UK negotiates leniency from the EU’s stifling GDPR

The UK government has published a draft of its Data Protection Bill which brings the EU’s controversial GDPR (General Data Protection Regulation) into UK law but provides leniency in some important areas.

In an editorial last month, IoT News highlighted the danger of GDPR regulations holding back startups which rely on data collection. We spoke to Peter Wright, solicitor and managing director of Digital Law UK, who had similar concerns.

“If you’re dealing with large amounts of big data, so you could develop and build an AI, there’s an argument within the regulation that you will need a DPO (Data Protection Officer) in place,” said Wright.

“You’d then have to demonstrate regulatory compliance – with immense penalties if you happen to get this stuff wrong in terms of a €20 million fine, or four percent of your global turnover – and it’s measures like this which have a chilling effect on entrepreneurship, innovation, and creativity.”

The draft Data Protection Bill sets out how GDPR is planned to be implemented, subject to scrutiny by the House of Lords and House of Commons.

Keeping the best of GDPR

GDPR brings in some vital protections for consumers in the modern world. One measure enables users to request social networks to delete anything posted before the age of 18 to help ensure people are not haunted by anything they did in their less mature years.

“Right to be forgotten” will also be expanded. Currently, a user can put forward a request for data to be erased if it causes significant distress. Under GDPR, a user will also be able to request data to be erased if the information is outdated or irrelevant.

Companies will also need to sign users up to services with the strictest privacy settings by default. This will ensure users only share data they are explicitly comfortable sharing, by way of opt-ins. Anyone under 13 will require the consent of parents or legal guardians to sign up.

Rather than being tied into using a particular service, GDPR will allow for “data portability” so users can move their data from one service to another. How this will be implemented, however, isn’t clear.

To protect users’ privacy and keep them informed, any breach of data must be reported to the UK’s Information Commissioner’s Office within 72 hours. Significant penalties will be incurred for a failure to do so, or for the general poor handling of user data.

Axeing the worst of GDPR

Interestingly, the UK government claims to have negotiated “exemptions from the EU’s General Data Protection Regulation to create a proportionate data protection regime which is right for Britain.”

This doesn’t fit in with the EU’s standard “one-size-fits-all” approach to member states. Other members are sure to demand similar exemptions as the stricter regulatory environment will otherwise make them less competitive.

“There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality,” comments Matt Hancock, the UK Minister of State for Digital. “Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work.”

In the face of Brexit, the exemptions mark a particularly surprising development. Nevertheless, it’s a welcome move as it axes most of the regulations we’ve raised concerns about in the past.

The bill will include exemptions for data processing in the following areas:

  • Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded.

  • Scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions.

  • National bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats.

  • In the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected.

  • Where it is justified, the Bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfill obligations of employment law.

Prior tailored exemptions that were implemented as part of the Data Protection Act 1998 will be carried over into the new law as they have “worked well” according to the UK government.

The UK is seen as a hotbed for AI and has attracted global investment such as Google’s acquisition of Cambridge-based DeepMind. The government is pumping £16 million into AI and robotic technologies through its Innovate UK initiative. The Industrial Strategy Challenge Fund, meanwhile, provides financial support for UK businesses working on ‘cutting-edge’ technology.

It’s good to see the UK government’s plans to protect consumers with the best aspects of GDPR but axe its worst bits to ensure innovative businesses can flourish. We hope this continues and the new powers to bypass Parliament the government has given itself as part of the “Great Repeal Bill” this week are not abused.

What are your thoughts on the Data Protection Bill draft? Let us know in the comments.
