Open Rights Group is calling on Peers from across the political spectrum to improve consumer rights as the Data Protection Bill reaches the last day of the Report stage debate in the House of Lords this afternoon.
Do you remember that time when Uber didn’t tell us that the data of 57 million of their users got exposed? Or that time when Equifax failed to protect data of 400,000 people in the UK? Or those two Yahoo hacks that breached more than one billion accounts? Oh, and that time when TalkTalk was fined £400,000 for inadequately protecting 156,959 accounts of their customers?
I could go on. These are just a fraction of the data breaches that have caused leaks of people’s data. Every time you provide your name, date of birth, home address or details for an online payment to a company you do so based on trust that they will keep your data safe. But increasingly, companies fail their customers.
Currently, the Government’s Data Protection Bill will give citizens the power to instruct a select group of not for profit bodies to represent them in complaints to the data protection authority or the judiciary. This is required of the Government - Article 80(1) is a mandatory provision in the EU’s General Data Protection Regulation (GDPR).
But what happens when customers don’t realise they have been a victim of a hack that is a direct result of weak data protection? Or worse, what happens when products and services used by children get hacked and their parents are not aware?
There have been, and will continue to be, cases when consumers are unaware that they have been a victim of a hack or don’t want to have their identity connected to a particular incident such as the hack of Ashley Madison - a dating website specialising in extramarital affairs . These complaints could be dealt with if the Government agreed to implement Article 80(2) of the GDPR (reflected in the amendment 175A supported by Labour Lord Stevenson and Lord Kennedy, Lib Dem Lord Clement-Jones and crossbench Peer Baroness Kidron). The amendment would give select not for profit bodies the option to raise those complaints without having an affected member of the public instruct them.
The amendment also explicitly recognises the right of adults to seek collective redress on behalf of children who are the victims of data breaches. Additionally, it will allow individuals who have been affected by data breaches to bring collective redress actions on behalf of everyone else who has been similarly affected.
The Government has been refusing to implement additional protections claiming that Article 80(1) will provide enough protection. This is simply not true. Article 80(1) and 80(2) provide consumer protections in different scenarios. By not implementing enhanced protections, the Government is consciously allowing for obstacles to collective redress for more vulnerable groups such as children and the elderly.
The idea of collective redress has been around for a while for other consumer issues related to finance or competition. Consumer groups such as Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the right to present “super-complaints” on behalf of consumers without being instructed by them.
The time has come to see lack of data protection as a consumer issue which is as important as unfair financial arrangements and bad competition practices.
It has become near impossible for consumers to obtain services and products without providing their data to companies. At the same time, the evidence (see the data breaches above) shows that companies have not always been able to protect consumers’ data. The Information Commissioner’s Office and the Deputy Counsel to the Joint Committee on Human Rights are both in favour of implementing Article 80(2).
The Government cannot disregard that data protection is inevitably linked to consumer protection. Data protection is about rights - the right for the public to hold private and public bodies that collect and process their data to account. This is what drives better practice to make our data more secure.
Implementing the amendment allowing for collective redress will give Peers a chance to help make the UK one of the safest places in the world to be online. They should take it.