Google and Facebook could face fines stretching into billions of pounds if they breach users’ privacy under a new law.
The fines are part of the Data Protection Bill which the Government is introducing to give citizens more control over their data.
It will place new requirements on companies about how they are allowed to hold and use data on ordinary citizens.
In the case of the most serious breaches of these rules, it allows the data regulator, the Information Commissioner’s Office (ICO), to fine companies £17m or 4% of their global turnover, whichever is higher.
The fines for the largest companies which use individuals’ data to sell advertisements, such as Google and Facebook, could stretch to billions of pounds.
Neil Brown, a solicitor at Decoded Legal, a law firm specialising in digital laws, told Sky News “it was unlikely that the regulator will go anywhere near the top level very quickly”.
“Other corrective powers – including the power to ban a company from processing data – are likely to be the regulator’s first port of call,” Mr Brown said.
The proposals include:
:: Allowing people the “right to be forgotten” online
:: Individuals can ask social media platforms to delete information they posted when they were children
:: People must give explicit consent for personal information to be collected online
:: People can ask for personal data held by companies to be deleted
:: It will be easier and free for people to get organisations to reveal the personal data they hold
:: New criminal offences will be created to deter companies from creating situations where someone can be identified from anonymised data
:: The definition of personal data will be expanded to include internet cookies and IP addresses
The law will also require social media platforms to delete information on children and adults when asked to, and will mean that default “opt-out” checkboxes will become a thing of the past.
Instead of people ticking the box to not receive marketing emails, they will now need to “opt-in” and give explicit consent to be contacted for those purposes.
Mr Brown said that by outlawing ‘consent by silence’ and pre-ticked boxes, and requiring companies to separate out requests for consent from general terms and conditions, consumers should be far better informed about when, and for what, they are being asked for consent.
Matt Hancock, minister of state for digital, said the law was designed to support businesses in their use of data, and give consumers the confidence that their data is protected and that those who misuse it will be held to account.
Elizabeth Denham, who heads the ICO, said her office was “pleased the Government recognises the importance of data protection”.
The bill is designed to bring one of the EU’s widely supported General Data Protection Regulations into British law, giving the Brussels-based law new footing in Westminster.
Mr Brown said: “Having a law which is consistent with the EU framework will be essential if Brexit goes ahead, so this announcement is very promising.
“However, questions are likely to be asked by the European Commission and others about the UK’s surveillance powers and whether they afford sufficient privacy protections.”