The Information Commissioner’s Office (ICO) has joined data protection authorities from around the world in calling for more openness about the proposed Libra digital currency and infrastructure.
A statement to Facebook and 28 other companies behind the project asks them to provide details of how customers’ personal data will be processed in line with data protection laws. It asks for assurances that only the minimum required data will be collected, that the service will be transparent, and requests details of how data will be shared between Libra Network members.
The statement is signed by a cross section of authorities representing millions of people in Europe, the Americas, Africa and Australasia. These include the UK’s Information Commissioner Elizabeth Denham and her counterparts in Australia, the USA, Canada, Burkina Faso and Albania, as well as the EU’s European Data Protection Supervisor.
Ms Denham said:
“The ambition and scope of the Libra project has the potential to change the online payment landscape, and to offer benefits to consumers. But that ambition must work in tandem with people’s privacy expectations and rights.
“Facebook’s involvement is particularly significant, as there is the potential to combine Facebook’s vast reserves of personal information with financial information and cryptocurrency, amplifying privacy concerns about the network’s design and data sharing arrangements.
“We know that the Libra Network has already opened dialogue with many financial regulators on how it intends to comply with financial services product rules. However, given the rapid plans for Libra and Calibra, we are concerned that there is little detail available about the information handling practices that will be in place to secure and protect personal information.
“I hope this statement will prompt an open and constructive conversation to ensure that data protection is a key part of the design process and that data protection regulators are a key consultative group as the Libra proposals develop.”
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The General Data Protection Regulation (GDPR) is a new data protection law which applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU did not affect the commencement of the GDPR.
- The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
  - Processed lawfully, fairly and in a transparent manner in relation to individuals;
  - Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  - Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  - Accurate and, where necessary, kept up to date;
  - Kept in a form which permits identification of data subjects for no longer than is necessary; and
  - Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
- Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
- To report a concern to the ICO go to ico.org.uk/concerns.