Planned UK data protection legislation fails to meet its stated aims of making laws fit for the digital age and empowering consumers to take control of their data, according to an open letter to the government.
Addressed to digital minister Matt Hancock, the letter says the Data Protection Bill currently going through parliament presents a “unique opportunity” to legislate for a cost-effective and administratively efficient mechanism for redress in instances of mass data breaches and “systemic insecurities” in connected devices that make up the internet of things (IoT).
The Data Protection Bill is the result of the government’s commitment to update and strengthen data protection laws and part of the government’s plans to bring UK data protection law into line with the EU’s General Data Protection Regulation (GDPR).
Hancock signalled the intention to align UK law with the GDPR in February 2017 when giving evidence to an inquiry about data protection post-Brexit by the House of Lords’ EU Home Affairs sub-committee.
The letter calling for the change to the Data Protection Bill is signed by representatives of the Open Rights Group, Age UK, Which?, the Financial Services Consumer Panel, Privacy International and the True Potential Centre for the Public Understanding of Finance.
The groups call for the bill to include measures that take into account the potential scale of data breaches.
The campaigners are calling for the right for organisations, such as consumer rights groups, to seek redress directly when personal data is abused, without having to seek out individual complainants, which they say could be difficult when the victims are young, old or not aware of the problem.
As previously reported by Computer Weekly, another problem with independent bodies requiring named complainants would arise if a data breach occurred in an organisation that data subjects may be unwilling to be publicly associated with, such as Alcoholics Anonymous or Samaritans.
Despite a commitment that the government would use the Data Protection Bill to make it easier for those affected by data breaches to have a clearer right of redress, the letter claims that the bill currently fails to deliver the provisions that are needed.
The letter suggests that implementing Article 80(2) of the GDPR would create a collective redress regime for breaches of data protection law.
“This would complement the existing collective redress regime introduced under the Consumer Rights Act 2015 (CRA) which applies to infringements of competition law,” the letter says, arguing that the courts have procedures and practices in place for the CRA, including ensuring only cases that have merit proceed, which could be adapted to apply to an Article 80(2) regime.
“Article 80(2) would ensure a scheme whereby consumers are afforded effective and appropriate redress,” the letter says. “It provides a mechanism whereby serious breaches of data protection, which may affect the most vulnerable in society, are addressed and result in real change that benefits thousands, if not millions, of consumers in the UK.”
According to the campaigners, a mechanism under Article 80(2) would save “significant administrative and court time” and avoid “myriad individual claims”.
“We urge the government to allow for not-for-profit bodies, as defined in Article 80(1) of the GDPR, to act in the public interest to help groups of affected people to seek collective redress from those in breach of their data protection obligations,” the letter concludes.
Jim Killock, executive director of the Open Rights Group, said that the young, the elderly and people who do not know their data has been abused will be defenceless without this change. “The government says it wants to protect people’s privacy, so it should give consumer organisations the tools to do the job,” he added.