How Important Is Privacy To You?

In this episode, serial author and leading privacy professional Judith Ratcliffe breaks down the role of privacy pros in preserving our privacy rights in the digital age

We discuss:

• Why the UK urgently needs a Privacy Council to protect privacy rights
• How to discern between genuine privacy-enhancing technologies and those that make false promises
• The legal implications of misleading advertising in privacy tech
• The Importance of the Right to Be Offline and how it empowers us to take control of our privacy

This episode will leave you with a deeper understanding of the challenges and opportunities facing privacy today, and how we can create a more privacy-friendly future.

Judith is a leading privacy professional, and a serial author who has been championing individual rights and helping organisations and government departments to get privacy and data protection right for over a decade.

She's also worked in financial crime prevention and she was a hospital radio broadcaster for seven years. So I'm sure you'll share some tips on how to get this podcast even better. Her first privacy and data protection book, Privacy and Data Protection in Your Pocket, Personal Data Breaches is out now.

And earlier this year, the Law Society of Scotland journal published her opinion piece on why we need the UK government to commit to providing services through offline channels

If you're ready to transform your career and become the go-to GDPR expert, get your copy of 'The Easy Peasy Guide to GDPR' here: https://www.bestgdprbook.com/

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Judith on LinkedIn: https://www.linkedin.com/in/judith-r-6659452b/

Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers

► https://newsletter.privacypros.academy/sign-up

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

• Free LIVE Training
• Free Easy Peasy Data Privacy Guides
• Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place. Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch, progress and excel your career as a Privacy Pro. Hear about the latest news and developments in the world of Privacy. Discover fascinating insights from leading global privacy professionals and hear real stories and top tips from the people who've been where you want to get to. We've trained people in over 137 countries and counting. So, whether you're thinking about starting a career in data privacy, or you're an experienced professional, this is the podcast for you.

Welcome to another episode of the Privacy Pros podcast. And we've got a very exciting episode today. Today, we're going to be talking about the need for a UK Privacy Council, why we need the right to be offline, and misleading advertising in relation to privacy enhancing technology and how you can protect yourself from becoming a target for fraud. So all that and more coming up. I'm your host, Jamal Ahmed, Author of the international best selling, The Easy Peasy Guide to the GDPR. And with me today, I have a special guest, someone that's been so kind to me from the moment I entered the data privacy space to now.

And she's been supporting me through my ups and downs, and she's always sending me gifts. So we have to know why you're so generous, Judith. But today our guest is Judith Ratcliffe. She is a leading privacy professional, and a serial author who has been championing individual rights and helping organizations and government departments to get privacy and data protection right for over a decade. She's also worked in financial crime prevention and she was a hospital radio broadcaster for seven years. So I'm sure you'll share some tips on how to get this podcast even better. Her first privacy and data protection book, Privacy and Data Protection in Your Pocket, Personal Data Breaches is out now. And earlier this year, the Law Society of Scotland journal published her opinion piece on why we need the UK government to commit to providing services through offline channels. Wow. What a bio. Judith, welcome to the Privacy Pros Podcast.

Thank you. It's such a pleasure to be here, Jamal, thank you so much for inviting me. And it's so nice to actually say hi properly. Cause we talk so much behind the scenes,

Yeah. It's like a fun party for us, isn't it? Yeah. Completely. All right. So look, it's a Friday today. So I have to ask, what's your favourite way to switch off and relax on a weekend?

Oh, too many to mention, but ones that people will know me for, I do street dance whenever I can. What? I do street dance yeah.

I did not see that one coming. Can I find some street dances of yours on YouTube?

Oh, gosh, no. I'm not a professional by any means. It's very much amateur. And I'm very lucky because there's this great group in Leamington called Fit2Dance. I used to do a lot of stuff with them because I know the person who leads that class, and she's very kind, she's very lovely. Her name is Liz England. I'm sure she won't mind me mentioning it here. Go and look her up, go and look up Fit2Dance get the kids involved, because one of the best things and things that I've most enjoyed doing with them is the Christmas shows, because there's always something for the bigger kids. And I was allowed to join in with the bigger kids for a very long time, probably long past I should do. But it's okay. I was CRB checked and I'm usually CRB checked, so it's all good.

