After Schrems, “committee speed” is no longer an option in digital law

The fallout from the Schrems – Safe Harbor case has been examined from many angles. One of those angles is an issue I’ve spoken about at every conference and also discussed on Jeffrey Zeldman’s show last week. It’s the question of how we, as an industry working at light speed, can work more productively with governments and legislators who regulate the internet at committee speed.

Our industries work in very different cultures. Government legislation must be thorough, deliberate, and measured. Indeed, legislation regarding the internet which is pushed through quickly – like the first try at the revised Snooper’s Charter earlier this year – is rarely good news. Digital legislation must also be consultative. Everyone affected has to be consulted to have their fair say, although the web industry’s lack of professional organisation means we choose not to show up at the table (see my upcoming piece in A List Apart for more on that.)

The web industry, meanwhile, is best illustrated by an independent group of web developers setting up and shipping an “AirBNB for refugees” site in the time it took the EU to announce they were going to have an emergency committee meeting about refugees in two weeks. Our industry works live in real time from wherever we are sitting, and our work is governed by and for whoever decides to show up. To quote the book title of the same name, we just fucking ship.

And ne’er shall the twain meet.

Speedy Gonzales brings hope of digital law reform to his cousin, Slowpoke Rodriguez.

In a recent piece I wrote on Section 508, the US federal government’s accessibility law, I explained the problem which results from that clash of cultures:

It is increasingly the norm, and not the exception, for digital laws to spend so many years languishing in committee processes that they risk being irrelevant by the time they become law. For their part, digital professionals who depend on these pieces of legislation to provide standards for their work lose patience with the process as well as respect for the responsible bureaucracy.

Section 508 is perhaps the most extreme example of that. Its refresh has been dragging through committees since 2006 – almost ten years. The consequence of that delay is that web developers working for the US federal government are still required to retrofit their work to a pre-WCAG accessibility standard from 1998. They might get their refreshed standard next year. Might. But after waiting nine years for the committee to JFS, those developers understandably now refer to them using language a lot worse than that.

The collapse of the Safe Harbor agreement has happened at the same time that the EU is working through the draft General Data Protection Regulation (GDPR), the revision of the legal framework across the continent which would replace the 1995 law currently in place. It has been in the works since 2012 and they are aiming for a 2017 release, with a 2019 compliance deadline. Obviously this process is absolutely massive. In fact, the draft law is so complicated that the EU has released an app allowing you to compare the three draft versions. (The app contains nearly 30 megabytes of solid text. No, I haven’t downloaded it either.) Few people held out hope for the reform to be completed by 2017 before the Schrems verdict came down. Even fewer believe it will happen now. This means even more years of living in a legal “what if” dependent on a byzantine committee process.

Where this now gets interesting is that in light of the Schrems verdict, two different UK-based digital organisations have independently come out and said that “committee speed”, business as usual, is no longer appropriate for the GDPR.

The first was TechUK, who repeated a call they made earlier this year for the GDPR reform to move at pace:

The digital revolution moves far more quickly than the pace of European decision making, and Europe’s policy response needs to be more agile and fleet of foot. Progress on building the DSM is more likely to be made through a succession of small steps that can be agreed quickly, rather than a series of giant leaps that require many years of complex negotiation and often result in outcomes that are considerably removed from what was originally intended.

The second was the Society for Computers and Law, the professional organisation for lawyers working in IT and digital law. They echoed TechUK’s concerns in their own editorial:

All these changes in the data protection landscape have gone on while we await the final, final version of the data protection reform package. The lot of those charged with the task of finalising the GDPR has not got easier. In fact, while I share the impatience of those wondering how anything can take this long, I note that even those who were previously very impatient have changed their tone a little and seem resigned to yet further delay. The danger must be that, just as the last Directive was decades behind developments in practice, the GDPR will be a decade behind practice and a long way behind the case-law developments. The saving grace may be that data protection principles are (relatively) simple and must be kept that way. But I still feel strongly that this might be a case where the usual practice of postponing direct implementation in Member States for two years should be abandoned and a speedier implementation agreed – lest the law and practice move on round the bend. As it is, we have vast changes in data protection practice being addressed by the courts using old tools.

These pleas for sanity may well fall on deaf ears. As we’ve seen with VATMOSS, the perception that the UK is anti-EU means that constructive criticism of EU policies – even from pro-EU individuals and bodies – sees those critiques written off as uninformed griping. Let’s hope that doesn’t happen here. For now, the fact that organisations representing both the digital industry and the law profession are finally understanding what we in the web profession have been saying for years is a small but satisfying mark of progress.