A new fear is quietly stalking the land, haunting administrators of businesses, charities, schools and even political parties. It is called the EU General Data Protection Regulation 2016 (GPDR). It replaces our old friend the Data Protection Act 1998 with a set of regulations that are much more onerous. The usual experts are going back and forth gleefully stoking up fear, no doubt in the hope of consultancy fees and demand for training courses. But even allowing for their exaggerations, the change is significant. The politicians, meanwhile, are nowhere to be seen.
This is information politics in action. Loyal readers of this blog will know that I think that information politics should be, and will be, one of the most critical areas of political engagement, notwithstanding its current neglect. The political issues raised by this legislation illustrate that rather well – and the failure of the British political establishment.
To simplify gloriously, there seem to be three main approaches to data regulation: the American, the European and the Chinese. The Americans are giving general freedom to businesses, leaving privacy largely a matter for civil law to be resolved between businesses and citizens. They do, however, want to place limits on government abuse; many Americans are more worried about Uncle Sam prying on them than Google. The Chinese believe in complete government control, with no right to individual privacy. The Europeans believe in strong privacy rights backed up by criminal sanctions, and severe constraints on government agencies too. The GPDR, as its full title suggests, is very much in the European tradition. The purpose of the the extra regulations is to enhance individual rights to privacy, with rights to rectification, erasure and access. So citizens have a right to know what data is held on them, to correct errors and to be forgotten if they want. That means that the organisations have to know themselves how their data relates to individuals, and to make corrections and deletions accordingly. The new rules are altogether more thorough than their predecessors. They cover all data, not just electronic databases; political parties, which only caught the fringes of previous law, face much more onerous requirements, as do many charities.
What are the implications? It will put a lot stress on small organisations, something the British civil service will shed no tears about; they have always preferred to deal with a small number of big agencies. But some bigger businesses are going to find the going harder too – notably Google and Facebook. Mostly organisations will manage the risk by holding the minimum possible amount of data on their own behalf, digital and otherwise. Ironically this may be no bad thing for efficiency. Efficient people and organisations travel light. It’s an old trick of personal organisation: if you destroy everything, then you don’t waste time looking for things. Clever service businesses should be able to design inexpensive support systems that allow small organisations to comply with the regulations, once they have got into the habit of holding no paper records and regularly purging the digital ones. But until organisations realise that this is the new way, there is going to be a bumpy ride. The law may turn out to be almost impossible to comply with – and feel a bit like one of those Russian laws that are intentionally impossible, to give state agencies more arbitrary power.
But surely Brexit will come to the rescue? If there was an example of onerous European regulation that we can be freed from, then this must surely be it. Why can’t we now move to a more light-touch American regime? Alas no; the British government have made it very plain that this law is built to last after the country leaves the EU. Indeed, I understand, the law has been gold-plated to make it more onerous than the European standard. For what reason I’m not entirely sure; the government just seems to think it is a good idea.
Which it may be. These new rights do empower the citizen. Once explained to the public, they might very well like the new law. They would certainly not think that political parties, for example, should be given a free pass, and the rights to access and rectification look basic. The American way, where big businesses have excessive sway, is not necessarily the best. But it is a political choice, and there has been next to no political debate; if there was any, I missed it. This says a lot about how British politics works. A European regulatory proposal comes along; British officials decide whether they like the idea or not, and negotiate with other EU interests accordingly. They then present it to the British parliament as a fait-accompli, and promptly embellish it. And then it gets dumped on the British public with a shrug. It is no wonder that so many intelligent people became fed up with the EU. The British political establishment is using it as a way to bypass awkward political discussion; no doubt this happens in other European countries too. It is a colossal failure of the political class, but in a long British tradition. British institutions have long thought that secrecy over decision-making ensured its integrity.
Why wasn’t there more political debate? This could, or should, have happened at two distinct stages. The first was when the directive was being put together at EU level. The British government clearly had opportunities to intervene if it wanted to – and probably did, but with the minimum of consultation with its own people. And failing that there was the European Parliament. These institutions failed. Brexiteers will suggest that this is an example of arbitrary Brussels lawmaking; Remainers that it is a failure of the British political class to exercise their responsibilities properly. The second possible intervention was when the directive was translated into British law, when Parliament had a chance to scrutinise the proposals. If the directive was indeed gold-plated, then this would have been the appropriate moment to challenge it. But neither the popularly elected commons, nor the supposedly hard-working and expert Lords seem to have done very much.
Behind this there is a deeper failure. Who are the advocates of a different approach, easier for small organisations, profit or non-profit, to manage? Labour aren’t instinctively for enhancing individual rights, they aren’t very interested in making life easier for businesses either. Some on the left probably hanker after a more Chinese model of data regulation – but that is only hinted at in some dark statements on cracking down on tax evasion. The Lib Dems are not inclined to challenge European integration, which GPDR is part of, and anyway probably quite like the enhanced individual rights, in principle anyway. But you would have expected some resistance coming from the Conservative Party.
Alas no. The radical Brexiteers aren’t interested in detail. To them deregulation is a theoretical idea where somebody else has to do all the hard work subject to their backseat driving. The pragmatists are happy enough to go along with European integration. I have heard a bit of talk that there is fresh new thinking in the party, led by a crop of bright new MPs recruited in David Cameron’s tenure. If so you might expect that somebody would make the running and present a vocal challenge to the new regulations, and an alternative vision on how data regulation should work. But so far there is silence.
The truth seems to be that few British politicians have thought deeply about how me manage privacy and data, and therefore recognise the nature of the choices they are making. That is very disappointing.