It does sound like a lot of fun. And if there's anyone that's listening from around the West Midlands and you want to get involved in all of this, then get in touch with Judith and I'm sure Liz England would also take care of you too. I have to ask, was it something that you were exploring or is it something that you got tempted into initially?

It was something I was looking into to begin with. I was doing hospital radio at the time. So I was in my twenties and actually... Liz was, , teaching at my little sister's high school, as I recall, unless I'm misremembering this, and then it all went downhill from there, really, because my little sister said, oh, you might want to get in touch with her, because I think she does it outside as well, and I rocked up and went, I'm probably going to be the oldest person in this class, aren't I? Is that okay? And Liz was like, oh, yeah. Come and have some fun. And I did and it was great and the kids were awesome. And to be honest, they are like way better than me and always have been. They can add stuff and do all the getting down with it. And I'm just going, okay I'll be on the back row for this one. Let you guys take the centre stage, which is what I'm there for in the show is to do anyway, really, to back them up and be like, something goes wrong you can blame it on me and that's all good. But yeah, but it's all so much fun. And they're great.

Okay, great. So in our community at the Academy, we've actually got a lot of people who are into their creatives. So if they get together, they were talking about doing a band. Could they invite you to come along and be one of the backing dancers?

Yeah, I know, they need to teach me the routine, but yeah, totally, I'd be up for that. That'd be awesome.

All right. We can put on a show now. Yeah. So I have a confession to make. When I was at college, one of my friends, he dragged me in to sign up for this dance class as well. And it was actually a Bollywood dance class. Charity fundraising event or something.

That's so cool, Jamal! Wow! That's fantastic!

I was terrible, but I had so much fun.

That's so awesome.

Let's get into privacy now. So how did you go from a hospital radio broadcaster to starting your journey to privacy?

I'll just throw this caveat in now, incidentally, because I forgot to do it earlier and then... we can carry on with the discussion. But just to say that nothing that I say throughout any of this is going to be legal advice. So if you do need legal advice as a result of anything I've said, obviously, please go and speak to a barrister or solicitor of your choice. I can't give legal advice and I certainly wouldn't want to do it in a podcast anyway, for obvious reasons. So just to get that out of the way. And then, apologies, the question was about, getting into privacy at the same time as doing hospital radio. So I was doing my law degree. I was at Oxford Brookes, and then, I fell into it by accident, because I was doing my legal research project, if you will, on unreliable evidence, and I found the SNMARP of the United Kingdom case, which was going through the European Court of Human Rights at the time, and it's a case about unlawful over retention of DNA, deoxyribonucleic acid, for the scientists amongst you, and biometrics. So it's a great one for privacy pros to look at, and the reason for that is because it shows that even if you think you can override someone's rights by pleading task in the public interest, when it actually comes to their overarching right to respect for their private life, you can't do that. And it also demonstrates the implications of wrongful refusal of rights to erasure requests. So sometimes you do still have to destroy the data, no matter what your lawful basis is. And you have to look at all the facts of the case. And on data protection alone, which was unlawful over retention by the police, of this DNA and biometric evidence, the court held in favour of the complainants. It said, no, you can't keep it.

You should be destroying this. So task in the public interest is not a get out of jail free card. And in fact, no lawful basis is. So if the retention is disproportionate and, or it's not genuinely strictly necessary and, or your organization has done something wrong, unlawful or illegal when you've collected it, when you've used it, or when you've retained it, then you have to destroy it, and the right to erasure then becomes arguably absolute. And that's no matter what the lawful basis is and the exemptions usually can't be applied either in those instances. So it's worthwhile to remember that. But that's a short version of how I got into it while I was also doing hospital radio at the same time.

Wow, that sounds quite fascinating. So you were looking at your law dissertation and focusing on evidence and the evidence or the unlawful evidence?

