(6 years, 5 months ago)
General Committees
It is a privilege to serve under your chairmanship, Mr Sharma. The Minister will be delighted to hear that we are not planning to divide the Committee this afternoon, but none the less hon. Members will want some assurances about the change that the legislation will effect in the world.
At the moment, it feels to me that the Government are being forced to take incremental steps forward. We lack a holistic plan for electronic identity in this country. A country such as Estonia has 10 basic databases that contain all the information that anyone entitled to public services might need to draw on, and it is well connected. Here, we are relying on the Minister’s introducing “bits and pieces” statutory instruments, which allow this official and that official to share information.
I urge the Minister to go back to the drawing board in the months to come and think about how we can create a public option for eID. Most of us now have a plethora of private IDs, some of which are safer than others. In Estonia, they have found that creating a public option for electronic ID with good oversight allows them to unlock all kinds of new electronic services, which will be in both the public and private sector in the years to come.
The proposals are basically good. They are important because most entitlements to public services in this country still require some kind of verification from the individual, such as their paper birth certificate, marriage certificate, civil partnership certificate or indeed death certificate. At the moment it is too difficult to share that information.
There are two particular case studies on which I want to press the Minister for answers. The first relates to how the regulations will empower immigration officials in the UK Border Agency and the Home Office to quickly and readily get hold of basic information that they need to prove someone’s right to a British passport. I know that you, Mr Sharma, will have had such cases. I have had lots of cases where the Home Office either lost a passport or lost access to a passport, and where basic information is just not readily accessible or collectible in one place to allow a quick decision on, for example, nationality. Will the regulations make it easier for immigration officials to get hold of registration information that is often buried in the books and databases of registrars up and down the country, so we can stop this basic injustice? That injustice, at its worst, led to the Windrush scandal in recent weeks.
The second point on which I want to press the Minister relates to the very difficult situation that many families face upon the death of a loved one. As she will know, the courts have recently ruled that someone’s faith is a relevant issue in deciding whether to release a body quickly, so that where the diktats of someone’s religion require a burial within 24 hours, that wish can be accommodated. At the moment, in cities such as Birmingham—I know it is a problem in London as well—delays are far too great. That leads to incredible distress among families who cannot bury their loved ones within 24 hours, as they would like to in line with their religion.
It is partly about the underfunding of registration services up and down the country, but there is also a lack of information sharing between the national health service, the coroner’s office and the registration service. At the moment, that leads to delays. If, for example, someone dies at the weekend, the consultant who was on at that weekend may not be rostered back on duty for another few days, so the coroner cannot get in touch with the last medical professional to see the person before they died. It beggars belief that the national health service is unable to put in place systems that allow information sharing with civil registration officials and, where necessary, with coroners, so that bodies can be released within 24 hours and people can be buried in line with their religious beliefs.
I urge the Minister to think more radically about how we assemble a proper electronic ID scheme in this country that connects the principal databases that hold information about each of us. Secondly, I would like an answer on whether this will help us to avoid some of the mistakes that we saw in the Windrush scandal. Thirdly, if she will give us some hope that the registration system for deaths may get better for important communities in our country, we would all be reassured.
(6 years, 5 months ago)
General Committees
It is a pleasure to serve under your chairmanship, Mr Hosie. I have been writing about the need for Government to join themselves up a bit better for 22 years and so the Minister will be delighted to hear that we can give these measures—they are humble measures but none the less a step forward—our full support this afternoon.
There are, though, three questions on which the Minister could helpfully brief the Committee. First, she is seeking much broader powers for various Departments, and it is a well established principle in the House that where broader powers are given to the Executive, greater powers of oversight and scrutiny should be applied to those agencies, so we would be grateful if she said a little more about what additional oversight comes as a result of these regulations falling into place.
Secondly, the reality is that not a lot of public services are delivered proactively any more, because not many public services are left in many of our communities. None the less, where there are opportunities for local councils to join up with the Department for Work and Pensions, that is a good thing. It has been a real problem for many years that sometimes it is easier for an officer in a local authority to join a temping agency and get a temp job with the DWP in order to get hold of information from the Department. Will the Minister lay out with some clarity this afternoon that local councils will now be able to share information with the DWP and the DWP will share information with local authorities, and will she tell us what steps her right hon. Friend the Secretary of State for Work and Pensions will take to ensure that frontline managers in the DWP understand the new legal latitude available to them to join together to deliver what public services are left in this country?
The final point that the Minister might just say a word about is a problem that was raised before the Secondary Legislation Scrutiny Committee in the other place, which I do not think we have had a particularly good answer to: why, under these regulations, can data be exchanged about the whole household even if only one individual in the household meets the criteria she has set out? These are sensible regulations and they should have been put in place a long time ago, but there are a number of assurances that I know the Committee will want to hear this afternoon.
I thank both hon. Gentlemen for their remarks. In addressing some of the questions raised by the shadow Minister, I will first point out that we have made great efforts to protect the welfare state and public services as we sought to deal with a very challenging deficit. I would like to see the public services in the context of our abilities to direct those services more towards those who really need them. That is the strategy we have adopted.
For example, in the area of energy, which I spent some time on in my opening remarks, we are talking about benefits such as winter fuel payments, cold weather payments and warm home discounts. Those benefits are alive and well, and valued by the several million people who receive them. What we seek to do through the safeguards is to ensure that, when there is discretion from energy companies about how to target some of those benefits, they can use intelligence about the people who are likely to need them most to deliver those benefits even more effectively. That is what we are debating.
The right hon. Gentleman rightly points out that we need safeguards. We need to ensure that information sharing is proportionate, that it is only used by the recipient for the purposes for which it is intended and that it is not retained for any longer than necessary. We are putting a number of safeguards in place. The data sharing powers must be exercised in compliance with the safeguards under the Data Protection Act 2018 and the Human Rights Act 1998. There is also a minimum amount of data required to meet the objectives for sharing information; that is another safeguard that we have put in place.
Any further changes to the list of public authorities permitted to share data under the codes of practice can be made only via regulations that are subject to the affirmative procedure, and we have involved the Information Commissioner’s Office throughout the development of those codes. I reassure the right hon. Gentleman that we have given great consideration to safeguards and that they have been put in place. He also asked about the question of data exchange on the whole household if only one individual meets the criteria. The purpose of the objective is to assist individuals or households with a combination of disadvantages. The problems of one household member can affect the outcomes of others in the same household; in particular, children growing up in a workless family are almost twice as likely as children in working families to fail at all stages of their education.
As a result, 150,000—I am so sorry. You will be pleased to know that I was about to wind up, Mr Hosie, and—
I have given the right hon. Gentleman an opportunity to intervene. I apologise to my hon. Friends for that.
Will the Minister confirm what latitude she is giving councils and the DWP to share information? I think that that is the principal clarification that we were looking for.
The right hon. Gentleman did indeed raise that important point. It should not be the case, of course, that people need to job-hop to find out what is going on when they have only the good of citizens in mind. What is important is that the DWP will, according to the safeguards that we have built in, be able to share information for certain purposes. For example, if the Department has information about someone’s fuel poverty status they will be able to share information with local authorities. Likewise, if it has information that meets any of the other objectives that I outlined, it will be permitted to share it directly with local authorities.
I did not mean to intervene again, but my constituency has the highest youth unemployment in Britain and down the years we have been bedevilled by a lack of co-operation between the DWP and the city council. The city council often wants to target young people who need local authority-run job and employment creation schemes. It is unable to run outreach schemes that target individuals effectively, because it cannot get the information from the DWP, so it has to resort to the rather inefficient approach of targeting whole postcodes. That is the sort of thing I am driving at.
The right hon. Gentleman eloquently underlines the need for the measures that we are putting in place. We should not have to target whole populations to find the percentage of people, whatever it may be, who would particularly benefit from a programme that a local authority might want to put in place.
As long as the various protections in the information sharing code of practice, which I have gone through, are met, there is no reason why the DWP and local authorities will not be able to work together. They are permitted to share information under the Digital Economy Act 2017—and the powers in question are permissive. The right hon. Gentleman mentioned that we may need to raise awareness of the powers that the DWP now has under the provisions, and I take that on board as something to which my Department can contribute.
Question put and agreed to.
DRAFT INFORMATION SHARING CODE OF PRACTICE: CODE OF PRACTICE FOR PUBLIC AUTHORITIES DISCLOSING INFORMATION UNDER CHAPTERS 1, 3, AND 4 (PUBLIC SERVICE DELIVERY, DEBT AND FRAUD) OF PART 5 OF THE DIGITAL ECONOMY ACT 2017
Resolved,
That the Committee has considered the draft Information Sharing Code of Practice: Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017.—(Margot James.)
(6 years, 6 months ago)
Commons Chamber
I congratulate my hon. Friend on all his work in this area. We have a full agenda following the publication of the sector deal, which will ensure that the benefits of AI are effected across the country. Tech Nation now has an AI programme that will support ecosystems across the country.
If we are to be a world leader in AI, we will need more computer scientists. This week, Roehampton University reported on the total collapse in the number of students studying ICT at GCSE level. Will the Minister set out her target for the number of students studying technology over the next year, and say what she will do to ensure that more girls in particular study ICT, because that is where the collapse is worst?
I very much share the right hon. Gentleman’s concerns. We must encourage girls to study science, technology, engineering and maths, not just computer science, and programmes have been designed to do just that. We have made progress by making computer science mandatory in schools, which is a good first step. I am sure we will build on that, and recover the lost students at GCSE level to which the right hon. Gentleman rightly refers.
(6 years, 7 months ago)
General Committees
It is a great pleasure and privilege to serve under your chairmanship this evening, Mr Evans.
May I offer begrudging congratulations to the Minister on implementing yet another measure from the Labour manifesto, where we set out with a clarity that was perhaps lacking in the Conservative manifesto that we would implement anti-bot legislation to stop professional ticket touts ripping off thousands of fans in this country? The Minister did not put on the record her thanks to Professor Waterson, but let me put on the record our own thanks to him for his excellent review.
We shall not divide the Committee on the draft regulations, because the measure was such a clear and popular one in our manifesto, but we encourage the Minister to go a little further and to look at what else we promised in our manifesto. We said clearly that we would like to go beyond the recommendations that Professor Waterson proposed, which were good, but which we thought could be strengthened still further.
With that in mind, I shall ask the Minister a few questions. First, has she considered the recommendation by Professor Waterson that large-scale sellers on secondary platforms should be reclassified as traders? If someone is classified as a trader, a number of protections kick in under the Consumer Rights Act. At the moment, those protections are not available in the case of secondary platforms. It is therefore a very important question, and the Committee will want to hear the answer from the Minister.
Secondly, has the Minister considered Professor Waterson’s recommendation that such organisations should have to attain a licence to sell a large number of tickets? At the moment, they are making enormous profits from the Government’s rather hands-off, slipshod and laissez-faire approach. We think that that should change, and that Professor Waterson’s recommendation is important. We would like to hear the Minister’s conclusion, having considered the matter now that she has been in position for some time.
The third question is about the secondary ticketing market through companies such as Ticketbis and Viagogo, which continue to leave fans open to large-scale fraud. I understand that tickets for World cup and premier league games are on sale on Ticketbis without the relevant information required by the Consumer Rights Act. This will shock you, Mr Evans, but some tickets for the World cup final are coming in at more than £20,000. The Minister shakes her head, but she is the Minister, and I think the Committee would like to know what the Government are doing to ensure that fans are not being scammed.
As a fan of Heart of Midlothian football club, I have never suffered from the inability to gain tickets to big matches, but there is a report today that some tickets for the champions league final on Saturday—Liverpool versus Real Madrid—with a face value of £61 are selling for nearly £15,000 on secondary ticket sites. Not only is that detrimental to fans who wish to purchase those tickets, but someone is making an awful lot of money.
I can scarcely believe what my hon. Friend has told the Committee. It is a very good example of the profit margins being made by unscrupulous traders, who are being allowed to get away scot-free by this careless Government.
My fourth question is about an important health and safety matter. As the Minister knows, at the moment secondary ticketing websites allow tickets in the away end of football stadiums to be acquired by home fans. That undermines safety regulations that have been in force in stadiums for decades. I did not hear what the Government propose to do about that. At the moment, the Premier League is describing organisations such as Ticketbis and other platforms as unauthorised sellers of tickets for games, yet they continue to operate with extraordinary impunity and in a way that completely flouts the protections that this House put in place in the Consumer Rights Act. We would like to hear what the Minister will do to bring order to this chaos.
I thank hon. Members for their comments. I am sorry that I shook my head at the shadow Minister when he cited the price of World cup final tickets. Although I am the Minister responsible for ticketing, among many things, since I had not sought tickets for the final I really did not know that they were changing hands for that sort of money. I was shocked and surprised by that—perhaps I should not have been.
I can always rely on the shadow Minister to make some gibe or another, and that was quite a good one. We are doing a lot. As I tried to explain in my opening remarks, the regulations are important primarily in tackling the use of bots, but they should be seen in the context of other measures we are taking, including what the CMA and ASA are doing on the responsibility of secondary sites to include all the charges as soon as someone registers an interest in purchasing a ticket, rather than leaving that until right at the end. We are taking a panoply of measures, and we are not finished yet. I agree that we still have more work to do, but none the less this is an important milestone.
The hon. Member for Hyndburn asked about phone banks. The definition will fall to be decided by the courts in individual cases, but we do believe that the regulations could tackle the issue of phone selling as well, coming under the auspices of electronic means. The definition of an electronic communications network is a broad one.
On large-scale sellers being classified as traders or licensed, which Professor Waterson inquired into, the CMA announced in April that three of the four major secondary sites have committed to improving information, including on who is buying from whom so that people know whether a seller is a business so that they can benefit from asserting additional rights under consumer legislation.
(6 years, 7 months ago)
Commons Chamber
There is no recognised press regulator other than IMPRESS. As many journalists have pointed out, the truth is that these new clauses would have made it near impossible to uncover some of the stories of abuse, including the abuse of all those children in Rotherham. Another example is that of Mark Stephens, who represented phone hacking victims. He wrote today that the new clauses would
“return Britain to the legal Dark Ages and make it easier for wealthy people to suppress negative stories.”
The impact on local newspapers, too, risks being catastrophic. I say do not just take my word for it. The editor of the Express & Star, well known to the hon. Member for West Bromwich East (Tom Watson), said that the new clauses could spell the end of newspaper printing in this country on a large scale and are a
“ludicrous and patently unfair…piece of legislation.”
Will the Secretary of State confirm to the House that the BBC, Channel 4 and every other broadcaster operates under much more stringent rules, and yet nothing seems to have got in the way of their powers of interrogation and investigation? Does he think that they are operating second-class investigations today?
We have three separate systems of media regulation in this country: a separate system for broadcasters; an essentially self-regulated system under IPSO for newspapers; and then there is the issue of how we make sure that what happens online is properly regulated as well. I will come on to that last point, because it is a very important part of the debate. The impact of the new clauses on the local press should not be underestimated. Two hundred local newspapers have already closed since 2005, and these new clauses would accelerate that decline. However, there is one national newspaper that is carved out in the small print of the new clauses as it only covers newspapers run for profit. Which newspaper is exempted? It is The Guardian. If those who tabled these new clauses thought that they were making friends with The Guardian, they were wrong. The Guardian has said that
“the Data Protection Bill should not be used as a vehicle for imposing an unfair and partial system on publishers.”
It did not ask for the measures, and it, too, opposes them. Indeed, in a recent consultation, 79% of direct responses favoured full repeal of section 40, compared with just 7% who favoured full commencement.
Given that this is a Data Protection Bill, the review will consider data protection issues, but I would expect it to be as broad as necessary, to ensure that all those matters are considered.
We have listened to concerns raised during the passage of the Bill, including in this debate.
I am grateful to the Secretary of State for giving way just before he moves off the subject of IPSO. He has set out arguments in IPSO’s defence. It is not just MailOnline that is outside the arbitration scheme; that is also true of Newsquest and Archant, so a significant chunk of the press is outside it. Brian Leveson said that the regulator needed to have independent board members, independence of operation, fair remedy for complaints, the ability to carry out investigations, the ability to issue fines, and universal arbitration. None of those conditions is put in place by IPSO, so which of those principles does the Secretary of State think should be retired?
On the contrary, the scheme introduces new, compulsory, low-cost arbitration to ensure that people can have exactly the recourse to justice mentioned by the right hon. Gentleman. In order to address some of the concerns, we have tabled two new clauses. First, new clause 19 requires the Information Commissioner to publish information on how people can get redress. The point is to ensure that there is a plain English guide to help anyone with a complaint to navigate the system. Secondly, new clause 22 requires the Information Commissioner to create a statutory code of practice, setting out standards on data protection. The point is that, when investigating a breach of data protection law, the commissioner has to decide whether a journalist acted reasonably. When making that judgment, a failure to comply with the statutory code will weigh heavily against the journalist.
No, that is not right. The statutory code of practice for journalists must be a consideration in the Information Commissioner’s judgments, and a failure to comply with the statutory code will weigh against the journalist in law. It has precisely the impact that we are trying to bring about.
New clause 18, tabled by the former Leader of the Opposition, the right hon. Member for Doncaster North (Edward Miliband), requires the Government to, in effect, reopen the Leveson inquiry, but only in relation to data protection. I want to say something specific and technical about the new clause. Even on its own terms, it would not deliver Leveson 2 as envisaged. It focuses on data protection breaches, not the broad question of the future of the press. The new clause, therefore, is not appropriate for those who want to vote for Leveson 2.
The first Leveson inquiry lasted more than a year and heard the evidence of more than 300 people, including journalists, editors and victims. The inquiry was a diligent and thorough examination of the culture, practices and ethics of our press, in response to illegal and improper press intrusion. There were far too many cases of terrible behaviour, and having met some of the victims, I understand the impact that had. The inquiry was followed by three major police investigations, leading to more than 40 criminal convictions. More than £48 million was spent on the police investigations and the inquiry.
This is probably a good point for the Secretary of State to remind the House about Brian Leveson’s view of the future of the inquiry. Will he set that out for us?
Sir Brian was very clear in his letter to me. He stated that he wanted the inquiry to continue on a different basis. I think, having considered his view and others, that the best approach is to ensure that we do the work necessary to improve the standards of the press, but we do it based on what is needed now to improve things in the future. I will come back to that.
New clause 23 is about ensuring that in the future there is a review of activity from now onwards, and alongside it we will ensure that there is a named person to ensure that the issues in Northern Ireland are looked into properly.
Overall, I want to ensure that the law that applies to the press is applied fairly, and that we have a free press and one that is responsible. I therefore oppose new clauses 18, 20 and 21, which would make that more difficult, not easier, and I urge every Member of the House to do the same.
I rise to support in particular new clause 18, in the name of my right hon. Friend the Member for Doncaster North (Edward Miliband), and indeed our new clause 20 and the consequential amendments.
The background to this is fairly well rehearsed, but it is worth remembering the level of shock we all felt when the revelations about phone hacking first became public. It is worth remembering the shock we felt when we heard that Milly Dowler’s phone had been hacked. It does not often happen in this House that Members on both sides unite to try to construct a shared way forward through an extremely difficult problem, yet that is exactly what we managed to do with the Leveson inquiry.
That was very difficult, but it was always going to be a game of two halves. There were too many cases coming to court at the time; there was too much evidence still under wraps; and there was too much that had to be left in the dark. As the Father of the House so rightly pointed out, it was never a question of opening a new inquiry; this is about letting the existing inquiry actually finish its work.
When the previous Prime Minister, Mr Cameron, having spoken to victims, made a statement, the point he wanted to impress on Members on both sides of the House was the need for Leveson to finish the job:
“One of the things that the victims have been most concerned about is that part 2 of the investigation should go ahead—because of the concerns about that first police investigation and about improper relationships between journalists and police officers. It is right that it should go ahead, and that is fully our intention.”—[Official Report, 29 November 2012; Vol. 554, c. 458.]
