The British government is wrapping up amendments to the Data Protection Bill. The Open Rights Group wants the government to go further and implement stronger measures to protect consumers.
The British government is proposing legislation to protect personal data: the Data Protection Bill. The effort is certainly well timed given the news of the last few months.
In 2017, we saw 143 million records exposed in the Equifax data breach. The same year, Alteryx left the records of some 123 million American households exposed on the Internet as well.
Already in 2018, we are witnessing the explosive story of how the personal data of over 1 billion people could be accessed by anyone willing to pay the tiny sum of 500 rupees (about $9.80 Canadian).
So, it is fair to say that the British government's data protection legislation is well timed. Recently, debate has swirled around whether the bill should carve out exceptions for security researchers, as reported in an article in The Guardian. After an outcry from the security community, the government added amendments to the bill that would protect them. From the report:
Now the government has introduced an amendment to the bill providing an exemption for researchers carrying out “effectiveness testing”. Researchers would have to notify the Information Commissioner’s Office (ICO) within three days of successfully deanonymising data, and demonstrate that they had acted in the public interest and without intention to cause damage or distress in re-identifying data.
Matt Hancock, the new culture and digital secretary, said: “We are strengthening Britain’s data protection laws to make them fit for the digital age by giving people more control over their own data. This amendment will safeguard our world-leading cybersecurity researchers to continue their vital work to uncover abuses of personal data.”
Olejnik said the amendments offered “a reasonable compromise” between the needs of researchers and the risks that exceptions could be abused. “I’m especially impressed with designing a responsible way of submitting privacy weaknesses directly to ICO. In this way, the role of ICO is even strengthened as a mediator between researchers and organisations.
“The whole case underlines the need of careful analysis of proposed regulations, whether in UK or beyond. These days, badly designed technology regulations have the potential to negatively affect entire societies.”
So, while the security community seems satisfied by the amendment, consumer rights organizations are not satisfied with the bill. The Open Rights Group is calling on the government to adopt other proposed amendments that would strengthen consumer protections as well. As it stands, the bill allows people affected by a data breach or data leak to approach not-for-profit organizations and have those organizations represent them when filing a complaint. The problem, the group says, arises when consumers are never notified that their information has been compromised in the first place. From Open Rights Group:
There have been, and will continue to be, cases when consumers are unaware that they have been a victim of a hack or don’t want to have their identity connected to a particular incident such as the hack of Ashley Madison – a dating website specialising in extramarital affairs. These complaints could be dealt with if the Government agreed to implement Article 80(2) of the GDPR (reflected in the amendment 175A supported by Labour Lord Stevenson and Lord Kennedy, Lib Dem Lord Clement-Jones and crossbench Peer Baroness Kidron). The amendment would give select not for profit bodies the option to raise those complaints without having an affected member of the public instruct them.
The amendment also explicitly recognises the right of adults to seek collective redress on behalf of children who are the victims of data breaches. Additionally, it will allow individuals who have been affected by data breaches to bring collective redress actions on behalf of everyone else who has been similarly affected.
The Government has been refusing to implement additional protections claiming that Article 80(1) will provide enough protection. This is simply not true. Article 80(1) and 80(2) provide consumer protections in different scenarios. By not implementing enhanced protections, the Government is consciously allowing for obstacles to collective redress for more vulnerable groups such as children and the elderly.
The idea of collective redress has been around for a while for other consumer issues related to finance or competition. Consumer groups such as Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the right to present “super-complaints” on behalf of consumers without being instructed by them.
Indeed, there are many cases where a data breach or data leak occurs and the affected organization simply elects not to let the information come to light for months, if not years. That was the case with the Ancestry.com data leak: roughly 300,000 accounts were exposed in a leak dating from 2015, yet the news did not surface until a full two years later.
In another case, Yahoo! suffered the largest data breach ever where 3 billion accounts were exposed. The hack happened in 2013, but the extent of the breach didn’t come to light until just last year – four years later.
Private for-profit companies can have a strong motive to hide these breaches. When news like this becomes public, the company's stock price often drops and business-to-business relationships take a hit. In the case of the Equifax breach, executives sold their shares in the company before the news was made public, which is of course a major source of controversy in that story. So companies not only have a motive to hide breaches, but also a history of doing so for financial reasons.
So, the Open Rights Group's call on the government to include protections for cases where consumers don't know their information was compromised didn't come from a vacuum. The government did seem to listen to researchers, so there is reason to hope it will lend the same ear to consumer protections. Whether the government actually listens and implements these amendments remains to be seen.