
The Trouble with the UK’s New “Right to be Forgotten” Internet Law

Monday, August 7th, 2017 (9:51 am)

The Government has today set out details of their new Data Protection Bill, which aims to give individuals more control over their data online by introducing a new “right to be forgotten” (i.e. asking for your personal data to be deleted) and enabling emails or files to be moved when switching ISP.

The bill also adds a new data portability rule, which means that “where you change internet service provider, if you are using email or file storage services to store personal photographs or other personal data you should be able to move that data.” At present it’s not particularly clear how this will work but it sounds as if the ISP may need to offer some form of common export / import format.

On the surface what the Government hopes to achieve is entirely understandable and in many ways very necessary, particularly in light of all the recent cyber-attacks and massive leaks of personal data. Not to mention the way in which our data can be used, and sometimes abused, by all sorts of Internet companies and organisations.

Suffice to say that tougher rules are most definitely needed and the Data Protection Bill, which is an update to the Data Protection Act 1998 (DPA), is seen as the solution and one that introduces the following key changes.

The Data Protection Bill will:

* Make it simpler to withdraw consent for the use of personal data.

* Allow people to ask for their personal data held by companies to be erased.

* Enable parents and guardians to give consent for their child’s data to be used.

* Require ‘explicit’ consent to be necessary for processing sensitive personal data.

* Expand the definition of ‘personal data’ to include Internet Protocol (IP) addresses, internet cookies and DNA.

* Update and strengthen data protection law to reflect the changing nature and scope of the digital economy.

* Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them.

* Make it easier for customers to move data between service providers.

The bill itself is effectively the United Kingdom’s version of the EU’s new General Data Protection Regulation (GDPR) framework, albeit with a few extra bits and bobs bolted on top. The GDPR will apply in the UK from 25th May 2018.

Matt Hancock MP, Minister of State for Digital, said:

“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

However the law could also suffer from a number of problems with implementation, which in some cases might make its provisions unworkable. Most of the problem areas tend to stem from a lack of technical understanding about how internet systems, content and services work in the real world vs how politicians think they function.

For example, the decision to include IP addresses as personal data could be tricky because most ISPs assign a dynamic address to their end-user connections, which can change every time your router is switched off and on (rebooted) or when the ISP recovers from an outage (unless it’s a static IP). Not to mention that many people may conceal their real IP behind proxy servers, VPNs or Tor etc.

Similarly a dynamic IP address on its own is at best usually only good enough to identify a connection or device (e.g. your broadband router) and possibly the bill payer, but modern internet connections are usually shared between many users (e.g. home / hotel / public wifi) and so they aren’t much good at accurately identifying a specific individual.

Forcing websites to adopt tough new rules on data privacy and strict consent systems could also face problems. Today there are over 1 billion websites in the world and most of those are set up by individuals and small businesses that have very little knowledge of the underlying technology or how to self-code their own systems.

For example, many people will simply click a button to install a Content Management System (CMS) on some webspace they’ve purchased and then another button is clicked to add a style and content. All those systems will be coded by other companies and yet they still enable the website owner to offer member systems and thus to handle personal data.

In this example we could say that the CMS author (coder) holds the most responsibility for adapting their systems, but if they exist outside of the UK and EU then the law may not be such a concern unless it impacts their cash flow (assuming they have a big EU/UK cash flow, but many are open source projects). Even then the website owner may not even know how to upgrade.

This is a bit like the difference between knowing how to drive a car (install a simple webpage) and knowing how to rebuild the engine (i.e. self-code a website and its systems); most do the former but not the latter. Except in this case not being able to do the latter could mean that website owners will lack the necessary knowledge or money to correctly adapt their websites for the new law, which opens them up to possible fines.

Currently the maximum fine the ICO can issue is £0.5m, but larger fines of up to £17m (€20m) or 4% of global turnover will be allowed, enabling the ICO to respond in a proportionate manner to the most serious data breaches. Mind you that’s more of a problem for companies than individuals.

Admittedly the Government are perhaps more concerned about the big players, although the law as proposed doesn’t appear to differentiate between big and small. It also seems to put more of the blame for hacking on those being attacked rather than the hackers themselves, yet there’s no such thing as 100% security in any system. On this point it would be good to see the police being given more resources to investigate hacks against smaller organisations, not only the big boys.

Elsewhere the law says it will “expect responsible websites to have minimum age rules and policies to ensure that children are not exposed to inappropriate content”, which is all well and good for the big boys like Google and Facebook but it doesn’t work at the smaller scale. The vast majority of websites have no way of accurately identifying visitors or their ages and nor would most of them ever want to have that level of power. In fairness even Google and Facebook can be misled, with ease, about the identity of their users (fake names, emails etc.).

