Disclaimer: The views expressed are that of the individual author. All rights are reserved to the original authors of the materials consulted, which are identified in the footnotes below.
By Alex Roper
How is our data being used?
In the 21st century, the most coveted commodity is data. With the power to manipulate every facet of consumer behaviour,[1]influence democratic elections,[2] or even start a riot,[3] data has undeniably earned its title as ‘the oil of the digital era.’[4]
Technological developments in the past decade have been the driving force behind this data revolution; information can now be collected in a myriad of manners, with companies utilising the increased prominence of smart devices and electronic payments to closely monitor consumer interests and behaviours,[5] interpreting this information in conjunction with data on location, age, gender, and other personal characteristics. Cookies allow companies to collect information on the sites a customer has visited, the products they viewed, and where they go after leaving the site,[6] meaning even the most trivial of internet searches are tracked, analysed, and commodified.
Social media companies are even more sophisticated in their use of data, employing algorithms to monitor every aspect of their users’ behaviour on the platforms, not only to tailor content to individuals, but also to build up data profiles on customers which third parties can buy access to.[7] The issues surrounding data privacy gained significant media attention in the aftermath of the ‘Cambridge Analytica’ scandal, which involved the acquisition of ‘the private Facebook data of tens of millions of users’[8] by Cambridge Analytica to sell on to political campaigns in the lead-up to the 2016 US election. This controversy both alerted the public to the threat of inadequate data protection measures, and further encouraged the data protection revolution already in motion in Europe.
How is our data protected?
The extensive accumulation, analysis, and sale of data clearly pose a serious risk to the rights of consumers to privacy and agency over their information, particularly in light of high-profile data breaches.
What measures, then, are in place to protect our personal information? The General Data Protection Regulation (‘GDPR’), implemented by the European Union in May 2018, is the driving force behind data protection in Europe, setting a ‘high standard’ for companies to meet and requiring significant investment by individual businesses.[9] The regulation was subsequently implemented into UK law by the Data Protection Act 2018 (‘DPA’), which has remained in place post-‘Brexit’ alongside the retained EU GDPR legislation.[10]
There are a number of reasons behind the creation of the GDPR and the ensuing DPA. Firstly, previous legislation (the Data Protection Directive 1995) had failed to remain ‘relevant to today’s digital age,’[11] unable to ‘keep up with the pace of the levels of technological advancement’[12] in the early 21st-century. In addition, there was a need to ‘harmonize data privacy laws’[13] given the movement of data between European states. The EU also aimed to set a ‘higher general standard’[14] of data protection than had been achieved by previous legislation.
The key provisions of the DPA (transposed from the GDPR) focus on the necessity of consent when obtaining personal data,[15] the rights of individuals to access their data,[16] as well as their rights to erasure and restriction of the processing.[17]Underlying this is a wider interpretation of ‘data’ to encompass a greater breadth of personal information, and a stronger emphasis on reporting data breaches to the Information Commissioner’s Office (‘ICO’).[18] The legislation also creates personal liability, with the possibility of prosecution, for individuals within offending businesses.[19]
These provisions and principles create a seemingly comprehensive system of rules that prevent companies ‘knowingly and recklessly obtaining or disclosing personal data.’[20] However, questions still remain with regards to the success of the new regulations.
How effective are data protection laws?
Data protection law has clearly seen a major shift in recent years. But how effective have GDPR and domestic legislative measures been in UK data protection enforcement?
The statistics on the reporting of data breaches post-DPA point to notable improvements in the protection of personal information under the new system. The ICO reported a significant increase in data breach reporting in 2019[21] (the year after the introduction of the DPA) and, in 2020, the UK ‘collected the second-highest total value of fines for data protection violations,’ amounting to £39.7m.[22] This suggests that data privacy is far more strictly enforced under the DPA, and is a promising indication that companies are being actively monitored and regulated.
However, the figures are perhaps somewhat misleading. The ICO was one of the ‘least active in terms of issuing fines’ of European authorities in 2020 and was only the 6th ranked country in this category,[23] a worrying finding given the UK’s position as one of Europe’s biggest states. This discrepancy between the total value of fines and the ICO’s general activity level is due to the fact that the former was accumulated from a mere three companies.[24
These three cases were a £1.25m fine paid by Ticketmaster,[25] £20m from British Airways,[26] and Marriott’s £18.4m sum for a major data breach involving 339 million customers.[27]
This paints a far more troubling picture of the efficacy of new data protection laws and begs the question of what can be done to more actively enforce data privacy measures and bolster the legislation moving forwards.
How can data protection laws be improved?
