A class action UK lawsuit is being mounted against Google, which stands accused of unlawfully harvesting personal data from 5.4 million UK users by bypassing privacy settings on their iPhones. This was allegedly accomplished over several months in 2011 and 2012, when Google placed ad-tracking cookies on the devices of users of the Safari browser, which is set by default to block such cookies. It has become known as the ‘Safari Workaround’. Writing exclusively for ExchangeWire, Mark Weston, head of IT, IP, and commercial at law firm Hill Dickinson, explains why law must win out over trust.
There is a saying in the tech world: “If the service is free, the product is YOU.” Users of free web services such as Gmail, Facebook, Twitter, etc. all operate on the basis that some giant philanthropic organisation is making a life-enhancing tool available for free – a tool that such users soon find it hard to be without. Yet at some level (subconscious or otherwise) each user ‘knows’ that their emails, posts, and tweets are being scrutinised, processed, and acted on to make money. Yet we all use such services because at some level we ‘trust’ the operator of the service not to do anything ‘too bad’. And we also know that at some level if we really wanted to, we could block certain actions of the service operator or even just stop using the service. We ‘sort of’ know there are rules of the game – the law – even if most of us are not sure what those rules are; and we trust the operators of the service to play by those rules.
But what if that trust is betrayed? Seemingly, the Safari Workaround was a vehicle for just such a betrayal.
There are laws against that. Data protection legislation has been in place since 1984, although it was last beefed up in 1998 in the form of the Data Protection Act 1998 (DPA) and various regulations such as the Privacy and Electronic Communications Regulations 2003. Breach of the DPA can lead (potentially) to a fine of up to £500,000 and huge reputational damage.
But data protection legislation is now 20 years out of date. It is being updated to take account of the major changes in how individuals share their own data and how businesses use that data. In recent years, there has been a massive adoption of the internet and social media and individualised technologies such as smartphones and tablets. The amount of data existing about individuals has therefore expanded exponentially. The ability to process that data, and the tools available for sophisticated targeting, have expanded exponentially. The ability of data to be stolen, hacked, or misused has increased exponentially. While this has been happening, businesses have been using ever more sophisticated processes to analyse and track that data – and to track and predict individuals’ behaviour – for a variety of purposes, including marketing. Many activities with data are so complex that the average person struggles to understand what personal data of theirs is ‘out there’ and how that personal information is being used, let alone control the use of it by businesses.
The new European regulation, GDPR, comes into force in EU countries on 25 May, 2018. It will also apply after Brexit in the form of a new UK Data Protection Act. It was created to redress the balance in favour of the individual by giving a raft of new rights to individuals, including, under certain circumstances, the ‘right to be forgotten’, if they want, or their right to ask for all of their data to be moved to another organisation – the right to data portability. Individuals are going to become a lot more knowledgeable about their rights and businesses a lot more controlled. There is going to be a paradigm shift towards use of personal information being a highly regulated activity.
The idea of the GDPR is to make businesses adopt a root-and-branch cultural change in their attitude to the data of individuals. It is not a tick-box exercise. The regulators are expecting a sea change in how businesses view and treat data of individuals. This must happen from the top downwards, so that the management of a business disseminates the correct attitude and approach to all levels of staff.
Breach of the GDPR can lead, potentially, to a fine of up to €20m (£17.74m) or 4% of annual global group turnover (whichever is greater). To put this into perspective, TalkTalk’s well-publicised £400,000 fine in 2016 under the DPA could have increased to £72 million under the GDPR. Even the Googles of this world will be taking that seriously.
That level of fine forces the management of any business to sit up and take notice, but everyone is (and should be) principally worried about the reputational damage to the business and loss of client trust if the GDPR is breached. And there is a lot to implement and change to comply with the GDPR.
Protections must be built into every stage of a business process (so-called privacy by design and default) and data protection impact assessments will be the norm. GDPR regulates personal data on a par with Health & Safety. Importantly, one major requirement is to be able to demonstrate compliance by maintaining policies, records, logs, minutes of discussions – all taking place within a business over time.
Less trust. More law.