Legislating for the Tiresome
I wasn’t going to do a #DataProtectionDay post. But the discussion we had on the podcast this week got me thinking again about why data protection matters, and why the way we conceptualise and operationalise governance around the use of personal data matters. After all, aren’t all these rules tiresome and bureaucratic overhead? Aren’t the proposed changes in the EU Digital Omnibus a good thing?
“If you legislate for people to think about whether they ought to do it, 100% of the time they will conclude they ought not to do the thing they find tiresome.”
Simon McGarr
Structure vs Practice
I’d like to say that Simon McGarr’s comment above was a throwaway comment. But I’ve known Simon for many years and he chooses his words with care when in front of a microphone. And this is one of those moments. For context, we were discussing how, when we look through the lens of decentred governance theory at the Digital Omnibus, there are profound implications for how individuals involved in making decisions about the use of personal data in organisations will need to address their roles.
Simon’s blunt assessment echoes the famous line, credited to Upton Sinclair, that “it’s difficult to get a man to understand something when his salary depends on not understanding it”. Simon encapsulates the difficulty posed by the structural framing of things like DPIAs, Data Protection Notices, and Registers of Processing Activities as ‘overhead’ that organisations can do without.
Reality versus Theory
In an ideal world organisations of all sizes would have a handle on how they are using data and would voluntarily do the kinds of things that are needed to govern data effectively, ensure its quality, and ensure that it is being obtained and used transparently and with appropriate safeguards to ensure people’s fundamental rights are respected.
But we don’t live in that kind of world. Often we require nudges of various kinds to make us do things that we know we need to do but don’t always want to do. Like eating broccoli or writing down the things we do as an organisation and what data we need to have to do those things (the core element of a ROPA). So, we find ourselves having to legislate to put some rules in place. Those rules guide behaviour and influence (to borrow some terminology from governance theory) the traditions and webs of belief that are applied to decision making as well as establishing baselines of ‘local knowledge’ that individuals who are taking actions and making decisions on a day to day basis can apply.
Simple things like: “Is this personal data?” Or: “Why are we asking people for their shoe sizes? We’re a newsagents.” And: “Where are we storing all this stuff we have about the children in the gymnastics club anyway?”
Rights and Harms
Those legislated rules also include ideas that address and rebalance classic problems of information asymmetry that can impede people in asserting or benefiting from other rights or services. So the right of access under Article 15 GDPR gives effect to a fundamental right under Article 8 of the Charter of Fundamental Rights that allows a person to get a copy of the data held about them by a Data Controller that might then in turn allow them to exercise another fundamental right or identify where that right is being infringed.
The discussion on the podcast of collective rights and collective harms with Blessing brings this into focus. My ability to exercise my right of access allows me to identify if a company is processing images of me and, for example, running an AI process to tag me as one of the ginger-headed brethren. If I have found that this inferred piece of information is then used by the company (for example an insurance company or someone I’ve applied to for a job) to prevent me from accessing a service or being considered for a job because of my inclusion in the grouping of “Ginger Brethren”, and that that processing affects all my copper-topped kin alike, then the individual right serves to address a collective harm.
The fact that the rules say people can ask for copies of data means that organisations should think about what data they have, why they have it, and how and where they are storing it. Doing that and introducing intentionality into the governance of the data may actually serve to reduce the overhead in complying with the request for data, with the added benefit of the data itself being managed better and the associated costs and risks of poor quality or poorly curated data being mitigated.
If the web of belief, the regulatory tradition, that data protection compliance is a burden results in the dilution of protections against harm to homeopathic levels, then we will have done a disservice to society and will have forgotten why we have all these rules in the first place.
Trust us, we’re good people
Of course, we don’t need all these rules in the ideal world because we’re all good people and our organisations or governments aren’t going to do bad things to people as a result of how their data is handled. At least not all the time. We can ignore things like the Dutch government’s use of AI to infer that people were defrauding the State, or the UK’s Post Office scandal.
Good men don’t need rules. I think I’ll leave the last word on that thought with The Doctor:
“Good men don’t need rules. Today’s not the day to find out why I have so many”.
The 11th Doctor, Doctor Who
The EU’s Data Protection rules were born out of a generational understanding of how data about people had been used to single individuals out for collective harm and the potential for unintended consequences to happen if people were not nudged by the law to do things they might think tiresome.
Tweaking the rules in a way that undermines the fundamental traditions and webs of belief that underpin the governance of data relating to people in the EU has the potential for significant unintended consequences. If data is an asset, it should be governed as an asset. If personal data is an asset organisations use on behalf of people to do things that benefit individuals or society then the governance of that asset must be grounded on common traditions that support individual good people making decisions on a day to day basis.
Legislating for the tiresome is sometimes necessary. Just like eating broccoli.