Data Protection Day: What should be done about web firms' exploitation of personal data?

To mark Data Protection Day, Computing asked the experts if and how web firms' data use should be reined in

Data Protection Day is an annual event organised by human rights organisation Council of Europe that takes place every 28th January.

Launched eight years ago - and known as ‘Privacy Day' outside Europe - it aims to raise awareness surrounding data protection, an issue that has become increasingly prominent in light of cyber security breaches and NSA surveillance revelations.

But it is not just loose-cannon government agencies and cyber criminals who are threatening data privacy, but businesses as well.

"The problem is the tension between the legal models we have that say we need our data to be protected and here's the way to do it, and the business models which are based on the processing of data and the greater the amount of data processed, the better those models are in economic terms," Sophie Kwasny, head of Council of Europe's data protection unit, told Computing.

That tension, she argued, has created friction between major US tech organisations and European governments, which have different approaches to how businesses should handle users' data.

"The internet has created this huge shift; there's a tension between American firms - because most of the internet players are US firms - with a different vision of how this is to be done, so balancing both isn't easy," said Kwasny.

Google notoriously ignored European laws when it combined privacy policies for all of its services into one, a move that angered data protection authorities (DPA), with many issuing fines after a continent-wide investigation.

But the fines could only be levied at a national level and none put much of a dent in Google's earnings while the firm continued with its altered privacy policy regardless.

"You had the Spanish DPA fining Google €900,000, the French fined Google €150,000 – it's ridiculous," said Kwasny.

"Clearly, being able to give a fine of such a limited amount is irrelevant, it's a symbolic action."

[Please turn to page 2]

Data Protection Day: What should be done about web firms' exploitation of personal data?

To mark Data Protection Day, Computing asked the experts if and how web firms' data use should be reined in

Britain's own DPA, the Information Commissioner's Office (ICO), says web firms like Google have an obligation to let users know how their personal information is used.

"I'm not sure I'd use the word exploit, but I do think all organisations that collect and use people's personal information have responsibilities," Deputy Commissioner David Smith told Computing, indicating that making users aware of how their data is being used is key.

"Multinationals - Google and Facebook are prime examples - have a particular responsibility in leading the way in good information practices.

"Making sure people who use those services are aware of how their information is used, that they have proper choices and there are no nasty surprises," Smith continued, adding that they should "provide more guidance on how that information is being used, more choices for individuals, more tools so that people can easily find out what's being kept about them."

James Mullock, partner and head of the Osborne Clarke Data Law and Privacy Team, agreed that firms need to be transparent about how they collect data.

"Companies need to be clear about what they're doing and whether they're happy with the knowledge consent processes that they've got in place to do that," he said.

"That's what the law is looking for, visibility of what's happening and to be able to consent to that."

Mullock argued "most consumers are willing to exchange their data for value", especially when it comes to e-commerce, but the firms still need to "make sure they're jumping through the right hoops", so as not to fall foul of privacy laws.

However, when asked if web firms should be more open with users as to how they use data, Mullock said it was "a strategic decision", in which companies need to weigh up the benefits of harnessing personal information against the potential publicity pitfall it could stumble into if it is deemed to be taking too many liberties.

"As public awareness of privacy is growing, what are the PR implications of pushing the boundaries of knowledge consent? There may be brand issues, devalue issues in behaving like that and there are companies more willing therefore to take a cautious approach," he said.

"It's a strategic decision for businesses and one that some businesses take a very different approach to than others," Mullock concluded.

Computing contacted Google for comment but received no response at the time of writing.