12

Joint Committee on Human Rights

Oral evidence: The Right to Privacy (Article 8) and the Digital Revolution, HC 1810

Wednesday 10 July 2019

3.15 pm

 

Written evidence from witnesses:

       Privacy International

 

Watch the meeting

Members present: Ms Harriet Harman (Chair); Lord Brabazon of Tara; Fiona Bruce; Ms Karen Buck; Lord Dubs; Baroness Ludford; Scott Mann; Lord Singh of Wimbledon; Lord Trimble.

Questions 1933

 

Witnesses

I: Ms Ailidh Callander, Legal Officer, Privacy International; Ms Tamsin Allen,  Partner, Head of Media and Information Law, Bindmans LLP; Mr Richard Cumbley,  Partner, Global Head of TMT/IP, Linklaters LLP.

 

Examination of Witnesses

Ailidh Callander, Tamsin Allen and Richard Cumbley.

Q19            Chair: Welcome, and thank you for coming to give evidence to us today. We are the Joint Committee on Human Rights. We are half Members of the House of Lords and half Members of the House of Commons. As our name suggests, we are concerned about human rights. The human rights we are concerned with in this inquiry relate to privacy: the right to privacy in family life and the right not to be discriminated against. We hope that you will help us with both of those in respect of the digital revolution that is under way. That is what we are looking at now.

I am very grateful to you for coming along to give evidence to us. Could you say one by one who you are and what you do? That will also work as a sound check to make sure the people behind you can hear you as well as us.

Ailidh Callander:  I am a lawyer at Privacy International.

Richard Cumbley: I am a partner at Linklaters, a law firm in London.

Tamsin Allen: I am a partner at Bindmans.

Q20            Chair: Perhaps I can kick off with the first question. We have already heard that there is extensive gathering of people’s personal data through their use of the internet. Our concern is how this respects, or does not respect, their right to privacy.

My first question is how realistic it is to expect individuals to know about the risks they are taking, what the risks are, and what steps to take to protect themselves from them. Is it really down to the individual to know about this and to take steps, or is it beyond the individual and there has to be a very strong regulatory regime? How much can it be on the shoulders of the individual, and how much does it have to be done by somebody else, like a regulator?

Ailidh Callander: The onus and the burden should definitely not be on the individual, especially when we look at systemic problems. People should be protected by design and by default by the systems. It should not be on them to seek out information and to try to understand it, because the digital world is defined by fundamental asymmetry. On the one hand companies know more about people than they ever did before, but on the other it is practically impossible to understand where your data is, who has it, what is happening to it and the consequences that might have for you.

Richard Cumbley: It might seem surprising, but I agree. Transparency and information sharing are important so that consumers can, if they are interested, make informed choices, but the expectation that consumers can make choices in an extremely and increasingly complex area seems to us pretty unrealistic, save in very limited circumstances.

Our recommendation to most of our clients for quite some time now has been to think about not using content as a way of justifying processing, but using some of the other processing grounds that you have heard about under data protection legislation, because that seems a fairer way to enable consumers to ensure that their rights are respected and for businesses to achieve their legitimate aims.

Chair: So give the individual the right to find out and the right to know, but do not rest the system on those individuals?

Richard Cumbley: The way we have described it is that reliance on consent is outsourcing compliance from the business to the individual. You effectively wash your hands of the issue by saying that the individual has consented. The reality is that in a very complex environment consent has its place, but it is only one of the tools available and in really complex areas it is probably not a fair one.

Chair: So the idea that compliance with these human rights obligations can be just sloughed off to the individual is not the right way to do things, in your view?

Richard Cumbley: Quite so.

Tamsin Allen: I completely agree. The current model deployed by the law and the regulators is a kind of contractual service model. In fact, the user is not in a position to enter into a contract. This problem is much more analogous to entering a building. What we are dealing with is agreeing to the use of your data not just by one company; you are agreeing to your data being used, reused, combined, mathematically altered, and kept probably for ever in one form or another, affecting your rights to self-determination, keeping you as one digital archetype at one moment in time. You do not know about all these very important things or how it works.

If you enter a building, you do not sign away your rights to enter it safely. You do not sign a form with 14,000 pages that tells you how the building was built and that says you have to accept the risk. You rely on the fact that the architect, the engineer and the builder will be subject to regulation, and that there will be insurance and public liability requirements on the building because it is open to the public, and you will feel that you can then walk into that building safely.

The companies that build data systems describe themselves as architects and engineers, so it is unfair on an individual to expect them to take responsibility for any risks, and there are serious risks of harm associated with using web-based services.

Chair: That is a very helpful analogy. You would not expect, as an ordinary person going into a building, to sign the fire certificate. You would expect the fire control regulations to have been signed off.

Tamsin Allen: Quite. You would expect the engineers and architects who built the system to have been subject to regulation. They would have been told how to build something safely and ensure that people can use it in the way it is intended to be used, and that they can leave again without a problem.

Q21            Lord Brabazon of Tara: Can you give us some examples of how data is shared, the legal basis on which it is shared, and how this affects the right to privacy and related issues such as the right not to be discriminated against?

Ailidh Callander: Data is collected, shared and aggregated in many ways. That collection and issuing happens in milliseconds and is often invisible to the people whose data is being collected. The Committee has already heard about the real-time bidding system behind online advertising.

Chair: Could you remind us of the online bidding system? The witnesses in the last evidence session explained it to us, but remind us what it is.

Ailidh Callander: It is basically that behind everything we see, in particular the adverts that we look at as we go about our lives online on a browser or phone, are being targeted at us. That happens through an online bidding system where our profiles are matched with the target audience that the advertiser wants to reach. There is an architecture and a system behind that.

