Data Protection and Privacy: Is the consent model broken?
Are companies violating individuals’ human rights by relying on consent and legitimate interest to process personal data? On 3rd November 2019, the Joint Committee on Human Rights (“JCHR”) published a report on the impact that company practices for processing personal data have on human rights and on whether the current regulatory regime is sufficiently robust.
The Data Protection Act 2018 and General Data Protection Regulation (“GDPR”) were introduced eighteen months ago, with a key aim being to further empower individuals with control of their personal data. The Human Rights Act 1998 protects, among other things, individuals’ right to respect for private and family life and freedom from discrimination. The JCHR considered whether the data protection legislation has fallen short of its goal and whether its implementation by private (primarily online) companies has failed to prevent them from increasingly encroaching on these fundamental human rights.
The use of the internet and online digital platforms has become central to people’s home and work lives. The rapid development of technology and the growth of companies offering free online services in exchange for data have created new business models where millions of individuals’¹ personal data is collected and sold online. To do this, companies most commonly rely on ‘consent’ or ‘legitimate interest’ as a legal basis for processing the personal data. However, the JCHR concludes that the ‘consent model is broken’ and that legitimate interest is not sufficiently understood, thus fostering an online industry that is encroaching on individuals’ human rights.
The JCHR report concludes that the consent model unreasonably places the onus on individuals to educate themselves in order to understand the risks associated with sharing their personal data online. The complexity of privacy policies makes it almost impossible for individuals to understand what consent they are giving. Further, many businesses make use of their online services conditional on agreeing to their non-negotiable terms. Therefore, consent is often not ‘informed’ or ‘freely given’ under the GDPR.
Personal data can be processed where ‘it is necessary for the purpose of the legitimate interests’ pursued by a company. The data protection legislation describes broad areas where legitimate interest could be relied upon. The JCHR report observes that there is a general lack of understanding on what would constitute a legitimate interest and calls for clearer guidance and a rigorous process to test whether companies are using legitimate interests appropriately.
How does this affect human rights?
Despite data protection regulations, companies are routinely buying, selling and sharing people’s data without the individual’s true consent or knowledge, clearly infringing on their right to privacy.
The JCHR report details how data is now being shared and at times aggregated to create online profiles of individuals without their knowledge, a concern shared by a number of European privacy regulators including the UK Information Commissioner’s Office. These online profiles are often used for online targeted advertising. The algorithms used for targeted advertising draw inferences from a person’s online profile and make a decision whether to show that person particular ads, for example for a job or a service. As a result, the individual, who has no way of knowing about their online profile or correcting any of its inaccuracies, is discriminated against, with no access to certain services and opportunities due to their online demographic.
The JCHR conclusions
The JCHR has recommended (among other things) the following:
- Introduction of human rights impact assessments and due diligence to review how a company’s gathering and sharing of customer data may result in an adverse impact on the human rights of their users;
- Stronger enforcement of the data protection regulations, and a review as to whether further legislation is required to make companies take more responsibility for the safety of their users; and
- The introduction of a mechanism, similar to a subject access report, where individuals should have the right to request data that companies have generated about them, to understand any inferences that have been drawn, such as if they have been refused access to a service based on inferences taken from online aggregated data.
Why is this important?
The implementation of the data protection legislation is a changing landscape. On 8th April 2019, the Government published its Online Harms White Paper, which concluded that the legal framework provides adequate protection against the misuse of people’s data by internet companies. However, the JCHR are urging the government to re-consider this position and include the violation of people’s right to privacy and freedom from discrimination as part of the government’s list of ‘online harmful activity’ to consider. If you are a private company who utilises machine learning for targeted advertising, or relies on legitimate interest or consent as a legal basis for processing customer personal data, it may be worth taking the time to consider whether your practices could impact on those individuals’ human rights and whether to make any changes.
¹The Office for National Statistics in the UK stated that 87% of all adults used the internet daily or almost every day in 2019.