Data misuse is often discussed alongside cybersecurity, within the overall context of data protection; but it is important to make the distinction between data which has been obtained legitimately but misused and data which has been collected illegally (eg without consent) or stolen (via computer hacking).

Data theft generally involves a cyberattack or harvesting of data by other means where data subjects are unaware of the collection or modification of their data; this type of cybercrime is largely covered by the Computer Misuse Act. Even where the data is provided knowingly and willingly, its collection may still be illegal if it breaches the Data Protection Act (DPA) or General Data Protection Regulation (GDPR).

The term “data misuse” is normally applied to personal data which has been initially willingly and legitimately provided by customers to a company, but is later used (either by the company or a third party) for purposes which are outside the scope of legitimate reasons for the initial data collection. This is what we will be discussing in this article.

Examples of data misuse

There have been many well publicised examples of data misuse, from Big Tech through to Brexit:

• Twitter recently admitted that it “inadvertently” used the personal information of its users, which it collected on the pretext of security purposes, to enhance targeting of advertisements.
• Google is the subject of an investigation by the Irish data regulator, which has accused the search engine of “exploiting personal data without sufficient control or concern over data protection.”
• Facebook has continued to face allegations of data privacy failures in connection which the sharing of user data with other tech firms, following on from the Cambridge Analytica scandal.
• Jeff Bezos does not escape scrutiny either, with Amazon subject to an investigation by the EU competition watchdog, preliminary findings of which claim that the company “appears to use competitively sensitive information – about marketplace sellers, their products and transactions on the marketplace.”
• The Leave.EU pro-Brexit group, which was co-founded by businessman Aaron Banks, and his insurance business Eldon Insurance, have both been fined by the Information Commissioner’s Office (ICO) for using personal data interchangeably. Information Commissioner Elizabeth Denham said, “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.”
• The ICO is investigating the AdTech industry more broadly, in particular looking at “how personal data is used in real time bidding (RTB) in programmatic advertising” and has raised concerns about how data is shared: “the scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place”.

How is data misuse being tackled?

Until recently, the debate around data protection has tended to focus on cybersecurity; how to prevent personal information being stolen by “the bad guys” and put to use for malevolent ends (eg hacking into someone’s bank account). But just as computer hacking is not all black and white (there are also “grey hat” hackers!) it has become apparent that companies which legitimately collect personal data do not always use this data ethically.

In response to these grey areas – and in an attempt to redress the power imbalance between individuals and large corporations – laws are gradually being implemented by governments around the world to try and protect their citizens from having their personal data misused for profit.

The European Union is notably progressive in tackling data protection concerns. In 2018 it implemented the GDPR which contains a range of measures designed to protect personal data, of which the principle of purpose limitation is particularly directed at data misuse – article 5(1)(b) states that “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

But it is not just Brussels regulating to empower individuals with rights over their personal data; California has introduced its own scaled down version of the GDPR – the California Consumer Privacy Act (CCPA) – which comes into force at the start of 2020 and, amongst other measures, allows individuals to opt out of having their personal information sold on to third parties.

Although regulation is vital in tackling data misuse, Big Tech is also taking its own steps to self-regulate, a good example of which is Google’s Developer Data Protection Reward Program which pays out “bounties” to developers who “identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”

What does the future hold?

The current primary challenge in relation to data misuse is arguably about reaching a consensus regarding the rights of data subjects to maintain control over the use of their data which is held by companies, governments and other organisations. In a recent lecture on “Algorithms, Artificial Intelligence and the Law” Lord Sales touched on the importance of democracy and national government in tackling a whole array of issues facing a digital world, including data misuse:

“In elections, the detailed information about individuals harvested by computing platforms allows voters to be targeted by messaging directed to their own particular predilections and prejudices, without the need to square the circle of appealing to other points of view at the same time. We need to find ways of reconstituting a common public space.”

Ultimately, more legislation is necessary to define and regulate data misuse. Perhaps the most difficult piece of the puzzle lies in achieving multi-jurisdictional agreement, where liberal governments wrangle with more authoritarian regimes, also highlighted by Lord Sales when he alluded to “China’s social credit system, in which computers monitor the social behaviour of citizens in minute detail and rewards or withholds benefits according to how they are marked by the state.”

But whilst legislators decide how to reach the right balance between allowing free data flows to help commerce and protecting the rights of citizens to control their personal information, digital innovation continues to forge on with new products and services – many of which revolve around collecting increasingly personal data (eg with the rise of MedTech).

Further reading

ICO: Update report into adtech and real time bidding

BAILII: Lord Sales, Algorithms, Artificial Intelligence and the Law (The Sir Henry Brooke Lecture) (PDF)

Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email alex@legalwords.co.uk. Twitter @alexheshmaty.

Image cc by Shop Catalog.