The UK’s ambitious Data Protection and Digital Information Bill is currently being debated in the Parliament but it has already caused ripples across the tech world with giants such as WhatsApp and Signal joining hands to oppose the bill.
The government claims that these new rules will reduce the cookie pop-ups and crackdown on nuisance calls with bigger fines, contributing £4.7 billion to the UK economy over ten years.
Key talking points of the Data Protection and Digital Information Bill
The current bill is the second version which has replaced the original one of July 2022. Here are some main points of the bill:
- The data will only be considered personally identifiable by an organisation other than the controller or processor if the organisation has access to the data or is likely to get access to it in the future. If the organisation doesn’t have access to the data or isn’t likely to get access to it, then the data is considered anonymous and is outside the ambit of the bill.
- The processing of personal data for marketing purposes may be regarded as carried out for legitimate interest. However, it is important to note that necessity and balancing tests will still need to be met. The bill also states that controllers may rely on Article 6(1)(f) to process data for other legitimate activities if it is necessary and proper balancing is carried out.
- The bill moved some parts of GDPR into the main law to make it clearer. While keeping the list of types of scientific research such as applied or fundamental research into technological development, the bill adds a clause to confirm what research can be considered scientific, whether they are publicly or privately funded or whether the research is carried out for commercial or non-commercial purposes. The government has also clarified that research into public health is only scientific research if it is in the public interest. The bill is also proposing to exempt controllers from the requirement to provide notice where personal data has been collected directly from the data subject for research, archival or statistical purposes, and where providing such information would be impossible or require a disproportionate effort.
- The record-keeping requirement has been considerably changed. Organisations are only required to keep records of personal data processing if that processing is likely to result in a high risk to the rights and freedoms of the individuals.
- The Secretary of State can add or remove scenarios via secondary legislation where there is meaningful human involvement.
Why there is a furore from certain sections of society?
Although the government of UK have high hopes for this bill, many online platforms and certain sections of the civil society are not particularly pleased with it.
WhatsApp and Signal, along with other services such as Element, Session, Threema, Viber and Wire, signed an open letter to the government saying that the bill could be used to outlaw end-to-end encryption. The bill provides no explicit protection for encryption and if passed, it would empower Ofcom, the UK’s communication regulator, to snoop in on the messages nullifying the very purpose of end-to-end encryption.
At the very core of the debate are the clauses that allow Ofcom to compel communications providers to take action to prevent harm to the users. These clauses take away the possibility of the messaging app not meddling in the messaging process as they will have to comply with Ofcom’s directives.
At the very least, these clauses expose the hypocrisy of the lawmakers. On one hand, they appreciate the importance of encryption and on the other hand, they claim that it’s possible to view anyone’s message without undermining end-to-end encryption which is simply not possible.
However, not all the sections are against the bill. Despite privacy concerns, the bill is backed by child safety campaigners, with the National Society for the Prevention of Cruelty to Children (NSPCC) describing private messaging apps as the “frontline of online child sexual abuse”.
“Experts have demonstrated that it is possible to tackle child abuse material and grooming in end-to-end encrypted environments. Regulation should incentivise tech companies to find a balanced settlement and distance themselves from tired false arguments that claim children’s fundamental right to safety online can only be achieved at the expense of adult privacy”, said Rich Collard, the associate head of child safety, NSPCC.
Now, it is up to lawmakers to balance privacy concerns with the security of children. The tech giants have already warned to leave the UK should the bill is passed and becomes law.
In the News: RentoMojo confirms data breach; Over a lakh subscribers impacted