Chair: From the point of view of the user, how does that operate? I am thinking of buying a suitcase and I go online to look for one. How do I get involved in real-time online bidding?

Ailidh Callander: You as a user are never involved in that system.

Chair: Yes, but how is my action involved in that?

Ailidh Callander: It is invisible to you as a user; it is just that when it loads, the web page will use the data about you.

Chair: Sure, but what happens to it? When the web page loads, what happens then?

Ailidh Callander: When the web page loads and the adverts load on that page, the ones you see will be determined by the data, but it is never clear to you what that data is—what has determined why you can see that ad and which data points have been shared in the profile that has been built. One of the issues of the system is the lack of transparency.

Chair: By clicking on that ad I am producing data that shows that I am interested in the suitcase.

Ailidh Callander: That is one way, but this system operates before that even happens. It is not something that you actively participate in at all. When you search for things and click on articles, for example, different tracking technologies allow those using the technologies to build up a picture of you.

Your browsing history might then be used by a company to infer something else about you such as your gender, your age, whether you have children and your level of education. That profile is then used to determine what adverts you see. The key issues in that are the lack of transparency and the lack of control. That is one issue.

Another example of how data is shared is that if you download an app, once you open it, data is automatically and immediately shared with a number of third parties, which can be lots of different companies like Google and Facebook. All of that is invisible to you, because it is built into the architecture and development of that app. As an individual, one of the key concerns is that it is invisible to you. You do not know that it is happening, but privacy is often a time-shifted risk. The risks and harms often happen in the future and they disproportionately affect some people more than others. There are many examples, as we go about our day-to-day work, of how data is shared in different ways.

Going on to the second question about the legal basis, from a data protection law perspective, as I think the Committee has already heard, in a corporate environment there are two legal bases that can be relied on. One is consent, which has a number of fundamental problems. Although it is supposed to be about the agency and autonomy of an individual, which is key to the right to privacy, the way it is being implemented by companies at the moment makes it extremely problematic.

The other is called legitimate interest, which means in theory that you balance the interests of the company with the interests of the individual. However, we are concerned that not only is consent being implemented in a way that is not meaningful to individuals, but legitimate interest is being used as a way to justify any business interest. There is no demonstrable evidence of how the rights of individuals are being considered. Those are two of the concerns.

Lord Brabazon of Tara: Following up on what the Chair said about buying a suitcase on the internet, I have bought one and then the next time you go on to the internet to look at the weather or something like that, adverts for suitcases are always there, even though I have already bought the damn thing. That is what I find rather irritating. However, I cannot see that there is any real harm in that, because who cares whether I am going to buy a suitcase or not?

Ailidh Callander: Another example of something that might seem mundane is baby products and someone perhaps being shown adverts for nappies. A number of baby and parenting services have been fined by the UK data protection authority. Depending on the stage of your life and what has happened to you, seeing an advert for baby products that follows you around the web could be extremely hurtful and harmful. There have been a number of instances in the UK and elsewhere when women have come out to speak against that.

It is another example of what might seem to be mundane to one person but could be harmful to another. However, the correlation between having looked for the suitcase and what adverts you see is often not quite as obvious. Sometimes you know because you know that you looked for a suitcase, but at other times it is not clear why you are seeing the suitcase advert. It might not be just a product advert but a political advert. A number of issues are involved here.

Richard Cumbley: There are a couple of other important concepts in this. We have talked about processing grounds such as consent with interest. Another thing that the Committee should think about is that data protection law has divided the world into two groups of organisations. Take data controllers. Controllers take responsibility for processing and make decisions about how data is used, and processors are humble servants who just do what they are told and nothing else. Controllers have almost all the responsibility under the legislation, including the obligation to give notice and establishing a processing ground, which you have just heard about from Privacy International.

Lord Trimble: What does process mean in this context?

Richard Cumbley: Processing is rather confusingly used in two different ways in legislation. It is used to describe the category of servants—people who do only what they are told by controllers. It is also used to describe the activities that are carried out with the personal information. In that context, processing is effectively anything that is done with information about people—holding it, deleting it, sending it on to someone or keeping it in a black box. All those activities are processing in this context.

It is important to understand that concept. The real-time bidding industry matches the publishers of websites and brand owners who want to advertise to me through a real-time bidding exchange. The brand owners, who may know me, and the publisher, who may also know me, are clearly controllers of data. The individuals in the middle of that chain could be controllers of data, in which case they get to control how the data is used and what is done with it—obligations to give notice—or they could be processors, the humble servants of publishers and brand owners.

Establishing whether they are controllers or processors is crucial to understanding their discretion of activity, who must give notice and who must establish processing grounds. That is because, if they are processors, they just do what they are told.

Lord Trimble: Some people set themselves up in business just to be processors, do they not? I came across a firm doing that. It had located itself in Northern Ireland, because it was easy to get stuff sent from North America over to it to be processed. I wondered what on earth they were doing.

Richard Cumbley: There are all sorts of data processing activities. We see everything, from simple data entry from hard copy documents through to holding records about HR staff. We see a wide variety of things in our business.

Tamsin Allen: I have examples. A simple example: yesterday a colleague was talking about how a friend of his had developed an app that helps you to get compensation if your travel arrangements are late. You just take a photograph of your ticket and they sort it out for you. He said, “That’s great. I’m going to use that. That’s really interesting. How do you make money on that?” His friend replied, “The business model is data sharing”.

The purpose of the app, its business model and the way it makes money is to get people’s information about when they are travelling and where they are going and selling it on. That is part of the terms and conditions you agree to—the pages you do not look at when you download the app. The business model of many apps that we all use on our smartphones all the time is not to provide you with a helpful service; it is to collect your data.

