Data protection is getting a shake-up in the UK. The EU’s General Data Protection Regulation (GDPR) is due to be applied in the UK from 25th May 2018. The government has already confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Now it seems that the government is using this as an opportunity to overhaul UK Data Protection legislation as it brings it in line with the new Regulation.
On the surface the proposed changes seem to do a good job of addressing some of the issues that we face with ever-increasing data protection, while not constraining innovation and competition. Time will tell whether they meet the rather lofty goal of making the UK the safest place to live and do business online.
“Our vision is to make the UK the safest place to live and do business online.”
The planned reforms, drafted by the Digital Minister, Matt Hancock, are intended to strengthen individual rights and give people more control over their personal data.
The UK’s Information Commissioner, Elizabeth Denham, has welcomed the approach being taken – “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
One issue mentioned specifically in the proposals is strengthening rules around consent, making the granting of consent both less ambiguous and easier to withdraw. Critics of the current data protection framework have long argued that good ideas have led to poorly implemented regulations.
The EU ‘Cookie Law’ approach is one implementation that has long drawn fire for doing little to prevent tracking via cookies, while making internet users complacent about simply clicking ‘I agree’ on the notices that websites are required to display.
The new proposals are intended to ensure that default opt-outs or pre-selected “tick boxes”, which the proposals note are largely ignored, will become a thing of the past.
When it comes to organisations holding personal data, the proposals suggest a need for improved data access, making it easier to require an organisation to disclose the personal data it holds, at no charge to data subjects. Being able to identify what personal data is stored by companies, and to correct errors and omissions, has long been at the core of the UK’s data protection principles.
One important aspect that, if implemented properly, should help support greater diversity and competition in the digital arena is the new proposals on data portability, making it easier for customers to move data between service providers.
Importantly, the new proposals also touch on ‘Big Data’ analysis and decision making, with new commitments on ensuring individuals will have a greater say in decisions that are made about them based on automated processing. In addition, a right to a manual review where decisions have been made based solely on automated processing is to be included.
Possibly most importantly, the new legislation will include a broader right to be forgotten.
People will be able to ask for personal data, whether it is collected about them or posted by them, or information posted when they were children, to be deleted. This may go some way to address the problems that have started to arise for people who have been visible on social media from a young age, often since they were teenagers, with controversial or simply unprofessional comments and posts, which may or may not reflect their current views, being prominently visible when their names are searched.
Under the new proposals individuals would have the ability to ask social media companies to delete any or all of their posts. The proposals suggest that a post on social media made as a child would normally be deleted upon request, subject to very narrow exemptions under the new rules.
The UK’s data protection regulator will also see its powers expanded, and will gain the ability to levy considerably larger fines on organisations that breach the rules. In the UK, firms that allow significant amounts of personal data to be compromised could be fined up to £17m or 4% of global turnover.
There has been internal change at the Information Commissioner’s Office (ICO) to help manage the changing environmental and operational landscape. Departmental structures have been revamped and a new Senior Leadership created, although questions remain around whether the ICO has the resources to properly address the challenges and opportunities arising from an ever-growing digital economy and changes to legislation both in the UK and abroad.
As part of the ICO’s Annual Report for 2016/17, Ms Denham was explicit about the changes her office faces.
“My office is preparing for the future in data protection with new processes, a comprehensive change programme and an education and guidance programme for stakeholders and the public.”
“Continued growth and citizen confidence in the digital economy needs an information rights regulator that is helpful, authoritative, tech-savvy and practical, but also a regulator that is firm and takes action when wrongdoing occurs.”
For any new data protection regime to work, the ICO has to have the right resources. With the right resources and good legislation based on these plans, legislation that really does protect individuals and personal data, the UK may well become a very attractive, safe place to live and do business online.
Even so, it will also have to overcome the barriers created by security legislation like the Investigatory Powers Act, and the perception that the UK is far too keen to intercept and monitor personal and business communications.