UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?
So if re-identifying folk from anonymised data is to be a crime...
The UK’s Data Protection bill has landed with a hefty thud, offering up 200-plus pages of legislation for the geeks and wonks to sink their teeth into.
The bill, launched into the House of Lords yesterday and published in full today (PDF), aims to overhaul the UK’s data protection laws and update them for the digital age.
Much of the text aims to implement the European Union’s General Data Protection Regulation, which comes into force in May 2018, confirming for the Nth time that businesses can’t rely on the idea that Brexit will get them out of complying.
As Neil Brown, tech lawyer at decoded:Legal, put it: “The message seems clear: irrespective of Brexit, the GDPR is here to stay, so you may as well get on and implement it, and do it well.”
On top of this, there are some added extras in the UK’s bill - such as new criminal offences related to dodgy data dealings - as well as some exemptions and derogations, which are to be expected when a member state implements an EU regulation.
However, any hopes that the UK’s legislation would ease the confusion - or perhaps high drama - around the GDPR have been dashed.
The document runs to 218 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, and, as many observers have pointed out, parts of the text are fairly Kafka-esque, like this eye-crossing sentence: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.”
“Fuck off” (pic.twitter.com/2HLFrMLayu) – Tim Turner (@tim2040), September 14, 2017
Certainly, the complexity of the document - which is part and parcel of a bill that seeks to implement EU law and replace existing UK laws on data processing by both corporate and law enforcement bodies - will keep the lawyers in business for the foreseeable.
Describing the bill as “a bit of a mess”, Jon Baines, chairman of the National Association of Data Protection and Freedom of Information Officers, said it was “indicative of how difficult it is, and will be, for the UK to make legislation which enables us to trade and cooperate with the EU when we leave it”.
He added that there was a “real risk” of confusion, in part because of the escalating hype around GDPR.
“Already we have organisations utterly confused about their obligations, and any number of ill- or under-informed advisers and consultants muddying the waters. This is only going to get worse, I fear,” said Baines.
A glimmer of hope for those frustrated by the prevalence of GDPR snake-oil salesmen comes in the section of the bill that makes accreditation of certification providers valid only if it is carried out by the information commissioner or the national accreditation body.
But Baines noted that the ICO has been working on something similar for years, and added: “I really hope the accreditation and certification provisions ultimately lead to a raising of standards but I'm not optimistic for the near and mid-term future.”
What's in the bill?
The purported aim of the new legislation is to offer people more control over their data and over how organisations use it.
It tightens up rules on consent - for instance, the much-trailed end of the dreaded pre-ticked box - allows people to withdraw consent, and gives them the right to access information on how organisations use their data, as well as to request that posts or photos about them are deleted.
Groups that are given exemptions from some of the data processing rules in the Data Protection Bill include journalists - who are allowed to process data on people if it will “expose wrongdoing” - and bodies investigating financial fraud and doping in sport.
Fines for organisations in breach of the rules are to be paid in Sterling, and have been set at a maximum of £17m or 4 per cent of global turnover. This is (at the moment) a straight conversion of the GDPR's max fine of €20m - if Brexit does much more damage to the exchange rate, UK firms might have something to be thankful for.
Elsewhere, the UK government sets out new recordable offences - meaning the police will record them on the national police computer - including unlawfully obtaining personal data and altering personal data so as to prevent its disclosure.
Re-identification of de-identified personal data will also be an offence, which comes with an unlimited fine.
However, Brown noted that the legislation does not make a specific reference to exemptions for security researchers - so they will have “to take care to ensure what they do is ‘justified in the public interest’.”
Alan Woodward, a security researcher at the University of Surrey, said that there was a real chance researchers could be caught out by this, adding that it was reminiscent of laws that make reverse-engineering of software products illegal.
“At the moment I think researchers are ‘assuming’ that if they prove that an anonymised data set can be subject to re-identification, then it would be in the public interest for that fact to be known,” he said. “Personally I would see it as equivalent to responsible disclosure of security vulnerabilities.”
But Baines argued that, although it might be preferable to have something more specific, “in practical terms, the [defences set out in the legislation] should prevent anyone being unfairly prosecuted for public interest security research”.
Observers told The Reg that they had spotted few other controversies or surprises in the document, but stressed that it was still early days, especially when the bill has yet to be debated in Parliament.
The legislation is due for its second reading in the House of Lords - the first chance for peers to discuss the legislation - on 10 October. ®