Consumers should decide what happens
to data kept about them, rather than corporate lobbyists.
An unprecedented lobbying effort is threatening to derail changes to data protection laws that are aimed at giving you new rights over your data. Lobbyists from the USA and Europe are shouting extremely loudly in an attempt to water down the new regulations, which they fear will cost them money.
Data laws in the USA and Europe are very different, of course. Roughly speaking, the USA has a free-for-all, where companies can do pretty much what they like with the data they hold, subject to contract. Conversely, European law gives everyone rights over their data. However, the two models are competing globally. This sets up the new data protection laws for a major clash between the European Commission and privacy advocates on one hand, and the US government and companies on the other.
How did we get here? Back in the 1970s, governments started to worry that companies were gathering increasing amounts of information about private citizens in databases. Companies such as IBM pioneered computing technologies that streamlined data processing in areas such as payroll and banking. Governments in Europe reacted by creating 'data protection' laws. Their objective was to place enough rights in the hands of citizens to allow them to prevent the resale and disclosure of their personal data.
Principles such as consent, fairness, accuracy, necessity and security were placed into data protection law. You have specific rights, such as 'subject access', where you can demand a copy of the information about you that a company holds. You also have the right to have data corrected, and to limited redress when things go wrong.
Nevertheless, while the laws have generally remained static, the power of companies to use this information in ways that fundamentally shape our lives has grown. You can't obtain a bank loan without agreeing that information about it is stored and shared through credit-rating agencies, for instance. Insurers and even supermarkets base large parts of their business on the use of your data.
Internet data has also proved highly difficult to regulate. Logs, cross-site tracking information and the profiling of individuals have become big business, but advertisers obviously haven't wanted to bring these practices within data protection laws. Instead we've seen advertising firms claiming that these logs and profiles aren't 'personal data', as they don't relate to an 'identifiable' individual. Therefore, while you're profiled, companies evade responsibility for giving you rights to control what data is collected about you.
Meanwhile, companies buy each other and
merge their data, as we’ve seen with Google and YouTube, or Facebook and
Instagram, whether or not you want your data traded.
Data protection hasn’t protected people
against data leaks either. Neither private companies (such as Sony) nor the
British government seem capable of keeping your data safe. Now, mistakes are
always going to take place, whether or not there are laws. However, laws need
to deter bad practice and make sure that citizens receive redress when it
occurs. Currently, there’s no general obligation to notify you of data breaches
when they take place. The fines available are also too small for most large
companies to consider them worth worrying about at the highest levels.
For example, in January this year, Sony was fined $380,800 by the Information Commissioner's Office, after a major security breach in 2011, which the regulator said could have been avoided with up-to-date software, and 'compromised the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords', as well as some customers' payment card details. It's good that the legal framework is in place, but this money is a drop in the ocean for a company the size of Sony, making it ineffective as a legal tool.
In short, data protection laws look
inadequate and out of date. Consumers aren’t properly protected and can’t make
the choices they need. Data protection is an area of law with very wide
implications, though, including global consequences, as so many data businesses
are global now. In the USA, privacy laws are very piecemeal, with strict laws
for some sectors and very little regulation for others. Some states require
’breach notification’, while others don’t.
In the USA, the strongest protection online citizens generally have is the 'terms and conditions' to which they agree. The Federal Trade Commission takes abuse of contract very seriously, and uses it to enforce some privacy standards where other regulations don't exist.
While US privacy advocates look at European data protection with envy, US businesses probably look at these laws with terror; they look like a substantial extra cost and a burden. The EU, however, has tried to get other countries to agree to similar data protection laws as a baseline for trade. European companies are legally obliged to ensure that their customers are protected wherever their data resides. Therefore, EU law has become a motor for the improvement of citizens' data rights across the globe, as 'safe harbor' agreements and data protection laws are adopted.
Interestingly, there’s also one wide area
of agreement. Companies and privacy advocates generally all want data
protection laws to be more consistent. They’re fed up with different approaches
in different countries making it hard for customers to know their rights. The
new data protection laws now being considered by the EU Parliament are a step
towards even stronger rights. Together with the international factors, this
helps to explain the scale of recent corporate lobbying.
The fight back from industry is sophisticated. The main areas include the scope of the new laws: if the definition of 'personal data' can be limited, then areas such as Internet data could fall out of scope, and protection could be reduced. Other areas include the 'right to be forgotten', which industry representatives have portrayed as an attack on free speech and the historic record. In fact, the right to be forgotten is about making a clean exit from a service such as Facebook, allowing you to leave without the firm retaining large amounts of data about you. It isn't about demanding that Google or Facebook remove references to you made by third parties.
Industry is also resisting the right for you to obtain a copy of your data freely and easily, and in a portable format. You can currently get this kind of data, but you might receive it as paper copies. Retrieving your data is a way for you to move from one service provider to another, or even a means of assessing which service would be most cost-effective for you, if the data is your electricity usage record, for instance. Some have even claimed that making this data available would encourage consumers to try to engage in fraud.
Certainly, data protection laws are
complicated and there will be conflicts between personal security, data rights
and free speech at the edges. However, it’s important for governments to
balance the claims of corporate lobbyists with the rights of consumers, and
avoid whittling down the proposals to a point where they’re meaningless or
worse than the current laws.
Data Rights Manifesto
Jim Killock's proposed changes to data protection laws
· Mandatory notification: If your data is lost or stolen, you should be notified within a set number of days.
· Bigger fines: Companies should be fined up to 2 percent of their turnover, in order to make data protection important enough to be considered in the boardroom.
· Right to data portability: You would have the right to get your data back, in full, in an electronic format, allowing you to change the service you use.
· Right to be forgotten: You would have the right to have your data deleted when you leave a service.
· Rights of groups to complain: Rather than complaining as an individual, groups such as Which? or the Open Rights Group could make a data protection complaint on your behalf.
· Consent: The definition of personal consent would be strengthened to make it explicit and informed in all circumstances.