2021iii3, Wednesday: data, privacy and the Golden Rule.

If people talk about changing data protection laws, always ask for their philosophy; if they won't say, be suspicious. And two great tales about the file format that makes remote working possible.

2021iii3, Wednesday: data, privacy and the Golden Rule.
I wouldn’t worry if it were still like this.

Short thought: On Friday, I’m giving a webinar on privacy issues in employment. It’s part of a series of employment law webinars over 15 days (two a day); the second such series since lockdown, organised by my friend Daniel Barnett. With signups come big donations to the Free Representation Unit, a splendid charity which organises advocates for people who can’t afford lawyers in employment and social entitlement cases. (So yes - if employment law is important to you, sign up. There’s still 80% of the sessions left to run, all are recorded for later viewing at your leisure, and it only costs £65 plus VAT a head. Discounted significantly the more heads you book for.)

Anyhow: prepping for it has got me thinking. There’s a lot of noise, particularly post-Brexit, about what kind of law governing privacy and data protection we should have. GDPR comes in for a lot of stick: it’s cumbersome, it’s civil rather than common law, it’s inflexible, it makes life harder for small businesses and is easy for large ones. Scrap it, some say. Other countries get adequacy decisions (that’s the European Commission saying: yes, your data protection laws give sufficiently equivalent protection that we won’t treat you as a pure third country, with the significant restrictions on cross-border data transfer that entails) with different laws. Why shouldn’t we? (Incidentally, initial signs are we should get an adequacy ruling. Phew.)

All of this, I tend to feel, misses the point. The first step to working out what data protection architecture we have isn’t common vs civil law. It’s identifying the essential philosophical and ethical - and, yes, moral - basis for why data protection is needed in the first place. When I hear people advocating for changing the onshored version of GDPR, I want to hear that philosophical basis. If I don’t, I’m going to start patting my pockets and checking my firewalls. Because the cynic in me is going to interpret that the same way I interpret - say - calls for restricting judicial review, or “updating” employment law: as a cover for a fundamental weakening of my protections as a citizen and an individual.

Here’s why. GDPR, for all its faults, did represent a root-and-branch shift, and it’s that shift rather than its shortcomings (and lord knows it has them) that has caused much of the outcry. The shift? The imposition, in clearer terms than ever before, of the idea that people’s data is theirs, unalienably so. And if you want to muck about with it, they get to tell you whether that’s OK or not.

I know this is a wild over-simplification. But in our data-rich, surveillance-capitalism world, as a citizen that’s what I want. Yes, it carries downsides. Some business models are rendered more difficult, or even impossible. But that’s a trade-off I’m happy with.

I’m aware of one case, for instance, where an employer is alleged to have accessed an ex-employee’s personal email and social media accounts (or tried to) using credentials left on their old work computer, because the credentials to a work system were missing and there might have been password re-use.

I’ll leave the reader to compile their own list of what potential problems this might give rise to. But it does bring into sharp relief what I think the core issue is in privacy and data protection, both generally and in the employment context.

And it boils down to this: don’t be (to use The Good Place’s euphemistic structure) an ash-hole.

Honestly, it’s that simple. So much of employment law (and here, as we saw in the Uber case and many others, it differs from “pure” contract law significantly) is about what’s fair and reasonable. (As employment silk Caspar Glyn QC put it in his webinar on Covid issues yesterday, he’d made a 30-year career out of the word “reasonable”.) And through the architecture of statutes and decisions and judgments, what the tribunals and courts are ultimately trying to do is apply the Golden Rule. Has this person, in the context of the inevitably unequal power relationship between them and their employer, been treated fairly?

Now, everyone’s definition of “fair” is going to differ. But that’s why we have laws and (in common law jurisdictions like ours) authority. So that we can have a common yardstick, refined over time as society evolves, by which to judge fairness.

What does this have to do with privacy in employment? Loads. For instance:

  • Can you record people on CCTV? Well, have you told them? Have you thought about whether it’s proportionate to the risk you’re confronting? Does it actually help with that risk more than other, less intrusive, means?
  • Can you record details of employees’ or visitors’ Covid test results? Well, why are you doing it? Do you really need it? If so, how are you keeping it safe - since this is highly personal and sensitive health data?

It’s difficult. But it’s difficult for a reason. Personal data is so-called for a reason. Its use and misuse have immense, and often incurable, effects. The power imbalance is significant.

We lawyers can and do advise on the letter of the law: what GDPR, the Data Protection Act, the e-Privacy Directive and so much more tell you about your obligations.

But a sensible starting point remains, always, to consider: if this was my sister, my brother, my child, working for someone else, how would this feel? How would their employer justify it to them? And if they came home, fuming about it, would I think it was fair?

I live here. Or so my family would probably say.

Someone is right on the internet: I haven’t been in my Chambers since September. My workplace is my home office. It’s evolved into a decent environment over the past year. Furniture, tech, habits: they’ll keep changing, but they’re in a pretty good place right now.

But in many senses, the single biggest enabler of my remote working isn’t a piece of kit, or even a piece of software. It’s a data format. The PDF.

PDFs have been around for decades. Adobe came up with it, and in one of the smarter bits of corporate thinking, gave it away. Not entirely, of course. But anyone can write a PDF app (my favourite being PDF Expert) without paying Adobe a penny; while Adobe, rightly, still makes shedloads from selling Acrobat software for manipulating PDFs as a de facto, rather than de jure, industry standard.

And I rely on PDF entirely. I convert almost everything to PDF. All my bundles. All my reading matter. Practitioner texts. Authorities. Everything. Even my own drafting gets converted to PDF for use in hearings. That way, I know I can read them on any platform. Add notes, whether type or scribble (thank you, Goodnotes, you wonderful iPad note-taking app), highlight, underline. And have those notes available, identically, everywhere, in the reasonable confidence that when I share them with someone else, they’ll see precisely what I see, on whatever platform and app they themselves have available. They’re now the required standard in the courts, with detailed and thoroughly sensible instructions on how PDF bundles are to be compiled and delivered. (Note that some courts and tribunals have their own rules, so follow them. But this is a good starting point.)

My utter reliance on, and devotion to, PDF means I’m interested in its history. And two excellent pieces tell that story well. One describes Adobe’s long game. The other describes PDF as “the world’s most important file format”. Neither are terribly short, but neither really qualify as long reads. And given how much we now rely on this file format, they’re both well worth your time.