(5 years, 7 months ago)
Westminster Hall
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the official record.
That is an excellent suggestion. I am happy to put that to my hon. Friend the Minister for Sport, and if the hon. Lady and the hon. Member for Warrington North, who chairs the Petitions Committee, would like to attend that meeting, we will set that up. Yes, we will definitely invite all football authorities to that meeting.
The hon. Member for Warrington North also talked about the effect on moderators. Thousands of people are now employed by tech companies to moderate content and make decisions on whether it crosses the threshold and should be taken down. We are looking more and more to systems of artificial intelligence to do as much of that job as possible, precisely for the reasons she set out. It is a horrendous job to do, and I imagine that over time it ends up affecting the moderators’ mental health. On a positive note, 75% of the 4 million videos that YouTube has taken down in, I think, the past six months were identified and removed via artificial intelligence. That does offer us some hope for the future.
The Minister is being generous. The only danger with introducing such statistics, which all the social media companies are desperate to put into our hands, is that it creates the impression that somehow they are doing enough when they are not. We will never get to a solution to this problem by relying on voluntary action. That is why the law needs to change, and enforcement needs to change.
I certainly agree with the right hon. Gentleman. I am sorry if I gave that impression; I wanted to offer up some hope that over time more and more solutions for removal will be technological so that moderators, who have a terrible job to do, do not have to spend their working lives wading through this horrendous content. To clarify, that is absolutely not at all to say that companies are doing enough. They are doing more, but it is by no means enough as yet.
I see that we have had a change of Chair. It is a pleasure to serve under your chairmanship as well, Mr Austin.
Coming back to the point made by my right hon. Friend the Member for Arundel and South Downs, we intend that the new system of regulation will take some of the burden off the police and place it on to the tech companies. Those companies should be accountable for taking care of their users by eliminating such content, hopefully before it comes online but certainly very swiftly after it is reported.
The law in Germany, which the shadow Minister referred to, requires content to be taken down within 24 hours of companies knowing about it; if it is later than that, swingeing fines can be applied. We want to create an environment in which companies deal with matters themselves and use less and less of our valuable policing time for the privilege.
As I mentioned earlier, we have committed to developing a media literacy strategy—one of the proposals made by Glitch—to ensure that we have a co-ordinated and strategic approach to online media literacy education. We have published a statutory code of practice for social media providers about dealing with harmful contact, and we have consulted on the draft code with a variety of stakeholders, including people with disabilities. The code includes guidance on the importance of social media platforms having clear, accessible reporting processes and accessible information on their terms and conditions, highlighting the importance of consulting users when designing new software, new apps and new safety policies.
There has been some discussion about whether the law itself is adequate, particularly with regard to hate crime. I will say a few words about the Law Commission’s review. In February last year the Prime Minister announced that the Law Commission would undertake a review of current legislation on offensive communications to ensure that laws are up to date with technology. The Law Commission completed the first part of its review and published a report at the end of last year. It engaged with a range of stakeholders, including victims of online abuse, the charities that support them, legal experts and the Government. The report concluded that abusive communications are theoretically criminalised to the same or even greater degree than equivalent offline behaviours—I did not necessarily accept that verdict myself—but practical and cultural barriers mean that not all harmful online conduct is pursued through criminal law enforcement to the same extent that it is in an offline context. I think the consensus in this room is that that is definitely the case.
The Government are now finalising the details of the second phase of the Law Commission’s work. The Law Commission has been asked to complete a wide-ranging review of hate crime legislation in order to explore how to make hate crime legislation more effective, including whether it is effective in addressing crimes targeting someone because of their disability. I urge Members present and organisations that might be taking an interest in this debate to give their input to the review.
Before the Minister finishes, I am grateful for the opportunity to ask her whether she thinks that the Law Commission’s work is going to finish in time to allow her to bring a Bill before the House in the next Session.
I am afraid that I cannot give the right hon. Gentleman that assurance. We are not sure when the next Session will commence, but I fear that the timing of the second phase of that work means that it will not be carried out in time to form the basis of much-needed changes to the law, which I hope the Law Commission will propose. We might have to wait until the following Session. Having said that, the Law Commission might have an opportunity to provide some interim results from its inquiries, and there is nothing to stop an hon. Member introducing a private Member’s Bill, should the opportunity arise, to look closely at the subject and bring something forward for debate.
This review of hate crime is very necessary. One of today’s contributions mentioned the fact that hate crime is aggravated by certain characteristics, including disability, but that might not go far enough. These matters and a review of hate crime are part of the remit of the second phase of the Law Commission’s work. I will also be suggesting to the Law Commission that it looks at the issue of online gender-based hate crime. As the hon. Member for West Ham mentioned, a significant amount of online abuse is misogynistic—it devalues women, it degrades them sexually and it amounts to gender-based hatred. There is a powerful case for women to be afforded the same legal protection against misogynistic online abuse as that given to people with other protected characteristics over which they have no control.
In conclusion, I thank Members for their thoughtful contributions and the Petitions Committee for the huge amount of work it has done on this vital subject. I look forward to continued engagement from across the House as we develop the proposals set out in the online harms White Paper.
(5 years, 9 months ago)
General Committees
I thank Members for their remarks. We are supportive of the regulations because we believe, given that the country has decided to leave the European Union, that we are at least protecting consumers against bill shocks and inadvertent roaming.
The right hon. Member for Birmingham, Hodge Hill asked why we cannot impose a price control. If we were to try to do that, it would result in either the company’s entire user base having to accept higher prices or individual users who partake in roaming having to pay higher prices. For the benefit of consumers, we have put in place the monthly cap of £45, at which point they are notified that they are running towards a higher bill. They then have to exercise choice as to whether they want to use more data or use their phone further during their travels.
The Government are prepared to accept caps on energy prices, yet they are not bringing that principle to mobile phone policy. If we have energy caps, why can we not have mobile phone caps?
I recall that an argument against energy caps was that they would establish a precedent. The Competition and Markets Authority found a vast amount of consumer detriment in energy. Many things were tried to get energy companies to be fairer in their billing practices. In the end, a price cap was agreed. It is too soon to assess the outcome of that decision, and it is certainly too soon to apply it at random in other markets.
We have introduced safeguards and the Regulatory Policy Committee assessed the impact assessment and made a conclusion on whether prices may rise in the future. I appreciate the comment by the hon. Member for Linlithgow and East Falkirk that the fact that companies have no plans to introduce price rises is no guarantee, but those companies have made that statement of good intent. They do not want to raise prices for their consumers. We must not force operators so that they are not effective in the future.
I have explained why we have not introduced price controls. It is a commercial matter—this is a market. We have sought to provide as much protection as possible, but the ultimate protection against roaming charges lies with the country staying in the single market, which it has taken the decision not to do. In those circumstances, the regulations are the best possible outcome for consumers, and I commend them to the Committee.
Question put.
(5 years, 10 months ago)
General Committees
I am grateful to the right hon. Gentleman for his questions, and his support for the amendment regulations. With regard to the issues that all Members had with the Independent Parliamentary Standards Authority’s guidance last year, in the immediate aftermath of the passage of the legislation, Members were rightly very concerned about the guidance that some of their staff members were receiving from officially sanctioned courses and training. For a period, there seemed to be something of a debacle around that issue, but we were able to clarify it.
I think the problem arose because the courses were designed before the legislation had fully progressed through both Houses, so they did not take account of the various amendments that we debated and passed—notably, the exemption for people in elected office to use the lawful basis of democratic engagement to process personal data. I think we have clarified that.
I was not aware, but the right hon. Gentleman has made me aware, that there was similar confusion about charges. Before we created the exemption, elected officials and all the other categories that we have discussed this afternoon were, strictly speaking, liable in law to pay a charge to the ICO. That is why we have introduced the exemption. We debated the exemption during the passage of the Bill, but we have been able to bring it into law only today.
There should be no further confusion about charges. We, as elected representatives, are data processors. Candidates are also data processors as soon as they start dealing with people’s inquiries in their constituencies or wards.
The Minister uses the word “candidate”, which elides two important definitions. One is that set out in the regulations:
“a person seeking to become (or remain) an elected representative”.
The second is that of an individual who is in that position and has been nominated by a political party. Most Members present think of a candidate as someone who has been validly nominated, rather than the definition in the regulations.
I was going to come to that, because the right hon. Gentleman made that point clearly in his earlier remarks. I will look into the discrepancy in the language. He has raised an important point. I agree that valid nomination is the definition that we want, and if that is not in the amendment regulations, I will look into that and write to him. I should also point out that the Information Commissioner herself is developing a code of practice for political parties regarding their use of data, and this matter may well be something that she touches on during that work.
The Minister has sought a test that is not in the regulations, so she is inviting the Committee to approve them using a definition that is not in the regulations, but in her speech. Will she undertake, before she concludes her remarks, to write to me and provide an assurance that she will re-present the regulations if necessary? I am happy to give them our leave this afternoon, but I am also happy for her to re-present them if she thinks the definitions need tidying up to bring them within the definition that she set out in her remarks.
I will certainly write to the right hon. Gentleman. Since I last rose to speak, I have been informed that the regulations apply to both prospective and validly nominated candidates. We have kept it deliberately broad to prevent unfairness between incumbents and those starting out on the democratic process. I think I have already covered that point.
I am grateful to the Minister for being very generous and giving way again, but that is not good enough, because anyone could seek to stand for elected office. If she and the Information Commissioner want to avoid a very large number of people seeking those exemptions and destroying the economic base of the ICO, the Minister must act, because otherwise that is what she will get. I think she will have to re-present the regulations, but let us just get something in place now to ensure that there is no lacuna in the law. However, please introduce stronger proposals.
I will certainly write to the right hon. Gentleman. If it is clear that we need to tighten the definition up, I am happy to re-present the regulations.
Question put and agreed to.
(5 years, 11 months ago)
General Committees
I thank the right hon. Gentleman for his questions and remarks. I will reassure him on the question of adequacy, as far as I am able. In the event of a deal, the Commission has agreed to start adequacy discussions at the beginning of the transition period, which will last two years. He made the point that, once the Commission starts adequacy discussions, they usually take an average of two years. I am optimistic that we will have concluded adequacy decisions and got an adequacy agreement by the end of the implementation period.
In the event of no deal, that is less easy to predict. I have no doubt that the Commission will wish to start adequacy discussions if the country leaves without a deal. The right hon. Gentleman and I agree—I hope, anyway—that that is unlikely, but it is possible, hence the need for this statutory instrument. In that event, it is harder to predict, but the Government’s absolute intention is to secure an adequacy agreement. We will co-operate with the Commission as soon as it initiates discussions.
I want to make sure I have understood this correctly. Is the Minister saying to the Committee that, in the event of no deal, it is harder to predict whether an adequacy agreement will come into force?
No. I am sorry if I gave that impression. It is harder to predict the timing of the adequacy decision. I am confident that we will get an adequacy decision whether we leave with a deal or with no deal, but I feel more confident that it will be a swift process if it takes place in the context of our implementation period and our discussions about the future framework, in line with the political declaration. There is a framework, which is highly beneficial to the swift agreement of an adequacy decision if we leave with the deal that the Prime Minister has negotiated. I urge the right hon. Gentleman to support that deal, if he is so concerned about the timing of an adequacy decision.
Let me move on to supervisory powers. The draft regulations will not introduce new powers; they will merely facilitate the smooth operation of existing powers by the regulator in accordance with UK legislation, without the need to consult the EU or to satisfy, report to or consult the Commission. They will allow the regulator to pursue its existing powers without needing to do things that are required by our membership of the European Union but that will no longer apply once we have left.
I absolutely concur with the right hon. Gentleman and reassure him that the draft regulations are not a race to the bottom in terms of consumer protection, regulation of the telecoms industry or support for the regulator. We are introducing them because we wish to maintain existing powers, rights and protections. The UK has a robust telecoms regulatory framework; the draft regulations will make no changes to that regime, beyond correcting deficiencies in retained EU law. I think we can all agree that it is essential for the regulations to be in place in the unlikely event of a no-deal outcome.
Question put and agreed to.
(6 years, 1 month ago)
Commons Chamber
This Government tend to have ambitious plans for us to be an also-ran in the data age. We have an infrastructure that is hopelessly out of date, an education system that most teachers think is not fit for the future and a voluntary approach to regulation that will not ensure that the online world is a world of trust or a safe space for our children.
We welcome the Minister’s statement, and I thank her for advance sight of it. I also thank her for her words of praise for my hon. Friend the Member for West Bromwich East (Tom Watson), the shadow Secretary of State, who was indeed a pioneer of open data and the Open Data Institute and the Power of Information Task Force. However, if the new centre is to be an establishment that simply writes voluntary codes and publishes best practice, it will not stop the online hate speech, the data breaches, or the risk of new algorithms coding old injustices into new injustices and inequalities. The centre joins 12 other regulators and advisory bodies with some oversight of the internet, so we now have 13 different regulators and advisers, and this one lacks any statutory basis for either its independence or its focus.
As a test case, will the Minister tell us whether the centre will advise her on the Google DeepMind deal, whereby British health data and its control were transferred to California despite all the assurances that were given to the Government and the public at the time? Will she tell us what specific guidance she is seeking on algorithmic unfairness, given that she voted down the amendments that we had proposed to create a legislative basis in the Data Protection Act 2018? Will she tell us what advice she is seeking on reforming the competition regulation regime, given that more companies, like Amazon, are using data to create monopolistic practices in this country? Finally, will she tell us what steps she will take to ensure that the centre builds on our proposal for a digital rights Bill in a new clause earlier this year?
We are not living through an era of change; we are now living through a change of era, and it is time that the Government rose to the challenge.
I thank the right hon. Gentleman for his questions. First, I should make it clear that the centre is not a new regulator. It will be an advisory body, which, for its first year or so, will be in the business of advising the Government and leading public debate on serious ethical issues associated with artificial intelligence. However, I can give a positive response to his question about its independence. It will become independent, and it will be placed on a statutory footing as soon as parliamentary time is available for us to introduce the necessary legislation. We fully intend this body to be totally independent of the Government in due course. Only on that basis, I believe, will it become the world-leading authority on data ethics and innovation that we want it to be in the future.
The right hon. Gentleman asks what the centre will do about online hate speech and other well-known online harms, which my Department and, indeed, the whole Government take extremely seriously. Earlier this year, we published a response to the Green Paper on internet safety, in which we stated that we were working on a White Paper that would explore various options, including legislation and statutory regulation to hold internet companies, particularly social media platforms, to account, and that we intended to produce legislation when parliamentary time permitted. We regard that area as separate from the ethical issues on which the new centre will advise public debate and the Government.
The right hon. Gentleman mentions data protection. As he knows, that is regulated by the Information Commissioner, who has been involved in the development of the centre. He also mentions competition and the concentration of huge amounts of market power in the hands of a few companies. I am sure that many Members on both sides of the House share that concern, but it is very much a matter for the Competition and Markets Authority rather than for the new centre.
The right hon. Gentleman asks whether the centre will advise on Google’s decision to move parts of the healthcare practice of DeepMind to its Californian headquarters. As DeepMind and Google are private corporations, it is not up to the Government to pass comment on how they manage their affairs, but it is, of course, up to the new centre to opine on the practices and code of corporate governance of companies with which public services and Government contracts might work in the future. So there is a connection for the centre, albeit a rather tenuous one.
(6 years, 1 month ago)
Commons Chamber
We have a fantastic organisation, Tech Nation, with which we work closely to build the hubs around the country that directly support SMEs; the British Business Bank also does this and it is now starting a regional network of advisers for SMEs in tech.
The tech sector is important, but it is not yet a big enough contributor to the Treasury. Can the Minister tell us what percentage of sales will be paid in the new tax introduced by the Chancellor by the big five tech giants next year?
My understanding of what the Chancellor announced in the Budget on Monday is that he will be introducing a digital sales tax approximating to 2% of digital turnover. I think the right hon. Gentleman can make his own calculations.
I can tell the Minister that, based on last year’s sales, next year the big five will be paying 0.01% of their sales in tax. That is the Treasury forecast in the Red Book, but even the Office for Budget Responsibility says that that is highly uncertain, and it will be outweighed by the cut in corporation tax to 17%. So is it not true that she has conspired with the Treasury to give a free pass to some of the wealthiest firms on earth?
I have had no discussions with the Treasury on that matter. [Hon. Members: “What?”] No, I have not. The right hon. Gentleman has alleged that I have had discussions, which I have not. To answer his substantive point, the Treasury expects to raise £1.5 billion over the next four years; 2% is a start and he should know that other countries are planning to take action, but no country has yet done so. Therefore, I suggest that the UK is taking the lead on this. We hope for international action, which will land a bigger hit, but at this stage international action is not forthcoming so we are taking action unilaterally—
(6 years, 2 months ago)
Westminster Hall
I always learn something new when I am answering debates. I did not know that. I am not sure that I look forward to finding out more about it, but I certainly will.
We are undoubtedly living in an age where mobile devices mean that people feel compelled to be connected at any time. The hon. Member for Livingston (Hannah Bardell) clearly made that point when she talked about her desire for some off-screen time in her personal time in the countryside, which proved difficult. We have dwelt on the darker side of those devices and platforms during the debate, because we are talking about addiction, but it is incumbent on us to recognise that a great deal of positivity has come forth from those devices.
We are looking at the impact on children and young people, to whom we have a particular responsibility. Youth policy is one of my Department’s responsibilities, so that is close to our hearts. The chief medical officer, Professor Dame Sally Davies, is reviewing the impact that internet use can have on children’s mental health. There are no results from that yet, because it was requested only about a month ago by the new Secretary of State for Health and Social Care, who, I am delighted to inform hon. Members, shares the concerns that we have heard and is in a position to do more about them in the Department of Health and Social Care.
As the Minister knows, the national health service is under tremendous strain. What arguments is she making to Her Majesty’s Treasury to do something about the low rates of tax paid by those companies, so that there is money to do something about the problem?
As the right hon. Gentleman knows, tax is a matter for the Treasury. The Chancellor indicated that he was looking at a digital services tax in his speech a few weeks ago. His first priority is to gain international agreement for the fairer taxation of technology companies, particularly these platforms. Actually, I should retract that; I do not think that he said particularly these platforms, but he did say that he wanted an international agreement for the fairer taxation of technology companies as his first priority. If he does not get that, I am told that he will introduce a tax unilaterally in the United Kingdom.
The health review will cover important and diverse issues, including cyber-bullying, online gaming, sleep problems and problematic internet use. I gather that the chief medical officer’s report will be published next year, and I will try to get a handle on when within that 12-month period we can expect it.
The Department of Health and Social Care has also reviewed evidence on the impact that social media can have on children, which showed that those who spend more than three hours using social media on school days are twice as likely to report high or very high scores for mental ill-health. The right hon. Member for Birmingham, Hodge Hill (Liam Byrne) said that he had seen research showing a socio-economic difference in the amount of screen time, which, along with the research I have mentioned about some sort of causal link in the time spent, shows that digital technology is in danger of widening the social gaps in society, although it has the potential to bring people together. We obviously need to work to ensure that the latter prevails. The Government have made children and young people’s mental health a top priority for the NHS, and a major programme to improve access to specialist services is supported by £1.4 billion of new funding.
We are also looking at the use of smartphones in schools, which I know inspires strong passions. I have seen some initial results from that analysis, and most schools have rules in place that require that smartphones are not visible during school hours. We need to see more research on whether that is universally applied.
The Government believe that schools are best placed to make decisions about how best to use technology. Headteachers are empowered to manage mobile phone usage. Many schools and parents would appreciate more guidance, however, which we are working on across Government, inspired by the commission of the Secretary of State for Health and Social Care to the chief medical officer to advise on the mental health impact of social media and smartphone usage.
On internet safety in the wider sense, the overuse of technology and concerns about online harms are not limited to young people. Our forthcoming joint Department for Digital, Culture, Media and Sport and Home Office White Paper will be published in the winter. It will set out a range of legislative and non-legislative measures and will detail how we propose to tackle online harms. It will set clear responsibilities for tech companies to keep citizens safer.
The right hon. Member for Birmingham, Hodge Hill asked whether we would look to place a duty of care on social media platforms. That route is certainly worthy of consideration. It is a proven method in other areas, and we will look at its relevance to the online world. Working with the Department of Health and Social Care and across Government, we will develop proposals targeted at improving the ability of users. We are also reforming the UK council for child internet safety so that it no longer focuses exclusively on children. Children will continue to be a top priority, but its remit will be widened.