The then Prime Minister was not speaking simply on his own behalf; he was speaking on behalf of Government Members, including members of today’s Government Front Bench such as the Chief Whip, the right hon. Member for Skipton and Ripon (Julian Smith), who wrote not too long ago to one of his constituents:
“The Government has been clear all along that the status quo is not an option and I, personally, am determined to see Lord Justice Leveson’s principles implemented.”
Where has that commitment gone this afternoon?
May I add another voice? There is no journalist more respected on these shores than Sir Harold Evans, the former editor of The Sunday Times. He wrote to everybody today in support of the previous Government’s promises:
“Whatever your party, I and many of my associates, look to you to honour that commitment. To renege would be an affront to every citizen who suffered intrusion, but also the many independently-minded journalists of talent and integrity.”
Is it not time today for fair and independently minded MPs to vote as Sir Harry advises?
My hon. Friend makes an excellent point. What strengthens his argument is the way in which the Secretary of State has sought to bring forward one argument after another, all of which have been knocked down.
When we were first told that Leveson 2 could not proceed, we were told that there had been a day, sometime in about 2010, when magically, all of a sudden, all the abuse that we had ever heard about before categorically, unequivocally and without doubt ceased. We were all quite surprised about that. We were even more surprised, therefore, when John Ford presented his evidence to the Digital, Culture, Media and Sport Committee on 13 March. It is worth setting out what Mr Ford said, because not everyone luxuriates in membership of that Committee:
“I illegally accessed phone accounts, bank accounts, credit cards, and other personal data of public figures… My targets included politicians of all parties. In most cases, this was done without any legitimate public interest justification.”
Mr Ford goes on to reflect on whether the practice had magically ended, as the Secretary of State asserted, or whether it was ongoing. He was asked directly to reflect on the Secretary of State’s assertion that it was all over—nothing more to see; time to walk on by. Mr Ford writes in his letter:
“I am sorry to inform you that Mr Hancock is totally wrong”.
Who can imagine such a thing? He goes on to say that
“having spent 15 years in the business, it is no surprise…that I still know people in the illegal data theft industry, and specifically,”—
this is the nub of the argument—
“that I know individuals who are still engaged in these activities on behalf of newspapers.”
The idea that magically this bad behaviour suddenly stopped and is not ongoing is argument one that has been knocked down.
As reprehensible as those activities are, the fundamental point is that they are criminal acts. They are against the law. The right hon. Gentleman is wrong to conflate that point with the question of press regulation. Those are criminal acts to be dealt with by the courts.
Actually, it is not wrong to conflate press regulation with these matters, because the purpose of press regulation, in case the hon. Gentleman has not spotted it, is to try to stop such offences happening again. That is how public policy tends to be made in this country.
Is it not extremely relevant that one of the main aims of Leveson 2 was to investigate the relationship between the police and the press, because the police are the people who look into illegal acts and there has been evidence in the past of corruption involving the exchange of information between the police and the press, some of which has affected how Government Members have been presented? Independent-minded Members of the House should be looking into that, not suppressing it. Is it not right that that is looked into?
My hon. Friend is precisely right. We heard a couple of different arguments from the Secretary of State this afternoon, but they boil down to this: “Inquiries are expensive and time consuming, and officials have a lot of better work to do, unless you live in Northern Ireland, in which case we will crack on with the job now.”
Are not culture and criminality very closely linked in these matters and the changes proposed by Opposition Members fair and proportionate? I was disappointed to hear the Secretary of State’s very loose sense of history—of what is more recent and what is in the past. The families of Kirsty Maxwell and Julie Pearson, two of my constituents who were both killed abroad, were harassed by the press. In the case of Kirsty Maxwell, a particular tabloid harassed the family to the detriment of other good and decent journalists, because the family were too scared to speak to the press. Any fair-minded and decent journalist will support these changes.
That point is well put by the hon. Lady. If there is one ambition that we share in this House, it should be not only for a free press, but for a clean press. The idea that there is nothing to see and that we should all walk on by has collapsed.
I am following what the right hon. Gentleman is saying with great interest. I think he is saying that he appreciates that a lot of the activities that he is talking about are illegal, but that they have still been done by journalists and others. Where I am not joining the dots, as he clearly is, is on why Leveson 2, were it to reopen, would make journalists and others more cognisant of those things that are already illegal and change their behaviours.
For a very simple reason: we have evidence that bad behaviour is still ongoing. When the Secretary of State originally decided to cancel Leveson 2, he said that the bad behaviour was in the past. Actually, the evidence is that it is ongoing. What is more, there was much evidence that could not be considered by Lord Leveson because of the court cases that were ongoing. Crucially, that evidence included allegations of collusion between the press and the police. I would have thought that we should scrutinise that to bits in this House, not just walk on by.
It is obviously me; I still do not get why the reopening of Leveson—
Sorry, the reconvening. I do not get why the reconvening of Leveson would make things that are currently illegal any more illegal than they already are. The courts and the prosecution services have the power to bring those cases when illegality takes place. We do not need Leveson 2 to achieve that, surely.
The point of inquiries is to get to the nub of the truth. There was much that the first half of the Leveson inquiry could not consider because of the court cases that were ongoing. As a Member of this House, I want to know whether the press regulation system that we are setting up takes account of what we have learned about the sins of the past. I do not think that those sins should be buried and forgotten, and that we should walk on by—unless, of course, people are lucky enough to live in Northern Ireland.
I know that the right hon. Gentleman thinks that people in Northern Ireland can be treated with the back of his hand with comments like that, but I should make it clear that the Northern Ireland press were exempt from proper scrutiny by Leveson. That is why people feel aggrieved. Many Members whose phones were hacked, like myself, were completely ignored by that process. Now, perhaps, we will have the chance of fairness. Quite frankly, there has been no fairness up until this point.
I am listening very jealously to the hon. Gentleman. I would like the privileges he has just secured for Northern Ireland for the rest of the country, because the victims who live in England and Wales deserve the same rights.
I understand that new clause 23 applies to the whole United Kingdom. I live in the United Kingdom.
The hon. Gentleman may be assured by the process that he has been offered by the Secretary of State this afternoon, but the Opposition are not. We want Lord Leveson to be given the right to finish the job and do the work that he was commissioned to do by the last Prime Minister.
I am grateful to the right hon. Gentleman for being so generous in giving way. I want to follow up on the point made by my hon. Friend the Member for North Dorset (Simon Hoare). What I do not understand about the Labour new clauses is what he and those in his party who want phase 2 of Leveson, if we want to call it that, think they will learn that they have not learned and could not learn from the court cases and all the evidence that is already in the open. Is there not enough evidence for us to make the necessary changes, without going through the interminable process of opening it up? Is there some specific area of the criminal law he does not understand that Lord Leveson may be able to explain to him?
What I want to learn is the truth. I want to learn the truth about police-press collusion and I want to know how we improve our press regulation in the future, so that we have not just a free press but a clean press.
Let me make some progress. The Secretary of State offered us a second line of argument that has now collapsed. I am not quite sure of the exact words he used when he came to the House, but most of us walked away thinking that Lord Leveson was pretty content that the whole thing was going to be shuttered. The House can therefore imagine our surprise when Sir Brian Leveson said that he “fundamentally disagreed” with the Government’s decision to end part two of the inquiry. When Lord Leveson said that he wanted the terms to be revised, he meant that he wanted them to be expanded, not cancelled altogether. The Secretary of State says that malpractice is in the past and that there is nothing more to see, officials are busy, inquiries are expensive and so we must move on. He intimated that Lord Leveson agreed with him when that was not in fact the case.
A third line of attack from the Secretary of State was that the review looked to the past and ignored the challenges for the press in the future. That was a legitimate challenge and if he studies carefully the words of the amendment tabled by my hon. Friend the Member for West Bromwich East (Tom Watson), he will see that there is a new ambition to get into some of the challenges around fake news that were looked at by Brian Leveson. That was not enough to satisfy the Secretary of State, however. In a letter to Conservative Members—I did not receive a copy—he offered some more objections, each one of which we can knock down.
The Secretary of State, in his letter to his colleagues, says that the first half of Leveson was “full and broad” when in fact it was partial and incomplete. He says that newspaper margins are under pressure, as if economic hardship is now some sort of defence against the full glare of justice. He says that the effect of the proposals will be “chilling”, when he knows that our fine broadcasters in this country operate under far more rigorous regulation than newspapers and that does not stop them pursuing the most extraordinarily brilliant investigations. He says that Sir Joe Pilling has “cleared” the IPSO scheme, but Joe Pilling was appointed by IPSO and IPSO itself says it does not comply with Leveson. He says that IPSO now has a low-cost arbitration scheme, but as the hon. Member for Wellingborough (Mr Bone) pointed out, MailOnline, Newsquest and Archant are all outside it, so it is not a universal scheme in the way the Secretary of State has tried to present it to the House this afternoon.
The final line of argument is that officials are very busy and inquiries are very expensive, and we should therefore just walk on by. I just do not think that that is good enough.
The right hon. Gentleman is not making much progress. He is implying that broadcasters are under regulation but there is no chilling effect. The description of a chilling effect, raised by my hon. Friend the Member for Croydon South (Chris Philp), is the expected impact of section 40, under which anybody would be able to take a newspaper to court and get costs awarded against the newspaper even if they did not have anything in their case. The broadcasters do not have to deal with anything like that. On the point about things being brought to light, will he confirm that the case of Mr Ford, which he raised and was raised in an argument for Leveson 2, was in fact raised in the original Leveson inquiry and was therefore covered?
Mr Ford’s activity was, but not Mr Ford’s allegations that the activity is already under way.
Let me come on to the point the Secretary of State made about the future of press regulation. The scheme he voted for—it was elegantly designed, I think, by the right hon. Member for West Dorset (Sir Oliver Letwin)—was a good scheme. There have been a couple of important objections to it made by many of our constituents, but more importantly by many journalists in our local media. The first objection is that a royal charter is somehow tantamount to a state-authorised, state-operated regulator, which will somehow impede free speech. Royal charters have for centuries been the basis by which we have given stature to universities and learning societies like the Royal Society. None of them confront restrictions on free speech in any way whatever. That argument, frankly, is fanciful.
The point is that this was well debated at the time and the argument presented by those on the Treasury Bench was that there was no point in setting up a new regulator and then doing nothing to create incentives to join that regulator. That was the proposal the Secretary of State voted for the first time around.
I was not in the House at the time, so correct me if I am wrong. Am I right in thinking that Brian Leveson recommended that incentivisation to encourage the publishers to sign up to an independent regulator?
Absolutely. It was a very delicate job. The structure put in place was designed to minimise any dangers to free speech but create incentives for the press to move to a scheme that gave low-cost arbitration and access to justice for victims. That is at the core of this debate.
I want to conclude with two points. The first is, I suppose, a plea to the House. If we have learned one thing from the scandals of the past 10 to 12 years—whether the expenses scandal, Hillsborough or Orgreave—it is that it is never the right thing to look at a scandal and decide that it is too expensive or that we are too busy to get to the bottom of what happened. That is the core of the argument to let Brian Leveson finish his job.
I want to give the last word to the father of Madeleine McCann. When Gerry McCann found out that the Government were proposing to scrap the second half of the Leveson inquiry, he said:
“This Government has abandoned its commitments to the victims of press abuse to satisfy the corporate interests of large newspaper groups… This Government has lost all integrity when it comes to policy affecting the press.”
I hope that we can reflect on those harsh words this afternoon and rescue the integrity that is currently endangered by the Government’s determination to sweep aside the lessons of history.
Time is tight, so I will be brief. I rise to speak in support of new clause 18 because the Scottish National party has been clear throughout that all individuals should be able to seek redress when they feel they have been the victim of press malpractice. It benefits each and every one of us to have a media that is both transparent and accountable.
The Scottish National party is committed to ensuring that the practices that led to the Leveson inquiry never happen again. We have been equally clear, however, that if there is to be a second part of the Leveson inquiry, the distinct Scottish legal context must be taken into account and the Scottish Government must be consulted on the scope and scale of any future inquiry.
Both my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) and I raised that on Second Reading and again in Committee, and we put on record our dismay at the wholly inappropriate, indeed lazy, amendments made in the other place that sought to impose a blanket, one-size-fits-all, Truro-to-Thurso policy without any cognisance of the devolution settlement or of the fact that matters of press regulation and criminal justice are wholly devolved to the Parliament in Holyrood. I do not think it unreasonable to expect the House of Lords to know that both criminal justice and press regulation, and all the associated issues of the culture, practice and ethics of the press, fall under devolved competence, and that any blanket UK-wide proposal could only negatively impact on devolution.
Scottish National party Members have said repeatedly that, as long as the Scottish Government are consulted and the Scottish legal system is taken into account, we would be happy to support a Leveson inquiry.
I am following the hon. Gentleman’s argument closely. He is right to say that we need to ensure the sins of the past are not repeated, which is why we need new clause 20. Can he confirm whether his party’s position is to support new clause 20 today or, as I have heard, to abstain on it?
The right hon. Gentleman may push that to the vote, but new clause 20 seeks to impose on Scotland a system of press regulation from Westminster, even though this is wholly devolved. I appreciate the work that he and others in Hacked Off have tried to do to square that circle, but it has not been squared. Therefore, we cannot support a system of press regulation that will be imposed from Westminster on Holyrood. That is why I am so pleased that new clause 18 is presented in such a way that it takes on board all of our concerns. I am extremely grateful for the efforts made by the right hon. Member for Doncaster North (Edward Miliband) in fashioning the new clause in a way that allows the second part of the Leveson inquiry to take place while recognising the devolution settlement and the distinct position in Scotland. I commend the passion with which he put across his argument this afternoon.
There will be some who will say that part 2 of Leveson is now out of date—indeed, the Secretary of State said as much when he announced his plans to scrap it. People are right to say that much has changed since 2011, which was before Brexit or the fake news agenda dominated the newspapers, but we need to ask ourselves how much has really changed since the height of the phone hacking scandal. The Government are convinced that a step change has taken place, but I question whether it really has. The Secretary of State has pointed out that the world has changed, but these concerns are as relevant now as they were then.
We have seen how social media is now part and parcel of everyday life. Surely the time is right, with this second part of Leveson, to investigate the role of social media companies—Facebook, Twitter and others—in spreading fake news and disinformation. I would like to think that this inquiry would look to build on the outstanding work being done by the hon. Member for Folkestone and Hythe (Damian Collins) and his Select Committee in pursuing fake news and the spread of disinformation.
On behalf of the Scottish National party, I am delighted to have added my name to new clause 18 because I believe any reasonable person would agree that the terms of reference for this part of the Leveson inquiry have not yet been met.
It does not rule out immigration and it does allow the restriction of certain specified rights—not wholesale restrictions—for the purpose of safeguarding
“other important objectives of general public interest”.
The purpose is to provide a derogation for member states wide enough that they can pursue an overall Government policy in the general public interest. I would conclude that immigration is one such example. It has been suggested that the provisions represent a blanket carve-out of all a data subject’s rights. That is certainly not the case. I would like to reassure the right hon. Gentleman that we are being very selective about the rights that could be disapplied. The exemption will be applied only on a case-by-case basis and only where it is necessary and proportionate.
Has the Minister learnt nothing from the Windrush scandal? Here we have a Department of State that is not fantastic at keeping records. The idea of selectively carving out particular rights of particular people who need this information to fight tribunal cases strikes me as lunacy, given what we have learnt about the dysfunction at the Home Office.
Perhaps if I continue my remarks, I can reassure the right hon. Gentleman that of course lessons have been learnt, not least by the Home Office itself, as both the former Home Secretary and the current Home Secretary have made abundantly clear to the House.
The exemption in the amendment is to be applied only on a case-by-case basis and only where it is necessary and proportionate. It cannot and will not be used to target any group of people. Nor does the application of the exemption set aside all a data subject’s rights; it sets aside only those expressly listed. A further limitation is that it can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
Effective safeguards for crime prevention are already written into the Bill, which gives the Minister the power she is seeking to fulfil the purpose she is setting out for the House. If we selectively discard rights for selected people, we come pretty close to arbitrary decision making, and it is practically impossible to do that consistently and in a way that makes it defendable in a judicial review. These provisions will result in injustice and cases that the Home Office loses, so just dump them now!
The right hon. Gentleman should know that different structures govern crime and immigration. I reiterate that we are disapplying these rights selectively—the data subjects will hang on to the majority of their rights—but it cannot be right for the Home Office to have to furnish someone who is in contravention of immigration law with information it has been given.
I shall have to write to the right hon. Lady once I have communicated with Home Office Ministers. According to my understanding, the Bill says that the exemption applies—
On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?
I understand the right hon. Gentleman’s point of order, but the fact is that the Minister, who is a very capable Minister, speaks for the Government, who are seamless. The Minister who is currently at the Dispatch Box is in a position to speak for all Ministers on this matter, which is why she has this responsibility and is responding to the questions that are currently being asked of her.
I commend the hon. Lady for that observation, because she has a fair point. I will raise her concern with the Information Commissioner. My right hon. Friend the Member for Hemel Hempstead said that some businesses have been advised that they should delete their data, so I can see where the hon. Lady is going on that. It raises the prospect that some organisations might use this as an excuse to delete data that it would be in the data subject’s interests to preserve.
I have not been able to address every amendment in the time available, but I am mindful of the number of colleagues who wish to contribute, and we have less than 60 minutes remaining. I have addressed most of the matters that came up in the Public Bill Committee, and the Government’s position will remain the same on many of them.
In short, we have enhanced the ICO’s enforcement powers, we have changed the way we share data, we have reached out to parish councils, we have narrowed the immigration exemption and we have responded to calls to better protect lawyer-client confidentiality. We have also dealt—effectively, I hope—with the concern expressed by my hon. Friend the Member for Totnes about the sharing of data between the Department of Health and Social Care and the Home Office.
May I start by welcoming the new powers for the Information Commissioner, which we called for in Committee? Nobody who observed the debacle of the investigation into Cambridge Analytica will have needed persuading that those powers are necessary—it took the court five or six days to issue the requisite search warrants, and that time might well have been used by Cambridge Analytica to destroy evidence—so I am glad that the Minister has heeded our calls and introduced the proposals this afternoon. We are happy to give them our support.
I will speak to a number of new clauses and amendments in the group, particularly new clause 4, which is our enabling clause for creating a bold and imaginative Bill of data rights for the 21st century. I want to make the case for universal application of those rights, including their application to newcomers, who need rights in order to challenge bad decisions made by Governments, which is why our amendment 15 would strike out the immigration provisions that have so unwisely been put into the Bill. I will also say a few words about new measures that are needed in the Bill to defend the integrity of our democracy in the digital age.
The Minister took the time to make a comprehensive speech, which included an excellent explanation of the Government amendments, so I will be brief. Let me start with the argument for a Bill of data rights. Every so often we have to try to democratise both progress and protections. In this country we are the great writers of rights—we have been doing it since Magna Carta. Over the years, the universal declaration of human rights, the UN convention on the rights of the child, the charter of fundamental rights, the Human Rights Act 1998, the Equality Act 2010 and, indeed, the original Data Protection Act have all been good examples of how good and wise people in this country have enshrined into charters and other legal instruments a set of rights that we can all enjoy, that give us all a set of protections, and that help us to democratise progress.
My right hon. Friend makes an excellent point. Does he share my astonishment that the Government are not taking the opportunity to update our rights for the digital age? Does he think that that is because they are too captured by the tech giants, because they are too confused by Brexit to invest in change, or because they are too ideologically constipated regarding the free market that they can do nothing about it?
My hon. Friend hits the nail on the head. The answer, of course, is that it is for all three of those reasons that we do not have before us an imaginative bill of digital rights, but the times do call for it.
In the early days, when we were writing great charters such as Magna Carta, the threats to ordinary citizens were from bad monarchs. We needed provisions such as Magna Carta and the Bill of Rights and the Glorious Revolution to protect the citizens of this country and their wealth from bad monarchs who would seek to steal things that were not theirs.
