The Future of Data Protection
Data protection law is currently regulated in the UK by way of the Data Protection Act 1998 but that is set to change after it was announced in the Queen’s Speech that there will be a new Act.
The new law will not only update existing legislation but will also include new rules and potentially incorporate the EU’s General Data Protection Regulation (GDPR).
The proposal was welcomed in some quarters as maintaining the UK’s world-class regime for data protection and would ensure businesses are fully prepared for when the GDPR comes into force in 2018.
Both of these points can be called into question beginning with the GDPR.
As an EU Regulation that is directly applicable, the UK will be bound by the GDPR from May 2018 irregardless of the action taken by the current government. The only effect that a new Data Protection Act would have is to ensure that the law remains codified after Brexit. In other words the rules would likely become and remain part of the UK legal system in some form or another anyway.
The parts of the proposed law that will introduce new provisions should not, however, be immune from scrutiny.
One of the key aims is to expand the ways in which data can be used to help law enforcement agencies but with so much already available, any further powers granted to the police and other bodies raise serious questions over abuses of the right to privacy. Given the recent attacks on UK soil that could not be prevented by the security services it is understandable that they would like greater and more powerful tools at their fingertips but this should not come at a cost to the liberty of UK citizens.
On top of this the Act seeks to give users greater control over their private data and at first glance this appears to be huge win for the man on the street. The law will most likely include the right to be forgotten and other rules related to control over personal information.
However this will undoubtedly place a burden on companies who will have to take greater precaution in the first place and may well end up chasing their tail if someone is successful in a ‘right to be forgotten’ case.
If this is too difficult or not economically viable then it will simply become easier for those companies to withdraw from the UK. We have already seen the EU attack large tech companies like Google over the issue of data protection and while they will reluctantly pay any fines for now, there is a limit to their patience.
Ultimately my data and your data and everyone else’s data is a commodity. If an app that I download is ‘free’ but the company requires my email address to proceed then essentially I am buying the app with my email address. The sooner that individuals and governments realise this the better. There needs to be a shift in the culture whereby people realise how valuable their own data is and take responsibility when they send something like their mobile phone number into the ether.
Of course things do sometimes go awry and there needs to be a form of regulation that protects people in such circumstances. As a general rule however, further regulation for data protection only entrenches the culture that we have at the moment and instead of protecting consumers it in fact does more harm to those businesses that are able to produce cheap and innovative products that we all regularly make use of.