A key issue with the GDPR and the DPA is that behavioural data is not comprehensively covered by the legislation,[28] which allows companies to collect a vast amount of personal data without infringing the regulations, by inferring information about consumers through their internet browsing and social media habits.[29] A logical next step is to encompass this category of data to a greater extent within the DPA, which would work to negate the advantage social media companies hold in the data market.[30]
Additionally, the ICO must work to become a more active regulator, enforcing the new laws at all commercial levels. This would involve imposing smaller fines for more minor data breaches, to avoid the current precedent of fining only large companies for particularly significant data privacy breaches.
There is clearly scope for improvement in data protection legislation, and the rules will be tested over the next decade as technology advances; the success of the DPA, which will now largely function independently from the EU, will depend on its ability to adapt as data collection and distribution continues to develop in the digital era.
Image source: https://www.itpro.co.uk/data-protection/34061/what-is-the-data-protection-act-2018
[1] Competition and Markets Authority, The commercial use of consumer data: Report on the CMA’s call for information (2015) [6]
[2] Nicholas Confessore, ‘Cambridge Analytica and Facebook: The Scandal and the Fallout So Far’ (The New York Times, 4 April 2018) <https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html> accessed 9 February 2021
[3] Rory Cellan-Jones, ‘Tech Tent: Did social media inspire Congress riot?’ (BBC News, 8 January 2021) <https://www.bbc.co.uk/news/technology-55592752> accessed 9 February 2021
[4] ‘Regulating the internet giants: the world’s most valuable resource is no longer oil, but data’ (The Economist, 6 May 2017) <https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data> accessed 8 February 2021
[5] Sara Morrison, ‘Why you should care about data privacy even if you have “nothing to hide”’ (Vox, 28 January 2021) <https://www.vox.com/recode/22250897/facebook-data-privacy-collection-algorithms-extremism> accessed 8 February 2021
William Goddard, ‘How Do Big Companies Collect Customer Data?’ (IT Chronicles, 14 January 2019) <https://itchronicles.com/big-data/how-do-big-companies-collect-customer-data/> accessed 8 February 2021
[6] Ibid
[7] Ibid
[8] Confessore (n 2)
[9] Andrew Rossow, ‘The Birth of GDPR: What Is It and What You Need To Know’ (Forbes, 25 May 2018) <https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/?sh=16cd42655e5b> accessed 9 February 2021
[10] ‘Using personal data in your business or other organisation’ (Gov.uk, 31 December 2020) <https://www.gov.uk/guidance/using-personal-data-in-your-business-or-other-organisation> accessed 10 February 2021
[11] Rossow (n 9)
[12] Ibid
[13] Ibid
[14] ‘Why was GDPR created? – A History of EU Data Protection’ (ec2it, 29 September 2017) <https://www.ec2it.co.uk/gdpr/why-was-gdpr-created-a-history-of-eu-data-protection> accessed 9 February 2021
[15] Data Protection Act 2018, section 2
[16] Data Protection Act 2018, section 45
[17] Data Protection Act 2018, section 47
[18] Josephine Wolff, ‘How Is the GDPR Doing?’ (Slate, 20 March 2019) <https://slate.com/technology/2019/03/gdpr-one-year-anniversary-breach-notification-fines.html> accessed 10 February 2021
[19] Cynthia O’Donoghue, John O’Brien, ‘Data Protection Act 2018 comes into force’ (Technology Law Dispatch, 15 June 2018) <https://www.technologylawdispatch.com/2018/06/privacy-data-protection/data-protection-act-2018-comes-into-force/> accessed 9 February 2021
[20] Ibid
[21] Wolff (n 18)
[22] Keumars Afifi-Sabet, ‘UK ranked second for value of GDPR fines issued in 2020’ (IT Pro, 6 January 2021) <https://www.itpro.co.uk/policy-legislation/general-data-protection-regulation-gdpr/358239/uk-ranked-second-for-gdpr-fines> accessed 11 February 2021
[23] Ibid
[24] Ibid
[25] ‘Ticketmaster fined £1.25m over payment data breach’ (BBC News, 13 November 2020) <https://www.bbc.co.uk/news/technology-54931873> accessed 11 February 2021
[26] ‘British Airways fined £20m over data breach’ (BBC News, 16 October 2020) <https://www.bbc.co.uk/news/technology-54568784> accessed 11 February 2021
[27] ‘Marriott Hotels fined £18.4m for data breach that hit millions’ (BBC News, 30 October 2020) <https://www.bbc.co.uk/news/technology-54748843> accessed 11 February 2021
[28] Shachar Shamir, ‘The GDPR Aftermath: What Else Can be Done to Improve Data Security’ (Infosecurity, 13 August 2018) <https://www.infosecurity-magazine.com/opinions/gdpr-aftermath-improve-data/> accessed 10 February 2021
[29] Ibid
[30] Ibid
Comments