Government tweaks Data Protection bill to protect security research

Government proposes new changes to Data Protection Bill to protect security researchers

The government has put forward amendments to the Data Protection Bills in order to support security researchers exploring ways people and companies can abuse personal data.

In the past, security professionals have slammed the UK's data protection laws for criminalising research intended to protect people's online security.

According to The Guardian, though, the proposed amendments will include a new clause stating that it is against the law to "intentionally or recklessly re-identify individuals from anonymised or pseudonymised data".

Because of this semantic change, the government could introduce unlimited fines for offenders. However, it's not known when such changes would happen.

Introduced in August, the government's new data protection laws are intended to bring post-Brexit Britain into line with EU data protection laws, effectively absorbing the essence of the EU General Data Protection Regulation (GDPR) into British law.

However, they have been scrutinised closely to ensure that nothing is slipped in that might undermine internet security or encryption.

The concerns were first raised in the summer, when The Guardian published a report on the topic. So far, security bods have approved of the government's planned amendments.

Lukasz Olejnik, an independent researcher who specialises in cyber security and internet privacy, is one of them. "I am very happy with the amendments," he said.

I'm especially impressed with designing a responsible way of submitting privacy weaknesses directly to ICO

Thanks to the new amendment, researchers who are conducting "effectiveness testing" will no longer be classed as breaking the law and won't face charges.

While these changes support researchers, they still have to follow a string of guidelines. Before starting any research, they need to inform the Information Commissioner's Office (ICO).

They should aim to do this within three days of testing data. As well as this, researchers will also need to show that their work is of interest to the general public.

Matt Hancock, the new culture and digital secretary, said: "We are strengthening Britain's data protection laws to make them fit for the digital age by giving people more control over their own data.

"This amendment will safeguard our world-leading cybersecurity researchers to continue their vital work to uncover abuses of personal data."

Olejnik added: "I'm especially impressed with designing a responsible way of submitting privacy weaknesses directly to ICO. In this way, the role of ICO is even strengthened as a mediator between researchers and organisations.

"The whole case underlines the need of careful analysis of proposed regulations, whether in UK or beyond. These days, badly designed technology regulations have the potential to negatively affect entire societies."