In response to the hon. Member for Livingston, video games are indeed enjoyed by a large number of people across the UK. For the majority of people, that is a recreational activity, but research shows that, for a minority, their gaming can become excessive, to the extent that they prioritise it over other activities and experience negative effects from it. In recognition of that, as the hon. Lady mentioned, the World Health Organisation has recognised the potential to diagnose gaming disorder in some circumstances. It has not reached a conclusion yet, but I gather that it is working on it. Through its internet safety strategy, my Department is working to improve online safety in games, including by promoting healthy and responsible gaming. To do that, we will work closely with the gaming industry and organisations such as the Video Standards Council. Gaming will also be an important part of our internet safety White Paper.
On isolation and loneliness, I pay tribute to the Under-Secretary of State for Sport and Civil Society, my hon. Friend the Member for Chatham and Aylesford (Tracey Crouch). She has taken responsibility for tackling loneliness, which affects between 5% and 18% of the UK population, and social media is often highlighted as a cause. The strategy includes how Government can set a framework to enable local authorities, the third sector and businesses to support people’s social health.
Research suggests that the reality of social media and its connection to people’s relationships is nuanced and that how negative or positive the impact is depends on which social media service is being used and whether it is substituting for or complementing real-life interactions. For example, there are applications that help new mothers to stay more connected through difficult early stages of parenthood and products that use artificial intelligence to provide real-life experiences for those unable to leave their homes. If used correctly, the technology has real potential to break down barriers and improve the situation that isolated people might be exposed to. That is why social media companies are a core part of initiatives to tackle isolation. Digital means of bringing people together can be especially important to people with mobility problems and families separated by distance.
Technology can be and largely is a powerful force for good. It serves humanity, spreads ideas, and enhances freedom and opportunity across the world. However, what we have heard today gives us great pause for thought. It is informing our deliberations on online safety and I look forward to the continued debate with colleagues here in this Chamber and beyond as we develop our White Paper. We look forward to hearing their further thoughts on the various actions that we might take.
(6 years, 2 months ago)
General Committees
Of course; I appreciate that, Mr Evans.
Like me, my hon. Friend will have been alarmed by the catena of platitudes from both Ministers this afternoon about the importance of data, the importance of trade and the importance of data to trade. We heard absolutely nothing about whether the Ministers are confident of securing an adequacy agreement, especially in the event of a no deal Brexit. As is eloquently set out in the paperwork for today’s hearing, the Ministers know as well as we do that this has to be signed off not only by the European Commission, but by the European Parliament, the article 29 working group and the European data protection supervisor.
Given the imminence of Brexit, I am extremely concerned that we have heard nothing about a timetable or a level of confidence. My question is blunt: in the event of a no deal Brexit, are the Ministers prepared to guarantee to the House this afternoon that a data adequacy agreement will be secured and that free data flows will continue?
I thank the right hon. Gentleman for his question. I cannot give him a categorical assurance that an adequacy agreement will be in place at any particular point during the negotiations. I can tell him that the UK Government have made it clear to the Commission that we are ready to commence discussions on a future adequacy agreement, even though the Commission has not indicated that it is yet ready to start such discussions. If we are successful in securing the transition and implementation period, we will stand ready to begin those preliminary discussions on an adequacy assessment during that period. Indeed, we stand ready now, but the Commission has indicated that it is not yet ready.
We agree that our primary goal is to secure an adequacy agreement. Through the recent publication of a technical notice, we have various provisions in place that should allow for the free transfer of data during the period in which we are discussing adequacy but have not yet secured it.
I do not know whether you prefer me to ask these questions standing up or sitting down, Mr Evans.
Thank you, Mr Evans. I am grateful for the Minister’s answer, but perhaps she could go further and tell us the precise timetable her officials have given her for what needs to be agreed when. Ultimately, we need to know when an adequacy agreement needs to be in place to ensure the free flow of data after we have left the European Union, which the Prime Minister assures us will happen at the end of March. Given that long stop date, as it were, what is the timetable for securing the necessary agreements from the European Parliament, the article 29 working party and the European data protection supervisor?
As I said, the UK is ready to begin preliminary discussions on an adequacy assessment now. I cannot give a cast-iron timetable, because I cannot speak for the European Commission, which is the vital party to such discussions. The ball is in its court. We have indicated that we are ready and willing to start adequacy discussions. We anticipate that those discussions will take place during the transition and implementation period. Through the technical notice, we have established the arrangements that we would put in place if there were to be a gap between our departure from the European Union and the timing of the future framework. We all know what is going on—on both sides—on many fronts, not just data protection.
My last question is to press the Minister on a single point: by what date must an adequacy agreement be reached and in place to ensure that the free flow of data continues?
The Government will ensure the free flow of data, even if there is a gap between the time at which the United Kingdom obtains an adequacy decision and the time at which we leave the European Union. We are scheduled to leave the European Union at the end of March next year. We anticipate that there will be an implementation period that takes us a further 20 months. During that implementation period, we anticipate discussions with the Commission on an adequacy decision.
We cannot guarantee exactly when that adequacy decision will be made. I reassure all members of the Committee that on our departure from the European Union we will be 100% aligned with European data protection law, particularly the provisions of the GDPR. The right hon. Member for Birmingham, Hodge Hill and I shared many discussions during proceedings on the Bill. When it received Royal Assent in May this year, it put us in 100% alignment with EU data protection law. We can be optimistic that an adequacy decision will not require the usual length of time that it takes the Commission to bestow such decisions on other third countries. However, the right hon. Gentleman will understand that I cannot give a guarantee on that, because to do so is not in the UK Government’s gift. The decision will be forthcoming from the European Union.
If the right hon. Gentleman wants me to tell members of the Committee what will happen if we do not have an adequacy decision, either as we leave the European Union next March or even after the implementation period, I am happy to do so, but he looks as though he wants to intervene.
I am much less sanguine than the Minister about the possibility of an adequacy agreement. As she knows, we will not have article 8 to rest on after we leave the European Union. We have also sketched into the Data Protection Act 2018 sweeping exemptions from the GDPR for anyone who happens to be an immigrant, so I think the European Parliament will have some serious questions for the Minister about the adequacy agreement. Do we need an adequacy agreement in place to cover the implementation period, or not?
I am not sanguine about anything to do with this; it is a serious matter. I may be optimistic, but there is a lot of work to be done, and I cannot guarantee when an adequacy decision will be made. I can only state categorically that it is the Government’s intention to prioritise discussions in relation to adequacy with the European Union, such that we get an adequacy decision as soon as it is practically possible for the European Commission to grant us one.
We have put in place some exemptions to the GDPR, as have other member states, but we have done so in a framework that permits member states to apply such derogations and exemptions. Other member states will have put in place similar or different exemptions. I contest the right hon. Gentleman’s statement that the exemptions are “sweeping” in respect of immigration. I remember the debates well. The powers are extremely contained, and they were amended on Report to constrain them even further.
I can answer questions about the measures that we will put in place if there is a gap between the granting of an adequacy decision and our departure from the European Union—and, indeed, after the implementation period, assuming the implementation period is agreed.
Motion made, and Question proposed,
That the Committee takes note of European Union Document No. 5191/17, a Communication from the Commission to the European Parliament and Council on Exchanging and Protecting Data in a Globalised World, and an Unnumbered European Union proposal for provisions on Cross-border data flows and protection of personal data and privacy; welcomes the adequacy framework as an effective means of ensuring a free flow of data from the EU to third countries; and further notes that in the context of the UK leaving the EU it provides the right starting point.—(Margot James.)
(6 years, 5 months ago)
General Committees
The hon. Gentleman asks me to look to the future more than I am able to do. To reiterate what I said, all data that emanates from publicly funded research must be used for the benefit of the public good. That may in time also produce a commercial return, but it would have to be for the public good.
In the deal between DeepMind, a private sector company, and Moorfields Eye hospital, a national health organisation—they have come together in a joint venture—the data is being used with AI to improve diagnosis and treatment patterns at the hospital. The connection between commercial gain and the public interest is being well managed in that example, and strict rules will be in place to ensure that any further such commercial endeavours using public data will be similarly managed under an ethical framework.
That leads me neatly to the remarks and questions of the shadow Minister, the right hon. Member for Birmingham, Hodge Hill. I share his optimism that real-time data will hugely benefit public decision making and I am sorry if I downplayed that significant advantage in my opening remarks. I certainly believe that that will be immensely valuable, and that it is underpinned by the codes of practice we are discussing.
We are in the process of establishing the Centre for Data Ethics and Innovation. A chair has been appointed, other board members will be appointed during the summer and its remit is available for public comment. In its embryonic form, it is working with the UK Statistics Authority to ensure seamless communication between the two bodies in future. I agree with the shadow Minister that that is important.
The shadow Minister talked about the ethical principles that must continue to underpin the use of data sourced in the way that the UK Statistics Authority manages. The use of data must have clear benefits to the users and serve the public good. Where individuals are concerned, identity is protected. Information must be kept confidential and secure, and consent will have been considered appropriately. Data used, and methods employed, are consistent with legal requirements such as the Data Protection Act, the Human Rights Act 1998, the Statistics and Registration Service Act and the common law duty of confidence. The access, use and sharing of data must be transparent and communicated clearly, and accessibility for the general public must be protected.
I am grateful to learn that there is a seamless channel of communication between the Centre for Data Ethics and Innovation and the UK Statistics Authority, but that was not the question I asked. I asked how the guidelines are going to be revised as the Centre for Data Ethics and Innovation pronounces new judgments. It is not for the Centre for Data Ethics and Innovation and the UK Statistics Authority to sort something out between themselves; it is for this House to set out the principles by which both organisations act.
The right hon. Gentleman is right—he did ask that question. The UK Statistics Authority will continue to keep these principles, and documentation underpinning these principles, under close review. That will include the work of the Centre for Data Ethics and Innovation as it evolves. The future review of these principles and the codes underpinning them will be subject to scrutiny of both Houses of Parliament under the negative procedure.
Question put and agreed to.
Draft Statistics Statement of Principles and Draft Code of Practice on Changes to Data Systems
Resolved,
That the Committee has considered the draft Statistics Statement of Principles and draft Code of Practice on Changes to Data Systems.—(Margot James.)
(6 years, 5 months ago)
General Committees
I thank both hon. Gentlemen for their remarks. In addressing some of the questions raised by the shadow Minister, I will first point out that we have made great efforts to protect the welfare state and public services as we sought to deal with a very challenging deficit. I would like to see the public services in the context of our abilities to direct those services more towards those who really need them. That is the strategy we have adopted.
For example, in the area of energy, which I spent some time on in my opening remarks, we are talking about benefits such as winter fuel payments, cold weather payments and warm home discounts. Those benefits are alive and well, and valued by the several million people who receive them. What we seek to do through the safeguards is to ensure that, when there is discretion from energy companies about how to target some of those benefits, they can use intelligence about the people who are likely to need them most to deliver those benefits even more effectively. That is what we are debating.
The right hon. Gentleman rightly points out that we need safeguards. We need to ensure that information sharing is proportionate, that it is only used by the recipient for the purposes for which it is intended and that it is not retained for any longer than necessary. We are putting a number of safeguards in place. The data sharing powers must be exercised in compliance with the safeguards under the Data Protection Act 2018 and the Human Rights Act 1998. There is also a minimum amount of data required to meet the objectives for sharing information; that is another safeguard that we have put in place.
Any further changes to the list of public authorities permitted to share data under the codes of practice can be made only via regulations that are subject to the affirmative procedure, and we have involved the Information Commissioner’s Office throughout the development of those codes. I reassure the right hon. Gentleman that we have given great consideration to safeguards and that they have been put in place. He also asked about the question of data exchange on the whole household if only one individual meets the criteria. The purpose of the objective is to assist individuals or households with a combination of disadvantages. The problems of one household member can affect the outcomes of others in the same household; in particular, children growing up in a workless family are almost twice as likely as children in working families to fail at all stages of their education.
As a result, 150,000—I am so sorry. You will be pleased to know that I was about to wind up, Mr Hosie, and—
I have given the right hon. Gentleman an opportunity to intervene. I apologise to my hon. Friends for that.
Will the Minister confirm what latitude she is giving councils and the DWP to share information? I think that that is the principal clarification that we were looking for.
The right hon. Gentleman did indeed raise that important point. It should not be the case, of course, that people need to job-hop to find out what is going on when they have only the good of citizens in mind. What is important is that the DWP will, according to the safeguards that we have built in, be able to share information for certain purposes. For example, if the Department has information about someone’s fuel poverty status they will be able to share information with local authorities. Likewise, if it has information that meets any of the other objectives that I outlined, it will be permitted to share it directly with local authorities.
I did not mean to intervene again, but my constituency has the highest youth unemployment in Britain and down the years we have been bedevilled by a lack of co-operation between the DWP and the city council. The city council often wants to target young people who need local authority-run job and employment creation schemes. It is unable to run outreach schemes that target individuals effectively, because it cannot get the information from the DWP, so it has to resort to the rather inefficient approach of targeting whole postcodes. That is the sort of thing I am driving at.
The right hon. Gentleman eloquently underlines the need for the measures that we are putting in place. We should not have to target whole populations to find the percentage of people, whatever it may be, who would particularly benefit from a programme that a local authority might want to put in place.
As long as the various protections in the information sharing code of practice, which I have gone through, are met, there is no reason why the DWP and local authorities will not be able to work together. They are permitted to share information under the Digital Economy Act 2017—and the powers in question are permissive. The right hon. Gentleman mentioned that we may need to raise awareness of the powers that the DWP now has under the provisions, and I take that on board as something to which my Department can contribute.
Question put and agreed to.
DRAFT INFORMATION SHARING CODE OF PRACTICE: CODE OF PRACTICE FOR PUBLIC AUTHORITIES DISCLOSING INFORMATION UNDER CHAPTERS 1, 3, AND 4 (PUBLIC SERVICE DELIVERY, DEBT AND FRAUD) OF PART 5 OF THE DIGITAL ECONOMY ACT 2017
Resolved,
That the Committee has considered the draft Information Sharing Code of Practice: Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017.—(Margot James.)
(6 years, 6 months ago)
Commons Chamber
I congratulate my hon. Friend on all his work in this area. We have a full agenda following the publication of the sector deal, which will ensure that the benefits of AI are effected across the country. Tech Nation now has an AI programme that will support ecosystems across the country.
If we are to be a world leader in AI, we will need more computer scientists. This week, Roehampton University reported on the total collapse in the number of students studying ICT at GCSE level. Will the Minister set out her target for the number of students studying technology over the next year, and say what she will do to ensure that more girls in particular study ICT, because that is where the collapse is worst?
I very much share the right hon. Gentleman’s concerns. We must encourage girls to study science, technology, engineering and maths, not just computer science, and programmes have been designed to do just that. We have made progress by making computer science mandatory in schools, which is a good first step. I am sure we will build on that, and recover the lost students at GCSE level to which the right hon. Gentleman rightly refers.
(6 years, 7 months ago)
General Committees
I thank hon. Members for their comments. I am sorry that I shook my head at the shadow Minister when he cited the price of World cup final tickets. Although I am the Minister responsible for ticketing, among many things, since I had not sought tickets for the final I really did not know that they were changing hands for that sort of money. I was shocked and surprised by that—perhaps I should not have been.
I can always rely on the shadow Minister to make some gibe or another, and that was quite a good one. We are doing a lot. As I tried to explain in my opening remarks, the regulations are important primarily in tackling the use of bots, but they should be seen in the context of other measures we are taking, including what the CMA and ASA are doing on the responsibility of secondary sites to include all the charges as soon as someone registers an interest in purchasing a ticket, rather than leaving that until right at the end. We are taking a panoply of measures, and we are not finished yet. I agree that we still have more work to do, but none the less this is an important milestone.
The hon. Member for Hyndburn asked about phone banks. The definition will fall to be decided by the courts in individual cases, but we do believe that the regulations could tackle the issue of phone selling as well, coming under the auspices of electronic means. The definition of an electronic communications network is a broad one.
On large-scale sellers being classified as traders or licensed, which Professor Waterson inquired into, the CMA announced in April that three of the four major secondary sites have committed to improving information, including on who is buying from whom so that people know whether a seller is a business so that they can benefit from asserting additional rights under consumer legislation.
(6 years, 7 months ago)
Commons Chamber
It does not rule out immigration and it does allow the restriction of certain specified rights—not wholesale restrictions—for the purpose of safeguarding
“other important objectives of general public interest”.
The purpose is to provide a derogation for member states wide enough that they can pursue an overall Government policy in the general public interest. I would conclude that immigration is one such example. It has been suggested that the provisions represent a blanket carve-out of all a data subject’s rights. That is certainly not the case. I would like to reassure the right hon. Gentleman that we are being very selective about the rights that could be disapplied. The exemption will be applied only on a case-by-case basis and only where it is necessary and proportionate.
Has the Minister learnt nothing from the Windrush scandal? Here we have a Department of State that is not fantastic at keeping records. The idea of selectively carving out particular rights of particular people who need this information to fight tribunal cases strikes me as lunacy, given what we have learnt about the dysfunction at the Home Office.
Perhaps if I continue my remarks, I can reassure the right hon. Gentleman that of course lessons have been learnt, not least by the Home Office itself, as both the former Home Secretary and the current Home Secretary have made abundantly clear to the House.
The exemption in the amendment is to be applied only on a case-by-case basis and only where it is necessary and proportionate. It cannot and will not be used to target any group of people. Nor does the application of the exemption set aside all a data subject’s rights; it sets aside only those expressly listed. A further limitation is that it can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
Effective safeguards for crime prevention are already written into the Bill, which gives the Minister the power she is seeking to fulfil the purpose she is setting out for the House. If we selectively discard rights for selected people, we come pretty close to arbitrary decision making, and it is practically impossible to do that consistently and in a way that makes it defendable in a judicial review. These provisions will result in injustice and cases that the Home Office loses, so just dump them now!
The right hon. Gentleman should know that different structures govern crime and immigration. I reiterate that we are disapplying these rights selectively—the data subjects will hang on to the majority of their rights—but it cannot be right for the Home Office to have to furnish someone who is in contravention of immigration law with information it has been given.
I shall have to write to the right hon. Lady once I have communicated with Home Office Ministers. According to my understanding, the Bill says that the exemption applies—
On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?
I commend the hon. Lady for that observation, because she has a fair point. I will raise her concern with the Information Commissioner. My right hon. Friend the Member for Hemel Hempstead said that some businesses have been advised that they should delete their data, so I can see where the hon. Lady is going on that. It raises the prospect that some organisations might use this as an excuse to delete data that it would be in the data subject’s interests to preserve.
I have not been able to address every amendment in the time available, but I am mindful of the number of colleagues who wish to contribute, and we have less than 60 minutes remaining. I have addressed most of the matters that came up in the Public Bill Committee, and the Government’s position will remain the same on many of them.
In short, we have enhanced the ICO’s enforcement powers, we have changed the way we share data, we have reached out to parish councils, we have narrowed the immigration exemption and we have responded to calls to better protect lawyer-client confidentiality. We have also dealt—effectively, I hope—with the concern expressed by my hon. Friend the Member for Totnes about the sharing of data between the Department of Health and Social Care and the Home Office.
May I start by welcoming the new powers for the Information Commissioner, which we called for in Committee? Nobody who observed the debacle of the investigation into Cambridge Analytica will have needed persuading that those powers are necessary—it took the court five or six days to issue the requisite search warrants, and that time might well have been used by Cambridge Analytica to destroy evidence—so I am glad that the Minister has heeded our calls and introduced the proposals this afternoon. We are happy to give them our support.
I will speak to a number of new clauses and amendments in the group, particularly new clause 4, which is our enabling clause for creating a bold and imaginative Bill of data rights for the 21st century. I want to make the case for universal application of those rights, including their application to newcomers, who need rights in order to challenge bad decisions made by Governments, which is why our amendment 15 would strike out the immigration provisions that have so unwisely been put into the Bill. I will also say a few words about new measures that are needed in the Bill to defend the integrity of our democracy in the digital age.
The Minister took the time to make a comprehensive speech, which included an excellent explanation of the Government amendments, so I will be brief. Let me start with the argument for a Bill of data rights. Every so often we have to try to democratise both progress and protections. In this country we are the great writers of rights—we have been doing it since Magna Carta. Over the years, the universal declaration of human rights, the UN convention on the rights of the child, the charter of fundamental rights, the Human Rights Act 1998, the Equality Act 2010 and, indeed, the original Data Protection Act have all been good examples of how good and wise people in this country have enshrined into charters and other legal instruments a set of rights that we can all enjoy, that give us all a set of protections, and that help us to democratise progress.