Unreliable evidence. So I was looking at things like the shaken baby cases and expert witnesses and DNA and all of those kinds of things.And the fact that sometimes it seemed at the time to me, and it still seems now that people over rely on certain aspects of scientific evidence, like DNA to decide whether somebody's innocent or guilty.

Okay, got it. Now coming back to the Privacy Council. So you're very passionate about the need for a UK Privacy Council. Could you explain this concept of a UK Privacy Council and the specific challenges or gaps in privacy that a UK Privacy Council could actually address and solve?

I can and thank you so much for bringing it up. I am very passionate about this. So the concept is fairly simple. Our privacy rights are far more than data protection rights alone, as I know you know, but very few people actually know those rights and understand them. So it's the right to respect for your private life, your family life, your home, and your correspondence. So it includes things like personal autonomy and those informed choices, things like bodily autonomy, particularly sensitive perhaps for those of us who are girls, but also sensitive for the gentlemen amongst our audience members particularly if you're thinking about, things like maybe forced sterilization that affects, I think, both genders in different ways, in terms of bodily autonomy, in terms of vaccines that you have or you don't have, that's bodily autonomy too. In terms of whether or not you choose to donate your organs, what happens in postmortem examinations and whether those indeed are carried out when people pass away. All that goes into bodily autonomy and a lot more besides. Things like physical and mental integrity and , even things like bullying and harassment can come into. physical and mental integrity and privacy at work. There's also things about your reputation and protection of your reputation. The right to control what happens to photographs of you, and there's a lot more besides that I won't list here, but I am writing a book on the subject. I'll try to go into as much of it as I can within that book. But I do also have a little LinkedIn group which is, know your privacy rights more than data protection ones, and I'm trying to fill that with as much as I can, bit by bit in between other things, have a look at those and look wider because it's a lot bigger.

There's also, the specific challenges at the moment are that, the legal draftsmen writing the law don't seem to understand privacy properly and therefore they're writing very bad laws that take your privacy away. Data protection and digital information bill, anybody? Numbers one and two. There's also a lot of misleading advertising around privacy enhancing technology that doesn't seem to protect privacy at all. And even ISO standards appear to be led by security professionals. And there's nothing wrong with it being led by security professionals, let me say that now. But, privacy is noticeable conspicuously by its absence. Even when they're saying, oh, we've put privacy in, this is a privacy standard, I've gone through them and gone sort of, but not exactly. And also, where is the proper support from our regulators for individuals and their privacy rights? Time and again, I hear about individuals , being told by the regulators I'm sorry, you're one person and alone. therefore no dice, and similar. And, when do you ever see the headlines about privacy being violated properly hitting the headlines? It doesn't seem to be reported on an awful lot at all, unless you are rich, famous, powerful and privacy violations, of course, are more than just personal data breaches and can cause very serious harm. In short, we appear to have bad laws, abysmal policies and processes, and your rights being broken and eroded right, left, and central.

And all because the general public, politicians, and organizations don't understand your rights or how to protect them properly. And there are, as far as I can see, no proper privacy standards for industry to follow. And engineers aren't trained in how to incorporate privacy either. That's a big failing at university level and below as well.

So we've understood the problem. Now what we want to understand is how you envision a UK Privacy Council solving some of those challenges.

The problem might seem complex, but it's a fairly simple solution. So you have a Privacy Council. It's manned by privacy professionals who understand the overarching Article 8 Human Rights Act, European Convention on Human Rights, Privacy Rights, so the right to respect for your private life, family life, home and correspondence, and all component parts, including data protection, but not limited to just that. People who can apply them and make them understandable to both Businesses and Parliament, and enforcing those rights when needed. So the Council would basically be the equivalent of the National Cyber Security Centre, is what I'm imagining. And in effect, it would provide education, advice, provide guidance from small businesses to medium businesses to large organizations to corporate organizations and all other organizations as well and governments. So there would be no limits, charities could go to them for advice and all sorts. The council would collate and create helpful resources and share them to educate others. And they would help to design privacy enhancing technologies that actually do help protect privacy. And they'd also be advising and guiding that actually you don't need to reinvent the wheel. Sometimes it's just about taking the technology away or not including it in the first instance to protect privacy. And that's something that I think a lot of people forget. They rush to the tech for all of these solutions, including protecting privacy, but actually sometimes it's just about not putting it in the first place and not including it. And then there's also the council would obviously hold organizations and government departments to account and hold them to account properly for every individual that actually had a case that was backed up by the facts, the evidence and the law. And it's as simple as that.

