On Monday, British lawmakers filed a statement of intent on proposed improvements to the Data Protection Act, focusing on criminalizing the re-identification of anonymised data, imposing larger fines for cyber incidents, and adding protections for British internet users.
The changes are part of the UK's effort to comply with the EU's General Data Protection Regulation (GDPR), which comes into effect in May 2018, by which time EU member governments must have amended their national laws to include its provisions.
New bill adds many GDPR provisions
The new Data Protection Bill (DPB), as it's currently known, includes amendments for GDPR compliance. For example:
- Make it easier and free for individuals to require an organization to disclose the personal data it holds on them
- Allow people to ask for their personal data held by companies to be erased
- Require 'explicit' consent for processing sensitive personal data
- Enable parents and guardians to give consent for their child's data to be used
- Expand the definition of 'personal data' to include IP addresses, internet cookies and DNA
- Make it easier for customers to move data between service providers
Bigger fines for cyber-incidents
Besides the GDPR provisions above, the bill also raises the maximum fines that UK authorities can impose for cyber incidents.
Until now, these fines were capped at £500,000 ($650,000). The largest fine the UK has issued to date was for the 2015 TalkTalk breach, for which the ICO fined the ISP only £400,000 ($520,000).
Under the proposed DPB, which follows the GDPR provisions, the new limit is up to £17 million ($22 million) or 4% of a company's global turnover.
The criminalization of data re-identification
On top of the GDPR provisions, the DPB comes with an extra proposal: a new criminal offence for intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data.
"Offenders who knowingly handle or process such data will also be guilty of an offence," the DPB proposal reads. "The maximum penalty would be an unlimited fine."
Dr. Lukasz Olejnik, an independent cybersecurity and privacy researcher affiliated with Princeton's Center for Information Technology Policy, applauds the UK's efforts.
"UK’s GDPR implementation may have visionary traits; in that it goes beyond merely implementing the GDPR as just a legislation," he wrote on Monday on his blog. "UK will introduce new criminal offences, among them reidentification."
Privacy expert sees some problems with new criminal offence
While Olejnik applauds the UK's efforts to expand user data privacy protections, he warns that the UK may be treading dangerous ground.
"There are several issues with [the] banning of reidentification," he says. "First, it won’t work. Second, it will decrease security and privacy."
The biggest problem in Olejnik's eyes is that there is no effective way to enforce such a ban in practice. Second, it stifles security and privacy researchers, who often re-identify anonymized data in their day-to-day work.
"UK’s ICO will furthermore find itself in a possibly inconvenient position where they will need to judge which research is or isn’t appropriate," Olejnik explains.
In other words, the UK government has identified a real problem, but writing it into legislation this way may let companies threaten researchers with prosecution when they want to publish unflattering research that relies on re-identifying users from anonymized data and revealing their details.
In addition, the DPB statement of intent mentioned some protections for journalists and whistleblowers, but it did not provide any details.
Comments
Occasional - 7 years ago
As was pointed out: the intentions may be good, but I doubt those crafting the legislation have sufficient understanding of the nature of data and information.
An example: "Make it simpler to withdraw consent for the use of personal data"
Most importantly, not including an identifier in one dataset doesn't mean individuals can't be identified by combining data from several sources.
Also, "withdraw consent"? From whom? Data and metadata are bought, sold, traded, hacked...; and the organization that acquired the consent (if still in business), can only say they won't use, sell, trade... that person's (explicitly/single-sourced), PID any more.
Richard_Stallman - 7 years ago
I agree that the reidentification ban should not apply to researchers, but if it is limited to commercial activity and public relations or campaign activity, it would be ethical.
Would it be enforceable? If the penalties are sufficiently strong, organizations aiming for profit or other success would hesitate to violate the law.
The law needs to address the scenario where the reidentification is done in some other country but the usage is targeted at people in the UK. Usually some organization that operates in the UK will be paying for the service. If that organization can be identified and punished, that might make the law enforceable enough.