Right to privacy “may exist on paper” – but not in online “Wild West”, says JCHR
3 November 2019
- Individuals are giving away “vast amounts of data” and are expected to be risk-aware when using web based services
- “The consent model is broken”: Committee calls for robust regulation to govern how personal data is used and stringent enforcement of the rules
- “Deeply troubling” evidence that data is being used to discriminate in job and housing ads online
Grounds for concern over 'consent' people give when sending information
The Committee reports serious grounds for concern about the nature of the “consent” people provide when giving over an extraordinary range of information about themselves, to be used for commercial gain by private companies:
- Privacy policies are too complicated for the vast majority of people to understand: while individuals may understand they are consenting to data collection from a given site in exchange for “free” access to content, they may not understand that information is being compiled, without their knowledge, across sites to create a profile. The Committee heard alarming evidence about eye tracking software being used to make assumptions about people's sexual orientation, whether they have a mental illness, are drunk or have taken drugs: all then added to their profile.
- Too often the use of a service or website is conditional on consent being given – raising questions about whether it is freely given
- People cannot find out what they have consented to: it is difficult, if not nearly impossible, for people - even tech experts - to find out who their data has been shared with, to stop it being shared or to delete inaccurate information about themselves.
- The consent model relies on individuals knowing about the risks associated with using web based services when the system should provide adequate protection from the risks as a default.
- It is completely inappropriate to use consent when processing children's data: children aged 13 and older are, under the current legal framework, considered old enough to consent to their data being used, even though many adults struggle to understand what they are consenting to.
Key conclusions and recommendations
The Committee points out that there is a real risk of discrimination against some groups and individuals through the way this data is used: it heard deeply troubling evidence about some companies using personal data to ensure that only people of a certain age or race, for example, see a particular job opportunity or housing advertisement.
There are also long-established concerns about the use of such data to discriminate in provision of insurance or credit products.
Unlike traditional print advertising, where such blatant discrimination would be obvious and potentially illegal, personalisation of content means people have no way of knowing how what they see online compares to anyone else.
Short of whistleblowers or work by investigative journalists, there currently appears to be no mechanism for protecting against such privacy breaches or discrimination in the online “Wild West”.
The Committee calls on the Government to ensure there is robust regulation over how our data can be collected and used and it calls for better enforcement of that regulation.
The Committee says:
- The “consent model is broken” and should not be used as a blanket basis for processing. It is impossible for people to know what they are consenting to when making a non-negotiable, take-it-or-leave-it “choice” about joining services like Facebook, Snapchat and YouTube based on lengthy, complex T&Cs, subject to future changes to terms.
- This model puts too much onus on the individual, but the responsibility of knowing about the risks with using web based services cannot be on the individual. The Government should strengthen regulation to ensure there is safe passage on the internet guaranteed.
- It is completely inadequate to use consent when it comes to processing children's data. If adults struggle to understand complex consent agreements, how do we expect our children to give informed consent? The Committee says setting the digital age of consent at 13 years old should be revisited.
- The Government should be regulating to keep us safe online in the same way as they do in the real world - not by expecting us to become technical experts who can judge whether our data is being used appropriately but by having strictly enforced standards that protect our right to privacy and freedom from discrimination.
- It should be made much simpler for individuals to see what data has been shared about them, and with whom, and to prevent some or all of their data being shared.
- The Government should look at creating a single online registry that would allow people to see, in real time, all the companies that hold personal data on them, and what data they hold.
Chair's comments
Rt Hon Harriet Harman MP, Chair of JCHR said:
“Individuals are giving away lots of information about themselves when using web based services and the expectation is that they should know about the risks of using the internet. Individuals cannot be expected to know whether their data is being used appropriately and what risks this poses to their right to privacy. Instead there should be adequate regulation in place to ensure that everyone's privacy is protected online.
“It should be simple to know what data is shared about individuals and it must be equally easy to correct or delete data held about us as it was for us to sign up to the service in the first place. These rights already exist, but they clearly have yet to be effectively implemented by companies and enforced by regulators. The Government must address this, urgently. We say it often but it bears repeating again now: rights are meaningless if not enforced.”