We’re all data subjects now

follow rightsBy Matthew Rice

We’re all consumers for someone. Whether you are a chief executive with a LinkedIn account, a charity worker with a Twitter presence, or a lawyer subscribed to newsletters and conference websites, you are an individual that has signed up and agreed to the terms and conditions of a service.

But when it comes to discussing data protection and the new law which is currently making its way through Parliament, most attention is paid from the perspective of data controllers (those that hold the data), and not as data subjects (those whose data is being held).

We are all data subjects, with rights that we can exercise. It’s important not to lose sight of that. The General Data Protection Regulation – and the UK Government’s Data Protection bill which brings it into UK law – intends to create more accountability, with less bureaucracy. One way towards achieving those goals is to empower individuals to exercise their rights.

These rights give individuals the opportunity to change services, to restrict or refuse automated processing, and the right to be forgotten, among others. They have potential to redraw the accountability between an individual, and the public or private body that controls their data.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Providing the processing is based on the individual’s consent or the performance of a contract, and that it is carried out by automated means.

For example, you would have the right to request your energy provider processing your meter readings you submit to generate your bill, to provide those readings back to you in a format that can transfer to another energy provider.

The right to erasure, is also included in the new rights framework. While not as absolute as some would like to scaremonger, it is another important development. When personal data is no longer necessary in relation to the purpose for which it was originally collected or processed, an individual can request the erasure of that data.

A controller could refuse to comply with that request, but would have to come up with a good reason for doing so (for example, defending legal claims; or performing a legal obligation of a public interest task). If no good reason can be provided, then you have the right to have that personal data erased.

Importantly, if the data controller had shared the personal data with other third parties, they have to go to those third parties and inform them about the erasure, unless it is impossible to do so.

Taking our energy provider example again. You’ve decided you are going to switch providers and get that better deal; you could also return to the old provider and ask for your personal data currently held to be erased as it is no longer necessary for them to process that data. That energy provider would have to inform third parties they shared your information with (say a smart meter provider) that your personal data is to be erased.

One right that will grow in importance in the future are the safeguards against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subject to a decision when it is solely based on automated processing, and produces a legal effect or similarly significant effect on the individual. While this right has its carve outs too, ensuring processing is fair and transparent by providing meaningful information about the logic involved is an important step in holding back the tide of significant decisions rendered unaccountable on behalf of algorithms.

It is vitally important we start to understand how we can exercise our rights. The consumer group Which? published research this month that almost 1 in 5 consumers said they would not know how to claim redress following a data breach. Those statistics suggest a deficit in the public’s understanding of rights that we have, and how to exercise them.

The Open Rights Group is working alongside Which? and others to place in law the power for not-for-profit bodies, such as Open Rights Group, to seek redress “independently of a data subject’s mandate”, if it considers the rights of data subjects have been breached. This optional power, not currently implemented in the proposed law, would improve the rights enforcement framework for everyone.

There are two outcomes for this new data protection law; one guaranteed, one potential. The guarantee is that the lawyer, the chief executive, and the charity worker will understand their responsibilities as data controllers. They have to, and there are enough trainings and seminars out there to remind them of that. The potential outcome is that we will all become data subjects capable of exercising our rights under this new framework. The work Open Rights Group plans to undertake will help the public reach that potential outcome.

Matthew Rice is Scotland Director of the Open Rights Group.