The changing face of data protection: new environment vs. established principles

Our commissioner, Emma Martins, marks the start of 2020 by reflecting on the need for a well-informed public conversation about data, and the role data protection professionals must play in it.

‘Data protection legislation has been around for many decades. Despite the fanfare that greeted the General Data Protection Regulation (GDPR) in May 2018 (and it was beyond doubt a hugely significant step), at its heart, the new Regulation is similar in shape and form to its predecessor. But we continue to be faced with a problem. This problem is not one of new principles but of a new environment. Data has taken on a new life in recent years and we are struggling to keep up. The speed of technological change in this digital age means that the culture and norms that inform our attitudes and behaviours have insufficient time to evolve. So it is therefore unsurprising that, despite its relatively long history, there remains much that is misunderstood and misinterpreted about the legislation; its origins, its aims, and the legal and ethical principles which underpin it.

There does, however, seem to be change in the air as we are being increasingly exposed to the often shocking reality of the scale and impact of data use and misuse. The crucial role of public discussion; feeding better awareness and understanding of what good data protection means, cannot be overstated. All parts of society have a part to play, but as with so many other areas of our lives, journalists do perhaps shoulder a greater responsibility.

I was reading this article about the GDPR in the Financial Times recently (which in itself must be welcomed, data is as much a financial issue as it is legal and social).  The article itself was well-written, as you would expect, and it highlighted a number of important areas such as wider privacy harms of certain processing, and some of the innovative developments in areas such as data trusts. But I was struck by how persistent the notion is that the law is a clinical tick box exercise, an administrative burden and something you can almost wash your hands of as long as you can evidence some sort of consent from the individual or individuals concerned. It is easy for data protection professionals to be judgemental and critical in the face of misunderstandings or misinterpretations. But if data protection is to be better understood and embraced, we need to be part of a cultural shift towards enlightened compliance rather than tick box approaches. Part of that requires us to try and rebalance the conversation, not to criticise but to inform. With this fresh in my mind, I wrote the letter below to the FT, which they published on 3 January.’ (reproduced here with their permission).

Letter: Conversation about our data must involve us all
From Emma Martins, Guernsey, CI
January 3, 2020 12:00 am

There is much to agree with in your editorial “Protecting data privacy needs constant evolution” (December 27); data and its protection has become a pressing social and economic issue. It is therefore extremely important to think about the way it is regulated. It is also helpful to highlight the need for regulatory rethinking in the face of increasing overlap of data protection and other regulatory regimes such as antitrust/competition.

But the way our personal data are collected, created and used goes well beyond notions of data privacy. In our digital age, it goes to the heart of what it is to be an autonomous and free citizen. Despite recent exposés of certain big tech giants, we remain in blissful ignorance of the actual scale of manipulation and how it is changing us and the world in which we live.

The General Data Protection Regulation is a good starting point but I dispute the suggestion that it presents companies with a list of tick-box demands. Approaching it in such a manner serves no one. Nor is consent enshrined as its core principle. Equally perplexing is the suggestion that principles of “privacy by design” are “encouraged” by the GDPR when in fact such an approach (together with accountability) is a legal requirement.

I am not suggesting that the law is perfect, especially in the face of such unprecedented technological developments. But I would like us to learn to approach it differently. To expect any one law, or any one regulator, to be the sole arbiter of the handling of personal data is to condemn both to failure. Neither I, nor any of my regulatory colleagues across Europe, has the ability to effect legal or ethical change on our own. We need to look wider and deeper because this is a conversation that must involve us all. Legislation has to be understood as a form of safety net, not as an ethical baseline.

Only by moving society forward in a way that deliberately and intelligently engages with the realities of the data-driven digital world can we effect real change; change that ensures we are seen as human beings, not as data points.

Emma Martins
Data Protection Commissioner,
Office of the Data Protection Authority,
Guernsey, CI
Copyright The Financial Times Limited. All rights reserved. Please don't copy articles from FT.com and redistribute by email or post to the web.