It sounds very simple. How far are we away from establishing a UK privacy council?

I do have a petition at the moment, but the petition only runs for a couple of months and it's only got about 21 signatures, so I would say we're quite a way away from it at the moment because we need to get those primary discussions in Parliament. It needs to be on the table and everywhere, we need news reports on it, we need the BBC maybe to get involved, we need Channel 4 dispatches maybe to get involved, we need the world to know that it's a problem first. And then hopefully people will start going, okay there's an easy solution to this and here's what it is. But my first step is talk about it because if nobody knows about it, how can they go, oh yeah, okay, we need to do something now.

Absolutely. So we need to raise awareness. And so what we're going to do is we're going to link in the petition link to the show notes. So if you are listening and you've heard what Judith has to say, and it makes sense to you, it definitely makes sense to me.Then add your name to the signature and let's get this front of the UK government and let's create something that's going to actually be a positive and a powerful body that's going to help us to make sure that we have those rights up we have our rights respected. We have those rights upheld and it's done in a way where we're actually empowering businesses, charities, any organization that handles that data to be empowered to understand what they need to do or what they shouldn't do to begin with and make things easier. So every woman, every man, and every child can enjoy freedom over their personal information. Now, Judith, there's been lots of discussion about the right to be offline for people who are not familiar with what that means. What does this right entail? And why is it essential today in a very digital age?

Another great question. And again, thank you so much for letting me bring this in Jamal. I really appreciate it. The right to be offline, There's lots of parts to it, so I could, go into chapter and verse and everything, but I won't. I'll stick to the bits that I've partly got a petition going on about at the moment, but also just also narrowing the scope a little bit to some of the most important bits at the moment.

Sideline question. How many petitions do you have going on right now?

I've only done three this year. One of which sort of fell because it only got 500 signatures on it. That was to get the data protection digital information bill binned. The other two are still live and it's just the privacy council one and also the right to be offline one. But, it's getting the government to commit to providing offline services. which is what I'm going to be mainly focusing on, but with a little bit of something else in our discussion today. So the right to be offline, the wider right to be offline as well, should include a right to do business with government departments on paper. This means offline identity checks, offline right to work checks, offline counter terrorist checks, disclosure barring criminal Records Bureau checks, all of that done on paper. Passport renewals done on paper. Tax forms and correspondence done on paper. Those are just a few examples. A right to have paper salary slips. A right to do banking offline, so over the counter, face to face and on paper. A right to speak to a doctor at a surgery and have letters instead of emails. And also to have your medicine given to you, administered by nurses, by real people, instead of... by a machine or a connected device, I should say.

Obviously, noting that in some hospitals you do have drips and stuff that are by a machine, but a person oversees that and changes things over. It's not all a connected device delivering it to you and so on. There's also the right to have phone lines available, to speak to customer services teams that are based in the United Kingdom or wherever you are based, in France if you're in France, in Germany if you're in Germany, in America if you're in America. To avoid having your personal data shared with ticketing teams based in third countries that don't have adequate protections necessarily for your rights in place. A right to paper-based correspondence where it isn't automatically provided and to have that right respected at all times with a very few limited exceptions only where the organization is only based online. Because I do appreciate, particularly at the moment, we do have a number of organizations. They've been set up online. Everybody's happy to do business with them online. Everybody knows about it and that's okay. But you can't have that for core services. You've got to be able to give people that informed choice and you need to have a genuinely viable alternative offline for people who don't want to do things online. For example, we can't have every bank in the United Kingdom being online only. We need offline ones too, that are as widely available and aren't ripping out all their cash machines and are still letting people come into branch, and do things over the counter. Without too many limitations on that and no penalties.So no making things more difficult for individuals who choose to do things offline. So for example, you can't increase your costs or charge people extra for doing things offline or on paper, and you can't take hours to respond to a phone call or make it really difficult for people to get through to you on the phones.

