Policy actions sorted A-Z.
Digital signatures are recognised with legal equivalence to “wet signatures” so that people can transact digitally.
Estonia: eSignatures for registering a company online, e-banks, online voting system and electronic tax filing.
United States: 2001 ESIGN Act states a contract or signature “may not be denied legal effect, validity, or enforceability solely because it is in electronic form”.
European Union: Article 5 of the Electronic Signatures Directive mandates that European states must regard electronic signatures with the same authority as wet signatures.
Elsewhere: Many other G20 countries implement legislation that gives legal recognition to digital signatures for most purposes. Some countries enforce restrictions: Argentina prohibits use for certain legal documents and public deeds; Canada prohibits use for wills and marriage controls; China, in practice, prohibits use in corporate documents that require public notarisation.
Recognised organisations are able to raise fast-tracked complaints to digital regulators, so consumer organisations can act quickly on behalf of consumers in important cases.
United Kingdom: Organisations, including Which?, have power under the Enterprise Act 2002 to take action on behalf of consumers, including the ability to make a “super complaint” to the Office of Fair Trading.
Recognised organisations can represent groups of consumers and take action against companies that sell defective goods or services. This enables legal action by people who may not be able to do so on their own, and increases the weight of an action.
European Union: General Data Protection Regulation introduces this in Article 80.
United Kingdom: The Consumer Rights Act 2015 allows for “collective proceedings” on an “opt-out” basis.
Canada: The Consumers’ Association of Canada has led class action lawsuits.
It is difficult for consumers to know when a class action lawsuit has been launched against a manufacturer if it isn’t widely publicised.
The opt-in and opt-out nature of these actions means some customers may miss participation or may participate when they don’t wish to.
Organisations should set standards, or regulators should enforce standards, on the communication of terms and conditions to users. This would improve users’ understanding of the contract they enter into with a digital service.
Terms of Service; Didn’t Read gives an overview of the main points of various digital services terms and conditions, assigning a rating on their fairness to their users.
IF’s Data licences explores how a consistent design pattern can improve people’s understanding of how their data will be used.
Suitably capable regulators are able to inspect, audit and test the code/algorithms of high impact products and services to ensure fairness and safety.
United States: A new regulation, currently in review, would allow the Commodity Futures Trading Commission to inspect the source code of automated trading algorithms.
United Kingdom: The Gambling Commission enforces a standard (PDF) for remote gambling software. Gambling service operators are subject to auditing against this standard.
Regulators may not have the internal skills and understanding to effectively audit code.
Ethics, context and humanity aren’t written into the code.
Code could be written so that a product passes an audit but behaves differently under normal conditions.
Organisations may perceive code inspections as breaches of their intellectual property rights.
A data protection organisation, which understands current risks and capabilities, exists to protect people’s information rights.
Jurisdiction between different government departments could be unclear.
Loose definitions of personal data could allow data controllers to take advantage of gaps of coverage.
Insufficient technical ability or understanding in the organisation.
Enforce conditions to building planning permissions that require builders to integrate broadband-capable wiring into buildings.
Laws should allow consumers to understand, review and prevent automated decisions made about them, in order to improve the accountability of these processes.
European Union: The General Data Protection Regulation introduces safeguards such as the right to not be subject to an automated decision and the right to have a human intervene in a decision.
United States: The Equal Credit Opportunity Act allows credit applicants to know why their application was rejected.
People have the right to port their data between service providers so that they have a genuine choice of providers. This is distinct from “enable people to access data held about them in an agreed format”: the particular data about a consumer need not be directly accessible to them, but a transfer between services can still be made.
European Union: Article 20 of the General Data Protection Regulation gives people the right to obtain and reuse their data across different services.
United Kingdom: QR codes on utility bills contain energy usage data for quick comparison between providers.
United Kingdom: Current account switch guarantee automates the process of changing banks by automatically transferring balances and direct debit instructions.
Switching mobile phone number: Communication regulators in many countries mandate that mobile phone numbers can be transferred between different networks.
Large, interlinked services operating effectively as monopolies could block transfer of data to services with a narrower focus.
Companies could use anti-patterns that make it difficult for people to transfer data between services.
People have the right to find and request access to data held about them by data controllers so that they can understand what is held about them, by whom and correct errors.
United Kingdom: Subject Access Requests give data subjects the right to access their data under the Data Protection Act. They are entitled to know if their personal data is being processed, to receive a description of the data, to receive a copy of the data and to know the details of the source of the data.
European Union: In Article 16 of the General Data Protection Regulation, data subjects are entitled to have their data altered if it’s inaccurate or incomplete. Data controllers must respond within one month, or within two months if the request is complex.
