In an issue dominated by reflections of the stellar June SCL Conference and July’s wonderful Online Courts Hackathon, Laurence Eastham chooses to moan about government incompetence in dealing with the GDPR.
The Statement of Intent covering the proposals that will be included in the Data Protection Bill (expected to be presented to Parliament in September) was published just before this issue of the magazine was signed off for print. As many have commented, the DCMS tried to claim credit for many of the good things in the GDPR and this left a sour taste; it reminded me of the child proudly displaying a school project build that was clearly the work of a parent. It was just a little bit pathetic – and the media who swallowed that message should be ashamed of themselves.
Though it takes a little effort, one should push that sourness aside and judge the Statement of Intent on its merits. It has some merits. I fear though that two obvious demerits stand out.
First, it is not a Data Protection Bill and is not even a draft Data Protection Bill so, in an area where detail is all-important, we cannot adequately judge the effectiveness of the measures proposed.
Secondly, echoing comments I have made in past editorials, it is so late in arriving as to have already outstayed its welcome. It is now August 2017. The GDPR was finalised about 18 months ago – you could quibble about official texts and the like but the reality is that most of the content that had to be coped with was known 20 months ago. What’s more the GDPR did not fall out of a clear blue sky; its coming was foretold by Nostradamus in 1550 (I exaggerate mildly) – in short, we knew it was coming, we knew its broad terms and yet the government appears to have thought it unnecessary to have machinery in place to deal with it. Consultations on derogations should have been ready to go in May 2016. It is a sad comment on our expectations of government competence that nobody is surprised by these failures and the ICO must surely bear some blame for failing to convince government of the need for earlier action.
You cannot blame Brexit as the inaction precedes Brexit. Indeed, Brexit should have been the accelerator not a brake as the need for perceived ‘adequacy’ is rightly regarded as crucial. Had we led the way by being first to implement the GDPR, we could have pointed to a history of good practice that must surely have helped when seeking a declaration of adequacy. Without agreement on a considerable period of transition to full Brexit, it’s now going to be a very short history and the uphill struggle to be seen as offering adequate protection will be that bit steeper.
You cannot blame complexity. Germany has managed to publish, amend and enact the relevant legislation; we are just, finally, publishing a ‘Statement of Intent’.
Since the legislative machine in Westminster does not always run smoothly (and we haven’t had an election for weeks), there is now a distinct possibility that the GDPR will be in force before the Data Protection Bill receives Royal Assent. The alternative of a Bill rushed through its latter stages does not appeal much either. The chances of some detailed disconnect between the Bill and the GDPR and/or the Data Protection Law Enforcement Directive are considerably increased by a lack of detailed examination of the Bill by those (very few) Parliamentarians who have the required knowledge and interest. Quite how the Data Protection Bill’s timetable will fit with that of the European Union (Withdrawal) Bill remains to be seen; since the Withdrawal Bill aims to make existing EU law (which surely includes the GDPR) part of UK law, that could give rise to some interesting post-Brexit disputes concerning the chicken and the egg.
All of which prefaces my closing call for yet more guidance on the coming data protection revolution – GDPR, Data Protection Law Enforcement Directive, Data Protection Bill and all – to add to the admirable piece from Olivia Whitcroft that features on p 35. And, bearing in mind my preceding complaints, the sooner we get it the better.