DSIT's call for evidence on Data Intermediaries - Which? response

Summary

Which? welcomes this opportunity to respond to the Department for Science, Innovation & Technology (DSIT) call for evidence on data intermediaries. 

DSIT's definition of data intermediaries; “a range of organisations that facilitate access to and exchange of data [...] they do so on behalf of or for the benefit of data subjects”, is in close alignment with Which?'s use of ‘Authorised Third Party’ in smart data as “Any business or organisation that a consumer gives permission to access and/or process their data for the provision of innovative services.". 

Our response highlights that as data intermediary ecosystems develop in parallel with the rollout of smart data schemes, and as DSIT draws on new draft legislation for smart data (the Data (Use and Access) Bill), it is essential to apply the key insights from Which?'s 'Building consumer trust in smart data' paper to ensure trust in the data intermediary ecosystem.

• Section A of the consultation is about exercise of data subject rights. We draw on our 2024 smart data report and our 2018 report “Control, Alt or Delete?” on consumer attitudes to data collection to highlight critical barriers that consumers face around exercising their data subject rights (including data portability), such as lack of clarity or visibility on data ecosystems; lack of empowerment, agency, trust and control; and lack of collective redress mechanisms. 

• Section D of the consultation is about the risks associated with exercise of data subject rights by third parties. We highlight risks around poor quality products and services, lack of meaningful consent, risks to consumer safety and exploitation of vulnerable users. We also outline our trust framework for smart data which places consumer consent and control at the centre, and lays out principles of governance, protection and scalability. 

• Our trust framework goes further than the minimum requirements of the ICO’s statutory data-sharing code or guidance on valid consent because the ICO does not have specific remit on the harms we describe above. We consider our model to be agnostic on sector and technology. That is, no matter what sector a scheme is established in or which technologies are used, the principles will still apply and be effective. For this reason, we believe our trust framework should also be applied to data intermediaries and it is essential that there is coordination between the smart data landscape and the data intermediary ecosystem currently across DBT and DSIT respectively.

Finally, we note that the Data (Use and Access) Bill presents a vital opportunity to strengthen the legislative framework, building consumer trust and confidence. Notably, the Bill could be used to signal the Government’s intention to implement Article 80(2) of the UK GDPR, allowing appropriate organisations to seek redress on behalf of groups of individuals where a service is designed in a way that similarly infringes the rights of multiple users. In addition, the regulations that are being brought forward under the Bill should contain requirements about how smart data schemes must address the needs of more vulnerable individuals.