UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?

So if re-identifying folk from anonymised data is to be a crime...

The UK’s Data Protection bill has landed with a hefty thud, offering up 200-plus pages of legislation for the geeks and wonks to sink their teeth into.

The bill, launched into the House of Lords yesterday and published in full today (PDF), aims to overhaul the UK’s data protection laws and update them for the digital age.

Much of the text aims to implement the European Union’s General Data Protection Regulation, which comes into force in May 2018; confirming for the Nth time that businesses can’t rely on the idea that Brexit will get them out of complying.

As Neil Brown, tech lawyer at decoded:Legal, put it: “The message seems clear: irrespective of Brexit, the GDPR is here to stay, so you may as well get on and implement it, and do it well.”

On top of this, there are some added extras in the UK’s bill - such as new criminal offences related to dodgy data dealings - as well as some exemptions and derogations, which are to be expected when a member state implements an EU regulation.

However, any hopes that the UK’s legislation would ease the confusion - or perhaps high drama - around the GDPR have been dashed.

The document runs to 218 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, and - as has been pointed out by many observers, parts of the text - like this eye-crossing sentence: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR” - are fairly Kafka-esque.

Certainly, the complexity of the document - which is part and parcel of a bill that seeks to implement EU law and replace existing UK laws on data processing by both corporate and law enforcement bodies - will keep the lawyers in business for the foreseeable.

Nine months and a lot more b*llocks to go before new EU data protection rules kick in


Describing the bill as “a bit of a mess”, Jon Baines, chairman of the National Association of Data Protection and Freedom of Information Officers, said it was "indicative of how difficult it is, and will be, for the UK to make legislation which enables us to trade and cooperate with the EU when we leave it".

He added that there was a "real risk" of confusion, in part because of the escalating hype around GDPR.

“Already we have organisations utterly confused about their obligations, and any number of ill- or under-informed advisers and consultants muddying the waters. This is only going to get worse, I fear," said Baines.

A glimmer of hope for those frustrated by the prevalence of GDPR snake-oil salesmen comes in the section of the bill that will make accreditation of certification providers valid only if they are carried out by the information commissioner or the national accreditation body.

But Baines noted that the ICO has been working on something similar for years, and added: “I really hope the accreditation and certification provisions ultimately lead to a raising of standards but I'm not optimistic for the near and mid-term future.”

What's in the bill?

The purported aim of the new legislation is to offer people more control over their data and how people use it.

It tightens up rules on consent - for instance, the much-trailed end of the dreaded pre-ticked box - allows people to withdraw consent, and gives them the right to access information on how organisations use their data, as well as to request that posts or photos about them are deleted.

Groups that are given exemptions from some of the data processing rules in the Data Protection Bill include journalists - who are allowed to process data on people if it will ”expose wrongdoing” - and bodies investigating financial fraud and doping in sport.

Fines for organisations in breach of the rules are to be paid in Sterling, and have been set at a maximum of £17m or 4 per cent of global turnover. This is (at the moment) a straight conversion of the GDPR's max fine of €20m - if Brexit does much more damage to the exchange rate, UK firms might have something to be thankful for.

Elsewhere, the UK government sets out new recordable offences - meaning the police will record them in the national police computer - including unlawfully obtaining personal data and altering personal data in a way to prevent it being disclosed.

Re-identification of de-identified personal data will also be an offence, which comes with an unlimited fine.

However, Brown noted that the legislation does not make a specific reference to exemptions for security researchers - so they will have "to take care to ensure what they do is 'justified in the public interest'."

Alan Woodward, a security researcher at the University of Surrey, said that there was a real chance researchers could be caught out by this, adding that it was reminiscent of laws that make reverse-engineering of software products illegal.

“At the moment I think researchers are ‘assuming’ that if they prove that an anonymised data set can be subject to re-identification, then it would be in the public interest for that fact to be known,” he said. “Personally I would see it as equivalent to responsible disclosure of security vulnerabilities.”

But Baines argued that, although it might be preferable to have something more specific, “in practical terms, the [defences set out in the legislation] should prevent anyone being unfairly prosecuted for public interest security research”.

Observers told The Reg that they had spotted few other controversies or surprises in the document, but stressed that it was still early days, especially when the bill has yet to be debated in Parliament.

The legislation is due for its second reading in the House of Lords - the first chance for peers to discuss the legislation - on 10 October. ®

Other stories you might like

  • Dog forgets all about risk of drowning in a marsh as soon as drone dangles a sausage

    It's not the wurst idea in the world

    Man's best friend, though far from the dumbest animal, isn't that smart either. And if there's one sure-fire way to get a dog moving, it's the promise of a snack.

    In another fine example of drones being used as a force for good, this week a dog was rescued from mudflats in Hampshire on the south coast of England because it realised that chasing a sausage dangling from a UAV would be a preferable outcome to drowning as the tide rose.

    Or rather the tantalising treat overrode any instinct the pet had to avoid the incoming water.

    Continue reading
  • Almost there: James Webb Space Telescope frees its mirrors and prepares for insertion

    Freed of launch restraints, mirror segments can waggle at will

    NASA scientists have deployed mirrors on the James Webb Space Telescope ahead of a critical thruster firing on Monday.

    With less than 50,000km to go until the spacecraft reaches its L2 orbit, the segments that make up the primary mirror of the James Webb Space Telescope (JWST) are ready for alignment. The team carefully moved all 132 actuators lurking on the back of the primary mirror segments and secondary mirror, driving the former 12.5mm away from the telescope structure.

    Continue reading
  • Arm rages against the insecure chip machine with new Morello architecture

    Prototypes now available for testing

    Arm has made available for testing prototypes of its Morello architecture, aimed at bringing features into the design of CPUs that provide greater robustness and make them resistant to certain attack vectors. If it performs as expected, it will likely become a fundamental part of future processor designs.

    The Morello programme involves Arm collaborating with the University of Cambridge and others in tech to develop a processor architecture that is intended to be fundamentally more secure. Morello prototype boards are now being released for testing by developers and security specialists, based on a prototype system-on-chip (SoC) that Arm has built.

    Arm said that the limited-edition evaluation boards are based on the Morello prototype architecture embedded into an Armv8.2-A processor. This is an adaptation of the architecture in the Arm Neoverse N1 design aimed at data centre workloads.

    Continue reading

Biting the hand that feeds IT © 1998–2022