What we now confront is not a bad monarch—we have a fantastic monarch—but the risk of bad big tech. The big five companies now have a combined market capitalisation of some $2.5 trillion, and they are up to all sorts of things. They are often protected by the first amendment in the United States, but their business—their bad business—often hurts the data rights of citizens in this country.
That is why we need this new bill of rights. We have to accept that we are on the cusp of radical and rapid changes in legislation and regulation. I often make the point that over the course of the 19th century there was not one Factory Act but 17 Factory Acts. We had to legislate and re-legislate as technology, economics and methods of production changed, and that is the point we are at now. We will have to regulate and re-regulate, and legislate and re-legislate, again and again over the decades to come. Therefore, if we are to give people any certainty about what the new laws will look like, it would be a sensible precaution if we were to write down now the principles that will form the north star that guides us as we seek to keep legislation up to date.
I am sure that my right hon. Friend has received correspondence from constituents who are worried about the use of personal data. My constituents have a lot of sympathy with the views of the hon. Member for Totnes (Dr Wollaston) about this. Does my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) agree?
My hon. Friend is right. We have been on the receiving end of a huge number of data breaches in this country—really serious infringements of basic 21st-century rights—which is why we need a bold declaration of those rights so that the citizens of this country know what they are entitled to. Unless we get this right, we will not be able to build the environment of trust that is the basis of trade in the digital economy. At the moment, trust in the online world is extremely weak—that trust is going down, not up—so we need to put in place measures now, as legislators, to fix this, turn it around and put in place preparations for the future.
The Government’s proposal of a digital charter is a bit like the cones hotline approach to public service reform. The contents of the charter are not really rights but guidelines. There are no good methods of redress or transparency. Frankly, if we try to introduce rights and redress mechanisms in that way, they will basically fail and will not lead to any kind of change. That is why we urge the Government to follow the approach that we are setting out.
I put on record my profound thanks to Baroness Kidron and the 5Rights movement. Her work forms the basis of the bill of rights we are proposing to the House: the right to remove data, as enshrined in the GDPR—that right is very important to children—the right to know; the right to safety and support; the right to informed and conscious use; and the right to digital literacy. Those are the kinds of rights we should now be talking about as the rights of every child and every citizen.
The right hon. Gentleman makes some good points. I agree with the rights he is talking about, but those rights exist under the GDPR and are intrinsic to the Bill, so I see no need for his amendment.
There is no right to digital literacy under the Bill, which is why we propose the five rights as the core of new schedule 1 in which, as the Minister knows, we go much further. The provision sets out rights to equality of treatment, security, free expression, access, privacy, ownership and control, the right not to be discriminated against as a result of automated decision making, and rights on participation, protection and removal.
Rights are sometimes scattered through thousands and thousands of pages of legislation, which is where we are on data protection today. That is why from time to time, as a country, we decide to make bold declaratory statements of what principles should guide us. These are methods of simplification and consolidation, and we are pretty good at that in this country. When we press our proposal to enable the creation of such a bill of rights to a Division a little later, we hope that it will be the call that the Government need to begin the process of consultation, thought, argument and debate about the digital rights that we need in this century and what they need to look like. Rights should not be imposed from the top down; they should come from the grassroots up, and the process of conversation and consultation is long overdue. To help the Government, we will accelerate that debate during this year.
The second point I wish to make is about amendment 15, which would ensure that the rights set out in the GDPR would stretch to everyone in this country. It would mean that the Government would not be permitted to knock out selective rights for certain people who just happen to be newcomers to this country. The proposal to withhold data rights from migrants and newcomers is a disgrace and does not deserve to be in the Bill. In Committee, Ministers were unable to tell us why the Bill’s crime prevention provisions could not be stretched to accommodate their ambitions for immigration control. The Minister has not been able to give us a succinct definition of “immigration control” today, and we have not been able to hear about the lessons learned from Windrush. Frankly, the debate has been left poorly informed, and we have had promises that letters will be sent to hon. Members long after tonight’s vote.
I totally agree with the right hon. Gentleman’s point. He says that this is about newcomers and immigrants, and I am sure he will agree that it also applies to British citizens’ ability to get their immigration file. Can he confirm that that is the case?
I am not sure that that is the case. British citizens have confirmed rights under the GDPR—that is safeguarded under EU legislation—but the risks I am worried about are the same ones as the right hon. Gentleman. I spent two and a half years in the Home Office. I recognised many of the errors that were made by the former Home Secretary in the situation that we inherited back in 2006, so I do not think that lessons have been learnt from Windrush, or that many lessons have been learnt from errors over the past eight to 10 years. The Home Office is a great Department of State, with tremendous strengths. It has fantastic civil servants who do an amazing job, without the resources to do it properly and very often without the level of support they need from their Ministers, but it is a human institution and such institutions make mistakes. To correct those, we have tribunals and courts through which people can test decisions made by officials without the disinfectant of sunlight. Unless we equip those individuals with everything they need to make their case effectively, we risk injustice. After our debates over the past month, we must do everything we can so that we never run that risk again.
To pursue those rights, people also need legal aid, and in some circumstances, they are denied legal aid. The state should not have the right to give private information about its citizens to anybody, or even to sell it to organisations.
Correct. In my first months at the Home Office, I spent a lot of time in immigration tribunals. I used to go to the courts up in Islington to sit, watch and listen so that I could learn the basic mechanisms of justice in this country. The thing that struck me was the inequality of arms that comes to bear in these tribunals. On the one side, there is a Home Office lawyer, who is sometimes there, sometimes not. Home Office lawyers are backed by teams and have well-constructed cases and all the information they need. On the other side of the argument are people without money or access to lawyers, but now the Government propose to deny some of them the information that they need to argue and win their cases. It is a recipe for injustice.
I very much agree with the points that the right hon. Gentleman is making. Does he agree that we ought to consider the way in which the crime exemption in the Bill will be invoked in respect of low-level offences under immigration law? Is it really acceptable for data rights to be suspended in relation to normal activities such as driving—just being here—that are currently criminalised under immigration law?
Those are real risks, which is why amendment 15 would delete such an important chunk of the Bill and therefore improve it.
I know that when I was a Home Office Minister, I took decisions that sometimes were wrong, and those decisions were corrected through the tribunal system. Tribunal cases were often successfully prosecuted by those who had rights that we were seeking to deny because subject access requests had been used to get the information necessary to win the argument. If we switch off that access, injustice will follow, so I urge the Government to think again and I urge Members from all parties to support amendment 15.
The last measure to which I shall speak is new clause 6, which is our proposal for a UK version of the Honest Ads Act that is currently being debated in the United States Congress. I do not want to rehearse the background to the debate for long, because for six months now a hardy group of us has been seeking to raise and unpack the new risks that we confront from countries such as Russia that are aiming at us a new panoply of active measures, including all kinds of bad behaviour online. Right now, we do not have good measures to defend the integrity of our democracy. Indeed, the most recent edition of the national security strategy did not even include the defence of the integrity of democracy among its core strategic aims.
We have to bring our election law into the 21st century as it is hopelessly out of date. We have an Electoral Commission that is unable effectively to investigate donations and money coming from abroad. The Information Commissioner has only this afternoon been given the powers that it needs. Ofcom will not investigate videos on social media and the Advertising Standards Authority does not investigate political advertising. We have a massive lacuna in which there should be good, robust legislation to police elections in the 21st century.
If we look at what is going on throughout the west, we see that we have to wake up to this risk. Giving the Electoral Commission new powers to require information about money that is used to run campaigns that try to influence votes is now a de minimis provision for a modern democracy in the digital age. We hope that the Minister will listen to us and take our ideas on board.
I am grateful to the Minister for that further clarification.
Amendments 20 and 21 get to the heart of an issue that has been raised by a number of Members, which is the power of the Information Commissioner to act in data investigations. The Minister, the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and others have referenced the Cambridge Analytica data breach scandal, which is a very good example of why these additional powers are needed. We raised that in the Select Committee with the Secretary of State. The Information Commissioner raised it with us and it was raised on the Floor of the House on Second Reading.
The ability to fine companies for being in breach of data rules is important, but what is most significant is that we get hold of the data needed by investigators, so that we understand who is doing what, how they are doing it and how wide-ranging this is. It is crucial that the Information Commissioner has the enforcement powers she needs to complete those investigations.
In the case of Cambridge Analytica, an information notice was issued by the Information Commissioner to that company to comply with requests for data and information. Not only did Cambridge Analytica not comply, but Cambridge Analytica and Facebook knew that. That information notice expired at 5 o’clock on the evening of the day when that deadline was set; it was the beginning of the week. Before the notice had expired and a warrant could even be applied for, Facebook had sent in its own lawyers and data experts to try to recover data that was relevant to the Information Commissioner’s request.
The Information Commissioner found out about that live on “Channel 4 News” and then effectively sent a cease and desist note to Facebook, telling it to withdraw its people. She might very well not have been made aware of what Facebook was doing that evening, and data vital for her investigation could have been taken out of her grasp by parties to the investigation, which would have been completely wrong. Not only did that happen—thankfully, Facebook stood down—but a further five days expired before a warrant could be issued—before the right judge in the right court had the time to grant the warrant to enable her to complete her work. We live in a fast-moving world, and data is the fuel of that fast-moving world, so we cannot have 19th or even 20th-century legal responses. We must give our investigatory authorities the powers they need to be effective, which means seizing data on demand, without notice, as part of an investigation, and having the ability to see how data is used in the workplace or wider environment.
The Government are bringing forward amendments, which I think have the support of the House, that will give us one of the most effective enforcement regimes in the world. They will give us the power to do something we have not been able to do before, which is to go behind the curtain to see what tech companies, even major tech companies, are doing and make sure they comply with our data rules and regulations. Without that or an effective power to inspect, we would largely be in the position of having to take their word for it when they said they were complying with the GDPR. Particularly with companies such as Facebook that run closed systems—they have closed algorithms and their data is not open in any way—there are very good commercial reasons for doing so, but there are also consumer safety reasons. We must have the power to go in and check what they are doing, so the amendments are absolutely vital.
There are further concerns. The shadow Minister, the right hon. Member for Birmingham, Hodge Hill, was right to raise concerns about honesty and transparency in political advertising. Both the Information Commissioner and the Electoral Commission are examining the use of data in politics, as well as looking at who places the ads. It is already a breach of the law in the UK, as it is in other countries, for people outside our jurisdiction to run political advertising during election campaigns in this country.
In the case of Facebook, it is unacceptable that its ad check teams have not spotted such advertising and stopped it happening when someone is breaking the law. If this were about the financial services sector, we would not let a company say, “Well, we thought someone was breaking the law, but we weren’t told to do anything about it, so we didn’t”. We would expect such a company to spot it and to take effective action. We need to see a lot more progress on this, particularly in relation to the placement of micro-targeting ads and dark ads. The Institute of Practitioners in Advertising has called for a moratorium on the micro-targeting of political ads, which may be seen only by the person who receives an ad and the person who places it.
When the chief technology officer of Facebook, Mike Schroepfer, gave evidence to the Select Committee, I asked him whether, if someone set up a Facebook page to run ads during a campaign and micro-targeted individual voters before taking down the page at the end of the campaign and destroying the adverts, Facebook would have any record that that advertising had ever run. He said that he did not know. We have written to him and Mark Zuckerberg saying that we need to know, because unless we know, a bad actor could run ads in huge volumes, investing a huge amount of money in breach of electoral law, and if they did not declare it, there would be no record of that advertising ever having been placed.
The Chair of the Select Committee is doing a brilliant job with his investigation, but the argument must stretch further than simply political advertising. For example, when Voter Consultancy Ltd ran attack ads against Conservative Members, accusing some of them of being Brexit mutineers, it was running an imprint for a company that was actually filing dormant accounts at Companies House. There are real questions not just about political ads in the narrow traditional sense, but about how to get to the bottom of who is literally writing the cheques.
The right hon. Gentleman is absolutely right and that throws up two really important points.
The first point is that the Information Commissioner is also currently investigating this, which links to the right hon. Gentleman’s point about where the money comes from and who the data controllers are in these campaigns. Although Facebook is saying that it will in future change its guidelines so that people running political ads must have their identity and location verified, we know that it is very easy for bad actors to fake those things. It would be pretty easy for anyone in the House to set up a Facebook page or account using a dummy email address they have created that is not linked to a real person, but is a fake account. This is not necessarily as robust as it seems, so we need to know who is running these ads and what their motivation is for doing so.
Secondly, the Information Commissioner is also looking at the holding of political data. It is already an offence for people to harvest and collect data about people’s political opinions or to target them using it without their consent, and it is an offence for organisations that are not registered political parties even to hold such data. If political consultancies are scraping data off social media sites such as Facebook, combining it with other data that helps them to target voters and micro-targeting them with messaging during a political campaign or at any time, there is a question as to whether that is legal now, let alone under the protection of GDPR.
As a country and a society, we have been on a journey over the past few months and we now understand much more readily how much data is collected about us, how that data is used and how vulnerable that data can be to bad actors. Many Facebook users would not have understood that Facebook not only keeps information about what they do on Facebook, but gathers evidence about what non-Facebook users do on the internet and about what Facebook users do on other sites around the internet. It cannot even tell us what proportion of internet sites around the world it gathers such data from. Developers who create games and tools that people use on Facebook harvest data about those users, and it is then largely outside the control of Facebook and there is little it can do to monitor what happens to it. It can end up in the hands of a discredited and disgraced company like Cambridge Analytica.
These are serious issues. The Bill goes a long way towards providing the sort of enforcement powers we need to act against the bad actors, but they will not stop and neither will we. No doubt there will be further challenges in the future that will require a response from this House.
(6 years, 7 months ago)
Commons Chamber
I am grateful for that guidance, Mr Speaker.
It is always good to see the Minister in her place. She certainly knows how to pack the House with her statements. I am sorry that I am not able to respond to the detail of her statement, but it only came to me by email at 11.25 am, so I was not able to see it in advance. None the less, it is good of her to show up and present her plans, which were first presented to The Times, rather than to Parliament. It is welcome that the Government have now decided to step into the breach where a policy should be. It is a shame that the Minister has allowed the French, the Americans, the South Koreans and the Chinese to get there first, but better late than never.
From what I can divine from what the Minister said to the House, no new money has been announced today. Rather, a top-down earmarked amount of cash has already been handed out to research councils. That is fine as far as it goes, but it is an awful long way short of the £1 billion of funding that President Macron has just announced to support artificial intelligence in France.
As the Minister knows, a strong AI sector in this country will be built on three basic foundations: good networks, which support the internet of things; trust, which supports big data; and skills, which require a great education system. Today, our science spend is, I am afraid, in the second league, our digital networks are lamentable, our framework of trust is hopelessly out of date—in fact, we still have no date for the Data Protection Bill returning to this House—and our skills base is alarmingly thin. Indeed, the Government prayed in aid Jérôme Pesenti in their strategy this morning, but he was told by the Government that he was not allowed to look at the maths curriculum, as he told the House of Lords Artificial Intelligence Committee when he was giving evidence to its inquiry. That is why we call for science spend not at 2.4% of GDP, but up at 3%. We think there should be universal provision of networks at 30 megabits per second, a Bill of digital rights to restore trust and a national education service to restore the skills base.
In the interests of brevity, Mr Speaker, I have some specific questions for the Minister. First, the sector plan makes great play of a £2.5 billion investment fund delivered by the British Business Bank. Is this just for AI, or for innovation generally? Is it DEL—departmental expenditure limit—funding or loan guarantees? Is it intended to deliver grants or loans? When does that money come online? Is it, in other words, spin over substance?
Secondly, the Minister will know that artificial intelligence will accelerate the destruction of existing jobs, so when will we have a White Paper on the future of work? This will be a G20 agenda item in November. We have heard nothing about the Government’s plans to explore this and put in place adequate protections for workers today.
Thirdly, where is the strategy to harness Government procurement, with a cross-Whitehall futures unit, to use the power of Government to drive forward this agenda? That is the way that every other western, and eastern, nation drives its science and tech investment. Why are the Government not doing this?
This morning, the Bank of England published figures showing that this Government have presided over the worst productivity figures since the late 18th century. If we are to be masters of the fourth industrial revolution, as we were of the first, the Government will have to do an awful lot better than this.
I apologise if the right hon. Gentleman received my statement such a short time ago. That was certainly not my intention. I shortened my statement in anticipation of Mr Speaker’s wish for brevity, and perhaps that delayed matters.
It is a shame that the right hon. Gentleman’s response was pretty overwhelmingly negative, given that we start from a good base in this country with our world-leading institutions and our state of readiness. Oxford Insights, which I mentioned in my statement, has put us at No. 1 across the world on its Government AI readiness index. He referred to other countries, predominantly in Asia, which are indeed investing hugely in this area. [Interruption.] He mentions Macron from a sedentary position; he also mentioned him in his response. We are of course delighted that President Macron is also seeing the potential for AI. There is nothing wrong with that. We are a global-facing country. It is great that our partners in Europe are also committing to this agenda.
The right hon. Gentleman mentioned the importance of data and digital performance in this country. The UK is in a very competitive position in terms of digital performance. We now have 95% access to superfast broadband, which was delivered by the end of last year. Only yesterday, I was at a meeting with all the successful parts of the country that bid for the 5G test bed and pilot programme, which will put us in a pivotal position to take advantage of the internet of things. These test beds and pilots extend right across the country, from the Orkney Islands to the south-west of England, and a new wave of bids will be announced this summer. We are very determined on this front.
The right hon. Gentleman asked about the British Business Bank. I can assure him that this is new money that will be provided to tech start-ups and tech scale-ups via both equity finance and loans. I remind him that as of September last year, the British Business Bank had supported, through a combination of loans and equity finance, very many tech companies to the tune of £350 million. We are building on success.
The right hon. Gentleman talked about the future of work. This is an extremely important issue. Of course, we recognise that we are in for a fast ride here. The pace of technological change is such that momentous changes that are not always predictable can potentially displace groups of workers. We are very cognisant of the need to smooth the path through continuous training. The industrial strategy has at its heart improving the world of work and access to retraining throughout people’s lives, so that no one is left behind by these technological advances.
Finally, on that critical subject, the Government’s response to the Taylor review and the consultations that we announced at the beginning of the year will be out at some point this summer, and I am sure that the points raised by the right hon. Gentleman about the future of work in the context of technological advance will be taken extremely seriously.
(6 years, 8 months ago)
Westminster Hall
This information is provided by Parallel Parliament and does not comprise part of the official record.
It is a pleasure to serve under your chairwomanship, Ms McDonagh. When I mention my constituency of York, hopefully hon. Members think about the city walls, the minster, the Vikings—
The hon. Gentleman is absolutely right. The digital and technological industries break boundaries in many ways, not least by providing alternative forms of employment. They certainly do not have any rules about where they are located. It is a 24/7 industry, so it includes individuals in their own homes and small businesses with global impacts. It is an exciting sector to be involved in.
The University of York is also at the cutting edge of digital technology and has its own digital creative labs, which I had the real pleasure of visiting earlier this year. I should say that I am on an apprenticeship with much of this, and I am learning: they are at the heart of the video-gaming industry, which has its home in York. Many businesses—start-up businesses, new companies, small tech companies—surround our city. We have 250 such businesses in York alone, and all that activity is building into the future of our economy, as we search for a new identity in a new era.
What also really excites me is that old is blending with new, as we move forward in our city. The new gives new opportunities. At the heart of our city, we have the biggest brownfield site in Europe, waiting for businesses to land. Rich heritage surrounds where people live. I say to any digital tech or digital creative company, “Come and see if your future is in York, and you will be most welcome to make it your home and make it your own”.
As I have said, I am on a bit of an apprenticeship in this industry and I thank the Industry and Parliament Trust for giving me the opportunity to explore this sector—to have placements across the sector and to learn more about the cutting edge that the industry is providing our economy and our nation.
