New data privacy laws will let Brits erase childhood social posts
The UK’s Data Protection Act began looking long in the tooth some time ago. It was introduced in 1998 when the internet was a very different place, after all, and today the government has published more details on the upcoming Data Protection Bill, which will update laws to ensure they’re fit for the hyper-connected era. Delivering on a Conservative Party manifesto pledge, the bill will introduce a new right for people to instruct social networks to delete anything they posted before the age of 18.
This has been called the “right to innocence,” and will mean you can more easily purge social media activity that’s embarrassing or no longer reflects you as an adult. The power is part of a bigger expansion of existing “right to be forgotten” laws. Currently, you can only request that personal information be deleted — removed from Google search results, for example — if it causes significant distress, such as details of a petty crime you committed as a kid that are still following you decades later.
This right will be extended to any personal data you deem irrelevant or outdated, giving you much more control over your digital footprint. The definition of ‘personal data’ is also being widened to include IP addresses, internet cookies and DNA. The Data Protection Bill should also cut down on how much data you are producing and companies are collecting in the first place.
The bill introduces the concept of “privacy by default and design.” The idea is that online services like social networks mustn’t assume consent and enable the strictest privacy settings as a matter of course. Instead of having to dig through menus and opt-out of data collection schemes, or finding out after the fact you agreed to something undesirable buried in complex terms and conditions, you are offered the right to privacy “by default.” In other words, companies must be transparent about collecting and processing data, and get your explicit consent to do so.
In a similar vein, social networks will be required to seek the consent of parents/guardians before allowing anyone under the age of 13 to register an account, and make the process of withdrawing that consent simple. New rules also mean an individual can ask any company what data they hold on them and be provided that information free of charge. Where the automated processing of data builds a personal profile — such as a credit rating, for instance — people will be entitled to request that the data be reviewed by a human.
While it’s still unclear how this will work exactly, the Data Protection Bill introduces a requirement for “data portability.” This will mean companies have to create mechanisms by which you can ‘export’ all your personal data so you can use it elsewhere. Say you wanted to swap email provider. In that example, Yahoo will have to let you transfer all your emails, contacts and such to another service like Gmail — kind of how it’s pretty easy to move bookmarks between browsers.
The same will be true for cloud storage services, or fitness tracking apps that record heart rate data. Again, this concept hasn’t been fully fleshed out, but the idea is you shouldn’t be locked into using a specific service just because you’ve built up a data history with that service. By making it easy to move your data elsewhere, companies will be put under greater competitive pressure to retain users and customers by building the best or most affordable services.
As businesses will have all these new rules to play by, so will the UK’s Information Commissioner’s Office (ICO) have to provide greater oversight. There’s a new requirement for companies processing large volumes of personal data to notify the ICO of any breach within 72 hours. Any business that doesn’t adhere to the tighter data protection laws could also face much higher penalties. The ICO can currently issue a maximum fine of £500,000. The Data Protection Bill raises that up to £17 million, or 4 percent of global turnover. A new offence will also be introduced in order to punish those “intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data.”
While the Data Protection Bill is specific to UK law, it’s mostly intended to reflect the EU General Data Protection Regulation (GDPR), which was approved last year and comes into force in May 2018. The UK is still an EU member state at this point, of course; but post-Brexit, the new Data Protection Act will ensure our laws are on par with the rest of Europe. Having the same privacy standards across the region means there shouldn’t be any barriers to the movement of data, whether that be between businesses, services or law enforcement agencies.
Source: Department for Digital, Culture, Media & Sport (1), (2) (PDF)