In recent years, many have warned about the dangers of Facebook knowing so much about everyone’s beliefs, preferences, and attitudes. Clearly Cambridge Analytica, the advertising firm accused of harvesting 50 million Facebook users’ data without their consent, thought they were a match made in – let’s say – purgatory. But let us focus on a particular claim made today by the Secretary of State for Digital, Culture, Media, and Sport, Matt Hancock: that the companies are operating in an internet “Wild West” in which the UK government is straining to impose law and order.
The Wild West of the internet
This metaphor is invoked by ministers whenever they are displeased by something that happens on the internet. However, in this case, data protection laws have existed for decades. If data protection is inadequate, or unenforced, then that is the result of the laws and the sheriffs appointed by the incumbent Town Mayor.
Matt Hancock should be apologising for the extremely lax data protection regime that the UK has deliberately created as a matter of government policy, something that has gone on for decades.
For instance, the government argued against most of the improvements to data protection during the recent passage of the GDPR through the EU, arguing that business flexibility and innovation were paramount over data protection rights. It may be this kind of approach that attracts “innovative” businesses like Cambridge Analytica to the UK, rather than, say, Germany or Austria.
To give a couple of examples, the UK was steadfastly against fines of 4% of turnover for violation of the rules, and did its best to water down the central definition of consent in the GDPR so that it meant in essence, “you agreed because it seemed like you did, so you should have known better”. Which is pretty much how data protection consent has been understood in the UK since the 1990s.
Mr Hancock continues to argue for the weakening of data protection. Not only is he refusing to extend the ability of organisations to challenge breaches when a specific data subject could not be found or persuaded to make a legal challenge, but he is supporting exemptions for government to ignore data protection rules regarding immigration. The government is granting itself all kinds of exemptions, many of which we believe will prove unlawful.
The government is continuing to listen to business, which is worried that the “flexible” and “pragmatic” voice of the UK will be missed in Europe after Brexit. The UK is arguing for a place on the European Data Protection Board, so that the UK can argue for “flexibility” and avoid “rigid” interpretations of the GDPR. This may be unlikely to happen.
But the main reason the UK really wants to continue participating in the EU data protection regime is that it would be harder to argue that UK mass surveillance is not compliant with EU data protection laws, as they would continue to apply, more or less directly.
When it comes to internet privacy, the problem is not so much a wild west, but a succession of two cent town Mayors that have spent their time inviting dubious characters to seedy bars to decide how best to remove laws, render them meaningless or unenforceable, and above all, to make sure privacy laws never really apply to the nameless bureaucrats in the mail office opening all the letters.