The Red Menace

Just before New Year, the pro-Brexit, anti-single market pressure group Change Britain published a report about the possible savings that could accrue to the UK if we cut all ties with the EU. Keen observers of current politics will be astonished to learn that the amount is in the multiple billions. One of the top savings is from repealing the Data Protection Act 1998, which Change Britain claims costs the economy a whopping £1,058,830,000, while (if I am reading the table right), giving a benefit of precisely nothing. It’s a prime example of ‘harmful EU red tape‘ that Change Britain is very much against.

Curiously, the report doesn’t include any mention the General Data Protection Regulation, despite the fact that the Government announced several months before its publication that GDPR will apply in the UK, reflecting the reality that it will come into force before we leave. The report does not hint at any cost in repealing the DPA and replacing it with something else, or the wasted effort currently being expended by organisations large and small in preparing for GDPR, all of which they want to cancel out. The economic benefit of being able to share data across EU borders isn’t priced in at all, even if we accept the £1 billion cost at face value. Inevitably, Change Britain’s report has the mindset of an Oscar Wilde cynic, knowing the price of everything and the value of nothing. Although the DPA is clunky and badly enforced, the benefits of saying that personal data should be obtained fairly, used transparently, kept in good order and processed securely are enormous.

I emailed Change Britain just before New Year asking the questions outlined below. I would like to express my gratitude to the Change Britain staff member who took the time to give me two courteous replies when many people were probably on holiday or hung-over.

Can you confirm that Change Britain believes that the GDPR should not be implemented, as well as advocating the repeal of the Data Protection Act? Can I ask what analysis you have done into the effects of repealing DP, in terms of its effects on the security and quality of personal data, and the rights of UK citizens to know how their data is used, and to get access to it on request?
Can you also provide me with any proposals Change Britain have for replacing the Data Protection Act / GDPR, or is the idea to remove any controls or protections on the way personal data is used in the UK post-Brexit?
Finally, can you give me any analysis on the effect of repealing the DPA / not implementing GDPR on the ability of UK companies to exchange personal data with EU countries, and how this would affect the UK’s adequacy for Data Protection purposes? As I am sure you already know, not having adequate data protection provisions would make it virtually impossible for EU and UK companies to do business with each other, because no personal data could be shared outside the EU.

In their reply, Change Britain didn’t explain why they hadn’t mentioned GDPR in the first place, but noted that the Coalition Government said in 2013 that the GDPR could ‘impose unnecessary additional costs on current businesses‘, a comment made on a version of the GDPR which is quite different to the one we’re actually getting. The emphasis was on ensuring that “expensive red tape is cut so that the burden on business is reduced“.

They didn’t really answer the questions, but the thrust of their preferred approach seemed to come here: “We believe that it is possible to secure a new relationship that allows ongoing data sharing between the UK and the EU and gives UK policy makers an opportunity to deal with the issues they have identified with EU laws and – in so doing – reduce the burden of red tape on British businesses“. They didn’t mention the fact that the current government has announced that the GDPR will apply or what the implications of that might be for their proposal. Crucially, while they clearly wanted to “reduce the burdens”, they did not explain to me what these burdens were.

It seemed to me that Change Britain were describing the Mother of Worst Case Scenarios: repeal of the DPA with a UK only replacement instead of adopting the GDPR, some kind of negotiated deal over EU data sharing with all the fragility that entails in the world of Max Schrems, a situation which could well mean UK businesses with EU customers separately adopting GDPR for their customers. Of course, there are many who think that an adequacy finding for the UK post-Brexit is going to hard to achieve, and so some kind of UK Privacy Shield arrangement (AKA Daragh O Brien‘s Privacy Brolly) is the likely outcome. But I’m not aware of anyone in the DP world who thinks this is a good idea – it’s just what we might end up with.

I emailed them again. I asked whether they were proposing what I thought they were proposing (making it sound as complicated and horrendous as I did just now). I wondered whether they had a list of the specific burdens that they objected to. I also asked if they had an analysis of the costs of reversing the current position on GDPR, given all the time and money that is currently going into preparing for it precisely because the government has said that we should. Finally, I asked whether a Privacy Shield arrangement was should be the aim, given the fiery death of Safe Harbor and the fact that the prognosis for Privacy Shield is somewhat toasty (to paraphrase).

