A Manx GDPR Muddle
- Details
- Created on 16 May 2018
- Written by Steve Burrows
The ten most valuable businesses in the world today are, in order: Apple, Amazon, Alphabet (Google), Microsoft, Tencent, Berkshire Hathaway, Alibaba, Facebook, JP Morgan Chase, and Johnson & Johnson. Seven of the ten are tech businesses for whom the exploitation of our personal data is a core activity - including all of the top five (it would have been the top six but for Facebook’s recent data troubles).
Personal data is the most commercially valuable commodity in the world. Not really surprising because the more we know about our customers the better equipped we are to satisfy their needs and thus capture more income. Crudely, personal data is potentially more important and more valuable than money, because in the right (or wrong) hands it is a license to print money. Similarly personal data is the most valuable commodity in the public sector. Intelligent use of personal data is crucial to both taxing and serving a population efficiently. The potential for abuse of our data by business and government is immense.
Hence the EU General Data Protection Regulation - GDPR. The confidence we as a population have in the administration of the state in which we reside is significantly predicated upon the state dealing with us honestly and respectfully. Most of us in first world western democracies take this for granted - but not all of us. Ask the Catalonians what they think about the Spanish government. The same goes for businesses, we are more likely to provide our data to those which appear to deal honestly with us. Implementing GDPR is a hassle, but it’s necessary. So how are we doing on the Isle of Man?
If I’m honest, not nearly as well as I would have hoped. I checked in with the Information Commissioner, Iain McDonald, recently to get an update and some clarification on the island’s approach to implementing the legal framework for GDPR, and came away wondering how the heck we got into this pickle.
Straight up, Iain McDonald is probably one of our national assets. He is well respected by the information commissioners, data protection regulators et. al. across Europe, because he engages with them all, attends and contributes to the multinational workshops in which he and regulators for other nations determine policy and approach, he participates on behalf of the Isle of Man and gives confidence to the regulators in the EU that we understand and are doing the right things in respect of Data Protection, and are going to do the right things in respect of GDPR.
Unfortunately it seems to me that our government has made his job rather difficult, because our last minute attempts to produce a suitable legislative and regulatory framework for GDPR look to me like a real Manx muddle.
In the EU, GDPR is a Regulation, meaning that it is EU law. All that EU member countries really need to do as a minimum is appoint their national regulators and fund them, because the law is already defined. GDPR does give some limited scope for national customisation, and some countries have chosen to customise it a little, in varying ways. One of those is the UK, which has a troubled history with the previous EU Data Protection Directive because the UK government approach to implementing EU Data Protection didn’t fully comply with the EU intent. This incomplete compliance is one of the reasons that the update to EU data protection, GDPR, is being rolled out as an EU Regulation so that the EU can enforce a consistent and level data protect playing field across all member states.
The UK government has, of course, half an eye on Brexit - when it will cease EU membership, and half an eye on protecting the same get-outs that it sought when it watered down the previous EU data protection regime. Consequently the UK GDPR legislation, currently going through the Westminster parliamentary process, is not pure GDPR - it incorporates GDPR, the EU Data Protection Directive 2016/680 (Law Enforcement Directive) (“LED”), and assorted customisations and UK get-outs, into a Data Protection Bill which contains “Applied GDPR” - being the modifications which UK is applying to the EU GDPR. In order to correctly understand data protection in the UK one must read both the EU GDPR and the UK Data Protection Bill containing the “Applied GDPR”.
We in the Isle of Man seem to have gone further. We have created a new Data Protection Act 2018 which in turn implements a “Data Protection (Application of GDPR) Order 2018” and a “Data Protection (Application of LED) Order 2018” which copy the GDPR and LED with some necessary modifications for the Island into law and then implement another set of Regulations. This further set of Regulations appear to be based directly upon the UK Data Protection Bill (modified from the EU GDPR and LED), which has then been further modified by the Manx government to suit local needs. Hence in order to comprehend the technicalities of GDPR as applied on the Isle of Man it appears to be necessary to consult the Isle of Man “GDPR and LED Implementing Regulations 2018”, the “Data Protection (Application of GDPR) Order 2018” (and the “Data Protection (Application of LED) Order 2018” if you are processing data for law enforcement purposes), and to interpret these in the context of the UK Data Protection Bill from which the regulations are derived, within the overall context of the EU GDPR (and LED if applicable), in order to be certain of correct interpretation.
