How’s Data Protection Doing In Your Country?
The categories of drivers for good data protection behaviours are not unlimited in number, or equal in power, but they include legal drivers, consumer pressure, activism, operational failures, corporate governance and more esoteric ideas such as reputation, ESG, enlightened self-interest and business purpose.
Of course, in practice, drivers can overlap and combine and when that happens, they can become more powerful in aggregate.
Operational failure isn’t the best strategy
For example, take the situation of a serious operational outage, say a cyber security breach that damages the confidentiality, integrity and availability of personal data. The incident might also impact the organisation’s ability to fulfil a business contract, or expose other entities in a supply chain to risk. A range of legal duties might be engaged in consequence, while the internal wash-up might reveal governance problems within the root cause. The incident might also stain the organisation’s brand and reputation. So, we see in the aftermath of a breach the potential for multiple drivers to coexist that should push the organisation towards a state of better data protection, or at least that’s the theory.
It would be a strange world, however, if we were to be totally reliant on operational failures to catalyse good behaviours. The real goal is for organisations to adopt enough good behaviours so as to reduce the risk of failure events occurring. Likewise, we have to be realistic about the strengths and limitations of consumer drivers, activism, enlightened self-interest and things like business purpose and ESG. You only need to look at the issue of climate change to understand this: we know what’s good for us and what we need to do, but the status quo has powerful, vested, economic self-interests, tied up with political sway, while the better path is obscured by immense complexities and the need for massive disruption. Therefore, we stay in the fast lane to chaos, bewildered by our inertias and default-biases.
Strong legal foundations needed for good behaviour
We know for a fact that very complex problems generally need strong legal interventions to create the momentum for behavioural change within the zone that is being addressed. Elements within these legal interventions include legislation, ex ante regulation and ex post enforcement that spans the regulatory arena and the judicial arena. These legal interventions set the expectations, they drive behavioural change in a direct sense and they provide a foundation stone and footings for other drivers to build upon and leverage off, such as the exercise of individual rights and processes of activism.
In this sense, the law stands in loco parentis to the other drivers, but like parents it should create the conditions for the offspring to thrive and mature into adulthood. In theory at least, if law does its job well, it can start to stand back. But if it stands back too soon, the offspring may not be strong enough to stand on their own two feet. Therefore, the law has to be present until the offspring have reached adulthood, being prescient and protective until they come of age.
Against this backdrop, how do we feel about the state of data protection law at this moment in time? And how does the UK compare against the EU?
The UK position
A significant challenge to face up to is the reality of Brexit. This concept was sold as a pathway for the UK to achieve sovereignty over its laws and it was always part of the plan that the EU GDPR would be replaced or altered. The process of law reform began in September 2021, with the publication of the government’s consultation paper “Data: a new direction”, which culminated in draft legislation, the Data Protection and Digital Information Bill, introduced in Parliament in July 2022. A visit to the government’s website shows that the Bill is in stasis. It is so deeply frozen that the website still shows Nadine Dorries as the sponsoring Minister, but she was replaced by Michelle Donelan in September 2022, who herself was replaced by Lucy Frazer in February 2023. It seems remarkable that a legal framework of such significance, with so much hanging off it, would be handled in this way. The legislative trajectory needs to be clear. When it is not, the implication is clear: data protection is not an important priority for the UK.
In the regulatory system, the tone is about prioritising advice and guidance over formal regulatory action, but where action is taken it will be targeted and strategic. There are many good arguments that can be made for this strategy, but on the other hand, there is also the issue of how the strategy is perceived. Whisper it quietly and behind closed doors perhaps, but up and down the land the perception appears to be growing within the data protection community that regulatory action could be dismissed as a countable risk. I wouldn’t agree, but if that perception embeds more strongly in the wider data controller and processor community, some of the progression of the GDPR-readiness years could be lost. Conversely, the ICO’s strategy of publishing a reprimand following a finding of contravention might provide a boost to compliance, if it triggers news reporting, for example.
Then there is the judicial system. As all students of the common law appreciate, litigation is necessary for our understanding of rights and obligations to progress. If we study more ancient legal frameworks than data protection, say land law (real estate), we must conclude that a healthy litigation culture is a thing to celebrate. However, in the data protection field in the UK, this is dying on its feet. The judicial push-back against data protection litigation, while understandable perhaps on a case-by-case basis due to the poor formulation of cases, adds to the overall sense of legal impoverishment that some people are feeling.
If this is a fair case to make, then the impacts for the other drivers for momentum are profound. For example, where does the consumer take their complaint if it falls on deaf ears? How will the activist take forward their position? Without a strong legal backbone, will the progression of data protection in the UK halt altogether?
I hope this is not the case, but only time will tell.
EU in contrast
In contrast, the legal framework in the EU seems to be thriving, as its three pillars – legislation, regulatory action and litigation – are working in tandem. Now, almost 5 years on from its introduction, the GDPR is delivering concrete and tangible results that have the real potential to extend their influence much more broadly, holding real promise for technological innovation, strengthening of competition and more consumer choice, in a data protection-consistent manner.
Backing off from the legal driver is generally conducive to the maintenance of the status quo. But the status quo does not always mean the best. Weak analogies are possible – such as the fact that we don’t put kids up chimneys any more – but instead look at the very heart of data processing and technological development itself. You can do your own homework on this, but as a hint, what do you think the interventions were that moved the world on from sclerotic voice telephony to a much more advantageous world of data processing?