Personal data is at the core of every industry, from healthcare and education, to banking and social media. Is it therefore, concerning that the primary law that surrounds personal data and its protection in the UK was last updated in 1998? The Data Protection Act of 1998 was adopted from a directive submitted by the European Parliament and the European Council. This directive (95/46/EC) sought to protect “individuals with regard to the processing of personal data and on the free movement of such data” (EUROPA: EUR-Lex, 2017:1). Established as a EU directive in 1995, and then brought into UK law three years later it is unsurprising that this law struggles to keep up with technological advances. How can a law established to cover basic data transfer and processing in 1998 when only “147 million people” used the Internet be expected to protect the data of the now “3,885 million” Internet users (Internet World Statistics, 4th Dec 2017)?
One of the basic fundamentals of running a business is maintaining and increasing the audience/consumers that visit and use the services of said business. But in the era of the Internet, a businesses’ consumer is most likely accessing their business online through a website or an online advert. These Internet users are captive audiences for businesses. While most businesses seek to collect data and information to either better understand their consumers’ needs or to market their products specifically towards each consumer, some practices conducted by businesses are necessarily darker and surprisingly not included in UK law.
With “3,607,080” searches conducted on Google every minute (MicroFocus.com, 2017), Twitter now boasting “330 million monthly active users”, and sees an average of “500 million tweets per day”, which is up from “35 million tweets per day” in 2010 (Statista.org, 2017; InternetLiveStats.org, 2016). Mobile data has increased exponentially, at the beginning of 2014 mobile phones (which includes tablets and any other non-desktop device) “uploaded and downloaded around 2 exabytes (1 exabyte is equal to 1 billion gigabytes) of data”, this figure has quadrupled in three years to “8 exabytes” (MicroFocus.com, 2017).
Facebook founded in 2004, six years after the current data protection laws were ratified into UK law. Facebook now boasts “2.07 billion monthly active users”, and was the first social network to surpass “1 billion users in 2012” (Statista.org, 2017). Facebook’s conception sparked an explosion of social media networks and later mobile apps. YouTube is another example of an explosion of data and users alike. YouTube users now view over 4 million videos every minute, compared with an original “8 million videos” that were viewed per day in the year it was founded, 2005 (MicroFocus.com, 2017; Statista.org, 2017).
With the creation of the Internet of Things (IoT), the levels of data created by these devices reach “2.5 quintillion bytes of data” every single day, with devices both in our homes and on our person, wearable devices have become one of the fastest growing data devices at “28.3 million” units sold in 2016 alone (MicroFocus.com, 2017). The threat of potential data misuse and loss has increased with its growing usage. It is commonplace for an individual to conduct almost all of their personal and work-based business online using some form of technology. As both the number of Internet users and the amount of data created increases the levels of protection for the users of devices that are Internet accessible and those that possess data upload features. However, the development of the Internet has far exceeded the reaches of the UK’s data protection laws. This statement is no clearer than when discussing online-tracking. As these data points for individuals continue to expand, who is responsible for its protection?
With companies like Google and Facebook now regularly seen in congressional hearings concerning our all important data, many questions have arisen in recent years, primarily what these companies do with the data that they collect, why they use it in such a manner, and what data they truly have on any individual? What these questions mean for anyone in particular is truly still unclear, with the new ability to request what data a company holds on you should we all be more concerned about what information that we are putting out into the world? Simple technological changes have advanced our everyday lives, such as fingerprint locks on iPhones, FaceID, device based purchasing abilities, but without proper data protection laws to ensure our online safety, are these changes more terrifying than they are astounding? These questions are not easy to answer, but the next steps seem to require consumer led requests for better online data protections. As seen with many data scandals such as Alphabet Inc.’s Google+ breach of user data in 2018, or the rise of Cambridge Analytica during the early 2010’s and its eventual exposure in 2018, the role that data plays in personal lives is very least of its reach. Data affects everything from personal banking to political participation, so where does this rise in both data and breaches leave us?
With the creation of data increasing year on year, it is impossible for the current legal framework that protects the data of industries, businesses, states and their populations. With the update of the Data Protection Act 1998, expected in May 2018; with the adoption of the new European Parliament directive can we hope to be better protected while using the internet?
In the spring of 2016, the answer could have been a tentative yes. However, since the UK’s referendum to leave the European Union rendered a leave result, the adoption of the European Union’s (EU) directive into UK law may be null and void. With the directive only able to cover data protection when “processing…transferring…or recording” the data owned by a citizen or business of an EU member state, UK citizens will be vulnerable when interacting with any business that operates outside of the EU (Ian J. Lloyd, 1998:15). What these political changes mean for our data security are unclear, but what is clear, is that the scope of the UK government will now need to be a lot more wide-ranging.
Image Credit: Canva Images
Council of Europe (2017), The Directive of data protection, written in 1995, ratified into law 1998 Available at:
http://ec.europa.eu/justice/data-protection/reform/index_en.htm (Accessed: 12th December 2017)
EUROPA – European Commission (2017) New Data Protection Laws Available at: ec.europa.eu/justice/data-protection/ (Accessed: 2nd Dec 2017)
Facebook.com (2017) Legal Directives to Social Media Available at: https://www.facebook.com/safety/groups/law/guidelines/ (Accessed: 8th Dec 2017)
Internet World Statistics (2017) Statistics of data on the Internet Available at: internetworldstatistics.org (Accessed: 7th Dec 2017)
Lloyd, J. I. (1998) Guide to the Data Protection Act
Law Society (2017) Data practice in social media Available at: https://www.lawsociety.org.uk/support-services/advice/practice-notes/social-media/ (Accessed: 10th December 2017)
Simitis, S. (1994) From the market to the polls: the EU directive on the protection of personal data
Statista.org (2017), Statistics on online user data, social media development and personal data creation. Available at: https://www.statista.com/statistics/273018/number-of-internet-users-worldwide/ (Accessed: 10th December 2017)