On October 22 the UK Government consultation on implementing new data protection enforcement powers will close. This consultation asks whether not for profit organisations, and others should be given the power to launch formal complaints about breaches of data protection law in the United Kingdom. This is a key moment for data protection law in the United Kingdom, and the UK’s place in the global order on data protection. Open Rights Group is calling on everyone to take a couple of minutes and express their support for the new proposals through our consultation tool.
Take action before 22 October and support making data protection law in the United Kingdom stronger.
The GDPR seeks to protect fundamental rights and freedoms of everyone, in particular the right to the protection of personal data. This includes the right to complain that your personal data has been processed unlawfully. This could include things like having your data misused by businesses, sold to data brokers without your consent, or involved in a data breach.
These complaints can be made to a supervisory authority, in the UK the Information Commissioner, or a judicial authority, you could even complain about a decision from the ICO if you don’t agree with it. These are key rights to making your rights practical and effective, and creating an environment that respects your privacy for pain of enforcement, which could include fines.
All of these rights rest with the individual, and there isn’t much support that currently exists outside of getting a lawyer involved. This is where Article 80.1 of the GDPR comes in, it allows individuals to allow a not for profit to exercise those rights on their behalf. Article 80.2, the subject of this UK Government consultation, allows not for profits active in the field of data protection to take action without requiring an individual to mandate the organisation. This optional turns those individual rights into a strong collective right, with organisations like Open Rights Group as a privacy watchdog, seeking out to challenge abuses of your personal data and hold public bodies and businesses to account.
At a time where pubs are involved in harvesting your test and trace data for marketing purposes and the Government are failing to carry out basic privacy checks, this ability for not for profits to take action, and get the ICO moving, is a particularly powerful opportunity.
Article 80.2 would also respond to some key aspects of the complex data economy, provide protection for individuals where their rights have been breached in sensitive or stigmatised areas of our lives, and would put data protection on the same footing as other key consumer rights.
Take action now and make data protection stronger for everyone.
Online advertising is a deeply complex area, but it affects all of us. Real Time Bidding sits behind many websites on the Internet and broadcasts your personal data to hundreds of advertisers every time you land on a web page running advertising. This includes sensitive personal data like individual’s mental health or politics or religion. We don’t expect everyone to know this or be able to complain about this – which is why we took action to challenge RTB complaining to the UK’s data protection authority, the ICO. However if we had 80.2 in place we would have been able to widen the argument not just to the experience of our Executive Director but to complain about the whole system, that needs reform.
The international NGO Privacy International released a report in September 2019 showing that third party trackers from Google, Facebook and Amazon were operating on mental health websites. These trackers grabbed personal data and shared content keywords like “depression” “psychology” with advertisers. This was done before users were able to express (or deny) consent. Even with this knowledge in hand we would be surprised if any brave individual would risk the stigma of taking an action relating to their use of a mental health website. If Article 80.2 were in place that individual would not have to come forward but a not for profit, like Privacy International, could take a formal enforcement against the mental health websites for abusing their users privacy and trust in this way.
Finally, we just need to look around other parts of enforcement to see that empowered organisations are becoming a key part of accountability. Firstly we have the super-complaint system in consumer law where organisations like Which? can make a complaint to the Competition Markets Authority under competition law for practices that appears to significantly harm consumers. Another form of super-complaint his was used to particularly strong effect by Citizen’s Advice in 2005 to complain about mis-selling of Payment Protection Insurance, setting off a decade of action against unfair trading practices. Recently we have seen a super-complaint system set up for taking action against concerning patterns of policing practices that include organisations such as Liberty. 80.2 is a similar power, placing data protection law on the same footing as consumer law or policing regulation.
These are areas of our lives where complex or systemic issues can harm many, and is often difficult to understand or perceive the impact from an individual perspective but step back and gather evidence of the system and you can see the need for action. Article 80.2 would allow for appropriate organisations to take that step back, consider and act in the interests of everyone.
There are emerging areas of potential action, such as the civil class action taken by former Which? Executive Director Jon Lloyd against Google seeking damages for potentially millions of iPhone users that suffered from Google deploying “the Safari workaround”. The case is heading to the Supreme Court to decide whether such a claim is even permissible. This is an important area to keep an eye on but a decision in either direction of that case should not determine whether 80.2 is a worthwhile thing to bring in. They are separate actions, one pursuing damages through civil action, the other operating to allow for individual’s fundamental rights to be exercised and to potentially engage regulatory action like ordering a controller to stop processing personal data in a non-compliant way. One does not replace the other, they both play a role in creating disincentives for shady data practices.
This is a time when the future of our data protection standards in the United Kingdom are under serious pressure, we need to create all the systems of accountability we can so that privacy is not an empty concept, but something that has real accountability, and real consequences for those who abuse it willfully or recklessly. Article 80.2 is one of those key parts of accountability, and it is time for everyone to take a moment to let it be known: we want data protection to work for everyone.