New proposals aimed at making it easier to demand that personal data be deleted have been put forward by the Government’s Minister for Digital.
The new rules could mean fines of billions of pounds for companies like Google and Facebook, but is there actually anything new in the plans at all?
Let’s go back to basics – what is in the proposed law?
Under the new proposals, we will all have the right to demand that data about us is deleted. Yes, that includes embarrassing photos and Facebook posts we made years ago.
Amongst other things, it will also be made simpler to withdraw consent for personal data to be used. Firms will often have to get explicit consent to process sensitive data, rather than relying on tick-boxes which are often overlooked. However, explicit consent will not always be needed – there are a number of potential exceptions in Article 9 of the Regulation; for example, if the data has already been made public by the individual or the processing is necessary for criminal justice purposes.
The rules will also cover data we don’t even realise we’re exchanging, like IP addresses and ‘cookies’, which websites put on our computers to recognise us. Our DNA – which most of us don’t know about, but which can be detected from any cell in our bodies – will also count as personal data.
It will even become a criminal offence to re-identify people from data which has been made anonymous. Companies will also have a duty to protect themselves from cyber-crime, such as the WannaCry attack which affected many NHS hospitals in May, and to be able to show how they are doing it.
And what happens if companies don’t comply?
Hancock says that the new Data Protection Bill will give us “one of the most robust, yet dynamic sets of data laws in the world.” Firms that flout the new laws could be subject to huge fines, up to £17 million, or 4% of global turnover.
Many companies are thought to be quite unready for the new regime and may risk these fines simply through their own ignorance of what they need to do.
So, what’s this got to do with Brexit then?
Critics say these proposals aren’t much more than the EU’s General Data Protection Regulation (GDPR), which automatically becomes UK law anyway in May 2018. Although the UK has voted to leave the EU, we have to comply with EU regulations until Brexit has actually happened.
The GDPR brings in seven main data rights, including a right of erasure (to get rid of the stuff we don’t want out there anymore) and a right of free access. Like all EU Regulations, the GDPR has ‘direct effect’ in the UK until we leave, and we don’t have to pass new laws to bring them in. The proposed new law repeats much of what is already in the GDPR.
The new Bill will ensure, however, that whatever happens with the rest of EU law, data rights will continue to be protected.