In previous posts I have tried to suggest that, on one reading, far from it being difficult to comply with data protection rules, it is actually difficult not to comply with them -the First Data Protection Principle in particular. The problems that arise come from the gap between normal rational behaviour, common sense assessments made by people processing data, and the rules which apply to these ordinary circumstances and assessments. The data protection industry is based on this gap, showing not how ignorant people can become knowledgeable and compliant, but how their original understandings do or don’t fit into the rules. The difference between the two is pretty considerable.
In my post on Gulliver (December 2009 Blog Archive), I attempted to illustrate and satirise something like this, by describing a regime based on regulating the weather, the weather of course following natural (common sense) rules which the legislators then got into a mess about by pretending that they were somehow controlling the weather by introducing rules about what was permissible and what wasn’t – the weather going its own way. But I wanted to suggest as well that when people are faced with a conflict between common sense understanding and formal rules, they will do something odd and counter-productive to indicate they are following the rules rather than using common sense – thus using an umbrella to collect rain rather than protect themselves. My purpose may have been a bit obscure and not entirely successful anyway.
This perspective also accounts for why I am sceptical about the actions of the Regulator as soon as he becomes anything more than educational, because it is not the fault of ordinary people if they are misled by rules into abandoning their common sense and ordinary rationality. Of course if there is persistent offending, then measures are appropriate. But I am still inclined to think that there has been a great deal of talking up of the Regulator on the back of rather specific physical data problems which have little or nothing to do with the basis of the rest of the regime.
While I doubt that this point of view is likely to surface at all in the review of the Directive, I think the implication is that the current regime should be assessed by a test balancing the risks which result from including processing in the regime against the risks arising from leaving it outside the regime. The trouble with the present regime is that is based upon an inclusive approach which suggests that it is always beneficial to have processing within the regime, and I think it is clear by now that that simply isn’t true.