
The Trouble with the UK’s New “Right to be Forgotten” Internet Law

Monday, Aug 7th, 2017 (9:51 am)

The Government has today set out details of their new Data Protection Bill, which aims to give individuals more control over their data online by introducing a new “right to be forgotten” (i.e. asking for your personal data to be deleted) and enabling emails or files to be moved when switching ISP.

The bill also adds a new data portability rule, which means that “where you change internet service provider, if you are using email or file storage services to store personal photographs or other personal data you should be able to move that data.” At present it’s not particularly clear how this will work but it sounds as if the ISP may need to offer some form of common export / import format.

https://www.youtube.com/watch?v=AwHLG2chwwU

On the surface what the Government hopes to achieve is entirely understandable and in many ways very necessary, particularly in light of all the recent cyber-attacks and massive leaks of personal data. Not to mention the way in which our data can be used, and sometimes abused, by all sorts of Internet companies and organisations.

Suffice to say that tougher rules are most definitely needed and the Data Protection Bill, which is an update to the Data Protection Act 1998 (DPA), is seen as the solution and one that introduces the following key changes.

The Data Protection Bill will:

* Make it simpler to withdraw consent for the use of personal data.

* Allow people to ask for their personal data held by companies to be erased.

* Enable parents and guardians to give consent for their child’s data to be used.

* Require ‘explicit’ consent to be necessary for processing sensitive personal data.

* Expand the definition of ‘personal data’ to include Internet Protocol (IP) addresses, internet cookies and DNA.

* Update and strengthen data protection law to reflect the changing nature and scope of the digital economy.

* Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them.

* Make it easier for customers to move data between service providers.

The bill itself is effectively the United Kingdom’s version of the EU’s new General Data Protection Regulation (GDPR) framework, albeit with a few extra bits and bobs bolted on top. The GDPR will apply in the UK from 25th May 2018.

Matt Hancock MP, Minister of State for Digital, said:

“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

However the law could also suffer from a number of problems with implementation, which in some cases might make its provisions unworkable. Most of the problem areas tend to stem from a lack of technical understanding about how internet systems, content and services work in the real-world vs how politicians think they function.

For example, the decision to include IP addresses as personal data could be tricky because most ISPs assign a dynamic address to their end-user connections, which can change every time your router is switched off and on (rebooted) or when the ISP recovers from an outage (unless it’s a static IP). Not to mention that many people may conceal their real IP behind proxy servers, VPNs or Tor etc.

Similarly a dynamic IP address on its own is at best usually only good enough to identify a connection or device (e.g. your broadband router) and possibly the bill payer, but modern internet connections are usually shared between many users (e.g. home / hotel / public wifi) and so they aren’t much good at accurately identifying a specific individual.

Forcing websites to adopt tough new rules on data privacy and strict consent systems could also face problems. Today there are over 1 billion websites in the world and most of those are set up by individuals and small businesses that have very little knowledge of the underlying technology or how to self-code their own systems.

For example, many people will simply click a button to install a Content Management System (CMS) on some webspace they’ve purchased and then another button is clicked to add a style and content. All those systems will be coded by other companies and yet they still enable the website owner to offer member systems and thus to handle personal data.

In this example we could say that the CMS author (coder) holds the most responsibility for adapting their systems, but if they exist outside of the UK and EU then the law may not be such a concern unless it impacts their cash flow (assuming they have a big EU/UK cash flow, but many are open source projects). Even then the website owner may not even know how to upgrade.

This is a bit like the difference between knowing how to drive a car (install a simple webpage) and knowing how to rebuild the engine (i.e. self-code a website and its systems); most do the former but not the latter. Except in this case not being able to do the latter could mean that website owners will lack the necessary knowledge or money to correctly adapt their websites for the new law, which opens them up to possible fines.

Currently the maximum fine the ICO can issue is £0.5m, but larger fines of up to £17m (€20m) or 4% of global turnover will be allowed, enabling the ICO to respond in a proportionate manner to the most serious data breaches. Mind you that’s more of a problem for companies than individuals.

Admittedly the Government are perhaps more concerned about the big players, although the law as proposed doesn’t appear to differentiate between big and small. It also seems to put more of the blame for hacking on those being attacked rather than the hackers themselves, yet there’s no such thing as 100% security in any system. On this point it would be good to see the police being given more resources to investigate hacks against smaller organisations, not only the big boys.

Elsewhere the law says it will “expect responsible websites to have minimum age rules and policies to ensure that children are not exposed to inappropriate content”, which is all well and good for the big boys like Google and Facebook but it doesn’t work at the smaller scale. The vast majority of websites have no way of accurately identifying visitors or their ages and nor would most of them ever want to have that level of power. In fairness even Google and Facebook can be misled, with ease, about the identity of their users (fake names, emails etc.).

The other problem is that allowing somebody to delete their content / personal data can destroy the continuity and context of a discussion that may involve many more people. For example, if the original author of a discussion topic or news article removes what they wrote then that could ruin all of the many pages of submissions that follow. Hopefully an exception will be included to prevent public figures, such as politicians, from being able to remove their past misdeeds.

However the “right to be forgotten” does include a caveat, which means that it can only be used “as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.” Arguing the latter could be tricky.

One other potential problem is that the new law appears to conflict with the Government’s internet-snooping-centric Investigatory Powers Act (IPA).

Entanet’s Product Manager, Paul Heritage-Redpath, said:

“How can a law that requires the mass collection of personal information by your ISP and then authorises that information be accessed by various law enforcement and security agencies without a warrant, coexist with a new law that gives citizens the ‘right to be forgotten’ and (rightly or wrongly) even classes your IP address as a form of personal data? Surely, this is a contradiction in Government policy at the very least?”

Overall the law includes some much needed improvements, although there are clearly a lot of challenges involved with its implementation and we hope that the Government will recognise those as part of their forthcoming debates. The internet and websites are not merely set up by companies and big organisations; millions of people have set up personal or small business websites too and many of those may struggle to adapt without support.

The 2017-18 Data Protection Bill
https://www.gov.uk/../consultations/general-data-protection-regulation-call-for-views

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.