My hon. Friend is right. We have been on the receiving end of a huge number of data breaches in this country—really serious infringements of basic 21st-century rights—which is why we need a bold declaration of those rights so that the citizens of this country know what they are entitled to. Unless we get this right, we will not be able to build the environment of trust that is the basis of trade in the digital economy. At the moment, trust in the online world is extremely weak—that trust is going down, not up—so we need to put in place measures now, as legislators, to fix this, turn it around and put in place preparations for the future.
The Government’s proposal of a digital charter is a bit like the cones hotline approach to public service reform. The contents of the charter are not really rights but guidelines. There are no good methods of redress or transparency. Frankly, if we try to introduce rights and redress mechanisms in that way, they will basically fail and will not lead to any kind of change. That is why we urge the Government to follow the approach that we are setting out.
I put on record my profound thanks to Baroness Kidron and the 5Rights movement. Her work forms the basis of the bill of rights we are proposing to the House: the right to remove data, as enshrined in the GDPR—that right is very important to children—the right to know; the right to safety and support; the right to informed and conscious use; and the right to digital literacy. Those are the kinds of rights we should now be talking about as the rights of every child and every citizen.
The right hon. Gentleman makes some good points. I agree with the rights he is talking about, but those rights exist under the GDPR and are intrinsic to the Bill, so I see no need for his amendment.
There is no right to digital literacy under the Bill, which is why we propose the five rights as the core of new schedule 1 in which, as the Minister knows, we go much further. The provision sets out rights to equality of treatment, security, free expression, access, privacy, ownership and control, the right not to be discriminated against as a result of automated decision making, and rights on participation, protection and removal.
Rights are sometimes scattered through thousands and thousands of pages of legislation, which is where we are on data protection today. That is why from time to time, as a country, we decide to make bold declaratory statements of what principles should guide us. These are methods of simplification and consolidation, and we are pretty good at that in this country. When we press our proposal to enable the creation of such a bill of rights to a Division a little later, we hope that it will be the call that the Government need to begin the process of consultation, thought, argument and debate about the digital rights that we need in this century and what they need to look like. Rights should not be imposed from the top down; they should come from the grassroots up, and the process of conversation and consultation is long overdue. To help the Government, we will accelerate that debate during this year.
The second point I wish to make is about amendment 15, which would ensure that the rights set out in the GDPR would stretch to everyone in this country. It would mean that the Government would not be permitted to knock out selective rights for certain people who just happen to be newcomers to this country. The proposal to withhold data rights from migrants and newcomers is a disgrace and does not deserve to be in the Bill. In Committee, Ministers were unable to tell us why the Bill’s crime prevention provisions could not be stretched to accommodate their ambitions for immigration control. The Minister has not been able to give us a succinct definition of “immigration control” today, and we have not been able to hear about the lessons learned from Windrush. Frankly, the debate has been left poorly informed, and we have had promises that letters will be sent to hon. Members long after tonight’s vote.
(6 years, 7 months ago)
Commons Chamber
I am grateful for that guidance, Mr Speaker.
It is always good to see the Minister in her place. She certainly knows how to pack the House with her statements. I am sorry that I am not able to respond to the detail of her statement, but it only came to me by email at 11.25 am, so I was not able to see it in advance. None the less, it is good of her to show up and present her plans, which were first presented to The Times, rather than to Parliament. It is welcome that the Government have now decided to step into the breach where a policy should be. It is a shame that the Minister has allowed the French, the Americans, the South Koreans and the Chinese to get there first, but better late than never.
From what I can divine from what the Minister said to the House, no new money has been announced today. Rather, a top-down earmarked amount of cash has already been handed out to research councils. That is fine as far as it goes, but it is an awful long way short of the £1 billion of funding that President Macron has just announced to support artificial intelligence in France.
As the Minister knows, a strong AI sector in this country will be built on three basic foundations: good networks, which support the internet of things; trust, which supports big data; and skills, which require a great education system. Today, our science spend is, I am afraid, in the second league, our digital networks are lamentable, our framework of trust is hopelessly out of date—in fact, we still have no date for the Data Protection Bill returning to this House—and our skills base is alarmingly thin. Indeed, the Government prayed in aid Jérôme Pesenti in their strategy this morning, but he was told by the Government that he was not allowed to look at the maths curriculum, as he told the House of Lords Artificial Intelligence Committee when he was giving evidence to its inquiry. That is why we call for science spend not at 2.4% of GDP, but up at 3%. We think there should be universal provision of networks at 30 megabits per second, a Bill of digital rights to restore trust and a national education service to restore the skills base.
In the interests of brevity, Mr Speaker, I have some specific questions for the Minister. First, the sector plan makes great play of a £2.5 billion investment fund delivered by the British Business Bank. Is this just for AI, or for innovation generally? Is it DEL—departmental expenditure limit—funding or loan guarantees? Is it intended to deliver grants or loans? When does that money come online? Is it, in other words, spin over substance?
Secondly, the Minister will know that artificial intelligence will accelerate the destruction of existing jobs, so when will we have a White Paper on the future of work? This will be a G20 agenda item in November. We have heard nothing about the Government’s plans to explore this and put in place adequate protections for workers today.
Thirdly, where is the strategy to harness Government procurement, with a cross-Whitehall futures unit, to use the power of Government to drive forward this agenda? That is the way that every other western, and eastern, nation drives its science and tech investment. Why are the Government not doing this?
This morning, the Bank of England published figures showing that this Government have presided over the worst productivity figures since the late 18th century. If we are to be masters of the fourth industrial revolution, as we were of the first, the Government will have to do an awful lot better than this.
I apologise if the right hon. Gentleman received my statement such a short time ago. That was certainly not my intention. I shortened my statement in anticipation of Mr Speaker’s wish for brevity, and perhaps that delayed matters.
It is a shame that the right hon. Gentleman’s response was pretty overwhelmingly negative, given that we start from a good base in this country with our world-leading institutions and our state of readiness. Oxford Insights, which I mentioned in my statement, has put us at No. 1 across the world on its Government AI readiness index. He referred to other countries, predominantly in Asia, which are indeed investing hugely in this area. [Interruption.] He mentions Macron from a sedentary position; he also mentioned him in his response. We are of course delighted that President Macron is also seeing the potential for AI. There is nothing wrong with that. We are a global-facing country. It is great that our partners in Europe are also committing to this agenda.
The right hon. Gentleman mentioned the importance of data and digital performance in this country. The UK is in a very competitive position in terms of digital performance. We now have 95% access to superfast broadband, which was delivered by the end of last year. Only yesterday, I was at a meeting with all the successful parts of the country that bid for the 5G test bed and pilot programme, which will put us in a pivotal position to take advantage of the internet of things. These test beds and pilots extend right across the country, from the Orkney Islands to the south-west of England, and a new wave of bids will be announced this summer. We are very determined on this front.
The right hon. Gentleman asked about the British Business Bank. I can assure him that this is new money that will be provided to tech start-ups and tech scale-ups via both equity finance and loans. I remind him that as of September last year, the British Business Bank had supported, through a combination of loans and equity finance, very many tech companies to the tune of £350 million. We are building on success.
The right hon. Gentleman talked about the future of work. This is an extremely important issue. Of course, we recognise that we are in for a fast ride here. The pace of technological change is such that momentous changes that are not always predictable can potentially displace groups of workers. We are very cognisant of the need to smooth the path through continuous training. The industrial strategy has at its heart improving the world of work and access to retraining throughout people’s lives, so that no one is left behind by these technological advances.
Finally, on that critical subject, the Government’s response to the Taylor review and the consultations that we announced at the beginning of the year will be out at some point this summer, and I am sure that the points raised by the right hon. Gentleman about the future of work in the context of technological advance will be taken extremely seriously.
(6 years, 9 months ago)
Public Bill Committees
A subject access request gives individuals the right to ask for all the personal information that an organisation holds about them. That is a powerful right, designed to ensure that individuals may access information held about them within a specified time and, as such, it needs to be protected. The Bill provides such protection by making it an offence to require someone to exercise the right as a condition of employment, a contract or the provision of a service or goods. That is set out in clause 181 and schedule 17 and is intended to substantively replicate and in places build on the comparable provision in section 56 of the Data Protection Act 1998.
Amendments 127 and 128 insert a definition of a “relevant health record” for the purposes of clause 181, to ensure that the scope is consistent with that of other types of “relevant record” set out in schedule 17. Amendment 181 is technical in nature and simply updates a reference to a piece of legislation in Northern Ireland to reflect the fact that the legislation has been replaced.
I thank the Minister for that explanation. She is absolutely right to say that subject access requests are extremely powerful in how they operate. It is therefore such a shame that they are not a right or a power that the Government will see fit to extend to newcomers to this country, who will seek to use and have in the past sought to use subject access requests to access important information about their immigration status and history, and the decision-making processes in the Home Office and UK Border Agency about their immigration status. I am sure that we will come back to this debate on Report, and I hope that it is something that the Minister will reflect on.
Amendment 127 agreed to.
Amendments made: 128 in schedule 17, page 206, line 21, at end insert—
“Relevant health records
1A ‘Relevant health record’ means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.”.
See the explanatory statement for Amendment 127.
Amendment 181 in schedule 17, page 207, line 22, leave out sub-paragraph (iii) and insert—
“(iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));”.—(Margot James.)
In a list of functions of the Secretary of State in relation to people sentenced to detention, this amendment removes a reference to section 73 of the Children and Young Persons Act 1968 (which has been repealed) and inserts a reference to Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (which replaced it).
Schedule 17, as amended, agreed to.
Clause 182 ordered to stand part of the Bill.
Clause 183
Representation of data subjects
Amendments made: 63, in clause 183, page 105, line 42, leave out “80” and insert “80(1)”.
This amendment changes a reference to Article 80 of the GDPR into a reference to Article 80(1) and is consequential on NC2.
Amendment 64, in clause 183, page 105, line 44, leave out “certain rights” and insert “the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy)”.
In words summarising Article 80(1) of the GDPR, this amendment adds information about the rights of data subjects that may be exercised by representative bodies under that provision.
Amendment 65, in clause 183, page 106, line 7, leave out “under the following provisions” and insert “of a data subject”.
This amendment and Amendments 66, 67 and 68 tidy up Clause 183(2).
Amendment 66, in clause 183, page 106, line 9, at beginning insert “rights under”.
See the explanatory statement for Amendment 65.
Amendment 67, in clause 183, page 106, line 10, at beginning insert “rights under”.
See the explanatory statement for Amendment 65.
Amendment 68, in clause 183, page 106, line 11, at beginning insert “rights under”.—(Margot James.)
See the explanatory statement for Amendment 65.
Clause 183, as amended, ordered to stand part of the Bill.
Clause 184
Data subject’s rights and other prohibitions and restrictions
Amendment made: 69, in clause 184, page 106, line 41, leave out “(including as applied by Chapter 3 of that Part)”.—(Margot James.)
This amendment is consequential on Amendment 4.
Clause 184, as amended, ordered to stand part of the Bill.
Ordered,
That clause 184 be transferred to the end of line 39 on page 105.—(Margot James.)
Clause 185
Framework for Data Processing by Government
Question proposed, That the clause stand part of the Bill.
The right hon. Gentleman makes a very good point. It might help if I say a little about the framework that the Secretary of State has to issue, as directed by clause 185, about the processing of personal data in connection with the exercise of functions within Government. Before the framework is issued, it has to be subject to parliamentary scrutiny. Some of these practical issues can be explored at that point. The framework will provide guidance to Departments on all aspects of their data processing. The content is being developed and we will definitely take into account the right hon. Gentleman’s concerns.
Question put and agreed to.
Clause 185 accordingly ordered to stand part of the Bill.
Clause 186
Approval of the Framework
Question proposed, That the clause stand part of the Bill.
I am grateful to the Minister for taking those points on board. I suppose it begs the question of when she thinks we might see this framework. The process set out in the clause is a wise and practical course of action. We all have constituency experience that could have a bearing on how this piece of guidance is drafted and presented. We have the luxury of serving our constituents week in, week out. That is not a privilege that the civil servants who are asked to draft these frameworks enjoy.
It is important that the Minister goes through a good process, which allows her not to present the House with a fait accompli or something for an up and down motion. That will not be in any of our interests. My concern is how we practically operationalise this in a way that allows us continually to strengthen and improve the service that we provide to our constituents. It is very hard for us to do that if we have a data management regime operationalised by Her Majesty’s Government that gets in the way.
When does the Minister expect to issue this framework? How will she ensure that there is a period of soft consultation with, perhaps, the Speaker’s Committee here in the House so that we are not presented with a final draft of a document that we have 40 days to consider, moan about and make representations about, all of which will then basically be ignored because the approval process requires an up-down vote at the end?
I cannot be precise as to when, but it will be a priority to issue the framework for all the reasons that the right hon. Gentleman set out. We intend to engage fully with officials across Government, in particular the Departments that he has mentioned, and will consult other areas of expertise and the Information Commissioner herself. Indeed, clause 185(5) sets a requirement for consultation. Most importantly, the framework will then come to Parliament for proper scrutiny. At that point the right hon. Gentleman will have every chance to contribute further to the practicality of establishing this framework as speedily as possible.
Question put and agreed to.
Clause 186 accordingly ordered to stand part of the Bill.
Clause 187
Publication and review of the Framework
Question proposed, That the clause stand part of the Bill.
The only issue arising from this clause is the frequency with which the Minister expects the framework to be updated. I welcome the steer that she has given the Committee about how clause 186(5) will be operationalised, but that does not quite get round the problem that I am concerned about. Sometimes, and it has been known to happen, regulations get somewhat hard wired before they are presented to the House. Although it is in the Bill, sometimes that 40-day consultation period does not provide an opportunity to revise and update a measure if we do not think that it is practical.
If, for example, a code of practice is brought forward that says, “For the DWP, the data controller is going to be the accounting officer of the Department or someone associated with the accounting officer of the Department,” that is not going to be a practical strategy for operationalising this Bill within a Department as big and complicated as the DWP. So it may not be possible. We have to accept that. We have to accept the way statutory instruments are put through this place, and the political reality of that. Let us be mature about that. However, we have a belt-and-braces approach set out in clause 187, in that we have the chance to review it. Perhaps the Minister could say a word about how frequently she expects to review and update the legislation, so that it continually improves in the light of experience?
Clause 187 requires the Secretary of State to publish the framework, and under clause 185 he must keep it under review, and commit to updating it as appropriate. Furthermore, although the Information Commissioner has to take the framework into account, were she investigating a data breach by a Government Department, for example, she might consider it relevant to consider whether that Department had applied the principles set out in the framework. She is also free to disregard the framework if she considers it irrelevant or getting in the way.
It will be a moving thing, and the legislation provides for the Secretary of State to keep it under continual review. If the right hon. Gentleman wishes to have some input before it arrives in the House in the form of a Statutory Instrument, I would be very happy to engage with him.
Question put and agreed to.
Clause 187 accordingly ordered to stand part of the Bill.
Clause 188 ordered to stand part of the Bill.
Clause 189
Publication and review of the Framework
Question proposed, That the clause stand part of the Bill.
We now come to offences, and crucially in clause 189, the question of penalties for offences. The real world has provided us with some tests for the legislation over the past few days. We have reviewed clauses 189 to 192 again in the light of this week’s news. Some quite serious questions have been provoked by the Cambridge Analytica scandal, and the revelations about the misuse of data that was collected through an app that sat on the Facebook platform.
For those who missed it, the story is fairly simple. A Cambridge-based academic created an app that allowed the collection not only of personal data but of data associated with one’s friends on Facebook. The data was then transferred to Cambridge Analytica, and that dataset became the soft code platform on which forensic targeting was deployed during the American presidential elections. We do not yet know, because the Mueller inquiry has not been completed, who was paying for the dark social ads targeted at individuals, as allowed by Cambridge Analytica’s methodology.
The reality is that under Facebook’s privacy policy, and under the law as it stood at the time, it is unlikely that the collection and repurposing of that data was illegal. I understand that the data was collected through an app that was about personality tests, and then re-deployed for election targeting. My understanding of the law is that that was not technically illegal, but I will come on to where I think the crime actually lies.
I will be very brief, because I will largely echo what the right hon. Member for Birmingham, Hodge Hill said. It is absolutely fair to say that our understanding of the potential value of personal information, including that gained by people who break data protection laws, has increased exponentially in recent times, as has our understanding of the damage that can be done to victims of such breaches. I agree that it is not easy to see why the proposed offences stop where they do.
I have a specific question about why there is a two-tier system of penalties. There is a set of offences that are triable only in a summary court and for which there is a maximum fine. I think the maximum in Scotland and Northern Ireland is £5,000. There is a second set of offences that could conceivably be triable on indictment, and there is provision there for an unlimited fine, but not any custodial sentence.
For some companies, if they were in trouble, a £5,000 fine for essentially obstructing justice would be small beer, especially if it allowed them to avoid an unlimited fine. It would be interesting to hear an explanation for that. Many folk would see some of the offences that are triable on indictment as morally equivalent to embezzlement, serious theft or serious fraud, so it is legitimate to ask why there is no option for a custodial sentence in any circumstance.
I certainly share the concerns that hon. Members have expressed in the light of the dreadful Cambridge Analytica scandal. I will set out the penalties for summary only offences, which lie in clause 119, “Inspection of personal data in accordance with international obligations”; clause 173, “Alteration etc of personal data to prevent disclosure”; and paragraph 15(1) of schedule 15, which contains the offence of obstructing the execution of a warrant. The maximum penalty on summary conviction for those offences is an unlimited fine in England and Wales or a level 5 fine in Scotland and Northern Ireland.
Clause 189(2) sets out the maximum penalties for offences that can be tried summarily on indictment, which include offences in clause 132 “Confidentiality of information”; clause 145 “False statements made in response to an information notice”; clause 170 “Unlawful obtaining etc of personal data”; clause 171 “Re-identification of de-identified personal data”; and clause 181 “Prohibition of requirement to produce relevant records”. Again, the maximum penalty when tried summarily in England or Wales, or on indictment, is an unlimited fine. In Scotland and Northern Ireland, the maximum penalty on summary conviction is a fine
“not exceeding the statutory maximum”
or an unlimited fine when tried on indictment.
I was listening carefully to the Minister’s reply. She said that the sanction is an unlimited fine in England and Wales. Let us take the hypothetical case of Cambridge Analytica, which is a one-man shell company, in effect; in the UK, it is wholly owned by SCL Elections. I am concerned about what happens if that holding company—let us say it is SCL Elections—is registered outside England and Wales, in the United States or Uruguay, for example? Will the fine bite on the one-man shell company, Cambridge Analytica? If so, the shell company will just go out of business—the directors will be struck off and that will be the end of it. That is not much of a sanction.
The sanctions are as I outlined. The right hon. Gentleman talks about more complex corporate structures. Later in our proceedings, we will touch on the jurisdiction of the general data protection regulation when it comes to dealing with cross-border situations outside the European Union. Perhaps we can throw some light on what he is saying when we come to that point.
The GDPR strengthens the rights of data subjects over their data, including the important right of consent and what constitutes consent by the data subject to the use and processing of their data. That right must now be clear, robust and unambiguous. That is a key change that will provide some protection in the future.
The right hon. Gentleman should remember that, in addition to data protection laws, other sanctions are available, including prosecution for computer misuse, fraud and, potentially, in the case of the example we have been talking about, electoral laws, depending on the circumstances.
Question put and agreed to.
Clause 189 accordingly ordered to stand part of the Bill.
Clause 190 ordered to stand part of the Bill.
Clause 191
Liability of directors etc
Question proposed, That the clause stand part of the Bill.
The debate presents what is potentially a good opportunity to offer a flow of advice to the Minister, if I might pose my question like this: if a company based in the UK has committed an offence, but its holding company is based somewhere else, in what way will clause 191 bite not on the UK operations, but on the holding company elsewhere?
My reading of the extraterritoriality provisions is that the implementation of GDPR and the sanctions around it may well bite in Europe—we will get on to this issue in the debate on extraterritoriality, as the Minister has said—but where companies are registered in, heaven forbid, various tax havens around the world such as Panama or Belize, will the Information Commissioner be able to, in effect, bring prosecutions that will result in action biting on a director of a holding company domiciled somewhere abroad, such as Belize? That is a pretty plausible scenario. Again, this touches on whether the sanctions in the Bill are sufficient to deter the kind of misbehaviour that we now know is running loose around the wild west that the Secretary of State described.
