The UK's Data Protection Act began looking long in the tooth
some time ago. It was introduced in 1998 when the internet was a very different
place, after all, and today the government has published more details on the
upcoming Data Protection Bill, which will update laws to ensure they're fit for
the hyper-connected era. Delivering on a Conservative Party manifesto pledge,
the bill will introduce a new right for people to instruct social networks to
delete anything they posted before the age of 18.
This has been called the "right to innocence," and
will mean you can more easily purge social media activity that's embarrassing
or no longer reflects you as an adult. The power is part of a bigger expansion
of existing "right to be forgotten" laws. Currently, you can only
request that personal information be deleted -- removed from Google search
results, for example -- if it causes significant distress, such as details of a
petty crime you committed as a kid that are still following you decades later.
This right will be extended to any personal data you deem
irrelevant or outdated, giving you much more control over your digital
footprint. The definition of 'personal data' is also being widened to include
IP addresses, internet cookies and DNA. The Data Protection Bill should also
cut down on how much data you are producing and companies are collecting in the
first place.
The bill introduces the concept of "privacy by default
and design." The idea is that online services like social networks mustn't
assume consent and must enable the strictest privacy settings as a matter of course.
Instead of having to dig through menus and opt out of data collection schemes,
or finding out after the fact you agreed to something undesirable buried in
complex terms and conditions, you are offered the right to privacy "by
default." In other words, companies must be transparent about collecting
and processing data, and get your explicit consent to do so.
In a similar vein, social networks will be required to seek
the consent of parents/guardians before allowing anyone under the age of 13 to
register an account, and make the process of withdrawing that consent simple.
New rules also mean an individual can ask any company what data they hold on
them and be provided that information free of charge. Where the automated
processing of data builds a personal profile -- such as a credit rating, for
instance -- people will be entitled to request that the data be reviewed by a
human.
While it's still unclear how this will work exactly, the
Data Protection Bill introduces a requirement for "data portability."
This will mean companies have to create mechanisms by which you can 'export'
all your personal data so you can use it elsewhere. Say you wanted to swap
email provider. In that example, Yahoo will have to let you transfer all your
emails, contacts and such to another service like Gmail -- kind of how it's
pretty easy to move bookmarks between browsers.
The same will be true for cloud storage services, or fitness
tracking apps that record heart rate data. Again, this concept hasn't been
fully fleshed out, but the idea is you shouldn't be locked into using a
specific service just because you've built up a data history with that service.
By making it easy to move your data elsewhere, companies will be put under
greater competitive pressure to retain users and customers by building the best
or most affordable services.
As businesses will have all these new rules to play by, so
will the UK's Information Commissioner's Office (ICO) have to provide greater
oversight. There's a new requirement for companies processing large volumes of
personal data to notify the ICO of any breach within 72 hours. Any business
that doesn't adhere to the tighter data protection laws could also face much
higher penalties. The ICO can currently issue a maximum fine of £500,000. The
Data Protection Bill raises that up to £17 million, or 4 percent of global
turnover. A new offence will also be introduced in order to punish those
"intentionally or recklessly re-identifying individuals from anonymised or
pseudonymised data."
While the Data Protection Bill is specific to UK law, it's
mostly intended to reflect the EU General Data Protection Regulation (GDPR),
which was approved last year and comes into force in May 2018. The UK is still
an EU member state at this point, of course; but post-Brexit, the new Data
Protection Act will ensure our laws are on par with the rest of Europe. Having
the same privacy standards across the region means there shouldn't be any
barriers to the movement of data, whether that be between businesses, services
or law enforcement agencies.