The success of the GDPR has been praised, but it is in conflict with the amount of data we create and how we do not consider consent.
Speaking during the Westminster Events Conference on data protection, Dr Subhajit Basu, associate professor of information technology (cyber law) at the University of Leeds and chair of the British and Irish Law Education and Technology Association (BILETA), said while technology drives our lives, the amount of data we create “is growing exponentially.”
He claimed that the number of data protection and privacy laws that have been enacted around the world “is a testament to the importance of data protection globally, or a desire by many countries to qualify trade with the European Union to meet its adequacy requirements.” So after Brexit, the opportunity is there for the UK to become a leading role model for a society empowered by data decisions, but to fulfil this ambition “the UK will have to build a robust legal framework in terms of data protection and cybersecurity.”
The Telecommunications Security bill received its latest reading in the House of Commons this week, and Basu called this “a step in the right direction” as it will propose fines on telcos if they fail to tighten security”, but post Brexit, the UK will need to improve its governance structure for handling data.
“In order to meet this potential, we must find a way to balance the flow of user data, whilst at the same ensuring privacy, security, safety and ethical standards,” he said.
Basu called this a “fundamental” step, as he advocated for a continuation of a strong, user centric data protection law. However, he said that “data governance is just plain complicated” as data protection is often seen as separate from the right to privacy, and the focus is on due process and there are moves to find the best solution.
He went on to say that he has “a lot of faith in the GDPR” as this is the right step towards user empowerment for transparency and control to users when it comes to data sharing. “Data subjects are given more choices on how their information is collected, processed and used,” he said. “But hounding users with more rights means you have a role in protecting their data, but most users continue to hand their over data impatiently, causing this paradox where our concerns are not reflected in our behavior.”
Basu also said he has concerns about “consent in data protection law” as he sees that consent gives an “illusion of control, rather than any meaningful control from a data subject’s point of view.” This is because the process of obtaining consent has become more complicated, and will become more complicated as we move towards using more IoT and AI.
This is also paired with data protection fatigue, as users are asked to read privacy documentations and policy before giving consent and this makes the process tedious. “The sheer number of documents that you need to navigate through is beyond any human capacity,” he said.
He concluded by calling a “lacklustre attitude” to GDPR as being alarming, and pointed at the ICO’s supervisory and adjunct role “without proper demarcation as difficult to accept.”