GDPR And The Data Reform Bill: What You Need To Know


As you travel around the internet, you will probably have come across those really annoying pop-ups that ask you for your consent to various types of cookies.

These pop-ups were in response to a (in my opinion) badly worded and implemented section of GDPR about consent and letting the user opt-out of certain marketing and tracking tools.

What Is GDPR?

GDPR stands for the General Data Protection Regulation.

Before GDPR was introduced there wasn’t a standardised way that European countries handled data and privacy.

For example, in the UK we had the Data Protection Act 1998[1]Wikipedia: Data Protection Act 1998 (this replaced one from 1984 and also merged with additional 1987 legislation).

As you’re probably aware, internet use wasn’t that widespread back then so the 1998 act wasn’t really fit for a modern way of doing things.

The UK Data Protection Act (DPA) was further updated in 2018[2]Wikipedia: Data Protection Act 2018 which merged elements of the new European GDPR laws into UK law.

GDPR and the DPA both cover your rights to have a say in how your data is used: who can use it, what they can do with it and who they can share it with, as well as your right to find out what data they hold on you, to ask them to delete that data, and more.

GDPR also means that if there is a data breach (such as a website being hacked and passwords stolen), the company has to notify you of what data was accessed within a set amount of time.

Until GDPR, companies regularly covered up data breaches, meaning users were unaware their data had fallen into nefarious hands.

Breaches of GDPR can come with hefty fines[3]GDPR Fines & Data Breach Penalties which are determined by the country that the breach occurred in. Fines of up to €10 million can be issued, or a penalty of 2% of the company’s worldwide annual revenue if that’s a higher figure.

One of the annoyances of GDPR was that you had to consent to a company using cookies (small files that help track you around websites, monitoring your usage, what pages you visit etc.) when you visit a site.

As a web developer I remember being extremely worried at the route the EU were taking with this legislation.

Initially they weren’t going to allow you to use any cookies, for any reason – this would mean that things like shopping carts would stop working unless code was heavily modified.

Then they said you would have to give permission every time you visited a site which would have been a usability nightmare – not to mention a pain in the rear for the website visitor.

Eventually things calmed down a bit: websites are allowed to use cookies for core functionality, but the user now has to opt in if you use cookies for tracking, advertising or similar. You can’t just assume that they’ve given consent and automatically opt them in to tracking.

Why Is GDPR In The News Now?

On the 17th June 2022, the Government published a consultation on “Data: a new direction – government response to consultation[4]Data: a new direction – government response to consultation” which ran from 10th September to 19th November 2021[5]Data: a new direction.

Note that the consultation received 2,924 responses, 684 via email and 2,240 via the survey platform so it’s hardly indicative of the thoughts of a majority of data processors, stakeholders or even end users.

Within the consultation outcome the Government want to introduce the following changes:

Legitimate Interest

Allowing greater sharing of data through “legitimate interest” grounds.


This means a company doesn’t need your permission to pass data on, they can do it if they believe there is a need or reason for it.

You might remember back in the summer of 2021 when there was massive backlash at the government and NHS for automatically sharing patient data with third parties[6]https://www.nhs.uk/using-the-nhs/about-the-nhs/sharing-your-health-records/.

Due to challenges over GDPR, they were then forced to allow people an option to back out of the scheme, and it would appear that this change in the law is to stop similar challenges from working in the future.

Restrict Data Access

The Government state in the document (point 186, section b) that people have basically been abusing the right to see their data and that this is putting a strain on businesses.

They propose that a business may now refrain from giving you access to your data if they deem the request to be outside the scope of the data they hold on you, or intended for harassment or disruption, amongst other (unnamed) reasons.

They don’t say what would happen if you disagree with the refusal but I am assuming it would be escalated to the Information Commissioner’s Office (more on that in a moment).

Charge You For Access

Under the DPA 1998, a company could charge you an administration fee of up to £10 for giving you access to your data. GDPR removed the right to charge a fee under most circumstances.

The government propose a fee scheme, similar to one in use for Freedom Of Information requests. This has fees of up to £600 for requesting certain information, depending on the body involved.

They do not clarify what the schedule of fees would be but said that it would have to be reasonable to allow the majority of people to access their data.

Reduce Cookie Notices

They want to get rid of the annoying cookie opt-ins so that’s one good thing I suppose (until it isn’t).

Although it would appear that companies will now be able to place tracking cookies on your device without your consent as long as they comply with the DPA 2018 and the Privacy and Electronic Communications Regulations 2003. So that’s not a very good thing I suppose (and it gets worse – keep reading!)

Allow Private Companies To Process Data On The Behalf Of A Public Body

This has already been happening – test & trace is an example of this – but according to the consultation the Government had to jump through several legal hoops in order to allow this to take place.

They propose streamlining the process by codifying into law that if a private company is acting on behalf of a public body they can process the data as required.

This does make sense, although one needs to question what that company will also do with that data when the work is over (or during). Several companies sell on data they received under the banner of “legitimate interest” – a protection that we can see the government is weakening with these changes.