What happens to it next? It might be combined with your Facebook likes, your Twitter activity, your purchasing history, the sites you have looked at online. All that information might be combined. From that you can get a really detailed picture about what someone is like: what they do, where they come from, their gender, their medical history.

As we move into the internet of things and our homes become connected, your fridge—we already have smart fridges—will talk to your home hub and order you your food. Maybe you say to your Alexa, “I need painkillers”. Maybe you say that every month. From that, Alexa starts to work out that you are female: you eat chocolate and order painkillers once a month. Then it suddenly has a picture of your menstrual history and patterns. It knows how old you are. If you stop ordering chocolate and painkillers once a month it thinks you might be pregnant. Without you realising, it builds a very complete picture.

That not only means that you will get annoying ads—that is the half of it. That information could be sold to political actors who then know how to target you with exactly the message you want to hear. It gives companies an unfair economic advantage. If Alexa can deliver your painkillers a day before you need them, how can Boots ever compete? Boots has to end up just servicing Amazon. Amazon might then say, “You’re not a Prime member. You don’t get special brand painkillers, you get own label painkillers. You get a reduced menu. Your electric car cannot go in certain areas. The ability to influence the way people are treated and their behaviour in society is enormous.

Data sharing also influences culture. When you are on Spotify or YouTube you get, “You listened to this. You might like this”. You are recommended based on your past listening patterns. Based on the data they have obtained about you, you are recommended new things. How can culture develop when you are told to listen to or look at only things that you have already liked? Where would punk rock be if that was the way? If you have listened to something before, you will never be recommended that you might like punk rock or hip-hop.

New musical movements and new ways of writing do not appear in algorithmic land. We live in digital never-never land when that much data is shared about us. We get stuck, because algorithms only know how to base themselves on the data that already exists. They prevent innovation.

Data is shared in all sorts of unexpected ways. I have a young friend who was beaten up in Bristol just before the referendum. He might have done some searching afterwards; he did not remember exactly what he did. He was probably under 18 at the time, and then he was 18 at the time of the referendum. He, alone out of his family, and his other friends who were beaten up were sent images of young black men rioting.

In fact, they were not rioting, the images were taken from Calais, but they were very aggressive, very alarming images. They were very definitely young black men in those images. I do not know the race of the people who attacked him, but somebody seemed to have known that this young man was feeling vulnerable. He was young and possibly open to being manipulated. Suddenly his feeds were flooded with, “Recommended for you”, “You might like”, “You might be interested in”, and then these really scary images, when anti-immigration messages were everywhere in the referendum campaign.

It looks as though somebody somewhere is taking parts of his digital history, using his personal data—where he has been, what he has looked at, information that he has handed over—and targeting a message at him. It was not an overtly political message; it did not say anywhere, “This is a message on behalf the people who want to do the country harm”. You do not know where it comes from. You have no way of knowing. Those are some of the ways data sharing is more than selling someone a suitcase.

Baroness Ludford: I want to go back a bit to the legal basis for processing. I was one of the lead MEPs on the drafting of the GDPR in 2013, or whenever it was. I have forgotten a lot of it, but I remember very well that of all the terms in the GDPR we spent the most time on Article 6(1)(f) on legitimate interests. We went all round the houses. I am very interested.

Ailidh might have confirmed this, and I do not know whether Richard can, but I noted that Richard said he advises clients not to use consent as a legal basis. I do not want to play devil’s advocate, but it sounded almost as though that was a favour to the user because it outsources compliance. Richard advised to use one of the other bases. I do not know whether that would largely be legitimate interests.

We were trying to tighten up what we felt, particularly in the UK, was previous sloppy use and exploitation of the basis of legitimate interests. We laboured and came up with the fact that the processor could use legitimate interests, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.

After the hours, weeks, months we spent on that, I feel like a failure, I have to admit, because it does not sound as though anything has really changed. We wanted to shift the spotlight to consent, maybe naively in my case. It does not sound as though we have achieved that.

Has anything changed post GDPR, as opposed to the old Data Protection Act, in your advice to clients for justifying legitimate interests?

Richard Cumbley: Maybe I should reassure you on that, or at least in some ways. Thinking back to advising clients under the old Data Protection Act and the old directive on what processing grounds they could rely on, since consent was not as closely controlled as it is now under the GDPR, we will all have experienced as consumers that it was relatively straightforward to be asked to tick to agree to terms and conditions, or to the privacy notice, and then effectively to have accepted whatever was written in that privacy notice. You have heard evidence about the length of those documents.

The use of legitimate interest in this country, in part because of that balancing test and language, now requires organisations to go to something called a legitimate interest assessment. That is documentation of the grounds on which you rely, as an organisation, on legitimate grounds, balancing it against the challenges to the individual posed by it. It has to be shown to a regulator.

One client of mine has several hundreds of those legitimate interest assessments documented for different processing grounds, because that diligence is required to ensure that you can evidence to the regulator that you have taken appropriate steps to mitigate risks to individuals. In some cases, that means that the processing has stopped because you cannot make out a legitimate interest assessment: there is no legitimate interest and that balancing test has failed. That is important.

Chair: Can we come back to that later?

Baroness Ludford: Yes, sorry. It is legalistic, but it is key.

Chair: It is. Can we come back to it later? It is a really important point.

Q22            Ms Karen Buck: From what you are saying, it does come over as the devil having all the best tunes on this. The way this is presented it is very much about the efficacy of the microtargeting of advertising. I am interested to know whether you think it might be possible for the public interest to defend itself against that, because even with some of your slightly more hair-raising examples I could see it being perceived as enhancing individual convenience for most people most of the time.