The clause allows proceedings to be brought against a director, or a person acting in a similar position, as well as the body corporate, where it has been proven that breaches of the Act have occurred with the consent, connivance or negligence of that person. The clause will have the same effect as that of section 61 of the Data Protection Act 1998. I might have to come back to the right hon. Gentleman on some of the points he raised in that hypothetical circumstance, which I have no doubt could certainly exist in the future.
I would be grateful if the Minister wrote to me on that this afternoon, because if there are deficiencies we will have to get on with preparing amendments for consideration on Report.
Question put and agreed to.
Clause 191 accordingly ordered to stand part of the Bill.
Clauses 192 to 195 ordered to stand part of the Bill.
Clause 196
Tribunal Procedure Rules
Question proposed, That the clause stand part of the Bill.
Questions have arisen on the procedure rules associated with tribunals. The Opposition are concerned that the rights conferred in the Bill are rights in reality, not in theory. That is why we moved important amendments earlier, which were unwisely rejected by the Government, on collective forms of class action.
If we are to ensure that our constituents genuinely have access to the kind of justice mechanisms set out in the clause, we are obviously required to confront the reality that people will sometimes not have the resources for the financing of solicitors or representatives to help them to make their cases. Will the Minister say a word about whether our constituents will have access to resources such as legal aid to fight those cases in a tribunal?
The clause provides a power to make tribunal procedure rules to regulate how the rights of appeal before the tribunal and the right to apply for an order from the tribunal, conferred under the Bill, are exercised. It sets out the way a data subject’s right to authorise a representative body to apply for an order on his or her behalf under article 80 of the GDPR and clause 183 can be exercised. For somebody who does not have the means to pursue an individual claim, that is obviously a way forward in some circumstances. In addition, it provides a power to make provision about
“securing the production of material used for the processing of personal data,”
and
“the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.”
The provisions are equivalent to paragraph 7 of schedule 6 of the 1998 Act.
That is a helpful explanation. It is obvious from the Minister’s response that those tribunal rules will be incredibly important in providing democratic access to justice where our constituents have been maligned and their data rights abused. The tribunal procedure rules, given what she has said, will be of great interest to right hon. and hon. Members.
Will the Minister clarify what oversight and scrutiny we may have in the House of those tribunal procedure rules, or whether they are purely rules that are the child of the tribunal authorities? Are they something the tribunal authorities can just issue, or is there some oversight, amendment or improvement that we in the House can provide?
I cannot be precise about the level of scrutiny that the tribunal procedure rules may or may not be subject to, but in further answer to the right hon. Gentleman’s earlier question, legal aid is also available, as set out in the Legal Aid, Sentencing and Punishment of Offenders Act 2012, where a failure to fund would breach the European convention on human rights. There is that protection over and above the right of people to join a group action. The rules set by the Tribunal Procedure Rules Committee will be set, I am told, by applying its own consultation process, which the Lord Chancellor lays before Parliament.
Question put and agreed to.
Clause 196 accordingly ordered to stand part of the Bill.
Clause 197 ordered to stand part of the Bill.
Clause 198
Other definitions
Amendments made: 70, in clause 198, page 114, line 25, at end insert
“the following (except in the expression “United Kingdom government department”)”.
This amendment makes clear that the definition of “government department” does not operate on references to a “United Kingdom government department” (which can be found in Clause 185 and paragraph 1 of Schedule 7).
Amendment 71, in clause 198, page 115, line 8, at end insert—
“(2) References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—
(a) section 125(4), (7) and (8);
(b) section 160(3), (5) and (6);
(c) section 176(2);
(d) section 179(8) and (9);
(e) section 180(4);
(f) section 186(3), (5) and (6);
(g) section 190(3) and (4);
(h) paragraph 18(4) and (5) of Schedule 1;
(i) paragraphs 5(4) and 6(4) of Schedule 3;
(j) Schedule 5;
(k) paragraph 11(5) of Schedule 12;
(l) Schedule 15;
(and the references in section 5 to terms used in Chapter 2 or 3 of Part 2 do not include references to a period expressed in hours, days, weeks, months or years).”
This amendment provides that periods of time referred to in the bill are generally to be interpreted in accordance with Article 3 of EC Regulation 1182/71, which makes provision about the calculation of periods of hours, days, weeks, months and years.
Amendment 182, in clause 198, page 115, line 8, at end insert—
“( ) Section 3(14)(aa) (interpretation of references to Chapter 2 of Part 2 in Parts 5 to 7) and the amendments in Schedule 18 which make equivalent provision are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978, or any similar provision in another enactment, as it applies to other references to, or to a provision of, Chapter 2 of Part 2 of this Act.” —(Margot James.)
Clause 3(14)(aa) (inserted by amendment 4) and equivalent provision contained in amendments in Schedule 18 state expressly that references to Chapter 2 of Part 2 of the bill in Parts 5 to 7 of the bill, and in certain amendments in Schedule 18, include that Chapter as applied by Chapter 3 of Part 2. This amendment secures that they are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978. Section 20(2) provides that where an Act refers to an enactment that reference includes that enactment as applied, unless the contrary intention appears.
Clause 198, as amended, ordered to stand part of the Bill.
Clause 199 ordered to stand part of the Bill.
Clause 200
Territorial application of this Act
Amendments made: 183, in clause 200, page 117, line 15, leave out subsections (1) to (4) and insert—
‘(1) This Act applies only to processing of personal data described in subsections (2) and (3).
(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.
(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—
(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.’
This amendment replaces the existing provision on territorial application in clause 200(1) to (4). In the amendment, subsection (2) provides that the bill applies to processing in the context of the activities of an establishment of a controller or processor in the UK. Subsection (3) provides that, in certain circumstances, the bill also applies to processing to which the GDPR applies and which is carried out in the context of activities of an establishment of a controller or processor in a country or territory that is not part of the EU.
Amendment 184, in clause 200, page 118, line 8, leave out “(4)” and insert “(3)”.
This amendment is consequential on amendment 183.
Amendment 185, in clause 200, page 118, leave out line 10 and insert “processing of personal data”.
This amendment is consequential on amendment 183.
Amendment 186, in clause 200, page 118, line 10, at end insert—
‘(5A) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (2).
(5B) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).’
New subsection (5A) secures that the reference to “processing” in the new subsection (2) inserted by amendment 183 includes all types of processing of personal data. It disapplies clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually only to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies. New subsection (5B) secures that the reference in the new subsection (3) to Chapter 2 of Part 2 of the bill does not include that Chapter as applied by Chapter 3 of Part 2.
Amendment 187, in clause 200, page 118, line 11, leave out “established” and insert “who has an establishment”.
This amendment is consequential on amendment 183.
Amendment 188, in clause 200, page 118, line 21, after “to” insert “a person who has an”.
This amendment is consequential on amendment 183.
Amendment 189, in clause 200, page 118, line 23, leave out subsection (7).—(Margot James.)
This amendment is consequential on amendment 183.
Question proposed, That the clause, as amended, stand part of the Bill.
This is where we get into some of the whys and wherefores of the territorial application of the Bill. We can see in clause 200(1) that the Bill essentially bites on a data controller who is domiciled here in the United Kingdom. A question of public concern—it should also concern us in this Committee—is whether the bite and sanctions of the Bill will touch on people who are registered here, but not necessarily on directors of holding companies who are domiciled elsewhere.
I expect that the things we will learn about over the weekend and into next week will confirm for us all that very small companies—essentially corporate shells—that are perhaps registered as data controllers and might have committed offences under the 1998 Act or under the Bill, once it has received Royal Assent, might be controlled by directors who are domiciled elsewhere. If the Bill is to be worth anything and if it is to change anything in the real world in which we happen to live, there is a real question about how offences committed under it by people here will be limited by the corporate realities, which mean that shell companies are data controllers, but actually the wealth, assets and operating mind of a company are somewhere else. Perhaps the Minister will say a little about how she will tackle that particular problem, because we know it is going to arise.
First, a word on the clause, which sets out the territorial application with respect to the circumstances in which the Bill applies to the processing of personal data. Article 3 of the GDPR says that the GDPR applies where the processing of personal data occurs in the context of the activities of a controller or a processor established in the EU, and that it will also apply where a controller or processor is based outside the EU, but is processing the data of people within the EU in connection with the offering of goods and services to them, or for monitoring their behaviour.
We have revisited the clause to ensure that, as far as possible, the scope of the Bill aligns with the scope of the GDPR, albeit in a UK-only context. The Bill will allow the sanction to be given to an overseas entity where it is in the control of a UK-based company. Whether it can be enforced will depend on international arrangements for bringing people to justice, including those beyond the area of data protection.
One additional point, regarding the global nature of these crimes, is that under UK law we already have stronger data protection laws than many other countries—indeed, considerably stronger than in the United States. That means that American citizens with an interest in this Cambridge Analytica debacle are using the British courts and British legislation to enforce things such as data subject access requests, which have revealed a great deal of the evidence that is coming out of Cambridge Analytica. So we benefit as well from the strength of the data provisions that we have at the moment, which we are of course strengthening through the Bill.
Question put and agreed to.
Clause 200, as amended, accordingly ordered to stand part of the Bill.
Clause 201 ordered to stand part of the Bill.
Clause 202
Application to the Crown
Question proposed, That the clause stand part of the Bill.
I think we would all benefit from a little bit of explanation about how this clause will work in practice. For those who have not read clause 202 in detail, it basically explains how this Bill will operate when it comes to the Crown. That is obviously important, because within Her Majesty’s estates there are particular estates such as the Duchy of Lancaster and indeed the Duchy of Cornwall, which are often quite big businesses. I remember from my own time as Chancellor of the Duchy of Lancaster that there are some quite significant property holdings in that Duchy, and they make a not insignificant contribution to the funds that Her Majesty uses to work with, day to day. How will this clause be put into practice and are there any relevant exemptions that we should know about?
Clause 202 does not contain any provision to exempt the Crown from the requirements of the GDPR. Likewise, section 63 of the 1998 Act also binds the Crown. This clause makes similar and related provision. For example, where Crown bodies enter into controller-processor relationships with each other, subsection (3) provides that the arrangement may be governed by a memorandum of understanding, rather than a contract. This is to meet the requirements of article 28 of the GDPR.
Question put and agreed to.
Clause 202 accordingly ordered to stand part of the Bill.
Clause 203 ordered to stand part of the Bill.
Clause 204
Minor and consequential amendments
Amendment made: 190, in clause 204, page 120, line 12, leave out subsection (1) and insert—
‘(1) In Schedule 18—
(a) Part 1 contains minor and consequential amendments of primary legislation;
(b) Part 2 contains minor and consequential amendments of other legislation;
(c) Part 3 contains consequential modifications of legislation;
(d) Part 4 contains supplementary provision.’
This amendment sets out the contents of Schedule 18 and is consequential on the amendments being made to Schedule 18 including in particular the insertion of new Parts 3 and 4 into that Schedule by amendment 224.—(Margot James.)
Clause 204, as amended, ordered to stand part of the Bill.
Schedule 18
Minor and Consequential Amendments
Amendments made: 191, in schedule 18, page 208, line 25, at end insert—
“Registration Service Act 1953 (c. 37)
A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.
(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 122 of the Data Protection Act 2018 (data-sharing code)”.
(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
Veterinary Surgeons Act 1966 (c. 36)
A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.
(2) In subsection (8)—
(a) omit “personal data protection legislation in the United Kingdom that implements”,
(b) for paragraph (a) substitute—
“(a) the GDPR; and”, and
(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.
(3) In subsection (9), after “section” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”
This amendment makes consequential amendments to primary legislation.
Amendment 192, in schedule 18, page 210, line 4, at end insert—
“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))
8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.
8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.
8C In article 8D (European professional card), after paragraph (3) insert—
“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—
“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.
(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.
(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”.
(3) For sub-paragraph (3) substitute—
“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4) After sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
Representation of the People Act 1983 (c. 2)
8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.
(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
(3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.
(4) In paragraph 11A—
(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and
(b) omit sub-paragraph (2).”
This amendment makes consequential amendments to primary legislation.
Amendment 193, in schedule 18, page 210, leave out lines 5 to 39 and insert—
“Medical Act 1983 (c. 54)
9 The Medical Act 1983 is amended as follows.
10 (1) Section 29E (evidence) is amended as follows.
(2) In subsection (5), after “enactment” insert “or the GDPR”.
(3) For subsection (7) substitute—
“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4) In subsection (9), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.
(2) In subsection (4), after “enactment” insert “or the GDPR”.
(3) For subsection (5A) substitute—
“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”
(4) In subsection (7), at the end insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.
13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.
(2) In sub-paragraph (2)(a), after “enactment” insert “or the GDPR”.
(3) After sub-paragraph (3) insert—
“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.
(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.
(3) For sub-paragraph (8A) substitute—
“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”
(4) After sub-paragraph (13) insert—
“(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”
This amendment replaces the existing consequential amendments of the Medical Act 1983.
Amendment 194, in schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 33B of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 195, in schedule 18, page 211, line 20, at end insert—
“15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”
This amendment makes further consequential amendments to the Dentists Act 1984.
Amendment 196, in schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 36Y of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 197, in schedule 18, page 211, line 41, at end insert—
“16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.
16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
Companies Act 1985 (c. 6)
16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”
This amendment makes consequential amendments to primary legislation, including further consequential amendments to the Dentists Act 1984.
Amendment 198, in schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 13B of the Opticians Act 1989 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 199, in schedule 18, page 212, line 18, at end insert—
“Access to Health Records Act 1990 (c. 23)
18A The Access to Health Records Act 1990 is amended as follows.
18B For section 2 substitute—
“2 Health professionals
In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”
18C (1) Section 3 (right of access to health records) is amended as follows.
(2) In subsection (2), omit “Subject to subsection (4) below,”.
(3) In subsection (4), omit from “other than the following” to the end.”
This amendment makes consequential amendments to the Access to Health Records Act 1990.
Amendment 200, in schedule 18, page 213, line 2, at end insert—
“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))
21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.
(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After paragraph (6) insert—
“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Industrial Relations (Northern Ireland) Order 1992.
Amendment 201, in schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 40 of the Freedom of Information Act 2000 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 202, in schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.
Amendment 203, in schedule 18, page 220, line 7, at end insert—
“Enterprise Act 2002 (c. 40)
64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.
(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
(3) After subsection (6) insert—
“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Enterprise Act 2002.
Amendment 204, in schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in section 38 of the Freedom of Information (Scotland) Act 2002 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 205, in schedule 18, page 222, line 21, at end insert—
“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)
75A (1) Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.
(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.
(3) After subsection (9) insert—
“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””
This amendment makes consequential amendments to the Mental Health (Care and Treatment) (Scotland) Act 2003.
Amendment 206, in schedule 18, page 222, line 29, at end insert—
“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)
76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.
76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.
(2) In subsection (2)—
(a) omit “within the meaning of the Data Protection Act 1998”, and
(b) for “that Act” substitute “the data protection legislation”.
(3) After subsection (7) insert—
“(8) In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.
(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After subsection (7) insert—
“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to the Companies (Audit, Investigations and Community Enterprise) Act 2004.
Amendment 207, in schedule 18, page 225, line 10, at end insert—
“88A (1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.
(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After subsection (3) insert—
“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes further consequential amendments to the National Health Service Act 2006.
Amendment 208, in schedule 18, page 225, line 28, at end insert—
“Companies Act 2006 (c. 46)
92A The Companies Act 2006 is amended as follows.
92B In section 458(2) (disclosure of information by tax authorities)—
(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and
(b) for “that Act” substitute “the data protection legislation”.
92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.
92E In section 1173(1) (minor definitions: general), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.
92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.
92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.
92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—
“the data protection legislation section 1261(1)”.
92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—
“the data protection legislation section 1173(1)”.”
This amendment makes consequential amendments to the Companies Act 2006.
Amendment 209, in schedule 18, page 225, line 38, at end insert—
“96A (1) Section 45 (information held by HMRC) is amended as follows.
(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.
(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”
This amendment makes further consequential amendments to the Statistics and Registration Service Act 2007.
Amendment 210, in schedule 18, page 230, line 16, at end insert—
“Coroners and Justice Act 2009 (c. 25)
122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”
This amendment makes a consequential amendment to the Coroners and Justice Act 2009 and is consequential on the amendments being made to section 3 of the Access to Health Records Act 1990 by amendment 199.
Amendment 211, in schedule 18, page 232, line 39, after “after “” insert “this”
Paragraph 130(3) of Schedule 18 to the bill amends paragraph 8(8) of Schedule 2 to the Welsh Language (Wales) Measure 2011 by inserting new text. This amendment clarifies where that new text is to be inserted in the English language version of that Measure.
Amendment 212, in schedule 18, page 242, line 40, at end insert—
“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)
186A (1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.
(2) In the English language text—
(a) in subsection (9), omit from “and in this subsection” to the end, and
(b) after subsection (9) insert—
“(9A) In subsection (9)—
“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;
“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
(3) In the Welsh language text—
(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and
(b) after subsection (9) insert—
“(9A) Yn is-adran (9)—
mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);
mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.”
This amendment makes consequential amendments to the Additional Learning Needs and Educational Tribunal (Wales) Act 2018.
Amendment 213, in schedule 18, page 243, line 14, at end insert—
“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)
187A In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—
“Data Protection Act 2018 Section 145 False statements made in response to an information notice””
This amendment makes a consequential amendment to the Estate Agents (Specific Offences) (No. 2) Order 1991.
Amendment 214, in schedule 18, page 243, line 22, after “controller”,” insert—
(ba) after “in the context of” insert “the activities of”,”
This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.
Amendment 215, in schedule 18, page 243, line 27, after “controller”,” insert—
(ba) after “in the context of” insert “the activities of”,”
This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.
Amendment 216, in schedule 18, page 243, line 28, at end insert—
“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))
188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.
188B In Article 4 (health professionals), for paragraph (1) substitute—
“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”
188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.
Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)
188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—
“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).
(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”
European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)
188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.
188F (1) Regulation 2(1) (interpretation) is amended as follows.
(2) Omit the definition of “Directive 95/46/EC”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
188G (1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)
188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—
“7 Data Protection Act 2018
(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)
188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—
“9 Data Protection Act 2018
(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Commission is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)
188J The Representation of the People (England and Wales) Regulations 2001 are amended as follows.
188K In regulation 3(1) (interpretation), at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
188L In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188M In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188N In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188O In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a) Article 89 GDPR purposes;”.
188P (1) Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.
(2) After sub-paragraph (b) insert—
“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3) Omit sub-paragraphs (c) and (d).
188Q In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
188R In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188S In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188T In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188U In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188V In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i) Article 89 GDPR purposes;”.
Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)
188W The Representation of the People (Scotland) Regulations 2001 are amended as follows.
188X In regulation 3(1) (interpretation), at the appropriate places, insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.
188AB In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—
“(a) Article 89 GDPR purposes;”.
188AC In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—
“(a) Article 89 GDPR purposes;”.
188AD (1) Regulation 92(2) (interpretation of Part VI etc) is amended as follows.
(2) After sub-paragraph (b) insert—
“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”
(3) Omit sub-paragraphs (c) and (d).
188AE In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
188AF In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AG In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AH In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—
“(i) Article 89 GDPR purposes;”.
Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)
188AJ (1) Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.
(2) In paragraph (2B), for sub-paragraph (a) substitute—
“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.
(3) After paragraph (5) insert—
“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Nursing and Midwifery Order 2001 (S.I. 2002/253)
188AK The Nursing and Midwifery Order 2001 is amended as follows.
188AL (1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.
(2) In paragraph (18), after “enactment” insert “or the GDPR”.
(3) After paragraph (18) insert—
“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
188AM (1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.
(2) In paragraph (3), after “enactment” insert “or the GDPR”.
(3) In paragraph (6)—
(a) for “paragraph (5),” substitute “paragraph (3)—”, and
(b) at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
188AN In article 39B (European professional card), after paragraph (2) insert—
“(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
188AO In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
188AP (1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.
(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).
188AQ (1) The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
188AR In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.
Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)
188AS Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.
188AT In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.
188AU In paragraph (3)—
(a) omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and
(b) at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”
This amendment makes consequential amendments to secondary legislation, including to the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 and the Northern Ireland Assembly Commission (Crown Status) Order 1999.
Amendment 217, in schedule 18, page 244, line 1, at end insert—
(d) for “data controller” substitute “controller”, and
(e) after “in the context of” insert “the activities of”.
Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)
191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.
191B (1) Regulation 2 (interpretation) is amended as follows.
