Time to make Data Protection work for consumers
Data Protection. Two words often followed with discussions about “business compliance”. Plenty of business to business conferences out there are making good money off the spectre of data protection. It doesn’t need to be this way. In fact it shouldn’t. Data protection is about rights – the right for the public to hold private and public bodies that collect and process their data to account.
The test for data protection fulfilling its purpose is whether it is improving consumer rights. Open Rights Group are calling for a specific improvement in consumer rights as the Data Protection Bill reaches its second reading debate in the House of Lords on Tuesday.
Currently, the Government’s Data Protection Bill will give citizens the power to instruct a select group of not for profit bodies to represent them in complaints to the data protection authority or the judiciary. This is required of the Government as Article 80(1) is a mandatory provision in the General Data Protection Regulation, which as a member state of the European Union is directly applicable in the United Kingdom.
However, when given the option to further strengthen consumer rights the Government decided against it. Article 80(2), an optional power in the GDPR, would give those select not for profit bodies the option to take those same complaints without having an affected member of the public instruct them.
Open Rights Group and other members of civil society are calling for 80(2) to be adopted.
This would improve consumer rights in two ways. Firstly, it will protect the most vulnerable members of society such as children and the elderly. Secondly, it will move data protection to the same status as other consumer rights frameworks like competition or finance.
It would finally acknowledge something that should have been a long time ago: data protection is a consumer right and with that should be given the same powers that have proven so important in other areas of consumer rights.
PROTECTING THE VULNERABLE
When it comes to standing up for your rights, it is often those that need it most that are least able. In the case of data protection there have been cases of the profoundly negative effect data sharing has had on the elderly, while research has shown how websites targeted at children are either doing a terrible job of explaining data collection and processing, or no job at all.
The story of Olive Cooke is a sad one. A 92 year old poppy seller who took her own life, was said to be “distressed and overwhelmed” by the huge number of requests for donations from charities she was receiving, according to a 2016 report from the Fundraising Standards Board.
The report found that nearly a fifth of the 99 charities sampled had passed on Olive’s details to others, and that most of those had “assumed” permission to share based on the fact that Olive had not proactively opted out of data sharing. The report concluded that there were “inadequate opportunities for the recipient to opt out” of the mailings and data sharing, which collectively created a situation that was “almost uncontrollable”.
The Global Privacy Enforcement Network, a coalition of data protection authorities from around the world released a report in 2015 showing the level of disregard for data protection standards that websites aimed at children were demonstrating. This included half of the sampled sites sharing personal information with third parties, but only 1 in 3 of them giving effective controls in place to limit the collection of personal information. There was a similarly low number of the websites providing an accessible means for permanent deletion of personal information held.
In both of these examples enforcement either came too late, or not all. One reason was because there was no way for a group to take up the cause for either Olive or children. While the Information Commissioner’s Office in the United Kingdom had actually made public comments on the children’s websites research, there has been no evidence of proceedings or follow up taking place.
If a power similar to Article 80(2) were in place, a not for profit body like Open Rights Group could take up the enforcement against these bad data protection practices. If done appropriately, the exercise of this power would improve the experience of elderly individuals such as Olive Cooke or millions of children online.
DATA PROTECTION AS A CONSUMER RIGHT
The idea that a not for profit body could take up an independent complaint against bad consumer practices is not novel. Traditional consumer rights such as competition and finance have similar powers for a select group of bodies. Some of these powers have lead to significant developments in the consumer landscape. It is time data protection is recognised as another area of consumer rights, one that is growing in importance, and should be given the same enforcement mechanisms as the others.
Consumer rights group Which? is capable of taking a private enforcement action in civil courts against traders for infringements of consumer protection legislation. There is no need to find an individual affected to instruct Which? to take on the enforcement, instead they need merely to show that consumers have suffered a loss.
Also, in the financial sector there is the power for Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland to present “super-complaints” to the Financial Conduct Authority. It was this form of complaint, exercised by Citizens Advice, that played an important role in tackling the mis-selling of Payment Protection Insurance.
The right for independent bodies to take complaints independently of finding an affected consumer are already in the wider consumer landscape. They have been wielded with discretion and have shown to be a valuable addition to the consumer rights framework. For data protection to be a modern consumer right, it is only logical that the same accountability frameworks are brought in. Implementing Article 80(2) is the way to achieve this.
GOVERNMENT’S VISION
The Government’s vision for the Data Protection Bill is to make the UK the safest place to live and do business online. It recognises the increasing volumes of personal data, and notes it as an increasing need to protect it. The vision even recognises that data losses can have distressing repercussions on individuals, and that victims can lose trust. All of this sounds hopeful, as though the Government has identified the issues that data protection can help solve.
If the Government truly wants to achieve its vision, the small addition to improve the accountability framework for consumer rights in data protection will be a big step to take it there.