How is it possible to win an argument about the value of privacy and how to avoid the data sharing being used for purposes that will have a negative individual impact as well as a negative social impact?

Tamsin Allen: You need to talk to the data scientists and the architects of the system, but my proposal would be that those are the people who are regulated and that the principles should allow individuals sufficient agency and autonomy, because at the moment individuals end up being pushed down a route that they do not understand and do not know. They are pushed into this building. You cannot just say, “I’m not going to use Google or the internet”. It does not work. You cannot say, “I’m not going to use social media”, or you will lose all your friends and probably your job.

We know that there are real problems with putting it all on to the consumer. We know that there are benefits to data use; proper data use, ironically enough, can stop spam and you being bombarded with unwanted adverts, because it makes sure that you just get what you are interested in.

The key thing is ensuring that at a much earlier stage, in the development of the engineering and the architecture of the system, designers are required to ensure that proper respect is paid to the rights of the individual and the importance of all the harms I talked about being avoided.

Ms Karen Buck: What would that look like in policy terms? How would you legislate for that?

Tamsin Allen: I could not tell you how. To use the building analogy again, it might look like a building code that set out the engineering principles that had to be complied with and the inspectors. It might also require licensing of some sort. It might then require some sort of insurance or some fund to make sure that there is a way of compensating when harm happens.

It would be a system that was analogous to the sorts of systems that we use for making sure that aeroplanes are safe to fly in and cars are safe to drive in—there are seatbelts that work. I could not tell you the mathematical formula for a good seatbelt, but I can tell you that it is a good idea to have policy and legislation that requires there to be those rules.

Q23            Ms Karen Buck: Does the GDPR give you an architecture for doing any of that, or does that fundamentally need to change? Following on in the spirit of the value of consent in this world, is raising awareness about any of this of any meaningful use at all?

Richard Cumbley: Raising awareness is enormously important. That is one of the important functions that Privacy International has served: raising awareness of these kinds of issues so that they are debated in this kind of forum and others. Raising awareness and making organisations be transparent about what they do with information is enormously important.

Going back to your question about whether the GDPR provides any of this infrastructure, we have talked a lot about processing grounds and notice. One thing to think about in relation to legislation—many of you will be aware of this already—is that the GDPR already establishes a set of principles that all organisations must follow.

The most important of those is fairness. This Committee heard evidence previously about the discriminatory targeting of advertising in relation to employment opportunities. That example sounds to me like a very good instance of unfair processing. We have a regulator that is armed with the tools to engage with that activity and has demonstrated quite forcefully over the last two days how very potent those tools can be. We already have infrastructure to deal with some of these issues through that fairness of processing principle.

Tamsin Allen: It is a good start.

Ailidh Callander: I agree. We are only just over a year in to the GDPR taking effect. We really need implementation and enforcement. That is where the gap is at the moment and where the effort should be: on proactive implementation and enforcement where there is blatant non-compliance, and where there is systemic non-compliance to the extent that it has become, for example, an industry standard.

Going back to the point about the right to privacy, it is really important to remember that the right to privacy is also a right on which other rights are built. Particularly important for your Committee is the right to privacy with respect to all our civil and political rights and our socioeconomic and cultural rights, and how these issues impact on all our human rights. That is really important to remember. 

Q24            Fiona Bruce: Thank you. It is a fascinating session, and the Committee still has many questions to ask you, so I will ask you to be relatively brief because I have four sub-questions that relate to the right to be informed when your data is being used—that is what we have largely been talking about, so you have answered some of that already—and the right for personal data to be erased; the right to be forgotten.

My first short question is based on whether companies are making sure that individuals are informed when their data is shared with another organisation. Is that happening? I think we have heard a bit about that already. If people want their data to be erased or corrected, how do they make sure that all the organisations that might have that data can comply with that request?

Tamsin Allen: I sometimes represent claimants in cases against tech companies, as well as whistleblowers in tech companies, and my experience is that individuals are often not informed about what is going on.

An example of that relates to some due diligence organisations, which are private companies that provide information for banks, financial institutions and accountants which they aggregate from super-internet searches all around the world. There might be a businessman accused of a crime in another country and then acquitted, but there are newspaper reports in the local town where it happened. Those things end up in a report that is given to members of a subscription service. The person who is the subject of the report does not know about it. All they know is that suddenly banks will not give them bank accounts, and lawyers and accountants will not deal with them, and they have no idea why.

There are a number of people providing these services, and you cannot find out who they are. When you do find out and try to get the information changed or removed, very often there has to be a battle with them and the individual has to instruct a lawyer and find funds to fight that battle. The regulator is very busy, these issues sometimes need to be dealt with quickly, and the companies do not even keep a record of who has accessed the report.

The poor individual has no way of knowing that they need to write to XYZ bank, lawyers and accountants, because they do not know who has seen the report. They are left in a very difficult position. If they find out about it at all, they do not know where the information has gone and it is very difficult to correct it.

These are reputable due-diligence services provided by reputable publishers like Reuters and LexisNexis. That is the top end of the market, but even there it is very difficult.

Q25            Fiona Bruce: Thank you. May I persevere with Ms Allen, and then perhaps the witnesses can come in later?

Can you give us any examples of cases where compliance has not occurred and of the consequences on the individuals affected? You touched on an example. Without naming names, can you give us some real-life examples?

Tamsin Allen: Yes. I have those real-life examples, relating to World-Check and LexisNexis, and I have another client about whom completely false and private information was published in newspapers. He tried to go through the Google delisting route. Months and months later, after their refusing to delist the URLs, he had to instruct lawyers. Months and months after we wrote to them, at great expense on his part, they agreed to de-list just some.

