Why this missing piece of the UK's Data Protection Bill 'threatens consumer rights'

A padlock on a motherboard surrounded by keys

The UK's new Data Protection Bill, which is currently making its way through Parliament, seeks to update our data protection legislation to be in line with upcoming changes at the European level under GDPR, considered some of the toughest data regulations in the world.

The move means that once GDPR comes into force in May 2018, the UK will have regulations that closely follow those at the European level, something that is required to ensure the UK is white listed and is able to participate in the transfer of data across the continent.

However, the UK does have some leeway when it comes to the implementation of these regulations, including the option to tweak articles to fit UK requirements.

Currently, the UK's Data Protection Bill contains 27 amendments or omissions to the GDPR regulation framework. This includes a change to article 8, which allows the government to set its own age of consent laws for the processing of data, and a relaxation of article 10, allowing the UK to authorise the processing of data relating to criminal offences by bodies other than public authorities, otherwise prohibited under GDPR.

Many of the derogations are minor, and reflect certain procedural aspects that the UK government wishes to keep, yet the omission of article 80 has proven to be contentious among digital rights campaigners.

The first part of this article (80.1) states that victims of data breaches wishing to seek compensation have the right to hand their case over to independent bodies who will fight on their behalf. Instead of implementing the article in full, the government has decided to omit this clause, stating that it will move to legislate separately to allow non-profit organisations to deal with compensation claims.

Currently, there's nothing to indicate that the government will renege on this pledge, however the fact it will not be enshrined into the Data Protection Bill has raised concerns among consumer groups that it either won't happen, or will not appear in time for GDPR coming into force next May.

What is equally troubling is that organisations will be unable to act off their own initiatives to bring complaints against company's in breach of consumer rights, as article 80.2, which would grant this power, has also been omitted from the Bill. Currently, there's no indication that the government plans to legislate on this provision.

Following the announcement in September that the Bill would be moving through parliament, it encountered almost immediate opposition from the Open Rights Group. The body's executive director Jim Killock said that the government had "neglected an important option in the General Data Protection Regulation. Open Rights Group wants to be able to campaign on behalf of people who are afraid of complaining or do not realise that they have been affected."

This week the issue surfaced once again when consumer group Which? called for the Data Protection Bill to include a clause that lets both non-profit and for-profit organisations fight on behalf of consumers, even if express permission is not given by affected parties.

"Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised," said Which? managing director of home products and services, in a statement. "The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach."

Research conducted by the watchdog found that of 2,000 internet users interviewed, one in ten believed they had been subject to a data breach over the past year, but remain confused as to who is responsible for protecting their data, and who to contact if they want to seek compensation.

When asked why the clause had been omitted in the Data Protection Bill, a government spokesperson told TechCrunch: "We are confident that our Data Protection Bill will provide consumers with the necessary protections when there's been an infringement of their rights regarding personal data. The Bill will make the UK fully compliant with the GDPR."

The issue is that for many consumers, the process of secure redress for lost data requires taking a lengthy, and often expensive, route through the courts where they're unlikely to benefit from the same legal expertise that an independent body will provide. Given that article 80 will not make its way into the Data Protection Bill, there's a possibility that an equivalent law won't see agreement until after GDPR comes into effect next May, and when it does arrive, will significantly hamstring the powers of consumer rights organisations.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.