(2) Omit the definition of “the 1998 Act”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
191C (1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.
(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.
(3) For paragraphs (a) to (c) substitute—
“(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;
(ab) the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.
(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.
(5) In paragraph (e), for “that” substitute “the information”.
191D In regulation 9 (fees), for paragraph (1) substitute—
“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.
(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—
(a) exceeds the cost of supply, or
(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”
European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)
191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.
191F (1) Paragraph 74(1) (interpretation) is amended as follows.
(2) Omit the definitions of “relevant conditions” and “research purposes”.
(3) At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.”
This amendment makes consequential amendments to secondary legislation, including to the Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003. The amendment to that Order is consequential on amendment 183, and also changes the reference in article 11(4) of that Order to a “data controller” to a “controller”.
Amendment 218, in schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in the Environmental Information Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 219, in schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in the Environmental Information (Scotland) Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 220, in schedule 18, page 247, line 40, at end insert—
“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)
199A (1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.
(2) In paragraph (1)(b)—
(a) for paragraph (iii) (but not the final “, and”) substitute—
“(iii) the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and
(b) in the words following paragraph (iii), omit “search”.
(3) After paragraph (2) insert—
“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”
Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)
199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.
199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.
199D (1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.
(2) In paragraph (4)—
(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and
(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.
(3) After paragraph (6) insert—
“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””
This amendment makes consequential amendments to secondary legislation.
Amendment 221, in schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”
This amendment makes clear that in regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.
Amendment 222, in schedule 18, page 249, line 1, at end insert—
“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)
200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—
(a) for the definition of “data protection principles” substitute—
““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and
(b) at the appropriate place insert—
““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.
Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)
200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.
200C (1) Regulation 39 (sensitive information) is amended as follows.
(2) In paragraph (1)(d)—
(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.
(3) After paragraph (1) insert—
“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a) Article 21 of the GDPR (general processing: right to object to processing), or
(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).
(1C) The condition in this paragraph is that—
(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,
(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or
(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.
(1D) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
(4) Omit paragraphs (2) to (4).
National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)
200D (1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(4) After that sub-paragraph insert—
“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)
200E In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—
“(b) any material used consists of or includes human cells or human DNA,”.
National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)
200F For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—
“5 Data Protection Act 2018
(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.
(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—
(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),
(b) section 202 (application to the Crown),
(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),
(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and
(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).
(3) In the provisions mentioned in paragraph (4)—
(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and
(b) references to a person in the service of the Crown are to be treated as including a person so employed.
(4) The provisions are—
(a) section 24(3) (exemption for certain data relating to employment under the Crown), and
(b) section 202(6) (application of certain provisions to a person in the service of the Crown).
(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))
200G In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity) —
(a) in the English language text, for paragraph (c) substitute—
“(c) any material used consists of or includes human cells or human DNA; and”, and
(b) in the Welsh language text, for paragraph (c) substitute—
“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.
Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)
200H (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.
(2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—
“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.
(3) After paragraph (1) insert—
“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)
200I In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—
“(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after paragraph (3) insert—
“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)
200J The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.
200K In regulation 2 (interpretation), at the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
200L In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.
Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)
200M In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—
(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and
(b) after paragraph (3) insert—
“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)
200N In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.
Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))
200O The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.
200P In regulation 2(1) (interpretation)—
(a) at the appropriate place in the English language text insert—
““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and
(b) at the appropriate place in the Welsh language text insert—
“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran 3(10), (11) a (14) o’r Ddeddf honno);”.
200Q (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
(2) In paragraph (7)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (8)—
(a) in the English language text substitute—
“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
200R (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
(2) In paragraph (6)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (7)—
(a) in the English language text substitute—
“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
200S (1) Regulation 29 (occurrence reports) is amended as follows.
(2) In paragraph (3)—
(a) in the English language text, at the end insert “or the GDPR”, and
(b) in the Welsh language text, at the end insert “neu’r GDPR”.
(3) For paragraph (4)—
(a) in the English language text substitute—
“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and
(b) in the Welsh language text substitute—
“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”
Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)
200T (1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.
(2) In paragraph (3)—
(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and
(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.
(3) After paragraph (3) insert—
“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—
(a) Article 21 of the GDPR (general processing: right to object to processing), or
(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”
(4) After paragraph (4) insert—
“(5) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)
200U (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Overseas Companies Regulations 2009 (S.I. 2009/1801)
200V (1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Provision of Services Regulations 2009 (S.I. 2009/2999)
200W In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—
“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”
This amendment makes consequential amendments to secondary legislation including to the National Assembly for Wales Commission (Crown Status) Order 2007.
Amendment 223, in schedule 18, page 249, line 32, at end insert—
“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)
201A (1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.
(2) In paragraph (2)—
(a) omit “or” at the end of sub-paragraph (a),
(b) for sub-paragraph (b) substitute—
“(b) Article 21 of the GDPR (general processing: right to object to processing), or
(c) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and
(c) omit the words following sub-paragraph (b).
(3) After paragraph (6) insert—
“(7) In this regulation—
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the GDPR,
(b) section 34(1) of the Data Protection Act 2018, and
(c) section 85(1) of that Act;
“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).
(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R. (N.I.) 2009 No. 225)
201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.
201C In regulation 2(2) (interpretation), at the appropriate place insert—
““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”
201D (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.
(2) In paragraph (7), at the end insert “or the GDPR”.
(3) For paragraph (8) substitute—
“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
201E (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.
(2) In paragraph (6), at the end insert “or the GDPR”.
(3) For paragraph (7) substitute—
“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
201F (1) Regulation 29 (occurrence reports) is amended as follows.
(2) In paragraph (3), at the end insert “or the GDPR”.
(3) For paragraph (4) substitute—
“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
Pharmacy Order 2010 (S.I. 2010/231)
201G The Pharmacy Order 2010 is amended as follows.
201H In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.
201I (1) Article 9 (inspection and enforcement) is amended as follows.
(2) For paragraph (4) substitute—
“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”
(3) After paragraph (4) insert—
“(5) In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
201J In article 33A (European professional card), after paragraph (2) insert—
“(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”
201K (1) Article 49 (disclosure of information: general) is amended as follows.
(2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.
(3) For paragraph (3) substitute—
“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”
(4) After paragraph (5) insert—
“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
201L (1) Article 55 (professional performance assessments) is amended as follows.
(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”.
(3) For paragraph (6) substitute—
“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”
(4) After paragraph (8) insert—
“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”
201M In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—
“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
201N (1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.
(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.
(3) In paragraph 9 (processing data)—
(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and
(b) after sub-paragraph (2) insert—
“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”
201O (1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.
(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.
National Employment Savings Trust Order 2010 (S.I. 2010/917)
201P The National Employment Savings Trust Order 2010 is amended as follows.
201Q In article 2 (interpretation)—
(a) omit the definition of “data” and “personal data”, and
(b) at the appropriate place insert—
““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
201R (1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.
(2) In paragraph (1)—
(a) for “disclosure of data” substitute “disclosure of information”, and
(b) for “requested data” substitute “requested information”.
(3) In paragraph (2)—
(a) for “requested data” substitute “requested information”,
(b) for “those data are” substitute “the information is”, and
(c) for “receive those data” substitute “receive that information”.
(4) In paragraph (3), for “requested data” substitute “requested information”.
(5) In paragraph (4), for “requested data” substitute “requested information”.
Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)
201S (1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(1) (interpretation and general)—
(a) omit the definition of “research purposes”, and
(b) at the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.
Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))
201T (1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.
(2) In paragraph (5)—
(a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—
(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or
(b) to which the pupil would have no right of access under the GDPR.”, and
(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—
(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu
(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”
(3) After paragraph (5)—
(a) in the English language text insert—
“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and
(b) in the Welsh language text insert—
“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”
Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)
201U In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.
Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)
201V The Police and Crime Commissioner Elections Order 2012 is amended as follows.
201W (1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.
(2) In paragraph 20 (absent voter lists: supply of copies etc)—
(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (10) insert—
“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b) after that sub-paragraph insert—
“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
201X (1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3) In paragraph 5 (restriction on use of documents or of information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and
(b) after sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)
201Y Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.
201Z (1) Paragraph 29(1) (interpretation of Part 8) is amended as follows.
(2) At the appropriate places insert—
““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.
(3) For the definition of “relevant conditions” substitute—
““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.
(4) Omit the definition of “research purposes”.
201AA In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.
201AB In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AC In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AD In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.
201AE In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—
(a) Article 89 GDPR purposes (as defined in paragraph 29),”.
Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)
201AF (1) Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.
(2) For paragraph (4) substitute—
“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”
(3) In paragraph (5), after “enactment” insert “or the GDPR”.
(4) After paragraph (6) insert—
“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”
Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)
201AG (1) Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.
(2) The existing text becomes paragraph (1).
(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(4) After that paragraph insert—
“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””
This amendment makes consequential amendments to secondary legislation.
Amendment 224, in schedule 18, page 250, line 7, at end insert—
“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)
204A (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(4) In paragraph (c) of that sub-paragraph—
(a) omit “or” at the end of sub-paragraph (i), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.
(5) After paragraph (c) of that sub-paragraph insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”
(6) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)
204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.
204C (1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.
(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) After paragraph (2) insert—
“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
204D (1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.
(2) For paragraph (1) substitute—
“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”
(3) After paragraph (3) insert—
“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”
European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)
204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.
204F (1) Regulation 2(1) (interpretation) is amended as follows.
(2) Omit the definition of “Directive 95/46/EC”.
(3) At the appropriate place insert—
““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.
204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.
204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.
204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.
204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).
204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.
Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.
204M (1) Schedule 3 (absent voting) is amended as follows.
(2) In paragraph 16 (absent voting lists: supply of copies etc)—
(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (10) insert—
“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
(3) In paragraph 20 (restriction on use of absent voting lists)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after that sub-paragraph insert—
“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
204N (1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.
(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).
(3) In paragraph 5 (restriction on use of documents or of information contained in them)—
(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—
(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and
(b) after sub-paragraph (4) insert—
“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)
204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.
Register of People with Significant Control Regulations 2016 (S.I. 2016/339)
204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.
204Q (1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.
(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—
(i) for the purposes of ensuring that it complies with its data protection obligations;”.
(3) In sub-paragraph (c)—
(a) omit “or” at the end of paragraph (ii), and
(b) at the end insert “; or
(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice); and”.
(4) After sub-paragraph (c) insert—
“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”
204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—
(b) for the purposes of ensuring that it complies with its data protection obligations.”
204S (1) In Part 3 (interpretation), after paragraph 13 insert—
14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—
(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”
Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)
204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.
204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.
204V In regulation 3(3) (supervision), omit “under the 1998 Act”.
204W For Schedule 2 substitute—
SCHEDULE 2
Information commissioner’s enforcement powers
Provisions applied for enforcement purposes
1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 24—
(a) section 140 (publication by the Commissioner);
(b) section 141 (notices from the Commissioner);
(c) section 143 (information notices);
(d) section 144 (information notices: restrictions);
(e) section 145 (false statements made in response to an information notice);
(f) section 146 (assessment notices);
(g) section 147 (assessment notices: restrictions);
(h) section 148 (enforcement notices);
(i) section 149 (enforcement notices: supplementary);
(j) section 151 (enforcement notices: restrictions);
(k) section 152 (enforcement notices: cancellation and variation);
(l) section 153 and Schedule 15 (powers of entry and inspection);
(m) section 154 and Schedule 16 (penalty notices);
(n) section 155(4)(a) (penalty notices: restrictions);
(o) section 156 (maximum amount of penalty);
(p) section 158 (amount of penalties: supplementary);
(q) section 159 (guidance about regulatory action);
(r) section 160 (approval of first guidance about regulatory action);
(s) section 161 (rights of appeal);
(t) section 162 (determination of appeals);
(u) section 179(1), (2), (5), (7) and (12) (regulations and consultation);
(v) section 189 (penalties for offences);
(w) section 190 (prosecution);
(x) section 195 (proceedings in the First-tier Tribunal: contempt);
(y) section 196 (Tribunal Procedure Rules).
General modification of references to the Data Protection Act 2018
2 The provisions listed in paragraph 1 have effect as if—
(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;
(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.
Modification of section 143 (information notices)
3 (1) Section 143 has effect as if subsections (9) and (10) were omitted.
(2) In that section, subsection (1) has effect as if—
(a) in paragraph (a)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;
(b) paragraph (b) were omitted.
Modification of section 144 (information notices: restrictions)
4 (1) Section 144 has effect as if subsections (1) and (9) were omitted.
(2) In that section—
(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;
(b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 145 or paragraph 15 of Schedule 15”;
(c) subsection (8) has effect as if for “this Act (other than an offence under section 145)” there were substituted “paragraph 15 of Schedule 15”.
Modification of section 146 (assessment notices)
5 (1) Section 146 has effect as if subsection (10) were omitted.
(2) In that section—
(a) subsection (1) has effect as if—
(i) for “controller or processor” (in both places) there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;
(b) subsection (2) has effect as if paragraphs (g) and (h) were omitted;
(c) subsections (7), (8) and (9) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.
Modification of section 147 (assessment notices: restrictions)
6 (1) Section 147 has effect as if subsections (5) and (6) were omitted.
(2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
Modification of section 148 (enforcement notices)
7 (1) Section 148 has effect as if subsections (2) to (5) and (7) to (9) were omitted.
(2) In that section—
(a) subsection (1) has effect as if—
(i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;
(ii) for “sections 149 and 150” there were substituted “section 149”;
(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.
Modification of section 149 (enforcement notices: supplementary)
8 (1) Section 149 has effect as if subsection (3) were omitted.
(2) In that section, subsection (2) has effect as if the words “in reliance on section 148(2)” and “or distress” were omitted.
Modification of section 151 (enforcement notices: restrictions)
9 Section 151 has effect as if subsections (1), (2) and (4) were omitted.
Withdrawal notices
10 The provisions listed in paragraph 1 have effect as if after section 152 there were inserted—
“Withdrawal notices
152A Withdrawal notices
(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—
(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and
(b) the condition in subsection (2) or (3) is met.
(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.
(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—
(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and
(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.
(4) A withdrawal notice must—
(a) state when the withdrawal takes effect, and
(b) provide information about the rights of appeal under section 161.”
Modification of Schedule 15 (powers of entry and inspection)
11 (1) Schedule 15 has effect as if paragraph 3 were omitted.
(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—
(a) there are reasonable grounds for suspecting that—
(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or
(ii) an offence under section 145 or paragraph 15 of Schedule 15 has been or is being committed,”.
(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—
(a) in sub-paragraph (1) and (2), for “controller or processor” there were substituted “trust service provider”;
(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.
(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—
(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;
(b) in sub-paragraph (2)(c)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “as described in section 148(2)” there were substituted “to comply with the eIDAS requirements”;
(c) in sub-paragraph (3)(a) and (c)—
(i) for “controller or processor” there were substituted “trust service provider”;
(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.
(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.
Modification of section 154 (penalty notices)
12 (1) Section 154 has effect as if subsections (1)(a), (2)(a), (3)(g), (3A) and (5) to (7) were omitted.
(2) Subsection (2) of that section has effect as if—
(a) the words “Subject to subsection (3A),” were omitted;
(b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.
(3) Subsection (3) of that section has effect as if—
(a) for “controller or processor”, in each place, there were substituted “trust services provider”;
(b) in paragraph (c), the words “or distress” were omitted;
(c) in paragraph (c), for “data subjects” there were substituted “relying parties”;
(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.
Modification of Schedule 16 (penalties)
13 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.
Modification of section 156 (maximum amount of penalty)
14 Section 156 has effect as if subsections (1) to (3) and (6) were omitted.
Modification of section 158 (amount of penalties: supplementary)
15 Section 158 has effect as if—
(a) in subsection (1), the words “Article 83 of the GDPR and” were omitted;
(b) in subsection (2), the words “Article 83 of the GDPR” and “and section 157” were omitted.
Modification of section 159 (guidance about regulatory action)
16 (1) Section 159 has effect as if subsections (4) and (10) were omitted.
(2) In that section, subsection (3)(e) has effect as if for “controllers and processors” there were substituted “trust service providers”.
Modification of section 161 (rights of appeal)
17 (1) Section 161 has effect as if subsection (5) were omitted.
(2) In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—
(ca) a withdrawal notice;”.
Modification of section 162 (determination of appeals)
18 Section 162 has effect as if subsection (7) were omitted.
Modification of section 179 (regulations and consultation)
19 Section 179 has effect as if subsections (3), (4), (6), (8) to (11) and (13) were omitted.
Modification of section 189 (penalties for offences)
20 (1) Section 189 has effect as if subsections (3) to (5) were omitted.
(2) In that section—
(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;
(b) subsection (2) has effect as if for “section 132, 145, 170, 171 or 181” there were substituted “section 145”.
Modification of section 190 (prosecution)
21 Section 190 has effect as if subsections (3) to (6) were omitted.
Modification of section 195 (proceedings in the First-tier Tribunal: contempt)
22 Section 195 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 161”.
Modification of section 196 (Tribunal Procedure Rules)
23 Section 196 has effect as if—
(a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 161”;
(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.
Approval of first guidance about regulatory action
24 (1) This paragraph applies if the first guidance produced under section 159(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).
(2) Section 160 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).
(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.
(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.
Interpretation
25 In this Schedule—
“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;
“the EITSET Regulations” means these Regulations;
“withdrawal notice” has the meaning given in section 146A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”
Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)
204X The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.
204Y In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018.”
204Z In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018.”
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)
204AA The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
204AB In regulation 3(1) (interpretation), at the appropriate places insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.
204AC In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a) the Data Protection Act 2018 or any other enactment, or
(b) the GDPR.”
204AD In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a) the Data Protection Act 2018 or any other enactment, or
(b) the GDPR.”
204AE For regulation 40(9)(c) (record keeping) substitute—
(c) “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
(b) “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
204AF (1) Regulation 41 (data protection) is amended as follows.
(2) Omit paragraph (2).
(3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”.
(4) Omit paragraphs (4) and (5).
(5) After those paragraphs insert—
“(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—
(a) for the purposes of preventing money laundering or terrorist financing, or
(b) as permitted under paragraph (3).
(7) In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.
(8) In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 9, 10 and 10A of that Schedule).
(9) In this regulation—
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”
204AG (1) Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.
(2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) For paragraph (11) substitute—
“(11) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
204AH (1) Regulation 85 (publication: the Commissioners) is amended as follows.
(2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.
(3) For paragraph (10) substitute—
“(10) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
204AI For regulation 106(a) (general restrictions) substitute—
“(a) a disclosure in contravention of the data protection legislation; or”.
204AJ After paragraph 27 of Schedule 3 (relevant offences) insert—
27A An offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”
Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)
204AK (1) Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.
(2) The existing text becomes sub-paragraph (1).
(3) For paragraph (b) of that sub-paragraph substitute—
(b) for the purposes of ensuring that it complies with its data protection obligations.”
(4) After sub-paragraph (1) insert—
“(2) In this paragraph, “data protection obligations”, in relation to a relevant institution, means—
(a) where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b) where the institution carries on business in a EEA State other than the United Kingdom, obligations under—
(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).
National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)
204AL The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.
204AM (1) Regulation 1 (citation and commencement) is amended as follows.
(2) In paragraph (2), omit “Subject to paragraph (3),”.
(3) Omit paragraph (3).
204AN In regulation 3(1) (interpretation)—
(a) omit the definition of “the 1998 Act”,
(b) at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c) omit the definition of “GDPR”.
204AO (1) Schedule 6 (other contractual terms) is amended as follows.
(2) In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—
(a) the data protection legislation, or
(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”
(3) For paragraph 64 (meaning of data controller etc.) substitute—
“Meaning of controller etc.
64A For the purposes of this Part—
“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);
“data protection officer” means a person designated as a data protection officer under the data protection legislation;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”
(4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.
(5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i) the data protection legislation, and
(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(6) In paragraph 94(4) (variation of a contract: general)—
(a) omit paragraph (b), and
(b) after paragraph (d) (but before the final “and”) insert—
“(da) the data protection legislation;
(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)
204AP The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.
204AQ (1) Regulation 1 (citation and commencement) is amended as follows.
(2) In paragraph (2), omit “Subject to paragraph (3),”.
(3) Omit paragraph (3).
204AR In regulation 3(1) (interpretation)—
(a) omit the definition of “the 1998 Act”, and
(b) at the appropriate place insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and
(c) omit the definition of “GDPR”.
204AS (1) Schedule 1 (content of agreements) is amended as follows.
