Thursday 29 July 2010

A licence to print money?

My oh my, the good people that make up the Article 29 Working Party have been busy bunnies recently. Data retention, RFID, standard contractual clauses – it’s enough to give any serious privacy blogger repetitive strain injury.

Their latest offering goes by the innocent name of “Opinion on the principle of accountability” and Matron would surely have dismissed it (and hence missed it) as some sort of administrative porn had the term not cropped up recently in a number of submissions to the European Commission’s online consultation on the future of the EU data protection framework. And indeed, the opinion is designed to put ideas into the heads of those folks at the Commission who are currently trying to figure out what needs to be done to bring the existing EU data protection regime into the 21st century. Since Matron closely follows everything relating to the long-promised review of the EU Data Protection Directive, she decided to take a peek and what a revelation it has been.

Accountability, you see, describes (very inadequately, Matron feels) what could well be a completely new way of “doing” data protection. As the Working Party itself readily admits, the term has real meaning only in the English language, so heaven knows what the EU translators will make of it. But, in essence, it is the very simple idea that if you are supposed to do something, you should not only do it, but also put processes in place that ensure that you do it well and provide evidence to prove that you have done it properly and in accordance with those processes. In practice, this usually amounts to a whole lot of dead trees and I am sure that, if this blog is read by any members of the health, social services or teaching professions, they will by now sagely nod their heads.

Matron has always had a difficult relationship with the whole accountability concept, partly on account of the dead tree issue, but partly because she can’t help thinking that the time spent on recording what one has done would, in most cases, be better spent on actually doing more of it. At the very real risk of sounding like a Big Society Tory, noting on a patient file – as has happened in the case of Mrs. Matron's grandmother – that “Lily Rose is dehydrated” is not much help when there is then no one who has the time to bring her a glass of water and make sure she drinks it. But putting such petty prejudices aside for the moment let us look at what the Working Party actually has to say.

It starts with making a few salient points that we would all do well to remember even though they are, to the informed privacy wonk at least, rather obvious. Namely, that the growth of information and communication systems and the increasing capability for individuals to use and interact with technologies has changed the rules of the game for the processing of personal data. In a digital world where more and more companies hold more and more of our data and in an on-line environment where personal data has “become the de facto currency in exchange for on-line content” we have to make sure more than ever before that those who use personal data implement “real and effective internal mechanisms” to protect that data. So far, so much Matron is in agreement.

Also, data protection breaches have the potential to be much more devastating in a networked environment where – as Matron's pal Pangloss once put it – it is no use shutting the stable door once the data has bolted. And it is by no means only the data subjects who should worry. With increased penalties (both monetary and custodial) coming into force in many EU member states, data controllers should have a good enough incentive to play by the rules. And that says nothing about the potential damage to their reputation.

However, despite these threats, experience has actually shown that many data controllers pay little or no attention to data protection provisions. In fact, by and large they seem to rely on the (possibly correct) notion that the national data protection authorities are so underfunded and so overworked that the odds of them ever being caught are minuscule. Rogue data controllers are all too often able to vanish in the crowd and unless our cash-strapped governments pump vast amounts of money into enforcement activities (a likely event!), we will all have to live with the consequences.

Which is why, for example, the Information Commissioner’s Office here in the UK has long been engaged in what can only be described as a battle for the “hearts and minds” of data controllers. Publication after publication has been produced, intended to convince data controllers that there is some commercial or economic benefit to be had from implementing data protection rules. Their latest attempt, a document called “The Privacy Dividend”, makes this point on a seam-busting 93 pages. That’s almost as long as the iPhone Privacy Policy, and that’s saying something. No matter, the CEOs aren’t buying it! Data protection costs money, and money is what we all have too little of at the moment.

So, if they won’t come by crook, maybe it is indeed time for the hook, in this case in the form of a “revised legal architecture of accountability-based mechanisms”. But what should these systems look like? Well, for a start they are supposed to consist of a two-tier system, with the first tier comprising a legally binding statutory accountability requirement and the second tier including a number of additional, but voluntary, accountability systems. Ignoring for the moment the point that any “voluntary” systems are likely to go the way of all St Augustine dilemmas (“make me pure, but not yet”), Matron wishes to pay particular attention to the general accountability principle which, according to the Working Party, should be inserted into the revised directive as an additional principle with which data controllers have to comply. It has even proposed concrete wording for such a new Article, which Matron is happy to share with you:

Article X - Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2. The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.