Finally, we had to issue proceedings here and apply to serve them out of the jurisdiction and serve them on a Google in America—at enormous cost, because they were not playing ball with their own delisting service. They instructed very expensive lawyers in London, who had a row with us. Eventually they agreed: “Right, we’ll delist”. They delisted, but everything that previously did not appear on the Google listing because it was too far down the ranking suddenly popped up.

We got to the conclusion of the proceedings, he spent a fortune, and suddenly there is a whole load more of the same pieces of information back on Google. So we had to write back and asked them to go through all this again. They said, “Okay. We’ll get rid of it all again”. The same thing happened.

Chair: Can you say what the information was?

Tamsin Allen: It was an allegation of a criminal offence that was completely false and had been the subject of a libel claim that had been won many years before. It was private information about his former employment with the secret service. That was very dangerous information that should not have been published. Tt was a serious case with serious consequences for him in that it could have put him at the risk of physical harm, yet it took 18 months to get anywhere near an internet clean-up, which is exceptionally difficult and expensive to do.

Chair: Roughly how much did it cost him?

Tamsin Allen: I cannot remember off the top of my head, but it was tens of thousands, and it could have been a lot more if I had not done him a favour.

Fiona Bruce: Just before we move on to my next question, presumably an awful lot of name confusion occurs when information is put out.

Tamsin Allen: Yes. I do not know whether you watched the Channel 4 exposé about the Cambridge Analytica people. Alexander Nix described the methods that Cambridge Analytica was using. He said, “You can seed the internet and just watch it grow”. I think those were his words. It does not matter if it is true or false as long as it has an impact. That can happen very easily and things can grow and multiply.

I have a client who at the moment is bringing a privacy claim against Associated Newspapers, but the information about him will never be cleaned up on the internet. It will always be there and he will never do the job he was trained to do. He is a young man and his life has been ruined.

Q26            Fiona Bruce: Thank you. On the other side of the coin, can you give us examples of organisations that have done a good job of upholding rights on the internet?

Tamsin Allen: I do not come across them, because I get involved only when there is a problem. I defer to Richard on that.

Richard Cumbley: Perhaps I may give a good example of notice and then a good example of access.

Last year we did a review of the use by the Royal Free Hospital in north London of an app called Streams, which was developed in conjunction with DeepMind. Streams helps to identify incidences of acute kidney injury, a condition that kills 40,000 people a year in the UK and costs the NHS around £1 billion. The technology is loaded on to doctors’ phones and allows them to identify really quickly a spike in particular readings in a blood test, which is an early indicator of acute kidney injury.

Chair: How can it get from the doctor’s phone to the blood reading?

Richard Cumbley: It is simply a matter of placing information into a centralised information repository that should then be available on the mobile device. Although DeepMind, the technology business that developed it, is known for artificial intelligence, we found that it is actually not a piece of artificial intelligence, it is just a piece of very good software development.

That, of course, requires transparency in the form of giving individuals an explanation of what is happening to their information when they arrive at the hospital. In the case of the Royal Free, that involves not just a long notice the length of the works of Shakespeare but the use of different forms of media. If you go on to the website you will see a cartoon showing how Streams works. You can see the heads of medical practitioners talking about the importance of the application, and when you visit the hospital you will see banners about the way the information is being used so that individuals can exercise their right if they choose not to become involved in it. Different modes of access and communication are being used to help to explain why this is good for individuals.

Baroness Ludford: Sorry, did the ICO have to get involved in that?

Richard Cumbley: The ICO got involved and we were then brought in to do a widespread audit of a range of activities, including notice. That is one of the issues we looked at. It was an area of our report that is public, and we have made a number of recommendations. One area of strength that we found in relation to that application was the quality of notice that was being given to patients. That is an example of notice.

You also talked about access. Tamsin has described some egregious examples that diminish that, but some businesses are trying to make it easier for individuals to find out what information is being held about them. There are tools where you can visit a website, put in your email address, and it will come back to you with details of the information being held about you. It is automated so it is done quickly, in a matter of 48 hours or something like that.

There are businesses that are really trying. I do not want you to take away a picture of just the bad side, because some UK businesses are really trying to enable information rights.

Ailidh Callander: The two rights you mentioned are intimately linked. The problem is that people do not know and are not being told about what is happening to their data. You may not know that the data even exists, because often it is not the data that you provide but the data that is combined and inferred about you. If you do not know that that data is even there, how can you ask to have it deleted? How do you know who to ask? This is one of the core issues, and those rights are intimately linked. That is an example of harm.

It is also important to recognise that many platforms and systems are relied on by others who are delivering services in really challenging environments. We worked with the International Committee of the Red Cross on risks in the humanitarian context, for example, so there are many different scenarios.

Going back to the question of rights, our experience, unfortunately, is that while some effort is being made to make rights easier to exercise and inroads are being made, that is often challenging. Obstacles are put in the way and it can be a slow and frustrating process.

Q27            Fiona Bruce: Thank you. My final question, and you can keep your answer as short as you like, is whether the rights under the data protection rules effectively ensure the enjoyment of our right to privacy for our personal data.

Tamsin Allen: The short answer is no, not in my experience.

Fiona Bruce: No. That is fine.

Richard Cumbley: Not on their own. You need a well-funded and well-supported regulator in the long run. The ICO today is a well-staffed and well-funded regulator, so we need to make sure that that stays the same.

Ailidh Callander: I agree with both. The rights are important, indeed essential, but they are no substitute for proactive implementation, protection and enforcement.

