For a lot of people running small businesses, charities, and other small organisations, GDPR has sometimes felt like yet another imposition, another layer of restraint on running their organisations. Most, though, recognise that it addresses real issues around the misuse of personal information and, while it does have its flaws, it is seen around the world as the gold standard when it comes to the protection of personal information. There has been less discussion than there should have been on the subject, but the potential loss of this gold standard is now coming into view as another casualty of Brexit.
I am usually disciplined enough not to mention my political views in a business blog but, as well as knowing my way around the subject of information protection, I do have both an undergraduate and a postgraduate degree in politics and sometimes it is just too hard to resist.
Dominic vs the GDPR: One brave boy’s story.
An exciting new front has opened in the UK’s pantomime war on the EU. Exciting, that is, if you find the subject of information protection interesting. Dominic Cummings has published a consultation framework for a post-Brexit ‘National Data Strategy’. The document, which you can read here, has been very well ghost written by the Department for Digital, Culture, Media & Sport. It is a clear and easy read but still very Cummings, not so much a strategic discussion document as a wish list wrapped up in ever more lavish claims about the almost magical power of data. For a Cummings inspired document, it is light on crackpot theorising: his influence breaks through now and again though in ridiculous phrases like, “data is knowledge”. Leaving the occasional silliness aside, it is a very clear document that sets out how Cummings hopes to attack the UK’s data protection environment. Acknowledging that it is ostensibly a discussion document intended to stimulate debate around the formulation of a strategy, it doesn’t have a great deal to say about strategy. The theme is the awesome power of data and the need for government to be unconstrained in its use.
There are resentful acknowledgements throughout the document that the UK needs the EU to make an adequacy decision about its data protection regime before the end of 2020 in order not to block the flow of personal information from the EU to the UK. If the EU does not grant this adequacy finding, UK businesses face an even heavier regulatory burden than the one already weighing on them as the end of transition out of the EU approaches. Nevertheless, Cummings has decided that this is a good moment to tweak the EU’s tail about data protection. His objectives are not hard to decipher:
- Above all, he wants what has often been called ‘joined up government’, with personal information shared across all departments and UK subjects assigned a persistent digital identity across all their interactions with government. This should horrify the libertarian loony wing of the Conservative party, but it is very unlikely they have noticed or, if they have, understood what he is up to.
- He would rather there were no constraints on the flow of personal information between favoured big business (e.g. Serco), charities (as defined in the UK, these are often far from charitable institutions), and government.
- He wants to remove restrictions on the flow of personal information out of the UK, most importantly to the United States, though it may also be worth remembering his obscure relationship with Russia in this context.
Some collateral damage
To sweeten all this he proposes, as usual, to lift the regulatory burden on small businesses. In fact, like his Brexit crusade in general, his scheme would hugely add to this burden, as companies would lose the benefits of the overarching data protection structure provided by GDPR and be forced to fend for themselves in terms of satisfying their consumers and making individual contractual arrangements for all data flows. The evidence, since he emerged into the light after 2016, indicates that Cummings has no interest in SMEs, so adding to their burdens is unlikely to restrain him.
It is not that difficult to work out the motivation behind all this, not that motivation really matters. Have a look here for Cummings’ plan for a NASA-style (of course) nerve centre in, or probably beneath, Whitehall. The most important feature of the Cummings Control Centre is a lot of big screens on the wall, scrolling through – what else could it be – yes, of course, data. One possible way to make sense of his wet dream of dismantling the UK’s data protection environment is to try, if you can, to put yourself into the mind of a 1980s schoolboy who has managed to escape the social isolation of his bedroom long enough to see the latest James Bond film and come away with fantasies about ‘literally controlling everything’. Then they’ll listen to me!
