Online businesses must better explain their 'need' for personal data, say MPs

Out-Law News | 01 Dec 2014 | 1:09 pm

Online service providers should be more open with users about their need to gather and store personal data, a group of UK MPs has said.

The Science and Technology Committee said that many service providers currently require service users to provide personal information without properly explaining why they need that information.

The Committee called on the government to provide guidelines to help organisations collect only the personal data they need.

"There is a qualitative difference between requesting personal information when registering for a service and requiring that same information," the Committee's new report on the responsible use of data (44-page / 483KB PDF) said. "Companies should have a greater responsibility to explain their need to require (and retain) personal information than when they simply request it."

"We welcome the work of the Information Economy Council and recommend that the government use that work to provide companies with guidelines to aid organisations in deciding what information they should require and how that, and the subsequent use of the data, might be managed responsibly. We expect the government, in its response to this inquiry, to outline a draft timetable for when businesses might expect to receive government endorsed guidelines in this area," it said.

The Information Economy Council, a body made up of representatives from government, business and academia that seeks to develop thinking on information and technology issues, is already working on "creating a set of data principles to address how we can reassure consumers in this new digital age without losing the opportunity to get the most out of technological innovations", according to the Committee's report.

The Committee also identified the length and complexity of consumer contracts as a barrier to online service providers obtaining users' informed consent to the collection of their personal data. It questioned whether users of online services "understand the access rights of third parties to their personal data" as a result of the long and jargon-filled contracts that the service providers are reliant upon.

"The opaque, literary style of such contracts renders them unsuitable for conveying an organisation’s intent for processing personal data to users," the Committee said in its report. "These documents are drafted for use in American court rooms, and no reasonable person can be expected to understand a document designed for such a niche use."

The Committee said the government should "detail how the public at large will be involved in arriving at more robust mechanisms for achieving truly informed consent from users of online services". It said that "the destination of data should be explained separately" if consumer contracts "cannot be made easier to understand", and said the government could help to drive new information standards for businesses to adopt so as to explain personal data use intentions simply.

"We recommend that the government drives the development of a set of information standards that companies can sign up to, committing themselves to explain to customers their plans to use personal data, in clear, concise and simple terms," the Committee said. "In its response, the government should outline who will be responsible for this policy and how it plans to assess the clarity with which companies communicate to customers."

The Committee said it is incumbent on the government to "lead by example" by conforming to higher information standards itself.

"The government cannot expect to dictate to others, when its own services, like care.data, have been found to be less than adequate," the Committee said. "We request that the government outline how it plans to audit its own services and what actions it plans to take on services that do not meet a satisfactory level of communication with users about the use of their personal data."

In September, the Article 29 Working Party, a committee made up of representatives from data protection authorities across the EU, said that new mechanisms for obtaining consent are needed to address consumers' data protection rights in the ‘internet of things’ (IoT) era. It said traditional consent mechanisms might be unsuitable for the IoT age because they could produce "'low-quality' consent" that does not conform to legal standards required under EU privacy rules.

Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said at the time that "it is now clear that businesses need to have an ongoing dialogue with consumers about how they plan to use their data to account for the fact that technological change is delivering new ways for that data to be used that were previously unforeseen".

"The challenge for businesses is finding a technological mechanism that enables them to explain data use plans to consumers and simultaneously allows consumers to manage their preferences and which is not a cumbersome tool," Wynn said.