Chair: We have already covered questions 5 and 6, so perhaps we can go to question 7.

Q28            Lord Singh of Wimbledon: My question is directed to the whole panel. Do organisations take sufficient steps to ensure that children’s rights and interests are sufficiently protected? Are the protections good enough, or are there any glaring gaps?

Tamsin Allen: I have no children cases at the moment. The GDPR provisions for children are much better than previously, and I know that the organisations I have dealt with are now being more careful when they handle information on children. That is obviously important, because informed consent in the context of children is obviously a different beast.

Important rights to personal privacy are encompassed in Article 8: the right to autonomy, to personal development and to develop personality in relation to your relationship with other human beings. The core of Article 8 is all the more important to children. Children are big internet and social media users and they are leaving a digital footprint that will affect them for the rest of their lives. That might mean that they could become stuck in what I call a digital never-never land. The privacy rights of children are particularly acute and need special protection. They have better protection under the GDPR, but the whole model of it being down to the individual to become involved in a sort of contractual relationship is, I believe, flawed for the reasons we have discussed.

Lord Singh of Wimbledon: It seems slightly one-sided. While it is a contractual relationship, obviously there cannot be any consent. Can that consent be passed on to parents or to anyone else?

Tamsin Allen: That is the current model: the parent or the person with parental responsibility has to give consent for children up to the age of 13. Children aged under 13 are not required to give consent themselves, because obviously that would be nonsense.

But, of course, there are problems with parents consenting on behalf of children. How are they supposed to know? Children may not want to tell their parents what is happening. Where you are required to give consent, the questions may be, “Do you have the permission of your parent?”, “Are you the parent of this child?” or “Are you aged over 18?” Those questions are obviously open to abuse.

Lord Singh of Wimbledon: Is any direction given as to the risks or downsides of what children are getting up to?

Tamsin Allen: Do you mean: is it given to the parents?

Lord Singh of Wimbledon: To the parents or to the children to pass on?

Tamsin Allen: I do not think that many digital services or ways of interacting give information that is useful to parents or people with parental responsibility when they are considering consenting on behalf of children. In fact, most places you go to on the internet just require you to consent on your own behalf. They do not even go into the issue.

Richard Cumbley: This goes back to your earlier point about giving children permission to make mistakes in a way that we recognise is part of childhood and growing up. There is parental supervision and there is parental monitoring. We think about the rights of the child; parental monitoring of everything the child does not is not necessarily desirable when it comes to allowing children to make mistakes and develop.

One other point that we should definitely mention is the age-appropriate design code, which is currently in draft. It takes the principles in the GDPR and issues of what fairness means, what is legitimate when dealing with children, what informed consent is in the context of children, and expands them into 16 extremely helpful principles.

The code is still in draft and I do not know where it will end up, but it will be extremely helpful to organisations to help them to understand how they should shoulder their responsibilities when dealing with children. For example, rather than talking about legitimate interests, that code talks about the best interests of the child. Organisations that process data about children must always be thinking primarily about the best interests of the child. That is an expansion of the concepts of fairness that we have just been talking about, so that the GDP tools are used by our regulator in a specific and focused way.

Lord Singh of Wimbledon: That is in the process of drafting?

Richard Cumbley: That is in a code that is currently out for consultation.

Chair: But if there is buying and selling of the child’s data, how can that be in the best interests of the child? It is in the best interests of the people making money out of the child’s data, is it not?

Richard Cumbley: The code talks specifically about data sharing. It requires that sharing should be done only where it is in the compelling interest of the child. One of the great benefits of principle-based law is that we can always make exceptions. There will be some situations where that is okay, but establishing compelling interests for sharing that data when related to children seems pretty challenging.

Chair: How can they know that they are dealing with a child?

Richard Cumbley: Organisations try to do that in a wide variety of ways. “Try” is an important word in that sentence, because it is very hard to guarantee. There are services available that will help you to verify the age of children.

Chair: So it is if the organisation knows that it is a child the child is pretty well shielded, but for the most part there is no differentiation between an adult and a child. Therefore, a child’s information is bought and sold in a way that will have a lifelong impact in exactly the same way as that of an adult who consented.

Richard Cumbley: Organisations take on a responsibility, if they are handling data that might involve children, to take reasonable steps to verify whether they are dealing with children.

Chair: I cannot remember anything that I have ever used that has asked me whether I am a child. Have WhatsApp or Instagram ever asked me if I am a child? I do not remember.

Tamsin Allen: There are occasions when you watch things on the BBC. That is about the only thing I can think of.

Chair: So basically for the most part nobody is asking. Children are using it and nobody knows that they are children.

Richard Cumbley: They may not need to ask you, because they can confirm that you are an adult.

Chair: How do they know?

Richard Cumbley: Sign-up depends on the service, but one thing that might be done as part of signing-up processes is confirmation that you are an adult on, for example, the edited electoral roll. That is a publicly accessible database. That will be done in the background to verify, if you are signing up for one of the new financial services apps, that you are who you claim to be.

That is discharging a legal responsibility. That will be done in the background in an automated way, whereas maybe 20 years ago you would take in a copy of your electricity bill and your driving licence.

Chair: Yes, but leaving aside financial services, what about something like Instagram?

Richard Cumbley: You would need to ask Instagram.

Chair: They have not asked me whether I am a child.

Richard Cumbley: No, they may not have done.

Chair: They might be checking my monthly intake of paracetamol and chocolate.

Q29            Lord Dubs: Supplementary to that, whether it is a child or not, what safeguards are there for somebody who might have, say, mental health difficulties? It is an open door and they can be easily exposed, can they not? There are no safeguards.

