UK data protection laws to be overhauled
Britons could obtain more control over what happens to personal information under proposals outlined by the government.
Citizens will be able to ask for personal data, or information posted when they were children, to be deleted.
The proposals are part of an overhaul of UK data protection laws drafted under Digital Minister, Matt Hancock.
Firms that flout the law will face bigger fines, levied by the UK's data protection watchdog.
The bill will transfer the European Union's General Data Protection Regulation (GDPR) into UK law.
"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world," said Mr Hancock in a statement.
"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit," he added.
Proposals included in the bill will:
- make it simpler for people to withdraw consent for their personal data to be used
- let people ask for data to be deleted
- require firms to obtain "explicit" consent when they process sensitive personal data
- expand personal data to include IP addresses, DNA and small text files known as cookies
- let people get hold of the information organisations hold on them much more freely
- make re-identifying people from anonymised or pseudonymised data a criminal offence
This places a strong burden on firms to protect data and allows for significant fines if they fail to protect information or suffer a breach.
What can I ask to be removed?
If you worry about embarrassing social media posts lingering online for years, you will soon have the right to ask for them to be removed.
And should you wish for any firm that holds your personal data - from your name to your DNA - you will be able to ask them to delete it.
There are, however, arguments that those holding the data can put forward to refuse such requests, such as freedom of expression and matters that are of scientific or historical importance.
Many of these measures are already part of the EU's forthcoming GDPR, but they are also being woven into the government's bill.
All of this goes beyond the "right to be forgotten" rules that already apply to search engines - those affect what can be listed in search results - but the GDPR and associated legislation impact data held by a wide range of companies.
In the UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover.
The current maximum fine firms can suffer for breaking data protection laws is £500,000.
The UK's Information Commissioner will have its powers strengthened and extended to help it police the new regime.
Elizabeth Denham, the information commissioner, said: "We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."
But small companies were largely in the dark about what the proposed law would mean for them, warned Mike Cherry, national chairman at the Federation of Small Businesses.
"They simply aren't aware of what they will need to do, which creates a real risk of companies inadvertently facing fines," he said.
And as for members of the public, many find it "almost impossible" to understand the complex ways in which firms handle their data, according to computer security researcher Steven Murdoch at University College London.
He argued that privacy groups should be able to make independent data protection complaints on behalf of consumers.
"Currently, the UK's proposal does not take up this option available under EU law," he told the BBC.