The Growth of Privacy; Day 1 – Beginnings
JANUARY 28, 2020
I started studying law in University College Cork in the first week of October 1990; I was 18. Law had never really been a passion of mine, more something that I drifted into, and I had very little (read “no real”) idea of what to expect.
The date was somewhat providential, entirely co-incidentally so, in a privacy context for reasons that I will return to; though privacy as an aspect of law was not something within a million miles of my consciousness when I first began to consider law as a subject.
For some reason what stands out in my mind from that first year in 1990 were the contract law lectures by the then head of the faculty, Professor John O’Connor, known affectionately to the students as Johnny Contract. My recollections of that autumn seem to involve a lot of wandering about in the rain and cramming sodden into lecture theatres in the West Wing of the Quad in UCC listening to concepts that were completely alien to me. Things like offer, acceptance and consideration; these apparently were the fundamental ingredients of a contract. And indeed it was the communication of these elements, or disputes regarding them, that comprised the case law on which much of contract law was founded.
Most of the case law emanated from the 19th century with exotic names like Carlill v Carbolic Smokeball Co being one case that sticks in my skull for some reason. Another was the concept of the posting rule. The idea that the date of acceptance of an offer was considered to be the date on which it was posted in the ordinary course of business, as opposed to the date on which it may have been received.
The very nature of the modes of communication that gave rise to this case law demonstrates how, even as recently as 1990 (and I’m not really that old), the digital age and the privacy considerations that it gives rise to, was unimaginable. Certainly, even though it existed, and was then developing in the world, it remained completely unknown territory to me.
I left UCC in 1993 and went on to do a master’s degree in law in UCD, under a man who had in fact written the book that we had used in the first year in contract law, Professor Robert Clarke. Bob Clarke was then running what was considered to be a progressive and forward-thinking master’s programme that included information technology; a topic lawyers had paid little attention to up to that point, indeed many of them haven’t paid it much attention since. And so in 1994 I first became acquainted with what was at that time the Data Protection Act, 1988, my first encounter with the legal concepts of privacy and data protection. And, legally speaking, this was pretty new stuff, 6 years is nothing in the introduction and development of new legislation; practically no-one had heard of, not to speak of having any interest in, data protection in 1994.
And I have to confess to recalling being a little less than riveted by the subject at the time myself. As a 22-year-old, I found it difficult to conceive of its relevance for me. In terms of the development of information technology, recall that this was an era that predated the widespread use of email, floppy disks were the latest thing, the world wide web had been created in 1990 but was still a very new-fangled rarity for most, dial-up connections were horrendously slow and Google wasn’t to be created for another 4 years. Why on earth should anyone give a crap about data protection? The only place it seemed to matter was in the public service; not something I had any interest in becoming involved in.
In hindsight, of course, that was the whole point. It just didn’t have any real meaning for me at the time.
I mentioned that I started studying law in the first week of October 1990. It just so happened that the reunification Germany took place on 3 October 1990, right in the middle of fresher’s week. I can’t, hand on heart, say I really noticed.
The Berlin Wall then came down the following year in November 1991, something that had a much more visceral impact; it was real and you could see people on TV hacking off bits of masonry.
Looking back on it now, these events that coincided with the start of my legal career, are of particular significance in terms of the growth of privacy and data protection in a legal sense to what we know of it today.
Because if you want to understand where privacy and data protection in the EU is coming from in terms of where they are today, East Germany during the cold war is where we need to start. The Stasi, or the Ministry for State Security of the German Democratic Republic, was responsible from 1950 to 1990 for spying on the population of East Germany, it has the dubious distinction of being one of the most effective and repressive intelligence regimes to have ever existed. And it did it all with data. They had a file on everyone.
And so, data protection as a concept in Europe emerged as a system for ensuring that nothing like the Stasi could ever emerge again and that the public had a right to protect itself against the abuse of its data by the government. It doesn’t sound sexy, but then again try feeling sexy while the secret police are recording everything through the plaster in your bedroom wall; when it comes to the fundamentals of your privacy from the security of your most intimate thoughts and moments downwards, boring is beautiful.
To mind this is critical to understanding where the concepts of privacy and data protection law are coming from and where they are going, it isn’t merely some technical box-ticking that some European bureaucrat has just dreamt up; it is based at its core on the fundamental human right to privacy; the right to be left alone, that which each of us cherishes.
So this is where data protection and privacy have come from and, Zellig-like, I found myself starting my legal educational journey at a time that proved a watershed moment in terms of the importance of these right to the very existence of the post-war European peace project that is the EU.
And while I might like to pretend that this high minded view of data protection and privacy is how I came to it all, of course, that would be entirely untrue. My ultimate route into an interest in this area in practice was a far different, less noble one.
After completing my legal studies I went into the private practice of law, but not in data protection and privacy. I qualified in 1998 and went into practice for myself in 2000. From 2000 to 2008 my fledgling practice grew rapidly. I smugly thought that I was a business and legal genius.
In 2009 I discovered that it was not my business acumen that had brought me to where I was, but rather an Irish property bubble, which dramatically burst in the Great Recession of 2009. Let’s just say I didn’t have a good recession.
It turned out everything that we had been doing was linked to the property market (and I was personally also deeply embedded in the wholesale leveraged property debt that was at the core of all of that). That all blew up overnight with spectacularly bad consequences with those involved up to that point.
For me, among other things, it meant that I no longer had a functioning business and I had to go out and reinvent that. Gradually, and quite desperately, I did so and in the process discovered a passion for marketing, in particular, direct response marketing. Over more than a few very difficult years we succeeding in rebuilding a practice from less than nothing using those principles.
And of course, in the 21st century, at the core of any direct response marketing system is data, managed by CRM systems and autoresponder follow-up, all of which is cloud-based. I quickly came to realise that the concepts of privacy and data protection that had been of academic interest to me as a legal student, were of existential importance to me as a marketer. My ability to continue using the marketing techniques and systems that had allowed me to re-invent and save my business was entirely dependant on my ability to create and use them in compliance with data protection and privacy law.
And then in October 2015 the Court of Justice of the European Union decided in the Schrems case that the primary system for legitimising transfers of data from the EU to the US, a system called Safe Harbor, was invalid. Almost overnight all of those lovely cloud-based computing systems so beloved of marketer suddenly looked like they might no longer be capable of being used legally in the EU.
If it hadn’t before, data protection as a concept now really had my attention.
Since then we have had the Privacy Shield replace Safe Harbor but uncertainty remains, not least from further legal action being brought by the same Mr Schrems. And of course, we have had the GDPR in the meantime and we have the prospect of an ePrivacy Regulation coming down the tracks.
My first encounter with data protection happened in a legal academic setting where its provisions seemed dry and irrelevant, no matter how noble and rights-based. On the other hand, my first really serious conscious thoughts about the practical implication of data protection came as a business owner.
The realisation I have come to from all of this is that if we are to continue with viable, sustainable, and ultimately profitable businesses, we are going to have to put data protection compliance and respect for the privacy and fundamental human rights of our customers, clients and prospects at their core.
Flor McCarthy is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi award winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
Do you need to know more about Article 27 Representation in the EU for GDPR and how it impacts your business?
The Ultimate Guide to Article 27 GDPR EU Representation for Non-EU Businesses.
Find out everything that you need to know about GDPR Article 27 Representation for your organisation in this free guide.