So you should be able to have fully competent staff, phoneable and speak toable. and able to resolve complaints and so on over the counter within a matter of minutes. So in the pandemic, there was a little bit of bad behavior, I would call it, from a number of organizations who decided that because it was the pandemic, they were going to basically have all the phone lines as, we effectively either have shut the phone line off, So there's nobody to speak to at all. Or it takes hours and hours to get through to somebody on the phone which runs up your phone bill, which personally, I don't think is okay because I don't think that's fair. Why should you have to foot the bill for them taking hours to respond? And obviously I can understand it a little bit, but at the beginning of the pandemic, massive shock to the system okay, maybe. But as we got deeper and deeper into it and coming out the other side of it, as people were also starting to return to the office and things like that organizations, from my perspective, really should have got their act together by that point. That's when it starts to become a little bit, yeah, this isn't okay. And also because you would have thought that there would have been some kind of plan in place, even a contingency plan, because people have off days, people are ill, people, have family emergencies. You would have thought that there was something in place in any event for people to still be able to deal with that in the event of an epically bad situation. And that just all seemed to fall over all at once. In some ways understandable, but in other respects woefully inadequate. Because it was serious things. It was government departments. It was tax authorities. It was, sometimes it was your bank or your building society all of these sort of crucial areas that kind of just fell over.

And people can't afford to have, particularly because with things like, and I'll pick on the tax authorities. Because with things like that, and I'm not saying whether they did well or badly or indifferently, but if you are a tax authority and you've got something going badly wrong and you aren't answering the phone on time and somebody's got an emergency, so let's say you've told them that they owe you tax that they don't owe, or that maybe that they do owe, but you're going to impose a very hefty penalty if they don't get in touch with you to sort stuff out. So what do you do? You try to ring them, and then you can't get through for hours, days, weeks, months. Because there's an issue with the phone system? Can you see what I'm saying? I know I'm picking a bit on the tax authorities here and to be fair, and they were not doing bad things, and I'm not, indicating that they were by any means by any stretch of the imagination. I'm picking on the, if that is the kind of service that sort of thing happened to, ,

There was a thing about them recording people's voices without telling them.

We'll, yeah let's discuss that , on another day because I need to make sure I get my facts straight on those, but , there are elements of things that all organizations mess up. I don't think it's deliberate, it's just people have off days and people do mess up. But I'm just saying that, for the purposes of obviously this podcast, I'm certainly not pointing fingers at anybody. There will be a certain times when I do point fingers at people and I'll make that apparent because I'm going to do some finger pointing as well during this podcast, but at this particular point I'm not blaming people for how they handled things during the pandemic.] I think it was a massive shock to the system for everybody and I think, it's everybody did the best they could with what they had at the time. I'm simply saying that if you are a tax authority, particularly, and this sort of thing happens and you therefore, for whatever reason, can't, it can be a bit more sensitive and a bit more problematic for people and you could cause people to have penalties, fines imposed and cause some quite nasty things to happen to them because you haven't got your phone line in order and because they can't quickly and easily sort it out with someone. So the impact on real human beings can be quite extreme even if you think, oh it's just a phone line, they could surely send us another letter. or send us another email or whatever it happens to be. But the other thing you've got to appreciate is that where people do things offline and do things through the post, that telephone number is a lifeline for emergency situations because emails might get through to your team very quickly. But if I don't do things by email to protect my privacy and to protect everything that I do from identity theft and fraud, then I've got to rely on A, that letter getting to you, B, it getting passed to the right person, which it isn't always, especially again, and I'm going to pick on government departments because I know this frequently happens with them.

