The UK’s Information Commissioner, Elizabeth Denham, has been in post just under four months, but already the differences between her approach and those of her two most recent predecessors (Richard Thomas and Christopher Graham) are starting to become clear. This may be due partly to the fact that she comes to the role with six years’ experience as the Information and Privacy Commissioner for British Columbia, whereas Thomas and Graham came, respectively, from legal practice and the BBC.
Recently, Denham posted an update on the first eight weeks of her team’s investigation into personal data sharing between WhatsApp and Facebook. The bottom line is this: she thinks consumers and their data are not being properly protected, and she offers the prospect of enforcement action if Facebook uses consumers’ data without consent. Here’s how she thinks Facebook is falling short of the legal requirements:
- Subscribers are not properly protected, or properly informed about uses of data about them;
- Facebook does not have valid consent for sharing personal data;
- Users are not given sufficient control over data about them.
The Commissioner also highlights risk in a number of other areas:
- “Free” services are not a licence for the service provider to do as they please with users’ data;
- Vague terms of service don’t adequately protect the intimacy revealed by our online data;
- Company mergers, and aggregation of the resulting data, create privacy risks that go beyond simple data protection.
The tone of the Commissioner’s post is firm but understated. It focuses on basic steps: inform users, get meaningful consent, give users proper control, and be transparent about terms and conditions. The Commissioner’s concerns echo those expressed by the wider group of European information commissioners, the Article 29 Working Group. The head of that group, Isabelle Falque-Pierrotin, has expressed its concern that, following WhatsApp’s acquisition by Facebook, personal data is being used for purposes that were not included in the terms users signed up to.
Some may point out that, in strict legal terms, consent is just one of a number of valid grounds for the processing of personal data. My personal view is that there is no need for equivocation here. I don’t care (and neither should consumers) if consent isn’t the only basis for legal processing: if the end result is not what I signed up for, and it increases privacy risk, I should be made aware of that and given the option to say no.
The Commissioner has set out her position, simply and clearly. It will be interesting to see what the next eight weeks bring.