon on 16 June could not be better timed. It may be a fever and it may pass shortly. The challenge for SCL members and data protection professionals generally is to use this fevered period to ensure that the framework on which data protections rests is strong enough to withstand changes in the political mood, and challenges from new fevers, so that it is sufficiently robust to protect privacy in the next decade.
Three obvious threats occur to me.
First, Brexit is likely, in the short or long term, to mean that we cease to be required to share the higher priority given to data protection and privacy by those of our fellow Member States which have endured periods of State surveillance and restrictions of freedom. Of course, we do not have to relinquish the link with EU regulation and all the noises, including pretty comprehensive government commitments, suggest that we will firmly link to its standards. But there are background comments that might suggest a slackening of standards that will make us ‘more competitive’ and more attractive to data-focused start-ups and there are those in support of any change that will ease us free from what they see as being dictated to by the CJEU. And those who believe that we will happily amend the Investigatory Powers Act 2016 to achieve adequacy may be delusional. The danger is that, post-Brexit, we will embrace GDPR and developing standards with all the enthusiasm and sincerity of Mark Zuckerberg. That is not just some technical issue for the DP-obsessed but a very real danger that will have ongoing impact on every individual and this is a good time to make sure it has no respectable advocates.
The second danger arises from inadequate funding. I hope that the Information Commissioner’s Office is taking the opportunity that the current data protection focus provides to up its demands for funding. It has already been given a certain lassitude with regard to salaries but the recruitment crisis that arises from the need for larger businesses to have a Data Protection Officer in place by 25 May has meant that anyone who can spell ‘GDPR’ and remember that the R stands for Regulation in in the singular is currently ordering a gold-plated Rolls financed by their signing-on bonus. It’s tough for the ICO to recruit all the staff it needs in that climate. Ensuring that the ICO has the staff to carry out its full remit – its awareness and educational role and its enforcement role – is not going to be easy. Mere numbers will not tell the full story because a level of expertise needs to be available from D-day and staff who gain experience need to be retained. I sincerely hope that Elizabeth Denham is taking every opportunity to get that message across to obtain solid increases in ongoing funding and continue to regret that there seems no mechanism for the very high costs of investigation and enforcement to be clawed back from miscreants.
The third danger is more subtle but this may be the only opportunity to combat it. I am instinctively supportive of anything with ‘open’ in its title or which includes among its objects increased control by data subjects (in a technical and non-technical sense) of the data that pertains to them. So, for example, I like ‘open banking’ and I like the idea of patients having access to their data and so on – utilities data via smart meters is a Good Thing and so on. But I am not sure that control and openness will have quite the effect I want. We have an environment in which the vast majority of the population have little understanding of the uses to which data can be put. The temptation is to agree to sharing data with all who ask us to share because we have got used to agreeing by ticking boxes (life really is too short to read T&Cs) and ‘sharing’ is good. Surely, many may feel, our bank and our medical practitioners have our best interests at heart and that other nice man asked nicely even if we cannot quite grasp what he was on about. So this should be the Spring to sow seeds of suspicion across the population in the hope that we can embed the same level of healthy cynicism about the motives and competence of those seeking to get a share of our data that I see among most SCL members. (If I was to list all the bodies I fully trust with my data, I would still have room for a scrawly signature on the stamp on which I compiled the list.) If we cannot sow the seed of the need for great care in sharing data in this climate, we can never hope to do so in the future.