Safety and surveillance: how far will the UK’s newly proposed data protection laws go?

According to Toni Vitale, head of data and information law at Addleshaw Goddard: “We have an opportunity to modernise our data protection laws and make them fit for a 21st-century connected world, and to strike the right balance between protecting the rights and freedoms of individuals and protecting them from harm, such as terrorism.”

One eye-catching new law will give young people the right to demand that social networks delete any personal data they shared prior to turning 18.

The government also says it will implement the General Data Protection Regulation (GDPR), a series of new European Union data protection rules due to come into force in 2018, which will replace the Data Protection Act 1998.

“The new law will ensure the country meets its obligations while a member of the EU and will help the UK maintain its ability to share data with other EU member states, and internationally, after we leave the EU,” says Mr Vitale.

The government has stated that the new legislation will ensure “the United Kingdom retains its world-class regime protecting personal data”.

Mr Vitale says: “Some might regard that comment as ironic. In fact, the EU Commission has frequently complained that the UK’s current data protection law failed properly to bring into law about one third of the EU Data Protection Directive (1995), such as the definition of personal data and ‘relevant filing system’, the collection of personal data in job applications and the ability to claim damages from a data controller in the event of a breach.

“In addition, in 2002, a survey of privacy conditions in 50 countries, carried out by Privacy International, singled out the UK for criticism over a series of law enforcement measures, which the authors said had undermined civil liberties.”

The report concluded: “There is, at some levels, a strong public recognition and defence of privacy… On the other hand, crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence and freedom of speech.”

Mr Vitale says: “In short, according to the Electronic Privacy Information Centre, Britain has one of the worst, rather than one of the best, records in the developed world for protecting the privacy of its citizens.”

The furore which last year surrounded the passing of the Investigatory Powers Act, the so-called Snoopers’ Charter requiring internet service providers and mobile operators to retain and allow government access to certain types of data, led to criticism from the government’s own data watchdog, the Information Commissioner’s Office (ICO). This is particularly prescient with regard to prime minister Theresa May’s “Enough is enough” comments. Delivered outside 10 Downing Street in the aftermath of recent terror attacks, her remarks outlined cracking down on social media operators and suggested the government should be permitted to circumvent encryption.

“If the possible obligations surround the weakening or circumvention of encryption, then this is matter of real concern,” the ICO said. “The ICO has stressed the importance of encryption to guard against the compromise of personal information. Weakening encryption can have significant consequences for individuals.”

Mr Vitale asks: “Will the government have the political collateral to seize the opportunity to thoroughly update our data laws, and will it strike the right balance between protecting citizens’ rights and preventing future terrorist attacks?

“If you look at what the government has promised, it feels a little like they are doing the minimum necessary, rather than undertaking a route-and-branch review.”

The government has promised to establish a new data protection regime for non-law enforcement data processing, replacing the Data Protection Act 1998; strengthen rights and empower individuals to have more control over their personal data, including a right to be forgotten when individuals no longer want their data to be processed, provided there are no legitimate grounds for retaining it; modernise and update the regime for data processing by law enforcement agencies; and update the powers and sanctions available to the prime minister.

“To some extent the government’s hands are tied by having to implement GDPR,” says Mr Vitale. “For example, the proposal for a ‘right to be forgotten’ when you turn 18 is not an original idea dreamt up by the UK government, although it is one of the few policies to survive the trashing of its manifesto. It was first considered in 2010, when a Spanish citizen lodged a complaint against a Spanish newspaper and Google. He complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights, because the proceedings had been fully resolved for a number of years and the reference to these was entirely irrelevant.”

It will be a tough balancing act to ensure citizens’ rights, protect their liberty, keep them safe and make sure we remain competitive

The GDPR allows people to request that data is erased when it is no longer needed or if they withdraw consent. “The right mentioned in the Queen’s Speech appears to go slightly further, requiring companies to erase all data on request when a teenager turns 18. The exact details of this new provision and how it will be enforced remain uncertain,” says Mr Vitale.

Even if the government had not listed the new data protection laws in the Queen’s Speech, GDPR would apply from May 2018 in any case, because it is a regulation applying automatically to all 28 EU member states. “The key thing will be what happens after May 2019 when we leave the EU,” says Mr Vitale.

“We have choices, depending on whether we retain the whole of the GDPR or try to water it down – the so-called hard and soft Brexit options. If we make the wrong choice, it could harm UK business by making it harder to transfer data with Europe and this might have a knock-on effect on attracting inward investment. After all, if you were seeking to locate a data centre in a business-friendly English-speaking country in the EU, why would you choose the UK over Ireland?

“A challenge for the UK government is to ensure our data laws match those of Europe, so that we can continue to transfer data back and forth, and give our citizens the same rights as others enjoy in Europe, and resist the temptation to make the UK a business-friendly offshoring data haven or hub with weakened protection. It will be a tough balancing act to ensure citizens’ rights, protect their liberty, keep them safe and make sure we remain competitive.”

For more information please visit: addleshawgoddard.com