Mozilla files comments on UK Data Protection Consultation

Mozilla recently submitted its comments to a public consultation on reforming the UK’s data protection regime launched by the UK Department for Digital, Culture, Media & Sport. With the public consultation, titled ‘Data: A New Direction’, the UK government set out to re-evaluate the UK’s approach to data protection after no longer being bound by the bloc’s General Data Protection Regulation (GDPR). We took this opportunity to share our thoughts on data stewardship and the role effective regulation can play in addressing the lopsided power dynamics between large data collectors and users.

For Mozilla, privacy is not optional. It is an integral aspect of our Manifesto, which states that individuals’ security and privacy on the internet are fundamental and must not be treated as optional. This is why privacy is at the core of our product work and why we have long promoted robust data protection in our policy and advocacy work. Further, Mozilla’s Data Futures Lab is exploring alternative approaches to data governance and promoting data stewardship through original research and support to builders.

Our response to the consultation focused on the following themes and recommendations:

  • Data protection and individuals’ control over their data should remain the cornerstones of new legislation: Data privacy should be the bedrock of any law promoting data sharing and increased processing. In principle, the control over their data should lie with data subjects. The key underlying principles of any data protection regulation should include informing and empowering consumers, strong security, and limiting data collection to what is necessary and delivers value.
  • Alternative models of data governance can help shift power: Alternative data governance is a nascent field but has the potential to shift control and value creation back to data subjects and communities. However, considerable work will need to be done to ensure that they don’t duplicate the existing systemic problems of today. In light of this, due attention needs to be paid to several important considerations: consent as the basis for data stewardship; robust security; trust in new governance models; being mindful of legal context and accountability; transparency and notice; and inclusiveness to rectify existing digital inequalities.
  • Collective rights could complement individual data rights: Individual data rights can be a means to correct harms and power asymmetries, but can also fail to account for collective harms where data does not only concern one person but a group of individuals. New legislation should therefore take an expanded account of collective interests and provide mechanisms to address such harms.
  • Data sharing is best encouraged via incentives and legal protections: Public authorities should create incentives for and enable data sharing. In doing so, they should always ensure that individuals’ privacy and agency over their data is protected while preventing government abuse of these powers.

We are looking forward to working with regulators (both in the UK and beyond) as they revise their data protection framework over the coming months, especially around the important issue of data stewardship.