I have learned that our gaming industry is one of the fastest growing in the world because of the skills base that we are able to provide. The potential is huge if we really embrace that wider economic opportunity. In York itself, we are seeing how this industry—both alone and standing alongside other industries—is so cross-cutting and how the skills acquired around video-gaming can then be applied right across the curriculum. Education is certainly at the forefront of that. I saw programmes that provided individualisation of tutoring. For instance, I undertook a French course; I will not say how I got on. Such programmes can track an individual’s learning, taking them back over their weaknesses, improving their skills and ensuring that they are the best that they can be at that particular skill.
I also saw how the Yorkshire Museum has embraced virtual reality, to take visitors into a Viking village and enable them to experience life in that settlement. I saw 3D modelling technologies, pioneered in the games industry, that now help companies such as Rolls-Royce to design better engines. I saw artificial intelligence—machine learning—and how that work is advancing and the technology is progressing. This is in my city, this is in our country and we must be so proud of that.
The academic world around this work is so strong. Along with other cities, York hosts the Intelligent Games and Game Intelligence—IGGI, for short—programme, which hosts 60 PhD students. An absolutely global standard is being set around academia and looking at the future technologies that will drive our country’s engine forward. Gaming will be really important to us, and not just for the sake of playing games; there is also the application of the skills that many people working in the industry will go on to develop.
What is going on before us—spread across the country, including in my city—is a quiet revolution that is transforming all our lives, with massive opportunities for the future of our country and my city. However, there are some issues that I want to talk about today. First of all, there is skills. We have good skills in our country, but we need some changes. The narrowing of the curriculum is not helping, particularly with regard to the digital creative sector. The arts have been downgraded and yet they could really be at the forefront. I ask the Minister to go back and have a look at that and make sure that the creative subjects are at the heart of our curriculum, too: it is when the technical and the creative join that we see this explosion of opportunity coming to our economy.
There are also the tech skills of kids to consider. We narrow people into boxes around a traditional learning curriculum, which is fit for a different era. We need to ensure that our children are embracing the new technologies of the future, because children are doing so elsewhere in the world and we really need to ensure now that we embed digital and technical skills right into the heart of our curriculum.
In the 19th century, it was the marriage of design and engineering brilliance in York that ensured it was the centre of the railway industry. Does my hon. Friend take inspiration from that?
My right hon. Friend makes an absolutely excellent point, because that is our heritage—how we drove our economy forward through the Victorian years. We have that opportunity again today. The digital signalling centre in our city—the rail operating centre, or ROC, as it is called—is now at the heart of how trains are driven. They will not be driven in the cab of a train any more; the digital tech sector is now driving forward, so it is like having a train set in front of a screen. That is completely radicalising the way that our country works. It is cutting-edge, 21st-century technology, and we have to see more of it in the future.
As I was saying, whether someone studies history, literature, medicine or maths, the digital and technical industries will play a vital role in their future. Just last week, I had the opportunity to take a tour of another York University department—the archaeological department. Archaeology digs into the past, but I also saw how the department is using technology to provide access to artefacts, by displaying them in a unique way, so that people can explore them and manipulate them on screen, to connect with artefacts dug up all over the world. They are put into context and it is possible to understand the history surrounding them: the experience was mind-blowing. That is because through technology the past has met the future, and there are very exciting opportunities in that regard.
The tech industry will also provide the breakthrough for telehealth, which will improve all our health. Again, I was exposed to some of those opportunities when I looked around the University of York, but so much more can be done, even when it comes to issues such as our mental health. We are massively struggling for resources in our health sector, including in mental health, so to have technology that can support us—technology can work against us, but also support us—and improve our wellbeing, we must embrace that technology as we move forward. It is so important that we consider the scope of where this technology is leading us and understand why the investment in our schools and education is so important.
I turn to research and innovation. We are talking about a very disparate sector, with lots of different companies scattered around. They do not have the capacity to build up much resource to get funding for research. We need to find a breakthrough on research, so that companies can network, to come together and draw down research funding, because we have a real future in this area, not least in the field of artificial intelligence, where we can really drive that technology forward. Of course, such technology is not about replacing humans; it is partly about doing things quicker, but also about pioneering breakthroughs in how we work. However, we need support for that.
I want the technology to have a social impact as well. York itself is brilliant in every stretch of the imagination, but it is also a very divided city. Some of the most deprived areas in the country are in my city and we are seeing exclusion being built in around it. I ask the Minister to consider whether the digital and tech sectors can be used to reduce the inequality in our country, not only through opportunities and skills but through the outcomes that the sector can bring. For me, that will be the win-win of the sector.
Finally, I want to say that the arts enrich all of us. In closing, I want to talk about Mediale 2018. Will the Minister meet me to discuss it? It will run from 27 September to 6 October, and it will be the nation’s creative digital festival. It is a platform for innovative art and technology, showing what can be done in this modern age, providing art to everyone as an enhancing experience. Mediale will be a springboard for this sector of our economy and how the arts are projected across our country, blending the old and the new. I am sure the Minister will want to ensure that the sector has a major footprint not only in York, but in the whole nation.
It is a pleasure to see you in the Chair, Ms McDonagh. I, too, congratulate the hon. Member for St Albans (Mrs Main) on securing the debate.
I recognise the enormous progress that many of us have celebrated this afternoon, but I want to sound a note of warning about becoming complacent. For all the progress that we have talked about in our constituencies and around the country, the truth is that, across the horizon, others are moving much faster. We have heard about some of the big technology firms that are troubling us from the west coast of the United States, but look east, to Alibaba, Tencent, and Baidu.
Look at the fact that China is now not only the country that invented paper currency, but will soon become the first cashless society, where everybody pays for everything on WeChat. That country is now backed by the biggest science spend on Earth. There are countries around the world moving much faster than us, and if we want to ensure that this great superpower of the steam age does not become an also-ran in the cyber age, the Government will need to make a number of important policy reforms and changes of direction, three of which I will touch on very quickly.
First, we have to ensure that the digital economy in this country has a much more robust foundation of trust. Trust is the foundation of trade; it always has been and always will be. However, as we have seen in the debate surrounding Cambridge Analytica and Facebook, that trust is evaporating very quickly, which is why we need a clear statement of principles and a clear Bill of digital or data rights for the 21st century.
The truth is that we are going into a period of rapid regulation and re-regulation. That is perfectly normal and sensible. There was not just one Factory Act during the course of the 19th century; there were 17. We regulated again and again as the technology and the economics of production changed. That is what we are about to do in this country, yet if we do not have a clear statement of principles, that regulation will be difficult for anybody, frankly, to anticipate.
It should not simply be about our rights as consumers; it should be, as the hon. Member for East Dunbartonshire (Jo Swinson) said, about basic equalities. In South Korea, they want to use wearable technology to increase life expectancy by three years. How do we ensure that those new privileges are not simply the preserve of those who can afford the technology? How do we ensure that we democratise both the protections that we need and the progress that we want to share? That is why a Bill of digital rights is so important.
It is important that the Government pick up on one crucial component of trust: the electronic ID system—a public choice for EID—that we currently lack. At the moment, public data is scattered between the Driver and Vehicle Licensing Agency, the Passport Office, the Department for Work and Pensions, Her Majesty’s Revenue and Customs, and the Government Gateway, which I see the Minister’s Department has now claimed. At the moment, that information is so disjointed that we cannot use it as citizens to create a secure public EID system, as they have done in Estonia. That has been the key to Estonia’s creation of 3,000 public e-services and 5,000 private e-services. It is the foundation of what is now the most advanced digital society on Earth. The Government need to put in place those important foundations of trust.
The second point is on infrastructure. It is not just here in the Houses of Parliament where the digital infrastructure is appalling. I do not know about you, Ms McDonagh, but I certainly cannot get a mobile signal in my office, on the fifth floor of Portcullis House, and I know that frustration is widely shared, but it is not just a problem here. In fact, the areas of this country that Brexit will hit hardest are those where download speeds are slowest. The parts of the country that will be hurt most by Brexit are therefore the least prepared to prosper in the new digital society that we are all so much looking forward to.
Other countries are racing ahead of us in terms of the targets that they are putting in place for broadband access. I was privileged to visit South Korea last week, where they have 60% fibre to the premises. What is it here in Britain? It is 3%. Not only do they have much greater penetration of fibre than we do, they have not one but three mobile networks delivering 100% broadband access, and they will commercialise 5G not in 2020, but this year. That is why the Government should be far more ambitious about universal service obligation for broadband access. We proposed 30 megabits per second, and proposed putting £1.6 billion behind that. The Government should be more ambitious than they are today. We will soon go to consultation on what it would take in terms of public investment to commercialise widespread 5G. We hope that the Government will look closely at our results.
Through the confidence and supply arrangement that the Democratic Unionist party made with the Conservative party, we secured £150 million for broadband to take us up to that level, so we can continue to be the leader in regions across the whole of the United Kingdom for economic development and delivery.
Well, lucky you! If the west midlands had enjoyed a per capita bung on the same level as Northern Ireland, an extra £600 million would be coming into my region; I know I am not the only one to look at the deal that the hon. Gentleman and his colleagues skilfully struck with some jealousy.
The final component is skills. My hon. Friends the Members for Bristol North West (Darren Jones) and for York Central (Rachael Maskell) made brilliant speeches about the importance of skills. I come from the city that is home to Soho House. Soho Manufactory was the first great factory, built in 1766. People have heard, of course, of James Watt, but many forget Matthew Boulton. It was Boulton who put together not only the best engineers in the world, but the best designers in the world. Where did he get them from? He brought engravers and artists from France, Germany and central Europe. That was the strength of the business; it married design brilliance and technical brilliance.
What do we have today, 250 years later? In Jaguar Land Rover, we have a company producing vehicles where the infotainment system is now worth more than the engine. Design brilliance and technical excellence need to go together, but design brilliance is being smashed out of the curriculum at the moment. I speak as a father of a boy going through his GCSEs, so I see it first-hand when I go home.
Young people are at the sharp end of the jobs risk of automation—that was confirmed by the International Monetary Fund yesterday, and by the OECD a week or two ago. However, as my hon. Friend the Member for Bristol North West mentioned, older workers are also crucial. By the age of 52, a working-class man in this country has paid £103,000 in national insurance. What happens if he loses his job? He gets sent down the job centre like everybody else, with no extra help, retraining or reskilling for the digital economy. Yet this is the country of the Open University, the Workers’ Educational Association, Unionlearn, and great education entrepreneurs such as Dr Sue Black and Martha Lane Fox. We should be bringing those players together to create a different kind of lifelong learning for the 21st century.
This is a nation of scientific genius. We have been burying our sovereigns with our scientists since we interred Isaac Newton over the road in Westminster abbey. We are the only country in the world that could make films about great scientists such as Turing and Hawking. We are the nation of the industrial revolution, but if we do not change course soon, this foundation of the industrial revolution will not be the leader in the fourth industrial revolution.
(6 years, 8 months ago)
General Committees
It is a privilege to serve under your chairmanship for the first time, I think, Mr Bone. I want to develop the points rehearsed by my hon. Friend the Member for North Durham and the hon. Member for Windsor. The Minister needs to rethink the consultation and these regulations for three reasons. First, as the hon. Member for Windsor rightly said, they are based on a budget of about £30 million for the Information Commissioner, which is an increase of about one third. The budget was set before the events of the past couple of weeks, when the implementation of GDPR was in mind. We did not foresee that the Information Commissioner would have to struggle for literally a week to get a search warrant to get into the offices of Cambridge Analytica. The idea that the Information Commissioner can investigate companies such as Facebook with a budget of £30 million is, frankly, fanciful.
We had a debate last week about the need to empower the Information Commissioner. When the Secretary of State intervened in the House a couple of weeks ago, he gave many of us the impression that that would happen under the Data Protection Bill, but the Minister walked back from that commitment in the Bill Committee last week. If we do not equip the Information Commissioner with the powers she needs to do her job and investigate some of the biggest companies on Earth, we need to look again at the budget and resources she has to do that job.
The second issue, as my hon. Friend the Member for North Durham rightly said, is that Government have declared that there will be a series of exemptions to the regulations sometime in the future. The Minister is inviting the Committee to agree the regulations this afternoon, and yet the exemptions will be organised and implemented sometime down the track. I do not think that is the right way round. The Minister should have organised a consultation on the exemptions before the regulations came to the Committee, and the exemptions should have been hard-wired into the regulations before the Committee was asked to agree to them.
The most significant problem that I want to flag up for the Minister is the appalling lack of consultation with local authorities. Something like 40,000 different data controllers were invited to respond to the consultation that led to the regulations, and 2,000 data controllers responded, but some affected parties, including minor stakeholders such as the Local Government Association, were not invited to contribute their views. That is a serious problem, because local authorities are some of the most important data controllers in the country, and they face a 480% increase in their charges.
It is not clear to me that the consultation was well organised. Events have moved on—I have some sympathy with the Minister about the fast-moving nature of her brief. I am afraid that the basics of the consultation should have been done differently, which is why I object to these regulations.
(6 years, 9 months ago)
Public Bill Committees
A subject access request gives individuals the right to ask for all the personal information that an organisation holds about them. That is a powerful right, designed to ensure that individuals may access information held about them within a specified time and, as such, it needs to be protected. The Bill provides such protection by making it an offence to require someone to exercise the right as a condition of employment, a contract or the provision of a service or goods. That is set out in clause 181 and schedule 17 and is intended to substantively replicate and in places build on the comparable provision in section 56 of the Data Protection Act 1998.
Amendments 127 and 128 insert a definition of a “relevant health record” for the purposes of clause 181, to ensure that the scope is consistent with that of other types of “relevant record” set out in schedule 17. Amendment 181 is technical in nature and simply updates a reference to a piece of legislation in Northern Ireland to reflect the fact that the legislation has been replaced.
I thank the Minister for that explanation. She is absolutely right to say that subject access requests are extremely powerful in how they operate. It is therefore such a shame that they are not a right or a power that the Government will see fit to extend to newcomers to this country, who will seek to use and have in the past sought to use subject access requests to access important information about their immigration status and history, and the decision-making processes in the Home Office and UK Border Agency about their immigration status. I am sure that we will come back to this debate on Report, and I hope that it is something that the Minister will reflect on.
Amendment 127 agreed to.
Amendments made: 128 in schedule 17, page 206, line 21, at end insert—
“Relevant health records
1A ‘Relevant health record’ means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.”.
See the explanatory statement for Amendment 127.
Amendment 181 in schedule 17, page 207, line 22, leave out sub-paragraph (iii) and insert—
“(iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));”.—(Margot James.)
In a list of functions of the Secretary of State in relation to people sentenced to detention, this amendment removes a reference to section 73 of the Children and Young Persons Act 1968 (which has been repealed) and inserts a reference to Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (which replaced it).
Schedule 17, as amended, agreed to.
Clause 182 ordered to stand part of the Bill.
Clause 183
Representation of data subjects
Amendments made: 63, in clause 183, page 105, line 42, leave out “80” and insert “80(1)”.
This amendment changes a reference to Article 80 of the GDPR into a reference to Article 80(1) and is consequential on NC2.
Amendment 64, in clause 183, page 105, line 44, leave out “certain rights” and insert “the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy)”.
In words summarising Article 80(1) of the GDPR, this amendment adds information about the rights of data subjects that may be exercised by representative bodies under that provision.
Amendment 65, in clause 183, page 106, line 7, leave out “under the following provisions” and insert “of a data subject”.
This amendment and Amendments 66, 67 and 68 tidy up Clause 183(2).
Amendment 66, in clause 183, page 106, line 9, at beginning insert “rights under”.
See the explanatory statement for Amendment 65.
Amendment 67, in clause 183, page 106, line 10, at beginning insert “rights under”.
See the explanatory statement for Amendment 65.
Amendment 68, in clause 183, page 106, line 11, at beginning insert “rights under”.—(Margot James.)
See the explanatory statement for Amendment 65.
Clause 183, as amended, ordered to stand part of the Bill.
Clause 184
Data subject’s rights and other prohibitions and restrictions
Amendment made: 69, in clause 184, page 106, line 41, leave out “(including as applied by Chapter 3 of that Part)”.—(Margot James.)
This amendment is consequential on Amendment 4.
Clause 184, as amended, ordered to stand part of the Bill.
Ordered,
That clause 184 be transferred to the end of line 39 on page 105.—(Margot James.)
Clause 185
Framework for Data Processing by Government
Question proposed, That the clause stand part of the Bill.
I seek a bit of reflection and clarification from the Minister on this point. Clause 185 touches on the way in which the data processing regime operates for Her Majesty’s Government. Within Her Majesty’s Government, there are three very significant Departments that employ tens of thousands of people and process millions of bits of data every year. The three big data-processing parts of Her Majesty’s Government are the Department for Work and Pensions, Her Majesty’s Revenue and Customs and the Ministry of Defence. Very often, the formal data controller is the person who sits at the top of the office. Sometimes it is someone who has a relationship with the accounting officer at the top of the Department. The challenge that that creates for people who seek to exercise their data rights under this Bill is that subject access requests or other requests go into the Department, and it takes for ever to get a response. That is not a reflection on the quality of the civil servants who run the Departments; it is simply that they are sitting on top of millions of records—potentially hundreds of millions of bits of data—and the records may be held or processed by thousands of people operating at the frontline of a particular business.
The way we get around that problem in the national health service, which is probably the biggest Government data processor in the country, is that the data processor is often nominated at the trust level. The data controller may be a clinical commissioning group or an NHS hospital trust. The big Departments—the DWP, the MOD and HMRC—do not operate that strategy. It would be useful to know whether the Government, in the codes of practice that they issue to Departments, will persist with the practice of nominating data controllers at the very top, so that there will be a single data controller in a very large Department with ultimate responsibility for enforcing the Bill right the way through some of the biggest and most complex organisations on earth.
The Minister will know, having long been in her role, that all kinds of problems arise, particularly in the DWP, when information is sought, for example, for tribunal cases. If someone is bringing a tribunal case or wants to contest something about benefits, sometimes the fastest way to do that is to file a subject access request just to get in one place how HMRC or the DWP did the calculations. Like the rest of us, the Minister will have had surgery cases along those lines. The first thing to do is to try to create a single picture of how the Department came to the decisions it made, which have a material impact on our benefits, health and wellbeing.
If the only way to assemble that full picture is to file a subject access request right the way up the chain to a civil servant at the top of the organisation, that is a very slow and fraught process. I invite the Minister to say a bit more about how she will reflect on a very different strategy for appointing and managing data controllers in the NHS, compared with the strategy that currently pertains in those three big administrative parts of Her Majesty’s Government.
The right hon. Gentleman makes a very good point. It might help if I say a little about the framework that the Secretary of State has to issue, as directed by clause 185, about the processing of personal data in connection with the exercise of functions within Government. Before the framework is issued, it has to be subject to parliamentary scrutiny. Some of these practical issues can be explored at that point. The framework will provide guidance to Departments on all aspects of their data processing. The content is being developed and we will definitely take into account the right hon. Gentleman’s concerns.
Question put and agreed to.
Clause 185 accordingly ordered to stand part of the Bill.
Clause 186
Approval of the Framework
Question proposed, That the clause stand part of the Bill.
I am grateful to the Minister for taking those points on board. I suppose it begs the question of when she thinks we might see this framework. The process set out in the clause is a wise and practical course of action. We all have constituency experience that could have a bearing on how this piece of guidance is drafted and presented. We have the luxury of serving our constituents week in, week out. That is not a privilege that the civil servants who are asked to draft these frameworks enjoy.
It is important that the Minister goes through a good process, which allows her not to present the House with a fait accompli or something for an up and down motion. That will not be in any of our interests. My concern is how we practically operationalise this in a way that allows us continually to strengthen and improve the service that we provide to our constituents. It is very hard for us to do that if we have a data management regime operationalised by Her Majesty’s Government that gets in the way.