As the legally astute will quickly divine, the new principle has two elements: a requirement to take appropriate and effective measures to implement data protection principles and a requirement to demonstrate upon request that appropriate and effective measures have been taken (sound familiar yet?).

Although the Working Party shies away from postulating the incorporation of specific types of measures into the revised directive, its reticence does not go so far as to prevent it from making a number of suggestions. Among other things, it thinks that in the future data controllers should:

  • adopt internal policies and processes necessary to implement data protection principles;
  • appoint personal data protection officials;
  • map procedures to ensure proper identification of all data processing operations and maintain an inventory of data processing operations;
  • set up procedures to manage access, correction and deletion requests which should be transparent to data subjects;
  • establish an internal complaints handling mechanism;
  • set up internal procedures for the effective management and reporting of security breaches; and
  • perform privacy impact assessments.

And here is where Matron is in two minds about this noble endeavour. On the face of it, all these activities sound very useful and, indeed, if fully embraced by data controllers they would vastly improve the way in which personal data is processed in this country. This is what data controllers should be doing anyway, and Matron is forever frustrated when she comes across a company that happily goes ahead with some harebrained business scheme without giving any thought to the potentially disastrous data protection implications (in fact, in some cases, the term “harebrained” is an insult to the proud species of hare!). But the way Matron sees it, the introduction of such a principle would in no way solve what is the real problem here: the complete lack of oomph behind the enforcement actions by national data protection authorities.

Admittedly, some of this enforcement would be “outsourced” to the data controllers themselves through an additional requirement to have the effectiveness of the accountability measures verified regularly through monitoring and internal and external audits. The Working Party also, possibly correctly, claims that these requirements would strengthen the position of data protection authorities, which would have the power to request evidence of compliance from the data controller. This, the Working Party says, would provide the authorities with “very relevant compliance related information”. And if such information was not forthcoming, data protection authorities would have an immediate cause of action against data controllers, independently of the alleged violation of any underlying data protection principles. All true, no doubt, BUT IT WOULDN'T GIVE THEM ANY MORE MONEY TO DO THIS VASTLY MORE DEMANDING JOB!

Also, the latter argument sticks in Matron’s craw. In fact it reminds her (yet again! Does life forever imitate art?) of a particular Yes Minister episode, where an Under-Secretary patiently explains to Hacker that a local council which failed to return its annual statistics was nevertheless highly effective (virtually all its children could read and write, even though they had a progressive education!). They just didn’t like sending bits of blue paper to Whitehall.

Maybe Matron is unfair in this instance (if so, please make coherent arguments as to why this is so in the comments section). Maybe this would turn out to be more than just a paper exercise. But, as the Working Party itself admits, compliance with an accountability requirement does not automatically ensure compliance with the actual data protection principles. And surely that is what counts? But for that to be achieved, we need people to take ownership of data protection, to realize what insufficient protection could mean for them as individuals, to close the gap between the privacy haves and have-nots.

Is this plan going to help achieve that objective? Maybe. Is it going to make a lot of lawyers a lot of money? Almost certainly. Matron, who makes a living out of drafting the sort of documents companies would be required to adopt, is already secretly compiling a portfolio of materials in her head that might allow her to retire to some place warm and appealing rather earlier than she had previously hoped. In fact, this almost seems to be one of the Working Party’s desired side effects when it states that the introduction of the accountability principle will “contribute to the development of legal and technical expertise in the area of implementing data protection requirements as highly knowledgeable individuals with technical and legal understanding in the field of data protection, with abilities to communicate, train staff, set up and implement policies, and audit will be indispensable in this area”. You’re not wrong there, mates! Just let me get a shovel for all that dosh.

Overall, the whole approach seems to owe a lot to the concepts already tried in relation to Binding Corporate Rules (BCRs) (see here for the Working Party’s guidance on those to verify this statement). To date, the uptake of BCRs has been spectacularly slow because the immense effort and cost involved in putting them into place has meant that they were only ever economically viable for big global groups of companies. Is it really a proportionate approach to extend this sort of requirement to all data controllers in the EU? And will it win those hearts and minds, or will it alienate data controllers further? Answers on a postcard, please!
