The Data Protection Bill Explained
Prior to the 2017 general election, we look very briefly at the Conservative proposals to introduce and strengthen consumer data protection online, including their manifesto pledge to give young people the right to have any information, videos, or photos from before their 18th birthday removed from social networks. The policy was announced as a part of the Queen’s speech, where she declared that the UK would retain its “world-class” data protection regime.
The bill, if it passes, would replace the 1998 Data Protection Act, which is, arguably, far out of date given the growth of the internet and big data since its inception. It would also implement the EU General Data Protection Regulation (GDPR), as the UK has fully committed to upholding EU law until 2019, the official leave date for the UK. The GDPR will give regulators far greater powers to fine companies up to 4% of their global turnover or 20m euros (£17m), whichever is greater. Currently, the Information Commissioner’s Office (ICO) only has the power to issue a £500,000 fine.
The regulation will also force companies to explain how they are complying with regulations and make it mandatory for larger firms to employ a data protection officer. Data breaches will also now have to be reported within 72 hours of the breach. Interestingly, these new laws are to apply to any firms outside of the EU who are handling the data of EU citizens, so US firms like Facebook or Google could be forced to comply – although it is unclear just how this will work in practice.
The GDPR also gives citizens the “right to be forgotten”, the “right to data access” (so you can easily find out what data a company is storing about you) and the right to “data portability”. Together, these rights will force companies to delete data and information at a client’s request, or to move it to a new service provider with ease.
The proposed UK Data Protection Bill takes the new laws from the GDPR and builds upon them further: to comply with EU regulations whilst the UK remains a part of the political union, to ensure the country meets its obligations while a member of the EU, and to help the UK maintain its “ability to share data with other EU member states and internationally after we leave the EU”.
“The Bill includes tougher rules on consent, rights to access, rights to move and rights to delete data. Enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded.”
The document went on to lay out the proposals to make Britain one of the safest places in the world for consumers to store their data:
“Our vision is to make the UK the safest place to live and do business online. With the increasing volumes of personal data there is an increasing need to protect it.”
Perhaps the most striking part of the proposals is the expansion of the definition of “personal data” to include “IP addresses, internet cookies and DNA”.
The UK bill will also give the ICO powers to record more serious offences on the Police National Computer (PNC) database, which can be disclosed as part of previous conviction or criminality checks. The legislation would also create a host of new offences including:
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, with an unlimited maximum fine.
- Altering records with intent to prevent disclosure following a subject access request, using Section 77 of the Freedom of Information Act 2000 as a template. It states that “any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.” The new law would not only apply to public authorities, but to any data processors and controllers – in other words, anyone who is handling your personal data – and would also carry an unlimited fine.
- Widening the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully) – this, in turn, will also give more power to consumers to demand their right to be forgotten and to move their data between service providers like insurers, email hosts, etc.
- The laws even include protections for journalists and whistleblowers, creating exemptions.
- All companies handling our personal data will require a Data Protection Officer who will “advise data controllers on data issues, handle complaints and ensure compliance with the Data Protection Law Enforcement Directive.”
Finally, these proposals will attempt to make it more difficult for companies to collect data without explicit consent (especially in the case of personal data). The use of “opt-out” or preselected “tick boxes” will be outlawed, parental consent will be required for a site to process the data of any child under the age of 13, and consent for the use of our personal data will be “easier to withdraw”.
Whilst the feasibility of the implementation of some of these regulations may be called into question, there is no doubt that this expansion of consumer rights over our own personal data is long overdue. With ever increasing amounts of our personal data being stored by companies around the world, these measures are a step towards putting the power of our data back in our own hands.