UK draws up fresh data protection measures for Brexit

A new Data Protection Bill will enshrine GDPR principles into UK law


The government today published plans to overhaul the UK's data protection regulations, in order to align UK law with corresponding measures being introduced by the European Union.

Part of the proposals will see the introduction of the "right to be forgotten", allowing UK citizens to request that companies delete their personal data from any records, as well as to demand that social media sites delete data they posted as children - something the EU is not implementing.


The Information Commissioner's Office (ICO), the UK's data protection watchdog, will also be able to hand down tougher fines against firms that mishandle personal data.

Firms which are found to be in breach of the new data protection bill will face fines of up to £17 million, or 4% of global turnover, whichever is highest. That's up from the current £500,000 cap imposed by the Data Protection Act 1998.

The Data Protection Bill will replace the current Data Protection Act that came into force in 1998, and which is considered inadequate for dealing with modern data processing.

Digital minister Matt Hancock, who was responsible for drafting today's proposals, described the new Data Protection Bill as "one of the most robust, yet dynamic, set of data laws in the world".


"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit," he added in a statement.


Information commissioner Elizabeth Denham said: "We are pleased the government recognises the importance of data protection and its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."

The bill mirrors proposals set out under the EU's upcoming General Data Protection Regulation (GDPR), which will apply automatically in the UK on 25 May 2018, as it will in all EU member states. However, once Brexit completes, GDPR will no longer apply to the UK, meaning it must draw up its own laws. Today's Statement of Intent is the first step in doing so.

GDPR measures include making data more portable, so it can be moved easily between providers, and ensuring companies are forced to immediately disclose details of a security breach if it involved the leak of personal data. It will include similar tough fines, of up to €20 million, and will hand EU citizens the right to be forgotten, as well as force organisations to gain clear opt-in consent to use and process people's personal information.


By enshrining like-for-like regulations into UK law, it is likely that the UK will be 'whitelisted' by the EU, allowing UK and EU businesses to move data through both areas without interruption.

"Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU," said Hancock. "We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world."

The bill aims to make it far easier for citizens to prevent companies from using their personal data without their consent, and, similar to GDPR, any companies seeking to collect information will soon be required to obtain "explicit" consent to process that data.

The scope of what constitutes personal data will also be expanded to include IP addresses, DNA and internet cookies.

Tom Thackray, innovation director at CBI, welcomed the proposals, saying they "strike the right balance in improving standards of protection while still enabling businesses to explore new products and services".


"In the modern economy, data has huge value and its innovative use leads to better services and more productive businesses. But firms know that this ability to innovate is dependent on customers having confidence that their information is well protected," added Thackray.

Javier Ruiz, policy director at digital rights campaign organisation Open Rights Group, welcomed the move to enshrine GDPR legislation into UK law, saying: "It will strengthen everyone's ability to control what data can be collected about them and how it can be used."

But he added: "These laws could be fundamentally altered after Brexit. The government must explain how these data protection rights will be guaranteed after the UK has left the EU. We are disappointed that UK ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws."
