The Data Grab Bill will harm mothers and children
In data: a new direction, the UK Government proposes to reform legitimate interest. What may sound like a technicality has rather serious implications for UK residents: tech companies and organisations will be able to use personal data without consent, even when it harms individuals or trumps their rights.
SUBVERTING LEGITIMATE INTEREST
Open Rights Group wrote about Government plans to subvert the nature of legitimate interest before, but how does this affect us in practice? We will use Bounty as an example. The Information Commissioner’s Office fined them £400.000 for illegally selling the personal information of 14 million mothers and babies to data brokers, and Privacy International is now helping victims to shield themselves from further abuses of their data.
However, the changes the UK Government proposed would legalise this kind of illegal practice, making it nearly impossible to hold the perpetrators to account. Even more outrageously, offenders would be allowed to profit from your data access requests under the new fee regime.
Marketing with a licence to abuse
Bounty advertise themselves as “an information service for pregnant women and new mothers”. They are also known for their horrific commercial practices, such as approaching women moments after stillbirth or still bleeding mothers within hours of giving birth.
Bounty are not champions in data protection either and were fined by the ICO for “sharing the personal data of over 14 million individuals to […] credit reference and marketing agencies”. In particular, the ICO held that “neither the consent condition, nor the legitimate interests condition […] was met”. Although they were fined primarily for their failure to obtain valid consent, it is important to understand why legitimate interest wasn’t an available option to justify this abuse.
Bounty would have, in principle, a reasonable interest in selling personal information to data brokers and advertisers to “improve their marketing services”. However, their interest is overrun in practice by mothers and children’s rights not to be profiled without their knowledge, or exposed to abuses. In the words of the ICO, Bounty data practices exposed victims to “a significant loss of control over their data”, and “to potential distress without reasonable justification”.
This is an example of the balancing test that the UK Government want to scrap for “improving services for customers”. In turn, your right not to be harmed wouldn’t matter anymore: Bounty could share mothers’ data, this time under the blessing of Government new rules.
The UK Government is also considering whether to remove the balancing test for children data, but data about mothers and fathers’ habits and purchases are inherently revealing of their offspring’s personal traits. Then, allowing the collection of parents’ data under the legitimate interest exemption will inevitably expose children data, regardless of what the Government decides in relation to this question.
Offenders will answer to your questions, but for a price
Because of the nature of data brokerage, Bounty victims are still exposed to having their data sold and resold many times over, by and to faceless companies. This is why Privacy International is helping victims to submit data subjects access requests; in other words, asking Bounty if your data was shared and with whom.
However, the Government wants to introduce a fee regime for access requests: Bounty would not only profit from selling your information, but they would also charge you if you ask any questions about it. The impact of access fees on individuals is even more profound if you consider that Bounty sold this data to 39 organisations, which may have shared or sold this information themselves. The number of access requests, and conversely the amount of fees you would be charged with, can grow exponentially and leave you helpless.
It is also worth mentioning that the UK Government do acknowledge this issue, but they think it “may be mitigated by the fact that a third party can raise a subject access request on their behalf”. In other words, the Government think that the good samaritan will be the answer to your problems.
Finally, isn’t there a Regulator for this sort of widespread abuses? Indeed, the ICO could conduct a regulatory sweep against the data brokerage sector, but they are taking it easy as they always do. This situation would worsen under Government proposed rules. The ICO would be forced to consider the economic impact of their regulatory activities. Besides, the Secretary of State would have the power to dictate ICO priorities.
There is a simple way to put it: does the Secretary of State consider data brokerage important to unleash the power of data across the economy? Would enforcing against data brokers involve high compliance costs for them? This is not your lucky day, the ICO have their hands tied.
Your privacy binned
Claiming an interest in doing something is rather easy. Think of a bank willing to run a credit reference check, an employer willing to monitor your performance at work, or a school willing to proctor an online examination. Devil is in the details: lacking any counterweight, imagination is the only limit to how Government proposed approach would loosen up protections for individuals, if not legitimise abuses as a whole.
The UK Government proposals are structurally unsound and cannot deliver the safeguards that data protection is meant to offer. This is not a glitch or a flaw that you can put a lid on, but it goes at the core of what the UK is losing by replacing a rights-based GDPR framework with a cynical corporate rulebook. Is there an industry that makes a living out of data abuses? It’s the economy, baby! Are you looking for answers? Nothing comes for free, my dear!
The UK Government would have your humanity, weaknesses, and pretence to keep your personal life and those of your children private treated as obstacles in their path for innovation and growth.