They were kind enough to reply again, but with a striking lack of detail. “Brexit is an opportunity to repeal laws that don’t work and introduce better versions” they told me. They did not dispute my interpretation of what they want, which is astonishing. They are “aware of the legitimate issues that you have raised, however we also believe that the concerns raised about the impact of the EU’s data protection regime on small businesses should also be given equal weight when the Government considers the opportunities that come from Brexit”. They didn’t explain how reversing current government policy and forcing UK businesses to operate at least two different DP systems, no matter how large or small they might be was in the interests of anyone, and especially, how this would save a billion pounds. There is no reason why a small business wouldn’t be one of the enterprises running Change Britain’s UK DP at home, and the GDPR abroad, notwithstanding the *increase* in red tape that their proposal would involve. Change Britain want two laws in place of one, after all.

Despite claiming that Data Protection doesn’t work, Change Britain have not carried out any analysis on the burdens associated with it to underpin their demand that it should be abolished. They have not calculated the cost of abolishing it and replacing it with something else – indeed, I would go as far as to say that they showed no evidence of having thought about it. They could only point me to the previous government’s (now outdated) view of GDPR, and reports produced by the British Chambers of Commerce in 2005 and 2010. It seems to be a case of UK good, EU bad, even as the GDPR is being scrutinised around the world as a model to emulate, or at least react to.

Change Britain’s abolition of the DPA and the abandonment of the GDPR is an economically illiterate idea on a par with Vote Leave’s NHS Bus Promise. It makes no sense except as a sound-bite in a press release designed solely for headlines and incapable of surviving serious analysis. Change Britain’s idea is the opposite of what the Government has told UK businesses to prepare for. It is a recipe for confusion and uncertainty. It is utterly irresponsible.

Whatever you think of Brexit, it has wiped the future clean. Anyone who confidently predicts what the UK will look like in 2020 or 2025 is a fool or a liar. I think it will be a disaster, but other opinions are equally valid. The UK Government’s confirmation that GDPR will apply is a small strand of certainty. Even though the Secretary of State left the door open for change at some stage (which she has every right to do), we know what’s coming next for Data Protection, despite Brexit. In their antipathy towards the EU and all its works, Change Britain want to murder even this tiny certainty. They have no original thoughts on why they think it’s a good idea beyond money-saving that they cannot possibly stand up. They cannot offer any hint of what they want to replace DPA / GDPR with, except that it must be homegrown. It cannot be European in origin. I very much hope that their proposal gets the shortest shrift that the DCMS has in stock.

Make no mistake, compliance with GDPR will be difficult for some, but I suspect that many of the organisations most keen to decry the GDPR would struggle equally to comply with the 1984 Data Protection Act, produced by the Thatcher Government, which even now has parallels with both our current DP Act and the GDPR. The GDPR is clearer, less technical and more understandable than the DPA. It is in most ways an improvement. Change Britain’s proposal is vandalism, and we should wash it away.

FULL DISCLOSURE: I voted Remain, I wholly accept that the UK is going to leave the EU as a result of the referendum, I am more convinced than I was before that it is a stupid idea, and in a free country, you should defend my right to say so.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.

Age of Consent

Ever since the Daily Mail first started to report on the nefarious fundraising activities of certain large charities, confusion and contradiction have reigned supreme. We have had fundraising codes of practice confused with the law, constant claims that the ICO has changed the law (which is something they haven’t done, and couldn’t do anyway), and the bizarre spectacle of undertakings being signed publicly by organisations who, according to Wilmslow, haven’t done anything wrong.

One might hope that the General Data Protection Regulation, designed as it is to clarify the mess of DP across the European continent would come to our aid. But no, sadly and inevitably, people are just as determined to misunderstand the GDPR as they are the Data Protection Act.

John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association was speaking at a fundraising event organised by Third Sector magazine, and he passed comment on the apparent confusion over opt-in and opt-out rules on marketing. I don’t know exactly what he said because I wasn’t there. However, he is reported as saying that charities would not need consent for postal and phone marketing, unless a person was on the telephone preference service. The GDPR requirement for unambiguous consent did not change this position. Mr Mitchison also apparently said that he didn’t understand where all the confusion in the charity sector was coming from.

I think I can tell him. Enter Daniel Fluskey, head of Policy and Research at the Institute of Fundraising (yes, the organisation responsible for much of the confusion with their diabolical fundraising code). He wrote an article on the UK Fundraising website following up on Mitchison’s comments, including this statement.