It doesn't necessarily get passed to the person that you write the letter to. I might be writing to the person who I think can best help me sort this out, and I might be right or wrong about that, but it will then get redirected, possibly through several other teams. May not necessarily get to the person that I've directed it to, and may also potentially get directed to somebody who is either too junior to sort it out, who then has to pass it on to someone else, or who sends me back a completely inappropriate response because they haven't understood what's going on. There are all sorts of other complications. That again, need to be appreciated with, you've got to have that proper telephone backup when you do things offline. You can't just say, Oh we'll rely on them just sending us letters because it doesn't quite work that way. And that's just practical.

Everything you're saying makes a lot of sense. And from my own experience and from the people in my community, in my family, even in my neighbors I was just having a chat with one of my neighbors across the road. He's a vulnerable gentleman. And he was saying that the local branch was closed and now if he wants to go to the other branch, they're asking him to pay more money to pay money into his own account. I'm like, they're charging you money to pay money into your own account. It just doesn't make any sense to me. So I can see some of the actual practical considerations on everyday people. Being impacted detrimentally and I do really actually think that we also need to get behind this petition About this right to be offline. A lot of people might say what's the big deal? Isn't that the way forward? but if you look at it and if you look at some of the things that you've been talking about Judith there are actually going to be some really detrimental consequences for everyday people in different walks of life. Things that I can do right now might not be such a challenge, but if I think about the same task for my mom or somebody else, then you can see how this right to be offline could really be a benefit for every individual to be able to access those things offline.

So yeah, they completely are. Just before we go into that though, I will give an example and this is one where I am going to point fingers and without naming names, but I'm going to point fingers a little bit. And I'm going to give an example of something that is impacting people in terms of failing to protect them from fraud and failing quite catastrophically in doing so, which is also why the right to be offline is important. So a number of counter terrorist check organizations, so serious stuff, and also your... personal data from your referees, so not just yours, but other people who are your nearest and dearest, or perhaps people that you know, your employer, and so on. They are refusing, at the moment, to action paper forms, and this is despite being given all the information on those forms to undertake those checks, and despite having a paper route available, and Ombudsmen and regulators appear to be failing to stand up for people and stop this apparent abuse of power. So people have lost jobs that they lawfully and fairly won because of the refusal to action those paper forms. And my question is, should that be allowed to happen in a fair and democratic society when the paper form that the counter terrorist check organization was given had everything they needed for them to action it?

And the other part of that, very quickly, is that those same counter terrorist check organizations, they ask for date of birth at the top of every email in order to verify people, and that breaks government guidance, which very clearly says don't do that, and so it's not only potentially in my view, breaking the law, but it's also breaking government guidance as well. So there are other issues. But anyway, as I say it causes you to put yourself and your referees potentially at risk of your identity theft and fraud, because we all know that Encryption's lovely, but a reasonably motivated hacker can easily break through that. And also a lot of other unauthorized, potentially even internal, data sharing and oversharing and use of that data.

So let's shift gears a little bit now. Let's go to Privacy Enhancing Technologies. Privacy Enhancing Technologies have gained popularity, but there are concerns around their ability to deliver. How can Privacy Pros discern between genuine Privacy Enhancing Technologies and those that make false promises? Are there any specific red flags or criteria that we should look out for when considering these?

At the moment, beware anything that is called privacy enhancing technologies, because from my perspective, none of it actually does what it says on the tin, even in terms of protecting data protection rights. It's shocking, isn't it? I know, it's terrible. But particularly, beware of anything called trusted. Beware of so called data clean rooms. Beware of so called zero knowledge proofs or blind proofs, because zero knowledge proofs and blind proofs don't seem to use as little knowledge and aren't necessarily so blind, as appears to be the case at first glance. Anything where they claim privacy is being protected, but are telling you that they're reusing the data. or that they've already got the data, and there is no evidence of informed consent for those extra uses that they want to use things for. There's always the classic also, you know that the underlying organization doesn't protect privacy properly, and they're now offering you privacy enhancing tech? Really? Okay, if you can't protect it properly in the first instance, how exactly are you enhancing your offering? And any and all of the ones in the Royal Society's report, I have to flag because none of those seem to enhance privacy properly at all. So that's trusted execution environments, homomorphic encryption, secure multi party computation, PSI or PIR, federated learning or federated machine learning, differential privacy preserving synthetic data, and I'll add a couple more to the list.

