On August 7, the UK government published a so-called “Statement of Intent” for the overhaul of its data protection law. Nearly a month later, companies and citizens alike are still waiting for the details.
Speculation has been rife, but it is clear that this is a first step to compliance with the EU General Data Protection Regulation (GDPR). As the EU GDPR will come into force on 25 May next year, well before any Brexit deal, the UK is obliged to comply with it. But even after Brexit, UK data protection law will need to be aligned with EU GDPR rules if a free flow of data is to continue.
New elements for UK data protection law
So what do we know? The definition of “personal data” will be expanded to include IP addresses, cookies, and DNA – how the last category could ever have been in doubt is a moot point. Other unsurprising changes include:
- Banning default opt-out checkboxes for data collection.
- Children older than 13 will be able to consent to data collection, as allowed by the EU GDPR.
- Social media platforms would be required to delete information held about children at the age of 18 upon request.
- So-called “class action” legal redress is foreseen to allow actions to be brought on behalf of similarly affected individuals by a representative entity (e.g. ombudsman, consumer or civil society bodies).
Reckless identification outlawed
More controversially, the paper wants to “create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.”
However, this has provoked controversy among legitimate security researchers, who may no longer be able to conduct their investigations lawfully: when highlighting security flaws they often have to demonstrate re-identification as a “proof of concept”.
Lukasz Olejnik, a cybersecurity and privacy researcher, told The Guardian: “It’s a justified risk. Security and privacy research requires assessing system strength, including trying to break de-identification and anonymisation systems. This can be done by demonstrating re-identification. When faced with unlimited fines and unspecified provisions, I cannot imagine anyone risking conducting research for public good.”
Although creation of the new UK data protection law will involve the repeal of the current Data Protection Act 1998, the government says it will reflect it as far as possible, including reproducing the existing exemptions. This is likely to take the form of a derogation allowing organisations that currently process sensitive personal data for public interest purposes in compliance with the Data Protection Act to continue to do so under the updated law.
Sanctions or slap on the wrist?
The EU GDPR caused headlines with its high sanctions, and the new UK data protection law will reflect this with top fines of 4 percent of global annual turnover or £17 million – similar to the EU’s €20 million cap.
The UK Information Commissioner, Elizabeth Denham, said however that maximum fines will not become the norm but rather a last resort: “We have never invoked our maximum powers. Predictions of massive fines under the EU GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense,” she said in a blog post.
“Like the Data Protection Act, the EU GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”
The UK data protection law is expected in full in the coming weeks and is due to be voted on in the current parliamentary term in plenty of time for the May 2018 EU GDPR deadline.
British Minister for Digital, Matt Hancock, claims “the UK is leading the way on modern data protection laws and we have worked closely with our EU partners to develop world leading data protection standards.” Many, particularly in the European Parliament, might disagree with him in light of the country’s spectacular carve-out for intelligence services under the Investigatory Powers Bill, also commonly referred to as the Snooper’s Charter.
Although it is clear the UK wants to settle UK-EU data transfers for the foreseeable future, Brexit is a stumbling block. In its latest Brexit policy paper the UK government says: “It would be in the interest of both the UK and EU to agree early in the process to mutually recognize each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.”
That could include giving the UK Information Commissioner a seat on the European Data Protection Board, but the EU is unlikely to accept that if the UK cannot meet adequacy standards. Britain may very well find itself in the same hot water as the US following the European Court of Justice Schrems ruling and forced to negotiate a similar Privacy Shield-style agreement.
Elsewhere, the EU is likely to sign adequacy decisions with Japan and South Korea next year, something the ICO will no doubt watch with interest.