JCHR Report: The Right to Privacy (Article 8) and the Digital Revolution

by Tim Cochrane | Dec 18, 2019

About Tim Cochrane

Tim Cochrane is an international disputes lawyer with experience in London, New York, and New Zealand. He is currently researching an MPhil in Law at Balliol College, University of Oxford focussing on privacy and white collar crime issues.

Citations


Tim Cochrane, “JCHR Report: The Right to Privacy (Article 8) and the Digital Revolution”, (OxHRH Blog, 18 December, 2019), <https://ohrh.law.ox.ac.uk/jchr-report-the-right-to-privacy-article-8-and-the-digital-revolution/>, [Date of access].

On 3 November 2019, the Joint Committee on Human Rights (JCHR) published a report on The Right to Privacy (Article 8) and the Digital Revolution. The report highlights ways in which privacy rights risk being undermined by technology companies online, and proposes recommendations for reform. While some of the report’s findings are underdeveloped, on the whole it should be welcomed.

Summary

The JCHR report focuses on the impact of activities of private technology companies on privacy rights online. It builds on two earlier reports from 2019: the House of Lords report, Regulating in a digital world, and the UK Government’s Online Harms White Paper. By focusing on private technology companies, the JCHR aimed to “add a new perspective”.

To produce this report, the JCHR conducted a year-long inquiry, receiving written and oral evidence from NGOs, lawyers, industry representatives, the Information Commissioner’s Office (ICO), as well as the perspectives of “ordinary members of the public”. The report was published last month, just three days before Parliament was dissolved for the 2019 UK General Election. It has therefore received little public discussion. This is unfortunate, as many of its comments are valuable and suitable for further consideration.

Key findings and recommendations

The report should be read in full, given its wide-ranging findings and recommendations. Highlights include the following:

– The JCHR is highly critical of the main ‘consent’ method used by technology companies to collect personal data online. It refers to this as “broken”, as individuals typically will not know what they are consenting to and are left with no real choice. The JCHR also expresses concern regarding the alternative ‘legitimate interests’ method and concludes that robust and clear standards are required to better protect individuals’ rights in this area.

– The report notes that technology companies not only collect huge amounts of personal data, but also increasingly use this data to make inferences about individuals, thus creating new data about them. The JCHR considers that this inferential data would not be automatically obtainable by individuals under the GDPR and Data Protection Act 2018 (DPA), and it recommends reform to confirm that individuals have a right to this data. This issue—whether individuals have a right to inferential data—is a complex developing area, and worthy of further consideration. Ultimately, as others have noted, a new ‘right to reasonable inferences’ may be warranted.

– The JCHR was “shocked to hear that major companies have used the ability to target advertising in order to discriminate against certain groups of people”. It acknowledges this raises “challenging questions”. To deal with this, the JCHR supports further development of privacy class actions, recommending “mechanisms allowing for better collective redress” so civil society organisations and charities can “pursue cases on behalf of … affected individuals.” Again, this area is developing and rich for further analysis, given the recent Court of Appeal judgment permitting an opt-out privacy class action, Lloyd v Google.

Other aspects

While the report overall is a useful contribution to discussion on protecting privacy rights online, certain aspects should be treated with caution. In particular:

– It is regrettable that the report, both in its body and press release, uses the inaccurate metaphor of the online world as an unregulated “Wild West”. In fact, there are a range of laws regulating privacy online. The report also glosses over successes, such as the ICO’s recent proposed fines for data breaches by British Airways and Marriott, only one of which is referenced briefly.

– The most concerning recommendation is for the Government to consider “creating a single online registry that would allow people to see, in real time, all the companies that hold personal data on them, and what data they hold”. There are significant privacy concerns with such a centralised, government-run database. There are also practical reasons to doubt its workability, as have been noted elsewhere.

– Protecting online privacy necessarily has extraterritorial elements, and requires regulating technology companies headquartered overseas. International cooperation is therefore key. Parts of the report would benefit from greater acknowledgement of this. The JCHR’s report can be contrasted here with the UK government’s Online Harms White Paper, which referred to “the global nature of both the digital economy and many of the companies in scope” and emphasised as “vital that the regulator takes an international approach”.

Conclusion

The JCHR’s report is a valuable starting point for discussions about how best to regulate technology companies and personal data. While some aspects should be treated with caution, both the UK and foreign governments should take note of, and build on, this report to strengthen online privacy laws in future policy developments.
