Data protection debate at MoJ

Yesterday I attended the first of the Department of Justice’s Advisory panel meetings on the new Data Protection regulation laws being proposed at the EU.

The new laws are already the subject of intense lobbying and pressure. The key changes are designed to strengthen the privacy rights of citizens, in several ways:

Better definitions: the definitions of personal data and consent have caused problems especially in the UK, where we haven’t followed the Directive strictly. The result is that some personal data – like that collected by behavoural advertisers – is not treated as personal data; and sometimes consent is “implied” rather than actually freely given and explicit.

The right to be forgotten: perhaps better understood as a right to have data deleted in full, when you choose to exit a service. The debate is about how easy it is for a service to request data be deleted by third parties that it works with, when your data has been shared

The right to your data: in the UK, getting your data back costs £10. In other coutries, it is free. The new law proposes you get it back for free, and in electronic format so you can move around different data services easily. Some businesses claim that this would lead to frivolous claims, and want to limit your ability to get your data. We argue it should be possible for bigger businesses to make it easy by building the systems right.

Put together, the right to delete in full and get your data back are meant to create a market for individuals to be able to choose data services and drive the market.

Increased fines based on turnover: this would create a real and scalable deterrent, reflecting penalties in competition law.

Damages that are based on the sigificance of a breach to a person, not proving financial or personal harm: data breaches put you at risk and are a harm in themselves. In the UK, you must prove actuall loss, or stress, or some other tangible harm to take someone to court. This is too high a bar and means most people cannot complain to a court.

Breach notification: while longer than 24 hours speficied in the draft is needed, you should have a right to be told of a data breach.

Group actions: the regulation would allow groups like Which? or ORG to represent groups of affected citizens in a particular case.

EU consistency: by choosing a regulation, the new data protection law would be written straight into UK law, so would be the same as other countries. This would reduce the burden on business, improve predictability for citizens and hopefully make it easier for people to enforce their rights.

There was of course a lot of disagreement about the big issues, like what to do with the right to be forgotten, or how data portability should work. The meeting was conducted on Chatham House rules, so I can’t name names, but this may give you a picture.

There was surprising consensus that a unified European data protection law would be good for everyone: business, small businesses and citizens, by making it easier for people to know their duties and rights wherever they are. The group felt this should reduce the burden on business overall.

This placed the government’s current position of opposing a new, tighter “regulation” as failing to represent the consensus among those parts of UK society represented at the meeting. This included major businesses, small businesses, policing and civil society. Despite the government’s desire to limit the changes to data protection, the advisory group seemed to be prepared for change, and without a doubt wanted greater legal consistency.

There are also seemingly contradictory positions within the UK government, where BIS are trying to increase data portability through domestic legislation to support Midata, but Justice are resisting it at the EU.

The real arguments will come as US businesses and government lobbyists try to weaken the regulation. Right now, UK citizens’ interests need to be better reflected by the government, who should be supporting greater control over our personal information.