The government has been accused of trying to grab cheap headlines as it unveiled a new Data Protection Bill that will bring the EU's General Data Protection Regulation (GDPR) into UK law.
Under the new bill the UK's data protection watchdog, the Information Commissioner's Office (ICO), has been handed the power to issue fines of up to £17m or four per cent of global turnover in cases of the most serious data breaches.
Individuals will also have more control over their data by having the right to be forgotten. This means they can ask for their personal data held by companies to be erased.
The announcement - which was trailed in this year's Queen's Speech - was billed as the government "strengthening UK data protection law", while digital minister Matt Hancock said the bill will "give us one of the most robust, yet dynamic, set of data laws in the world".
The bill will help the UK prepare for a successful Brexit by bringing GDPR into UK law, the announcement added. It has been welcomed by some onlookers, who said it will raise confidence in the wake of the Brexit vote.
But others have accused the government of taking credit when the bill merely mirrors GDPR. Under GDPR, firms could face fines of up to €20m or four per cent of global turnover for the most serious breaches, and individuals will have the same right to ask for their personal data to be erased, among other things.
Bob Tarzey, director at analyst Quocirca, called the announcement "a nonsense".
"The UK government is making headlines about something we've already had that was EU-based. It's been presented as a UK data protection law, but it's just GDPR," he said. "There's nothing I'm aware of that the government is doing to enhance data protection beyond what GDPR is doing."
According to the government, the bill will:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child's data to be used
- Require "explicit" consent to be necessary for processing sensitive personal data
- Expand the definition of "personal data" to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
Matt Hancock, minister of state for digital, said: "Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive."
Despite the UK implementing GDPR - which has been flagged as a $3.5bn annual sales opportunity for security and storage resellers - Tarzey said Brexit raises the possibility of UK data protection rules diverging from EU ones in the future.
"The ICO was instrumental in designing GDPR, so it had a huge impact; but if there are changes in the future, it will have no impact," he said. "If UK data protection laws start to drift from data protection laws in the rest of Europe, because we're not part of the EU, you're back to the old days where US firms have to heed every data protection law across the region."
However, Lawrence Jones, CEO of UK hosting provider UKFast, welcomed the announcement.
"In light of Brexit we have been calling on the UK government to deliver legislation at least equal to the GDPR, so it's reassuring to see Matt Hancock announce these measures to implement the EU law today," he said.
"Businesses are built upon confidence: confidence in suppliers, in each other and in the economy. Brexit has already caused a huge amount of uncertainty in the economy, so the last thing we need is confidence to fall in our abilities as tech leaders."
Paul Wilford, cyber security architect at EACS, also spotted some areas where the bill will go beyond GDPR.
"Organisations need to be savvy to certain elements that differ from GDPR," he said. "By way of example, an organisation could potentially be fined for a breach, or they could be fined for lack of compliance even if it hasn't actually been breached. But there are also some new additions as well, such as a new offence for 'intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data'. Offenders who knowingly handle such data will also be guilty of an offence and the maximum penalty will be an unlimited fine. Elements like this are beyond the original message of GDPR and suggest that the UK is actually bolstering the legislation."
Asked for further comment on where the bill builds on GDPR, a representative for the Department for Digital, Culture, Media and Sport pointed out that it will contain a number of derogations in it, including around the minimum age at which a child can consent to data processing (the full list can be found on p16 of this document).