The UK has published its new Data Protection Bill, which the Government claims will “bring our data protection regime into the twenty-first century”. The bill, which forms part of the National Cyber Security Strategy, is intended to strike a balance between protecting data, penalising those who break the rules and returning control of data to the people.
From a government so intent on undermining encryption, a tool which really does protect online data, this might seem a little inconsistent, so it is no surprise that the new bill has been described by the chairman of the National Association of Data Protection and Freedom of Information Officers, Jon Baines, as “a bit of a mess”.
EU General Data Protection Regulation
The new Data Protection Bill is enormous. It stretches to 218 pages, has 18 schedules, and comes with no fewer than 112 pages of explanatory notes. A document of that size usually means a few surprises are hidden within the legal language, and no doubt in the coming days policy wonks will be generating a few new headlines as they dig down into the detail.
The bulk of the bill is dedicated to bringing the European Union’s General Data Protection Regulation (GDPR) into British law. The GDPR applies from May 2018, a date which gives this bill a firm deadline by which it must be on the statute book.
It also confirms that the GDPR is going to apply to the UK despite Brexit, which some businesses had hoped would exclude them. The Government has stated that this bill will remain in law after Brexit has been completed.
GDPR is massively complicated and many companies are still unsure what exactly it will require them to do. Sadly, this bill has not made anything much clearer, and unless the Government or the EU delivers some clear guidance ahead of the May 2018 implementation date, short-term chaos is likely to ensue.
What else is in the new Data Protection Bill?
For individuals, the new bill is intended to hand back more control over their data, and there are a few things included to be welcomed. People will be able to demand information about how online sites are using their personal data, request that photos and posts that relate to them are removed, and withdraw consent for the use of their data.
Websites will no longer be permitted to use ‘pre-ticked boxes’ to get users to hand over the rights to their data, as many currently do. The penalties proposed by the new bill for companies which break these new laws are also stringent, with a maximum of £17 million or 4% of global annual turnover, whichever is greater, although these figures simply mirror the fines set out in the GDPR.
The bill also includes a number of new criminal offences, including altering personal data in an attempt to stop it being disclosed and unlawfully obtaining personal data. Re-identifying de-identified personal data will also be a crime, punishable by an unlimited fine. This last offence may worry security researchers a little, and it is quite likely that an exemption for them will be added as the bill progresses.
Exemptions to the bill
There are already a number of notable exemptions to many of the provisions in the bill, which the Government claims to have successfully negotiated with the EU. These include allowing journalists to access personal data for the purpose of exposing wrongdoing or as part of their right to freedom of expression.
Scientific and historical research organisations also have exemptions in cases where the new laws might impinge on their research, as do anti-doping agencies that pursue elite athletes who use performance-enhancing drugs. Some financial services and employment law exemptions are also included.
These are broadly sensible, although an exemption for security researchers is a necessity. As the GDPR requirements were already known, there are not many surprises in the bill.
Indeed, the only real surprise is the Government having the audacity to claim that it has people’s data protection interests at heart while at the same time hoovering up everybody’s online data and attempting to undermine encryption.
These two policies pose a huge threat to data protection, and until they change, the UK Government can be given no real credibility on the subject.