Elsewhere: Most other G20 countries have legislation that allows data subjects to request their personal data and request corrections. Of particular interest, in the United States, the Children’s Online Privacy Protection Act allows parents to view personal data collected by a website about a child and correct or delete it. In the Quebec region of Canada, data controllers cannot charge a request fee.
Data controllers could make it difficult for people to request their data.
Companies may not keep track of who data is shared with and cannot update historic information.
People can access a history of who has viewed data held about them, so they can understand what is happening to their data and spot fraud and misuse.
United States: Under the Health Insurance Portability and Accountability Act, “patients can request an account of the manner their private health information has been used”.
Credit report services show when lenders have accessed an individual’s credit report.
Competition authorities can act to address the issues created by digital monopolies. This prevents services from having a stranglehold on a certain sector, for example Uber in public transportation, and gives emerging services the ability to compete in the market.
European Union: A report from the European Parliament suggests competition law measures to weaken digital monopolies, namely ensuring data portability so consumers can easily switch between services. It also proposes a review on guidelines for horizontal mergers, where a larger company may be prevented from taking over a smaller company in the same field.
China: Commentators suggest that the definition of “assets” needs to be broadened to include data and web traffic to help regulators address digital monopolies.
Establish the legal concept of “digital personhood” so that rights afforded to people in the physical world are made applicable on digital platforms.
The right to privacy is a legal tradition found in many national and international laws. Establishing the concept of digital personhood would compel digital services to follow this convention for maintaining privacy in people’s online activities.
Duty of care is a common legal doctrine that requires reasonable care to be taken in activities that can cause harm. Application of this in digital services through digital personhood would ensure service providers took necessary measures by default to enforce this duty.
“Digital personhood” is not recognised universally, but we increasingly see hints of this as an approach: the OECD/G20 report “Key issues in Digitalisation” (PDF) raises the idea of a “digital impact assessment”, a concept that could be developed further to take into account the individual and collective impacts of digital.
Although treating consumers fairly should be an integral part of the good governance and corporate culture of all service providers, the digital aspects of this may not be taken seriously at a corporate level.
Create or update legislation around the fair use of copyrighted material. This should extend the personal use rights of consumers to apply to digital content. A lot of current copyright law around content is based on physical media; someone who purchases a DVD can lend it to another person. This concept of ownership is less clear with digital content.
Integration of Creative Commons licences into services like Flickr gives consumers easy control over the terms on which the content they produce is shared, unlike services like Facebook and Instagram where terms and conditions set absolute rules on rights.
People are able to permanently opt-out of communications.
United Kingdom: Telephone Preference Service, a central register for opting out of marketing calls. A similar service exists in the US.
United States: The CAN-SPAM Act of 2003 requires promotional emails to contain unsubscribe links as well as the mailing address of the sender.
European Union: The Directive on Privacy and Electronic Communications requires consent from the data subject before unsolicited communications are sent.
Australia: The Spam Act 2003 requires data subjects to opt-in to unsolicited communications. These unsolicited communications need to include a clear statement of the identity of the sender and clear opt-out instructions.
People are able to opt-out permanently of tracking, both digitally and physically, to prevent their activity being monitored by invasive service providers, such as advertisers.
United States: There have been failed attempts at different levels of government to pass laws that regulate the online tracking of individuals.
South Korea: Websites that have more than 10,000 daily active users are not allowed to collect resident registration numbers.
Do Not Track is a feature of the standard used to serve websites in browsers. It allows users to consent to data being shared between websites for the purposes of serving adverts. Most major browsers implement this part of the standard, but there is no legal requirement to do so. The US Federal Trade Commission recommended its usage in December 2010.
Visitors to Hyde Park in London were tracked using mobile phone data. The park authority says the tracking would “inform policing of crowds at large events, tailor amenities to park usage and protect the ecology of the park”.
Commuters in London were tracked by TfL using MAC addresses from devices with Wi-Fi switched on.
Short-range transmitters like Apple iBeacon can be used to push notifications to consumers in physical stores.
People have a right to return, repair or replace faulty digital products.
Digital content could still work after a refund has been issued.
Content providers could use anti-patterns to prevent people from exercising this right.
Internet service providers are legally forbidden from prioritising data transfer by a certain digital service to ensure consumers have equal access to all services on any connection plan.
Brazil: The Civil Rights Framework for the Internet states that “all data packages must be treated equally, without distinction of content, origin and destination, service, terminal or application”.
