Why this missing piece of the UK's Data Protection Bill 'threatens consumer rights'

Digital rights groups continue to demand that independent bodies should be able to act on behalf of consumers

The UK's new Data Protection Bill, which is currently making its way through Parliament, seeks to update our data protection legislation to be in line with upcoming changes at the European level under GDPR, considered some of the toughest data regulations in the world.

The move means that once GDPR comes into force in May 2018, the UK will have regulations that closely follow those at the European level, something that is required to ensure the UK is whitelisted and is able to participate in the transfer of data across the continent.

However, the UK does have some leeway when it comes to the implementation of these regulations, including the option to tweak articles to fit UK requirements.

Currently, the UK's Data Protection Bill contains 27 amendments or omissions to the GDPR regulation framework. This includes a change to article 8, which allows the government to set its own age of consent laws for the processing of data, and a relaxation of article 10, allowing the UK to authorise the processing of data relating to criminal offences by bodies other than public authorities, otherwise prohibited under GDPR.

Many of the derogations are minor, and reflect certain procedural aspects that the UK government wishes to keep, yet the omission of article 80 has proven to be contentious among digital rights campaigners.

The first part of this article (80.1) states that victims of data breaches wishing to seek compensation have the right to hand their case over to independent bodies who will fight on their behalf. Instead of implementing the article in full, the government has decided to omit this clause, stating that it will move to legislate separately to allow non-profit organisations to deal with compensation claims.

Currently, there's nothing to indicate that the government will renege on this pledge. However, the fact that it will not be enshrined in the Data Protection Bill has raised concerns among consumer groups that it either won't happen, or will not appear in time for GDPR coming into force next May.

What is equally troubling is that organisations will be unable to act on their own initiative to bring complaints against companies in breach of consumer rights, as article 80.2, which would grant this power, has also been omitted from the Bill. Currently, there's no indication that the government plans to legislate on this provision.

Following the announcement in September that the Bill would be moving through parliament, it encountered almost immediate opposition from the Open Rights Group. The body's executive director Jim Killock said that the government had "neglected an important option in the General Data Protection Regulation. Open Rights Group wants to be able to campaign on behalf of people who are afraid of complaining or do not realise that they have been affected." 

This week the issue surfaced once again when consumer group Which? called for the Data Protection Bill to include a clause that lets both non-profit and for-profit organisations fight on behalf of consumers, even if express permission is not given by affected parties. 

"Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised," said Which? managing director of home products and services, in a statement. "The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach."

Research conducted by the watchdog found that of 2,000 internet users interviewed, one in ten believed they had been subject to a data breach over the past year, but remain confused as to who is responsible for protecting their data, and who to contact if they want to seek compensation.

When asked why the clause had been omitted in the Data Protection Bill, a government spokesperson told TechCrunch: "We are confident that our Data Protection Bill will provide consumers with the necessary protections when there's been an infringement of their rights regarding personal data. The Bill will make the UK fully compliant with the GDPR."

The issue is that for many consumers, the process of securing redress for lost data requires taking a lengthy, and often expensive, route through the courts where they're unlikely to benefit from the same legal expertise that an independent body will provide. Given that article 80 will not make its way into the Data Protection Bill, there's a possibility that an equivalent law won't see agreement until after GDPR comes into effect next May, and when it does arrive, will significantly hamstring the powers of consumer rights organisations.
