<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Stewart Room</title>
	<atom:link href="http://www.stewartroom.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.stewartroom.com</link>
	<description>Lawyer specialising in data protection, privacy and security</description>
	<lastBuildDate>Mon, 14 May 2012 13:26:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>No time for work, too busy training</title>
		<link>http://www.stewartroom.com/?p=1451</link>
		<comments>http://www.stewartroom.com/?p=1451#comments</comments>
		<pubDate>Mon, 14 May 2012 13:26:08 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Data Protection Act]]></category>
		<category><![CDATA[Data Protection Directive]]></category>
		<category><![CDATA[Data Protection Regulation]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[ICO cases]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1451</guid>
		<description><![CDATA[One of the exercises I&#8217;ve been working on recently is a drawing together of all of the compliance objectives for data security that flow out of the Information Commissioner&#8217;s enforcement activities in this area over the past 6 years, as &#8230; <a href="http://www.stewartroom.com/?p=1451">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>One of the exercises I&#8217;ve been working on recently is a drawing together of all of the compliance objectives for data security that flow out of the Information Commissioner&#8217;s enforcement activities in this area over the past 6 years, as found in the various undertakings, Enforcement Notices and Monetary Penalty Notices that have been published on his website.</p>
<p>So, the task that I&#8217;m setting myself is to identify (1) the reason for enforcement activity (i.e., the alleged contravention of the DPA) in each individual case and (2) the corresponding remedial action that the regulator has required (say, train your staff on the need to put medical reports in the right envelope, so they are sent to the right person, which is at the heart of the most recent financial penalties case).</p>
<p>A very interesting picture emerges &#8211; basically, IMHO, the time investment that the regulator perceives is required to &#8220;be compliant&#8221; will act as a major drag on productivity if the controller follows what the regulator is saying to the letter.</p>
<p>Add to this all of the compliance objectives that flow out of other aspects of data protection that are not currently enforced (say, compliance with the Data Sharing Code of Practice, or the performance of &#8220;Privacy Impact Assessments&#8221;, or cookies) and you are left with a picture of an overwhelming compliance burden for data controllers within the current regime.</p>
<p>This does not bode well, particularly when you add the effect of the DP Regulation, which seeks to micro-manage far too many aspects of data processing. </p>
<p>And on top of this we have all the other regulatory regimes (health and safety, anti-bribery, AML and so on); it&#8217;s a wonder that there&#8217;s any time left to do any real business!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1451</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Weekly Updates for 2012-05-06</title>
		<link>http://www.stewartroom.com/?p=1450</link>
		<comments>http://www.stewartroom.com/?p=1450#comments</comments>
		<pubDate>Sun, 06 May 2012 19:10:00 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Twitter updates]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1450</guid>
		<description><![CDATA[On 20 June FFW holding conf to examine #ICO's #NHS regulatory strategy. If you work in NHS and want to know more, let me know. #Privacy # New #EU strategy for protecting children online http://t.co/ZSqjIugb #]]></description>
			<content:encoded><![CDATA[<ul class="aktt_tweet_digest">
<li>On 20 June FFW holding conf to examine #<a href="http://search.twitter.com/search?q=%23ICO" class="aktt_hashtag">ICO</a>'s #<a href="http://search.twitter.com/search?q=%23NHS" class="aktt_hashtag">NHS</a> regulatory strategy. If you work in NHS and want to know more, let me know. #<a href="http://search.twitter.com/search?q=%23Privacy" class="aktt_hashtag">Privacy</a> <a href="http://twitter.com/StewartRoom/statuses/197430270700425217" class="aktt_tweet_time">#</a></li>
<li>New #<a href="http://search.twitter.com/search?q=%23EU" class="aktt_hashtag">EU</a> strategy for protecting children online  <a href="http://t.co/ZSqjIugb" rel="nofollow">http://t.co/ZSqjIugb</a> <a href="http://twitter.com/StewartRoom/statuses/197942259713454080" class="aktt_tweet_time">#</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1450</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Engineering Privacy</title>
		<link>http://www.stewartroom.com/?p=1448</link>
		<comments>http://www.stewartroom.com/?p=1448#comments</comments>
		<pubDate>Tue, 01 May 2012 06:43:45 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Engineering privacy]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1448</guid>
		<description><![CDATA[A friend of mine, the very excellent Michelle Dennedy, the Chief Privacy Officer at McAfee, mentioned to me recently that she gave a talk on the topic of &#8220;Engineering Privacy&#8221;, at a leading US University. So, a clever audience then! &#8230; <a href="http://www.stewartroom.com/?p=1448">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>A friend of mine, the very excellent Michelle Dennedy, the Chief Privacy Officer at McAfee, mentioned to me recently that she gave a talk on the topic of &#8220;Engineering Privacy&#8221;, at a leading US University. So, a clever audience then!</p>
<p>This is a great topic, giving hope to the idea that an adequate level of respect for privacy can be achieved operationally within big organisations, by focusing rigorously on process and production. The result is that handling privacy can work like a factory production line. Achieving that state will require a Eureka-moment from someone, similar to the one Henry Ford must have had when he realised quality control and continuous improvement were the future for the car-making industry, which could only be achieved through his production line!</p>
<p>Continuing with the car production line, I wonder about innovation. I don&#8217;t know much about Ford, but I imagine that mass car making didn&#8217;t actually exist until he innovated. In other words, he changed the World. We can argue about whether it&#8217;s ultimately worth the price (the environmental effect) but for privacy, engineering a production line of compliance into the organisation&#8217;s structures and operations can only be a good thing.</p>
<p>For the very first time we have an environment that is actually full of potential for Eureka moments in the field of privacy, from which a Ford-type person or idea may spring.  The catalysts are the fact that technologies can provide a huge part of the solution, that people are starting to see that they have the &#8220;tools&#8221; and &#8220;raw ingredients&#8221; to improve privacy protections, that the case for more rigour is proved and &#8211; critically &#8211; more organisations are starting to invest. Indeed, we&#8217;ve already got to a stage where we are thinking through complex ideas.</p>
<p>And this brings me back to Engineering Privacy. What do we mean by this? What&#8217;s the idea?</p>
<p>The answer lies in the title, in the verb &#8220;to engineer&#8221;. From here we are invited to think about engineers, what they do and the job of engineering. When we think about basic engineering principles, we soon realise that Ford could not have built his production line without understanding those principles. He must have had a plan, a blueprint for solving the problems that he set out to cure through his production line. So we understand that we are trying to build a blueprint for achieving the outcome of better privacy in our organisations.</p>
<p>To a large extent engineering is the achievement of quality control through the rejection of randomness. But what are the structures within this new field of engineering?  What circumstances will be present at the Eureka moment?  </p>
<p>I cannot claim to be having a Eureka moment, so all I can give are some observations on things that may be important.</p>
<p>I&#8217;ve mentioned already having access to tools and raw ingredients &#8211; we have to be realistic about the resources required to improve privacy within our organisations and these may not all be available. For instance, the never ending news story that is &#8220;security breaches&#8221; tells us that many organisations are facing a steep and costly road to compliance. Privacy comes with a price and we have to recognise the economic fundamentals.  People have to want to invest, understanding that investment needs time for R&#038;D, testing, trial and error.  They have to &#8220;value&#8221; privacy, which means that in some fields, they will need to be able to make money out of personal data; privacy can&#8217;t always be about cost of doing business.</p>
<p>If the environment shows these features, engineered solutions are achievable. And not surprisingly, because the basic engineering principles are the same, from here you can rattle off a whole list of requirements; &#8220;privacy impact assessments&#8221;, &#8220;privacy by design&#8221;, &#8220;privacy enhancing technologies&#8221; &#8230;</p>
<p>Hold on a second, what&#8217;s this list telling us? Well, the answer is part of the reason why we can be hopeful that engineered solutions will be achieved. You see, we already have names and labels for key concepts, which tells us that a huge amount of thought is going into this area.</p>
<p>However, we are still quite some way off that Eureka moment, because in the end an engineered solution needs something to be built. So, we have to take the next steps from talking to action. Of course, there are many credible examples of elements of engineered solutions being built, like BCR in the data-transfer field, but we have nothing truly holistic.  The truth is that even in organisations that are doing well on privacy we are only talking about success in a relative sense and those organisations will inevitably have pockets of weak or bad practice that could, in theory at least, be engineered out.  At best, our state of evolution is the testing and trial-and-error stage.  </p>
<p>The role played by the law, by regulators in particular, in bringing on the engineered solutions is vital. In my view, one of the biggest drags on the evolution of good behaviours is bad regulation. I am also particularly struck by how the current process of law reform seems to be rejecting the disciplines of engineering, in the sense that it seems to be so random; there&#8217;s no successful blueprint for the EU&#8217;s proposals for data protection as far as I can tell; of course the law needs space to experiment too, but it carries a very high duty not to make things worse.</p>
<p>This returns me to that list of requirements. There are many good ideas here, developed by a wide group of stakeholders. And the regulators have made a vital contribution. I personally remember my earlier engagements with regulators like Jonathan Bamford, who did really good work on PETs, and officials like Phillippe Renaudiere at the European Commission, who would have made a super EDPS, which were overwhelmingly positive. But, I believe that newer regulators have lost their way a little, with an unhealthy focus on enforcement activities being the main problem.</p>
<p>The problem is the development of the Regulatory Bear Market. I keep going on about this, but as far as Engineered solutions are concerned, this is the worst environment possible; it is trying to achieve behavioural change through coercion. It is a classic example of nannying by unelected officials and bureaucrats and it is not going to get us far. Law making with a blunt weapon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1448</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Weekly Updates for 2012-04-01</title>
		<link>http://www.stewartroom.com/?p=1447</link>
		<comments>http://www.stewartroom.com/?p=1447#comments</comments>
		<pubDate>Sun, 01 Apr 2012 19:10:00 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Twitter updates]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1447</guid>
		<description><![CDATA[Speaking tomorrow on breach notification at #ICO DP Regulation briefing; say hello! #]]></description>
			<content:encoded><![CDATA[<ul class="aktt_tweet_digest">
<li>Speaking tomorrow on breach notification at  #<a href="http://search.twitter.com/search?q=%23ICO" class="aktt_hashtag">ICO</a> DP Regulation briefing; say hello! <a href="http://twitter.com/StewartRoom/statuses/184716756768661504" class="aktt_tweet_time">#</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1447</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Impact of the new EU #privacy regime</title>
		<link>http://www.stewartroom.com/?p=1446</link>
		<comments>http://www.stewartroom.com/?p=1446#comments</comments>
		<pubDate>Thu, 22 Mar 2012 09:30:06 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Consent]]></category>
		<category><![CDATA[Data Protection Officer]]></category>
		<category><![CDATA[Data Protection Regulation]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Law reform]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Privacy Impact Assessments]]></category>
		<category><![CDATA[Regulatory Bear Market]]></category>
		<category><![CDATA[Remedies]]></category>
		<category><![CDATA[Right to be forgotten]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1446</guid>
		<description><![CDATA[I&#8217;m popping over this morning to a meeting of the Information Security Forum, at GSK&#8217;s offices in Brentford (an awkward commute for me, but that&#8217;s another point), to give a talk on the &#8220;impact of the EU legislative changes on &#8230; <a href="http://www.stewartroom.com/?p=1446">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m popping over this morning to a meeting of the Information Security Forum, at GSK&#8217;s offices in Brentford (an awkward commute for me, but that&#8217;s another point), to give a talk on the &#8220;impact of the EU legislative changes on privacy&#8221;. This is a great topic, because, of course, its focus is forward looking (so, if I get it wrong, the delegates will have forgotten by the time that becomes apparent), meaning I can say virtually anything &#8230;</p>
<p>But, the good folk at the ISF pay a decent annual fee to be involved, so it&#8217;s worth finding a substantive basis for my talk.</p>
<p>Impacts are hard to assess at this stage.  The EU is obliged to make a stab at this when new legislation is proposed, but few people really believe that the EU has modelled all the consequences of the proposals. So, perhaps one way of looking at impact is to consider the impact of the EU regime from 1995 to 2009, ie from the adoption of the Data Protection Directive to the Citizens Rights Directive. Taking a high-level view, no one can deny that the impact of privacy legislation has been monumental. </p>
<p>To scale this, I reflect back on when I started my career at the Bar, as a young lad straight out of Uni and Bar School. Back then, there was no expectation of privacy as a legal concept. Yes, we had the Data Protection Act 1984, but it was a classic toothless tiger. I doubt that many people entering the legal profession back then were thinking about how they could make a career in this area. But now, privacy and data protection is a real favourite of would-be, trainee and newbie lawyers, as I can attest from my own experience at FFW, where we are swamped with applications from bright young things hoping to get into this area.</p>
<p>And the key point here, of course, is the classic sharks-are-circling point; lawyers are getting into this area because they sense blood in the water. Of course, you can express the point less graphically; basically lawyers know that they can make a career in this area, which they couldn&#8217;t do not so long ago.  Take the point again; to get to this stage in half a career of this lawyer is incredible. </p>
<p>So, returning back to the question, what will be the impact of the DP Regulation, well we can&#8217;t be precise, but we can be accurate in our assessments. And I believe that we are going to see this area elevate to such a level of heightened importance that it will be impossible to ignore.</p>
<p>Yes, new ideas like &#8220;the right to be forgotten&#8221;, compulsory DPOs, new consent obligations, compulsory risk assessments etc will have their individual impacts, but even these measures are not enough, collectively or individually, to take things to the next level. No, the big impact flows from the heightened transparency agenda and the focus on sanctions, penalties, litigation and regulatory enforcement actions.  </p>
<p>These measures will inject the critical volatility of &#8220;contentious&#8221; legal business into the mix. And privacy &#8211; data protection will become about disputes, argy-bargy and litigation. It will be about suing, prosecuting and holding to account, about compensation and fines. </p>
<p>Look at it this way and do you scent the blood in the water?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1446</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Weekly Updates for 2012-03-18</title>
		<link>http://www.stewartroom.com/?p=1445</link>
		<comments>http://www.stewartroom.com/?p=1445#comments</comments>
		<pubDate>Sun, 18 Mar 2012 19:10:00 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Twitter updates]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1445</guid>
		<description><![CDATA[Like #FOI Read Art 72.1 &#38; 3 of DP Regulation and tell me you&#039;re not concerned by breadth of secrecy provisions for DP Board. # #FFW data protection practice officially recognised as one of the leading global legal practices by &#8230; <a href="http://www.stewartroom.com/?p=1445">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<ul class="aktt_tweet_digest">
<li>Like #<a href="http://search.twitter.com/search?q=%23FOI" class="aktt_hashtag">FOI</a>  Read Art 72.1 &amp; 3 of DP Regulation and tell me you&#039;re not concerned by breadth of secrecy provisions for DP Board. <a href="http://twitter.com/StewartRoom/statuses/180071241766535168" class="aktt_tweet_time">#</a></li>
<li>#<a href="http://search.twitter.com/search?q=%23FFW" class="aktt_hashtag">FFW</a> data protection practice officially recognised as one of the leading global legal practices by Chambers Global 2012, out today #<a href="http://search.twitter.com/search?q=%23privacy" class="aktt_hashtag">privacy</a> <a href="http://twitter.com/StewartRoom/statuses/180694284394176512" class="aktt_tweet_time">#</a></li>
<li>Tragic case providing worst kind of reminder why #<a href="http://search.twitter.com/search?q=%23privacy" class="aktt_hashtag">privacy</a> protections are genuinely important <a href="http://t.co/YrOeE2Vf" rel="nofollow">http://t.co/YrOeE2Vf</a> <a href="http://twitter.com/StewartRoom/statuses/180723821375012865" class="aktt_tweet_time">#</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1445</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New consent rules for data processing</title>
		<link>http://www.stewartroom.com/?p=1444</link>
		<comments>http://www.stewartroom.com/?p=1444#comments</comments>
		<pubDate>Wed, 14 Mar 2012 22:26:59 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Consent]]></category>
		<category><![CDATA[Data Protection Regulation]]></category>
		<category><![CDATA[Law reform]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1444</guid>
		<description><![CDATA[The proposed Data Protection Regulation contains a new regime for consent-based data processing. It places high compliance obstacles in the path of data controllers, which, if implemented, will fundamentally alter the way that many do business. So, let&#8217;s take a &#8230; <a href="http://www.stewartroom.com/?p=1444">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The proposed Data Protection Regulation contains a new regime for consent-based data processing. It places high compliance obstacles in the path of data controllers, which, if implemented, will fundamentally alter the way that many do business. So, let&#8217;s take a look at what is proposed.</p>
<p>The beginning of the story is Recital 25, which tells us that consent means explicit consent. This consists of a &#8220;freely given&#8221;, &#8220;specific&#8221; and &#8220;informed indication&#8221; of the data subject&#8217;s wishes. This can be achieved only via the routes of a &#8220;statement&#8221; made by the data subject, or by &#8220;clear affirmative action&#8221; on their part that shows that they are aware that they are giving consent. This can be achieved by the indicative approaches of &#8220;ticking a box&#8221; when they visit a website, or by similar statements or conduct. Silence or inactivity cannot amount to consent. The recital continues by saying that &#8220;electronic requests&#8221; for consent &#8220;must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided&#8221;, with the implication being that electronic systems should not be designed to badger the individual into giving consent, such as by making repeated requests for consent.  </p>
<p>What is unclear is whether a data controller can make the provision of a service conditional upon the giving of consent to data processing operations which are not strictly necessary for the provision of the service, such as direct marketing, OBA or data sharing, but it is possible that the anti-badgering provision can be interpreted this way, if a refusal of consent results in a service disruption, in the sense that access to the service is blocked. If this is the correct interpretation, then it may have worrying implications for business innovations that require data monetization to survive.  </p>
<p>Perhaps the answer is found in Recital 32, which sets out a new burden of proof rule for consent. The recital begins by saying that the controller bears the burden of proving that the subject has consented and then continues with &#8220;in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.&#8221; This may suggest that it will still remain lawful to put clauses around consequential data processing in contract terms and conditions, provided that the relevant clauses are highlighted and the effect explained. To understand what I mean by consequential processing (which isn&#8217;t a term used by the Regulation by the way), in a contractual situation it is lawful to process personal data that are necessary to fulfil the contract (so, for example, payment card details can be processed prior to delivery of a good or service) but anything beyond that point needs its own legitimacy. So, referring back to the earlier example, processing for direct marketing or OBA will not be legitimatised in a contractual situation by the &#8220;contractual necessity&#8221; ground; these activities will be consequential to the main contractual ambitions. In other words, I am referring to secondary processing.</p>
<p>Anyway, returning to Recital 32, what might be being outlawed is the burying of processing terms within the small print, not compulsory consequential processing. If that&#8217;s the focus, then it is hard to argue against it; in the UK at least consumer law has required a &#8220;Denning big red hand&#8221; for unusual clauses impacting on consumer rights for many years now.</p>
<p>More answers may be provided by Recital 33, which clarifies that consent needs genuine and free choices and the right to change one&#8217;s mind.  This might have the effect of building a distinction between services that are non-essential and those which are. But, if this is the idea, you are moved to the question where do you draw the line? If utilities are essential, like gas, water and electricity, then it might be unlawful to make the provision of services conditional on the acceptance of consequential processing, because the effect would be to deprive the user of a choice. If you follow this through, do you put online banking in the same category? And what about social networking? Or online retailers? In my mind an Amazon is less of a utility than, say, a mobile phone network operator, but why should an Amazon enjoy more commercial privileges with data and a less rigid regulatory environment? </p>
<p>Clearly, there is a need for clarification around these questions, because many data controllers have made consequential processing a condition of service provision. If they can no longer pursue this business strategy, they may be faced with serious business remodelling. </p>
<p>And this is the point at which a form of despair sets in about the Regulation. The EU has had years to think through the issues, but the more time you spend with the Regulation, the more obvious it becomes that it raises more questions than answers. This does not make for an encouraging environment for the achievement of the ambition of increased legal harmonisation. Perhaps it might be fair to opine that the Regulation actually puts us back, because we have a whole new series of unanswered issues to contend with &#8230;</p>
<p>So what else do we learn about consent?  These are the other headlines:</p>
<p>Consent cannot be given where there is a clear imbalance in the power relationship between controllers and subjects. This rule is set out in Recital 34, which explains that a power imbalance will exist where the subject is dependent on the controller, such as in an employment situation, a point that has been made often by the Article 29 Working Party. So, this position will not come as a surprise to informed privacy pros, but it is disappointing nonetheless, as many have argued against the position that it is inherently impossible for employees to give valid consent in the workplace. For instance, what about workplace emoluments? Are we saying that the employee cannot consent to dedicating their benefits pot to one particular benefit in a range of employer provided packages, or that they can&#8217;t consent to giving over their family details for life assurance purposes, or that they cannot exercise a choice on taking up workplace based training? If that&#8217;s what the EU is saying it&#8217;s awfully patronising to employees, but let&#8217;s wait and see.</p>
<p>Another area of power imbalance is in the relationship between subjects and public authorities, where the public authority has the power to &#8220;impose an obligation&#8221;; this seems to be less problematic than the employee context example.</p>
<p>As far as children are concerned, for the purposes of provision of information society services (web based services essentially), for those under 13 consent means parental consent (and custodian&#8217;s), which needs to be &#8220;verifiable&#8221;.  This is similar to the US approach in COPPA.</p>
<p>So, there you are. For further reading, check out Articles 4, 6, 7, 8 &#038; 9.</p>
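<p>To show what the consent rules summarised above look like once they are turned into controller-side logic, here is an added example (not code from the original post and not an implementation endorsed by the Regulation). It assumes an illustrative split of processing purposes into &#8220;necessary for the contract&#8221; and &#8220;secondary&#8221;, treats only a ticked box or a signed statement as a clear affirmative action (so silence, inactivity and a pre-ticked box are rejected), requires verifiable parental consent for under-13s using an information society service, and writes an integrity-sealed, append-only record so that the controller can discharge the Recital 32 burden of proof and evidence a later change of mind under Recital 33. The purpose names, action labels and record layout are all assumptions made for the example.</p>

```python
"""Consent capture modelled on the proposed Regulation's consent recitals.

Added example: the purpose lists, action labels and record layout are
assumptions for illustration, not text taken from the Regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import hashlib
import json

# Assumed split: processing necessary to perform the contract rests on the
# "contractual necessity" ground; anything beyond it is secondary processing
# that needs its own explicit consent.
CONTRACTUAL_PURPOSES = {"order_fulfilment", "payment_processing"}
SECONDARY_PURPOSES = {"direct_marketing", "oba", "data_sharing"}

# Only a statement or a clear affirmative action counts as consent.
# Silence, inactivity, "continued_use" or a "pre_ticked" box do not.
AFFIRMATIVE_ACTIONS = {"ticked_box", "signed_statement"}
PARENTAL_CONSENT_AGE = 13  # information society services offered to children


@dataclass(frozen=True)
class ConsentSignal:
    purpose: str
    action: str                  # e.g. "ticked_box", "pre_ticked", "silence"
    notice_text: str             # the specific, highlighted wording shown
    age: Optional[int] = None
    parental_verified: bool = False  # verifiable parental/custodian consent


def legal_basis(signal: ConsentSignal) -> Tuple[bool, str]:
    """Return (lawful, ground or reason) for one processing purpose."""
    if signal.purpose in CONTRACTUAL_PURPOSES:
        return True, "contractual_necessity"
    if signal.purpose not in SECONDARY_PURPOSES:
        return False, f"unknown purpose {signal.purpose!r}"
    if signal.action not in AFFIRMATIVE_ACTIONS:
        return False, "no statement or clear affirmative action"
    if not signal.notice_text.strip():
        return False, "consent request must be specific and informed"
    if (signal.age is not None and signal.age < PARENTAL_CONSENT_AGE
            and not signal.parental_verified):
        return False, "child under 13: verifiable parental consent required"
    return True, "explicit_consent"


def _seal(body: dict) -> dict:
    """Attach a SHA-256 digest over the canonical JSON form of the record."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "digest": hashlib.sha256(canonical).hexdigest()}


def verify_record(record: dict) -> bool:
    """Recompute the digest so later tampering with the evidence is detectable."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return _seal(body)["digest"] == record.get("digest")


def consent_record(signal: ConsentSignal, subject_id: str,
                   when: Optional[datetime] = None) -> dict:
    """Evidence the controller keeps to prove that, and to what extent,
    the subject consented (the burden of proof sits with the controller)."""
    when = when or datetime.now(timezone.utc)
    lawful, ground = legal_basis(signal)
    body = {
        "subject_id": subject_id,
        "purpose": signal.purpose,
        "action": signal.action,
        "notice_text": signal.notice_text,
        "lawful": lawful,
        "ground": ground,
        "recorded_at": when.astimezone(timezone.utc).isoformat(),
        "supersedes": None,
    }
    return _seal(body)


def withdraw_consent(record: dict, when: Optional[datetime] = None) -> dict:
    """The subject may change their mind: append a new sealed record that
    points at the one it supersedes instead of editing history."""
    when = when or datetime.now(timezone.utc)
    body = {k: v for k, v in record.items() if k != "digest"}
    body.update(lawful=False, ground="consent_withdrawn",
                recorded_at=when.astimezone(timezone.utc).isoformat(),
                supersedes=record["digest"])
    return _seal(body)


if __name__ == "__main__":
    # Constructed sample signals, not real subjects.
    pre_ticked = ConsentSignal("direct_marketing", "pre_ticked", "Send me offers")
    print(legal_basis(pre_ticked))        # (False, 'no statement or clear affirmative action')
    ok = ConsentSignal("direct_marketing", "ticked_box", "Email me offers", age=30)
    rec = consent_record(ok, "subj-1")
    print(verify_record(rec), withdraw_consent(rec)["ground"])
```

<p>The point of the sealed, superseding records is the burden-of-proof rule: a controller that can only say &#8220;the box was ticked at some point&#8221; has nothing to put in front of a regulator, whereas a record carrying the exact wording shown, the action taken and a digest that still verifies can be produced years later. Whether a refusal for a secondary purpose may lawfully block the service is left open by the text, so the example deliberately does not decide it.</p>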
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1444</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cookies; no foul, no harm</title>
		<link>http://www.stewartroom.com/?p=1443</link>
		<comments>http://www.stewartroom.com/?p=1443#comments</comments>
		<pubDate>Fri, 09 Mar 2012 16:52:40 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1443</guid>
		<description><![CDATA[The #IAPP summit is coming to an end, so us Europeans can now slope off home, thankful that our American cousins didn&#8217;t give us the ear bashing that we deserve; but there&#8217;s no disguising the sense of frustration with the &#8230; <a href="http://www.stewartroom.com/?p=1443">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The #IAPP summit is coming to an end, so us Europeans can now slope off home, thankful that our American cousins didn&#8217;t give us the ear bashing that we deserve; but there&#8217;s no disguising the sense of frustration with the EU regime felt over here.</p>
<p>A couple of friends raised the adequacy issue with me &#8211; why does the EU still consider US to be &#8220;inadequate&#8221; when there is so much here addressing the major harm issues?</p>
<p>The easy answer is that the EU regulates everything, but US does not, so there you go. But scratch at the surface and you soon see the flimsiness of the argument; yes, EU legislates for everything, but privacy protections aren&#8217;t really that much more effective at home. At least in the US you get a sense of greater accountability.</p>
<p>On a micro level the debate plays out well within the area of cookies. Both regimes require transparency and consent. The only difference seems to be whether it&#8217;s tick the box or untick the box. And if this is the difference, where&#8217;s the harm, where&#8217;s the foul? You get to the same end result with both regimes and surely that is what matters. So the US is adequate on cookies. </p>
<p>But try telling that to the EU &#8230;</p>
<p>So, Dulles here we come. Apologies for the typos and the hangover &#8230;</p>
<p>- Posted using BlogPress from my iPhone</p>
<p class='blogpress_location'>Location:<a href='http://maps.google.com/maps?q=16th%20St%20NW,Washington,United%20States%4038.909031%2C-77.036108&#038;z=10'>16th St NW,Washington,United States</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1443</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Weekly Updates for 2012-03-04</title>
		<link>http://www.stewartroom.com/?p=1442</link>
		<comments>http://www.stewartroom.com/?p=1442#comments</comments>
		<pubDate>Sun, 04 Mar 2012 19:10:00 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Twitter updates]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1442</guid>
		<description><![CDATA[Unusual few days in DP world; V.Reding sees herself as competent to speak on Google PP lawfulness, while ICO says DP Reg over-bureaucratic! # Durham Uni &#34;Security Breach&#34; #ICO undertakings. Surprising this case got even that far &#8230; http://t.co/LG7BdKfD # &#8230; <a href="http://www.stewartroom.com/?p=1442">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<ul class="aktt_tweet_digest">
<li>Unusual few days in DP world; V.Reding sees herself as competent to speak on Google PP lawfulness, while ICO says DP Reg over-bureaucratic! <a href="http://twitter.com/StewartRoom/statuses/175310082446344193" class="aktt_tweet_time">#</a></li>
<li>Durham Uni &quot;Security Breach&quot; #<a href="http://search.twitter.com/search?q=%23ICO" class="aktt_hashtag">ICO</a> undertakings. Surprising this case got even that far &#8230; <a href="http://t.co/LG7BdKfD" rel="nofollow">http://t.co/LG7BdKfD</a> <a href="http://twitter.com/StewartRoom/statuses/175311821480263681" class="aktt_tweet_time">#</a></li>
<li>If you are going to #<a href="http://search.twitter.com/search?q=%23IAPP" class="aktt_hashtag">IAPP</a> in Washington DC this week say hello! <a href="http://twitter.com/StewartRoom/statuses/176238416017629184" class="aktt_tweet_time">#</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1442</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory Bear Market alive and kicking</title>
		<link>http://www.stewartroom.com/?p=1441</link>
		<comments>http://www.stewartroom.com/?p=1441#comments</comments>
		<pubDate>Thu, 01 Mar 2012 21:02:42 +0000</pubDate>
		<dc:creator>Stewart</dc:creator>
				<category><![CDATA[Regulatory Bear Market]]></category>

		<guid isPermaLink="false">http://www.stewartroom.com/?p=1441</guid>
		<description><![CDATA[In my last book I wrote about the idea of the Regulatory Bear Market. I&#8217;ve blogged about it here before. To recap, a RBM is a time of negative sentiment that manifests itself through negative regulatory behaviours. It&#8217;s the regulatory &#8230; <a href="http://www.stewartroom.com/?p=1441">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In my last book I wrote about the idea of the Regulatory Bear Market. I&#8217;ve blogged about it here before.  To recap, a RBM is a time of negative sentiment that manifests itself through negative regulatory behaviours.  It&#8217;s the regulatory equivalent of a financial bear market, the opposite of a bull market.</p>
<p>Basically, you don&#8217;t want to see a RBM if you are a controller of personal data, because you&#8217;ll be at risk of &#8220;heavy touch&#8221; regulation.</p>
<p>RBMs come and go.  Generally speaking, they arise when there is heightened public interest in the subject matter of regulation, in this case privacy issues. The last RBM emerged after the Gov revealed the loss of the HMRC data disks in late 2007.  It was over by 2009, when the new Info Commissioner was appointed, with his belief that &#8220;enlightened self interest&#8221; was the key driver to being compliant.  Now he&#8217;s wielding a stick.</p>
<p>This RBM emerged last year, in the wake of renewed public, press and political engagement with privacy issues consequent upon phase 2 of the NOTW phone hacking scandal. </p>
<p>What you see in a RBM are clear indicators of a negative regulatory mindset, such as campaigning for new powers and penalties, heavy touch regulation and trumpeting of scalps. </p>
<p>Check out the ICO website and you&#8217;ll see the evidence for yourself in recent press releases; calls for gaol sentences for blaggers, action against de minimis infringements (see the Durham Uni case) and boasting about the quantum of fines imposed (good news tax payers, they&#8217;ve topped £1m from public authorities).</p>
<p>So, campaigning + heavy touch + rhetoric = RBM, with the catalyst being a high profile privacy event.</p>
<p>There is more within the phenomenon, which I&#8217;ll write about in due course, but a key point is this: why does the RBM correct itself after a period of time?  Essentially, this is because the RBM is conceptually, philosophically and legally flawed, so it collapses.  </p>
<p>But pending the return of equilibrium, data controllers need to be careful, alert and on their guard, because this RBM still has a while to run.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stewartroom.com/?feed=rss2&amp;p=1441</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

