New Data Protection Bill

by Mark Rowe

Technology Secretary Michelle Donelan has re-introduced the Data Protection and Digital Information Bill. Promised is a ‘common-sense-led’ UK version of the European Union-wide GDPR (general data protection regulation).

To recap, the UK brought in its Data Protection Act 2018 to comply with the EU’s GDPR, despite the 2016 vote to leave the EU, as the UK was still in the EU when the GDPR came into force EU-wide. The Bill was ‘paused’ last autumn as ministers thrashed out what to put in and leave out. Science, Innovation and Technology Secretary Michelle Donelan said: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.

“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

The Bill will give the data privacy regulator, the Information Commissioner’s Office (ICO), a statutory board with a chair and a chief executive.

John Edwards, UK Information Commissioner, said: “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament.”

The Department for Science, Innovation and Technology, now in charge of data policy (a recent change to ministries by PM Rishi Sunak; previously responsibility lay with the DCMS, the Department for Digital, Culture, Media and Sport), says that AI and quantum computing have the potential to create benefits, such as reducing the risk of fraud, and complains that the UK’s existing data protection laws are complex and lack clarity on solely automated decision-making and profiling.

Comments

Susannah Copson, Legal and Policy Officer at the campaign group Big Brother Watch, said: “The revised Data Protection and Digital Information Bill poses serious threats to Brits’ privacy. The Government are determined to tear up crucial privacy and data protection rights that protect the public from intrusive online surveillance and automated decision-making in high-risk areas.

“This bonfire of safeguards will allow all sorts of actors to harvest and exploit our data more than ever before. It is completely unacceptable to sacrifice the British public’s privacy and data protection rights on the false promise of convenience.”

Dr Ilia Kolochenko, founder of ImmuniWeb, said: “Amid the rapidly growing EU GDPR fatigue, inconsistent enforcement among the EU member states and the growing costs of formalistic compliance that merely fosters tick-a-check-box-and-forget “security”, European companies would gain a significant competitive advantage on the global market if the European GDPR went through a similar set of improvements and simplifications.

“The EU’s current cybersecurity regulatory landscape is verging on overregulation, making it a disservice to both European individuals and businesses. Meanwhile, even more EU-wide legislation on AI, cybersecurity and privacy is coming in 2023-2024 – often promoting hardly compatible values and objectives, thereby making compliance extremely complicated and unnecessarily expensive.

“If the trend of overregulation persists, we will probably see massive and deliberate non-compliance, as the costs and penalties for non-major infringements will likely be much lower than the costs of a holistic implementation of the mushrooming EU cybersecurity regulations and directives.”

Jamie Akhtar, CEO and co-founder of CyberSmart, said: “The UK has taken the opportunity to rewrite the law in what it sees as a more appropriate way following its departure from the European Union. We applaud the shift from check-box to risk-based privacy assessment and implementation, but if done without clarity or standardisation, this can actually erode privacy as well as create confusion for businesses and data subjects alike. Indeed, it seems oxymoronic that we can both make it easier for organisations to unlock the power of data by reducing privacy requirements, whilst still being able to retain the global gold standard for data protection.

“Despite the scepticism around the complexity and effectiveness of the GDPR, it’s been one of the best-marketed pieces of legislative change in history. We risk reversing five years of educational progress toward better organisational awareness of the importance of personal data. This shift in stance signals that UK data protection law is an operational hindrance rather than an enabler of a trust-driven economy.

“Greater accessibility and guidance are going to be needed to provide clarity to those controlling and processing personal data. In its current form, the bill reduces this clarity, so we look forward to more practical guidance on how organisations will adopt the new regulation. Finally, the rise of Privacy Sovereignty has the potential to create further disparity in privacy frameworks across the globe. We’re therefore interested to see how adequacy will be met, particularly with the more prescriptive EU GDPR as well as the rest of the world (it’s been less than a year since the EU adopted the UK as adequate). There could be several challenges ahead in order to achieve recognition on a global level as the UK adopts more flexible privacy laws.”

And Julia O’Toole, CEO of MyCena Security Solutions, said: “While it is a good step towards better data protection and represents cost savings for UK businesses, it doesn’t address the critical question of who controls access to the collected data. Imagine you collect a whole city population’s personal, health and financial data and put it into a large room, and that you have 500 employees working there. Imagine that every one of those 500 employees makes their own password or key to access that room full of data, and that the data is leaked. Who is responsible for the leak? The company, or any one of the 500 employees who gets their password phished?

“Until legislators wake up to the critical issue that companies currently do not control access to their data – their employees do – compliance with data privacy laws won’t help improve people’s data protection. However, this issue can soon be resolved with new insurance policies coming this year requiring companies to have access segmentation and encryption management in place for coverage. This is where systems access credentials are segmented and distributed, encrypted, by organisations to their employees, so that their passwords can’t be known or stolen.”

© 2024 Professional Security Magazine. All rights reserved.