UK publishes first draft of new, stricter data protection laws
The bill includes some exemptions from the latest EU regulations.
The UK's Data Protection Act 1998 is staring retirement in the face, as the government has now published the first draft of the new Data Protection Bill designed to replace it. We actually know quite a bit about the bill already. It was first mentioned in the Queen's Speech in June, with many of the finer details revealed last month. Among the headline provisions is a new power for the public to request social networks delete anything they posted before the age of 18, informally known as "the right to innocence."
This is in addition to expanded "right to be forgotten" rules. You'll be able to ask Google, for example, to remove search results on the basis the information is outdated or irrelevant. Currently, you can only make a case to have your past erased if search results surface info that causes significant distress -- something you did as kid that doesn't reflect you as an adult but is still haunting you, for instance.
The bill also intends to create an environment where you can expect more control of your data and a higher level of protection as standard. As part of the "privacy by default and design" concept, services like social networks will have to set you up with the strictest privacy settings rather than assuming you'll opt-out of anything you're uncomfortable with later. They will also have to seek the explicit consent of parents and guardians before allowing anyone under the age of 13 to register.
One of the proposals that's still not particularly well understood is an onus on companies to allow for "data portability." In practice, this should let you take all your data from one service and move it to a competitor's platform -- swapping email provider and taking your inbox and contacts with you, for example. The bill also introduces tougher penalties for poor data handling, as well as a requirement for businesses to alert the UK's Information Commissioner's Office of any breaches within 72 hours.
Broadly speaking, the bill will write the EU's freshly stamped General Data Protection Regulation (GDPR) into British law. Interestingly, though, the government said today it has "successfully negotiated" several exemptions from the GDPR. These don't appear to be at odds with the general tone of European regulations, however. The exemptions basically give extra protection to or eliminate confusion around the processing of data of journalists, scientific and historical research organisations, sports bodies investigating doping and financial institutions looking for evidence of money laundering and other illegal activity.
The Data Protection Bill has now begun the standard process of being scrutinised by the House of Lords and House of Commons before eventually becoming an Act of Parliament. Just a few weeks ago, the government published a related set of proposals outlining the best-case scenario for how it can keep data flowing between the UK and EU post-Brexit. MPs hope that data sharing can continue uninhibited, on account of the Data Protection Bill reflecting the strictness of the EU GDPR.
The reality of the post-Brexit relationship could be a very different, though, as once we lose our seat at the round table, the EU might take issue with the UK's digital surveillance powers. Particularly those in the Investigatory Powers Act, some of which take a certain disregard for data privacy when it's deemed "necessary and proportionate" to aid certain intelligence investigations.