When does the Minister expect to issue this framework? How will she ensure that there is a period of soft consultation with, perhaps, the Speaker’s Committee here in the House so that we are not presented with a final draft of a document that we have 40 days to consider, moan about and make representations about, all of which will then basically be ignored because the approval process requires an up-down vote at the end?
I cannot be precise as to when, but it will be a priority to issue the framework for all the reasons that the right hon. Gentleman set out. We intend to engage fully with officials across Government, in particular the Departments that he has mentioned, and will consult other areas of expertise and the Information Commissioner herself. Indeed, clause 185(5) sets a requirement for consultation. Most importantly, the framework will then come to Parliament for proper scrutiny. At that point the right hon. Gentleman will have every chance to contribute further to the practicality of establishing this framework as speedily as possible.
Question put and agreed to.
Clause 186 accordingly ordered to stand part of the Bill.
Clause 187
Publication and review of the Framework
Question proposed, That the clause stand part of the Bill.
The only issue arising from this clause is the frequency with which the Minister expects the framework to be updated. I welcome the steer that she has given the Committee about how clause 186(5) will be operationalised, but that does not quite get round the problem that I am concerned about. Sometimes, and it has been known to happen, regulations get somewhat hard wired before they are presented to the House. Although it is in the Bill, sometimes that 40-day consultation period does not provide an opportunity to revise and update a measure if we do not think that it is practical.
If, for example, a code of practice is brought forward that says, “For the DWP, the data controller is going to be the accounting officer of the Department or someone associated with the accounting officer of the Department,” that is not going to be a practical strategy for operationalising this Bill within a Department as big and complicated as the DWP. So it may not be possible. We have to accept that. We have to accept the way statutory instruments are put through this place, and the political reality of that. Let us be mature about that. However, we have a belt-and-braces approach set out in clause 187, in that we have the chance to review it. Perhaps the Minister could say a word about how frequently she expects to review and update the legislation, so that it continually improves in the light of experience?
Clause 187 requires the Secretary of State to publish the framework, and under clause 185 he must keep it under review, and commit to updating it as appropriate. Furthermore, although the Information Commissioner has to take the framework into account, were she investigating a data breach by a Government Department, for example, she might consider it relevant to consider whether that Department had applied the principles set out in the framework. She is also free to disregard the framework if she considers it irrelevant or getting in the way.
It will be a moving thing, and the legislation provides for the Secretary of State to keep it under continual review. If the right hon. Gentleman wishes to have some input before it arrives in the House in the form of a Statutory Instrument, I would be very happy to engage with him.
Question put and agreed to.
Clause 187 accordingly ordered to stand part of the Bill.
Clause 188 ordered to stand part of the Bill.
Clause 189
Publication and review of the Framework
Question proposed, That the clause stand part of the Bill.
We now come to offences, and crucially in clause 189, the question of penalties for offences. The real world has provided us with some tests for the legislation over the past few days. We have reviewed clauses 189 to 192 again in the light of this week’s news. Some quite serious questions have been provoked by the Cambridge Analytica scandal, and the revelations about the misuse of data that was collected through an app that sat on the Facebook platform.
For those who missed it, the story is fairly simple. A Cambridge-based academic created an app that allowed the collection not only of personal data but of data associated with one’s friends on Facebook. The data was then transferred to Cambridge Analytica, and that dataset became the soft code platform on which forensic targeting was deployed during the American presidential elections. We do not yet know, because the Mueller inquiry has not been completed, who was paying for the dark social ads targeted at individuals, as allowed by Cambridge Analytica’s methodology.
The reality is that under Facebook’s privacy policy, and under the law as it stood at the time, it is unlikely that the collection and repurposing of that data was illegal. I understand that the data was collected through an app that was about personality tests, and then re-deployed for election targeting. My understanding of the law is that that was not technically illegal, but I will come on to where I think the crime actually lies.
The right hon. Gentleman’s point makes it clear that the legislation is extremely timely. Does he not agree that that is why we are all here today—to try to improve the current situation?
Absolutely. That is why the European Commission has been working on it for so long. Today’s legislation incorporates a bit of European legislation into British law.
The crime that may have been committed is the international transfer of data. It is highly likely that data collected here in the UK was transferred to the United States and deployed—weaponised, in a way—in a political campaign in the United States. It is not clear that that is legal.
The scandal has knocked about $40 billion off the value of Facebook. I noted with interest that Mr Zuckerberg dumped a whole load of Facebook stock the weekend before the revelations on Monday and Tuesday, and no doubt his shareholders will want to hold him to account for that decision. I read his statement when it finally materialised on Facebook last night, and it concerned me that there was not one word of apology to Facebook users in it. There was an acknowledgement that there had been a massive data breach and a breach of trust, but there was not a single word of apology for what had happened or for Facebook basically facilitating and enabling it. That tells me that we simply will not be able to rely on Facebook self-policing adherence to data protection policies.
The hon. Member for Hornchurch and Upminster is absolutely right—that is why the Bill is absolutely necessary—but the question about the clause is whether the sanctions for misbehaviour are tough enough. Of the two or three things that concerned me most this week, one was how on earth it took the Information Commissioner so long to get the warrant she wanted to search the Cambridge Analytica offices. The Minister may want to say a word about whether that warrant has now been issued. That time lag begs the question whether there is a better way of giving the Information Commissioner the power to conduct such investigations. As we rehearsed in an earlier sitting, the proposed sanctions are financial, but the reality is that many of Cambridge Analytica’s clients are not short of cash—they are not short of loose change—so even the proposed new fines are not necessarily significant enough.
I say that because we know that the companies that contract with organisations such as Cambridge Analytica are often shell companies, so a fine that is cast as a percentage of turnover is not necessarily a sufficient disincentive for people to break the law. That is why I ask the Minister again to consider reviewing the clause and to ask herself, her officials and her Government colleagues whether we should consider a sanction of a custodial sentence where people get in the way of an investigation by the Information Commissioner’s Office.
I am afraid that such activities will continue. I very much hope that the Secretary of State for Digital, Culture, Media and Sport reflects on our exchange on the Floor of the House this morning and uses the information he has about public contracts to do a little more work to expose who is in the network of individuals associated with Cambridge Analytica and where other companies may be implicated in this scandal. We know, because it has said so, that Cambridge Analytica is in effect a shell company—it is in effect a wholly owned subsidiary of SCL Elections Ltd—but we also know that it has an intellectual property sharing agreement with other companies, such as AggregateIQ. Mr Alexander Nix, because he signed the non-disclosure agreement, was aware of that. There are relationships between companies around Cambridge Analytica that extend far and wide. I mentioned this morning that I am concerned that the Foreign and Commonwealth Office may be bringing some of them together for its computational propaganda conference somewhere in the countryside this weekend.
The point I really want the Minister to address is whether she is absolutely content that the sanctions proposed under the clause are sufficient to deter and prosecute the kind of misbehaviour, albeit still only alleged, that has been in the news this week, which raises real concerns.
I will be very brief, because I will largely echo what the right hon. Member for Birmingham, Hodge Hill said. It is absolutely fair to say that our understanding of the potential value of personal information, including that gained by people who break data protection laws, has increased exponentially in recent times, as has our understanding of the damage that can be done to victims of such breaches. I agree that it is not easy to see why the proposed offences stop where they do.
I have a specific question about why there is a two-tier system of penalties. There is a set of offences that are triable only in a summary court and for which there is a maximum fine. I think the maximum in Scotland and Northern Ireland is £5,000. There is a second set of offences that could conceivably be triable on indictment, and there is provision there for an unlimited fine, but not any custodial sentence.
For some companies, if they were in trouble, a £5,000 fine for essentially obstructing justice would be small beer, especially if it allowed them to avoid an unlimited fine. It would be interesting to hear an explanation for that. Many folk would see some of the offences that are triable on indictment as morally equivalent to embezzlement, serious theft or serious fraud, so it is legitimate to ask why there is no option for a custodial sentence in any circumstance.
I certainly share the concerns that hon. Members have expressed in the light of the dreadful Cambridge Analytica scandal. I will set out the penalties for summary only offences, which lie in clause 119, “Inspection of personal data in accordance with international obligations”; clause 173, “Alteration etc of personal data to prevent disclosure”; and paragraph 15(1) of schedule 15, which contains the offence of obstructing the execution of a warrant. The maximum penalty on summary conviction for those offences is an unlimited fine in England and Wales or a level 5 fine in Scotland and Northern Ireland.
Clause 189(2) sets out the maximum penalties for offences that can be tried summarily on indictment, which include offences in clause 132 “Confidentiality of information”; clause 145 “False statements made in response to an information notice”; clause 170 “Unlawful obtaining etc of personal data”; clause 171 “Re-identification of de-identified personal data”; and clause 181 “Prohibition of requirement to produce relevant records”. Again, the maximum penalty when tried summarily in England or Wales, or on indictment, is an unlimited fine. In Scotland and Northern Ireland, the maximum penalty on summary conviction is a fine
“not exceeding the statutory maximum”
or an unlimited fine when tried on indictment.
I was listening carefully to the Minister’s reply. She said that the sanction is an unlimited fine in England and Wales. Let us take the hypothetical case of Cambridge Analytica, which is a one-man shell company, in effect; in the UK, it is wholly owned by SCL Elections. I am concerned about what happens if that holding company—let us say it is SCL Elections—is registered outside England and Wales, in the United States or Uruguay, for example? Will the fine bite on the one-man shell company, Cambridge Analytica? If so, the shell company will just go out of business—the directors will be struck off and that will be the end of it. That is not much of a sanction.
The sanctions are as I outlined. The right hon. Gentleman talks about more complex corporate structures. Later in our proceedings, we will touch on the jurisdiction of the general data protection regulation when it comes to dealing with cross-border situations outside the European Union. Perhaps we can throw some light on what he is saying when we come to that point.
The GDPR strengthens the rights of data subjects over their data, including the important right of consent and what constitutes consent by the data subject to the use and processing of their data. That right must now be clear, robust and unambiguous. That is a key change that will provide some protection in the future.
The right hon. Gentleman should remember that, in addition to data protection laws, other sanctions are available, including prosecution for computer misuse, fraud and, potentially, in the case of the example we have been talking about, electoral laws, depending on the circumstances.
Question put and agreed to.
Clause 189 accordingly ordered to stand part of the Bill.
Clause 190 ordered to stand part of the Bill.
Clause 191
Liability of directors etc
Question proposed, That the clause stand part of the Bill.
The debate presents what is potentially a good opportunity to offer a flow of advice to the Minister, if I might pose my question like this: if a company based in the UK has committed an offence, but its holding company is based somewhere else, in what way will clause 191 bite not on the UK operations, but on the holding company elsewhere?
My reading of the extraterritoriality provisions is that the implementation of GDPR and the sanctions around it may well bite in Europe—we will get on to this issue in the debate on extraterritoriality, as the Minister has said—but where companies are registered in, heaven forbid, various tax havens around the world such as Panama or Belize, will the Information Commissioner be able to, in effect, bring prosecutions that will result in action biting on a director of a holding company domiciled somewhere abroad, such as Belize? That is a pretty plausible scenario. Again, this touches on whether the sanctions in the Bill are sufficient to deter the kind of misbehaviour that we now know is running loose around the wild west that the Secretary of State described.
The clause allows proceedings to be brought against a director, or a person acting in a similar position, as well as the body corporate, where it has been proven that breaches of the Act have occurred with the consent, connivance or negligence of that person. The clause will have the same effect as that of section 61 of the Data Protection Act 1998. I might have to come back to the right hon. Gentleman on some of the points he raised in that hypothetical circumstance, which I have no doubt could certainly exist in the future.
I would be grateful if the Minister wrote to me on that this afternoon, because if there are deficiencies we will have to get on with preparing amendments for consideration on Report.
Question put and agreed to.
Clause 191 accordingly ordered to stand part of the Bill.
Clauses 192 to 195 ordered to stand part of the Bill.
Clause 196
Tribunal Procedure Rules
Question proposed, That the clause stand part of the Bill.
Questions have arisen on the procedure rules associated with tribunals. The Opposition are concerned that the rights conferred in the Bill are rights in reality, not in theory. That is why we moved important amendments earlier, which were unwisely rejected by the Government, on collective forms of class action.
If we are to ensure that our constituents genuinely have access to the kind of justice mechanisms set out in the clause, we are obviously required to confront the reality that people will sometimes not have the resources for the financing of solicitors or representatives to help them to make their cases. Will the Minister say a word about whether our constituents will have access to resources such as legal aid to fight those cases in a tribunal?
The clause provides a power to make tribunal procedure rules to regulate how the rights of appeal before the tribunal and the right to apply for an order from the tribunal, conferred under the Bill, are exercised. It sets out the way a data subject’s right to authorise a representative body to apply for an order on his or her behalf under article 80 of the GDPR and clause 183 can be exercised. For somebody who does not have the means to pursue an individual claim, that is obviously a way forward in some circumstances. In addition, it provides a power to make provision about
“securing the production of material used for the processing of personal data,”
and
“the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.”
The provisions are equivalent to paragraph 7 of schedule 6 of the 1998 Act.
That is a helpful explanation. It is obvious from the Minister’s response that those tribunal rules will be incredibly important in providing democratic access to justice where our constituents have been maligned and their data rights abused. The tribunal procedure rules, given what she has said, will be of great interest to right hon. and hon. Members.
Will the Minister clarify what oversight and scrutiny we may have in the House of those tribunal procedure rules, or whether they are purely rules that are the child of the tribunal authorities? Are they something the tribunal authorities can just issue, or is there some oversight, amendment or improvement that we in the House can provide?
I cannot be precise about the level of scrutiny that the tribunal procedure rules may or may not be subject to, but in further answer to the right hon. Gentleman’s earlier question, legal aid is also available, as set out in the Legal Aid, Sentencing and Punishment of Offenders Act 2012, where a failure to fund would breach the European convention on human rights. There is that protection over and above the right of people to join a group action. The rules set by the Tribunal Procedure Rules Committee will be set, I am told, by applying its own consultation process, which the Lord Chancellor lays before Parliament.
Question put and agreed to.
Clause 196 accordingly ordered to stand part of the Bill.
Clause 197 ordered to stand part of the Bill.
Clause 198
Other definitions
Amendments made: 70, in clause 198, page 114, line 25, at end insert
“the following (except in the expression “United Kingdom government department”)”.
This amendment makes clear that the definition of “government department” does not operate on references to a “United Kingdom government department” (which can be found in Clause 185 and paragraph 1 of Schedule 7).
Amendment 71, in clause 198, page 115, line 8, at end insert—
“(2) References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—
(a) section 125(4), (7) and (8);
(b) section 160(3), (5) and (6);
(c) section 176(2);
(d) section 179(8) and (9);
(e) section 180(4);
(f) section 186(3), (5) and (6);
(g) section 190(3) and (4);
(h) paragraph 18(4) and (5) of Schedule 1;
(i) paragraphs 5(4) and 6(4) of Schedule 3;
(j) Schedule 5;
(k) paragraph 11(5) of Schedule 12;
(l) Schedule 15;
(and the references in section 5 to terms used in Chapter 2 or 3 of Part 2 do not include references to a period expressed in hours, days, weeks, months or years).”
This amendment provides that periods of time referred to in the bill are generally to be interpreted in accordance with Article 3 of EC Regulation 1182/71, which makes provision about the calculation of periods of hours, days, weeks, months and years.
Amendment 182, in clause 198, page 115, line 8, at end insert—
“( ) Section 3(14)(aa) (interpretation of references to Chapter 2 of Part 2 in Parts 5 to 7) and the amendments in Schedule 18 which make equivalent provision are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978, or any similar provision in another enactment, as it applies to other references to, or to a provision of, Chapter 2 of Part 2 of this Act.” —(Margot James.)
Clause 3(14)(aa) (inserted by amendment 4) and equivalent provision contained in amendments in Schedule 18 state expressly that references to Chapter 2 of Part 2 of the bill in Parts 5 to 7 of the bill, and in certain amendments in Schedule 18, include that Chapter as applied by Chapter 3 of Part 2. This amendment secures that they are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978. Section 20(2) provides that where an Act refers to an enactment that reference includes that enactment as applied, unless the contrary intention appears.
Clause 198, as amended, ordered to stand part of the Bill.
Clause 199 ordered to stand part of the Bill.
Clause 200
Territorial application of this Act
Amendments made: 183, in clause 200, page 117, line 15, leave out subsections (1) to (4) and insert—
‘(1) This Act applies only to processing of personal data described in subsections (2) and (3).
(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.
(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—
(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.’
This amendment replaces the existing provision on territorial application in clause 200(1) to (4). In the amendment, subsection (2) provides that the bill applies to processing in the context of the activities of an establishment of a controller or processor in the UK. Subsection (3) provides that, in certain circumstances, the bill also applies to processing to which the GDPR applies and which is carried out in the context of activities of an establishment of a controller or processor in a country or territory that is not part of the EU.
Amendment 184, in clause 200, page 118, line 8, leave out “(4)” and insert “(3)”.
This amendment is consequential on amendment 183.
Amendment 185, in clause 200, page 118, leave out line 10 and insert “processing of personal data”.
This amendment is consequential on amendment 183.
Amendment 186, in clause 200, page 118, line 10, at end insert—
‘(5A) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (2).
(5B) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).’
New subsection (5A) secures that the reference to “processing” in the new subsection (2) inserted by amendment 183 includes all types of processing of personal data. It disapplies clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually only to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies. New subsection (5B) secures that the reference in the new subsection (3) to Chapter 2 of Part 2 of the bill does not include that Chapter as applied by Chapter 3 of Part 2.
Amendment 187, in clause 200, page 118, line 11, leave out “established” and insert “who has an establishment”.
This amendment is consequential on amendment 183.
Amendment 188, in clause 200, page 118, line 21, after “to” insert “a person who has an”.
This amendment is consequential on amendment 183.
Amendment 189, in clause 200, page 118, line 23, leave out subsection (7).—(Margot James.)
This amendment is consequential on amendment 183.
Question proposed, That the clause, as amended, stand part of the Bill.
This is where we get into some of the whys and wherefores of the territorial application of the Bill. We can see in clause 200(1) that the Bill essentially bites on a data controller who is domiciled here in the United Kingdom. A question of public concern—it should also concern us in this Committee—is whether the bite and sanctions of the Bill will touch on people who are registered here, but not necessarily on directors of holding companies who are domiciled elsewhere.
I expect that the things we will learn about over the weekend and into next week will confirm for us all that very small companies—essentially corporate shells—that are perhaps registered as data controllers and might have committed offences under the 1998 Act or under the Bill, once it has received Royal Assent, might be controlled by directors who are domiciled elsewhere. If the Bill is to be worth anything and if it is to change anything in the real world in which we happen to live, there is a real question about how offences committed under it by people here will be limited by the corporate realities, which mean that shell companies are data controllers, but actually the wealth, assets and operating mind of a company are somewhere else. Perhaps the Minister will say a little about how she will tackle that particular problem, because we know it is going to arise.
First, a word on the clause, which sets out the territorial application with respect to the circumstances in which the Bill applies to the processing of personal data. Article 3 of the GDPR says that the GDPR applies where the processing of personal data occurs in the context of the activities of a controller or a processor established in the EU, and that it will also apply where a controller or processor is based outside the EU, but is processing the data of people within the EU in connection with the offering of goods and services to them, or for monitoring their behaviour.
We have revisited the clause to ensure that, as far as possible, the scope of the Bill aligns with the scope of the GDPR, albeit in a UK-only context. The Bill will allow the sanction to be given to an overseas entity where it is in the control of a UK-based company. Whether it can be enforced will depend on international arrangements for bringing people to justice, including those beyond the area of data protection.
One additional point, regarding the global nature of these crimes, is that under UK law we already have stronger data protection laws than many other countries—indeed, considerably stronger than in the United States. That means that American citizens with an interest in this Cambridge Analytica debacle are using the British courts and British legislation to enforce things such as data subject access requests, which have revealed a great deal of the evidence that is coming out of Cambridge Analytica. So we benefit as well from the strength of the data provisions that we have at the moment, which we are of course strengthening through the Bill.
