“The GDPR should offer a substantial level of protection for people's personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and DPA in relation to how internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator”.
The internet is built on what are seemingly free services. However, the business models of companies providing these services monetise personal data by selling it to third-party advertisers. These companies provide a service to their customers but are simultaneously ‘data brokers’ for other companies. The Joint Committee on Human Rights has highlighted that this model does not uphold an individual’s Article 8 right to privacy, nor does it adhere to the spirit and intention of the GDPR for two main reasons:
“Our view, based on the evidence we heard, is that the consent model is broken. It puts too much onus on the individual to educate themselves on how the technology companies work rather than setting a high standard of protection by default.”
In order to process personal data, companies need to disclose a legal basis for processing it. Most companies use ‘consent’ as that legal basis. The problem is that individuals are highly unlikely to read or understand the terms and conditions to which they technically consent.
Individuals generally have to navigate through ‘clickwraps’ or ‘browsewraps’ to access a service. If they do not accept the terms, and agree to the legal jargon, they cannot use the service. As a result, children and vulnerable adults in particular are likely to find it difficult to give meaningful consent. This is further illustrated by a research project conducted by Doteveryone, which highlighted that 47% of people felt they had no choice but to sign up to terms and conditions, even if they had concerns about them.
According to the Doteveryone research, 62% of people are unaware that social media companies make money by selling data to third parties, and 45% are unaware that information they enter on websites and social media can help target advertisements.
This design is purposeful, however. Companies want to collect as much data as they can about an individual, and if they collected zero data by default, their business model would likely fall apart. It is, however, possible to empower individual rights without damaging companies’ business models.
Companies do not have to obtain consent to process personal data; they can instead rely on the processing ground of legitimate interests.
There is not sufficient clarity on how an organisation determines what is in its legitimate interest and how it overrides the individual’s rights. This leads to companies using legitimate interests for very vague reasons such as ‘to provide the individual a more personalised service’. Essentially, this acts as a loophole in the GDPR which allows companies to process data and sell data behind an individual’s back.
Personal data is currently stored with companies, and as a result, companies are data controllers for this personal data about their customers. Self-Sovereign Identity (SSI) changes this. SSI puts data into the hands of individuals who can explicitly consent to where and when it is used via an affirmative and clear action.
Companies will still be able to monetise data and will have more up-to-date data from individuals. However, the customer gains far greater transparency over where the data is used and what it is used for.