UK regulators warn industries on customer data access

While regulators in the U.K. drew a line in the sand last week for financial services companies, mobile operators and energy companies--warning them to comply voluntarily with rules governing customer access to data or be compelled to do so--lawyers from Pinsent Masons this week held the U.K.'s business-friendly approach to big data and anonymizing data as a model for the rest of the European Union.

According to the Department for Business, Innovation and Skills, other industry sectors could be subject to the same legislation if it decides regulation is necessary. Its goal is to ensure that "midata standards" are met, which give consumers access to the transaction or consumption data being gathered, maintained in a digital format.

If regulation is necessary, the U.K.'s data protection watchdog, the Information Commissioner's Office, would act as enforcer of the rules.

The BIS said earlier this year that "where businesses choose to collect information about individual consumer's transaction history, which can be linked to that consumer, that individual should be able to access their own transaction data in a portable electronic format."

It added that, among other benefits to competition, this access builds trust among consumers. The BIS has given these industries until the fall of 2013 to accelerate the progress of their voluntary efforts before it enacts legislation.

Luke Scanlon, technology lawyer with Pinsent Masons, the law firm behind Out-Law.com, said this week that this pragmatic, voluntary approach helps businesses reap greater rewards from big data, but that rules in the European Union overall threaten this approach. The EU says that personal data rendered anonymous falls outside the scope of data protection laws and that re-identification of the data must no longer be possible.

The ICO thinks guaranteeing against this possibility is too cumbersome and said last week in new guidance that a business which wants to anonymize data need only prove that it has assessed the risk of re-identification, and having done so, can reasonably conclude that there is only a remote risk of re-identification, Scanlon reported. This approach follows U.K. case law.

Scanlon said that privacy protection is an essential concern that must be respected. "Privacy, respect for personal and family life and a person's reputation are all interests protected by EU human rights law. But privacy is not a right that can be guaranteed, just as all other rights cannot be guaranteed," he said.

He worries that making companies do the impossible and guarantee privacy beyond a reasonable effort may curtail a company's ability to leverage the big data opportunity.

For more:
- see the Out-Law.com opinion