Question put and agreed to.
Clause 200, as amended, accordingly ordered to stand part of the Bill.
Clause 201 ordered to stand part of the Bill.
Clause 202
Application to the Crown
Question proposed, That the clause stand part of the Bill.
I think we would all benefit from a little bit of explanation about how this clause will work in practice. For those who have not read clause 202 in detail, it basically explains how this Bill will operate when it comes to the Crown. That is obviously important, because within Her Majesty’s estates there are particular estates such as the Duchy of Lancaster and indeed the Duchy of Cornwall, which are often quite big businesses. I remember from my own time as Chancellor of the Duchy of Lancaster that there are some quite significant property holdings in that Duchy, and they make a not insignificant contribution to the funds that Her Majesty uses to work with, day to day. How will this clause be put into practice and are there any relevant exemptions that we should know about?
Clause 202 does not contain any provision to exempt the Crown from the requirements of the GDPR. Likewise, section 63 of the 1998 Act also binds the Crown. This clause makes similar and related provision. For example, where Crown bodies enter into controller-processor relationships with each other, subsection (3) provides that the arrangement may be governed by a memorandum of understanding, rather than a contract. This is to meet the requirements of article 28 of the GDPR.
Question put and agreed to.
Clause 202 accordingly ordered to stand part of the Bill.
Clause 203 ordered to stand part of the Bill.
Clause 204
Minor and consequential amendments
Amendment made: 190, in clause 204, page 120, line 12, leave out subsection (1) and insert—
‘(1) In Schedule 18—
(a) Part 1 contains minor and consequential amendments of primary legislation;
(b) Part 2 contains minor and consequential amendments of other legislation;
(c) Part 3 contains consequential modifications of legislation;
(d) Part 4 contains supplementary provision.’
This amendment sets out the contents of Schedule 18 and is consequential on the amendments being made to Schedule 18 including in particular the insertion of new Parts 3 and 4 into that Schedule by amendment 224.—(Margot James.)
Clause 204, as amended, ordered to stand part of the Bill.
Schedule 18
Minor and Consequential Amendments
Amendments made: 191, in schedule 18, page 208, line 25, at end insert—
“Registration Service Act 1953 (c. 37)
A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.
(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 122 of the Data Protection Act 2018 (data-sharing code)”.
(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
Veterinary Surgeons Act 1966 (c. 36)
A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.
(2) In subsection (8)—
(a) omit “personal data protection legislation in the United Kingdom that implements”,
(b) for paragraph (a) substitute—
“(a) the GDPR; and”, and
(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.
(3) In subsection (9), after “section” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”
This amendment makes consequential amendments to primary legislation.
Amendment 192, in schedule 18, page 210, line 4, at end insert—
“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))
8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.
8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.
8C In article 8D (European professional card), after paragraph (3) insert—
“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—
“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.
(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.
(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”.
(3) For sub-paragraph (3) substitute—
“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4) After sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
Representation of the People Act 1983 (c. 2)
8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.
(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
(3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
(4) In paragraph 11A—
(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and
(b) omit sub-paragraph (2).”
This amendment makes consequential amendments to primary legislation.
Amendment 193, in schedule 18, page 210, leave out lines 5 to 39 and insert—
“Medical Act 1983 (c. 54)
9 The Medical Act 1983 is amended as follows.
10 (1) Section 29E (evidence) is amended as follows.
(2) In subsection (5), after “enactment” insert “or the GDPR”.
(3) For subsection (7) substitute—
“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4) In subsection (9), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.
(2) In subsection (4), after “enactment” insert “or the GDPR”.
(3) For subsection (5A) substitute—
“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4) In subsection (7), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.
13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.
(2) In sub-paragraph (2)(a), after “enactment” insert “or the GDPR”.
(3) After sub-paragraph (3) insert—
“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.
(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.
(3) For sub-paragraph (8A) substitute—
“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4) After sub-paragraph (13) insert—
“(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”
This amendment replaces the existing consequential amendments of the Medical Act 1983.
Amendment 194, in schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 33B of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 195, in schedule 18, page 211, line 20, at end insert—
“15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”
This amendment makes further consequential amendments to the Dentists Act 1984.
Amendment 196, in schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 36Y of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 197, in schedule 18, page 211, line 41, at end insert—
“16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.
16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
Companies Act 1985 (c. 6)
16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”
This amendment makes consequential amendments to primary legislation, including further consequential amendments to the Dentists Act 1984.
Amendment 198, in schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 13B of the Opticians Act 1989 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 199, in schedule 18, page 212, line 18, at end insert—
“Access to Health Records Act 1990 (c. 23)
18A The Access to Health Records Act 1990 is amended as follows.
18B For section 2 substitute—
“2 Health professionals
In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”
18C (1) Section 3 (right of access to health records) is amended as follows.
(2) In subsection (2), omit “Subject to subsection (4) below,”.
(3) In subsection (4), omit from “other than the following” to the end.”
This amendment makes consequential amendments to the Access to Health Records Act 1990.
Amendment 200, in schedule 18, page 213, line 2, at end insert—
“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))
21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.
(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After paragraph (6) insert—
“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Industrial Relations (Northern Ireland) Order 1992.
Amendment 201, in schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 40 of the Freedom of Information Act 2000 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 202, in schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 203, in schedule 18, page 220, line 7, at end insert—
“Enterprise Act 2002 (c. 40)
64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.
(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
(3) After subsection (6) insert—
“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Enterprise Act 2002.
Amendment 204, in schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 38 of the Freedom of Information (Scotland) Act 2002 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 205, in schedule 18, page 222, line 21, at end insert—
“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)
75A (1) Section 279 of the Mental Health Care and Treatment (Scotland) Act 2003 (information for research) is amended as follows.
(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.
(3) After subsection (9) insert—
“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””
This amendment makes consequential amendments to the Mental Health (Care and Treatment) (Scotland) Act 2003.
Amendment 206, in schedule 18, page 222, line 29, at end insert—
“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)
76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.
76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.
(2) In subsection (2)—
(a) omit “within the meaning of the Data Protection Act 1998”, and
(b) for “that Act” substitute “the data protection legislation”.
(3) After subsection (7) insert—
“(8) In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.
(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After subsection (7) insert—
“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Companies (Audit, Investigations and Community Enterprise) Act 2004.
Amendment 207, in schedule 18, page 225, line 10, at end insert—
“88A (1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.
(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After subsection (3) insert—
“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes further consequential amendments to the National Health Service Act 2006.
Amendment 208, in schedule 18, page 225, line 28, at end insert—
“Companies Act 2006 (c. 46)
92A The Companies Act 2006 is amended as follows.
92B In section 458(2) (disclosure of information by tax authorities)—
(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and
(b) for “that Act” substitute “the data protection legislation”.
92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
92E In section 1173(1) (minor definitions: general), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.
92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.
92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—
92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—
This amendment makes consequential amendments to the Companies Act 2006.
Amendment 209, in schedule 18, page 225, line 38, at end insert—
96A (1) Section 45 (information held by HMRC) is amended as follows.
(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”
This amendment makes further consequential amendments to the Statistics and Registration Service Act 2007.
Amendment 210, in schedule 18, page 230, line 16, at end insert—
“Coroners and Justice Act 2009 (c. 25)
122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”
This amendment makes a consequential amendment to the Coroners and Justice Act 2009 and is consequential on the amendments being made to section 3 of the Access to Health Records Act 1990 by amendment 199.
Amendment 211, in schedule 18, page 232, line 39, after “after “” insert “this”
Paragraph 130(3) of Schedule 18 to the bill amends paragraph 8(8) of Schedule 2 to the Welsh Language (Wales) Measure 2011 by inserting new text. This amendment clarifies where that new text is to be inserted in the English language version of that Measure.
Amendment 212, in schedule 18, page 242, line 40, at end insert—
“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)
186A (1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.
(2) In the English language text—
(a) in subsection (9), omit from “and in this subsection” to the end, and
(b) after subsection (9) insert—
“(9A) In subsection (9)—
“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;
“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
(3) In the Welsh language text—
(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and
(b) after subsection (9) insert—
“(9A) Yn is-adran (9)—
mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);
mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.”
This amendment makes consequential amendments to the Additional Learning Needs and Educational Tribunal (Wales) Act 2018.
Amendment 213, in schedule 18, page 243, line 14, at end insert—
“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)
187A In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—
This amendment makes a consequential amendment to the Estate Agents (Specific Offences) (No. 2) Order 1991.
Amendment 214, in schedule 18, page 243, line 22, after “controller”,” insert—
(ba) after “in the context of” insert “the activities of”,”
This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.
Amendment 215, in schedule 18, page 243, line 27, after “controller”,” insert—
(ba) after “in the context of” insert “the activities of”,”
This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.
Amendment 216, in schedule 18, page 243, line 28, at end insert—
“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))
188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.
188B In Article 4 (health professionals), for paragraph (1) substitute—
“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”
188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.
Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)
188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—
“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).
(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”
European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)
188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.
188F (1) Regulation 2(1) (interpretation) is amended as follows.
(2) Omit the definition of “Directive 95/46/EC”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
188G (1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)
188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—
“7 Data Protection Act 2018
(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)
188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—
“9 Data Protection Act 2018
(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Commission is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)
188J The Representation of the People (England and Wales) Regulations 2001 are amended as follows.
188K In regulation 3(1) (interpretation), at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
188L In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188M In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188N In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188O In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
(a) Article 89 GDPR purposes;”.
188P (1) Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.
(2) After sub-paragraph (b) insert—
“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3) Omit sub-paragraphs (c) and (d).
188Q In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
188R In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188S In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188T In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188U In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188V In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
(i) Article 89 GDPR purposes;”.
Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)
188W The Representation of the People (Scotland) Regulations 2001 are amended as follows.
188X In regulation 3(1) (interpretation), at the appropriate places, insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188AB In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—
(a) Article 89 GDPR purposes;”.
188AC In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
(a) Article 89 GDPR purposes;”.
188AD (1) Regulation 92(2) (interpretation of Part VI etc) is amended as follows.
(2) After sub-paragraph (b) insert—
“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3) Omit sub-paragraphs (c) and (d).
188AE In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
188AF In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AG In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AH In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
(i) Article 89 GDPR purposes;”.
Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)
188AJ (1) Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.
(2) In paragraph (2B), for sub-paragraph (a) substitute—
“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.
(3) After paragraph (5) insert—
“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Nursing and Midwifery Order 2001 (S.I. 2002/253)
188AK The Nursing and Midwifery Order 2001 is amended as follows.
188AL (1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.
(2) In paragraph (18), after “enactment” insert “or the GDPR”.
(3) After paragraph (18) insert—
“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
188AM (1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.
(2) In paragraph (3), after “enactment” insert “or the GDPR”.
(3) In paragraph (6)—
(a) for “paragraph (5),” substitute “paragraph (3)—”, and
(b) at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
188AN In article 39B (European professional card), after paragraph (2) insert—
“(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
188AO In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
188AP (1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.
(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
188AQ (1) The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
188AR In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.
Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)
188AS Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.
188AT In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.
188AU In paragraph (3)—
(a) omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and
(b) at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”
This amendment makes consequential amendments to secondary legislation, including to the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 and the Northern Ireland Assembly Commission (Crown Status) Order 1999.
Amendment 217, in schedule 18, page 244, line 1, at end insert—
(d) for “data controller” substitute “controller”, and
(e) after “in the context of” insert “the activities of”.
Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)
191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.
191B (1) Regulation 2 (interpretation) is amended as follows.
(2) Omit the definition of “the 1998 Act”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
191C (1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.
(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.
(3) For paragraphs (a) to (c) substitute—
(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;
(ab) the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.
(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.
(5) In paragraph (e), for “that” substitute “the information”.
191D In regulation 9 (fees), for paragraph (1) substitute—
“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.
(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—
(a) exceeds the cost of supply, or
(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”
European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)
191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.
191F (1) Paragraph 74(1) (interpretation) is amended as follows.
(2) Omit the definitions of “relevant conditions” and “research purposes”.
(3) At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.”
This amendment makes consequential amendments to secondary legislation, including to the Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003. The amendment to that Order is consequential on amendment 183, and also changes the reference in article 11(4) of that Order to a “data controller” to a “controller”.
Amendment 218, in schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in the Environmental Information Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 219, in schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in the Environmental Information (Scotland) Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 220, in schedule 18, page 247, line 40, at end insert—
“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)
199A (1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.
(2) In paragraph (1)(b)—
(a) for paragraph (iii) (but not the final “, and”) substitute—
“(iii) the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and
(b) in the words following paragraph (iii), omit “search”.
(3) After paragraph (2) insert—
“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)
199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.
199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.
199D (1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.
(2) In paragraph (4)—
(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and
(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.
(3) After paragraph (6) insert—
“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””
This amendment makes consequential amendments to secondary legislation.
Amendment 221, in schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 222, in schedule 18, page 249, line 1, at end insert—
“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)
200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—
(a) for the definition of “data protection principles” substitute—
““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and
(b) at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)
200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.
200C (1) Regulation 39 (sensitive information) is amended as follows.
(2) In paragraph (1)(d)—
(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.
(3) After paragraph (1) insert—
“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a) Article 21 of the GDPR (general processing: right to object to processing), or
(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C) The condition in this paragraph is that—
(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4) Omit paragraphs (2) to (4).
National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)
200D (1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(4) After that sub-paragraph insert—
“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)
200E In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—
“(b) any material used consists of or includes human cells or human DNA,”.
National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)
200F For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—
“5 Data Protection Act 2018
(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))
200G In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity)—
(a) in the English language text, for paragraph (c) substitute—
“(c) any material used consists of or includes human cells or human DNA; and”, and
(b) in the Welsh language text, for paragraph (c) substitute—
“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.
Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)
200H (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.
(2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(3) After paragraph (1) insert—
“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)
200I In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—
“(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after paragraph (3) insert—
“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)
200J The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.
200K In regulation 2 (interpretation), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
200L In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.
Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)
200M In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and
(b) after paragraph (3) insert—
“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)
200N In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.
Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))
200O The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.
200P In regulation 2(1) (interpretation)—
(a) at the appropriate place in the English language text insert—
““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and
(b) at the appropriate place in the Welsh language text insert—
“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran 3(10), (11) a (14) o’r Ddeddf honno);”.
200Q (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
(2) In paragraph (7)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (8)—
(a) in the English language text substitute—
“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
200R (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
(2) In paragraph (6)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (7)—
(a) in the English language text substitute—
“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
200S (1) Regulation 29 (occurrence reports) is amended as follows.
(2) In paragraph (3)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (4)—
(a) in the English language text substitute—
“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)
200T (1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.
(2) In paragraph (3)—
(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.
(3) After paragraph (3) insert—
“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a) Article 21 of the GDPR (general processing: right to object to processing), or
(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4) After paragraph (4) insert—
“(5) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)
200U (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in an EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Overseas Companies Regulations 2009 (S.I. 2009/1801)
200V (1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
“(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in an EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Provision of Services Regulations 2009 (S.I. 2009/2999)
200W In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”
This amendment makes consequential amendments to secondary legislation including to the National Assembly for Wales Commission (Crown Status) Order 2007.
Amendment 223, in schedule 18, page 249, line 32, at end insert—
“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)
201A (1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.
(2) In paragraph (2)—
(a) omit “or” at the end of sub-paragraph (a),
(b) for sub-paragraph (b) substitute—
“(b) Article 21 of the GDPR (general processing: right to object to processing), or
(c) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c) omit the words following sub-paragraph (b).
(3) After paragraph (6) insert—
“(7) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R. (N.I.) 2009 No. 225)
201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.
201C In regulation 2(2) (interpretation), at the appropriate place insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”
201D (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
(2) In paragraph (7), at the end insert “or the GDPR”.
(3) For paragraph (8) substitute—
“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
201E (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
(2) In paragraph (6), at the end insert “or the GDPR”.
(3) For paragraph (7) substitute—
“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
201F (1) Regulation 29 (occurrence reports) is amended as follows.
(2) In paragraph (3), at the end insert “or the GDPR”.
(3) For paragraph (4) substitute—
“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
Pharmacy Order 2010 (S.I. 2010/231)
201G The Pharmacy Order 2010 is amended as follows.
201H In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.
201I (1) Article 9 (inspection and enforcement) is amended as follows.
(2) For paragraph (4) substitute—
“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”
(3) After paragraph (4) insert—
“(5) In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
201J In article 33A (European professional card), after paragraph (2) insert—
“(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
201K (1) Article 49 (disclosure of information: general) is amended as follows.
(2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.
(3) For paragraph (3) substitute—
“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”
(4) After paragraph (5) insert—
“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
201L (1) Article 55 (professional performance assessments) is amended as follows.
(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”.
(3) For paragraph (6) substitute—
“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”
(4) After paragraph (8) insert—
“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
201M In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—
“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
201N (1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.
(3) In paragraph 9 (processing data)—
(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and
(b) after sub-paragraph (2) insert—
“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”
201O (1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
National Employment Savings Trust Order 2010 (S.I. 2010/917)
201P The National Employment Savings Trust Order 2010 is amended as follows.
201Q In article 2 (interpretation)—
(a) omit the definition of “data” and “personal data”, and
(b) at the appropriate place insert—
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
201R (1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.
(2) In paragraph (1)—
(a) for “disclosure of data” substitute “disclosure of information”, and
(b) for “requested data” substitute “requested information”.
(3) In paragraph (2)—
(a) for “requested data” substitute “requested information”,
(b) for “those data are” substitute “the information is”, and
(c) for “receive those data” substitute “receive that information”.
(4) In paragraph (3), for “requested data” substitute “requested information”.
(5) In paragraph (4), for “requested data” substitute “requested information”.
Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)
201S (1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(1) (interpretation and general)—
(a) omit the definition of “research purposes”, and
(b) at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.
Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))
201T (1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.
(2) In paragraph (5)—
(a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—
(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or
(b) to which the pupil would have no right of access under the GDPR.”, and
(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—
(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu
(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”
(3) After paragraph (5)—
(a) in the English language text insert—
“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and
(b) in the Welsh language text insert—
“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”
Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)
201U In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.
Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)
201V The Police and Crime Commissioner Elections Order 2012 is amended as follows.
201W (1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.
(2) In paragraph 20 (absent voter lists: supply of copies etc)—
(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (10) insert—
“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b) after that sub-paragraph insert—
“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
201X (1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3) In paragraph 5 (restriction on use of documents or of information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b) after sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)
201Y Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.
201Z (1) Paragraph 29(1) (interpretation of Part 8) is amended as follows.
(2) At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3) For the definition of “relevant conditions” substitute—
““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.
(4) Omit the definition of “research purposes”.
201AA In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
201AB In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AC In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AD In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AE In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—
(a) Article 89 GDPR purposes (as defined in paragraph 29),”.
Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)
201AF (1) Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.
(2) For paragraph (4) substitute—
“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
(3) In paragraph (5), after “enactment” insert “or the GDPR”.
(4) After paragraph (6) insert—
“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”
Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)
201AG (1) Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.
(2) The existing text becomes paragraph (1).
(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(4) After that paragraph insert—
“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to secondary legislation.
Amendment 224, in schedule 18, page 250, line 7, at end insert—
“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)
204A (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)
204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.
204C (1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.
(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After paragraph (2) insert—
“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
204D (1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.
(2) For paragraph (1) substitute—
“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”
(3) After paragraph (3) insert—
“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)
204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.
204F (1) Regulation 2(1) (interpretation) is amended as follows.
(2) Omit the definition of “Directive 95/46/EC”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.
204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.
204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.
204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).
204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.
Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.
204M (1) Schedule 3 (absent voting) is amended as follows.
(2) In paragraph 16 (absent voting lists: supply of copies etc)—
(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (10) insert—
“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3) In paragraph 20 (restriction on use of absent voting lists)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after that sub-paragraph insert—
“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
204N (1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3) In paragraph 5 (restriction on use of documents or of information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)
204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.