(2) In paragraph 34 (interpretation)—
(a) in sub-paragraph (1)—
(i) omit “Subject to sub-paragraph (3),”,
(ii) before paragraph (a) insert—
(iii) for paragraph (d) substitute—
(b) omit sub-paragraphs (2) and (3),
(c) in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—
(a) the data protection legislation, or
(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and
(d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.
(3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—
(i) the data protection legislation, and
(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
(4) In paragraph 61(3) (variation of agreement: general)—
(a) omit paragraph (b), and
(b) after paragraph (d) (but before the final “and”) insert—
“(da) the data protection legislation;
(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.
Part 3
Modifications
Introduction
204AT (1) Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.
(2) That legislation is—
(a) subordinate legislation made before the day on which this Part of this Schedule comes into force;
(b) primary legislation that is passed or made before the end of the Session in which this Act is passed.
(3) In this Part of this Schedule—
“primary legislation” has the meaning given in section 204(7);
“references” includes any references, however expressed.
General modifications
204AU (1) References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.
(2) Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.
(3) References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.
Specific modification of references to terms used in the Data Protection Act 1998
204AV (1) References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).
(2) References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).
(3) References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).
(4) References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).
(5) References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—
(a) Article 5(1) of the GDPR and the applied GDPR, and
(b) sections 34(1) and 85(1) of this Act.
(6) References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 123 of this Act.
(7) References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 197 of this Act.
(8) References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 198 of this Act.
Part 2
Supplementary
Definitions
204AW Section 3(14) does not apply to this Schedule.”
This amendment makes consequential amendments to secondary legislation including to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (the EITSET Regulations) and to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It also inserts two new Parts into Schedule 18. New Part 3 contains consequential modifications of provisions in certain legislation not amended by Parts 1 and 2 of Schedule 18. New Part 4 contains supplementary provision.—(Margot James.)
Schedule 18, as amended, ordered to stand part of the Bill.
Clause 205
Commencement
Amendments made: 72, in clause 205, page 120, line 37, leave out paragraph (b)
This amendment is consequential on the omission of Clauses 168 and 169 (see Amendments 60 and 61).
Amendment 225, in clause 205, page 121, line 4, at end insert—
‘( ) Regulations under this section may make different provision for different areas.”
This amendment enables regulations under clause 205 bringing provisions of the bill into force to make different provision for different areas.—(Margot James.)
Clause 205, as amended, ordered to stand part of the Bill.
Clause 206 ordered to stand part of the Bill.
Clause 207
Extent
Amendments made: 73, in clause 207, page 121, line 12, after “(2)” insert “, (2A)”
See the explanatory statement for Amendment 74.
Amendment 226, in clause 207, page 121, line 12, leave out “and (3)” and insert “, (3) and (3A)”
See the explanatory statement for amendment 227.
Amendment 74, in clause 207, page 121, line 14, at end insert—
‘(2A) Sections (Representation of data subjects with their authority: collective proceedings) and (Duty to review provision for representation of data subjects) extend to England and Wales and Northern Ireland only.”
This amendment and Amendment 73 provide that NC1 and NC2 extend only to England and Wales and Northern Ireland.
Amendment 227, in clause 207, page 121, line 15, after “extent” insert “in the United Kingdom”
This amendment and amendments 226, 228 and 229 clarify that amendments of enactments made by the bill have the same extent in the United Kingdom as the enactment amended and that certain amendments also extend to the Isle of Man.
Amendment 228, in clause 207, page 121, line 16, leave out “(ignoring extent by virtue of an Order in Council)”
See the explanatory statement for amendment 227.
Amendment 229, in clause 207, page 121, line 17, at end insert—
‘(3A) This subsection and the following provisions also extend to the Isle of Man—
(a) paragraphs 200N and 205 of Schedule 18;
(b) sections 204(1), 205(1) and 206, so far as relating to those paragraphs.”
See the explanatory statement for amendment 227. Paragraph 200N in amendment 222 amends the Competition Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008.—(Margot James.)
Clause 207, as amended, ordered to stand part of the Bill.
Clause 208
Short title
Amendment made: 75, in clause 208, page 121, line 24, leave out subsection (2)
This amendment removes the privilege amendment inserted by the Lords.—(Margot James.)
Clause 208, as amended, ordered to stand part of the Bill.
New Clause 1
Representation of data subjects with their authority: collective proceedings
‘(1) The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.
(2) In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 183.
(3) The power under subsection (1) includes power—
(a) to make provision about the proceedings;
(b) to confer functions on a person, including functions involving the exercise of a discretion;
(c) to make different provision in relation to England and Wales and in relation to Northern Ireland.
(4) The provision mentioned in subsection (3)(a) includes provision about—
(a) the effect of judgments and orders;
(b) agreements to settle claims;
(c) the assessment of the amount of compensation;
(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e) costs.
(5) Regulations under this section are subject to the negative resolution procedure.”
This new clause confers power on the Secretary of State to make regulations enabling representative bodies (defined in Clause 183) to bring collective proceedings in England and Wales or Northern Ireland combining two or more claims in respect of data subjects’ rights.—(Margot James.)
Brought up, read the First and Second time, and added to the Bill.
New Clause 2
Duty to review provision for representation of data subjects
‘(1) Before the end of the review period, the Secretary of State must—
(a) review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,
(b) prepare a report of the review, and
(c) lay a copy of the report before Parliament.
(2) Those matters are—
(a) the operation of Article 80(1) of the GDPR,
(b) the operation of section 183,
(c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject), and
(d) the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation).
(3) “The review period” is the period of 30 months beginning when section 183 comes into force.
(4) After the report under subsection (1) is laid before Parliament, the Secretary of State may by regulations—
(a) exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland, and
(b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject.
(5) The powers under subsection (4) include power—
(a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;
(b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights,
(c) to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;
(d) to confer functions on a person, including functions involving the exercise of a discretion;
(e) to amend sections 164 to 166, 177, 183, 196, 198 and 199;
(f) to insert new sections and Schedules into Part 6 or 7;
(g) to make different provision in relation to England and Wales and in relation to Northern Ireland.
(6) The provision mentioned in subsection (5)(b) and (c) includes provision about—
(a) the effect of judgments and orders;
(b) agreements to settle claims;
(c) the assessment of the amount of compensation;
(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e) costs.
(7) Regulations under this section are subject to the affirmative resolution procedure.”
This new clause imposes a duty on the Secretary of State to review the operation of provisions enabling a representative body to exercise data subjects’ rights with their authority in England and Wales and Northern Ireland and to consider exercising powers under the GDPR to enable a representative body to exercise such rights there without being authorised to do so by the data subjects.—(Margot James.)
Brought up, read the First and Second time, and added to the Bill.
New Clause 5
Bill of Data Rights in the Digital Environment
Schedule [Bill of Data Rights in the Digital Environment] shall have effect.
This new clause would introduce a Bill of Data Rights in the Digital Environment.—(Liam Byrne.)
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
My response will encompass our digital charter, as the right hon. Member for Birmingham, Hodge Hill mentioned, and I will also answer some of the points he made in his interesting exposition of his rights-based approach. I agree with him: the internet is a powerful force for good, serving humanity and spreading ideas, freedom and opportunity across the world. Yet, as he rightly states, there are considerable trust issues, which can have only worsened in recent days.
I would like to emphasise the point made by my hon. Friend the Member for Gordon that the UK has a strong digital economy accounting for over 12.5% of GDP, which makes us the leading digital economy in the G20.
The right hon. Gentleman was critical of Government sites and services, but we have developed a system that is being taken up by several other countries, including New Zealand, which are adopting our approach to providing Government services online. I am sorry that his experience on the tax side was not great, and there are always exceptions, but on the whole we are leaders in the provision of Government services online.
Citizens rightly want to know that they will be safe and secure online. Tackling these challenges in an effective and responsible way is absolutely critical. The digital charter is our response. It is a rolling programme of work to agree norms and rules for the online world and to put them into practice. In some cases, that will be through shifting expectations of behaviour and resetting a settlement with internet companies. In some cases, we will need to agree completely new standards; in others, we will want to update our laws and regulations. Our starting point is that we expect the same rights and behaviour online as we do offline, with the same ease of enforcement.
The charter’s core purpose is to make the internet work for everyone—for citizens, businesses and society as a whole—and it is based on liberal values. Every country is grappling with these challenges. The right hon. Gentleman suggested last week that the Government are not averse to making declaratory statements of rights and interpreting them into law, but his key example related to human rights. The Human Rights Act provides a detailed and well-considered legislative framework for those rights and ensures that they are meaningful.
When the right hon. Member for Surrey Heath (Michael Gove), who is now the Secretary of State for Environment, Food and Rural Affairs, was Secretary of State at the Ministry of Justice, he launched a consultation about an English Bill of Rights, which was about not simply human rights but a much broader set of rights. I do not think there is a big difference in our approaches to rights. Actually, I think there is a shared approach, as has been recognised down the years.
Yes, much of our approach is shared. The Government decided not to proceed with that Bill of Rights, but the right hon. Gentleman rightly points out that both our parties have a keen interest in this area. However, to set out his proposed bill of data rights in primary legislation would cut across the GDPR. It would impose its own rights of rectification and erasure, its own notion of control and its own obligations on controllers to keep data secure, but, of course, the GDPR already does that, and comparable rights are provided for in the Bill. I am concerned about how the Commission would react to such an attempt to redefine data protection standards. That is one of our main concerns with his new clauses and new schedule, no matter how much we might agree with the sentiments behind them. Given that, and the fact that we are proceeding with our digital charter, I feel that the Bill, in essence, covers this issue, and I need say no more about it.
Our proposed bill of data rights seeks not to redefine but to enshrine, so the rights reflected in the GDPR are no more than enshrined in it. The point is that it would go over and above the rights and obligations set out in this Bill. The right of equal access to the internet, the crystallisation of the right to expression and the advancement of the debate about the right to data ownership are important provisions whose time will come. At some point, due to the way the world is changing, our citizens and constituents will begin to demand both a democratisation of the privileges of this new age and of progress, and the right to effective defences and new protections.
I am glad that the Minister agrees with the sentiment behind the new clause, and I recognise that she perhaps does not see this Bill as the place to consolidate our brilliant ideas into the law of the land. I listened with interest to what she said about a rolling programme of ideas in the digital charter. There is a challenge with that approach: it will end up following the cones hotline model of public service reform. It will not live or sing; it will be bedevilled by voluntary codes, bureaucracy and operational procedures, and it will end up not really making a difference to the world. Our bill of data rights is clear.
If rights are to be a reality, they need not to be a mystery but to be understood. They need to be something that people can talk about in a pub. They need to be something not that is set out in 250 pages of primary legislation but that can be set out on the back of a fag packet. In our bill of data rights, we set out a clear agenda that would make a difference and be easily understood and enforced. It would be an improvement and would take forward the rights and liberties of the citizens of this country.
(6 years, 9 months ago)
Public Bill Committees
I admire the Minister’s concern and ambition for administrative tidiness. She reminds me of an old quote by Bevin, who said once, “If you are a purist, the place for you is not a Parliament; it is a monastery.”
In the case of the Minister, a nunnery, although Bevin was less enlightened than the hon. Lady. Here is a Bill; here is a new clause; the new clause is within scope. The object of the new clause is to deliver a Government objective, yet it is rejected. That is hard logic to follow. We have had the tremendous assurance, however, that there will be nothing less than a code of practice, so these huge data giants will be shaking in their boots in California, when they wake up. They will be genuinely concerned and no doubt already planning how they can reform their ways and stop the malpractice that we have grown all too used to. I am afraid that these amount to a collection of warm words, when what the country needs is action. With that in mind, I will push the new clause to a vote.
Question put, That the clause be read a Second time.
I will be brief in answering some of the serious matters raised by the right hon. Gentleman. The Information Commissioner, as the data regulator, is investigating alleged abuses as part of a broader investigation into the use of personal data during political campaigns. I have said many times that the Bill will add significantly to the commissioner’s powers to conduct investigations, and I have confirmed that we keep an open mind and are considering actively whether further powers are needed in addition to those set out in the Bill.
The Electoral Commission is the regulator of political funding and spending. The commission seeks to bring transparency to our electoral system by enforcing rules on who can fund and how money can be spent, but new clause 21 is about sending the commission into a whole new field: that of personal data regulation. That field is rightly occupied by the Information Commissioner. We can debate whether she needs more powers in the light of the current situation at Cambridge Analytica, and as I have said we are reviewing the Bill.
While the Electoral Commission already has the power to require the disclosure of documents in relation to investigations under its current remit, new clause 21 would provide the commission with new powers to require the disclosure of the settings used to disseminate material. However, understanding how personal data is processed is outside the commission’s remit.
The right hon. Gentleman suggested that his amendment would help with transparency on who is seeking to influence elections, which is very much needed in the current climate. The Government take the security and integrity of democratic processes very seriously. It is absolutely unacceptable for any third country to interfere in our democratic elections or referendums.
On new clause 22, the rules on imprints in the Political Parties, Elections and Referendums Act 2000 are clear. The current rules apply to printed election material no matter how it is targeted. However, the Secretary of State has the power under section 143 to make regulations covering imprints on other types of material, including online material. New clause 22 would therefore not extend the type of online material covered by such regulations. We therefore believe the new clause is unnecessary. The law already includes printed election material disseminated through the use of personal data gathered by whatever means, and the Government will provide further clarity on extending those rules to online material in due course by consulting on making regulations under the power in section 143(6).
On that basis, I ask the right hon. Gentleman to withdraw his new clause.
That is a deeply disappointing answer. I was under the impression that the Secretary of State said in interviews today that he is open-minded about the UK version of the Honest Ads Act that we propose. That appears to be in some contrast to the answer that the Minister offered.
What this country has today is an Advertising Standards Authority that does not regulate political advertising; Ofcom, which does not regulate video when it is online; an Electoral Commission without the power to investigate digital campaigning; and an Information Commissioner who cannot get a search warrant. Worse, we have a Financial Conduct Authority that, because it does not have a data sharing gateway with the Electoral Commission, cannot share information about the financial background of companies that might have been laundering money going into political and referendum campaigns. The law is hopelessly inadequate. Through that great hole, our enemies are driving a coach and horses, which is having a huge impact on the health and wellbeing of our democracy.
That is not a day-to-day concern in Labour constituencies, but it is for the Conservative party. Voter Consultancy Ltd took out targeted dark social ads aimed at Conservative Members, accusing some of them of being Brexit mutineers when they had the temerity to vote for common sense in a vote on Brexit in this House. Voter Consultancy Ltd, for those who have not studied its financial records at Companies House, as I have, is a dormant company. It has no accounts filed. There is no cash flowing through the books. The question that provokes is: where does the money come from for the dark social ads attacking Conservative Members? We do not know. It is a matter of public concern that we should.
The law is out of date and needs to be updated. I will not press the matter to a vote this afternoon because I hope to return to it on Report, but I hope that between now and then the Minister and the Secretary of State reflect on the argument and talk to Mark Sedwill, the National Security Adviser, about why the national security strategy does not include an explicit objective to defend the integrity of our democracy. I hope that that change is made and that, as a consequence, further amendments will be tabled to ensure that our democracy is protected against the threats we know are out there.
I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
Question proposed, That the Chair do report the Bill, as amended, to the House.
On a point of order, Mr Streeter. I wanted to thank you, and Mr Hanson in his absence, as well as, in the House of Lords, my noble Friends Lord Ashton, Baroness Williams, Lord Keen, Baroness Chisholm and Lord Young, and the Opposition and Cross-Bench peers. I also thank the Under-Secretary of State for the Home Department, my hon. Friend the Member for Louth and Horncastle, and the Opposition Front Bench Members—the right hon. Member for Birmingham, Hodge Hill, with whom it has been a pleasure debating in the past two weeks, and the hon. Member for Sheffield, Heeley, who was not able to be in her place this afternoon.
I offer great thanks to both Whips. It was the first Bill Committee for my hon. Friend the Member for Selby and Ainsty in his capacity as Whip, and my first as Minister, and it has been a pleasure to work with him. I also thank the hon. Member for Ogmore. My hon. Friend the Under-Secretary and I are grateful to our Parliamentary Private Secretary, my hon. Friend the Member for Mid Worcestershire, who has worked terribly hard throughout the proceedings, as indeed have the Clerks, the Hansard writers, the Doorkeepers and the police. Without the officials of my Department and, indeed, the Home Office, we would all have been bereft, and I am most grateful to all the officials.
Question put and agreed to.
Bill, as amended, accordingly to be reported.
(6 years, 9 months ago)
Public Bill Committees
That is a fascinating philosophical question, but I can only tell the right hon. Gentleman that I would not have voted for it. I appreciate that he will say that it is easy for me to say that now, but the idea that people in this place would be convinced that it is the best possible model is simply not plausible after the statements that my hon. Friend the Member for North Devon and I have made today. Surely we need a set of press regulations that preserves the independence of the media, and their ability to invest in journalism at local and national level, which we all want if we are to hold the powerful to account. We also need regulations that allow hon. Members to say with a clear conscience that we have done nothing that puts those businesses in serious jeopardy.
It does not seem to me that a costly Leveson 2 is the best use of public money, or that the threat of section 40 will ever be the best use of private money, putting legitimate local and national media out of business. Those arguments seem to me like a powerful case for IPSO, and for a sensible look at the sustainability of the press, as the Prime Minister has set about doing. They do not under any circumstances seem to me like a good reason to vote for the amendments.
I will set out the Government’s position on clauses 142, 168, 169 and 205, before returning to the amendments in the name of the hon. Member for Argyll and Bute.
As we have heard, clause 142 requires the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. The Government set out our intention not to reopen the Leveson inquiry in our response to the consultation on the future of the inquiry on 1 March. I will not repeat the arguments in full, but I will say that the Government’s firm focus is on the problems faced by the media right now.
The Government recognise that there is a great deal of feeling on both sides of the debate. We have listened to all views, including those of victims, in reaching a decision. No one seeks to excuse the past behaviour of individual media organisations, nor to legitimise it. As the right hon. Member for Birmingham, Hodge Hill said, some of the stories we heard at the beginning of the Leveson inquiry were horrific. The Government have a duty, however, to make decisions that are proportionate and in the public interest. In the light of all the evidence available, it is apparent that part 2 of the inquiry is no longer appropriate or proportionate.
Part 1 of the inquiry lasted over a year, and heard evidence from more than 300 people, including journalists, editors and victims. Since then, the majority of the Leveson recommendations have been implemented. Three major police investigations examining a wide range of offences have been completed. More than 40 people were convicted, some of whom were sent to prison. There have also been extensive reforms to policing practices, and significant changes to press self-regulation.
As a result, the terms of reference for part 2 have largely been met, and the culture that allowed phone hacking to become the norm has changed. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and gaining revenue from online content. Free and vibrant media are vital to democratic discourse, and we need to tackle those challenges urgently. Holding a costly and time-consuming public inquiry looking predominantly backwards is not the right way to go.
The Government are committed to addressing these issues, and we are developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to keep people safe online and to ensure that personal information is used appropriately. As part of that, we are also undertaking work to ensure that there are sustainable business models for high-quality media online. The media landscape is different and the threats are different, too. Issues such as fake news mean there is a need to protect the reliability and objectivity of information.
Likewise, clauses 168 and 169 are similar to the provisions contained in sections 40 and 42 of the Crime and Courts Act 2013, but apply to breaches of data protection law only. The Government do not believe that introducing a provision similar to section 40 of the 2013 Act into the Bill is appropriate, but in relation to data protection only. That is particularly so given our decision earlier this month to repeal section 40 when there is a suitable legislative vehicle. In coming to that decision, we considered all the available evidence, including the views of respondents to the public consultation that we undertook last year. Many respondents cited concerns about the chilling effect that section 40 would have on the freedom of the press, which was so ably summed up by my hon. Friend the Member for Boston and Skegness.
Will the Minister tell the Committee why she supported it when it came to a vote last time?
The right hon. Gentleman has made great play of the former Prime Minister’s statement. I remind him that that statement was given six years ago. Much has changed since. My hon. Friend the Member for North Devon tried to make the point that, although we cannot rule out that egregious conduct is still going on in the press, as I imagine there is in virtually every other sector of society, we can agree that much has changed and improved. That is why the Government have changed their direction. I hope that satisfies the right hon. Gentleman.
I do not accept that this Bill represents a reduction in the powers of the Information Commissioner, and I do not think that that is her view either. Obviously, I accept what she said in response to questioning from the Select Committee on Digital, Culture, Media and Sport. As I have already said, my right hon. Friend the Secretary of State is considering her request, and we are working on the areas where she feels there is a shortfall.