Big Brother Is Watching You

A statement from point 286 of the consultation:

the government proposes to clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.

So the government can pass your health data on to a third party if they deem it to be in relation to the “public interest in relation to public health”.

The question would be “Who determines what’s in the public interest?”

There also doesn’t seem to be a way to refuse or opt out of having your data shared this way.


Nadine Gets Revenge On “The Algorithms”

Allegedly during a meeting at Microsoft, Nadine Dorries (Secretary for Digital, Culture, Media and Sport) asked them “When are you going to get rid of algorithms?”[7]The London Economic: Nadine Dorries lampooned following claims she asked Microsoft to get rid of algorithms

Algorithms are complex sets of code that are used for everything from suggesting what should appear in your “Watch Next” queue on Netflix to helping scientists to treat cancer[8]BBC News: Artificial intelligence used to predict cancer growth. So to ask when they’re being “got rid of” is a rather naive view at best.

In the consultation document it would appear though that The Culture Secretary has got part of her wish granted.

Point 290 reads:

The government proposes introducing compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data.

So she gets part of her request.

Although it would appear Microsoft can still use secret algorithms in private, it wouldn’t surprise me if they try and make the private sector’s use of algorithms more transparent – although how that would mesh with proprietary data and trade secrets I don’t know – maybe that’s why it seems to be omitted.

Reform The Information Commissioner’s Office

The basic gist of this is that they need to reform the ICO in order for it to keep up with changes in technology and the way data is collected and managed. That’s a fair point as we slowly move towards a metaverse where all our data, biometrics and more will eventually be stored.

However, there are a couple of sentences that did raise some concerns. From point 311:

This should allow the ICO to, for example: increase its strategic outreach to sectors that are using personal data in new and innovative ways, including financial services, healthcare and marketing; enhance its sandbox function to provide greater opportunities for organisations to test new and innovative products in a safe way

I understand the need to improve the way data is handled, but given that there will be weaker protections, since pretty much any company can claim they have a legitimate interest in using your data, it’s concerning that companies will be allowed to “test” these products without us having opted in (or even having the ability to opt out).

There are also sections on introducing KPIs (is it a government report if KPIs aren’t mentioned?), salaries and more which bring the ICO into line with other regulatory bodies like Ofcom.

Editor’s Note: This list isn’t exhaustive – the document is 146 pages, after all – but it gives you a good idea of what they are planning on doing.

So What Is All The Fuss About?

Essentially privacy advocates are saying that rather than strengthening UK citizens’ rights to say how their data is used, it weakens them – especially when it comes to the sharing of sensitive data such as health records.

“The UK GDPR affords important protections to women, workers, patients, migrants, ethnic minorities, LGBT communities and everyone else,” the Open Rights Group says.
“The Data Reform Bill will endanger all this, if DCMS make the wrong calls and keep carrying out the consultation without regard of due process.”

The Brexit Issue

There are problems with even the seemingly most simple issue – those horrible cookie consent pop-ups.

Companies spent hundreds (if not thousands) on implementing systems that allowed for compliance with GDPR – it was not a simple or fun time, I can tell you!


Some companies in the United States even went as far as blocking visitors from Europe accessing their content completely.

A company can’t simply flick a switch and undo every change they have made in order to provide the weird model the government is proposing.

Also, what will happen when a person who lives in France visits a UK based/owned website? They are legally required to be able to manage their cookies – usually through a cookie pop-up so…. Um…. yeah.

Are we supposed to block EU visitors like the Americans have?

The Data Protection Issue

While the government may be saying that they’re reducing red tape and the need for companies to have Data Protection Officers, a lot of these things will still need to be in place if the company deals with Europe in any way[9]Forbes: UK Lays Out Proposed New Data Protection Laws.

You will still have to hold data in a way that is compliant with GDPR and provide access to it – and under GDPR you wouldn’t be able to charge an EU organisation the admin fee either.

Wrapping Up

While most people completely agree that laws surrounding data, how it’s used and who can use it need amending in order to keep up with the fast pace of technological change, many organisations are already arguing that the steps laid out in the government’s consultation document are not fit for purpose or weaken existing protections and will not “ensure people can control their personal data” as Nadine Dorries claims.

It’s also interesting to see that a lot of the reforms centre around the healthcare sector. Obviously the pandemic brought up some serious flaws in the current system, but with the weakened protections over “legitimate interest” data sharing, it could certainly pave the way for a smoother entry of private companies into the NHS, whereas under the current law it would be a lot more difficult (and people could opt out).

So, while I can see why the government would want to overhaul Data Privacy law, and needs to in order to stay ahead of the curve, the Data Reform Bill isn’t the “red tape cutting, data protecting” panacea that the government make it out to be.

It’s still in its early stages yet, so it will be interesting to see how it changes – especially when privacy groups start looking into the proposed legislation as it’s rolled out. Until then, we’re just going to have to put up with those cookie pop-ups.
