Working the Law Part 1 - Personal Data Regulation
The other day, I was watching Who Do You Think You Are?, a genealogy programme in which famous people research their family history. In this episode, the comedian Jack Whitehall and his father and occasional TV sidekick, Michael, were researching their ancestor, Thomas Phillips, in 1830s Monmouth, in Wales.
This was the Chartist period in British history, where the modernising Chartists wanted democratic reform so that suffrage would be widened significantly beyond the very wealthy large landowners. The Tories, the right-wing conservative party, opposed such moves, whereas the reformist Whigs supported them. It turned out that Thomas was a vehement Tory who believed that the Chartists were rebels who threatened the security of the country. As a prominent solicitor, he prosecuted any Chartists who broke the law. Ironically, John Frost, perhaps the most prominent Chartist in the whole area, literally lived next door to Thomas and their unneighbourly battle came to a head after an armed insurrection in Monmouth after which many Chartists were killed by troops. Thomas was the leading figure in John’s subsequent trial for treason, after which John and his fellow Chartist leaders were hanged.
This led the two celebrity researchers to have noticeably different ethical reactions to their ancestor. For Michael, Thomas had been upholding the rule of law, and was just doing his job in following and interpreting it to the letter, during an unprecedented period of social, industrial and electoral change. For Jack, Thomas was an elitist, heartless bully, who stopped at nothing to destroy those reformers whose democratic principles were clearly in the right. In the way the story was presented, the ethics were similarly black and white; history appears to favour John - he is now remembered as a celebrated local hero, with the secondary school named after him, whereas Thomas is the forgotten evil villain of the piece.
But of course, ethical debate is never as black and white as these stories, and indeed most people, would like to make out. We are facing some significant ethical dilemmas in the digital world right now; at the moment, the legal interpretation seems to be as clear-cut as our story above, but it is being presented as vehemently and stringently as Thomas might have done nearly 200 years ago. Given that the story above didn’t exactly end well, it feels like there needs to be better consultation and discussion on this point with industry bodies.
It might not seem like it, but we also live at a turning point in the history of the rights of the individual. After a quarter of a century of almost unique speed of change in the history of communication (the World Wide Web, the Internet, mobile devices and so forth) – akin perhaps only to the years after the invention of the printing press in late fifteenth-century Europe – there are fairly profound questions to answer about the right to privacy, compared to how much information on the individual can and should be shared with organisations providing services to them.
But the last 25 years have also been revolutionary in how businesses work, as they keep up with the demands of customers using these new communication channels. Led by pioneers like Tesco with its Clubcard in the early 1990s, and Amazon and others after the advent of the Internet, companies have learnt that in order to satisfy their customers, they need to know more about them. As a result, they have become increasingly data-driven; given the demands of the global population, living in a genuinely data-driven society is generally regarded as a good thing. This has not only enabled businesses and organisations to serve customers better, but also to become more efficient themselves, reducing their use of resources in an increasingly resource-depleted world.
The challenge facing lawmakers and interpreters is therefore how to balance both the privacy of the individual and the legitimate attempts of organisations to measure and improve their performance through data.
For most of the last 25 years, the law has been fairly laid-back in relation to the development of the new communication technologies. To be fair, that makes a lot of sense – there’s no point legislating for “flash-in-the-pan” innovations; it’s best to wait until the important ones take hold. However, this did allow some organisations to start to abuse the customer data they were collecting, and so regulation was both inevitable and welcome.
The GDPR law, introduced across Europe last year, is therefore a very sensible addition to the statute book. It puts in safeguards for the individual in relation to personal data, while keeping a certain balance for the reasonable requirements of organisations to hold some data about them in order to provide the best service for the individual. However, in the shadow of the Cambridge Analytica scandal, it seems legislators are vying with each other to demonstrate how “in-tune” with the people they are by taking a more extreme position than had previously been the case. This risks data-driven companies being taken back a few stages in their existing capability, and so losing their competitive advantage; however, the bigger risk is that they find other legal justifications for their current position, which therefore starts to undermine the excellent work that GDPR is doing.
Now, it’s worth saying that this is only guidance, and not actual advice from the ICO. But it does imply a direction of travel, and it also comes from an organisation that has the ear of almost all businesses at the moment, having implemented eye-catching fines on Marriott and British Airways in recent months. So, this comes from an organisation that people will listen to right now.
Whilst the guidance is undeniably privacy-focused, it’s also an extreme view of that. Under GDPR, anonymous data does not require consent, because it’s not personally identifiable. According to this new interpretation, however, anonymous data captured in analytics cookies would require consent. This doesn’t appear to be a consistent interpretation of the same law. By the same people. Which is somewhat baffling. There is, of course, the argument that whilst analytics cookies themselves are anonymous, when joined up with other data, they are pseudonymous, and become partially identifiable. We will explore this argument in more depth in the next article in this series. In spite of that, as Brian Clifton points out in his excellent blog piece on this subject, this is a retrograde step, and it suggests that the ICO have not thought it through, which is out of character for an organisation that is one of the leading data regulators in Europe.
Moreover, this would potentially represent a significant change to how data-driven businesses would need to operate. It also means that large organisations and their lawyers will look for alternative justifications in law for why an organisation’s existing set-up is essential and reasonable. In turn, this means that it almost becomes inevitable that this is decided by case law – that is, by someone being taken to court and finding out whether their interpretation or the ICO’s is correct. Given the background in the data-driven economy and world we live in, it seems difficult to see how such a position could prevail.
And this would affect the UK digital and data sector. As arguably the most advanced data economy in Europe, or even the world, the UK has often benefited from the pragmatism of the legislators and those who interpret the law. If the ICO – rightly regarded as one of the best in the world – starts to make confused and inconsistent suggestions such as this, the UK data economy will be hindered, at a time when there will be plenty of other macroeconomic hindrances in the way as it is!