Sign up to Newsletter

data protection graphic

Data Protection

Data Protection laws seek to protect people's data by providing individuals with rights over their data, imposing rules on the way in which companies and governments use data, and establishing regulators to enforce the laws.

Data protection law is going through another revolution. Established in the 1960s and 1970s in response to the increased use of computing and databases, re-enlivened in the 1990s as a response to the trade of personal information and new market opportunities, it is now becoming much more complex.

New challenges are also emerging in the form of new technologies and business models, services, and systems increasingly rely on analytics, 'Big Data', data sharing,tracking, profiling, and artificial intelligence. The spaces and environments we inhabit and pass through generate and collect data from human behaviour. The devices we wear and carry with us, install in our homes, our channels of communications, sensors in our transport and our streets all generate more and more data. 

Data protection frameworks may have their boundaries and new regulatory regimes may need to be developed to address emerging new data-intensive systems, new frameworks nevertheless provides an important and fundamental starting point to ensure that the fundamental strong regulatory and legal safeguards are implemented to provide the needed governance frameworks nationally, and globally, before we see ourselves the subject of data exploitation.

What is the problem

Protecting privacy in the modern era is essential to effective and good democratic governance. However, despite increasing recognition for and awareness of the right to privacy and data protection across the world, there is still a lack of legal and institutional processes and infrastructure to support the protection of rights. Some parts of the world in particular suffer from a void: a lack of regulatory and legal frameworks in many countries, and the poor implementation and enforcement in others.

As a result, innovations in policy and technology, private and public sector data practices, are largely left unregulated and unchecked, and this will have significant implications for rights of individuals, as well as for the development of the economies and societies.

There is also a systemic and structural challenge which is aggravating this situation. Decision-making and legislative processes are all too often not subject to any or only very limited public scrutiny. 

What is the solution

Institutions, public or private, that collect and use your personal data must:

  • be subject to rigorous regulations providing them with standards on how to handle any data they process;
  • be compelled to be transparent and accountable;
  • be subject to checks and balances;
  • fulfill the rights of individuals
  • respect the rule of law.

There are a number of a basic principles upheld by widely recognised codes, practices, decisions, recommendations, and policy instruments which provide the framework for effectively regulating the processing of personal data.  However, it is essentail for the protection of individuals rights that a data protection framework is given the force of law. 

Data Protection legislation must be carefully scrutinised to seek to ensure that the resulting framework is as strong as possible and not undermined by legal loopholes and exemptions. Once in force, data protection legislation must be accompanied by effective implementation and enforcement. This requires an independent regulator or authority must be appointed to ensure the law protection law is enforced, and it must have the mandate and resources to conduct investigations, act on complaints and impose fines when they discover an organisation has broken the law. An important safeguard is a strong and critical civil society, with the ability to raise complaints, research abuses and be constantly vigilant of implementation. 

Furthermore, recognising the need for multi-disciplinary nature of such mechanisms, technological measures from the conception phase to the processing of data can support a regulatory framework to minimise data collection, to mathematically restrict further data processing, to assuredly limit unnecessary access, amongst other privacy measures. Such measures can be adopted by both companies and governments.The onus must be squarely on those processing our data to protect it both by design and by default. 

Learn

Explainer

Infrared temperature screening

Explainer

7+1 tips on how to make the most out of your DSAR

Explainer

101: Data Protection

Public opinion about data-driven election campaigning in the UK

1m34s

Immediately following the UK general election in December 2019, we worked with Open Rights Group to commission a YouGov poll about public understanding and public opinion about the use of data-driven campaigning in elections.

The poll used a representative sample of 1,664 adults across the UK population.

'Data-driven political campaigning' is about using specific data about you to target specific messages at you. So, for this might involve knowing that you are, for example, likely to have two children between the ages of 2-5, and then using this data to target political messages at you that are designed to appeal to young parents, such as messages about investment in early years education. All of this would be done without these political parties revealing to you what data they hold about you, and indeed without telling you that that they are presenting you with these particular messages because of that data.

Key findings from the poll include:

  • 58% of people polled oppose the use of targeted ads during elections.
  • 69% of people polled oppose election spending when the source of that money is unknown.
  • Evidence suggests that the more the public knows about data-driven campaigning, the more they want to see stronger controls around its use.
  • 78% of people polled want to see tougher punishments like criminal convictions and fines when political campaigning rules are breached.
  • Many of the public don’t even know that data-driven political campaigning is happening. Therefore they won’t know that they are potentially being presented with certain kinds of messages because of what political parties think they will be interested in, and that others will be targeted with very different messages.

WANT TO KNOW WHAT DATA UK POLITICAL PARTIES HOLD ABOUT YOU?
SUBMIT A DATA SUBJECT ACCESS REQUEST (DSAR) THROUGH THE OPEN RIGHT'S GROUP'S WEBSITE.

 

Featured Campaign

Neighbourhood turning into Policing, Inc.
Campaigns

Unmasking Policing, Inc.

Governments are secretly collaborating with private companies. Here is why PI is concerned about surveillance outsourcing, and why together we urgently must expose them.
Read more

Reports and Analysis

Aerial picture of Lima, Peru
Case Study

Public-Private Partnerships on Technology in Peru: A Government without horizon

The Peruvian Government has repeatedly collaborated with the private sector in developing technology. In many cases who has access to the data is unclear, and - although Peru has a legal framework for public-private partnerships - it does not use it for technology.

Continue reading
Report
data protection

A Guide to Litigating Identity Systems: Data Protection and National Identity Systems

This section presents arguments on data protection concerns, highlighting the importance of safeguards to protect rights, and pointing to issues around the role of consent, function creep, and data sharing.

Continue reading
Report
rights other than privacy

A Guide to Litigating Identity Systems: Impact of identity systems on rights other than privacy

This section sets out arguments on rights other than privacy, namely liberty, dignity, and equality. It provides detail on the social and economic exclusion and discrimination that can result from the design or implementation of identity systems.

Continue reading
View more

News

4th August 2020

Banning TikTok? It's time to fix the out-of-control data exploitation industry - not a symptom of it

22nd May 2020

In big tech we trust: is Apple's and Google's COVID-19 reputation laundering enough to make us forget about their past?

22nd May 2020

GDPR - 2 years on

24th April 2020

Schools and Covid-19

21st April 2020

Zoom is not the worst, just getting the attention software deserves

13th March 2020

French regulator launches investigation of Criteo following PI's complaint

See more

Examples of Abuse

Want to know how this translate in the real world? Here is the latest example in the news.

Study finds gaps in GAEN contact tracing apps privacy protection

A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish
Read more
See more examples of abuse

Our Advocacy

Briefing on the Responsible Use and Sharing of Biometric Data in Counter-terrorism

This briefing aims to map out some of the implications of the adoption of identification systems based on biometrics in a counter-terrorism context.

Read more
View more advocacy