Today’s Irish Times has a ‘news’ story about a man who, during the boom, sold his home and land for €3 million and has just bought it back for €215,000.
Fair play to him. He sold a property and home he loved and made a profit. Now he can have his cake and eat it, returning wealthier to the same home and hearth.
The same, unfortunately, is not true of protections for fundamental human rights. In the current economic turmoil it is tempting to mortgage them or sell them off in the interests of supporting business and reducing red tape. However, when the economy recovers it will probably be impossible to push the pendulum back towards respecting the rights we have forgone in the interests of economic expedience. We will have a recovered economy but a diminished society.
This is what is happening with the EU Data Protection Regulation. Earlier this month the Irish Government, in one of the last acts of their EU Presidency, trumpeted their ‘victory’ in the first four chapters of the Regulation, getting a quasi kind of agreement to introduce a level of protections that has been watered down to near homeopathic levels. Whatever good is in some of the proposals of the Irish Government is horribly undermined and hollowed out by the move to a purely “risk based” model of regulation (similar to that which has worked so well in Financial Services), amongst other things.
I’ve written about that in detail here with Fergal Crehan.
Principles diluted do not retain the memory of the principle. Homeopathic regulation doesn’t work. The parts of the Regulation that might have served to retain focus and concentration were the sections around enforcement and penalties.
Today we learn via a leaked document that these sections have likewise been diluted to homeopathic levels by the Irish EU Presidency (again, annoyingly in tandem with some good and positive changes).
- The specific levels of fines to be levied have been omitted from the document (Dr. Chris Pounder on the Hawktalk blog suggests this may be due to there being no agreement; my view is that if it has been taken out whatever is put back in will be a lot less attention focussing than the 2% of global turnover levels previously proposed)
- A range of mitigating factors and considerations have been introduced which must be considered by a Data Protection Authority before levying a penalty of any amount. 13 different factors to be considered. One for every tooth a Regulator might have had. One more line of defence to be argued over before enforcement can commence.
So, errant Data Controllers may now be in a position where they can self-assess their risks based on their own perception of the risk and impacts of their actions (just like people of a certain generation used to self-assess whether they were sober enough to drive), but just in case they get it horribly wrong the hoops a Regulator will have to jump through before being able to levy any form of meaningful penalty have grown in number and vagueness.
This is the textbook definition of light touch regulation. History has shown repeatedly, and at great cost, that this simply does not work.
The man in the newspaper today bought back his old family home and made a tidy profit because of a catastrophic failure of culture, governance, and regulation. Rules around due diligence and proper management of lending were set aside or worked around because it was “good for business”.
We must learn the lessons of history or we will have mortgaged our rights to be “left alone” in the interests of economic expedience and only those who held on to their financial muscle in this crisis will be able to make the payment needed to buy back that right through the Courts.
An appropriate balance must be struck between the economy and the society.