“Our understanding is the same as the DMA’s and what we’ve heard from solicitors – that ‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box. Consent will be able to be given ‘unambiguously’ through an ‘opt out’ mechanism. So, statements that ‘opt in’ is coming in through law seem likely to be misleading – what’s coming in is a requirement that the consent is ‘unambiguous’

Fluskey then invents his own test for unambiguous consent:

To me, ‘unambiguous’ consent seems like a three-stage test:

  1. Did someone give their information freely?
  2. Were they presented with straightforward information so that they had a clear understanding of what marketing/fundraising communications they could expect to receive?
  3. Did they have a clear and easy ability to choose to accept this, or to object if they didn’t want to receive future marketing?
    If the outcome of the engagement leads to these three questions being able to be answered with a ‘yes’ then it would seem very likely that the donor has given ‘unambiguous’ consent. That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.”

This is all – to use a technical term – bollocks.

Mitchison is correct – consent is not necessary for postal marketing and phone-calls to those not on TPS. However, this has nothing to do with the nature of unambiguous consent. The explanation is reasonably straightforward. To use any personal data, you need to meet a condition under the DPA – this is the position now and it remains so under the GDPR. Consent is one of the conditions but not the only one. If an alternative condition can be found, you can forget consent and use the other one instead. The GDPR recognises that the legitimate interests condition can be used to justify marketing, and so this can apply to postal marketing. You don’t need consent because you can use legitimate interests. The opt-out bit is a red herring in this context – the marketer offers an opt-out because  it’s good practice and the subject has an automatic right to opt-out of any marketing anyway. It would be nice if such opt-outs were respected instantly and permanently, but that’s an issue for another time.

Electronic forms of marketing are not just covered by Data Protection. They are also covered by the e-Privacy Directive, implemented in the UK as PECR. PECR adds a layer of rules, and in some cases insists that only consent applies. You can’t rely on legitimate interests for automated calls, email or text marketing, because PECR says that only consent will do.

Live calls straddle both conditions. You can rely on legitimate interests for cold calls to people who are not on TPS, but you need consent for those people who are. Again, this is nothing to do with DP, this is an extra rule laid on by PECR. I hold no brief for Mr Mitchison, but the DMA are usually robust about the effect of marketing law, so my guess is that this is the point he was making.

I haven’t explained completely why I think Mr Fluskey’s comments are bollocks. Permit me to do so now. I suspect he hasn’t even read the Regulation, despite the fact that he is issuing clear (if bogus) advice about it to a sector that has wallowed in ignorance for far too long.

The definition of consent in Article 4 is plain for all to see: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” – indication means active, given means active, clear affirmative action means active. Everything about the definition of consent means that the subject has to do something to consent. It’s obvious that Fluskey hasn’t read the regulation because he happily takes ‘freely given’ out of its context as part of the definition of consent and pretends that it relates to the provision of information. If there was any doubt (there isn’t, but we’re here now), Recital 32 helpfully addresses any possible uncertainty:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Once again, just in case you missed it: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”  Compare that to what Mr Fluskey says: “‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box”. They saw him coming. That’s exactly what it does mean, that’s what it says. Consent has to be active, and it has to be demonstrable. Silence or inaction does not mean consent, but that’s exactly what an opt-out model represents – assuming consent from silence or inaction. Under the GDPR, opt-out consent is dead. There’s an argument that this is the case under the current DP as well, but leave that to one side. Nobody who has read the full Regulation can think that opt-out is a valid way to get consent, and only those who have read it should be giving advice to others.

The problem with the Institute of Fundraising is that their code of practice has created a fog of uncertainty about what is law and what is practice or industry standard. And here they are, doing it again: “That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.” Complying with the regulation isn’t about trying to capture some phantom ethos – it’s clear, and unambiguous. No opt-outs, never again.

Don’t get me wrong. Fundraising companies have a problem. For many years, they have built profitable businesses, employed lots of people, and made lots of money, some of it even for the charities who hire them. The GDPR makes clear what was not clear, emphasises what has been underplayed, and gives new rights to subjects that will directly challenge the business model of some fundraisers. Consent has to be clear and it has to be opt-in. Profiling has be to explained to subjects, and they have significant rights to challenge and object to it. Data sharing cannot be justified on tiny, badly-explained clauses buried in interminable terms and conditions. I can understand that the more they delve into the GDPR, the more fundraising companies may despair.

