Data protection for customers, but not for citizens

Credit: Rawpixel.com/Shutterstock.com

The bill will also make it easier for surfers to withdraw permission for companies to harvest their personal data, require companies to reveal on request the personal data they hold on customers, and to require consent from parents before the personal data of children can be harvested.

Such measures are intended to bring British law in line with the EU's General Data Protection Regulation, which is scheduled to come into effect from May 2018.

However, while this will certainly give the UK public more control over the data they generate as customers and consumers, it will do nothing to address the worst excesses of the Investigatory Powers Act, which obliges internet service providers (ISPs) to keep records of the websites visited by their customers for 12 months.

Bigger fines

The announcement of the Data Protection Bill comes at a time when a string of ISPs and companies have been embarrassed by failures to keep their customers' data safe.

The most high profile example of this was TalkTalk's notorious hack from October 2015, when cybercriminals stole the personal data of 156,959 customers.

As serious as this breach was for these customers (and for TalkTalk's reputation), other cases have followed since, with November's Tesco Bank cybertheft and Virgin Media's Super Hub 2 scare being some of the most notable.

A big part of the new legislation being proposed by the Department for Digital, Culture, Media and Sport (DDCMS) is avoiding future occurrences of such mishaps, since aside from giving customers greater control over their personal data it will seek to impose steeper penalties on companies for data breaches.

For example, the Information Commissioner's Office (ICO) slapped TalkTalk with a £400,000 fine after the 2015 hack, the largest penalty it can currently levy.

Yet under the proposed terms of the legislation, ICO will in the most serious cases be able to exact a fine equal to £17 million or 4% of a company's turnover (whichever is larger), something which will provide firms with a greater disincentive to take data security for granted.

As Matt Hancock, the Minister of State for Digital, explains, "Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account."

New rights

Added to harsher penalties, the Data Protection Bill will also provide internet users with a range of new powers to wield over their personal data.

The most significant of these is perhaps the right to be forgotten, which will allow customers to ask companies to erase their personal data.

Yet added to this, the following rights are also being proposed:

• Make it simpler to withdraw consent for the use of personal data
• Enable parents and guardians to give consent for their child's data to be used
• Require 'explicit' consent to be necessary for processing sensitive personal data
• Expand the definition of 'personal data' to include IP addresses, internet cookies and DNA
• Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
• Make it easier for customers to move data between service providers

Investigatory Powers trump data rights

In theory, such measures will give customers greater assurance that their data will be protected, and that they can restrict the amount of data collected and stored by third parties.

However, there is a significant gap in its protection, even if the Government's press release and statement on the bill makes no mention of it.

More specifically, this is the gap created by the Investigatory Powers Act, which legally forces ISPs to store the browsing histories of their customers for 12 months.

Given that the Government's rationale for introducing the Act was to tighten up national security in the face of the threat of terrorism, it's unlikely that the personal powers proposed by the new bill will cover the kind of "personal data" the Government want ISPs to collect.

In other words, even with the Data Protection Bill, no individual will be able to ask ISPs to delete the personal data they're collecting on behalf of the Government, and neither will they be able to withdraw their consent for it to be collected.

In light of this, it becomes apparent that the new bill isn't so much about privacy or protecting personal data in general, as it is about protecting the data whose security can have an effect on the willingness of people to pump money into the UK economy.

As the Information Commissioner, Elizabeth Denham, commented, "We are pleased the government recognises the importance of data protection [and] its central role in increasing trust and confidence in the digital economy."

However, once the Investigatory Powers Act comes into full effect, it will be an open question as to how much trust in the digital economy can ever really be created.