New Data Protection Bill & IPA - A match made in hell



Last week the Government announced a new Data Protection Bill which will replace the existing Data Protection Act 1988, aiming to strengthen UK citizens' control over their own personal data and align our laws with the EU’s new GDPR legislation, which will come into effect from May 2018. Excellent - what a good idea! There’s just one problem though - that annoying Investigatory Powers Act (IPA), which already exists and contradicts this almost entirely!

9 August 2017

Paul Heritage-Redpath, Product Manager

Commenting on the new Bill, Matt Hancock, Minister of State for Digital said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

We don’t disagree with Mr Hancock. The Government’s press release quotes research showing more than 80% of people feel they don’t have complete control over their data online and the new Bill will aim to improve this by introducing a ‘right to be forgotten’ meaning they can request their personal data be erased (including from social media sites). It will also eradicate the use of the current default opt-out and pre-selected check boxes for consent in the collection of personal data - both requirements already included in the forthcoming GDPR.

Further cohesion with the GDPR comes in the form of fines - the ICO will be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

To summarise, the main points of the new Bill are as follows:
  • Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require ‘explicit’ consent to be necessary for processing sensitive personal data
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • Make it easier for customers to move data between service providers

What about the IPA?

Sounds great, but we have one question for Government - how exactly will this new law work with the existing IPA? Back in January we asked a very similar question regarding the co-existence of the IPA and the EU Court of Justice, which ruled that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime”. That is a clear contradiction to the IPA, and now this latest Bill and the IPA clearly have similar co-existence issues.

How can a law that requires the mass collection of personal information by your ISP, and then authorises that information to be accessed by various law enforcement and security agencies without a warrant, coexist with a new law that gives citizens the ‘right to be forgotten’ and (rightly or wrongly) even classes your IP address as a form of personal data? Surely, this is a contradiction in Government policy at the very least?

Whilst we have a few small concerns in the detail of the new Data Protection Bill (such as classifying an IP address, which can be dynamic and/or shared by many people within a home, as a personal identifier), in the main we welcome its introduction and commend the Government on attempting to update and align our existing outdated laws with the newer EU alternatives, protecting our rights post-Brexit. However, we once again call for the highly controversial IPA to be re-thought - surely, this is yet another example of how unworkable the Act is in modern society.

Have your say!

How do you feel about the new Data Protection Bill and the protections it will afford UK citizens? Do you think the Government is right to align our data protection laws with the forthcoming EU GDPR or not? Do you agree the IPA and the new Bill conflict and should be reconsidered? Let us know your thoughts by leaving us a comment below.