But denial and confusion is not the answer, and this nonsense must end. The Institute of Fundraising has to stop issuing inaccurate and confusing guidance which, let’s assume coincidentally, has the effect of maximising the number of calls, texts and emails that can be made and sent. Charities have been battered for a while now, some with more justification than others. But they have no hope of emerging from the mess and getting back to where they should be if this endless stream of misinformation continues to be sprayed at them. The problem for some fundraisers is not that the GDPR is confusing. It is that it is not.

The Gamekeeper’s Fear of the Penalty

Amongst the hype over the end of negotiations over the new EU Data Protection Regulation, one theme kept emerging again and again: Big Penalties. It’s understandable that people might want to focus on it. The UK goes from a maximum possible penalty of £500,000 to one of just under £15,000,000 (at today’s Euro conversion rate) or even 4% of a private enterprise’s annual worldwide turnover. Only a fool would say that it wasn’t worth talking about. It’s much more interesting than the bit about Codes of Practice, and it’s easier to explain than the section about certification bodies.

It would be equally foolish to assume, however, that penalties on this scale will rain down from Wilmslow like thunderbolts from Zeus. At the same time as many were talking up the future, the Information Commissioner issued two monetary penalties under the current regime, one under Data Protection (£250 for the Bloomsbury Patient Network) and one under the Privacy and Electronic Communications Regulations (£30,000 for the Daily Telegraph). The £250 penalty is the lowest the ICO has ever issued for anything, while the PECR one is the lowest for a breach of the marketing rules, notwithstanding that the Daily Telegraph is probably the richest PECR target at which the ICO has taken aim.

You could argue that the embarrassment caused to the Telegraph carries an added sting (the ICO has never before taken enforcement action against a newspaper). It’s equally likely that the oligarchs who own the paper will consider £30,000 (£24,000 if they pay up in 35 days) to be a price worth paying if it had the desired effect on the outcome of a very close election. They’ll probably do it again.

In any case, the Bloomsbury Patient Network CMP is much worse. The Regulation calls for monetary penalties to be effective, proportionate and dissuasive, and yet everybody at the ICO thought that a £250 penalty, split between three people, was action worth taking and promoting. The Commissioner himself, Christopher Graham told the DMA in March 2015 that the ICO was not a ‘traffic warden‘, but if the Bloomsbury Three pay up on time, the £66.67 penalty they each face is no worse than a parking ticket you didn’t pay in the first fortnight.

The ICO’s press release claims that the penalty would have been much higher if the data controller had not been an ‘unincorporated association’, but this is irrelevant. The ICO issued a £440,000 PECR penalty against two individuals (Chris Niebel and Gary McNeish) in 2012, while the Claims Management Regulator recently issued a whopping £850,000 penalty against Zahier Hussain for cold calling and similar dodgy practices. The approach on PECR and marketing is positively steely. The problem clearly lies in Data Protection enforcement, and that is what the Regulation is concerned with.

The size and resources of the offending data controller are a secondary consideration; the test is whether the penalty will cause undue financial hardship. The ICO could bankrupt someone or kill their business if they deserved it. The Bloomsbury Patient Network’s handling of the most sensitive personal data was sloppy and incompetent, and had already led to breaches of confidentiality before the incident that gave rise to the penalty. Enforcement action at a serious level was clearly justified. Even if the level of the penalty was high enough to deter well-meaning amateurs from processing incredibly sensitive data, this would be a good thing. If you’re not capable of handling data about a person’s HIV status with an appropriate level of security, you have absolutely no business doing so at all, no matter good your intentions are. Donate to the Terence Higgins Trust by all means, but do not touch anyone’s data. If the ICO lacks the guts to issue a serious penalty, it would be better to do nothing at all and keep quiet, rather than display their gutlessness to the world.

Whoever made this decision cannot have considered what message it would send to organisations large and small who already think of Data Protection as pettifogging red tape, low on the agenda. Is there an organisation anywhere in the country that would consider the slim chance of being fined £66.67 to be a deterrent against anything. A fine is a punishment (it has to cause pain to those who pay it) and it is a lesson to others (it has to look painful to the wider world). The Bloomsbury Patient Network CMP is neither.

