An unprecedented lobby effort is threatening to derail changes to data protection laws aimed at giving you new rights over your data. Lobbyists from the USA and Europe are shouting extremely loudly in an attempt to water down new regulations, which they fear will cost them money.
The result might well be a significant shift towards increased power of companies and global corporations over our lives. At the least, if they are successful, we may witness an erosion of rights over our data as we ahead towards an unregulated US-style free for all.
Laws in the US and Europe are very different. Roughly speaking, the US has a free-for-all, where companies can do what they like with their own data, subject to contract; while European law gives everyone rights over their data. The two models are competing globally. This sets up the new data protection laws for a major clash between the Commission and privacy advocates on the one hand, and the US government and companies on the other.
How did we get here? Back in the 1970s, governments started to worry that companies were gathering ever larger amounts of information about private citizens in databases. Companies like IBM pioneered computing technologies that streamlined data processing, in areas like payrolls and banking.
Governments in Europe reacted by creating ‘data protection’ laws. Their objective was to place enough rights in the hands of the citizen to allow them to avoid the abuse, resale and disclosure of their personal data.
Principles such as consent, fairness, accuracy, necessity and security were placed into data protection law. You have specific rights, like ‘subject access’, where you can demand a copy of the information that a company has about you. You have the right to get data corrected, and to limited redress when things go wrong.
Nevertheless, while the laws remained roughly static, the power of companies to use this information in ways that fundamentally shape our lives has grown. You can’t get a bank loan without agreeing that the information is stored and shared through credit rating agencies, for instance. Insurers and even supermarkets base large parts of their business on the use of your data; it has even been claimed that supermarkets may know when a woman is pregnant before she does herself.
Europe has also been worrying about Internet data, which has proved highly difficult to regulate. Logs, cross-site tracking information and profiling of individuals has become big business, but advertisers have not wanted to bring these practices into data protection laws. Instead, they have claimed that these logs and profiles are not ‘personal data’ as they do not relate to an ‘identifiable’ individual. Thus, while you are tracked and profiled, companies evade responsibility for giving your rights to control what is happening to you.
New kinds of information, like biometric data offer new possible uses and abuses. New practices, as companies buy each other and merge their data, like Google and Youtube, or Facebook and Instagram, offer problems for people who don’t want their data traded in this way. European data protection authorities try to protect consumers against these actions, but are finding it difficult.
Data Protection hasn’t protected people against data leaks either. Neither private companies nor the British government seem capable of keeping your data safe. Now, mistakes are always going to take place: laws can’t stop that. But laws do need to deter bad practice and make sure that citizens get redress when it takes place. Currently, there is no general obligation to notify you of a data breaches when they take place. The fines available are too small for most large companies to consider them worth worrying about at the highest levels.
In short, data protection laws look inadequate and out of date. Consumers aren’t properly protected and can’t make the choices they need.
But as we noted, data protection is an area of law with very wide implications, including global consequences, as so many data businesses are global. In the USA, privacy laws are very piecemeal, with strict laws for some sectors and very little regulation for others. Some states require ‘breach notification’, while others don’t.
Online in the States, the strongest protection citizens generally have will be the ‘terms and conditions’ they agree to: the Federal Trade Commission takes abuse of contract very seriously, and uses it to force some privacy standards where other regulations don’t exist.
While US privacy advocates look at European data protection with envy, US businesses look these laws with terror. In short, to some businesses, data protection rights look like a cost and a burden, and something they don’t want to spread.
The EU, however, has tried to get other countries to agree to similar data protection laws, as a baseline for trade. European companies are legally obliged to ensure that their customers are protected, wherever their data resides. Thus EU law has become a motor for improvement of citizens’ data rights across the globe, as ‘safe harbour’ agreements and data protection laws are adopted.
Interestingly, there is one wide area of agreement. Companies and privacy advocates all want more consistent data protection law. They are fed up with different approaches in different countries making it hard for customers to know what their rights are. The British government, however, disagrees. It’s a bit out on a limb on this, though.
The new data protection laws now being considered by the EU Parliament are a step towards even stronger rights. Together with the international factors, this helps explain the scale of the corporate lobbying.
The fight back from industry is sophisticated and highly threatening. The main areas include the scope of the new laws: if the definition of “personal data” can be limited, then areas like Internet data could fall out of scope, and protections could be reduced. Other areas include the “right to be forgotten”, which industry portrays as an attack on free speech and historic record. In fact, the right to be forgotten is about making a clean exit from a service like Facebook, allowing you to leave without them retaining large amounts of data about you. It isn’t about demanding Google or Facebook remove references to you by third parties.
Industry is also resisting the right for you to get a copy of your data freely and easily, and in a portable format. You currently can get this kind of data, but you might receive it as paper copies. Getting your data back is a way to move from one service provider to another – or even of assessing what service would be most cost effective, if your data is your electricity usage record, for instance. Some have even claimed it would encourage consumers to try to engage in fraud.
Certainly, data protection laws are complicated and there will be conflicts between personal security, data rights and free speech at the edges. But corporate lobbying should not be allowed to conflate careful balances with business self interest, in order to whittle down the proposals to something meaningless or worse than those we currently have. These are new rights worth fighting for.
YOUR NEW DATA RIGHTS?
Mandatory notification: if your data is lost or stolen, you should be notified within a set number of days
Bigger fines: companies can be fined up to 2% of their turnover, in order to make data protection important enough to be considered “at the boardroom”
Right to be forgotten: you would have the right to have your data deleted when you leave a service.
Right to data portability: you would have the right to get your data back, in full, in an electronic format, allowing you to change the service you use.
Rights of groups to complain: rather than complaining as an individual, groups like Which? or the Open Rights group could make a data protection complaint on your behalf
Consent: the definition of personal consent may be strengthened, to make it explicit and informed in all circumstances