It is a truth universally acknowledged, that a single person in possession of the Data Protection Act, must be in want of someone to explain it. And of someone to explain the explanation. An understandable regulatory response to this situation is the one taken by the Information Commissioner – the promotion of a common sense approach to data protection regulation. Does this really work?
When we say that the DPA is difficult to understand, what we mean is that it is difficult to follow the rules. If it is difficult to follow a primary rule, do we get any further by introducing another, simpler rule that is apparently easier to follow? While it may be easy to follow a rule that says “use common sense”, it may not be easy to know in what circumstances that rule is to be applied. In fact, to know that, you need to apply an understanding that is quite removed from common sense – which is what the Information Commissioner has done in his guidance, by using an expert understanding of the rules to say that in certain situations you can use the simple common sense rule. But this doesn’t, on examination, really solve the larger problem.
Why is it difficult to follow Data Protection rules?
If it is difficult in the actual processing situation to identify and apply a relevant rule, is that because (i) it is difficult to align the situation with a rule, (ii) even if the rule can be identified, the outcome of applying the rule is ambiguous, or (iii) it is difficult to know how many different rules apply to the same processing situation (including both positive rules and negative exemption rules)? At the same time, the complexity encountered when applying the rules removes intuitive contact with the interests that are being balanced by the rules, thus creating a rigid regulatory environment where strict formal compliance is the only way out. However, if formal compliance is the only way out, it is also only too likely that you don’t understand the rules by which compliance can be achieved. This is Kafka rather than Jane Austen; no room for English common sense here.
The regulatory situation is further complicated by the fact that there are some very general rules – say the Data Protection Principles, or the definition of Personal Data – and a very wide range of particular circumstances to which they apply: a range which is obviously extended by the development of Information Technology and global connectivity. This is a recipe for regulatory expansion of an uncontrollable kind (more rules, more regulators), in an attempt to bridge the gap between the general rules and the particular circumstances. We can see this happening at the moment, and it cannot succeed.
What is the answer? I wish I knew, but one approach would be to take a wide range of ordinary processing situations out of the scope of the regulations altogether, on the basis that the potential harms involved are so minimal that there is little to be lost by doing so. It would also remove the paralysis that is often created by the current rules when applied to very ordinary processing circumstances, which arises from the sense that there must be more at stake than there appears to be – because why otherwise would there be a need for rules in the first place? This, incidentally, is why the mere existence of rules often defeats the counter-application of common sense.