Centre for Information Policy Leadership

A Fresh Start for Data Protection

1/20/2022

By Richard Thomas CBE 
Former UK Information Commissioner


Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
What would data protection look like if we started with a blank sheet of paper? This is a fantasy. It will never happen. Even the dream gets clouded by what already exists. But dreams are healthy and sometimes give valuable insights.

Let’s start with the basics. The New General Data Protection Law (NGDPL) must be short, clear and simple. It must be comprehensible to the general public, let alone to the organisations (small and large) which are supposed to observe its requirements. There must be something wrong when a law needs 173 Recitals and 99 Articles and still gives rise to uncertainty or confusion, even amongst its own regulatory bodies. It should be written in Plain Language and require all information provided to data subjects to be in Plain Language. And my fantasy gets rid of the jargon. Certainly no more “data subjects”: meaningless and subjugating to most people. Let’s stick to men, women, children, consumers and citizens.

And let’s aim to keep the paperwork (or digital communications) to the absolute minimum. Transparency is fundamental, but bombarding people with gobbledegook privacy policies serves little purpose, especially where the small print effectively obscures dubious activities. Worse still, it creates a whole world of liars who confirm they have read and understood the garbage. The “notice and consent” approach to data protection should long since have been dead and buried.

To be less prescriptive and less process-based, NGDPL must be crystal clear about its Objectives. It must set out what it intends to achieve. Better still, it should state what it seeks to avoid. Good laws prevent evil, rather than promote virtue. This largely means that the new Law should be based on Harms from the misuse of personal information. This is a great deal more concrete than abstract references to fundamental rights and freedoms which, in practice, turn out not to be fundamental at all.

What harms? Any unlawful, unfair or deceptive use of personal information should be outlawed. So too should any sharing or use which breaches confidentiality or exceeds the person’s reasonable expectations. Beyond that, the risk-based approach provides most of the answers. Inaccurate, outdated or wrongly obtained personal information which leads to tangible harm, whether physical or economic, should clearly be prohibited. This includes bodily harm, loss of liberty or freedom of movement, and financial loss. Intangible harm covers such matters as reputational damage; personal, family or social detriment; chilled freedom of speech; and other unacceptable intrusions into private life. Societal harm which damages democratic values must also be covered, for example excessive state or police power and loss of social trust.

The important point about a harms-based approach is that it sends clear signals to everyone about what the Law is aiming to achieve. It also shifts attention to outcomes. Organisations should stop things going wrong or harms occurring (unacceptable outcomes) and be held accountable if they fail. This is better than lots of detailed procedures (e.g. on international transfers) which are driven by what might go wrong. Accountability for outcomes is better than accountability for “demonstrating compliance” with largely procedural requirements.

NGDPL will of course recognise that the digital world is global and so have worldwide application, or at least cover all liberal democracies. (I repeat this is a fantasy.) It will especially target governmentally-held data (including police and security forces). This recognises that governments have wide mandatory powers to obtain data, hold much more than commercial bodies, are not restrained by competitive pressures and can cause much greater harm when things go wrong.

The top priority for Supervisory Authorities should be to help organisations to “get it right”. The new Law needs to give them strong enforcement powers, but these should be concentrated on deliberate, high-risk or repeated non-compliance with the Law, or on situations where substantial harm has actually resulted. And all complaints should be diverted to Ombudsmen or similar institutions, rather than distracting from normal regulatory functions.

The blank sheet of paper does not exist. NGDPL will never be enacted. Perhaps a dream may be a nightmare for others. Or, perhaps a fantasy could at least be a starting-point for simplifying existing laws.
Comments
Hielke Hijmans
1/24/2022 02:34:20 pm

Dear Richard, a great attempt to regulate. I believe in simple solutions, in regulators being the friend of organisations, not the policemen, and in regulators setting their own priorities (not driven by complaints).
However, there are two themes I would not agree with: that regulators should focus on governments, and that we do not need a stick. Hielke

Copyright © 2022 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.