Right to be forgotten: UK pledges to crack down on companies hoarding your data
If a company breaks data protection law in the UK right now, the maximum fine it can receive is £500,000 – that’s either a mild slap on the wrist or a mortal wound, depending on the company in question. Under a planned overhaul unveiled by digital minister Matt Hancock today, that figure could be 3,300% higher.
The government’s Data Protection Bill will push the General Data Protection Regulation (GDPR) through following its announcement in the Queen’s Speech in June. GDPR has been designed to protect EU citizens from privacy and data breaches. It will give customers more control of their data and force companies to tell customers about breaches within 72 hours.
But fines of up to £17 million (or 4% of global turnover), as part of this Data Protection Bill, are actually not the headline change here. Rather, it’s the tightening of the laws which could lead to such fines. Most prominent of these is a “right to be forgotten” for UK customers of businesses which hoard data, from social media platforms to ecommerce sites. Under these regulations, anybody would be free to demand that their data be removed from company records.
The plans also considerably expand what can be classified as data, widening the definition to include IP addresses, DNA and cookies. Not only will companies have to ask for explicit consent to use collected data (no more pre-filled tick boxes permitted), but the regulations also intend to make it simpler for customers to withdraw consent for their data to be used whenever they like.
This is considerably stronger than anything written in the Conservative manifesto at the general election, but it’s hard to imagine any MPs standing in the way of the proposed law. In fact, it’s the kind of safe bill that minority governments like to push ahead with, to create the perception of getting things done, when more partisan votes would almost certainly fail.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said Hancock, in a somewhat grandiose statement. “It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Ah yes, it wouldn’t be a British political story without talking about the red, white and blue elephant in the room. A deliberate purpose of the new laws is to ensure that British and European regulations match, to create as frictionless a relationship between the EU and UK as possible post-Brexit. Once Britain leaves the European Union, it will change from being a member state to a “third-party country”, and EU law stipulates that data can only be transferred to such nations when a certain level of protection is guaranteed.
By getting ahead of the EU on these matters, Britain hopes to remove a hurdle from the trade negotiations, although it’s fair to say that the figurative course ahead would still favour Kendra Harrison over Usain Bolt.