The UK government has enjoyed pats on the back all round this week with the announcement of plans to strengthen data protection laws.
The Data Protection Bill, which will hand citizens significant new rights to stop companies collecting and sharing data about them online, has been widely welcomed by privacy campaigners, consumer rights advocates and the tech industry alike.
Yet less than nine months ago, this same government passed the Investigatory Powers Act. Dubbed ‘the Snoopers’ Charter’, this draconian new set of surveillance laws handed UK authorities unprecedented powers to spy on people through their online browsing habits, the apps they use on their smartphone, and the digital services they subscribe to.
Coming out fighting for citizens’ digital rights is certainly welcome. But when you are at the same time engaged in your own mass harvesting of private data, with little or no oversight, something starts to smell a little fishy.
A boost for privacy
In its own right, the Data Protection Bill should be welcomed as a timely boost for online privacy and personal data protection. The new laws will:
- Hand UK citizens the right to see what data any online company holds on them;
- Create a “right to be forgotten”, forcing organisations to delete digital records they hold on a person on request;
- Extend the definition of personal digital data to include IP addresses and cookies, which can be used to track browsing habits;
- End “consent by default” in data collection. Web users will now have to opt in to any collection activity;
- Enforce all proposals with stiff fines of up to £17 million, or 4% of turnover.
All of this will greatly empower ordinary people in the UK to take control of how their private data is collected and used online. It marks a landmark in the struggle for digital privacy.
There is, however, a catch. As far as anyone can tell, these proposals will apply to companies and organizations which operate online – but not to the government.
So while Westminster wants to be seen standing up as a champion of the people by cracking down on the snooping into our lives by the likes of Google, Facebook and Amazon, the question is – who is going to stand up against mass online surveillance carried out by the government?
Do as we say, not as we do
The proposals contained in the Data Protection Bill mean companies will no longer be able to assume your consent, using pre-checked tick boxes, before sharing information about you with online advertisers. It will mean that, if you ask for it, your ISP will be forced to show you all of the data it holds about you, including all of your historical browsing records. If you ask them to delete any of that data, they will have to comply.
These new digital rights are directly contradicted by some of the main points of the Investigatory Powers Act.
Are we, for example, now going to see the UK government ask for consent before it collects private digital data? Not likely. One of the central points of the Snoopers’ Charter was to remove the need for judicial approval before the authorities could access your data.
The new digital rights are directly contradicted by the key points of the Snoopers’ Charter. It’s rank hypocrisy.
The classification of IP addresses and cookies as private data also rings hollow when you consider that the Investigatory Powers Act forces ISPs to collect information about subscribers’ browsing habits en masse, and hand it over on request. Your IP address, and the cookies websites leave on your device when you load them, are key to how your ISP tracks what you do online.
And what about the ‘right to be forgotten’? The Data Protection Bill will mean social media companies like Facebook will have to delete any posts, including images, you made before the age of 18, if you ask them to. Do we really expect the government to follow suit and show citizens the data it holds on them, never mind delete it?
None of the proposals in the Data Protection Bill are ideas dreamed up by the UK government. Point by point, they are almost identical to those in the General Data Protection Regulation (GDPR) – the EU-wide reforms which come into force in May 2018.
Regardless of the Brexit vote, the UK will still be a member of the EU then. The government has always said it will honor the GDPR, so from that point of view, the Data Protection Bill is a formality.
There is also a revealing line in the announcement of the Bill which talks about “helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.” Despite all the talk of a ‘hard’ Brexit, the government knows full well the importance of EU trade to the UK economy, and how critical it is to maintain open lines of data exchange to support this.
In other words, the UK cannot afford not to be compliant with the GDPR. These are rules it is borrowing wholesale from the EU because it feels it has no other choice. Given the background of the Investigatory Powers Act, talk of championing personal privacy is just lip service. This Bill is about looking after business interests in a changing international climate on data regulation.
The UK government simply cannot be trusted to protect your personal data. PM Theresa May’s track record on online privacy alone is enough to cast serious doubt on her government’s motives. And what we are in danger of seeing is a two-tier approach to digital privacy. Companies will be forced to toe the line and put the interests of ordinary users first, while the government continues to harvest our data wholesale with no oversight or regulation.
Trusting the government to take care of your data will only lead to complacency and even greater risk. The only way to be sure you are protected is to take responsibility yourself, by changing your online habits and choosing the technology which can keep your data safe.