theregister.com

UK wants dirt on data brokers before criminals get there first

The UK government is inviting experts to provide insights about the data brokerage industry and the potential risks it poses to national security as it moves to push new data-sharing legislation over the line.

Organizations that pay for the services of data brokers and supply data to them, as well as data brokers themselves, are specifically invited to engage with the Department for Science, Innovation, and Technology's (DSIT) call, although views from all stakeholders are welcome. The views of academics and think tanks whose work concerns the industry are also in demand.

"The UK government is seeking views to understand more about organizations that take part in data broking and the wider industry," DSIT said. "In particular, the government would like to understand the operations, security practices, and customers of data brokers, to support policy development."

Data brokers or information product companies – whatever your preferred term for these types of orgs – have faced growing criticism in today's data protection-conscious world, especially as their hoarding of data into poorly guarded cloudy jackpots has facilitated leak after leak.

These companies essentially collect vast amounts of personal data and sell these datasets to other organizations that can use them to build profiles on their target market.

This naturally makes them a goldmine for both marketers and cybercriminals. The US has in recent years taken regulatory action against several, some of which store hundreds of millions of records.

Where the FTC doesn't act, The Register steps in to shine a spotlight on those with less-than-ideal security. Successful attacks on data brokers are not as rare as you might think or hope.

The UK government appears to recognize this. DSIT's call for evidence acknowledges that these companies hold a trove of sensitive data that could be of huge interest to hostile states and cybercriminals both domestically and abroad.

It's not a coincidence that the call comes as the Data (Use and Access) Bill (DUAB), legislation aiming to toe the line between GDPR compliance and "business friendliness" – yep, the old "open for business" line is being rolled out – is just a few steps away from becoming law.

The DUAB – like previous contender the Data Protection and Digital Information Bill (DPDIB) – aims to remove some of GDPR's limitations set out in the Data Protection Act 2018 while somehow also ensuring continued compliance with the regulation to allow for smooth dealings with EU organizations.

The government says the DUAB will help the NHS, police forces, scientists, and businesses to make "better use" of data with easier sharing opportunities than the current law allows.

One key proposal is the introduction of data intermediaries – third parties trusted to facilitate the sharing of data between organizations under smart data schemes, which have so far satisfied the UK's data protection watchdog, the Information Commissioner's Office.

Their role will be to ensure data is shared only in line with the intended purpose and with ethical and regulatory requirements.

While this may resemble data brokerage, the UK government insists that data intermediaries and brokers serve distinct functions.

DSIT explained the difference in a separate call for evidence about these data intermediaries specifically, which also launched on Monday.

It said: "Data intermediaries are one way of facilitating the right to data portability, as they can enable data subjects to port their data from one data controller to another, acting on a data subject's behalf or in their interest. They differ from other data-driven companies such as data brokers, in that they rely on the agreement of the individual (the data subject) and act in their interest."

The data broker inquiry primarily focuses on security concerns – the national security risks they pose and the effectiveness of existing security measures and governance frameworks.

In contrast, the data intermediary inquiry examines their day-to-day operations, and what an effective intermediary looks like, rather than the potential cybersecurity pitfalls they too could bring to the table.

Those with a horse in this race have until May 12 to share their perspectives with DSIT.

The government is also aware that some questions demand answers that could expose commercially sensitive information. Details such as a data broker's security practices would be damaging in the wrong hands, but DSIT assures that any submitted data will be handled "carefully and securely." ®
