UK urged to improve data protection for the digitally naive
Several consumer groups have written to UK Minister for Digital Matt Hancock urging changes to data privacy and protection rules, removing grey areas which allow companies to navigate breaches unscathed, reports Telecoms.com (Banking Technology‘s sister publication).
Many rules and regulations should be viewed as dated today. This is not necessarily anyone’s fault, but is more a consequence of how quickly the digital society has engulfed the world. Governments are making the necessary changes, but technology moves faster than politicians. In a letter to Hancock, the consumer groups point towards the idea of collective redress in instances of mass data breaches and systemic insecurities in connected devices, as a means to move rules into the digital age.
“Under the current system individuals have the right to seek redress from organisations when their data has been lost or misused,” the letter reads.
“Whilst we wholly support the provisions in Article 80(1), which reflects the existing system, it is inadequate on its own in holding organisations to account. Further, given the potential scale of data breaches and the breach notification duty, a mechanism under Article 80(2) would save significant administrative and court time, in that it will avoid a myriad of individual claims.”
The letter, which has been signed by Which, the Open Rights Group, Age UK, the Financial Services Consumer Panel and Privacy International, effectively asks the government for permission to make complaints against organisations without prior instruction from consumers. This might sound unusual, but there is some logic here.
We had a brief chat with Jim Killock, the Open Rights Group executive director, who likened it to the world of competition complaints. Here, there are a select number of organisations, known as “super complainants”, who can raise complaints to the Competition and Markets Authority (CMA) on behalf of consumers, but not because of instruction from individuals.
In the digital world, this could be quite a useful change. Take for example a data breach, few consumers are aware as to whether their information is actually part of the breach, maybe due to anonymised data, or perhaps the breach was suitably long ago that they aren’t actually bothered. Data breach fatigue might be another reason consumers do not take action, but in every circumstance the offending company receives less flak.
Another example is with the very old or very young. The very old might not have the digital know-how or enthusiasm to realise or follow-up on these breaches, but does that mean the companies should be allowed to get away with inferior security? With the young, parents might not want to drag children through the legal process if the personal information of a 14-year-old was breached. Should companies be allowed to profit off non-action?
By creating a super complainant in the digital world, organisations like the Open Rights Group can take action against the offending organisation, and create an environment of accountability. Currently a human face has to be attached to a complaint before it can be taken forward, but the letter urges for action against bad practice, not necessarily the harm of consumers.
Of course, there would have to be certain conditions for the super complainants to operate. For instance, only a small number of organisations would be given the accreditation. These would have to demonstrate they have the in-house resources to deal with such a mission, but also that they are able to act with care; flood the Information Commissioners Office with too many irrelevant cases and you could have the accreditation removed.
There would also be financial conditions. There should not be a financial reward for taking the sword to these companies, but it should be done as the action of a privacy and security advocate. This will rule out the cowboys and digital ambulance chasers of the world.
It certainly sounds like a logical idea, but whether the digital-inept politicians in charge of our digital economy actually do anything remains to be seen. We certainly won’t be holding our breath.