India: Facebook Free Basics, a zero-rated service, was banned by the Telecom Regulatory Authority of India under the 2016 Prohibition of Discriminatory Tariffs for Data Services Regulations.
European Union: Net neutrality regulations prevent EU internet service providers from throttling access to certain websites, unless there is a technical reason for doing so.
Introduction of net neutrality legislation has met resistance from internet service providers.
Particularly in emerging markets, free access to resources like Wikipedia Zero can have educational benefits.
People have access to the internet as a basic right to enable them access to the wider consumer market.
United Nations: In 2016, a resolution was made that condemned the “intentional disruption of internet access by governments” and upheld that “the same rights people have offline must be protected online”.
France: In 2009, a court struck down a portion of the HADOPI law which gave authorities the ability to cut off internet access, without judicial review, to people illegally downloading copyrighted content after two warnings, effectively declaring internet access a right.
Brazil: Under the Civil Rights Framework for the Internet, “access to the Internet is deemed under the law as essential for the exercise of citizenship”.
Some may consider internet access as a luxury.
Difficult to distinguish between economic, consumer and civil/human rights.
Regulatory bodies must review, improve and test their rules and practices frequently, identifying and evaluating approaches in short cycles.
Legislative systems may not work fast enough to keep a fast review pace.
Secondary legislation may lack democratic oversight.
The national data regulator maintains a searchable database of data controllers so consumers can find their point of contact and easily retrieve their data policies.
United Kingdom: The Information Commissioner’s Office maintains a searchable register of data controllers. Entries for each controller contain their date of registration, the expiry of this registration, their postal address and what personal data is processed.
Argentina: A similar service to that found in the United Kingdom exists, showing the contact details of a data controller.
Existing legislation may not require the data protection regulator to make registration records public.
Online registers can be limited in use, because their interfaces are difficult to use or the data isn’t available in an open format.
The data covered in online registers may not be extensive enough.
Create a means for a consumer to easily resolve a consumer dispute without having to resort to court action. This ensures the consumer is treated fairly in online transactions and avoids the resource intensive process of going to court.
European Union: An online dispute resolution service has been created that allows citizens of European member states to create complaints against organisations.
India: Online Consumer Mediation Centre provides digital infrastructure for resolving consumer disputes through physical and online mediation.
Mexico: Profeco, a consumer organisation, provides an online dispute resolution service called Concilianet.
Elsewhere: Online commerce services like eBay and PayPal provide dispute resolution services to resolve issues around non-payment, non-receipt of product and false advertising.
Administration and arbitration overheads could produce a backlog of complaints.
Services could be built to meet the needs of the digital platform rather than the needs of consumers.
Legislation that allows private individuals to request that a data controller remove outdated or inaccurate information that might cause personal distress.
European Union: After a Spanish national took Google to the European Courts of Justice, the court ruled that people have the “right to be forgotten”.
South Korea: The Korea Communications Commission states that citizens are able to request that search engines and website administrators restrict individuals’ postings from being publicly accessible.
United States: A law in California requires websites to allow people under 18 to permanently erase their content. This “Eraser Button law” aims to prevent teenagers from being tied to content when they grow older.
Regulators should be able to compel manufacturers to follow standards for privacy and security when designing Internet of Things (IoT) devices, in a similar way that regulators mandate that electrical safety standards are followed. This is important for consumers, because IoT devices collect so much data about a person and their surroundings and privacy considerations are poor at present.
European Union: A working group of European data protection regulators has published an opinion (PDF) on the privacy risks of IoT and how the current data protection framework in the EU can be applied in their context.
United States: The Federal Trade Commission has released a report (PDF) into IoT and possible regulation. It states that it may be too early to regulate, as the industry is still in its infancy, but that general data protection legislation should be strengthened.
David Wheeler has written about policy interventions for digital security that could apply to Internet of Things devices.
The range of devices is so broad that it’s difficult to audit them consistently.
Regulatory overhead prevents small companies from launching products.
Data controllers are compelled to publicly report data breaches so that the public knows a breach has occurred and can take action where possible, and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify data subjects “no later than 72 hours” after having become aware of it.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of the data controller’s security measures has occurred that could affect the moral and economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 States and the District of Columbia have enacted state-level security breach notification laws. There are no notification laws at Federal level.
The lack of understanding around data breaches may cause consumer panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.
The law requires the use of strong customer authentication for certain kinds of service.
Estonia: A chipped identity card is used as secondary authentication when accessing digital services.
European Union: the European Banking Authority requires the use of “strong authentication”, defined to mean “multi-factor authentication”, in online payments.
Implementing multi-factor authentication into existing systems could be costly.