I reassure the Committee that the Bill strengthens the ICO’s overall powers. The hon. Member for Sheffield, Heeley has mentioned fines. There are fines of up to 4% of global turnover, or £17 million, both for malpractice itself and for blocking investigations and inquiries mounted by the ICO.
One way in which the Government could row in behind a frustrated Information Commission would be to deny Government contracts to companies that are behaving badly. I understand that Cambridge Analytica has Government contracts with both the Foreign Office and the Ministry of Defence. Are they under review?
I cannot speak for either of those Departments. We are debating the powers of the ICO rather than contractual matters between private companies and Government Departments. I accept that that is a moot point, but it is not the purpose of this Bill Committee to go into those details.
To return to the points raised by the hon. Member for Sheffield, Heeley, we are strengthening the powers of the Commissioner. We are extending her current power to serve assessment notices on data controllers in public sector bodies to all data controllers across the private sector as well. Those assessment notices will require them to provide evidence of their compliance with the law, and there is now the power to enforce assessment notices by obtaining a warrant to exercise search and seizure powers on behalf of the ICO. The Bill also creates a criminal offence for obstructing a warrant, which is subject to both fines and a criminal record. We are strengthening in those areas and also increasing fines substantially.
I understand that the Minister cannot answer the detailed question about Government contracts with, for example, Cambridge Analytica, but does she think, philosophically, that a Government would and should reconsider contracts with companies that are not complying with a reasonable request made by the Information Commissioner?
The right hon. Gentleman makes an entirely reasonable point. As I said earlier, I cannot go into it in a debate on this particular Bill, other than to say that he makes a reasonable point.
Clause 143 provides the commissioner with the power to issue an information notice. This is a type of notice that requires a controller or processor to provide the commissioner with specified information within a certain time period.
Question put and agreed to.
Clause 143, as amended, accordingly ordered to stand part of the Bill.
Clause 144 ordered to stand part of the Bill.
Clause 145
False statements made in response to an information notice
Question proposed, That the clause stand part of the Bill.
The operation of clause 145 is a matter of great public concern this week, because of the revelations that an app that sat on Facebook collected data for a particular purpose, but they were then re-used by Cambridge Analytica for an entirely different purpose, to bend the outcome of particular elections and, quite possibly, referendums too. Facebook had made a statement that the matter had been resolved a couple of years ago and that the relevant data in question had been deleted. The story has developed over the past 24 hours and former Facebook employees are now alleging that it was not simply 50 million records that were collected for one purpose and re-used for another; there may have been hundreds of millions of records collected for one purpose and used for another.
How will clause 145 bite on a company such as Facebook that may be responding to an information notice issued by the Information Commissioner? The company may have told the Information Commissioner that it was all fine, the data was all deleted and everyone was perfectly satisfied, but a couple of years later it transpires that that is not the case. What would then happen to a company such as Facebook? Is the Minister satisfied that the proposed sanctions and penalties are strong enough? It is not clear to me, given what we now know, that these sanctions are strong enough at all.
We are debating a suite of powers as part of the overall powers with which the Bill reinforces the Information Commissioner’s Office. It is not just about clause 145. If a company discloses information unlawfully, there is also a separate offence in clause 170. We are not relying on one clause alone.
The clause gives the commissioner the power to issue an enforcement notice, which requires a person to take steps or refrain from taking steps specified in the notice. For example, the commissioner can use an enforcement notice to compel a data controller to give effect to a data subject if they have otherwise failed to do so. Section 40 of the Data Protection Act 1998 made similar provision. In respect of the hon. Lady’s questions concerning the law enforcement aspects of the clause and the need for impact assessments, and the powers that the ICO might need to ensure that those impact assessments are done and are appropriate, I will have to write to her on the details of those latter points.
Question put and agreed to.
Clause 148 accordingly ordered to stand part of the Bill.
Clause 149
Enforcement notices: supplementary
Amendment made: 56, in clause 149, page 83, line 36, leave out “with the day on which” and insert “when”.—(Margot James.)
This amendment is consequential on Amendment 71.
Clause 149, as amended, ordered to stand part of the Bill.
Clause 150
Enforcement notices: rectification and erasure of personal data etc
Question proposed, That the clause stand part of the Bill.
The clause bites on the question of individuals’ rights to the erasure of personal data and rectification. I want to give the Minister an opportunity to update the Committee on her conversations with media, culture and other organisations about how she is going to balance the implementation of clause 150 with the ambitions of those organisations to protect archives—not just archives of very large sets of artefacts, such as the Natural History Museum, but those that are run by News UK or Trinity Mirror or the BBC.
The risk that is obviously posed by those organisations is that they often rely on very good, detailed and often quite old archives of news information. The scenario that was put to us last night by lawyers representing a number of those organisations that wanted to give us their views about clauses 168 and 169 was that successful journalism—whether The Daily Telegraph or the Swindon Advertiser—will often rely on excellent archives.
If rich individuals are seeking to create a different truth and a different history, and to exercise their rights under the clause, a risk will be created for those media organisations. I am more worried about the media organisations’ rights than I am about the Natural History Museum and the BBC, because I think the Minister’s Department will do a good job of working out where to put that grey line round what should be protected and what is up for grabs. The example put to us last night was of rich individuals seeking to create a different kind of history—a different kind of past—to bend deliberately the future of reporting by eradicating a record that might be true. The risk that was put to us is that, very often, newspaper legal directors—the poor things often have to advise on this decision—will sometimes conclude that the game is just not worth it and therefore give in to the rich individual to avoid damaging and expensive legal action and delete the records from their archives.
This is a difficult area, where balances have to be struck, but it is a form of litigation that will doubtless continue into the future. We might have just decided to deny access to ordinary people to correct media malpractice, but rich individuals will continue to bring their cases. Will the Minister tell us how the balance will play out in practice? How do we protect the rights of news organisations to run good archives for the benefit of public interest journalism in the future?
The clause makes additional provision for enforcement notices where the subject matter of the notice relates to the controller or processor’s failure to comply with the data protection principle of ensuring accuracy. The clause may also apply where a controller or processor has failed to comply with the data subject’s rights on rectification, erasure or restriction of processing under articles 16 to 18 of the general data protection regulation.
We touched on the issue of archives in one of the Committee sittings last week. I explained to the Committee that there is protection for archives under the GDPR, whether they be those of news organisations or of academic sources. We are aware of the concerns expressed by organisations representing archives, and I agree with the right hon. Gentleman that quality journalism often depends on the use of such archives. However, I assure him that my Department will defend the rights of journalists and the press as tenaciously as we would defend the rights of archivists in the great museums of our country against the distortions that he gave as examples of people perhaps wanting to use the right to be forgotten in an excessive manner and in a bid to rewrite history. We are aware of such individuals, and we are comfortable that the GDPR prevents those abuses.
Question put and agreed to.
Clause 150 accordingly ordered to stand part of the Bill.
Clauses 151 and 152 ordered to stand part of the Bill.
Clause 153
Powers of entry and inspection
Question proposed, That the clause stand part of the Bill.
Again, on this point, we would benefit from some clarification from the Minister. The story that broke this morning was that the Information Commissioner had, in effect, to go to court to get her warrant to investigate what Cambridge Analytica was up to. There was some speculation as to why Facebook was able to exercise some contractual rights and turn up at the offices of Cambridge Analytica to conduct an inspection. The reports are that, as the situation played out, the Information Commissioner had to tell Facebook legal officers to stand down and to stop what they were doing. As it happened, Facebook wisely decided to follow the Information Commissioner’s orders.
A matter of great concern is that the Information Commissioner has to go through what sounds like a laborious process to get the warrant needed to conduct an investigation that is obviously in the public interest. When we secure, for example, emergency injunctions to stop the publication of material that people do not want published, or when magistrates issue search warrants, most of us with experience of this at a local level would observe that such warrants are often issued in a much faster and less high-profile way than the process the Information Commissioner appears to have to go through.
In effect, Cambridge Analytica has had 48 hours’ notice of the Information Commissioner’s concerns—[Interruption.] I am sorry, but I do not know whether the Minister wants to intervene on that—
I have just been advised that the existing law is non-custodial criminal sanctions. I have referred to the criminal sanctions with respect to assessment notices, and I will get back to the hon. Lady on the question of the sanctions on the information notices that she has asked about. I am told what I am told; the existing law is non-custodial.
Question put and agreed to.
Clause 154, as amended, accordingly ordered to stand part of the Bill.
Schedule 16
PENALTIES
Amendments made: 123, page 203, line 26, leave out “with the day after” and insert “when”.
This amendment is consequential on Amendment 71.
124, page 204, line 10, leave out “with the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
125, page 205, line 5, leave out “with the day after the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
126, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”.—(Margot James.)
This amendment is consequential on Amendment 52.
Schedule 16, as amended, agreed to.
Clause 155 ordered to stand part of the Bill.
Clause 156
Maximum amount of penalty
Question proposed, That the clause stand part of the Bill.
I think we could all do with a bit of clarity, which did not quite emerge in the last debate. My hon. Friend the Member for Sheffield, Heeley, makes an important point: in light of this week’s news, there is real concern that the maximum possible sentences should be on the books to punish people who try to get in the way of investigations by the Information Commissioner. Can the Minister say whether the Information Commissioner is currently able to prosecute people for getting in her way, and whether they could go to jail? That would be clarification No. 1. Clarification No. 2 would be whether, under the Bill the Minister is asking us to agree, that custodial sentence would still remain.
I understand that under the current law there are no custodial sentencing provisions, so therefore I cannot argue that they will remain. That does not seem logical at all. The existing DPA offences are for fines only, according to section 60 of the Data Protection Act 1998.
Question put and agreed to.
Clause 156 accordingly ordered to stand part of the Bill.
Clause 157
Fixed penalties for non-compliance with charges regulations
Question proposed, That the clause stand part of the Bill.
Given the clarity that the Minister has now furnished for the Committee, and given the scale of wrongdoing that is alleged about Cambridge Analytica and potentially Facebook this week, the question on clause 157 is whether she is satisfied that financial penalties are going to do the job in the years to come. Otherwise, is this a clause on which we need to reflect on Report if not now so that if custodial sentences are not currently available, we might consider introducing them for people who appear determined to move heaven and earth to get in the way and obstruct an Information Commissioner inquiry? Could we perhaps come back to that on Report, rather than simply rely on sanctions such as fixed penalty notices?
I referred to the public interest defence as a flexible defence that would encapsulate non-criminal activities. I do not know whether that satisfies the hon. Gentleman, but a flexible public interest defence is indeed required.
For those reasons, I reassure hon. Members that a further defence providing for whistleblowing is unnecessary. It is telling that there is no such defence in section 55 of the 1998 Act, and we are not aware of any problems with its operation. Hon. Members mentioned section 58 of the Digital Economy Act 2017. That is a difficult comparison. Unlike clauses 170 and 171, section 58 does not contain a straightforward public interest defence, so, unlike the offences in the Bill, there may be no alternative protection for such disclosures. I hope I have given hon. Members sufficient reassurance that they feel confident withdrawing their amendments.
I am grateful to the Minister for that reply. She says that she wants to try to update the legislation. I understand what she is trying to do and why she does not accept that there is a complete parallel with the Digital Economy Act. None the less, the new definition will need to be tested in court, new guidance will need to be issued and new ambiguity will therefore be created, which brings with it the risk that important whistleblowers will be dissuaded from bringing forward information that is in our interest and letting it see the light of day.
I hope the Minister reflects on that further. She seeks to create an extension in law to ensure that there is a public interest definition in the round—I can see the enlargement that she is trying to make—but I hope she reflects before Report stage on the challenge that new definitions will have to be tested in court, which will create ambiguity and risk. I do not think she wants to create that risk, but the strategy she sets out does not completely delete it and it remains a concern. I will happily withdraw the amendment, but I ask the Minister to reflect on that point before Report.
I am happy to reflect on what the right hon. Gentleman proposes. The last thing we want is to have any chilling effect on would-be whistleblowers.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 170 ordered to stand part of the Bill.
Clause 171
Re-identification of de-identified personal data
Question proposed, That the clause stand part of the Bill.
I would like to say a word in support of this important amendment. We had a rich and unsatisfactory debate on the incorporation of article 8 of the European charter of fundamental rights into British law. We think that that would have helped the Government considerably in ensuring that there is no divergence between the European data protection regime and our own. If the Government are successful, they will operate on different constitutional bases, and there is therefore a real risk of divergence over the years to come. I think that everyone on the Committee is now pretty well versed in the damage that that would do to British exports, many of which are digitally enabled. This is a really helpful amendment. It tries to tighten the lockstep that we have to maintain with European data protection regimes, which will be good for exports, services and the British economy, and the Government should accept it.
When we leave the European Union, the direct jurisdiction of the Court of Justice of the European Union in the UK will come to an end. Clause 6 of the European Union (Withdrawal) Bill gives effect to that and takes a clear and logical approach to how our domestic courts should approach the case law of the CJEU as a result. In short, where a judgment precedes our exit, it is binding on courts below the Supreme Court. Where a judgment post-dates our exit, our courts may have regard to it if they consider it appropriate, but EU law and the decisions of the ECJ will continue to affect us. The ECJ determines whether agreements that the EU has struck are legal under the EU’s own law. If, as part of our future partnership, Parliament passes an identical law to an EU law, it may make sense for our courts to look at the appropriate ECJ judgments so that we interpret those laws consistently, but our Parliament would ultimately remain sovereign.
I would not rule it out, but the negotiations are between two parties, so however much we may wish to maintain our membership of the European data protection board, that might not be something that the EU will grant us. As I say, it is a matter for negotiation and I am sure things will become clearer over the next 12 months. To take an approach now that would require our courts to follow future case law of the CJEU, even if only in some areas, would place limitations on the discretion and independence of our courts.
The Minister is trying to protect a discretion that sounds like the defence of a right to depart from EU case law to such an extent that we might jeopardise an adequacy agreement. Surely the point of this amendment is to keep us in lockstep, to de-risk that adequacy agreement for the years to come. That surely must be an object of her Government’s policy.
The Government are absolutely committed to getting an adequacy agreement. The Prime Minister has said she wishes to go beyond adequacy in the negotiations. I would like to reassure the right hon. Gentleman that the very opposite is the case. Our courts can have regard to, and that is good enough. There is no reason for this to be different in the area of data protection from what it might be in any other area.
The provision has been discussed at length and agreed to by the House. Hon. Members will be aware that the other place is now scrutinising the EU (Withdrawal) Bill and has focused on this very matter. There is broad agreement that we need to consider how best to ensure that the Bill achieves the policy aim with sufficient clarity. We want to reach agreement on a proposition that commands the greatest possible support. We should, however, be wary of seeking to provide for something that alters the underlying policy in a way that binds or steers our courts towards a particular outcome, for example, by saying that they must have regard in only certain areas of law.
I do not quite follow the Minister’s argument. On the one hand, she says that it is the object of Government policy to secure an adequacy agreement and presumably keep that adequacy agreement, if not, indeed, go beyond it. She is now seeking to defend a flexibility that would allow some kind of departure from European norms. I cannot understand how she can quite want her cake and eat it.
Courts will be allowed to follow the jurisprudence of the ECJ in this area of data protection. Nothing I am saying is prompting a departure from that position. We see the amendment as going further than we would like to go. By contrast, the Government’s proposed approach to CJEU oversight respects the referendum result and is clear, consistent and achievable.
(6 years, 9 months ago)
Public Bill Committees
I am ill-qualified to answer the hon. Gentleman’s question. Hypothetically, it would probably make it more difficult, but that is not our purpose in objecting to clause 121, which we do not see as being consistent with the role of the Information Commissioner, for the reasons I set out. However, he raises an interesting question.
I agree with Lord Mitchell that the issues that surround data protection policy, particularly with regard to NHS patient data, deserve proper attention both by the Government and by the National Data Guardian for Health and Care, but we have not yet established that there is any evidence of a problem to which his provisions are the answer. We are not sitting on our laurels. As I have already said, NHS England and the Department of Health and Social Care are working to ensure that they understand the value of their data assets. Further work on the Government’s digital charter will also explore this issue. When my right hon. Friend the Prime Minister launched the digital charter on 25 January, she made it clear that we will set out principles on the use of personal data.
Amendment 122 removes Lord Mitchell’s amendment from schedule 13. We do this because it is the wrong tool; however, we commit to doing everything we can to ensure that we further explore the issue and find the right tools if needed. [Interruption.] I have just received advice that the amendments will make no difference in relation to the hon. Gentleman’s question, because anonymised data is not personal data.
I commend amendment 122 and give notice that the Government will oppose the motion that clause 121 stand part of the Bill.
I am grateful that the Minister made time to meet my former noble Friend Lord Mitchell. These are important amendments and it is worth setting out the background to why Lord Mitchell moved them and why we give such priority to them.
In 2009-10, we began to have a debate in government about the right approach to those agencies which happen to sit on an enormous amount of important data. The Government operate about 200 to 250 agencies, and some are blessed with data assets that are more valuable than those of others—for example, the Land Registry or Companies House sit on vast quantities of incredibly valuable transactional data, whereas other agencies, such as the Meteorological Office, the Hydrographic Office and Ordnance Survey, sit on sometimes quite static data which is of value. Some of the most successful American companies are based on Government data—for example, The Weather Channel is one of the most valuable and is based on data issued from, I think, the US meteorological survey. A number of Government agencies are sitting on very valuable pots of data.
The debate that we began to rehearse nearly 10 years ago was whether the right strategy was to create public-private partnerships around those agencies, or whether more value would be created for the UK economy by simply releasing that data into the public domain. I had the great pleasure of being Chief Secretary to the Treasury and the Minister for public service reform. While the strong advice inside the Treasury was that it was better to create public-private partnerships because that would release an equity yield up front, which could be used for debt reduction, it was also quite clear to officials in the Cabinet Office and those interested in public service reform more generally that the release of free data would be much more valuable. That is the side of the argument on which we came down.
After the White Paper, “Smarter Government”, that I brought to the House, we began the release of very significant batches of data. We were guided by the arguments of Tim Berners-Lee and Professor Nigel Shadbolt, who were advising us at the time, that this was the right approach and it was very good to see the Government continue with that.
There are still huge data pots locked up in Government which could do with releasing, but the way in which we release them has to have an eye on the way we create value for taxpayers more generally. Beyond doubt, the area of public policy and public operations where we have data that is of the most value is health. The way in which, in the United States, Apple and other companies have now moved into personal health technology in a substantial way betrays the reality that this is going to be a hugely valuable and important market in years to come. If we look at the US venture industry we can see significant investment now going into health technology companies.
The Minister is very generous. From that vantage point in the City, I was able to watch the level of ingenuity, creativity and innovation that was unlocked simply by the Government telling the world, “Here are the assets that are in public hands.” All sorts of ideas were floated for using those assets in a way that was better for taxpayers and public service delivery.
To the best of my knowledge, we do not have a similar data catalogue today. What Lord Mitchell is asking is for Ministers to do some work and create one. They can outsource that task to the Information Commissioner. Perhaps the Information Commissioner is not the best guardian of that particular task, but I am frustrated and slightly disappointed that the Minister has not set out a better approach to achieving the sensible and wise proposals that Lord Mitchell has offered the Government.
The reason why it is so important in the context of the NHS is that the NHS is obviously a complicated place. It is an economy the size of Argentina’s. The last time I looked, if the NHS were a country, it would be the 13th biggest economy on earth. It is a pretty complicated place and there are many different decision makers. Indeed, there are so many decision makers now that it is impossible to get anything done within the NHS, as any constituency MP knows. So how do we ensure that, for example, in our neck of the woods, Queen Elizabeth Hospital Birmingham does not strike its own data sharing agreement with Google or DeepMind? How do we ensure that the NHS in Wales does not go in a particular direction? How do we ensure that the trust across the river does not go in a particular direction? We need to bring order to what is potentially an enormous missed opportunity over the years to come.
The starting point is for the Government, first, to ensure we have assembled a good catalogue of data assets. Secondly, they should take some decisions about whether the organisations responsible for those data assets are destined for some kind of public-private partnership, as they were debating in relation to Companies House and other agencies a couple of years ago, or whether—more wisely—we take the approach of creating a sovereign wealth fund to govern public data in this country, where we maximise the upside for taxpayers and the opportunities for good public service reform.
