The consumer advice group Which? is calling for the Data Protection Bill, which is being debated in Parliament, to be amended so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress.
New research from Which? has found that almost one in ten people who have shared their details online believe they have been subject to a data breach in the past year, with three quarters concerned that the information they have shared could be at risk of a leak. The research also found general confusion around data protection rules, including who is responsible for protecting consumers’ data and how consumers can seek redress if things do go wrong.
As many as one in five people said that they don’t know how to claim redress following a data breach, with a fifth saying they don’t know who is responsible for helping them when data is lost. People have the right to redress when there is a data breach. But, if the company at fault has acted negligently and doesn’t offer adequate support or redress, the only option available to consumers is a lengthy and potentially expensive route via the courts.
Which? Managing Director of Home Products and Services Alex Neill, said: ‘Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised. The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.’
Comments
David Emm, principal security researcher at the IT security product firm Kaspersky Lab, said: “Customers have no control over the security of their online providers, so the right to collective redress after a data breach is a positive step in the right direction. However, it is also important that the general public recognises the value of personal information. New data protection laws are designed to make organisations more careful, but regardless of this, it is important that, at an individual level, we know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online needs to become second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using Internet security software across all devices can significantly help protect data.”
And Tony Pepper, CEO and co-founder, Egress, said: “Given the number of data breaches we’re now seeing – and by extension, consumers impacted – it’s not a surprise to see consumer groups like Which? calling for more action and greater scope for compensation for the victims. There is, however, change on the way and when the General Data Protection Regulation (GDPR) comes into force next May, consumers will have the right to compensation if they’ve ‘suffered material or non-material damage as a result of an infringement of [the GDPR].
“Of course, without practical cases related to the GDPR, it’s difficult to know what that means in reality – what data subjects can claim compensation for and how much, for example, but the 2015 Vidal-Hall v Google case made damages for distress alone sufficient grounds for compensation. So, while the finer details will reveal themselves once we start seeing action taken, GDPR is going to impact the rights of consumers. Which?’s demands seem to be towards the right for them, and similar consumer rights groups, to represent victims collectively. If it helps to address the bad behaviour of organisations when handling data then groups acting in the interests of consumers can only be a good thing. For the organisations on the other end of it though, there’s going to be more pressure than ever before to get a grip on the data they hold, or if could prove an incredibly expensive mistake.”
