Privacy in Brussels & Beyond; 5 uncomfortable GDPR truths
I’ve been travelling alone, on business — a relative rarity these days.
Studying the departure boards from St Pancras to destinations across Europe — Amsterdam, Paris, Lille and beyond — it struck me how much the world has opened up in the course of my adult life. Journeys which were the preserve of inter-railing or a career change are now treated as a casual, high-speed excursion.
Meanwhile, current political debate in the UK runs along a single axis of distancing ourselves from the mainland’s political, legal and cultural norms — Europe is drifting out of reach.
Working as a technologist in privacy can evoke similar feelings for me.
18 months on from GDPR, the direction of travel remains clear — towards greater oversight and regulation of digital marketing, platforms and data commerce itself. So why do I keep asking myself the question — are we there yet?
The power players in data can still write their own rules, regulators are outgunned and remain a lightning rod for collective frustration. The media waves and corporate budgets around GDPR have now crashed upon the beach, and ‘business as usual’ in privacy is dominated by reporting obligations and paralegal processes. Massive breaches are usually the first any of us know about how well organisations perform as custodians of our data.
What’s changed is awareness among the public that something is not quite right, which mirrors that felt in this age of political ‘fake news’. This growing concern is manifesting itself in the first attempts by people to use data rights as weapons against those they distrust, and data collectives as shields against the powerful.
This challenge dominated at the IAPP Data Protection Congress in Brussels, an opportunity for regulators, trade bodies, brands and privacy practitioners to meet in a ‘safe space’ and share ideas.
From my personal notes, here are the top 4 themes:
- Data ethics is a mirage — practical steps should be towards transparency, ceding control to the individual and fairness. This last principle is something which can be translated to the public in terms which we can all understand.
- Compliance isn’t working — while knowledge of, and adherence to, legal requirements may have a comforting clarity, it’s a shrinking island in the sea of accountability and fairness. Operationally, it’s like playing a continuous game of ‘whack-a-mole’.
- Consent on the web is broken — cookie notices have mutated into barriers to choice, without support for new (old) models for content monetisation like subscriptions. Because people are clicking, not complaining in large numbers doesn’t mean an indifference to privacy in general.
- “A code of conduct for marketers is a no-brainer” — a quote from the UK’s data trade association the DMA, echoed by brands and regulators present. Movements by regulators to support codes of conduct based on fairness are progressing in France and Germany.
Is the UK being left behind? Not yet, but it can feel like an uphill battle for data subjects, privacy activists and new technological entrants lacking a strict compliance remit in the privacy space. Momentum behind the ICO sandbox seems to have dissipated, and the latest draft guidance on SARs appears to enshrine current, inconsistent processes around data rights which mean they may never meet the principles and potential that the GDPR promised.
A prominent in-house privacy lawyer said onstage in Brussels; “the law is generally the least reason to do something”. As an optimist, I’m hopeful that transparency, fairness and operational agility will allow the business to step up and own privacy. Here’s to 2020!
