The UK government has officially released the Data Protection Bill, a proposed change in law designed to implement the requirements of the European Union's General Data Protection Regulation (GDPR), but while campaigners have welcomed it in principle they also warn it's missing a key feature of GDPR which will make consumer rights groups' lives considerably more difficult.
Released late yesterday, the Bill, which could become an Act of Law if approved, comes with the government's assurances as to its quality: 'We are strengthening Britain's data rules to make them fit for the digital age in which we live and that means giving people more control over their own data,' claims Minister of State for Digital Matt Hancock of the Bill. 'There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work.'
Those protections come in the form of a range of exemptions, many of which are carried over from the existing Data Protection Act (DPA): The processing of personal information by journalists for the purposes of freedom of expression and to expose wrongdoings is explicitly protected, scientific and historical research organisations gain exemptions from 'certain obligations which would impair their core functions,' national bodies working to fight doping in sport are granted certain rights, while data processing on suspicion of the financing of terrorism or money laundering is also exempted.
These exemptions, and the additional safeguards implemented in the Bill, have been welcomed by privacy rights campaign organisation the Open Rights Group (ORG), but it warns that its own activities - allowed under the GDPR - may be under threat. 'The UK has neglected an important option in the General Data Protection Regulation which gives consumer privacy groups like Open Rights Group the ability to lodge independent data protection complaints,' claims ORG executive director Jim Killock of the Bill. 'It is almost impossible for the average person to know how their data is being collected, shared and sold by social media platforms, advertisers and other businesses. We may not know which companies hold data about us. Privacy groups can therefore play an important role in protecting consumers by taking independent action against companies that fail to protect our data protection rights. Open Rights Group wants to be able to campaign on behalf of people who are afraid of complaining or do not realised that they have been affected.'
The Bill, which includes an increase in the maximum penalty the Information Commissioner's Office (ICO) can levy against a company found to have breached data protection legislation from £500,000 to £18 million, will now go through the debate process before being voted upon as an Act of Law.