A major update to the UK’s data protection rules will place new requirements and responsibilities on companies that process users’ personal data, including by making it easier for consumers to withdraw consent for their data to be processed; view what data is held on them for free; ask for their data to be deleted; and move their data between service providers.
The government published a statement of intent yesterday for the forthcoming data protection bill, setting out its aims and thinking, and confirming it will repeal the existing Data Protection Act to avoid creating any legal conflicts or confusion.
Under the incoming rules, teenagers will be able to ask social media companies to delete information posted in their childhood, for example — expanding an existing European legal ruling around a so-called ‘right to be forgotten’ which currently applies to how search engines can index the personal data of EU citizens.
While widely used, much derided pre-ticked ‘consent’ boxes for processing personal data are set to be outlawed — with consent having to be “unambiguous” (or “explicit” for sensitive personal data), as well as easy to withdraw.
The updated UK data protection legislation will also expand the definition of personal data to include IP addresses, Internet cookies and DNA; and make it a criminal offense to re-identify individuals from anonymized data — either with intent or through recklessness. The maximum penalty for this new offense will be an unlimited fine.
Digital minister Matt Hancock described the plans, published yesterday in draft form and following an earlier consultation, as a “balance between supporting innovation and data protection”.
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” he said in a statement. “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.
“The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
Another new offense set to be created under the law is the altering of records with intent to prevent disclosure following a subject access request — this will also carry an unlimited fine in England and Wales.
The UK’s data protection agency is also set to get sharper teeth as a consequence of the European Union’s General Data Protection Regulation (GDPR), which ramps up the size of the fines that can be levied by regulators for data protection breaches.
Currently in the UK the maximum fine the Information Commissioner’s Office (ICO) can issue is £0.5M. (Last year the agency issued a then-record fine of £0.4M to ISP TalkTalk for a 2015 data breach.)
Larger fines of up to £17M (€20M) or 4 per cent of global turnover will be allowed under the new rules — which the government says will enable the ICO to “respond in a proportionate manner to the most serious data breaches”.
The GDPR also shrinks the time-window when organizations are required to report serious data breaches to the ICO — down to within 72 hours.
“Businesses must notify the ICO within 72 hours of a data breach taking place, if the breach risks the rights and freedoms of an individual. In cases where there is a high risk, businesses must notify the individuals affected,” the government notes on this.
Companies also face obligations under the GDPR to conduct risk assessments if they carry out “high risk data processing” — in order to “understand the risks involved and mitigation required to prevent inappropriate usage”.
In a statement on the UK proposals, information commissioner, Elizabeth Denham, said: “We are pleased the government recognizes the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
“The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past,” the government asserts now, in its proposals to update domestic DP law.
The GDPR is due to come into force across the EU in May 2018, and much of the UK plans for updating domestic data protection rules are aimed at achieving alignment with the pan-European regulation. Even though the UK voted last year to leave the bloc, it remains an EU member during the two-year exit negotiation process and therefore must comply with EU law.
Beyond that, and when it comes to data protection rules specifically, the UK’s stated desire for a continued trade and information sharing relationship with the EU in the future — i.e. after it is no longer a member — essentially requires continued compliance with the bloc’s data protection standards.
Hancock himself said as much earlier this year, when he told a committee that the government wanted to ensure “unhindered data flows after Brexit”, which he said essentially meant “matching” the EU’s data protection rules, rather than the UK trying to strike out and set its own standards.
In the statement of intent for the new data protection bill, Hancock details how the government intends to handle some areas of permitted derogation from the GDPR — for example it plans to set the age at when a child can legally give consent for their data to be processed at 13 (the GDPR allows Member States to set an age between 13 and 16, though sets its own default at 16).
The UK also intends to continue to allow organisations other than those vested with official authority to process personal data on criminal convictions and offenses in “certain specified circumstances” — an existing regime which it says has enabled, for example, employers to perform “accurate criminal records checks”, and the underwriting of driving insurance.
The government also says it “will take a similar approach to that taken for the processing of special (i.e. sensitive) categories of personal data”.
Another exemption the government intends to exercise is to allow scientific or historical research organisations which gather statistics or organisations performing archiving functions in the public interest to be exempted from obligations to provide rights of access of individuals to the data held on them and obligations to rectify inaccurate personal data upon notification — although it notes this will only be the case “if compliance would seriously impair these organisations’ ability to carry out research, archiving or statistics-gathering activities”.
It also intends to exercise an exemption on automated individual decision-making. While the GDPR states that an individual has the right not to be the subject of a purely automated decision making process, it does allow for exemptions — “where suitable measures are put in place to safeguard the individual’s rights, freedoms and legitimate interests”.
“Individuals will have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to them which is based solely on automated processing and which produces legal effects or similarly significantly affects them, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention,” the government notes.
The statement also confirms the government intends to legislate to provide for an expanded and modernized data protection framework specifically for national security purposes — an area that lies outside the scope of the GDPR.
This will be based on a revised Council of Europe convention, with the government saying it plans to introduce data protection standards “that reflect the huge growth in data and changes in technology”, and ensure “data is processed, not only lawfully, but ethically”.