The UK’s Digital Minister, Matt Hancock, has drafted a proposed Data Protection Bill that would give British citizens more power over their data. The proposed legislation – which will be published in its entirety in September – seeks to prepare the UK for Brexit by bringing UK legislation into line with the EU’s forthcoming General Data Protection Regulation (GDPR).
Mr Hancock says the bill will, in effect, give people a “right to be forgotten” by corporations. It will allow people to ask online traders and services to delete their data, and it will end the practice of relying on pre-ticked boxes and default opt-outs to manufacture consent. From the statement of intent:
“The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.”
Little of this is unique to the UK; most of it mirrors what GDPR already requires. Martin Sloan of Brodies solicitors put it this way:
“Despite the fanfare, today’s announcement on the Data Protection Bill contains little new in relation to the protection of individuals’ personal data. It simply confirms the UK Government’s intention to mirror the General Data Protection Regulation into UK law post-Brexit. What we do now have is some more detail on how the UK plans to implement some of the national derogations under GDPR.”
In his blog post on the subject, Sloan reveals that “as an EU Regulation in force at the date of Brexit, those measures [GDPR] would be imported automatically into UK law upon Brexit under the European Union (Withdrawal) Bill.”
GDPR itself applies from 25 May 2018, and from that date it binds every UK firm that processes personal data, Brexit or not. The UK bill therefore seeks to clarify the UK’s position on GDPR, and how it will carry it over, before the country leaves the EU.
The proposed legislation also seeks to make good on promises made by Theresa May during her election campaign. At that time, May proposed that young people should be given the power to delete comments made on social media when under the age of 18. That proposal was included in the Queen’s speech, following the Conservative party’s win.
Perhaps surprisingly, the government has since broadened that proposal: the bill will allow all UK citizens, not only under-18s, to request that their data be deleted. I say “surprisingly” because it appears that the UK is finally doing something right with regard to privacy. This is something of a shock, considering that Britain has drawn sustained criticism in recent years for invasive laws such as the Snooper’s Charter (the Investigatory Powers Act). It is also worth noting that the new right will not apply to GCHQ or to UK ISPs, which will still have to retain customer data for 12 months under the Investigatory Powers Act.
Power to the People
Like GDPR, the new law will give UK citizens considerable control over their digital footprints. In addition, Mr Hancock says the law will widen the definition of “personal data” to cover not only DNA but also identifiers such as IP addresses and cookies. Furthermore, it will create a criminal offence around re-identification: firms that allow individuals to be identified, intentionally or accidentally, from data that had been anonymised may face charges.
This should force firms to take more care over how they anonymise consumer data (credit card records, for example). The bar is higher than it looks: research published in 2015 showed that “anonymised” data can often be re-identified with ease. That study (“Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata”) took three months of credit card transactions from which names, addresses and account numbers had been removed and re-identified individuals purely from the pattern of where and when they shopped; four known purchase points were enough to single out about 90% of people. Under the UK government’s proposals, a re-identification of that kind could lead to fines for the firms that did the anonymising in the first place.
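The mechanism is easy to see on a toy dataset. The following is an added example, not code from the article or from the cited study; the transaction log is constructed for illustration, and the merchants and pseudonyms (`p1`–`p6`) are invented. It strips everything but a pseudonym, a merchant and a date, then measures how often a handful of (merchant, date) points picks out exactly one record holder, and shows how coarsening the date to the month reduces that uniqueness.

```python
"""Toy re-identification of a pseudonymised transaction log.

Added example (not from the article or the cited study). It mimics the
idea behind "Unique in the Shopping Mall": once names, addresses and card
numbers are gone, a few (merchant, date) points an attacker already knows
about a person (a receipt, a social-media check-in) can still single out
that person's record. The dataset is constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: (pseudonym, merchant, date). Names, addresses and
# account numbers have already been removed, as the article describes.
TRANSACTIONS = [
    ("p1", "Supermarket", "2015-01-05"), ("p1", "Cafe", "2015-01-06"), ("p1", "Pharmacy", "2015-01-09"),
    ("p2", "Supermarket", "2015-01-05"), ("p2", "Cafe", "2015-01-06"), ("p2", "Bookshop", "2015-01-10"),
    ("p3", "Supermarket", "2015-01-05"), ("p3", "Cafe", "2015-01-07"), ("p3", "Pharmacy", "2015-01-09"),
    ("p4", "Supermarket", "2015-01-12"), ("p4", "Cafe", "2015-01-06"), ("p4", "Pharmacy", "2015-01-09"),
    ("p5", "Supermarket", "2015-01-12"), ("p5", "Cafe", "2015-01-07"), ("p5", "Bookshop", "2015-01-10"),
    ("p6", "Supermarket", "2015-01-05"), ("p6", "Pharmacy", "2015-01-09"), ("p6", "Bookshop", "2015-01-10"),
]


def exact(merchant, date):
    """Default representation of a point: the merchant and the full date."""
    return (merchant, date)


def month_only(merchant, date):
    """Generalisation: keep the merchant, coarsen the date to YYYY-MM."""
    return (merchant, date[:7])


def histories(transactions, key=exact):
    """Map pseudonym -> set of points, where a point is key(merchant, date)."""
    by_user = defaultdict(set)
    for uid, merchant, date in transactions:
        by_user[uid].add(key(merchant, date))
    return by_user


def candidates(transactions, known_points, key=exact):
    """Pseudonyms whose history contains every known (merchant, date) point.

    This is the attacker's query: "who in this dataset was at all of these
    places on these days?"  A single answer is a re-identification.
    """
    wanted = {key(m, d) for m, d in known_points}
    return sorted(uid for uid, pts in histories(transactions, key).items() if wanted <= pts)


def reidentification_rate(transactions, k, key=exact):
    """Share of k-point subsets, over all users, that match exactly one pseudonym.

    A deterministic stand-in for the study's "pick k random points and see
    whether they are unique" measurement: every k-subset of every user's
    history is tried.
    """
    by_user = histories(transactions, key)
    tried = unique = 0
    for pts in by_user.values():
        for subset in combinations(sorted(pts), k):
            tried += 1
            matches = sum(1 for other in by_user.values() if set(subset) <= other)
            if matches == 1:
                unique += 1
    return unique / tried if tried else 0.0


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k}: {reidentification_rate(TRANSACTIONS, k):.2f} of subsets are unique")
    print(f"dates coarsened to month, k=3: {reidentification_rate(TRANSACTIONS, 3, month_only):.2f}")
    # Attacker knows two facts about one person: a cafe visit and a bookshop visit.
    print(candidates(TRANSACTIONS, [("Cafe", "2015-01-06"), ("Bookshop", "2015-01-10")]))
```

On this sample no single point identifies anyone, half of all two-point combinations do, and every three-point combination does; coarsening the dates to the month brings the three-point rate down to one record in six. That is the practical caveat behind the article’s point: removing names and account numbers is pseudonymisation, not anonymisation, and a firm that wants to rely on “anonymised” data needs to measure uniqueness and generalise or suppress fields until it is low.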
What’s more, the proposed Data Protection Bill greatly increases the fines for failing to protect consumer data, from the current maximum of £500,000 to £17m or 4% of global annual turnover, whichever is higher. The fines that firms face for a severe data breach could therefore be monumental.
The TalkTalk hack of October 2015 puts the change into perspective. Following that breach, the Information Commissioner’s Office fined the UK telecoms firm a record £400,000. Under the new proposals, the same breach could attract a far larger penalty.
What Should Firms Store?
One possibility is that UK-based firms will decide to stop collecting and storing so much data about consumers in the first place. That would be a good outcome. It could help to create a culture in which firms not only make greater efforts to protect consumer data but are also more selective about what they keep on their servers.
As a general rule, if a piece of data isn’t strictly necessary, consumers and firms alike are better off if it is never stored at all. Data that sits on a server is data that can be stolen, and every record retained is one more reason for a criminal to target the system.
Hancock’s statement makes it clear that the UK government believes the legislation will be nothing but positive:
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
Minor Differences from EU’s GDPR
The UK’s version of GDPR will differ from its European counterpart on a few important points. GDPR itself only permits official bodies, such as the police, to process personal data relating to criminal convictions and offences. In the UK, the law will permit other organisations to handle that type of data under “specific circumstances.” This will allow employers, for example, to carry out criminal records checks.
The UK version of GDPR will also permit decisions about individuals to be made by “automated means.” According to the statement of intent, this is because there are legitimate uses for this kind of processing, such as bank credit-rating systems that reach a decision by automatically extrapolating from data sets. The good news is that the law will also allow people to challenge decisions made by automated means.
In addition, the UK’s Data Protection Bill will lower the “digital age of consent” to 13, bringing it into line with the US COPPA rules. That means children aged 13 and over will no longer need parental consent when online services and apps ask for their personal data.
Kathryn Wynn of Pinsent Masons has said that it is still early days, and that UK-based firms will need to wait for the full publication of the drafted legislation to be sure about how they need to handle their customers’ data in practice.
However, Wynn doesn’t feel that any of the differences from the EU’s GDPR “unduly prejudice the privacy of individuals.” She expects those derogations to be “welcomed by businesses,” particularly in the financial sector.
Opinions are the writer’s own.
Title image credit: Tashatuvango/Shutterstock.com
Image credits: Drop of Light/shutterstock.com, northallertonman/Shutterstock.com