Comment: Bring on the wet towels

Back in the 1980s very few people, apart from me, seemed to take any interest in data protection. My first seminar on the subject attracted just 7 people. Things hotted up a little immediately after the passing of the EU Data Protection Directive in 1995. Then, in 1998, I was asked to draw up a report for the UK Data Protection Registrar (now Commissioner) on privacy at work. My resulting 12-page draft code of practice was approved by the British Security Industry Association, CIPD, and everyone who really mattered. The problem was that the Assistant Registrar realised one day that its copyright lay personally with me. Overnight my near-VIP status turned into ‘persona non grata’ and committees were formed. The several resulting codes of practice soon stretched to hundreds of pages long.

Ever since then the little grey men have never stopped elaborating ways to make business life as uncomfortable an experience as possible. If any company, for instance, followed the GDPR to the letter, it would seize up completely. But now, of course, there is a whole army of overnight experts to guide (or scare) a company through its protracted nonsense.

There is, of course, at the heart of data protection, a serious issue about who can keep, process, and communicate personal data – and to whom. Personal privacy has never been more under attack than in our advanced, digital age. But unfortunately our societies have left the development of these essential rights to those with a traffic warden mentality. It is not an essential right to be left alone that is being guarded, but a minefield of needless impositions in which the primary concern is clearly to make those generating economic wealth be faced with the ever-present threat of punishment and public exposure.

The latest twist in this painful saga has been the recent decision by the High Court of Ireland to refer a challenge to EU international data transfer rules made by a Mr Maximilian Schrems to the European Court of Justice for a preliminary ruling. The outcome of this decision could impact on the whole way that data is transmitted, especially between companies in the USA and European Union member states.

Then, just as it seemed that business life could not get any worse, the US Government and European Union have come up with other data management torments – the US Cloud Act and a dual EU bundle of Regulation and Directive, which jointly create an expensive, frustrating, and time-consuming raft of cross-border data disclosure obligations. These are not just aimed at internet service providers and instant messaging companies, but anyone running a digital market place. They will force companies to understand in detail privacy laws of numerous other countries. It will also oblige them to ignore the elaborate checks and balances established to comply with general data protection rules and such legislation as the US Stored Communications Act (SCA).

There does, of course, already exist a system allowing for official cross-border data access, called MLAT. This permits disclosure to authorities in another country without breaching privacy safeguards in both jurisdictions. The problem with MLAT is that it is slow because it involves state-administered judicial oversight. The new approaches would leave companies with the job of determining if an access request is lawful and genuine. Bring on the wet towels.

But perhaps we in business are all to blame, by letting the data privacy issue be taken over by the wrong people unchallenged and not lobbying enough when there was time to curtail the consequent excesses. Maybe I, in particular, was at fault. For what I produced back in 1998 was the world’s first national code of practice on privacy at work. If my copyright clause had not been there, maybe a simple 12-page guideline would still suffice?

 
