Open Rights Group briefing on the Data Protection Bill - HoL Second Reading

This briefing outlines the case for treating data protection the same as traditional consumer rights.


Open Rights Group (ORG) is the UK's only digital campaigning organisation working to protect the rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

Digital technology has transformed the way we live and opened up limitless new ways to communicate, connect, share and learn. But for all the benefits, technological developments have created new threats to our human rights. We raise awareness of these threats and challenge them through public campaigns, legal actions, policy interventions and tech projects. 

The Government introduced its Data Protection Bill on 13 September to regulate the processing of personal data by private bodies such as Facebook, Amazon, Google, or public institutions like Universities, Government Departments, and Law Enforcement. This Bill will adopt much of the General Data Protection Regulation, but there are key areas that can be worked on to improve the protection of consumer rights for everyone in the United Kingdom.

GOVERNMENT’S VISION

“Our vision is to make the UK the safest place to live and do business online. With the increasing volumes of personal data there is an increasing need to protect it. Data loss can have distressing repercussions on individuals whilst risking significant reputational damage for the responsible party. Victims lose trust.”

Department for Digital, Culture, Media, & Sport, A new Data Protection Bill: Our Planned Reforms.

The challenges that the Government’s vision outlines require a coherent data protection framework, backed by strong enforcement. Simple changes to the proposed Bill will make a huge difference in protecting individuals’ consumer rights.

Currently, the Government proposes to allow civil society to represent data subjects only after data subjects “instruct” them to do so. This means:

-   Vulnerable members of society, such as the elderly and children, are less likely to have their rights protected because they are less likely to assert their rights in the first place.

-   Data Protection will not have the same enforcement powers as other consumer rights.

General Data Protection Regulation Article 80 contains the relevant information about the representation of data subjects in complaints procedures:

80(1)

Provided the data subject has given the mandate to a not for profit body, the body has the power to exercise rights of complaint:

-       Article 77. Lodge a complaint with a supervisory authority (not for profit lodges a complaint at the Information Commissioner’s Office)

-       Article 78. Complain against a supervisory authority, where either a complaint is not handled or the data subject is not informed within three months on the progress or outcome of the complaint lodged pursuant to Article 77 (not for profit complains about the Information Commissioner’s Office to a court if the Information Commissioner’s Office is not doing its job).

-       Article 79. Lodge a judicial complaint against a controller or processor (not for profit lodges a complaint in the courts against a processor or controller that has infringed the Regulation).

80(2) of the General Data Protection Regulation provides for an optional power that allows for a select group of not for profit bodies to exercise Articles 77 to 79 powers independent of a data subject’s mandate.

Take this opportunity to stand for consumer rights in the UK. Call for Article 80(2) adoption in the Second Reading debate of the Data Protection Bill on 10 October.

PROTECTING THE VULNERABLE

Elderly individuals have been targeted by unfair marketing, leading to deeply troubling results. These include the case of Olive Cooke, a pensioner who at the time of her suicide was receiving over 2,000 charity mailings a year because of data sharing between charities.

A sample of 99 charities found that 70 of the 99 had obtained her details from a third party, so Olive Cooke would not have provided those details directly to them. She may even have been unaware of how to ask them to delete her details or remove her from the list.

The Global Privacy Enforcement Network, an international coalition of data protection authorities, released a report in 2015 which showed how badly children’s details are treated by websites: 

  • ⅔ of the sites surveyed by the Information Commissioner’s Office collected children’s personal information.
  • However, only 1 in 3 had effective controls in place to limit the collection of personal information from children.
  • Half of the sites shared personal information with third parties.
  • Only 1 in 3 websites provided an accessible means for permanent deletion of the personal information held.

Despite the authorities noting this troubling practice, and promising they were doing follow-up work, there has been no substantive work to show that websites have improved their practices, nor have enforcement proceedings been taken up by the Information Commissioner’s Office.

PROBLEM

These vulnerable individuals may not have the time or skill to make a complaint.

These are normally the people that most need protection and yet they aren’t even able to take the first step.

SOLUTION

Currently, accountability systems for the most vulnerable risk discouraging complaints because they are confusing, time-consuming and, for the most vulnerable, not visible.

Giving a small set of “not for profit” bodies the option to take challenges against bad data protection practices on behalf of the public will improve the support of vulnerable individuals.

Not for profit bodies like the Open Rights Group could identify behaviour and take action without adding to the distress of the vulnerable individual (which is a risk of a system that requires a named individual to assert their right) and improve their livelihood, and the protection of their data.

DATA PROTECTION THE SAME AS OTHER CONSUMER RIGHTS

In consumer law there is a power for private enforcers to take civil actions in courts to protect collective consumer rights via enforcement orders. Which? is the only designated private enforcer.

In the financial sector, there is a power for Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland to present “super-complaints” to the Financial Conduct Authority.

The “super-complainant” system is one of the reasons the PPI mis-selling scandal was discovered, via the work of Citizens Advice.

PROBLEM

There are empowered, independent enforcers of consumer rights in the traditional consumer sector and the consumer finance sector, but there is no equivalent status for digital consumer enforcers.

Powers for independent action are an important aspect of other consumer protection frameworks. The need for a similar framework in data protection is no different.

SOLUTION

Introducing the possibility of select not-for-profit bodies taking actions against actors will mean data protection has the same enforcement standard and opportunities as other consumer rights, harmonising the consumer rights enforcement landscape.

Support Article 80(2) adoption on 10 October and take a stand for consumer rights.