Call to tighten UK law over data breaches

Consumer group Which? is unhappy with the U.K. data protection bill and has called on the government to amend the draft legislation to allow third-party organizations to seek collective redress for data breaches on behalf of consumers.

In a statement, Alex Neill, MD of the group’s home products and services division, said: “Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised.

“The government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.”

A Which? survey of more than 2,000 people in the U.K., carried out between October 9 and 10, found wide support for such a provision from the public, with three quarters (74 percent) of those surveyed saying they would welcome an independent body helping to get redress on a collective basis.

The research also found that almost one in 10 (8 percent) of people who had shared details online believe they have been subject to a data breach in the last year, and three quarters (73 percent) were concerned that data they have shared online could be at risk of being breached.

Which? said its research also found general confusion among U.K. consumers over current data protection rules, including who is responsible for protecting their data and how they can seek redress if things do go wrong.

According to the poll, as many as one in five (20 percent) consumers said they would not know how to claim redress following a data breach, while one-fifth (22 percent) said they would not know who is responsible for helping them when data is lost.

The U.K. Data Protection bill, currently being debated in parliament, is needed to update domestic legislation to bring it into compliance with a new data protection framework at the European Union level — under the incoming General Data Protection Regulation (GDPR), which comes into force across the bloc next May.

Article 80(2) of the GDPR offers EU member states an optional provision allowing for collective redress for consumers via third parties, such as consumer privacy groups acting independently and lodging data protection complaints on consumers’ behalf.

However, the U.K. government has chosen not to include the provision in the current draft of the bill.

In August DCMS put out a statement of intent to update and strengthen U.K. data protection law, with digital minister Matt Hancock saying then that the bill would “give consumers the confidence that their data is protected and those who misuse it will be held to account.”

And given how confusing data-related issues can clearly be for consumers, not to mention how complex it can be for an individual to try to pursue redress over a data breach on their own, there’s surely a pretty straightforward argument for letting independent organizations push for redress on behalf of consumers. So it’s not clear why the government has opted not to include this.

We reached out to the department responsible for the DP bill, DCMS, to ask why the government does not see value in including the provision. A spokesperson told us: “We are confident that our Data Protection Bill will provide consumers with the necessary protections when there’s been an infringement of their rights regarding personal data. The Bill will make the UK fully compliant with the GDPR.”

The same issue has been flagged by the Open Rights Group, a privacy rights organization. In September, the ORG’s executive director, Jim Killock, said the government had neglected an “important option” in GDPR by failing to include the provision for independent groups to lodge data protection complaints on behalf of consumers.

“It is almost impossible for the average person to know how their data is being collected, shared and sold by social media platforms, advertisers and other businesses,” he said then. “We may not know which companies hold data about us. Privacy groups can therefore play an important role in protecting consumers by taking independent action against companies that fail to protect our data protection rights.”

The DP bill began the parliamentary scrutiny process in the House of Lords last month, and has yet to arrive in the House of Commons — so there’s still time for amendments to be tabled.

While the U.K. is headed out of the EU, as a result of the 2016 referendum vote backing Brexit, ministers have said the intention is to closely mirror EU legislation on data protection to avoid the risk of a cliff edge cut-off for data flows when the country leaves the bloc.