UK flag

British lawmakers have filed on Monday a statement of intent regarding proposals for improvements to the Data Protection Act, with a focus on criminalizing anonymous data re-identification, imposing larger fines for cyber incidents, and more user protections for British online netizens.

The modifications are part of UK's effort to comply with the EU's General Data Protection Regulation (GDPR) that's set to come into effect in May 2018, time until which EU governments must amend national laws to include its provisions.

New bill adds many GDPR provisions

The new Data Protection Bill (DPB), as it's currently known, includes amendments for GDPR compliance. For example:

≻    Make it simpler to withdraw consent for the use of personal data
≻    Make it easier and free for individuals to require an organization to disclose the personal data it holds on them
≻    Allow people to ask for their personal data held by companies to be erased
≻    Require ‘explicit’ consent to be necessary for processing sensitive personal data
≻    Enable parents and guardians to give consent for their child’s data to be used
≻    Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
≻    Make it easier for customers to move data between service providers

Bigger fines for cyber-incidents

Besides the above GDPR provisions, there is another, which is to raise the amount for maximum fines that UK authorities can impose for cyber incidents.

Until now, these fines were limited to £500,000 ($650,000). The biggest fine the UK government ever gave out until now was for the TalkTalk breach of 2015 when the ICO fined the ISP with only £400,000 ($520,000).

According to the proposed DPB, which is compliant with GDPR provisions, the new fine limit is of up to £17 million ($22 million) or 4% of a company's global turnover.

The criminalization of data re-identification

On top of the GDPR provisions, the DPB also comes with an extra proposal. This is the creation of a new criminal offence for when someone, intentionally or recklessly, re-identifies individuals from anonymised or pseudonymised data.

"Offenders who knowingly handle or process such data will also be guilty of an offence," the DPB proposal reads. "The maximum penalty would be an unlimited fine."

Dr. Lukasz Olejnik, independent cybersecurity and privacy researcher, affiliatee of Princeton’s Center for Information Technology Policy, applauds the UK's efforts.

"UK’s GDPR implementation may have visionary traits; in that it goes beyond merely implementing the GDPR as just a legislation," he wrote on Monday on his blog. "UK will introduce new criminal offences, among them reidentification."

Privacy expert sees some problems with new criminal offence

While Olejnik applauds the UK's efforts to expand user data privacy protections, he warns that the UK may be treading dangerous ground.

"There are several issues with [the] banning of reidentification," he says. "First, it won’t work. Second, it will decrease security and privacy."

The biggest problem in Olejnik's eyes is that there's is no effective way to enforce it in practice. Second, it stifles security and privacy research who often re-identify anonymized data in their day-to-day work.

"UK’s ICO will furthermore find itself in a possibly inconvenient position where they will need to judge which research is or isn’t appropriate," Olejnik explains.

In other words, it's good that the UK government has identified a problem, but putting it into legislation may end up being used by companies threatening researchers with prosecution in case they want to publish unflattering research that relies on re-identifying users and revealing their details from anonymized data.

In addition, the DPB statement of intent also mentioned some protections for journalists and whistleblowers, but it did not provide any details.