Multimillion-pound fines could be imposed for nuisance or fraudulent calls and texts under a proposed overhaul of the UK’s data rules.
Companies behind nuisance communications can be fined £500,000 by the Information Commissioner’s Office (ICO) but ministers are considering bringing the punishment in line with General Data Protection Regulation (GDPR), which can issue a fine of up to £17.5m or 4% of global turnover.
The Department for Digital, Culture, Media and Sport (DCMS) said bringing fines up to the level of the GDPR regime “could help to ensure that the enforcement regime is dissuasive”. Last year, the ICO imposed the maximum £500,000 penalty for the first time against a Glasgow-based business that made more than 193m automated calls in 2018.
Victims of persistent calls can block some by registering their number with the Telephone Preference Service, but it only blocks calls made by people, not computer-generated calls.
The proposal was published in a 10-week government consultation on a new data regime for the UK, with a specific emphasis on leaving behind EU rules in the post-Brexit era.
“Data is one of the most important resources in the world and we want our laws to be based on common sense, not box-ticking,” said the culture secretary, Oliver Dowden. “Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society.”
The 147-page document also proposes removing the need to seek user consent for analytics cookies, which track data such as how long someone dwells on a website. The DCMS said the impact on privacy from such a move was likely to be “minimal”.
“The government also welcomes evidence on the risks and benefits of … [an] option which could permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. This could include processing that is necessary for the legitimate interest of the data controllers where the impact on the privacy of the individual in likely to be minimal,” said the DCMS.
The document also flags computer and mobile phone users being able to enter their cookie preferences into browser or device settings once so that it applies to all sites, thus reducing the number of pop-up notifications they see. However, the DCMS also acknowledged that such a move could strengthen data access for companies such as Apple and Google.
The consultation also confirmed that ministers would consider a recommendation from a government taskforce to scrap the right to have a human review a decision made by a computer algorithm – such as being prioritised for Covid vaccination.
That right is covered by Article 22 of the EU data protection regulation, which became part of UK legislation as part of the switchover to a post-Brexit statutory. The taskforce on innovation, growth and regulatory reform, whose members include the former prime minister Theresa May and Iain Duncan Smith, described Article 22 as being “burdensome” for companies seeking to use artificial intelligence.