Despite the increased expectations raised by the GDPR, the ICO is actually losing its appetite for DP enforcement, with 13 Data Protection CMPs in 2013, but only 6 in 2014 and 7 in 2015. Meanwhile, there have been 24 unenforceable DP undertakings in 2015 alone, including one against Google which you’re welcome to explain the point of, and another (Flybe) which revealed endemic procedural and training problems in the airline which are more significant than the moronic cock-ups that went on at the Bloomsbury Patient Network. Wilmslow is so inert that two different organisations have told me this year that ICO staff asked them to go through the motions of self-reporting incidents that ICO already knew about, because the only way the enforcement wheels could possibly begin to turn was if an incident was self-reported. ICO staff actually knowing that something had happened wasn’t enough. It’s these same timid people who will be wielding the new powers in 2018.

Admittedly, there will be a new Commissioner, and it’s possible that the Government will pick a fearsome enforcement fiend to go after Data Protection like a dog in a sausage factory. You’ll forgive me if I don’t hold my breath. Nevertheless, something in Wilmslow has to change, because the General Data Protection Regulation represents a clear rebuke to the ICO’s DP enforcement approach.

Most obviously, in the long list of tasks in Article 52 that each Data Protection Authority must carry out, the first is very powerful: they must “monitor and enforce” (my emphasis) the application of the Regulation. Someone recently said that in certain circumstances, some organisations require a ‘regulatory nudge’, but the Regulation is much more emphatic than that. The ICO’s preference for hand-holding, nuzzling and persuading stakeholders (especially those where former ICO colleagues have gone to work) is a world away from an enforcement-led approach.

The huge increase of penalties throws down the gauntlet, especially when the ICO has rarely approached the current, comparatively low UK maximum. But the ICO should also pay close attention to the detail of Article 79 of the Regulation, where the new penalties are laid out. Of the 59 ICO monetary penalties, 57 have been for breaches of the 7th principle (security). The Regulation has two levels of penalty, the lower with a maximum of €10,000,000 (or 2% of annual turnover), and the higher with a maximum of €20,000,000 (or 4% of annual turnover). Breaches of Article 30, a very close analogue to Principle 7, is in the lower tier.

Admittedly, the higher penalty applies to all of the principles in Article 5 (which in a somewhat circular fashion includes security), but it explicitly covers “conditions for consent“, “data subject rights” and infringements involving transfers to third countries, areas untouched by the ICO’s DP penalty regime. The Regulation envisages monetary penalties at the higher level for processing without a condition, inaccuracy, poor retention, subject access as well as new rights like the right to be forgotten or the right to object. The ICO has issued a solitary penalty on fairness, and just one on accuracy – it has never fined on subject access, despite that being the largest single cause of data subject complaints.

The Regulation bites hard on the use of consent and legitimate interest, and misuse of data when relying on them would again carry the higher penalty. Most organisations that rely on consent or legitimate interest are outside the public sector, who rely more on legal obligations and powers. Indeed, the Regulation even allows for the public sector to be excluded from monetary penalties altogether if a member state wishes it. Nevertheless, since they got the power to issue them, only 24% of the ICO’s civil monetary penalties have been served on organisations outside the public sector (2 for charities and 12 for private sector).

I doubt the ICO is ready for what the Regulation demands, and what data subjects will naturally expect from such a deliberate attempt to shape the enforcement of privacy rights. The penalties are too low. The dwindling amount of DP enforcement is based almost exclusively on self-reported security breaches. While the Regulation might feed a few private sector cases onto the conveyor belt by way of mandatory reporting of security breaches, it will do nothing for the ICO’s ability to identify suitable cases for anything else. Few ICO CMPs spring from data subject complaints, and anyone who has ever tried to alert Wilmslow to an ongoing breach when they are not directly affected knows how painful a process that can be. The ICO has not enforced on most of the principles.

It’s been my habit whenever talking about the Regulation to people I’m working for to emphasise the period we’re about to enter. There are two years before the Regulation comes into force; two years to get ready, to look at practice and procedure, two years to tighten up. The need to adapt to the future goes double for the Information Commissioner’s Office. Instead of canoodling with stakeholders and issuing wishy-washy guidance, wringing its hands and promising to be an ‘enabler’, the ICO should take a long hard look in the mirror. Its job is to enforce the law; everything else is an optional extra. It’s wise to assume that the wish for total DP harmonisation will probably be a pipe dream; it’s equally obvious that the Regulation will allow for much easier comparisons between EU member states, and the ICO’s lightest of light touches will be found wanting.