Micro-targeting of individuals and mass targeting of companies
One of my highlights in the last couple of months was attending the House of Commons Science and Technology Committee’s session at the Palace of Westminster with Elizabeth Denham, Information Commissioner, on the use of algorithms in public and business decision making (p.21). With a few MPs around a U-shaped table and at most ten interested observers, it was quite an informal occasion, with each MP putting their questions to her.
There was even an opportunity for general laughter when one MP asked her about the use of “filter bubbles” and then admitted he did not know what he meant! She came to his rescue explaining “These people … could be like you. That is part of behavioural advertising or micro-targeting.”
She described the ICO’s investigation into micro-targeting in the EU referendum and the general election as “probably the most complicated investigation that the ICO has undertaken. We are looking at the relationship between political campaigns, data analytics companies, social media platforms and others that are collecting and sharing personal data to micro-target individual voters or individuals.” This investigation has been led by Michael McEvoy, Deputy Information and Privacy Commissioner, British Columbia, Canada, who was seconded to the ICO for six months for this role. On 5th March, he was appointed as Commissioner there and takes up his new post on 1st April.
Denham’s hour-long engagement with the MPs showed not only her firm grasp of the policy details but also a close rapport with the MPs of all parties. Towards the end of the session, Vicky Ford MP declared warmly “I could listen to you all day – I think we are really lucky to have you in the UK.”
Mass targeting of companies for compensation claims
From 25 May the Data Protection Authorities in the European Economic Area will gain the opportunity to impose huge fines, and that has attracted headlines even in the general business media. But for many companies that is not their main fear. Many companies fear compensation claims more than high DPA fines.
Collective (class) action will be made possible under the GDPR, for example, via consumer agencies and trade unions (pp.11-14). But will individuals have to opt-in to join a collective action of this type? In the last few days, the UK’s Data Protection Bill has been amended so that a review will be carried out after two and a half years on whether to allow not-for-profit bodies to represent individuals in collective actions when an individual has not given consent to being represented (p.5).
As subject access requests are used as a precursor to and a weapon in litigation, it is possible that claims management companies will start pursuing cases on a no-win-no-fee basis. For some companies, the risk of collective action is worse in terms of reputation, and potentially cost, than the expected realistic level of fines from the ICO.
Future PL&B events
Coming up on 28th March we have the third in the current series GDPR Help! Roundtable: On the Starting Blocks.
In the next few days we will write to you to:
• launch a GDPR National Implementation conference in London on 30th April, to be hosted by Latham & Watkins, with Data Protection Authority speakers from Germany, Poland and Spain and lawyers from France and Germany.
• announce the day by day programme for Navigating GDPR: The art of the possible, PL&B’s 31st Annual International Conference, 2-4 July at St. John’s College, Cambridge.
We look forward to meeting you at these events.
Stewart Dresner, Publisher
UK Report 96
ICO launches first technology strategy and action plan
The regulator is to start a sandbox experiment and recruit more technology specialists, including post-doctoral experts.
Contents also include:
- Comment: DP Bill: Look out for changes
- Tensions between access to AI logic and commercial rights
- GDPR implementation – the barristers’ view
- Beware of GDPR no-win no-fee compensation claims
- Compensation claims under the GDPR: The brewing storm
- Interaction between the GDPR and the NIS Directive
- The GDPR, market disrupters and innovators: Friends or foes?
- Aviva sees GDPR as leading to a new privacy culture
- Risk management is key to successful GDPR compliance
- Management strategies for data security and Privacy by Design
- Industry supports PM’s Brexit data privacy stance
- DP Bill amended on data processing for safeguarding
- ICO issues guidance on DP Bill
- Data protection fees will be up to £2,900
- Denham: Get consent for electronic marketing
- Government issues digital charter, looks for ethics leader
- Jersey adopts new data protection law