The other problem is that allowing somebody to delete their content / personal data can destroy the continuity and context of a discussion that may involve many more people. For example, if the original author of a discussion topic or news article removes what they wrote then that could ruin all of the many pages of submissions that follow. Hopefully an exception will be included to prevent public figures, such as politicians, from being able to remove their past misdeeds.

However the “right to be forgotten” does include a caveat, which means that it can only be used “as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.” Arguing the latter could be tricky.

One other potential problem is that the new law appears to conflict with the Government’s internet-snooping-centric Investigatory Powers Act (IPA).

Entanet’s Product Manager, Paul Heritage-Redpath, said:

“How can a law that requires the mass collection of personal information by your ISP and then authorises that information be accessed by various law enforcement and security agencies without a warrant, coexist with a new law that gives citizens the ‘right to be forgotten’ and (rightly or wrongly) even classes your IP address as a form of personal data. Surely, this is a contradiction in Government policy at the very least?”

Overall the law includes some much needed improvements, although there are clearly a lot of challenges involved with its implementation and we hope that the Government will recognise those as part of their forthcoming debates. The internet and websites are not merely set up by companies and big organisations; millions of people have set up personal or small business websites too, and many of those may struggle to adapt without support.

The 2017-18 Data Protection Bill

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
8 Responses
  1. dragoneast says:

    Sorry, I can’t see this as anything else than another extension of the nanny state, Thatcher’s real legacy and, like her, a hangover from the 1950s. Politicians will get their grubby mitts on anything if we let them. They’re the only bit of the state that is totally out of control. If we want to keep something private: don’t put it out there in the first place. And if we really have to because of the benefits, then do so thoughtfully and accept the consequence. I grew up without a nanny, and I don’t want one now I’m older, either. Think first, and try to understand. I know, it’s old-fashioned. Not for the cry-babies we’ve all become. The more protection, the more vulnerable we become. It used to be called growing-up.

  2. Providence says:

    Your analogy about driving a car vs building an engine, imho, is not entirely accurate. Although the vast amount of drivers in the UK cannot rebuild an engine, they are held accountable for making sure that the car is in a road worthy condition (eg MOT, regular servicing, enforcement from Road Traffic Branch of Police, min amount of tyre tread depth, etc). Whilst most people cannot (nor are expected to) rebuild an engine, they are expected to make sure the vehicle is road worthy and complies with the law, through yearly servicing etc, ignorance is not an excuse. I believe that a behavioural change will need to happen with the same applying to websites. Websites that are not updated will need to be, or the owners will see an enforcement notice and be held accountable. If they do not have the necessary expertise to code the necessary changes, then they either have to pay for it or close the website.

    1. Mark Jackson says:

      Yes but that’s because car accidents kill and seriously injure masses of people every year and so the rules have to be extremely strict. Setting up a tiny website generally is not quite such a threat to life and if you go around imposing fines on everybody then it would be a huge disincentive to starting any kind of website or online business.

      On top of that it might also discourage websites from enabling free speech by their visitors (forums, comments etc.) because the legal risk of offering such a system would be too high.

    2. dragoneast says:

      Well, at least I suppose if motoring and use of the highway is the analogy we won’t have to worry much – the laws can be observed more in the breach than in the observance, as with the laws relating to the use of vehicles (of all types).

  3. dragoneast says:

    The question all the time is how far should regulation go? Whether it’s roads or the internet. How far would vehicle regulation have to go to ensure that everyone was safe on the roads? You’d have to ban vehicles from the roads.

    In the same way restrict the internet, so that it’s not something available to everyone, whenever and wherever, and for whatever. Rationing, if you like, as we seem to be so keen on the 1950s.

    There’s a very strong public safety argument for both. Is that what we want? It’d certainly be cheaper, and quite possibly, a better world, if both motor vehicles and the internet were only available to those with the knowledge, need and sense to use them wisely. Not to everyone who wants them, and with the pretence at regulation we have at the moment, which is more about learning to play the system to your own personal advantage than anything else, least of all the protection of everyone else. Supposed democracy has a lot to answer for!

  4. gah789 says:

    Heaven preserve us from civil servants and politicians who have no technical knowledge and want to create rules that are nonsensical as a consequence. It appears that no-one has pointed out to DCMS that IP addressing is controlled by rules and bodies that are outside both UK and EU control. Both ARIN and RIPE might have something to say on the subject of transferring static IP addresses. Does every would-be owner want to register with RIPE and pay the standard membership fees? Dynamic IP addresses cannot be transferred as they are drawn from a pool of defined addresses for private or semi-private subnets. Etc, etc. I can’t think of any proposal more likely to guarantee that every ISP will shift to CGNAT or similar for user connections. And as for coping with transfers of IPv6 addresses – well the best of luck to whoever thought of that!

    1. gpmgroup says:

      Are they actually suggesting IP addresses should be portable? Or is it just that the listing and sharing of IP addresses is subject to data protection laws in the same way your name and home address would be?

  5. Simon says:

    DNA was not classed as personal data?



Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved