OK it’s been fun ignoring all those ‘We don’t want to lose you’ emails for when the General Data Protection Regulation (GDPR) becomes enforceable on Friday. Even better is the satisfaction of noting that the great majority of these messages - including from law firms that ought to know better - are at best admissions of poor data management in the past and at worst actual breaches of data protection law. So hooray for the regulation and the accompanying Data Protection Act, which received Royal Assent today, for updating our essentially pre-internet regime for handling personal data.
But, as the Information Commissioner's Office continually reminds us, Friday's 'GDPR day' is the start, not the end, of the process. That process is a fundamental change in the culture of handling personal data, which will have negative as well as positive consequences.
So far the main grumbles have been about the costs of ensuring corporate compliance by Friday: an average of £15m for each FTSE 100 company, by one estimate. The correct response here is: tough. Businesses have had two years to prepare for the GDPR day and, more to the point, most of what they had to do to comply was good practice under the 1998 Data Protection Act already. That so many businesses seem to have been shocked into urgent action - all those blasted emails - is a pretty damning indictment of corporate attitudes up to now.
The real worry is what happens next, and whether the GDPR will exert a chilling effect on innovation in what techies call the fourth industrial revolution. For all the reassurances of culture secretary Matt Hancock, let's not forget that the GDPR is partially a protectionist measure drawn up by the EU following Europe's abject failure to produce a player in the digital economy on the scale of Google, Facebook and Amazon. The strategic idea is to create a walled garden inside which the web giants' cavalier handling of personal data is unacceptable. They either play by the new rules or go elsewhere, allowing an ethical, home-grown, digital economy to grow up in our regulated haven.
The problem is, protectionist regulatory measures by technological losers have a poor historic record of nurturing innovation. Look at the history of railway gauges, or China's 15th century ban on ocean-going ships. At stake now is something more than free-to-use web browsers: the hopes currently invested in artificial intelligence, which is a significant element of the UK government's industrial strategy, are based on the assumption that computing algorithms will have vast resources of data to learn from.
Perhaps the European model of tight regulation, in which individuals have indefinite control of what uses are made of data collected about their behaviour, will turn out to be the right climate for nurturing this revolution, but let's not forget there are alternatives. Apart from the US, which also enjoys freedom from the EU's 'precautionary principle' when it comes to adopting new technologies, there is China, which of course has already built its own style of walled garden in the digital economy. Here, of course, the emphasis is on shutting out news and social media content that does not meet the regime's approval. But a walled garden in which approved enterprises can process data on a couple of billion citizens with no fear of individual privacy actions could well offer a competitive advantage in the development of algorithms for, say, self driving cars or medical diagnosis.
Europe's hope, of course, is that the world will see the sense of doing things its way and that GDPR will become a global standard. The key player could be the other Asian giant, India, which is currently considering tightening its data protection regime following the Supreme Court's discovery of a right to privacy last year. But as much will depend on relative economic pull. At the moment, the UK has no choice but to follow Europe: hence the need to implement GDPR through the Data Protection Act (though without incorporating the regulation's text) to preserve adequacy following Brexit.
Whether Europe's data protection regime remains the optimum remains to be seen. Future governments should ensure that the UK picks the winning team.