Register of People with Significant Control Regulations 2016 (S.I. 2016/339)
204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.
204Q (1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.
(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(3) In sub-paragraph (c)—
(a) omit “or” at the end of paragraph (ii), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice); and”.
(4) After sub-paragraph (c) insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”
204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—
(b) for the purposes of ensuring that it complies with its data protection obligations.”
204S (1) In Part 3 (interpretation), after paragraph 13 insert—
14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—
(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)
204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.
204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.
204V In regulation 3(3) (supervision), omit “under the 1998 Act”.
204W For Schedule 2 substitute—
SCHEDULE 2
Information commissioner’s enforcement powers
Provisions applied for enforcement purposes
1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 24—
(a) section 140 (publication by the Commissioner);
(b) section 141 (notices from the Commissioner);
(c) section 143 (information notices);
(d) section 144 (information notices: restrictions);
(e) section 145 (false statements made in response to an information notice);
(f) section 146 (assessment notices);
(g) section 147 (assessment notices: restrictions);
(h) section 148 (enforcement notices);
(i) section 149 (enforcement notices: supplementary);
(j) section 151 (enforcement notices: restrictions);
(k) section 152 (enforcement notices: cancellation and variation);
(l) section 153 and Schedule 15 (powers of entry and inspection);
(m) section 154 and Schedule 16 (penalty notices);
(n) section 155(4)(a) (penalty notices: restrictions);
(o) section 156 (maximum amount of penalty);
(p) section 158 (amount of penalties: supplementary);
(q) section 159 (guidance about regulatory action);
(r) section 160 (approval of first guidance about regulatory action);
(s) section 161 (rights of appeal);
(t) section 162 (determination of appeals);
(u) section 179(1), (2), (5), (7) and (12) (regulations and consultation);
(v) section 189 (penalties for offences);
(w) section 190 (prosecution);
(x) section 195 (proceedings in the First-tier Tribunal: contempt);
(y) section 196 (Tribunal Procedure Rules).
General modification of references to the Data Protection Act 2018
2 The provisions listed in paragraph 1 have effect as if—
(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;
(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.
Modification of section 143 (information notices)
3 (1) Section 143 has effect as if subsections (9) and (10) were omitted.
(2) In that section, subsection (1) has effect as if—
(a) in paragraph (a)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;
(b) paragraph (b) were omitted.
Modification of section 144 (information notices: restrictions)
4 (1) Section 144 has effect as if subsections (1) and (9) were omitted.
(2) In that section—
(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;
(b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 145 or paragraph 15 of Schedule 15”;
(c) subsection (8) has effect as if for “this Act (other than an offence under section 145)” there were substituted “paragraph 15 of Schedule 15”.
Modification of section 146 (assessment notices)
5 (1) Section 146 has effect as if subsection (10) were omitted.
(2) In that section—
(a) subsection (1) has effect as if—
(i) for “controller or processor” (in both places) there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;
(b) subsection (2) has effect as if paragraphs (g) and (h) were omitted;
(c) subsections (7), (8) and (9) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.
Modification of section 147 (assessment notices: restrictions)
6 (1) Section 147 has effect as if subsections (5) and (6) were omitted.
(2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
Modification of section 148 (enforcement notices)
7 (1) Section 148 has effect as if subsections (2) to (5) and (7) to (9) were omitted.
(2) In that section—
(a) subsection (1) has effect as if—
(i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;
(ii) for “sections 149 and 150” there were substituted “section 149”;
(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.
Modification of section 149 (enforcement notices: supplementary)
8 (1) Section 149 has effect as if subsection (3) were omitted.
(2) In that section, subsection (2) has effect as if the words “in reliance on section 148(2)” and “or distress” were omitted.
Modification of section 151 (enforcement notices: restrictions)
9 Section 151 has effect as if subsections (1), (2) and (4) were omitted.
Withdrawal notices
10 The provisions listed in paragraph 1 have effect as if after section 152 there were inserted—
“Withdrawal notices
152A Withdrawal notices
(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—
(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and
(b) the condition in subsection (2) or (3) is met.
(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.
(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—
(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and
(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.
(4) A withdrawal notice must—
(a) state when the withdrawal takes effect, and
(b) provide information about the rights of appeal under section 161.”
Modification of Schedule 15 (powers of entry and inspection)
11 (1) Schedule 15 has effect as if paragraph 3 were omitted.
(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—
(a) there are reasonable grounds for suspecting that—
(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or
(ii) an offence under section 145 or paragraph 15 of Schedule 15 has been or is being committed,”.
(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—
(a) in sub-paragraph (1) and (2), for “controller or processor” there were substituted “trust service provider”;
(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.
(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—
(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;
(b) in sub-paragraph (2)(c)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “as described in section 148(2)” there were substituted “to comply with the eIDAS requirements”;
(c) in sub-paragraph (3)(a) and (c)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.
(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
Modification of section 154 (penalty notices)
12 (1) Section 154 has effect as if subsections (1)(a), (2)(a), (3)(g), (3A) and (5) to (7) were omitted.
(2) Subsection (2) of that section has effect as if—
(a) the words “Subject to subsection (3A),” were omitted;
(b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.
(3) Subsection (3) of that section has effect as if—
(a) for “controller or processor”, in each place, there were substituted “trust services provider”;
(b) in paragraph (c), the words “or distress” were omitted;
(c) in paragraph (c), for “data subjects” there were substituted “relying parties”;
(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.
Modification of Schedule 16 (penalties)
13 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.
Modification of section 156 (maximum amount of penalty)
14 Section 156 has effect as if subsections (1) to (3) and (6) were omitted.
Modification of section 158 (amount of penalties: supplementary)
15 Section 158 has effect as if—
(a) in subsection (1), the words “Article 83 of the GDPR and” were omitted;
(b) in subsection (2), the words “Article 83 of the GDPR” and “and section 157” were omitted.
Modification of section 159 (guidance about regulatory action)
16 (1) Section 159 has effect as if subsections (4) and (10) were omitted.
(2) In that section, subsection (3)(e) has effect as if for “controllers and processors” there were substituted “trust service providers”.
Modification of section 161 (rights of appeal)
17 (1) Section 161 has effect as if subsection (5) were omitted.
(2) In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—
(ca) a withdrawal notice;”.
Modification of section 162 (determination of appeals)
18 Section 162 has effect as if subsection (7) were omitted.
Modification of section 179 (regulations and consultation)
19 Section 179 has effect as if subsections (3), (4), (6), (8) to (11) and (13) were omitted.
Modification of section 189 (penalties for offences)
20 (1) Section 189 has effect as if subsections (3) to (5) were omitted.
(2) In that section—
(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;
(b) subsection (2) has effect as if for “section 132, 145, 170, 171 or 181” there were substituted “section 145”.
Modification of section 190 (prosecution)
21 Section 190 has effect as if subsections (3) to (6) were omitted.
Modification of section 195 (proceedings in the First-tier Tribunal: contempt)
22 Section 195 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 161”.
Modification of section 196 (Tribunal Procedure Rules)
23 Section 196 has effect as if—
(a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 161”;
(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.
Approval of first guidance about regulatory action
24 (1) This paragraph applies if the first guidance produced under section 159(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).
(2) Section 160 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).
(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.
(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.
Interpretation
25 In this Schedule—
“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;
“the EITSET Regulations” means these Regulations;
“withdrawal notice” has the meaning given in section 146A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”
Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)
204X The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.
204Y In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018.”
204Z In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018.”
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)
204AA The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
204AB In regulation 3(1) (interpretation), at the appropriate places insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.
204AC In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a) the Data Protection Act 2018 or any other enactment, or
(b) the GDPR.”
204AD In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a) the Data Protection Act 2018 or any other enactment, or
(b) the GDPR.”
204AE For regulation 40(9)(c) (record keeping) substitute—
(c) “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
(b) “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
204AF (1) Regulation 41 (data protection) is amended as follows.
(2) Omit paragraph (2).
(3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”.
(4) Omit paragraphs (4) and (5).
(5) After those paragraphs insert—
“(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—
(a) for the purposes of preventing money laundering or terrorist financing, or
(b) as permitted under paragraph (3).
(7) In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.
(8) In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 9, 10 and 10A of that Schedule).
(9) In this regulation—
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”
204AG (1) Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.
(2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) For paragraph (11) substitute—
“(11) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
204AH (1) Regulation 85 (publication: the Commissioners) is amended as follows.
(2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) For paragraph (10) substitute—
“(10) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
204AI For regulation 106(a) (general restrictions) substitute—
“(a) a disclosure in contravention of the data protection legislation; or”.
204AJ After paragraph 27 of Schedule 3 (relevant offences) insert—
27A An offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”
Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)
204AK (1) Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) For paragraph (b) of that sub-paragraph substitute—
(b) for the purposes of ensuring that it complies with its data protection obligations.”
(4) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a relevant institution, means—
(a) where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).
National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)
204AL The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.
204AM (1) Regulation 1 (citation and commencement) is amended as follows.
(2) In paragraph (2), omit “Subject to paragraph (3),”.
(3) Omit paragraph (3).
204AN In regulation 3(1) (interpretation)—
(a) omit the definition of “the 1998 Act”,
(b) at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c) omit the definition of “GDPR”.
204AO (1) Schedule 6 (other contractual terms) is amended as follows.
(2) In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—
(a) the data protection legislation, or
(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”
(3) For paragraph 64 (meaning of data controller etc.) substitute—
“Meaning of controller etc.
64A For the purposes of this Part—
“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
“data protection officer” means a person designated as a data protection officer under the data protection legislation;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
(4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.
(5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i) the data protection legislation, and
(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(6) In paragraph 94(4) (variation of a contract: general)—
(a) omit paragraph (b), and
(b) after paragraph (d) (but before the final “and”) insert—
“(da) the data protection legislation;
(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)
204AP The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.
204AQ (1) Regulation 1 (citation and commencement) is amended as follows.
(2) In paragraph (2), omit “Subject to paragraph (3),”.
(3) Omit paragraph (3).
204AR In regulation 3(1) (interpretation)—
(a) omit the definition of “the 1998 Act”, and
(b) at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c) omit the definition of “GDPR”.
204AS (1) Schedule 1 (content of agreements) is amended as follows.
(2) In paragraph 34 (interpretation)—
(a) in sub-paragraph (1)—
(i) omit “Subject to sub-paragraph (3),”,
(ii) before paragraph (a) insert—
(iii) for paragraph (d) substitute—
(b) omit sub-paragraphs (2) and (3),
(c) in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—
(a) the data protection legislation, or
(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and
(d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.
(3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i) the data protection legislation, and
(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(4) In paragraph 61(3) (variation of agreement: general)—
(a) omit paragraph (b), and
(b) after paragraph (d) (but before the final “and”) insert—
“(da) the data protection legislation;
(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
Part 3
Modifications
Introduction
204AT (1) Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.
(2) That legislation is—
(a) subordinate legislation made before the day on which this Part of this Schedule comes into force;
(b) primary legislation that is passed or made before the end of the Session in which this Act is passed.
(3) In this Part of this Schedule—
“primary legislation” has the meaning given in section 204(7);
“references” includes any references, however expressed.
General modifications
204AU (1) References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.
(2) Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.
(3) References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.
Specific modification of references to terms used in the Data Protection Act 1998
204AV (1) References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).
(2) References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).
(3) References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).
(4) References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).
(5) References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—
(a) Article 5(1) of the GDPR and the applied GDPR, and
(b) sections 34(1) and 85(1) of this Act.
(6) References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 123 of this Act.
(7) References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 197 of this Act.
(8) References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 198 of this Act.
Part 2
Supplementary
Definitions
204AW Section 3(14) does not apply to this Schedule.”
This amendment makes consequential amendments to secondary legislation including to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (the EITSET Regulations) and to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It also inserts two new Parts into Schedule 18. New Part 3 contains consequential modifications of provisions in certain legislation not amended by Parts 1 and 2 of Schedule 18. New Part 4 contains supplementary provision.—(Margot James.)
Schedule 18, as amended, ordered to stand part of the Bill.
Clause 205
Commencement
Amendments made: 72, in clause 205, page 120, line 37, leave out paragraph (b)
This amendment is consequential on the omission of Clauses 168 and 169 (see Amendments 60 and 61).
Amendment 225, in clause 205, page 121, line 4, at end insert—
‘( ) Regulations under this section may make different provision for different areas.”
This amendment enables regulations under clause 205 bringing provisions of the bill into force to make different provision for different areas.—(Margot James.)
Clause 205, as amended, ordered to stand part of the Bill.
Clause 206 ordered to stand part of the Bill.
Clause 207
Extent
Amendments made: 73, in clause 207, page 121, line 12, after “(2)” insert “, (2A)”
See the explanatory statement for Amendment 74.
Amendment 226, in clause 207, page 121, line 12, leave out “and (3)” and insert “, (3) and (3A)”
See the explanatory statement for amendment 227.
Amendment 74, in clause 207, page 121, line 14, at end insert—
‘(2A) Sections (Representation of data subjects with their authority: collective proceedings) and (Duty to review provision for representation of data subjects) extend to England and Wales and Northern Ireland only.”
This amendment and Amendment 73 provide that NC1 and NC2 extend only to England and Wales and Northern Ireland.
Amendment 227, in clause 207, page 121, line 15, after “extent” insert “in the United Kingdom”
This amendment and amendments 226, 228 and 229 clarify that amendments of enactments made by the bill have the same extent in the United Kingdom as the enactment amended and that certain amendments also extend to the Isle of Man.
Amendment 228, in clause 207, page 121, line 16, leave out “(ignoring extent by virtue of an Order in Council)”
See the explanatory statement for amendment 227.
Amendment 229, in clause 207, page 121, line 17, at end insert—
‘(3A) This subsection and the following provisions also extend to the Isle of Man—
(a) paragraphs 200N and 205 of Schedule 18;
(b) sections 204(1), 205(1) and 206, so far as relating to those paragraphs.”
See the explanatory statement for amendment 227. Paragraph 200N in amendment 222 amends the Competition Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008.—(Margot James.)
Clause 207, as amended, ordered to stand part of the Bill.
Clause 208
Short title
Amendment made: 75, in clause 208, page 121, line 24, leave out subsection (2)
This amendment removes the privilege amendment inserted by the Lords.—(Margot James.)
Clause 208, as amended, ordered to stand part of the Bill.
New Clause 1
Representation of data subjects with their authority: collective proceedings
‘(1) The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.
(2) In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 183.
(3) The power under subsection (1) includes power—
(a) to make provision about the proceedings;
(b) to confer functions on a person, including functions involving the exercise of a discretion;
(c) to make different provision in relation to England and Wales and in relation to Northern Ireland.
(4) The provision mentioned in subsection (3)(a) includes provision about—
(a) the effect of judgments and orders;
(b) agreements to settle claims;
(c) the assessment of the amount of compensation;
(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e) costs.
(5) Regulations under this section are subject to the negative resolution procedure.”
This new clause confers power on the Secretary of State to make regulations enabling representative bodies (defined in Clause 183) to bring collective proceedings in England and Wales or Northern Ireland combining two or more claims in respect of data subjects’ rights.—(Margot James.)
Brought up, read the First and Second time, and added to the Bill.
New Clause 2
Duty to review provision for representation of data subjects
‘(1) Before the end of the review period, the Secretary of State must—
(a) review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,
(b) prepare a report of the review, and
(c) lay a copy of the report before Parliament.
(2) Those matters are—
(a) the operation of Article 80(1) of the GDPR,
(b) the operation of section 183,
(c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject), and
(d) the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation).
(3) “The review period” is the period of 30 months beginning when section 183 comes into force.
(4) After the report under subsection (1) is laid before Parliament, the Secretary of State may by regulations—
(a) exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland, and
(b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject.
(5) The powers under subsection (4) include power—
(a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;
(b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights,
(c) to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;
(d) to confer functions on a person, including functions involving the exercise of a discretion;
(e) to amend sections 164 to 166, 177, 183, 196, 198 and 199;
(f) to insert new sections and Schedules into Part 6 or 7;
(g) to make different provision in relation to England and Wales and in relation to Northern Ireland.
(6) The provision mentioned in subsection (5)(b) and (c) includes provision about—
(a) the effect of judgments and orders;
(b) agreements to settle claims;
(c) the assessment of the amount of compensation;
(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e) costs.
(7) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause imposes a duty on the Secretary of State to review the operation of provisions enabling a representative body to exercise data subjects’ rights with their authority in England and Wales and Northern Ireland and to consider exercising powers under the GDPR to enable a representative body to exercise such rights there without being authorised to do so by the data subjects.—(Margot James.)
Brought up, read the First and Second time, and added to the Bill.
New Clause 5
Bill of Data Rights in the Digital Environment
Schedule [Bill of Data Rights in the Digital Environment] shall have effect.
This new clause would introduce a Bill of Data Rights in the Digital Environment.—(Liam Byrne.)
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
New clause 6—
“Bill of Data Rights in the Digital Environment (No. 2)
‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.
(2) Before making regulations under this section, the Secretary of State shall—
(a) consult—
(i) the Commissioner,
(ii) trade associations,
(iii) data subjects, and
(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and
(b) publish a draft of the Bill of Rights.
(3) The Bill of Data Rights in the Digital Environment shall enshrine—
(a) a right for a data subject to have privacy from commercial or personal intrusion,
(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),
(c) a right for a data subject to have their access to their data profiles or personal data protected, and
(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.
(4) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.
New Schedule 1 Bill of Data Rights in the Digital Environment—
1 The UK recognises the following Data Rights:
Article 1 — Equality of Treatment
1 Every data subject has the right to fair and equal treatment in the processing of his or her personal data.
Article 2 — Security
1 Every data subject has the right to security and protection of their personal data and information systems.
Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.
Article 3 — Free Expression
1 Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.
Article 4 — Equality of Access
1 Every data subject has the right to access and participate in the digital environment on equal terms.
Internet access should be open.
Article 5 — Privacy
1 Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.
Article 6 — Ownership and Control
1 Every data subject is entitled to know the purpose for which personal data is being processed to exercise his or her right to ownership. Government, corporations and data controllers must obtain meaningful consent for use of people’s personal data.
Every data subject has the right to own and control his or her personal data.
Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.
Article 7 — Algorithms
1 Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.
Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.
Article 8 — Participation
1 Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.
Article 9 — Protection
1 Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.
Article 10 — Removal
1 Every data subject is entitled to revise and remove their personal data.
Compensation
Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.
Application to Children
1 The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child.
1 Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code.”
We now come to the good stuff. Members of the Committee can look forward to an enormous amount of ground to cover in the debates ahead. We will try to speed through it as quickly as we can, but there is an awful lot of ground to cover. New clauses 5 and 6 and new schedule 1, tabled in my name and that of my hon. Friends, are an attempt to provoke the Government into being more ambitious in their strategy for the digital world. Every so often, as a great nation, we make important declarations of rights.
Rights are important because they ensure that progress is democratised, but they also provide important new protections against new imbalances of power that arise. We really began to turn our minds to this about 803 years ago when we came up with Magna Carta. We then made a much more sweeping and important statement that received Royal Assent on 16 December 1689. We had a couple of centuries off and in more recent years we went rights crazy and started signing universal declarations in the years after the second world war with much greater speed. We had the universal declaration of human rights, in which British civil servants took a leading role; the UN convention on the rights of the child; the charter of fundamental rights, which we helped shape; and the incorporation of those regimes of rights, which we wrote for our neighbours, into British law through the Human Rights Act 1998 and the Equality Act 2010.
Over the years, the regime of rights that we have pioneered in this country has been absolutely fundamental to the progress that we have made as a nation. If we go back to the debates here in the 1630s and 1640s, we see that the rights of new entrepreneurs to defend the wealth that they had created through trading, particularly in the Atlantic colonies—examples include the Virginia Company and, later, the East India Company—and the rights that we sought to enshrine and protect against arbitrary taxation, were absolutely fundamental in laying the foundation for the industrial revolution that really began to take off in the years after the Bill of Rights was enshrined by William III in 1689.