Anything that uses blockchain, anything that uses AI for rights request handling, and Biometrics, anything that collects, uses or stores biometrics, all of those break privacy left and central as far as I'm concerned. I've got a couple of articles I'll share them. So you've got the links and people can see them. And also in my digital currencies webinar, which again, if I haven't already I'll share the link. So you've got it. I go into those in quite a lot of detail and into the Royal Society ones , in chapter and verse and data clean rooms as well. So you'll see them, but just to take one example, so the trusted execution environments. So according to the Royal Society's report, this means securely outsourcing to a server or cloud computations on sensitive data. I'm sure some of you will have picked up on sensitive data. Hello. But also my observations of these again, calling something trusted doesn't make it but also outsourced providers and cloud providers, as I know, and everybody watching this will know they're known to regularly leak, aren't they? And sharing the personal data with them can in and of itself be a personal data breach, which breaks the confidentiality of the personal data that perhaps I maybe only wanted to share with my doctor.

Or with my bank, or with whoever I'm transacting with on that particular day. So subsequent actions on the data, whether permitted by your organization or not in those environments, if I can get the words out. Who cares? But they may or may not be expected, but in all likelihood, they are unexpected by those individuals, and they may also be further personal data breaches, unless the individuals to whom the data belongs, and that isn't your organization, believe it or not, it's the person like me, you who the data's come from. If we haven't given our specific and informed consent to those further actions that you're doing in that trusted environment, then that's Yet more personal data breaches, isn't it? But how can you tell they're making false promises is also quite important, isn't it, to this? So let's think about a car. You wouldn't buy a car ordinarily, or well, perhaps you would, but I wouldn't buy a car, certainly, without checking that the brakes work, without making sure that oil wasn't leaking from somewhere, without checking the steering wheel and that it was fully functional and that the gear stick wasn't loose and didn't jam, and you'd probably call a car seller out for misleading you if any of those things didn't work, and more, depending on what you look for in a car, right? If this is, described as a fully functioning working car. The same applies in terms of privacy. And in checking that privacy enhancing technology does what the name implies. And you need to watch out for this because misleading advertising is actually punishable under UK law, specifically the trade descriptions, the business protection from misleading marketing regulations, 2008, and also the consumer protection amendment regulations, 2014.

But let me explain. . An action is misleading if it contains false information, or if it is likely to mislead the average consumer in its overall presentation. It doesn't matter if I, as a privacy professional, might go, Aha! I know what this means and, I can clearly see that this is not okay. If the general public, so people who don't know and will take it on face value what you say, so if you say it's privacy protecting, they may well believe you, especially if you are a trusted financial services provider, for example. If it's going to mislead them, then you're in trouble. And it's the information that misleads can be about the main characteristics of the product. Its benefits or how it's made up, how it works. It can also be, though, about a consumer's rights or about the risks that he or she might face. And so I'll flag to you again, the risks he or she might face, because those risks, , are not necessarily properly explained, drawn out. And if they aren't enhancing or protecting privacy properly in any event, the risks that they claim they're mitigating may actually still be there underneath it all. And an example, an easy example within the regulations that they actually give you is, so a consumer takes out an expensive 18 month broadband package advertised with speeds of up to 24 megabits per second, but in fact, it was never possible for any customer to achieve this and average speeds were less than half. So in the same way, if products claim to enhance privacy and or preserve privacy, but don't genuinely do that, then they may also be considered to break those regulations. Does that sort of help?

It does. That does really help. And that does make a lot of sense.

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released. Remember to join the Privacy Pros Academy Facebook group where we answer your questions. Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro. Please leave us a four or five star review. And if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk . Until next time, peace be with you.