As a matter of fact, one should rather say "don't leave it only to the lawyers"; it is just that we were told that tag-lines should be as short as possible. First, let's quickly recap what brought us to this 4-letter word. Next, let's understand how the system has been rigged to benefit mostly the lawyers, officially, of course, for the Common Good. Then, let's see how to fix the situation and bring back the Spirit behind highly welcome changes, at the expense of the Letter.
Back in the late nineties, the existing legal frameworks pertaining to data protection proved to be a total joke.
Take the European Data Protection Directive (1995) or the International Safe Harbor Privacy Principles, translated in 2000 into the EU Safe Harbor Decision; they were indeed hiding a massive imbalance of power, leveraged especially by American West Coast companies (to simplify): companies with access to quasi-unlimited funding from non-risk-averse venture capital firms, without having to break even in either the short or the medium run. Likewise, in 2016, in the context of "a renewed and sound framework for transatlantic data flows", the EU-US Privacy Shield was yet another mockery. Overall, it led to the incredible global growth and unquestioned leadership of, among others, the Big Four, also called GAFA, providing us with vast amounts of "free services". People started to take the "free" bit with a grain of salt and to understand that if they were not paying for the product, they were the product.
Besides, for many years, the USA has been distorting international commercial law against its supposed European partners, attacking companies such as BNP Paribas, Crédit Suisse or UBS so as to gain competitive advantage while, at the same time, being extremely flexible with its own national companies, in particular those that triggered the 2008 financial crisis. Caveat closed.
Basically, around 2010, the main outcome of the aforementioned elements was a situation of total mistrust between the USA and Europe; what a lawyer would describe as a lack of factual elements of trust, wouldn't zhe? Hence the need to reshuffle the legal foundations. Despite having been for decades pro-globalisation, pro-market and pro-America, the European Commission this time came up with the General Data Protection Regulation (GDPR in short), which, after a two-year transition period, became enforceable on 25 May 2018.
Data protection, and more broadly privacy, is a highly complex matter covering legal as well as technical, societal, economic, philosophical and even ethical aspects. However, slowly but surely, lawyers took control of the debate. Would you trust your own lawyer on ethical questions? Probably not.
GDPR certifications require a very good legal background, when they do not ask outright for specific diplomas in law. The recommendations on European Data Protection Certification released by the European Union Agency for Network and Information Security (ENISA) focus only on legal and technical matters.
Specifically on Data Protection Officers (DPOs), we have to split this short analysis of the most prominent GDPR-related role between the private and the public sector. In the private sector, DPOs are just fuses; somewhat like Corporate Social Responsibility (CSR) or greenwashing, they act as a smoke screen. If sued, companies will have plenty of time to negotiate penalties with the help of… lawyers.
In the public sector, it's even weirder. In Switzerland, which for the record largely abides by the GDPR, the Confederation and the states (Cantons) hired lawyers as DPOs and, believe it or not, there is no conflict of interest for them to concurrently sell highly demanded and expensive services. We call it the grey zone here; one could indeed say a #A9A9A9 zone, just to show the lawyers that we can also use cryptic language to say "very dark grey"!
Let's illustrate how rigged the system currently is; first by looking at one use case before enforcement, then by glancing through a post-May 25 case. Article 20 of the GDPR is about data portability. Pure lawyer output; check it out: "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format". Now, we suggest that you try to export your Google data, quite a straightforward process by the way. Take your Hangouts data for example: you will get a nice little file in… JSON format, ideal for data portability, but without gigantic efforts you will not be able to get a clue of what's in it. For sure, you will find lots of JSON file readers; however, that does not mean that, as a human, you will have a convenient way to read the data. HTML is a much better human-readable format; too late! Both formats should be offered in the export.
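To make the point concrete, here is an added example (not from the original post, and not Google's own export code): a small converter that renders a constructed, simplified JSON chat export into the human-readable HTML the text asks for. The JSON layout is an assumption, not the real Takeout schema; the one thing worth noting is that an export is untrusted input, so every string is HTML-escaped before it reaches the page.

```python
import html
import json
from datetime import datetime, timezone

# Constructed, simplified stand-in for a chat export; NOT the real
# Google Takeout / Hangouts schema, just enough structure for the demo.
SAMPLE_EXPORT = json.dumps({
    "conversations": [{
        "participants": {"p1": "Alice", "p2": "Bob"},
        "events": [
            {"sender": "p2", "timestamp": 1527206460,
             "text": "<script>alert('x')</script> & hello"},
            {"sender": "p1", "timestamp": 1527206400, "text": "Hi Bob"},
        ],
    }]
})


def export_to_html(raw_json: str) -> str:
    """Render the machine-readable JSON export as a human-readable HTML page.

    Every user-supplied string is escaped: a message that happens to contain
    markup must be displayed as text, never interpreted by the browser.
    Events are sorted by timestamp so the transcript reads chronologically.
    """
    data = json.loads(raw_json)
    out = ["<!DOCTYPE html><html><body>"]
    for conv in data.get("conversations", []):
        names = conv.get("participants", {})
        title = ", ".join(names.values())
        out.append("<h2>Conversation: %s</h2>" % html.escape(title))
        out.append("<table>")
        events = sorted(conv.get("events", []),
                        key=lambda e: e.get("timestamp", 0))
        for ev in events:
            when = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc)
            who = names.get(ev.get("sender"), ev.get("sender", "?"))
            out.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
                html.escape(when.strftime("%Y-%m-%d %H:%M")),
                html.escape(who),
                html.escape(ev.get("text", "")),
            ))
        out.append("</table>")
    out.append("</body></html>")
    return "\n".join(out)
```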
Now, the first effects of the implementation of the regulation start to surface. Today, we heard that the EU Court of Justice confirmed the position of the Schleswig-Holstein data protection authority, namely that administrators of Facebook Pages are controllers under EU data protection law. Without entering into what lawyers would dare to call "logic", the reasoning is complete BS. For years, Facebook has pretended that it was not responsible for the content, drawing the parallel with letters going through the Post Office. Though the overall trend is that Facebook should also be responsible for content, the key point is that they never once denied being fully responsible for the platform; lawyers managed to open that Pandora's box less than two weeks after the enforcement of the regulation. Well done!
Beyond these examples, it is worth keeping in mind that lawyers are like the bank at the casino: whichever side they are on, they always win. Moreover, though this is not specific to GDPR, they have no time constraints or benefits to deliver; the longer it takes to resolve issues, the better it is for their bank account.
Before looking at possible ways forward, rest assured that we have nothing against lawyers, sincerely; they are instrumental to the sound and optimal development and implementation of data protection frameworks.
This being said, in lieu of VLPs, Very Legal Persons, seasoned executives should steer all data protection-related initiatives and take the lead as CXOs in companies. These individuals will have very cross-functional profiles covering finance, digital, human resources, legal, procurement, marketing and other bodies of knowledge. They will programme-manage the successful transformation from a "You're the product" paradigm towards a "Value Your Data Your" environment, helped in that crucial mission by teams of specialists, calling on expertise when needed and balancing input so as to help us, the People, regain control over our data.