Tamsin Allen: As far as I know, very few. Take the political targeting model, for example, for campaign organisations and political parties. Both campaigning organisations in the referendum and campaign organisations in America were using information taken from the electoral roll and commercially available datasets—lots of people who have ticked “I accept” when they have gone on shopping or newspaper websites. They have a very large amount of data. From that they can work out whether somebody is likely to be more vulnerable, whether they are neurotic or confident. From that you can work out what kind of targeting is most likely to affect them.

There are two problems with that. One is that instead of being a public square of debate, hustings and challenging, people will have someone whispering in their ear without anyone being able to verify whether it is true.

Chair: But that is the opposite of a higher level of protection. That is a gateway to a higher level of exploitation, which is the very opposite of what Lord Dubs was asking.

Tamsin Allen: That is exactly what I am saying. I do not know of any protection, but I do know that there is a vulnerability where people’s psychological weaknesses are deliberately targeted by campaigners. I know that that has happened. One of those weaknesses might be mental health fragility, which would be a very obvious one to target.

Ailidh Callander: There are some parts of the law, going back to the principle of fairness and the idea that you should be doing data protection and impact assessments, that try to think about the rights of individuals, although it is obviously context-specific. If they were properly implemented in a specific context, there might be some safeguards, but it is often not clear and there is no demonstrable evidence that there are such safeguards. As Tamsin said, lots of mental health websites are full of trackers. The fact that you might have sought advice is shared with innumerable parties.

Q30            Scott Mann: Some of this has been touched on already, but I am keen to explore datasets, and how the algorithms pick up from the original source and are used by third parties.

Do you think the legislation needs to be changed to manage the algorithm rather than the original consent websites? Is that generally where you think we need to be to legislate to secure the individual’s protection?

Tamsin Allen: Data scientists are writing the algorithms, creating the software and systems that deploy the data. The data is the petrol in the engineered vehicle. They need the data to work, but it is the vehicle that drives and does the thing. The data on its own does not do anything. There definitely needs to be legislative change, regulation and codes of practice at the level of the people who make those vehicles, those algorithms, alongside the improved protections in the GDPR.

Q31            Lord Trimble: My question focuses on automated decisions and possible profiling. Are automated decisions the same as algorithms, or something different?

Richard Cumbley: They are the same, yes.

Tamsin Allen: One is a method and one is an outcome. Automated decisions are made by algorithms.

Ailidh Callander: You might have different types. You might have a purely automated decision, or an automated process that informs a decision. There are limitations in the GDPR’s provisions, but an important first step is the implementation and enforcement of the provisions that we have.

Profiling is now defined in the law. All the safeguards within the law apply to profiling. There are then certain types of automated decision-making and profiling that go even further. The first step should be the implementation of them and enforcement to clarify any ambiguities around them. Then there is room to see how those provisions are dealt with in the UK’s Data Protection Act and whether they could be improved.

The first step is that we have some law here, so let us implement it and let us have it enforced so that there are some safeguards.

Richard Cumbley: There is one other point that may be worth building on. We have two pieces of law to think about when thinking in particular about targeted advertising online. One is the new legislation that is built for the 21st century, the general data protection regulation. I agree with you, Ailidh, that it would be great to see how that works in practice with the strong regulator that we have.

We also have much older legislation, from 2002—the Privacy and Electronic Communications Regulations—that deals specifically with the dropping of cookies on to individuals’ computers. That is the starting gun for programmatic advertising. At the moment, that cookie legislation, unlike the GDPR, is focused solely and wholly on the obtaining of consent. We go back to our conversation right at the beginning: when you are dropping cookies, the only option for an organisation is to seek to get consent, to opt in. The consent must be informed.

For the other ground that we talked about, organisations having to take much more responsibility for what they do rather than outsourcing it, the starting gun for programmatic advertising is not available to them because the Privacy and Electronic Communications Regulations are old legislation.

Ailidh Callander: That is in the process of being updated, and all those who grudgingly accepted that the GDPR was a thing have now moved their attention to the e-privacy legislation, which is stuck. It is really important that that moves forward and that we have the umbrella frameworks and these specific bits of law.

We should look at all the laws that we have—the Equality Act, for example—all the different legal tools that we have for this current environment, before jumping the gun and looking for new ones.

Richard Cumbley: It would be great if the Privacy and Electronic Communications Regulations could be unbunged.

Chair: A final question from Baroness Ludford.

Q32            Baroness Ludford: Turning to European and international data sharing, what would the effect be on data sharing within the EU if we Brexit, and how would the UK’s ability to influence the rules on this be affected? I do not say “will”, because they will be affected, but how they will be.

Secondly, on international transfers, how is the protection of data to a high standard internationally working out? Obviously we had all this stuff with the EU on the privacy shield, although I cannot remember all the history of that. Where is that at? Is more uniformity coming in internationally, or are we getting different data rules in different parts of the world, and how will that affect the development of data sharing on the internet?

Richard Cumbley: We talked about that outside the room beforehand.

One of the remarkable things about the GDPR is that it has been a great success. It is regarded as the gold standard for privacy legislation around the world, and it has been successfully taken on by a large number of jurisdictions in similar ways. There are now more than 130 countries with data protection. Jurisdictions that do not have comprehensive privacy law are now out of step with international norms, and the GDPR has been an important force for spreading that around the world. It is now much more common to find privacy law in Asia and Latin America, for example, than when I started out in this area.

Coming back to your original question about Europe and Brexit, at the moment there are no special controls on sharing information around the EU. We treat sharing information with Brussels no differently from sharing it with Birmingham; it is treated in exactly the same way. There are controls; we talked earlier about processes whereby you share information with a processor, your humble servant. That is very closely controlled. The GDPR sets up a very rigid set of contractual obligations that must be met.