If designed poorly, multi-factor authentication can make a service less usable.
Data controllers handle and protect personal data that is generated through consumer transactions to protect the privacy of consumers.
Most countries have a general right to privacy written into their national law or constitutions.
Different industries have their own data privacy laws.
Confidentiality of medical data is enforced in the United States by the Health Insurance Portability and Accountability Act. In Turkey, patient privacy is guaranteed in Articles 78 and 100 of Legal Code 5510. In Canada, medical confidentiality is protected at federal and provincial level. In Australia, it is protected under the Personally Controlled Electronic Health Records Act 2012 and the Privacy Act 1988.
Financial institutions also have implied privacy unless required to disclose transactional information to law enforcement.
UNGCP 2016 and OECD Privacy Guidelines 2013 mention recognition of right to privacy as a major element of consumer protection.
LEGO’s website, which connects children through games, has no third party cookies or connections to social media accounts, and advises users to use pseudonyms.
The same data is treated differently across industries and national borders, weakening how people perceive the right.
Challenges in identifying, defining and quantifying risks, as well as enforcing the right.
Individual services comply, but, in the aggregate, companies breach intent of privacy.
People expect a minimum broadband speed and may request compensation if the speed is not met. Countries may do this in several ways, including creating a minimum service obligation for a certain speed, or creating a legal definition of what services may be sold as broadband.
United Kingdom: 10 Mbps download speeds are recommended by Ofcom. The UK government is in the process of creating a minimum service obligation.
United States: The US communications regulator, the Federal Communications Commission, has defined broadband as 25 Mbps download and 3 Mbps upload.
Canada: The CRTC has ruled that broadband is a minimum of 50 Mbps download and 10 Mbps upload.
Brazil: Internet service providers are mandated to provide 80% of the advertised download speed.
India: To be classified as broadband, connection speeds must be higher than 0.5 Mbps.
Policy can be influenced by telecoms organisations to reduce speed below public expectations.
Measuring connection speeds requires a consistent methodology.
The baseline isn’t flexible enough to reflect changing expectations and capacity.
Upload speed: how fast data can be transferred from a consumer’s device to a server that runs a service.
Download speed: how fast data can be transferred from a server that runs a service to a consumer’s device.
Megabits per second: Abbreviated to Mbps, this is a measurement of data transfer speed, the number of megabits (millions of bits) that can be transferred in a second.
Providers of digital services are legally bound to comply with design standards that allow people with accessibility needs to access digital services.
Worldwide: W3C published a recommendation, the Web Content Accessibility Guidelines (WCAG), that helps web developers create accessible digital content.
United Kingdom: Standard 8878 by the British Standards Institute defines the processes needed in the planning and deployment of accessible web products. While not legally enforceable as a standard, other legislation in the UK means that websites are legally required to be accessible.
United States: A 1998 amendment to the Rehabilitation Act requires Federal agencies to make their electronic and information technology accessible to people with disabilities.
Spain: A law, UNE 139803, requires websites to follow accessibility requirements based on the WCAG standard.
Laws and processes exist to prosecute data controllers in the event of a data breach. Punitive measures are intended to incentivise data controllers to better protect consumers’ data in order to avoid punishment.
Most G20 countries have data protection laws that, at minimum, enforce a monetary fine.
European Union: The General Data Protection Regulation allows the levying of a fine of €20 million or 4% of an organisation’s global turnover. Section 82 of the GDPR states that data subjects have a right to compensation for “material or nonmaterial damage”. Data controllers are exempt from liability when they can prove they are not responsible for the data breach.
Brazil: The Brazilian Regulatory Framework for the Internet enables a 10% fine on domestic gross income and a potential temporary suspension of data collection activities. This fine is proportionate to the nature of the data breach. Consumers are able to bring a data breach case to court for material and nonmaterial damages.
India: A data controller that doesn’t implement reasonable security practices is “liable to pay compensation for any wrongful loss or wrongful gain”. Claims below 50 million rupees are handled by the Department of Information Technology at state government level; claims above this are handled by civil courts. A data controller that discloses personal data without the consent of the subject may be liable to three years’ imprisonment, a maximum fine of around $7,500, or both.
Japan: Responsibility for data protection regulation is shared in Japan. The Ministry of Economy, Trade and Industry and the Financial Service Agency investigate companies for data protection compliance. They can issue a corrective order if they are found to be non-compliant. If a data controller fails to follow a corrective order, they may be liable for imprisonment up to six months or about a $2,600 fine.
Could drive organisations to be less transparent about breaches.
Accountability for breaches could be hard to pinpoint due to complex arrangements between service providers and third parties.