The argument that I want to make this morning is that the sweeping changes of the digital age mean that it would be wise of us to consider a similarly ambitious set of rights for the digital age. Anyone who has an interest in economic history will know that, ultimately, we can never contract for anything. Ultimately, a handshake will always be as important as a contract, and a handshake relies on an environment of trust. When countries do not have environments of trust, they lack economic institutions that allow their economies to flourish.
The challenge in this country today is that we are not making quite as much progress with the digital economy as perhaps we could be. Indeed, in most international indexes, where we should be at the top, we are normally batting at about fifth and sixth. That is not terrible, but most of us would like it to be better. We are the home of the scientific revolution and the industrial revolution. We should be at the top of the table, not fifth and sixth.
That provokes us to ask what is the state of online trust and digital trust in this country. The figures that I have dug out are for the time before the scandals that we have learned about over the last couple of weeks, which will not have put trust levels up. Online fraud is now growing very quickly. In fact, Action Fraud says that 70% of all fraud is now cyber-enabled. That is not simply a commercial problem; it is also a public sector problem. Public services such as the NHS hold vast quantities of public data. The NHS has been hit very badly by malware in a way that has provoked real questions about the UK’s digital resilience. The National Audit Office said that the NHS and the then Department of Health must “get their act together” or suffer far worse than the chaos of 2017. Edelman recently produced a survey that said that one quarter of the UK population trusts social media and 61% trust traditional media, so there are huge imbalances in what people trust today.
I have been interested in this question for a while, and I have been interested in seeing what we can learn from some of the world’s digital leaders. On a recent visit to Estonia, which is by some agreement the world’s leading digital society, the thing that really struck me was the fact that digital trust is supremely high. The Government of Estonia took the big decision, when they left that north-west corner of the USSR, that they would have to take a big gamble on the future. As we leave the north-west corner of Europe, we need to be taking a similar big bet on the future. We need to be betting on digital in the way we bet on steam a couple of centuries ago.
Two things are absolutely key to the digital environment in Estonia. One is a platform called X-Road, which allows Government data from distributed databases to come together to answer particular kinds of problems, but absolutely fundamental is the public option of an e-ID scheme. That involves two-factor authentication and it comes with important features such as the ability for people to look online at who has been using their data, who has been accessing it, and what they have been using it for. In fact, doctors and police officers have gone to jail because they have misused their ability to access online records—medical records, for instance.
Anyone in this country who has tried to file their taxes online, as I did early in January, will know that the Government gateway here is nowhere near that level. Once I had been issued with my fifth online ID, I frankly gave up and rang the MPs’ hotline, and the person there said, “Yeah, we’ve had lots of problems like this. You can just file your tax return on paper like everybody else.” We are sadly lacking the kind of digital infrastructure that many other countries enjoy.
The point about the public option for electronic ID is that there is a country that has decided that the right to a secure ID is a fundamental right, and on that fundamental right has flourished a digital economy that has helped to create the world’s leading digital society. There are now 3,000 Government e-services and 5,000 private sector e-services that sit on top of that platform. When I met the former Prime Minister of Estonia, he said that the key to winning the argument was that financial institutions such as banks were so confident in the public infrastructure that had been created that they were prepared to go out to the public in Estonia and say, “The public option for an electronic ID is the right option.”
I am enjoying the right hon. Gentleman’s history lesson about Estonia.
I had that sense. The key thing about Estonia, aside from the fact that it is a far, far smaller country, is that the register for the digital ID that the right hon. Gentleman is talking about is held centrally by the Government. There is a fundamental difference between this country and Estonia. If he were seriously to propose to citizens in the UK that the Government should hold that central register, I think they would give him pretty short shrift. In his long lecture, will he either make the case for a Government-held central register or acknowledge that it would still be a pretty tough thing to get past the British public?
I am very happy to. I am lucky enough to be able to draw on my extensive experience as the Minister for ID cards in the Labour Government. I will take the hon. Gentleman, in detail, through the architecture I proposed. Well, he asked for it.
The challenge we confronted in about 2006 is that we originally proposed one big database for all the data, including biometric data. That was an error. The architecture I proposed in its stead was a way of connecting three different databases—one that would have basically held Driver and Vehicle Licensing Agency data, a second that would have held the passport services data, and then a couple of identifiers that would have allowed those two records to be indexed and joined together. That brought the cost of the ID card system down by about two thirds.
Although the hon. Member for Boston and Skegness says that the British public would not like Government databases to hold all that information, that happens to be the country they live in. The Passport Office and DVLA hold comprehensive data on most people, and people find that extremely useful.
I was very careful about what I said. What I said was not that we should have compulsory e-ID, but that we should have a public option so people can choose to use it. That is obviously a different regime from Estonia’s, where ID cards have been compulsory since the country was invented about a century ago.
Giving people a public option would be quite attractive. There are, however, important safeguards that we need to learn from. It would be a mistake to have biometric information connected to that kind of service. We do not need biometric information connected to that kind of service. The ID card system in India has gone down that route, and it has suffered pretty significant leaks of biometric data over the past year and a half. If people get their hands on that data, that will be far more dangerous. The Estonian system, in which people have an electronic ID and a password that sits in their head—a two-factor authentication—has proven much more successful.
My broader point is that we should have a debate about the data rights that we, as citizens of this country, should have. Partly, that is about having rights to things that would make our lives better and would allow us to pursue new freedoms, such as the freedom not to have a million and one passwords, which we lose track of. It is also about having certain protections. We have had a useful debate, and will have an even longer one shortly, about the right to be treated fairly by algorithms. That is obviously incredibly important. The Government have given a nod in that direction, so the Minister will probably say a little about their digital charter.
On the different sides of the House, there are different philosophies on rights. The Conservative party traditionally defends rights to do with negative freedoms, and my side often talks the language of positive freedoms—the power to do things, which we think is necessary for social justice. However, I hope that in the months ahead we can have a sensible conversation about what negative and positive freedoms we can crystallise and enshrine in a bill of digital rights. At some point in this century, we shall write that. It is inevitable, because the world will change in a way that requires it, and the citizens of this country will begin to demand it. What we are starting to debate today is what will come to pass at some point. I hope to be the Minister who drives it through in the next Labour Government, which is imminent.
I hope, too, that we can debate that idea and help to perfect it. Where regimes of rights have been most effective, they have stood the test of time. For something to stand the test of time, it always helps if there is a little—not too much—cross-party consensus.
The new schedule has a couple of ideas at its core, and we are lucky in having been able to draw on not only the rights literature, but the incredible work of Baroness Kidron. As well as being a talented member of the creative industries, she has been one of the leading champions of the creation of strong digital rights for our children. As we have rehearsed in Committee previously, the issue is fundamental, not marginal. About a third of online users are children. The Government will have, in a way, to step in that direction. They will have to step towards new clauses 5 and 6, and new schedule 1, because they have committed to issuing an age-appropriate design code that will operationalise clause 124. I want to encourage the Government to think creatively about the way they will write the code of practice on age-appropriate design codes, with at least one eye on the broader bill of data and digital rights, which we want to propose.
The 5Rights movement has a couple of important ideas. One is the right to remove: children should be able to remove content that they have uploaded. There are probably members of the Committee who have posted all kinds of unfortunate content in their lives, which they might not want to have there in the future. That is certainly true of many children I know. The right to remove is, I think, widely accepted, and is reflected as one of the ambitions of the Bill.
The second right is the right to know. Children should be able to learn easily the who, what and why—and know for what purposes their data is being exchanged. That is important. The Minister herself has talked about the need to educate online users—to educate us all, so that we become better critical consumers of the content that we find online. That is doubly important for children.
The third right is the right to safety and support. Much of what upsets young people online is not illegal. It is legal. Support is often quite sparse and fragmented. It is often pretty invisible to children and young people when they need it most.
It will be challenging for the Government to turn the right to informed and conscious use into part of the code of practice, but that is incredibly important. It is simply unfortunate that social media firms spend quite so much money, effort and engineering talent on creating features that create a kind of addiction because of the rush of endorphins that they trigger in young people’s minds.
Those technologies, techniques and tricks of the trade are based on exactly the same principles as casino slot machines, and it is quite telling that a number of social media leaders have, over the last six months, gone on the record to say that they will not let their children use the apps that millions of children around the world use. The right to informed and conscious use will be difficult for the Government to interpret, but it is none the less important.
The right to digital literacy is perhaps the most important of all. It is something that our schools already do a terrific job of putting into practice, but what struck me in Estonia is the way that people see the right to internet access as basically a social right. That is surely something that we should debate and put in practice, too.
We have had quite a collection of evidence over the last year from people such as the Children’s Commissioner, who have ridden in behind and supported Baroness Kidron’s 5Rights movement. The Children’s Commissioner recently said:
“The social media giants have simply not done enough to make children aware of what they are signing up to when they install an app or open an account.”
The idea that children can look at these pages and pages of terms and conditions and just click and agree to them is obviously nonsensical. Indeed, the Children’s Commissioner, when reflecting on that, said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online.”
The Government have obviously sought to exercise their derogation under the GDPR and set the age of consent at 13, rather than 16, so the code of practice that the Minister has agreed to is really important.
We would like this bill of data rights to go alongside more effective mechanisms to ensure that those rights are enforceable. That is why we tabled our amendments to clause 80(2). We think it is impossible in today’s economic environment for ordinary citizens to take effective action against the biggest firms on earth. These five firms have a market capitalisation, although it is slightly less than it was, of about $2.5 trillion, so the idea that a humble citizen can take on some of these giants is nonsensical. We would therefore like this bill of data rights to sit alongside a much more effective, open and democratic form of class action.
I am really interested in the Minister’s observations on the rights we have set out. Article 1 of our proposed new schedule covers equality of treatment, which is enshrined in the GDPR. The GDPR is long—we have made incredible progress through it, article by article—and it is a miracle that we have arrived at page 123 of the Bill by Thursday afternoon, but that is a real testament to the skilful chairing of Mr Hanson and you, Mr Streeter. The principle of equality of treatment is written throughout every clause of the Bill. The point is that it is written through 200 clauses, so we think a basic statement of equality of treatment is a good place to start.
Article 2 covers the right to security, which is the subject of the Bill. Again, let us set that out in terms. Article 3 covers the right to free expression, which is something we have signed up to in articles of the European convention on human rights. It is something that we should set within the context of a bill of data rights. Article 4 covers the right of equality of access. Giving equal access to the digital environment is extremely important. The digital environment creates a network, and network effects mean that the more people joined to it, the greater the value of the network. It is important to specify, set out and declare that we see equality of access to the digital environment as important.
Article 5 sets out the right to privacy, which, again, is scattered throughout the Bill, although we would like to consolidate and crystallise it and bring it together. Article 6 covers ownership and control, which will only grow in importance. This is not the place to get into the vexed debate about who owns the copyright to the data that someone might have and the new data that might be created by joining that data with someone else’s. However, the question of who owns the copyright, and therefore who owns the value of data that is personal in origin, is only going to grow. That debate is almost the 21st century equivalent to that on the enclosure of the commons, frankly. Who owns the copyright of data will become more important as the value of data grows exponentially.
Article 7 talks about the right to fairness when it comes to automated decision making, which we will come to in the debate on algorithmic fairness. Algorithms are making more and more decisions in our lives. People have a right not to be treated unfairly as a result of those decisions. In the phrase used by my hon. Friend the Member for Cambridge, we cannot have a world in which yesterday’s injustice is hard-coded into tomorrow’s injustice. We think that ensuring a right to algorithmic fairness in our bill of data rights is important. The rights to participation, protection and removal are important too.
We have a long tradition of rights in this country; we are the world’s pioneers of them. It is because we have been that pioneer down the centuries that we are today the world’s fifth-biggest economy, but we are not the world’s leading digital society. It is an ambition of the Opposition that we should be, and we think that a bill of digital rights would help us to get there.
I agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.
Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.
All that becomes anchored in the question of ownership. There is still this legal space that says that data subjects do not own their own data. We need a much broader debate on that. [Interruption.] Members are shaking their heads. I am happy to take interventions, if Members would like.
Will my hon. Friend reflect on the idea that if someone is genuinely a popular capitalist and believes in the distribution of wealth as the basis of economic growth, then recognising and crystallising the value of personal data is actually pro-growth?
I agree entirely. I confess I never got all the way through my version of Piketty, but the idea of value through assets, as opposed to through the stagnating wages in our economy today, plays into this conversation around data. People from poorer backgrounds may not inherit houses or land, but they create their own data every day. It is an asset that should belong to them. They should be able to share in its value when companies around the world are making enormous profits off the back of it. In this digital age, there is a huge call for equality of opportunity and equality of access. We need to try to get those right in these fundamental understandings of the digital market and the rights that exist around it.
Lastly, I encourage and strengthen my right hon. Friend’s arguments on the application of these principles to children. The Committee has already debated how parental consent is not needed after the age of 13. One of my early jobs as legal counsel at BT was the dubious task of consolidating terms and conditions. Hon. Members who are no doubt happy customers of BT, with perhaps broadband, TV and sport, would originally have had to read five or six different documents that were very long and complicated. I had to consolidate those. That was not good enough, so I commissioned a YouTube star to do a video, which can be seen on the terms and conditions page, to try to explain some of these things. Even for adults, this was a really hard and laborious task.
I am not saying that it is for Government to tell businesses how to communicate to children. Second Reading and some of the Committee’s debates show—dare I say it—that we are probably not best placed to have those conversations. However, it is really important that there is an expectation on businesses that they take steps to ensure that children are properly engaged and really understand what they are signing up to, especially as the Government have opted to go to the minimum age range for consent, going to 13.
I just wanted to re-emphasise the debate on ownership and on children. I support my right hon. Friend’s new schedule and new clauses, and I hope the Government will support them.
My response will encompass our digital charter, as the right hon. Member for Birmingham, Hodge Hill mentioned, and I will also answer some of the points he made in his interesting exposition of his rights-based approach. I agree with him: the internet is a powerful force for good, serving humanity and spreading ideas, freedom and opportunity across the world. Yet, as he rightly states, there are considerable trust issues, which can have only worsened in recent days.
I would like to emphasise the point made by my hon. Friend the Member for Gordon that the UK has a strong digital economy accounting for over 12.5% of GDP, which makes us the leading digital economy in the G20.
The right hon. Gentleman was critical of Government sites and services, but we have developed a system that is being taken up by several other countries, including New Zealand, which are adopting our approach to providing Government services online. I am sorry that his experience on the tax side was not great, and there are always exceptions, but on the whole we are leaders in the provision of Government services online.
Citizens rightly want to know that they will be safe and secure online. Tackling these challenges in an effective and responsible way is absolutely critical. The digital charter is our response. It is a rolling programme of work to agree norms and rules for the online world and to put them into practice. In some cases, that will be through shifting expectations of behaviour and resetting a settlement with internet companies. In some cases, we will need to agree completely new standards; in others, we will want to update our laws and regulations. Our starting point is that we expect the same rights and behaviour online as we do offline, with the same ease of enforcement.
The charter’s core purpose is to make the internet work for everyone—for citizens, businesses and society as a whole—and it is based on liberal values. Every country is grappling with these challenges. The right hon. Gentleman suggested last week that the Government are not averse to making declaratory statements of rights and interpreting them into law, but his key example related to human rights. The Human Rights Act provides a detailed and well-considered legislative framework for those rights and ensures that they are meaningful.
When the right hon. Member for Surrey Heath (Michael Gove), who is now the Secretary of State for Environment, Food and Rural Affairs, was Secretary of State at the Ministry of Justice, he launched a consultation about an English Bill of Rights, which was about not simply human rights but a much broader set of rights. I do not think there is a big difference in our approaches to rights. Actually, I think there is a shared approach, as has been recognised down the years.
Yes, much of our approach is shared. The Government decided not to proceed with that Bill of Rights, but the right hon. Gentleman rightly points out that both our parties have a keen interest in this area. However, to set out his proposed bill of data rights in primary legislation would cut across the GDPR. It would impose its own rights of rectification and erasure, its own notion of control and its own obligations on controllers to keep data secure, but, of course, the GDPR already does that, and comparable rights are provided for in the Bill. I am concerned about how the Commission would react to such an attempt to redefine data protection standards. That is one of our main concerns with his new clauses and new schedule, no matter how much we might agree with the sentiments behind them. Given that, and the fact that we are proceeding with our digital charter, I feel that the Bill, in essence, covers this issue, and I need say no more about it.
Our proposed bill of data rights seeks not to redefine but to enshrine, so the rights reflected in the GDPR are no more than enshrined in it. The point is that it would go over and above the rights and obligations set out in this Bill. The right of equal access to the internet, the crystallisation of the right to expression and the advancement of the debate about the right to data ownership are important provisions whose time will come. At some point, due to the way the world is changing, our citizens and constituents will begin to demand both a democratisation of the privileges of this new age and of progress, and the right to effective defences and new protections.
I am glad that the Minister agrees with the sentiment behind the new clause, and I recognise that she perhaps does not see this Bill as the place to consolidate our brilliant ideas into the law of the land. I listened with interest to what she said about a rolling programme of ideas in the digital charter. There is a challenge with that approach: it will end up following the cones hotline model of public service reform. It will not live or sing; it will be bedevilled by voluntary codes, bureaucracy and operational procedures, and it will end up not really making a difference to the world. Our bill of data rights is clear.
If rights are to be a reality, they need not to be a mystery but to be understood. They need to be something that people can talk about in a pub. They need to be something not that is set out in 250 pages of primary legislation but that can be set out on the back of a fag packet. In our bill of data rights, we set out a clear agenda that would make a difference and be easily understood and enforced. It would be an improvement and would take forward the rights and liberties of the citizens of this country.
No. I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Nigel Adams.)
(6 years, 9 months ago)
Commons Chamber
We are entirely aligned on what we want to achieve, which is a Data Protection Bill entirely consistent with the GDPR, and that is what is before the House at the moment. Some amendments that have been tabled would make it more difficult for adequacy to be achieved, not least by introducing absolutist language on rights, as opposed to the nuanced language in the Bill at the moment. I urge the whole House to support the Government in our aim of achieving adequacy with the EU.
We will not get an adequacy agreement with the EU if we cannot keep data safe in this country. The Cambridge Analytica scandal shows how grave that threat has become. To get to the bottom of that threat, it is vital that we understand the network of companies associated with that malign octopus. Will the Secretary of State commit now to auditing and making public all Government contractors with links to Cambridge Analytica, some of whom, I understand, the Foreign Office is assembling for a secretive weekend somewhere in the countryside on Saturday?
An investigation, led by the Information Commissioner, was already under way before the recent scandal became public at the weekend. The Government have made it clear that there were contracts in the past with this group of companies, struck in 2008, for instance, and 2009 and 2014, but there are no ongoing arrangements—contractual arrangements—between the Government and Cambridge Analytica, or the Cambridge Analytica group.
There are many individuals and intellectual property agreements between Cambridge Analytica and other firms, and I hope that the Secretary of State will reflect on his answer and come forward with a more comprehensive approach. This episode has revealed that the Information Commissioner simply does not have the power to conduct investigations properly. It is ludicrous that it has taken her so long to get a search warrant for Cambridge Analytica offices, and it is ludicrous that people frustrating her investigations do not face jail for that frustration. Will the Secretary of State now commit to bringing forward extra powers for the Information Commissioner in the Data Protection Bill? If he does not, we will.
It is all very well the right hon. Gentleman’s adopting an abrasive tone, but the truth is that the Data Protection Bill currently before Parliament is all about strengthening enforcement and strengthening people’s right to consent. I did not intend to get partisan, but the powers that we were left by the Labour party are the powers that are being used at the moment, and I want those powers strengthened.
If, in the light of the evidence from this investigation, we need to further strengthen those powers, I am willing to consider that, but I am not willing to take a lecture from somebody who left the data protection powers in need of the update that we are driving through.