Coming soon to a Parliament near you – UK's Data Protection Bill

The UK's new legislation on data protection is to get its first airing in Parliament next month, the government has said. The Data Protection Bill, announced in the Queen's Speech at the end of June, will replace existing data protection legislation on both corporate data and data processing by law enforcement agencies. The …

  1. Yet Another Hierachial Anonynmous Coward

    Layman's terms..

    This is quite a well discussed and anticipated piece of legislation which has the potential to affect many of us commentards. Would the team at El Reg consider putting together an article, or series of articles, written by an appropriate person, detailing the act in layman's terms? I'm sure it would be appreciated by the many of us who are self-employed, or small operators who don't have the luxury of corporate training departments.

    Does anyone else agree?

    1. Doctor Syntax Silver badge

      Re: Layman's terms..

      Seconded. An excellent idea.

    2. Anonymous Coward
      Anonymous Coward

      Re: Layman's terms..

      Hope they send "real people" like (clueless) Amber Rudderless on a corporate training course. Because she seems to have a total disregard for the privacy of data she holds on others. I'd like to see an inspection of her constituency office by the ICO, before we start hounding others.

      Most of it is common sense (she has absolutely none). Imagine your own data in place of the data you're storing on behalf of others. Look at the threats to that data, from outside and internally.

      If it feels "wrong" or security feels "weak" it probably is.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Conflict With IPA.....

      No. Performing a regulated activity or being in government trumps the GDPR. For example your bank doesn't need your permission to gather information about you to perform anti money laundering checks either, because they're legally required to do so.

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: Conflict With IPA.....

          Certain government functions are bound by the GDPR, just as they are today under the DPA. However those restrictions are principally concerned with what government bodies do with data after it is gathered. Specifically you can't use data gathered for statutory compliance for non-statutory purposes. You must still gather it to comply with statute if necessary. This usually manifests itself as one department or body being unable to share data with another department or body.

          The main difference versus the current DPA is that there is a broad purpose "legitimate grounds" exemption that allows government to process data as long as there's a reasonable argument to do so, regardless of consent. The GDPR removes this exemption, which will require departments to justify non-consented processing* in terms of statutory compliance (as discussed above) or the much stricter public interest argument.

          *Public bodies actually can't obtain free consent in most circumstances due to the imbalance of power between the government and an individual. It's hard to say "No" to someone that can put you in prison.

          The GDPR does not change much in terms of who is allowed to do what with any given bits of data. It tightens up a few definitions of what constitutes personal data; updating it for the 21st century. Mostly the GDPR details what you must do while you process the data, specifically putting in place broad rules around transparency, security-by-design, mandatory reporting of breaches and so on.

          1. Woodnag

            Re: Conflict With IPA.....

            "t will have to adhere to the GDPR for about a year"

            So some non-governmental institution fails to follow GDPR, one takes it to court, and by the time it goes through the Data Protection Bill is active, and the court throws the case out as moot because the new law will allow anything to happen with any data under any circumstance.

            Unfortunately all governments want organisations to collect everything, because governments want to categorise people as threat/non-threat to the state. Not "terrorism", just "effective dissent against the state" is the threat.

          2. John Brown (no body) Silver badge

            Re: Conflict With IPA.....

            "The GDPR does not change much in terms of who is allowed to do what with any given bits of data."

            Yes, but to me the most important part of GDPR is the increase in penalties that applies to people who misuse or don't properly secure the data. Something much needed. Although it remains to be seen how well and how strongly it's enforced.

        2. Anonymous Coward
          Joke

          Re: Conflict With IPA.....

          "equal to the greater of €10 million or 2% of the entity's global gross revenue"

          The ICO will get a nice little windfall when HMRC leave a USB drive on the train...

          1. Anonymous Coward
            Anonymous Coward

            Re: Conflict With IPA.....

            Nope, the £££ will go to the Treasury and the ICO will still be scratching about for funding

  3. Doctor Syntax Silver badge

    I've been thinking over the implications of various surveillance laws, including the possible demand for passwords to encrypted devices, seizure of servers etc.

    In the real world a company computer might hold information subject to various regulatory regimes including the DPA. Any agency gaining control of such data, either by interception or by physical seizure, usurps the role of whoever would have been responsible in the owner's organisation. This ought to transfer such responsibility to that agency.

    Perhaps this Bill would be an opportunity to put such transfer into statute law rather than leaving the issue to be decided in court in the event of a breach.

  4. Anonymous Coward
    Anonymous Coward

    Can I ask a potentially daft question?

    As I understand it processing of personal data where it can be identified by the IP address would require consent and the ability to withdraw consent.

    Where does that leave websites as you would process the data to confirm unique visitors? I also believe that there is a caveat for not being a pre-requisite so how do you get consent if not by asking them for consent and only allowing them access after consent has been given?

    1. Anonymous Coward
      Anonymous Coward

      It's not a daft question.

      If it's PII and you don't have explicit, free consent for a legitimate business function you *usually* may not use that information.

      This is, technically speaking, the law as it stands now. The only difference in this scenario is IP addresses have been explicitly identified as PII (Recital 30) whereas previously it was a theoretical argument based on a court judgement only applicable in certain scenarios.

      There's also not a whole lot you can do. Most techniques that would mask any other data simply don't work on IP addresses. You can't hash them because there's only 4 billion possible values. You can't truncate them because then they're useless to you. More fundamentally pseudo-anonymised data (i.e. where there is a 1:1 mapping) cannot be considered anonymised due to the proven ease of reconstructing an identity from metadata.

      Now, I did say consent is *usually* required. There are, as always, exemptions. In fact, obtaining consent is just one of six grounds for processing PII set out in Article 6(1) of GDPR. Option "F" is what is called the "legitimate interests" argument. Put simply, if your interest in processing the data is normal, expected and necessary to performing your normal business functions you do _not_ need to obtain specific consent. Monitoring your own internal infrastructure for unique users, DDoS attacks and so on is an obvious legitimate interest.

      In contrast harvesting billions of page views for 3rd party AdTech applications (which are then resold to other 3rd parties) without the user ever knowing about it is a much, much trickier application to justify as it has nothing to do with the business the person is interacting with. Though there is a specific mention of "direct marketing" being acceptable, so this one stays firmly grey.
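The reply above argues that an unkeyed hash of an IPv4 address is not a masking technique because the whole 32-bit space can simply be re-hashed and matched. The block below is an added example written for this page, not code from the thread or from any cited source; it shows that dictionary attack, plus the two alternatives the reply mentions (truncating to a prefix, and a keyed HMAC that is still a 1:1 pseudonym but cannot be enumerated without the key). The function names, the secret key and the log addresses (taken from the RFC 5737 documentation ranges) are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, Optional


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad string, as a naive 'anonymised' log might store it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    Still a deterministic 1:1 mapping (so pseudonymised, not anonymised), but an attacker
    holding only the log cannot rebuild the table without the key.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(target_hex: str, network: str) -> Optional[str]:
    """Dictionary attack: re-hash every address in `network` until one matches `target_hex`.

    The full IPv4 space is 2**32 candidates, only 2**24 times the /24 used in the demo
    and well within reach of a single machine with an unkeyed hash.
    """
    for addr in ipaddress.ip_network(network):
        if naive_pseudonym(str(addr)) == target_hex:
            return str(addr)
    return None


def build_rainbow(network: str) -> Dict[str, str]:
    """Precompute hash -> IP for a range so every later lookup is O(1)."""
    return {naive_pseudonym(str(a)): str(a) for a in ipaddress.ip_network(network)}


def truncate_ip(ip: str, prefix_len: int = 24) -> str:
    """Keep only the network prefix (default /24): lossy, so no longer a 1:1 mapping."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix_len}").network)


if __name__ == "__main__":
    # Constructed log entries for the demo (documentation ranges), not real traffic.
    log_ips = ["203.0.113.42", "203.0.113.7", "198.51.100.200"]
    stored = [naive_pseudonym(ip) for ip in log_ips]

    # Reverse the 'anonymised' values by enumerating the suspected range.
    for h in stored:
        print(h[:16], "->", recover_ip(h, "203.0.113.0/24") or "not in searched range")

    # Same thing via a precomputed table: one pass, then constant-time lookups.
    table = build_rainbow("203.0.113.0/24")
    print("rainbow hit:", table.get(stored[1]))

    # Keyed variant: without `key` the table above cannot be built.
    key = os.urandom(32)  # constructed secret for the demo
    print(keyed_pseudonym("203.0.113.42", key)[:16], "(keyed; enumerable only with the key)")

    # Truncation: drops the host part, so several users map to one value.
    print(truncate_ip("203.0.113.42"))
```

Run it as a script to see the three values recovered from a 256-address search; swap the `/24` for a `/16` or `/8` to get a feel for how cheaply the search scales. Note that the keyed form only moves the problem to key custody: whoever holds the key can still rebuild the table, which is why the reply's point about 1:1 mappings not being anonymisation still applies to it.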

  5. thondwe

    EU again

    So HM Gov registers EU citizens for "free movement" (says some random element of the cabinet), so has to comply with EU GDPR which they have no power to influence??

    #takebackcontrol?????

    Don't you just love this mess? Insert "Popcorn" icon here

    1. Anonymous Coward
      Anonymous Coward

      Re: EU again

      GDPR applies to all organisations that handle any EU citizen's data or handles any person's data within the EU, regardless of where that organisation itself operates.

      So yes it applies to us and we have no say in its enforcement.

      But that has nothing to do with whatever you're on about.

    2. Doctor Syntax Silver badge

      Re: EU again

      "takebackcontrol?"

      Let me try and simplify this for you.

      Taking back control was sold to the voters (or at least to those who bought into the idea) as allowing the UK people to take back control from some nefarious EU and its courts. It should have failed under the Trades Description Act.

      What HMG, and particularly our Home Sec in residence and Home Sec in command, mean is that they, the govt., take back the control that the EU had granted to the EU people.

      For instance every attempt by successive governments of whatever colour to undertake mass surveillance has foundered when it gets to court and is judged by those EU standards. When they take back control they can do what they want because they'll have removed themselves from the control of the court that exists to protect you.

      Make no mistake, you don't get control; you get controlled.

      1. Anonymous Coward
        Anonymous Coward

        Re: EU again

        To put it another way.

        We're spectacularly screwed and it's our own fault.

    3. phuzz Silver badge
      Trollface

      Re: EU again

      We should try and find a way to get some kind of influence over EU laws and regulations, we should get a vote or something. Even better, then we'd be able to steer the regulations so that they benefited the UK!

      Oh wait....

      1. codejunky Silver badge

        Re: EU again

        @ phuzz

        "We should try and find a way to get some kind of influence over EU laws and regulations"

        Why? While we are conquering the EU and bending them to our will we also trade with the US. Shall we do the same with them? Or the Chinese, India, etc.? We don't need to get down on our knees to please anyone else we work with, so if the EU is so stuck up that it can't figure out a way to work then that's their issue.

        Let's get off our knees and have some dignity and self respect

  6. nsld
    Facepalm

    Guidance

    A lot of the guidance from the Article 29 working party is yet to be published so it's going to be interesting to see how many changes are required in this bill before it truly meets the requirements of GDPR.

    Of course this also crosses the Maybot's red line regarding the ECJ as they will make rulings which the UK will have to comply with to continue to do business with EU nations. It's going to be interesting to see how they spin that.

    Whichever way you slice and dice it we will have no voice or say, and if the EU decides on an arbitrary basis that as a 3rd country we no longer meet the requirements then it's game over for a lot of tech business. Any global business with half a brain is going to move its data processing operations to the EU27 rather than risk a negative determination as a third country, which also means that UK citizens' data will be housed in an area we have no say or influence over.

    Apparently, when it comes to data 'taking back control' really means dropping our pants and wondering why everyone is pointing and laughing.
