Most people have little routines that they enjoy on a Sunday. Doing a spot of gardening, going for a run – I know one person who relishes his Sunday trip to the tip. For me, a minor weekend pleasure is the masochistic ritual of reading a maddeningly ill-informed article about Data Protection in the Guardian or Observer. This weekend did not disappoint, despite a surprising break with tradition in that the piece in question was not written by John McNaughton.
This time, we have Stephanie Hare, expressing sentiments summed up in a headline that gets two things wrong before the article even gets going: “These new rules were meant to protect our privacy. They don’t work.” No, the GDPR is not meant to protect anyone’s privacy. The word ‘privacy’ is mentioned once in a footnote that refers to another piece of legislation (which isn’t supposed to protect our privacy either). The purpose of the GDPR is to maintain the European model of data protection i.e. a deal between commerce and individual rights. It’s an asymmetric and imperfect deal, but the idea is the internal market requires the use of personal data in order to function, especially across International borders, and so there needs to be a regulated system to allow governments and businesses to use data. The language of the GDPR, like the directive before it, makes absolutely clear how the deal works. The organisation that gathers and uses the data is the ‘controller’. That tells you all you need to know. The individual is no more than the ‘subject’, given some rights and a limited amount of control over how their data is used.
I think the GDPR does a better job than its predecessor of making those rights work meaningfully – it’s free in most cases to exercise them, the fairness provisions explicitly acknowledge transparency and clarity, the right to be forgotten (if that’s what we have to call it) puts more of an onus on the controller than the subject. More subtly, the GDPR recognises power imbalances and automated processing of all kinds as being inherently high risk because of the lack of control that the subject suffers. This is all good stuff, but GDPR doesn’t protect your privacy, and complaining that it doesn’t is like complaining that a decent quality car will not float. It’s pointless to criticise the GDPR as ‘not working’ when you think it should be doing something it isn’t designed for. Hare is letting the regulators and companies completely off the hook by implying that it’s a free for all, rather than a situation where the law is clear and people aren’t following or enforcing it.
It gets worse. Hare’s first assertion is “Who owns your data? This is one of the toughest questions facing governments, companies and regulators today and no one has answered it to anyone’s satisfaction.” The answer to this question is actually really easy: the person who holds the data owns it. You don’t own the data about you held by HMRC or Twitter or Facebook. They do. They probably have intellectual property rights over it, but for all practical purposes, they decide what happens to it, who receives copies of or extracts of it, and when it is deleted. The subject plainly doesn’t own it. They have rights over it sometimes, and they own a copy of any data they request, but that’s it. Asking about ownership is really asking the wrong question – apart from the fact that activists and campaigners are never going to get an answer they like, what’s worse is that by accepting that the debate should be about ownership rather than rights and control, you’re accepting the IAB and Mark Zuckerberg’s approach to data. I’m not an activist, and even I can see that you’re debating The Man on his terms. If we want to stop the commodification of data, we could start by talking about the problem in a better way.
I don’t doubt Hare’s sincerity for a moment, but some of her most basic assertions are wrong which makes it very difficult to agree with her. She says that under GDPR, “we gained the right to find out what data is held on us and to request its deletion“. This is completely incorrect. These rights have existed (and have been used) since at least 1995. It’s true that they have not been not well-enforced, and that GDPR expresses them more effectively, but in my experience, people who present GDPR as a sea change in rights are those who think Data Protection started in 2016. Apparently, it’s a problem that individuals have to exercise their rights, and “the GDPR could have solved this easily by making privacy the default and requiring us to opt in if we want to have our data collected“. If I was being charitable, I would assume that Hare was talking only about commercial uses of data for advertising purposes but she doesn’t say so. We can’t run the NHS, social care, taxation or criminal justice on the basis of consent. You can’t protect vulnerable children from abuse if their parents have to agree to their data being processed. You can’t collect income tax only from those who consent for their data to be collected. Talking about personal data exclusively in terms of consent is ignoring all sorts of processing, legitimate or otherwise, that takes place because of statutory or contractual justifications. It’s almost aggressively unhelpful.
Hare describes “a grotesque game” of consent where people are pushed into consenting or alternatively diverted into a maze of confusing privacy policies. The GDPR that she claims doesn’t work explicitly outlaws this sham consent. There is no doubt or debate about this: GDPR consent must be freely given, specific and informed, or it is not consent. Nobody who understands GDPR has any doubt about this – the question is whether regulators like Helen Dixon and Elizabeth Denham are willing to attack business models that are built on such flagrant GDPR breaches. So far, the jury is out on Dixon, but Denham has shown her hand by dodging enforcement on Real Time Bidding and fining Facebook for entirely imaginary events, ultimately settling the case in a way that leaves Facebook’s business model entirely untouched. The problem here is not the GDPR – it is the people who are supposed to be implementing and enforcing it.
Worst of all, Hare’s summary quotes Edward Snowden’s ill-informed speech at the Web Summit last week, picking out the stupidest thing he said and presenting it as her trump card: “He thinks that legislation should address the collection of our data, not its protection after it is collected.” Just to be clear (because I always italicise quotes on this blog), the article emphasises the word ‘collection’ with italics. Hare clearly feels that this is a vital insight, instead of evidence of total ignorance. Like a lot of security people, Snowden has seen the word ‘protection’ and worked from there. The foundation of EU data protection law for more than 20 years is that the use of data must be lawful, and lawfulness can only be achieved by justifying the collection of data. This is the skeleton of Data Protection, this is what holds it up, and Hare’s use of the Snowden quote is, in my opinion, evidence that she does not know this. It is utterly irresponsible to use a platform like the Guardian to mislead people in this way, no matter how strong your concerns might be. The GDPR is inherently and irrevocably concerned with data collection, and if Hare (and Snowden) do not know this, they need to educate themselves before pontificating. By the way, if you were one of the dozens of Data Protection people who retweeted that Snowden quote as if it was some amazing revelation, all you did was demonstrate your ignorance.
There are other depressing things within the article – like a lot of people, Hare cites warnings from the recent Human Rights Committee report into online privacy, and in particular, picks up their patronising conclusion that 13 – 15 year olds are incapable of consenting. This writes off hundreds of thousands of young people and robs them of autonomy (something which people who believe in privacy should be very wary of doing). Anyone who has read the Human Rights Committee report will know that it recommends creating a single repository of all information held about every person, updated in real time. Aside from ID cards, I cannot think of a more dangerous, privacy-invasive proposal than taking *everything* about you and putting it in one place so that the Government (and every hacker in the universe) can get access to it.
It is not enough to care. It is not enough to express your concerns about an admittedly voracious and parasitic internet business model. You need to know what you’re talking about. Pulling apart a clearly sincere and well-intentioned piece from someone who I probably agree with about a lot of things is not a good look, and will probably lose me even more friends and admirers than ever before. But this isn’t good enough. I’m not taking the piss out of someone because they said ‘Regulations’ when they meant ‘Regulation’. This whole article is based on a completely flawed understanding of the law and what it sets out to do. If you have the platform, you have to use it responsibly, and I think Hare and the Guardian have let down a cause which both claim to uphold.