The British government has published a statement of intent for a new Data Protection Bill that will bring the UK's data laws in line with the upcoming General Data Protection Regulation.
In a statement, minister of state for digital Matt Hancock MP said that the Data Protection Bill will bring data protection laws up to date in the UK, adding "tougher rules on consent, rights to access, rights to move and rights to delete data".
Part of this translates to new criminal sanctions – so "intentionally or recklessly re-identifying individuals from anonymised or pseudoanonymised data" will become an offence with the maximum penalty of an unlimited fine.
The Bill will also create a new offence for altering records to block subject access requests – the right of a citizen to request the data held on them from a company or organisation. Offenders will be hit with an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
The Information Commissioner's Office (ICO) will be given powers to significantly bolster the amount it can issue in fines. It can currently fine organisations a maximum of £500,000, with the new rules increasing this figure significantly to £17 million, or four percent of global turnover. This is in line with GDPR, which will usher in fines of up to €20 million, or four percent of turnover for serious violations.
Rules for consent, the government says, are also being strengthened – pledging to make sure that consent is 'unambiguous' and 'explicit' as well as easy to withdraw for personal data.
Individuals, it adds, will find it easier to request data held on them by an organisation, as well as new rules on data portability to make it easier to shift data between service providers.
New 'right to be forgotten' rules will allow web users to request their personal data to be erased, as well as a provision for requesting the deletion of all information held by social media platforms that was generated during their childhood.
The government statement of intent adds that in some circumstances, individuals will be able to request social media companies delete any and all of their posts.
According to the statement, users should have more of a say in decisions made about them that are based on automated processing. "Where decisions are based on solely automated processing, individuals can request that processing is reviewed by a person rather than a machine," the statement says.
Principal security researcher at Kasperky Lab, David Emm, noted that these will be "unprecedented rights" for consumers.
"In combination with the incoming GDPR regulations being implemented in the European, there will be widespread changes in the coming years to the way organisations collect, store and process data," Emm said. "It is important the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cyber criminals."
The Bill will also differ from GDPR in the way children can consent to data processing. The European laws set the age threshold at 16, but the government will act to allow children to consent to data processing at 13. The government will also allow for third parties that are not official authorities to access offender and criminal data, for example, to run criminal record checks.
Research organisations, such as universities, will also have exemption for having to respond to subject access requests "when this would seriously impair or prevent them from fulfilling their purposes". They won't "have to comply with an individual's rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure."
Since the announcement of the GDPR, organisations have been under pressure to audit their data in line with the new regulation, set to come into effect in May 2018. But Britain's vote to leave Europe complicated matters, and the government has been consulting the Information Commissioner about the next steps forward.
Businesses will have to ensure they understand where their data is and precisely what data they hold or face the potentially hefty fines.
The Data Protection Bill effectively brings GDPR into British data policy, but it's still unclear whether the government will seek an adequacy agreement with Europe.
An adequacy agreement would mean European approval for British data law, and allow data to move between Europe and Britain with minimum disruption – but the ICO warned earlier this year that it could take as long as two years before Europe's Article 29 working party reached a decision.
KPMG's head of privacy, Mark Thompson, said that the statement of intent "shows that the UK is committed to protecting the privacy of individuals' data and the way it is processed."
"This commitment also sends a strong message that the UK will have resilient data protection regimes, post-Brexit," Thompson said.