On the 7th August the UK Government's Department for Digital, Media and Culture (DCMS) published a press release to the effect that they intended to strengthen the UK data protection laws to give individual citizens enhanced rights to determine what happens to their personal data on the Internet. You can read their press release here:
https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law
To quote from the DCMS GOV.UK Website the thrust of the enhancement to the law is:
Public to have greater control over personal data - including right to be forgotten.
New right to require social media platforms to delete information on children and adults when asked.
What Is Proposed
Broadly, this will mean that once the proposal is made law then:
The Data Protection Bill will:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data [This will outlaw the use of 'opt-out' and pre-selected tick boxes giving Websites consent to gather users' personal data.]
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
(Source: GOV.UK website. Accessed 14/08/17)
New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.
Apparently, this change to the law is intended to ensure that citizens' rights are protected 'post-Brexit' and to ensure that companies and organisations know where they stand. The proposed fines for transgression are substantial.
Reading the proposed enhancements to the law, it appears that these changes are to be welcomed. They appear to substantially strengthen the rights of UK citizens to control and protect their personal data. If these proposals become UK law, they'll be of benefit to the 'average Joe' and will redress the balance somewhat between the Website and the user.
However, there are some hurdles to cross before that happens and two that immediately spring to my mind are:
- The proposals have to actually make it into UK law. This is a long and drawn-out process and delays and failures are reasonably commonplace.
- Lobbyists will no doubt already be hard at work trying to get the proposed legislation watered down to favour the interests of their corporate paymasters.
Both of these factors may result in a weakened law or no law at all. To use an old saying: "There's many a slip betwixt cup and lip." That may well be the case here.
The Minister for Digital, The Right Honourable (Rt. Hon.) Matt Hancock, is the sponsor of these proposals and will be responsible for guiding them through the UK Parliament. Let's hope he's successful.
A Useful Addition?
During my random wanderings through the Internet, one of the things that I've noticed that would help safeguard users' personal data is the use of SSL connections and certificates. Let me expound: I've noticed that when gathering users' personal data there are a number of Websites that either:
- Don't use an SSL ('https') connection when gathering the data.
- Have invalid or expired digital certificates on the same pages.
This broadly means that the pages that are used to gather users' data are insecure and could be leaking data to any Tom, Dick or Harry that cares to look. To my mind, this is a basic error and is inexcusable. In my opinion it demonstrates a cavalier disregard for a user's personal data and is probably indicative of how that data will be treated when stored by the Website's originators.
You may well think that this is a phenomenon that only affects small 'fly-by-night' Web operations, but I'm here to disabuse you of that notion. To my surprise, several "household" names are guilty of this abject negligence. Discretion prevents me from naming names (that and the willingness to litigate) but believe me when I say they're out there if you care to look.
If the Rt. Hon. Minister wants to further strengthen users' rights concerning personal data, he would do well to consider introducing legislation that mandates all Web pages that are used to gather users' data implement SSL protocols and have a valid and current digital certificate from a bona-fide certificating authority. This, to me, would be a basic 'quick win' to strengthen Internet security and bolster the safeguarding of users' data.
Of course, for legislation to be effective, it needs to be backed by appropriate sanction for transgressors. In this case, I would encourage the Minister to consider appropriate fines of the same magnitude as those proposed for the intended legislation described in the first part of this post. In addition, the Minister should consider drafting the law so that any organisation found to be gathering user data without appropriate SSL and certificate protocols be regarded as automatically criminally negligent, thus creating the opportunity for users to recover damages for the disregard in handling their data.
The resulting hit to their 'bottom line' should serve as an incentive to properly protect the data of users that supply it. Sticks and carrots...
If the Minister is out there reading this (why would he?) then Minister, I would encourage you to give serious consideration to this proposal and to drafting the appropriate legislation to address it. It would be a straightforward way of ensuring that proper regard is paid to user data gathering via the Internet.
Thank you all for reading.