The A5103 is a dual carriageway near my house that connects the M56 at the bottom with the city of Manchester at the top. People come racing off the M56 onto it, many barely slowing before hitting the M60. However, immediately afterwards, the A5103 goes through a series of residential areas: West Didsbury, Whalley Range, Moss Side, and Hulme. Whatever you’ve heard about these places (much of it probably nonsense), thousands of families live there. Just off this huge road, kids are playing, people are riding their bikes, and at regular intervals, people are crossing it.
A few years back, the speed limit was dropped. As you zoom off the M56, it goes down to 40; once you get to the first housing estates, it’s 30. Despite this being a big arterial route, despite it feeling like it would be a big, fast road (especially if you’ve exited either motorway to reach it), it’s slow and steady all the way. There’s a simple reason why the speed limit is observed. There’s a genre of LinkedIn post which would be all about the sensible, ethical approach of the drivers, knowing that to plough through these residential places at speed would put lives at risk.
But that’s sentimental bollocks. People drive at 30 on the A5103 because there are speed cameras, and you might get fined.
All you need to know about human beings and the law is to watch them drive without speed cameras. Some drive below the speed limit (and everyone else hates them), some drive at the absolute maximum allowed, and some go above, some wildly and dangerously over. Data Protection law works in a similar way. Some willingly go further than the law requires, some do what is strictly necessary and no more, and many flout the rules, some in a dangerous way.
The existence of Data Protection speed cameras is a myth. There has always been a notional speed camera in the shape of the Information Commissioner’s Office. It didn’t do anything significant, but you could see it and it created the illusion of an enforcement regime with a trickle of penalties and enforcement notices. That illusion is over. Their failure to enforce the GDPR is plain to see. Pair that with the recent revelation from Jon Baines that when faced with a council who refused to communicate with them, the ICO buckled. Ignoring enforcement powers they have used into the past (especially for favoured friends like Professor David Carroll), they told the applicant to sue. The UK’s Data Protection regulator is a speed camera that has not been switched on. It’s one of those fake burglar alarms that is just an empty box with a battery to make the light blink on and off.
Of course, even as I write this, there is the possibility that the long awaited penalties against BA and Marriott will land. We already know that they are likely to be massively reduced, and moreover, they were delayed for more than six months before Covid made an airline and hotel chain almost satirical targets for big fines. There was obviously something wrong with these penalties in the first place, hence the long delay; unless the ICO pitches them at a level that both companies can pay painlessly (reducing their impact still further), appeals seem inevitable, even wise. Finally, issuing BA and Marriott may produce a mirage of achievement for Liz Denham to ride out the dying embers of her term, but I am willing to bet that neither will ever be paid.
But the last four years have hollowed out the ICO. Denham has recruited a cushion of Deputies, Directors and Heads, focussed her attention on fringe issues like AI and the Kid’s Code, and she has refused to create a culture of regular, meaningful enforcement on bread and butter DP issues. The next Commissioner will effectively have to start again with GDPR, just about the time that – plague allowing – the Johnson government may decide to dismantle it.
I have been working on information rights for nearly 20 years – it was late in 2000 that I applied for a job at an organisation I was dimly aware of called the Information Commissioner’s Office, and because of multiple interviews and various HR shenanigans, it was 2001 before I started. Looking back on Data Protection as it was then, and how it is now, it saddens me to say that progress has been intermittent, haphazard, and slow.
And currently, Data Protection compliance in the UK is optional.
You don’t do it because there are legal consequences if you don’t. In that sense, all data protection law in the UK is guidance. You follow it because you want to, because you think there is some direct advantage to you if you do. I’m sure many in the sector, if they read this, will howl in my direction with arguments that organisations should or will do whatever and data ethics and all that stuff, but I don’t care. I have one word: speeding. We know what people are like. We know what happens on roads where there aren’t speed cameras. The UK, about to enter a Brexit / Covid Combo Crash, is on that road for data protection.