So there are controls. However, when sharing with controllers, those peer organisations, whether in Brussels today or Birmingham, there are relatively few mandatory requirements that must be documented. Ironically, although you might have to have a contract that says that some things are with a processor, you do not have to say that the contract is with a processor. That seems rather curious to me.

But, yes, the controls exist inside the European Union. When we leave the European Union, we will be treated like India or the United States. We will be a third country and will need to be dealt with like those other jurisdictions. That will mean more restrictions on how data is shared. We have devices and tools to do that; we have standard contractual clauses, as you will be well aware, but they are impediments. That is the nature of the Brexit beast.

Baroness Ludford: How much difficulty would you see in getting an adequacy decision from the Commission?

Chair: Can you just remind everyone what an adequacy decision is?

Ailidh Callander: An adequacy decision is one of the safeguards that can be put in place when you are transferring data from one country within the EU to outside the EU. Richard mentioned various ones. An adequacy decision is when the European Commission looks at the legal situation in another country and says, “Your standards are good enough for us, so we can have this flow of data. Only a few countries to date have had these adequacy decisions.

That is suddenly where the UK’s failings in some sense will come under much more scrutiny. In fact, the council to the committee pointed out a number of issues with the Data Protection Bill as it was going through Parliament, many of which were not resolved in the final iteration of the Billincluding on national security, for example. All those issues would come under scrutiny if, for example, the Commission looked at an adequacy decision for the UK.

On the point about data protection around the world, as Richard said there have been all these bits of legislation, which is very positive. It is very clear that data protection is a positive for privacy, but it should be seen as the baseline, and it needs to work in tandem with other sectoral laws and should not be undermined by exemptions.

Also, it is effective only if is actually enforced. Without enforcement, it will not mean anything. Enforcement often comes off the back of investigations by journalists, by civil society, by academia, and by regulators themselves. It is essential, if it is to mean anything, that all those groups are empowered to carry out that work and hold companies to account.

Q33            Chair: Can I ask one final question? If you are doing a job search, can the person who is putting out the job ad have said, “I would prefer this job ad to go to people who are between the ages of 20 and 30, white and a man”? Is it possible for people, when putting out their job ads, to describe a profile of who they want to target it at that excludes lots of other people from seeing that ad when they search?

Tamsin Allen: Technically yes, legally no.

Chair: So it is technically possible. How would you legally find that out, because the right belongs, does it not, to the individual who is discriminated against?

Tamsin Allen: This is one of the major problems. This is the whispering in the ear problem. If something is in a newspaper, it is there for everybody to see and it would be a breach of discrimination law.

Chair: The right would be with the individual who does not get the ad.

Tamsin Allen: Yes.

Chair: And they would never be in the position to know that they had not got the ad, because they had not got it.

Tamsin Allen: Exactly.

Chair: Because they did not have those characteristics.

Tamsin Allen: It is the whispering in the ear. It is a targeted job ad, or any form of advertisement or political message, that comes only to you; it comes on to a device that is yours and nobody else’s. Short of going round and showing it to every person you can think of in the market for the same job, you will never know.

Chair: So you would need a whistleblower in the organisation somewhere to say that the basis on which the ad is put out is discriminatory.

Tamsin Allen: Unlawful, yes.

Chair: Then you would have to find an individual who had suffered from that discrimination who then made a claim.

Richard Cumbley: Or you would have to rely on the regulator to exercise their powers to inspect that organisation and prosecute them. It would be unfair processing. The ICO has significant new powers under the new legislation and it would be able to investigate that organisation, audit it, inspect its records. That would identify that that programmatic advertising was being targeted in a way that was clearly discriminatory and unfair, and the organisation would be prosecuted.

Ailidh Callander: There are also steps in relation to transparency that can be taken now, and a lot more can be done now, for individuals. When you see and advert on the majority of platforms, it is not clear what targeting criteria have been used to target that ad at you.

Chair: But we are talking about the problem of not seeing the ad because you are not in the target category.

Ailidh Callander: Those steps would help to identify the targeting criteria. When it comes to the bigger problem of not seeing the ad, there are some steps relating to the ad archives which the platforms are developing that start to help with this. But there are big issues to do with transparency where a lot more could be done by all the players involved.

Chair: So for the regulator it would be like looking for a needle in a haystack. It will depend on insiders blowing the whistle, will it not? Otherwise, you could have rampant discrimination, and the reality is that the victims of discrimination will never know about it. Leaving aside the fact that you are not going to offered punk rock or something to listen to, you will never be offered job ads because you are not a white man aged between 20 and 30.

Tamsin Allen: That could happen, yes.

Lord Singh of Wimbledon: If an individual owns their ASA-profiled ad and wishes to probes further, are the advertisers obliged to respond to a query?

Tamsin Allen: You might be able to make a data subject access request. You could ask why you are being targeted with that information and they are supposed to tell you. You may have no reason to feel suspicious about it. You may well just get a direct message in your Twitter account saying, “We thought you might be interested in this job”, and you think, “Great. I’ll apply”. But if you do have some reason to be suspicious about it, again it is all down to the individual having to raise problems. Again, the individual somehow has to delve into a very opaque system.

Chair: But we are talking about them not getting the ad. You cannot search after a negative. You just think, “Oh, there are no jobs”. 

Tamsin Allen: You never even knew there was a vacancy.

Chair: Yes, “There are no vacancies out there”.

Thank you very much indeed. The session has been very helpful.

Oral Evidence: The Right to Privacy (Article 8) and the Digital Revolution