Teenage revenge fantasies to one side, the document does set out two justifications for what otherwise looks like another intensely retrograde step. The first would be laughable were it not for the official death toll so far of 43,025 (as of 26/09/2020): this is that the UK’s exemplary handling of the Coronavirus crisis through the innovative use of data shows what can be achieved if only government were unconstrained in its use of, and ability to share, personal information across borders. The second justification isn’t based on anything at all: it just asserts that the UK leads the world in everything to do with data, will be even more world leading if the government is less constrained in its use of data, and that this will result in the UK taking a leading global role in the coming economic recovery. Both justifications are repeated throughout the document.
More collateral damage, but it’s all about the data
The document, entitled National Data Strategy, is careful to avoid straying into territory that might make its meaning too obvious. In particular, the term ‘personal information’ is conspicuously missing: it occurs only once in the main text and once again in the glossary (where it explains its occurrence in the main text). Even more absurdly, the term ‘GDPR’ occurs only once in the text, and nine times in the glossary (because many of the terms used in the document are defined in the legislation that dare not speak its name). By avoiding such contentious language, the document steers the reader away from concerns about trivialities, such as the protection and control of personal information. Instead the focus is on data. But not the sort of data that has always existed. In Cummings’ imagination, data is something novel: a newly discovered commodity, poised to rock and revolutionise his world. Just as steam engines, running on coal, powered the industrial revolution (and made Britain world leading), this time it is computers running on data that will create the upheaval. And only Cummings and the chosen few he follows on Twitter have spotted the coming tsunami.
Can he pull it off, a mind bending puzzle?
So, will he succeed in sweeping away the UK’s personal information protection regime? Almost certainly not, at least in the immediate term. The UK does need that adequacy finding from the EU. Publishing the document now could be just about making faces on the assumption that the adults in the room would find it more irritating to reprimand you than to ignore you. Cummings’ aims are incompatible with GDPR. Incompatibility with GDPR means the EU cannot grant an adequacy finding (or can withdraw it at any time). In the modern, cloud-based, connected world, the UK cannot function if it isolates itself from the flows of data which Cummings wants to control. Therefore, the UK must get that adequacy finding and, if Cummings were to get his way, that finding would be withdrawn. It’s tough to be a megalomaniacal amateur boffin these days: Cummings’ dilemma is that he wants to control all data, everywhere, but the EU will cut off his, and the UK’s, supply of data unless he agrees to behave himself. Considering the whole Brexit mess, this might seem, to lesser people, a dilemma too far. But let’s not forget that this is a man who can get ministers to push a law through parliament to legalise breaking the law. Impossible logical conundrums are food and drink to him.
Some track record doubts
The UK’s access to data and personal information protection rules are probably safe for now, but in the more medium term it is likely that he will try to pick away at the GDPR and its transposition into British law. He has shown some talent for breaking things and he may well succeed in, at least, weakening protections around personal information. Opposing him will be the many businesses that will want to keep to a minimum the disadvantages being piled on them by Brexit. Citizens’ rights groups and others can also be expected to notice what he is up to after a while and, hopefully, will put up a fight. If he tries to move forward with his ‘joined up government’ idea, the libertarians who get all aflutter about ID cards may put two and two together and, for once, not make five. The IT project management, though, that would be required to even think about ‘joined up government’ is way beyond anything Cummings could put together. Think about the Covid tracing app shambles or the Ealing comedy-style story of the UK’s alternative to the Galileo satellite system. There is no danger that Cummings and his data wranglers will produce the data dystopia of their fantasies, even with a top secret nerve centre.
But, in the longer term …
Nonetheless, it is dangerous to let his ideas go unchallenged. Even if the capability doesn’t exist in this government to give expression to these ideas, such seeds, once planted, tend eventually to germinate, and may catch the eye of future, more capable, governments. Individuals in the UK, along with the rest of the EU, have enjoyed genuinely world leading protection of their personal information since 2018 and this protection is now firmly in Cummings’ sights. Judging from the National Data Strategy document, he hasn’t begun to work out how to sweep away the protections currently in place, but he does intend to get the process started.
If you would like to know more about information security for your business in the context of GDPR, Brexit or otherwise, I’m always happy to talk: email@example.com