Explaining to the EU how the Isle of Man implements specific aspects of GDPR, which will be necessary when we are reviewed by the EU for GDPR adequacy, is not going to be simple. Given the scope of some of our modifications applied on top of the UK modifications, nobody can guarantee a positive outcome for the island’s GDPR adequacy review - in all probability the best weapon we have in achieving EU acceptance of our system is the high esteem in which Information Commissioner Iain McDonald is held by EU data protection czars, and their confidence that he will act effectively despite the layers of opacity between their intent for GDPR and our implementation.
It didn’t have to be this way. A couple of years ago I and others in the digital industries were very confident that the island could lead the way on a clean and clear GDPR implementation. If we had taken the EU GDPR directly, and applied it into Isle of Man law without waiting for the UK and butchering their efforts, we could have been ahead. That didn’t happen, it seems Mr. McDonald had negligible involvement in the preparation of our new data protection law and regulations and didn’t see the drafts from the Cabinet Office until December last year, shortly prior to the first public consultation.
By way of contrast, Guernsey’s new GDPR implementation was passed into law last November, and was developed from the ground up as Guernsey’s own primary legislation. Similarly Jersey’s new law, also developed from the ground up to implement GDPR, was passed into law in February this year to take effect from May 25th. In both cases our Channel Island competitors, with weaker digital sectors and inferior digital infrastructure, have beaten us to the punch. Their law is clearer and simpler to understand, more likely to be awarded adequacy by the EU, and in place before ours. Both jurisdictions are now actively marketing themselves as “data havens” - a vision which we on the Isle of Man set out years ago but have failed to deliver on. Both Guernsey and Jersey have also established their data protection regulators as statutory authorities, and appointed significant and respected EU data protection experts to their boards.
Bluntly, if I were an executive in a big digital corporation looking for a tax-competitive home in which to build new datacentres and processing facilities to serve my EU customers, Guernsey and Jersey would be higher on my list the the Isle of Man. Despite our significant advantages in digital infrastructure, space and cost, we’re losing the race for data.
We have however, still got a card to play; the possibility of replacement, built for purpose, Isle of Man GDPR compliant primary legislation in a couple of years which will also take into account the upcoming EU e-Privacy Regulation that is going to replace the old EU e-privacy Directive of 2002. This could, if government pulls its collective finger out, enable us to leap ahead again with a clear, coherent, “all in one” framework for data protection that would give the island a fit regime for data-centric businesses. At the same time, if not before, we should probably convert the Information Commissioner’s office into a statutory board and give it the authority and resources to independently investigate and prosecute any organisation which breaches data protection obligations, including Government.
In the meantime, if you’re confused by Isle of Man GDPR, Iain's advice is - don’t panic. Small Manx businesses who only hold data on isle of Man residents will have a further year in which to implement the new Isle of Man data protection law, and the regulator’s priorities for his limited resources will be determined by risk. Read the Information Commissioner’s advice and guidance at https://www.inforights.im. Get your personal data protection policies in place and published (Transparency), and be prepared to show how you live by them (Accountability).
In respect of the bigger picture, whilst I wish the Isle of Man had sorted its GDPR legislation sooner and more cleanly (like Guernsey and Jersey), Iain tells me that so far only six EU states have actually got their GDPR regimes in place. As he observes, one hundred and twenty years ago few people saw the need for motoring laws, and those laws are still evolving. So it is with personal data, we are still in the early stages of understanding the need for and complexities of personal data protection.
