By Richard Thomas CBE
Former UK Information Commissioner
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Former UK Information Commissioner
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
What would data protection look like if we started with a blank sheet of paper? This is a fantasy. It will never happen. Even the dream gets clouded by what already exists. But dreams are healthy and sometimes gives valuable insights.
Let’s start with the basics. The New General Data Protection Law (NGDPL) must be short, clear and simple. It must not be incomprehensible to the general public, let alone the organisations (small and large) which are supposed to observe its requirements. There must be something wrong when a law needs 173 Recitals and 99 Articles and still gives rise to uncertainty or confusion, even amongst its regulatory bodies. It should be written in Plain Language and require all information provided to data subjects to be in Plain Language. And my fantasy gets rid of the jargon. Certainly no more “data subjects” - meaningless and subjugating to most people. Let’s stick to men, women, children, consumers and citizens.
And let’s aim to keep the paperwork (or digital communications) to the absolute minimum. Transparency is fundamental, but bombarding people with gobbledegook privacy policies serves little purpose, especially where the small print effectively obscures dubious activities. Worse still, creating a complete world of liars who confirm they have read and understood the garbage. The “notice and consent” approach to data protection should long since have been dead and buried.
To be less prescriptive and less process-based, NGDPL must be crystal clear with its Objectives. It must set out what it intends to achieve. Better still, it should state what it seeks to avoid. Good laws prevent evil, rather than promote virtue. This largely means that the new Law should be based on Harms from the misuse of personal information. This is a great deal more concrete than abstract references to fundamental rights and freedoms which prove actually not to be fundamental at all.
What harms? Any unlawful, unfair or deceptive use of personal information should be outlawed. So too should any sharing or use which breaches confidentiality or exceeds the person’s reasonable expectations. Beyond that, the risk-based approach provides most of the answers. Inaccurate, out-dated or wrongly-obtained personal information which leads to tangible harm - whether physical or economic – should clearly be prohibited. This includes bodily harm, loss of liberty or freedom of movement and financial loss. Intangible harm covers such matters as reputational damage, personal, family or social detriment, chilled freedom of speech and other unacceptable intrusions into private life. Societal harm which damages democratic values must also be covered, for example excessive state or police power and loss of social trust.
The important point about a harms-based approach is that it will send clear signals to everyone about what the Law is aiming to achieve. It also shifts attention to outcomes. Organisations should stop things going wrong or harms occurring – unacceptable outcomes - and be held accountable if they fail. This is better than lots of detailed procedures (e.g. on international transfers) which are driven by what might go wrong. Accountability for outcomes is better than accountability for “demonstrating compliance” with largely procedural requirements.
NGDPL will of course recognise that the digital world is global and so have worldwide application, or at least cover all liberal democracies. (I repeat this is a fantasy.) It will especially target governmentally-held data (including police and security forces). This recognises that governments have wide mandatory powers to obtain data, hold much more than commercial bodies, are not restrained by competitive pressures and can cause much greater harm when things go wrong.
The top priority for Supervisory Authorities should be to help organisations to “get it right”. The new Law needs to give them strong enforcement powers, but expect these to be concentrated on deliberate, high-risk or repeated non-compliance with the Law or situations where substantial harm actually has resulted. And all complaints should be diverted to Ombudsmen or similar institutions, rather than distracting from normal regulatory functions.
The blank sheet of paper does not exist. NGDPL will never be enacted. Perhaps a dream may be a nightmare for others. Or, perhaps a fantasy could at least be a starting-point for simplifying existing laws.
Let’s start with the basics. The New General Data Protection Law (NGDPL) must be short, clear and simple. It must not be incomprehensible to the general public, let alone the organisations (small and large) which are supposed to observe its requirements. There must be something wrong when a law needs 173 Recitals and 99 Articles and still gives rise to uncertainty or confusion, even amongst its regulatory bodies. It should be written in Plain Language and require all information provided to data subjects to be in Plain Language. And my fantasy gets rid of the jargon. Certainly no more “data subjects” - meaningless and subjugating to most people. Let’s stick to men, women, children, consumers and citizens.
And let’s aim to keep the paperwork (or digital communications) to the absolute minimum. Transparency is fundamental, but bombarding people with gobbledegook privacy policies serves little purpose, especially where the small print effectively obscures dubious activities. Worse still, creating a complete world of liars who confirm they have read and understood the garbage. The “notice and consent” approach to data protection should long since have been dead and buried.
To be less prescriptive and less process-based, NGDPL must be crystal clear with its Objectives. It must set out what it intends to achieve. Better still, it should state what it seeks to avoid. Good laws prevent evil, rather than promote virtue. This largely means that the new Law should be based on Harms from the misuse of personal information. This is a great deal more concrete than abstract references to fundamental rights and freedoms which prove actually not to be fundamental at all.
What harms? Any unlawful, unfair or deceptive use of personal information should be outlawed. So too should any sharing or use which breaches confidentiality or exceeds the person’s reasonable expectations. Beyond that, the risk-based approach provides most of the answers. Inaccurate, out-dated or wrongly-obtained personal information which leads to tangible harm - whether physical or economic – should clearly be prohibited. This includes bodily harm, loss of liberty or freedom of movement and financial loss. Intangible harm covers such matters as reputational damage, personal, family or social detriment, chilled freedom of speech and other unacceptable intrusions into private life. Societal harm which damages democratic values must also be covered, for example excessive state or police power and loss of social trust.
The important point about a harms-based approach is that it will send clear signals to everyone about what the Law is aiming to achieve. It also shifts attention to outcomes. Organisations should stop things going wrong or harms occurring – unacceptable outcomes - and be held accountable if they fail. This is better than lots of detailed procedures (e.g. on international transfers) which are driven by what might go wrong. Accountability for outcomes is better than accountability for “demonstrating compliance” with largely procedural requirements.
NGDPL will of course recognise that the digital world is global and so have worldwide application, or at least cover all liberal democracies. (I repeat this is a fantasy.) It will especially target governmentally-held data (including police and security forces). This recognises that governments have wide mandatory powers to obtain data, hold much more than commercial bodies, are not restrained by competitive pressures and can cause much greater harm when things go wrong.
The top priority for Supervisory Authorities should be to help organisations to “get it right”. The new Law needs to give them strong enforcement powers, but expect these to be concentrated on deliberate, high-risk or repeated non-compliance with the Law or situations where substantial harm actually has resulted. And all complaints should be diverted to Ombudsmen or similar institutions, rather than distracting from normal regulatory functions.
The blank sheet of paper does not exist. NGDPL will never be enacted. Perhaps a dream may be a nightmare for others. Or, perhaps a fantasy could at least be a starting-point for simplifying existing laws.
RSS Feed
