In a landmark decision that shines a light on widespread data protection failings across the entire data broker industry, the UK data protection regulator, the ICO, has taken enforcement action against Experian, based in part on a complaint made by Privacy International in 2018.
Privacy International (PI) welcomes the report from the UK Information Commissioner's Office (ICO) into three credit reference agencies (CRAs) which also operate as data brokers for direct marketing purposes. As a result, the ICO has ordered the credit reference agency Experian to make fundamental changes to how it handles people's personal data within its offline direct marketing services.
Experian now has until July 2021 to inform people that it holds their personal data and how it intends to use it for marketing purposes. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021.
The ICO investigation found widespread and systemic data protection failings across the sector, significant data protection failures at each company, and that significant invisible processing took place, likely affecting millions of individuals in the UK. As the report underlines, between the CRAs, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.
Moreover, the report notes that all three of the credit referencing agencies investigated were also using profiling to generate new or previously unknown information about people. This can be extremely invasive and can also have discriminatory effects for individuals.
Experian has said it intends to appeal the ICO decisions, saying:
"We believe the ICO's view goes beyond the legal requirements. This interpretation (of the General Data Protection Regulation) also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."
One bad privacy idea that won't die is the so-called data dividend, which imagines a world where companies have to pay you in order to use your data. Sound too good to be true? It is. By Hayley Tsukayama
Australia's eSafety Commissioner Julie Inman-Grant has rejected the practicality of a know your customer-type ID verification requirement for social media companies to ensure the age of their users.
Addressing the Senate, Inman-Grant said such a regime works in the banking industry because that industry has been heavily regulated for many years, particularly around anti-money laundering:
"It would be very challenging, I would think, for Facebook for example to re-identify -- or identify -- its 2.7 billion users," she said. "How do they practically go back and do that, and part of this has to do with how the internet is architected."
While she admitted it was not impossible, she said it would create a range of other issues, and that removing the ability for anonymity or to use a pseudonym is unlikely to deter cyberbullying and the like. Similarly, she said, if the social media sites were to implement a real names policy, it wouldn't be effective given the way the systems are set up. She added:
"I would also suspect there would be huge civil libertarian pushback in the US. I think there are incremental steps we could make; I think totally getting rid of anonymity or even [the use of] pseudonyms on the internet is going to be a very hard thing to achieve. I want to be pragmatic here about what's in the realm of the possible. It would be great if everyone had a name tag online so they couldn't do things without [consequence]."
A group of tech companies, publishers, and activist groups including the Electronic Frontier Foundation, Mozilla, and DuckDuckGo are backing a new standard to let internet users set their cookie privacy settings for the entire web.
Under EU law, every website needs to ask for permission from users before being able to set cookies. In particular this applies to cookies that allow website usage analytics and to the browsing-history tracking that is used for targeted advertising. This permission is only mandatory in the EU and parts of the USA, but no doubt this will spread.
Companies often try to make opting out of tracking cookies difficult, either by asking users to drill down into multiple forms or by presenting the options in such a way as to hide the ramifications of the choice.
Now the group of companies is championing a new standard, called Global Privacy Control, which lets users set a single setting in their browsers or through browser extensions telling each website that they visit not to sell or share their data. It's already backed by some publishers including The New York Times, The Washington Post, and the Financial Times, as well as companies including Automattic, which operates the blogging platforms wordpress.com and Tumblr.
Advocates believe that under a provision of the California Consumer Privacy Act, activating the setting should send a legally binding request that website operators not sell their data. The setting may also be enforceable under Europe's General Data Protection Regulation, and the backers of the standard are planning to communicate with European privacy regulators about the details of how that would work.
It is expected to take a little while for this new standard to get legal backing, and in the meantime it will be implemented simply as advice to websites of a user's privacy preferences.
If adopted, the move will be a massive improvement for user privacy, but one should also note that estimates suggest it would lead to a halving of advertising income for websites, which may then lead to some websites no longer maintaining a free service.
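As an added illustration of what "telling each website not to sell or share their data" means in practice (this is example code written for this digest, not code from the Global Privacy Control project or from any of the publishers named above): the GPC signal reaches a site as the HTTP request header Sec-GPC: 1, and is also exposed to page scripts as navigator.globalPrivacyControl. The snippet below shows a server-side check that treats only the exact value "1" as a signal, lets that signal override a stored opt-in, and builds the /.well-known/gpc.json body a site can publish to say it honours GPC. The header object shape, the stored-preference values and the "no stored choice means no sale" default are assumptions made for the example, not anything the standard prescribes.

```javascript
// Added example: honouring a Global Privacy Control (GPC) opt-out signal server-side.
// Assumed shapes (not from any real site): request headers as a plain object,
// stored preference as "opted_in", "opted_out" or null.

// HTTP header names are case-insensitive, so look the header up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// The GPC header is "Sec-GPC" and the only defined opt-out value is "1".
// Anything else (absent, "0", "true", junk) is "no signal", never consent.
function hasGlobalPrivacyControl(headers) {
  const raw = getHeader(headers, "Sec-GPC");
  if (typeof raw !== "string") return false;
  return raw.trim() === "1";
}

// Decide whether data from this request may be sold or shared.
// A live GPC signal is the user's most recent expression of choice, so it
// takes precedence over an older stored opt-in. With no signal and no stored
// choice, the example defaults to "do not sell" (an assumed policy choice).
function resolveSellPermission(headers, storedPreference) {
  if (hasGlobalPrivacyControl(headers)) {
    return { allowSell: false, reason: "gpc-signal" };
  }
  if (storedPreference === "opted_out") {
    return { allowSell: false, reason: "stored-opt-out" };
  }
  if (storedPreference === "opted_in") {
    return { allowSell: true, reason: "stored-opt-in" };
  }
  return { allowSell: false, reason: "no-consent" };
}

// Body for /.well-known/gpc.json, which the GPC spec uses so a site can
// publish that it recognises the signal. lastUpdate is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate }, null, 2);
}

// Constructed sample requests (not captured traffic).
const sampleRequests = [
  { headers: { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" }, stored: "opted_in" },
  { headers: { "Sec-GPC": "0" }, stored: null },
  { headers: {}, stored: "opted_out" },
  { headers: { "Sec-GPC": "true" }, stored: "opted_in" },
];

// Run every sample through the decision logic; returns one result per request.
function runSamples() {
  return sampleRequests.map((r) => resolveSellPermission(r.headers, r.stored));
}

console.log(runSamples());
console.log(gpcWellKnown("2020-10-07"));
```

The same decision can be mirrored in page scripts by reading navigator.globalPrivacyControl before loading any advertising or analytics tag, so that the client-side and server-side views of the user's choice agree. Note that the first sample overrides a stored opt-in, while the fourth ("Sec-GPC: true") is deliberately not honoured, because lenient parsing would let a malformed header be mistaken for a signal in one direction or the other.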
We are running a consultation about an updated version of the Statutory guidance on how the ICO will exercise its data protection regulatory functions of information notices, assessment notices, enforcement notices and penalty notices.
This guidance is a requirement of the Data Protection Act 2018 and only covers data protection law under that Act. Our other regulatory activity and the other laws we regulate are covered in our Regulatory action policy (which is currently under review).
We welcome written responses from all interested parties, including members of the public, data controllers and those who represent them. Please answer the questions in the survey and also tell us whether you are responding on behalf of an organisation or in a personal capacity.
We will use your responses to this survey to help us understand the areas where organisations and members of the public are seeking further clarity about information notices, assessment notices, enforcement notices and penalty notices. We will only use this information to inform the final version of this guidance and not to consider any regulatory action.
We will publish this guidance after the UK has left the EU and we have therefore drafted it accordingly.