SECURITY

Data Protection Wars

4/11/2013 3:17:42 PM

Consumers should decide what happens to data kept about them, rather than corporate lobbyists.

An unprecedented lobby effort is threatening to derail changes to data protection laws, which are aimed at giving you new rights over your data. Lobbyists from the USA and Europe are shouting extremely loudly in an attempt to water down new regulations, which they fear will cost them money.

Data laws in the USA and Europe are very different, of course. Roughly speaking, the USA basically has a free-for-all, where companies can do pretty much what they like with their own data, subject to contract. Conversely, European law gives everyone rights over their data. However, the two models are competing globally. This sets up the new data protection laws for a major clash between the European Commission and privacy advocates on one hand, and the US government and companies on the other.


How did we get here? Back in the 1970s, governments started to worry that companies were gathering increasing amounts of information about private citizens in databases. Companies such as IBM pioneered computing technologies that streamlined data processing, in areas such as payroll and banking. Governments in Europe then reacted by creating ‘data protection’ laws. Their objective was to place enough rights in the hands of the citizen to allow them to avoid the resale and disclosure of their personal data.

Principles such as consent, fairness, accuracy, necessity and security were placed into data protection law. You have specific rights, such as ‘subject access’, where you can demand a copy of the information about you that a company holds. You also have the right to have data corrected, and to limited redress when things go wrong.

Nevertheless, while the laws generally remained static, the power of companies to utilize this information in ways that fundamentally shape our lives has grown. You can’t obtain a bank loan without agreeing that information about it is stored and shared through credit-rating agencies, for instance. Insurers and even supermarkets base large parts of their business on the use of your data.

Facebook and Instagram

Companies buy each other and merge their data, as we’ve seen with Facebook and Instagram, whether or not you want your data traded in this way.

Internet data has also proved highly difficult to regulate. Logs, cross-site tracking information and the profiling of individuals have become big business, but advertisers obviously haven’t wanted to bring these practices into data protection laws. Instead we’ve seen advertising firms claiming that these logs and profiles aren’t ‘personal data’, as they don’t relate to an ‘identifiable’ individual. Therefore, while you’re profiled, companies evade responsibility for giving you rights to control what data is collected about you.

Meanwhile, companies buy each other and merge their data, as we’ve seen with Google and YouTube, or Facebook and Instagram, whether or not you want your data traded.

Data protection hasn’t protected people against data leaks either. Neither private companies (such as Sony) nor the British government seem capable of keeping your data safe. Now, mistakes are always going to take place, whether or not there are laws. However, laws need to deter bad practice and make sure that citizens receive redress when it occurs. Currently, there’s no general obligation to notify you of data breaches when they take place. The fines available are also too small for most large companies to consider them worth worrying about at the highest levels.

For example, in January this year, Sony was fined $380,800 by the Information Commissioner’s Office, after a major security breach in 2011, which the government said could have been avoided with up-to-date software, and ‘compromised the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords’, as well as some customers’ payment card details. It’s good that the legal framework is in place, but this money is a drop in the ocean for a company the size of Sony, making it ineffective as a legal tool.

In short, data protection laws look inadequate and out of date. Consumers aren’t properly protected and can’t make the choices they need. Data protection is an area of law with very wide implications, though, including global consequences, as so many data businesses are global now. In the USA, privacy laws are very piecemeal, with strict laws for some sectors and very little regulation for others. Some states require ‘breach notification’, while others don’t.

In the USA, the strongest protection online citizens generally have is the ‘terms and conditions’ to which they agree. The Federal Trade Commission takes abuse of contract very seriously, and uses it to enforce some privacy standards where other regulations don’t exist.

While US privacy advocates look at European data protection with envy, US businesses probably look at these laws with terror; they look like a substantial extra cost, and a burden. The EU, however, has tried to get other countries to agree to similar data protection laws, as a baseline for trade. European companies are legally obliged to ensure that their customers are protected, wherever their data resides. Therefore, EU law has become a motor for improvement of citizens’ data rights across the globe, as ‘safe harbor’ agreements and data protection laws are adopted.

Interestingly, there’s also one wide area of agreement. Companies and privacy advocates generally all want data protection laws to be more consistent. They’re fed up with different approaches in different countries making it hard for customers to know their rights. The new data protection laws now being considered by the EU Parliament are a step towards even stronger rights. Together with the international factors, this helps to explain the scale of recent corporate lobbying.

PlayStation Network

Sony was fined $378 for the PlayStation Network security breach in 2011, but this isn’t enough to make data protection a consideration in the boardroom.

The fight back from industry is sophisticated. The main areas include the scope of the new laws: if the definition of ‘personal data’ can be limited then areas such as Internet data could fall out of scope, and protection could be reduced. Other areas include the ‘right to be forgotten’, which industry representatives have portrayed as an attack on free speech and historic record. In fact, the right to be forgotten is about making a clean exit from a service such as Facebook, allowing you to leave without the firm retaining large amounts of data about you. It isn’t about demanding that Google or Facebook remove references to you made by third parties.

Industry is also resisting the right for you to obtain a copy of your data freely and easily, and in a portable format. You can currently get this kind of data, but you might receive it as paper copies. Retrieving your data is a way for you to move from one service provider to another, or even a means of assessing which service would be most cost-effective for you, if the data is your electricity usage record, for instance. Some have even claimed that making this data available would encourage consumers to try to engage in fraud.

Certainly, data protection laws are complicated and there will be conflicts between personal security, data rights and free speech at the edges. However, it’s important for governments to balance the claims of corporate lobbyists with the rights of consumers, and avoid whittling down the proposals to a point where they’re meaningless or worse than the current laws.

Data Rights Manifesto

Jim Killock's proposed changes to data protection laws

· Mandatory notification: If your data is lost or stolen, you should be notified within a set number of days.

· Bigger fines: Companies should be fined by up to 2 percent of their turnover, in order to make data protection important enough to be considered in the boardroom.

· Right to data portability: You would have the right to get your data back, in full, in an electronic format, allowing you to change the service you use.

· Right to be forgotten: You would possess the right to have your data deleted when you leave a service.

· Rights of groups to complain: Rather than complaining as an individual, groups such as Which? or the Open Rights Group could make a data protection complaint on your behalf.

· Consent: The definition of personal consent may be strengthened to make it explicit and informed in all circumstances.