The example of Hinkley Point and the unfortunate example of the Google partnership with DeepMind, which ran into all kinds of problems, are not good precedents. In the absence of a better, more concrete, lower risk approach from the Government, we will have to defend Lord Mitchell’s wise clause in order to encourage the Government to come back with a better solution than the one set out for us this morning.
I enjoyed the right hon. Gentleman’s speech, as it went beyond some of the detail we are debating here today, but I was disappointed with the conclusion. I did not rest my argument on it being just too difficult to organise such a database as proposed by Lord Mitchell; there are various reasons, chief among them being that we are here to debate personal data. A lot of the databases the right hon. Gentleman referred to as being of great potential value do not contain personal data. Some do, some do not: the Land Registry does not, Companies House does, and so forth. Also, the Information Commissioner has advised that this is beyond her competence and her remit and that she is not resourced to do the job. Even the job of defining what constitutes data of public value is a matter for another organisation and not the Information Commissioner’s Office. That is my main argument, rather than it being too difficult.
Happily, what sits within the scope of a Bill is not a matter for Ministers to decide. First, we rely on the advice of parliamentary counsel, which, along with the Clerks, was clear that this amendment is well within the scope. Secondly, if the Information Commissioner is not the right individual to organise this task—heaven knows, she has her hands full this week—we would have been looking for a Government amendment proposing a better organisation, a better Ministry and a better Minister for the work.
I can only be the Minister I am. I will try to improve. I was not saying that Lord Mitchell’s amendment is not within the scope of the Bill; I was making the point that some of the databases and sources referred to by the right hon. Gentleman in his speech went into the realms of general rather than personal data. I therefore felt that was beyond the scope of the Information Commissioner’s remit.
I share the right hon. Gentleman’s appreciation of the value and the uniqueness of the NHS database. We do not see it just in terms of its monetary value; as the hon. Member for Edinburgh South made clear in his intervention, it has tremendous potential to improve the care and treatment of patients. That is the value we want to realise. I reassure the right hon. Gentleman and put it on record that it is not my place as a Minister in the Department for Digital, Culture, Media and Sport, or the place of the Bill, to safeguard the immensely valuable dataset that is the NHS’s property.
The debate rehearsed in the other place was whether we should acquiesce in a derogation that the Government have exercised to set the age of consent for personal data sharing at 13, as opposed to 16, which other countries have adopted. There was widespread concern that 13 was too young. Many members of the Committee will have experienced pressing the agree button when new terms and conditions are presented to us on our updates to software on phones, or privacy settings presented to us by Facebook; privacy settings, it is now alleged, are not worth the paper that they were not written on.
Debates in the other place centred on what safeguards could be wrapped around children if that derogation were exercised and the age of consent left at 13. With Baroness Kidron, we were keen to enshrine in legislation a step towards putting into operation the objectives of the 5Rights movement. Those objectives, which Baroness Kidron has driven forward over the past few years, are important, but the rights therein are also important. They include not only rights that are enshrined in other parts of the Bill—the right to remove, for example—but important rights such as the right to know. That means that someone has the right to know whether they are being manipulated in some way, shape or form by social media technologies.
One of the most interesting aspects of the debate in the public domain in the past few months has been the revelation that many of the world’s leading social media entrepreneurs do not allow their children to use social media apps, because they know exactly how risky, dangerous and manipulative they can be. We have also heard revelations from software engineers who used to work for social media companies about the way they deliberately set out to exploit brain chemistry to create features of their apps that fostered a degree of addiction. The right to know is therefore very powerful, as is the right to digital literacy, which is another important part of the 5Rights movement.
It would be useful to hear from the Minister of State, who—let me put this beyond doubt—is an excellent Minister, what steps she plans to take to ensure that the age-appropriate design code is set out pretty quickly. We do not want the clause to be passed but then find ourselves in a situation akin to the one we are in with section 40 of the Crime and Courts Act 2013 where, five years down the line, a misguided Secretary of State decides that the world has changed completely and that this bit of legislation should not be commenced.
We would like the Minister to provide a hard timetable—she may want to write to me if she cannot do so today—setting out when we will see an age-appropriate design code. We would also like to hear what steps she will take to consult widely on the code, what work she will do with her colleagues in the Department for Education to ensure that the code includes some kind of ventilation and education in schools so that children actually know what their rights are and know about the aspects of the code that are relevant to them, and, crucially, what steps she plans to take to include children in her consultation when she draws up the code.
This is an important step forward, and we were happy to support it in the other place. We think the Government should be a little more ambitious, which is why we suggest that the rights set out by the 5Rights movement should become part of a much broader and more ambitious digital Bill of Rights for the 21st century, but a start is a start. We are pleased that the Government accepted our amendment, and we would all be grateful if the Minister told us a little more about how she plans to operationalise it.
I thank the right hon. Gentleman for his generous remarks. To recap, the idea that everyone should be empowered to take control of their data is at the heart of the Bill. That is especially important for groups such as children, who are likely to be less aware of the risks and consequences associated with data processing. Baroness Kidron raised the profile of this issue in the other place and won a great deal of support from peers on both sides of that House, and the Government then decided to introduce a new clause on age-appropriate design to strengthen children’s online rights and protections.
Clause 124 will require the Information Commissioner to develop a new statutory code that contains guidance on standards of age-appropriate design for online services that are likely to be accessed by children. The Secretary of State will work in close consultation with the commissioner to ensure that that code is robust, practical and meets children’s needs in relation to the gathering, sharing and storing of their data. The new code will ensure that websites and apps are designed to make clear what personal data of children is collected, how it is used and how both children and parents can stay in control of it. It will also include requirements for websites and app makers on privacy for children under 18.
The right hon. Gentleman cited examples of the consultation he hopes to see in preparation for the code. In developing the code, we expect the Information Commissioner to consult a wide range of stakeholders, including children, parents, persons who represent the interests of children, child development experts and trade associations. The right hon. Gentleman mentioned the Department for Education, and I see no reason why it should not be included in that group of likely consultees.
The commissioner must also pay close attention to the fact that children have different needs at different ages, as well as to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. The code interlocks with the existing data protection enforcement mechanism found in the Bill and the GDPR. The Information Commissioner considers many factors in every regulatory decision, and non-compliance with that code will weigh particularly heavily on any organisation that is non-compliant with the GDPR. Organisations that wish to minimise their risk will apply the code. The Government believe that clause 124 is an important and positive addition to the Bill.
Will the Minister say a word about the timetable? When can we expect the consultation and code of practice to be put into operation?
There should be no delay to the development of the code and the consultation that precedes it. If I get any additional detail on the timetable, I will write to the right hon. Gentleman.
Question put and agreed to.
Clause 124, as amended, ordered to stand part of the Bill.
Clause 125
Approval of data-sharing, direct marketing and age-appropriate design codes
Amendment made: 49, in clause 125, page 69, line 9, leave out “with the day on which” and insert “when”.—(Margot James.)
This amendment is consequential on Amendment 71.
Clause 125, as amended, ordered to stand part of the Bill.
Clauses 126 to 130 ordered to stand part of the Bill.
Clause 131
Disclosure of information to the Commissioner
Question proposed, That the clause stand part of the Bill.
Clause 131 deals with disclosure of information to the Information Commissioner, and this is probably a good point at which to ask whether the Information Commissioner has the right level of power to access information that is pertinent to her investigations into the misuse of information. Thanks to The Guardian, The New York Times, and particularly the journalist Carole Cadwalladr, we have had the most extraordinary revelations about alleged misbehaviour at Cambridge Analytica over the past couple of years. Indeed, Channel 4 News gave us further insight into its alleged misdemeanours last night.
We have a situation in social media land that the Secretary of State has described as the “wild west”. Some have unfairly called the Matt Hancock app one of the features of that wild west, but I would not go that far, despite its slightly unusual privacy settings. None the less, there is now cross-party consensus that the regulatory environment that has grown up since the 2000 e-commerce directive is no longer fit for purpose. Yesterday, the Secretary of State helpfully confirmed that that directive will be modernised, and we will come on to discuss new clauses that suggest setting a deadline for that.
One deficiency of today’s regulatory environment is the inadequate power that the Information Commissioner currently has to access information that is important for her investigations. We have a wild west, we have hired a sheriff, but we have not given the sheriff the power to do her job of keeping the wild west in order. We now have the ridiculous situation that the Information Commissioner must declare that she is going to court to get a warrant to investigate the servers of Cambridge Analytica, and to see whether any offence has been committed.
If I wanted to hide something from a newspaper and I thought that the newspaper was going to print it inappropriately, I would apply for an emergency injunction to stop the newspaper running it. I do not understand why the Information Commissioner has had to broadcast her intentions to the world, because that has given Cambridge Analytica a crucial period of time in which to do anything it likes, frankly, to its data records. The quality of the Information Commissioner’s investigation must be seriously impaired by the time that it has taken to get what is tantamount to a digital search warrant.
Is the Minister satisfied in her own mind that clause 131 and its associated clauses are powerful enough? Will she say more about the Secretary of State’s declaration to the House last night that he would be introducing amendments to strengthen the Commissioner’s power in the way that she requested? When are we going to see those amendments? Are we going to see them before this Committee rises, or at Report stage? Will there be a consultation on them? Is the Information Commissioner going to share her arguments for these extra powers with us and with the Secretary of State? We want to see a strong sheriff patrolling this wild west, and right now we do not know what the Government’s plan of action looks like.
I just want to recap on what clause 131 is about. It is intended to make it clear that a person is not precluded by any other legislation from disclosing to the commissioner information that she needs in relation to her functions, under the Bill and other legislation. The only exception relates to disclosures prohibited by the Investigatory Powers Act 2016 on grounds of national security. It is therefore a permissive provision enabling people to disclose information to the commissioner.
However, the right hon. Member for Birmingham, Hodge Hill has taken the opportunity to question the powers that the Information Commissioner has at her disposal. As my right hon. Friend the Secretary of State said yesterday in the Chamber, we are not complacent. I want to correct something that the right hon. Member for Birmingham, Hodge Hill said. My right hon. Friend did not say that he would table amendments to the Bill on the matter in question. He did say that we were considering the position in relation to the powers of the Information Commissioner, and that we might table amendments, but we are in the process of considering things at the moment. I presume that that goes for the right hon. Gentleman as well; if not, he would surely have tabled his own amendments by now, but he has not.
The Minister will notice that I have tabled a number of new clauses that would, for example, bring election law into the 21st century. I think that the Secretary of State left the House with the impression yesterday that amendments to strengthen the power of the Information Commissioner would be pretty prompt. It is hard to see another legislative opportunity to put that ambition into effect, so perhaps the Minister will tell us whether we can expect amendments soon.
I can certainly reassure the right hon. Gentleman that we are looking at the matter seriously and, although I cannot commit to tabling amendments, I do not necessarily rule them out. I have to leave it at that for now.
On a more positive note, we should at least acknowledge that, although the Bill strengthens the powers of the Information Commissioner, her powers are already the gold standard internationally. Indeed, we must bear it in mind that the data privacy laws of this country are enabling American citizens to take Cambridge Analytica to court over data breaches.
I want to review some of the powers that the Bill gives the commissioner, but before I do so I will answer a point made by the right hon. Member for Birmingham, Hodge Hill. He said that the commissioner had had difficulties and had had to resort to warrants to pursue her investigation into a political party in the UK and both the leave campaigns in the referendum. She is doing all that under existing data protection law, which the Bill is strengthening. That is encouraging.
I did not want to intervene, but I have been struggling with the matter myself. There are allegations that a significant donor to Leave.EU was supported in that financial contribution by organisations abroad. As I spoke to the Financial Conduct Authority and tabled questions to the Treasury, it was revealed that there were no data sharing gateways between the Electoral Commission and the FCA.
I shall come back to the right hon. Gentleman on the relationship between the Information Commissioner and the FCA. I am sure that the information that he has already ascertained from the Treasury is correct, but there may be other ways in which the two organisations can co-operate, if required. The allegations are very serious and the Government are obviously very supportive of the Information Commissioner as she grapples with the current investigation, which has involved 18 information notices and looks as if it will be backed up by warrants as well. I remind the Committee that that is happening under existing data protection law, which the Bill will strengthen.
Question put and agreed to.
Clause 131 accordingly ordered to stand part of the Bill.
(6 years, 9 months ago)
Public Bill Committees
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.
Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.
However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European Data Protection Board and the EU Commission.
Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European Data Protection Board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.
We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.
These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.
New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).
New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.
Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.
I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.
We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.
The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.
What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.
To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.
Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.
I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.
Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.
Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?
The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—
It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?
If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.
There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.
As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.
There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.
Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.
The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.
The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.
I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.
If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.
The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.
We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.
The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.
What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.
To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.
Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.
I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.
Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.
Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?
The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—
It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?
If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.
There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.
As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.
There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.
Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.
The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.
The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.
I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.
If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.
The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.
(6 years, 9 months ago)
Public Bill Committees
Following engagement with local government stakeholders, we have recognised that the maximum time period permitted for responses to the subject access request set out in parts 3 and 4 of the Data Protection Bill subtly differs from that permitted under the GDPR and part 2 of the Bill. That is because the GDPR and, by extension, part 2 rely on European rules for calculating time periods, whereas parts 3 and 4 implicitly rely on a more usual domestic approach. European law, which applies to requests under part 2, says that when one is considering a time period in days, the day on which the request is received is discounted from the calculation of that time period. In contrast, the usual position under UK law, which applies to requests under parts 3 and 4 of the Bill, is that that same seven-day period to respond would begin on the day on which the request was received. In a data protection context, that has the effect of providing those controllers responding to requests under parts 3 and 4 with a time period that is one day shorter in which to respond.
To provide consistency across the Bill, we have decided to include a Bill-wide provision that applies the European approach to all time periods throughout the Bill, thus ensuring consistency with the directly applicable GDPR. Having a uniform approach to time periods is particularly helpful for bodies with law enforcement functions, which will process personal data under different regimes under the Bill. Without these amendments, different time periods would apply, depending on which regime they were processing under. Ensuring consistency for calculating time periods will also assist the Information Commissioner with her investigatory activities and enforcement powers, for example by avoiding the confusion and potential disputes that could arise relating to her notices or requests for information.
Amendment 71 provides for a number of exemptions to the European approach where deviating from our standard approach to time periods would be inappropriate. For example, where the time period refers to the process of parliamentary approval of secondary legislation, it would clearly not be appropriate to deviate from usual parliamentary time periods. The unfortunate number of amendments in this group comes from the need to modify existing language on time periods, currently worded for compliance with the usual UK approach, so that it applies the approach of the EU rules instead. I hope that this has provided the Committee with sufficient detail on the reasons for tabling this group of amendments.
Amendment 92 agreed to.
Question proposed, That the schedule, as amended, be the First schedule to the Bill.
We had a useful debate this morning about the whys and wherefores of whether the article 8 right to privacy should be incorporated into the Bill. Although we were disappointed by the Minister’s reply, what I thought was useful in the remarks she made was a general appreciation of the importance of strong data rights if the UK is to become a country with a strong environment of trust within which a world of digital trade can flourish.
I will briefly alert the Minister to a debate we want to have on Report. The reality is that we feel schedule 1 is narrowly drawn. It is an opportunity that has been missed, and it is an opportunity for the Minister to come back on Report with a much more ambitious set of data rights for what will be a digital century. When we look around the world at the most advanced digital societies, we can see that a strong regime of data rights is common to them all.
I was recently in Estonia, which I hope the Minister will have a chance to visit if she has not done so already. Estonia likes to boast of its record as the world’s most advanced digital society; it is a place where 99% of prescriptions are issued online, 95% of taxes are paid online and indeed a third of votes are cast online. It is a country where the free and open right to internet access is seen as an important social good, and a good example of a country that has really embraced the digital revolution and translated that ambition into a set of strong rights.
The Government are not averse to signing declaratory statements of rights that they then interpret into law. They are a signatory to the UN universal declaration of human rights and the UN convention on the rights of the child; the Human Rights Act 1998 is still in force—I have not yet heard of plans to repeal it—and of course the Equality Act 2010 was passed with cross-party support. However, those old statements of rights, which date back to 1215, were basically to correct and guard against dangerous imbalances of power. Things have moved on since 1215 and the worries that the barons had about King John. We are no longer as concerned as people were in 1215 about taking all the fish weirs out of the Thames, for example.
I understand the hon. Gentleman’s concerns. The GDPR requires data controllers to have a legal basis laid down in law, which can take the form, for example, of a statutory power or duty, or a common-law power. Any organisation that does not have such legal basis would have to rely on one of the other processing conditions in article 6. With regard to the amendment that was agreed to this morning, we think that further restricting clause 8 might risk excluding bodies with a lawful basis for processing. However, the hon. Gentleman is free to raise the issue again on Report.
Question put and agreed to.
Schedule 1, as amended, accordingly agreed to.
Clauses 11 to 13 ordered to stand part of the Bill.
Clause 14
Automated decision-making authorised by law: safeguards
I beg to move amendment 153, in clause 14, page 7, line 30, at end insert—
“(1A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).”
This amendment would clarify that the exemption from prohibition on taking significant decisions based solely on automated processing must apply to purely automated decisions that engage an individual’s human rights.
The amendments relate to automated decision making under the GDPR and the Bill. It is a broad category, which includes everything from trivial things such as music playlists, as mentioned by the hon. Member for Argyll and Bute, and quotes for home insurance, to the potentially more serious issues outlined by the right hon. Member for Birmingham, Hodge Hill of recruitment, healthcare and policing cases where existing prejudices could be reinforced. We are establishing a centre, the office for artificial intelligence and data ethics, and are mindful of these important issues. We certainly do not dismiss them whatsoever.
Article 22 of the GDPR provides a right not to be subject to a decision based solely on automatic processing of data that results in legal or similarly significant effects on the data subject. As is set out in article 22(2)(b), that right does not apply if the decision is authorised by law, so long as the data subject’s rights, freedoms and legitimate interests are safeguarded.
The right hon. Member for Birmingham, Hodge Hill, mentioned those safeguards, but I attribute far greater meaning to them than he implied in his speech. The safeguards embed transparency, accountability and a right to request that the decision be retaken, and for the data subject to be notified should a decision be made solely through artificial intelligence.
The Minister must realise that she is risking an explosion in the number of decisions that have to be taken to Government agencies or private sector companies for review. The justice system is already under tremendous pressure. The tribunal system is already at breaking point. The idea that we overload it is pretty optimistic. On facial recognition at public events, for example, it would be possible under the provisions that she is proposing for the police to use facial recognition technology automatically to process those decisions and, through a computer, to have spot interventions ordered to police on the ground. The only way to stop that would be to have an ex post facto review, but that would be an enormous task.
The right hon. Gentleman should be aware that just because something is possible, it does not mean that it is automatically translated into use. His example of facial recognition and what the police could do with that technology would be subject to controls within the police and to scrutiny from outside.
As the hon. Lady says, the police are trialling those things. I rest my case—they have not put them into widespread practice as yet.
Returning to the GDPR, we have translated the GDPR protections into law through the Bill. As I said, the data subject has the right to request that the decision be retaken with the involvement of a sentient individual. That will dovetail with other requirements. By contrast, the amendments are designed to prevent any automated decision-making from being undertaken under article 22(2)(b) if it engages the rights of the data subject under the Human Rights Act 1998.
Will the Minister explain to the Committee how a decision to stop and search based on an automated decision can be retaken? Once the person has been stopped and searched, how can that activity be undone?
I am not going to get into too much detail. The hon. Member for Sheffield, Heeley mentioned an area and I said that it was just a trial. She said that facial recognition was being piloted. I do not dispute that certain things cannot be undone. Similar amendments were tabled in the other place. As my noble Friend Lord Ashton said there, they would have meant that practically all automated decisions under the relevant sections were prohibited, since it would be possible to argue that any decision based on automatic decision making at the very least engaged the data subject’s right to have their private life respected under article 8 of the European convention on human rights, even if it was entirely lawful under the Act.
Amendments 10, 11 and 12 relate to clause 14, which requires a data controller to notify a data subject of a decision based solely on automatic processing as soon as is reasonably practicable. The data subject may then request that the data controller reconsider such a decision and take a new decision not based solely on automated processing.
The purpose of the amendments is to bring clause 14 into alignment with the directly applicable time limits in article 12 of the GDPR, thereby ensuring that both data subjects and data controllers have easily understandable rights and obligations. Those include giving the data subject longer to request that a decision be reconsidered, requiring that the controller action the request without undue delay and permitting an extension of up to two months where necessary.
Furthermore, to ensure that there is consistency across the different regimes in the Bill—not just between the Bill and the GDPR—amendments 23, 24, 41 and 42 extend the time limit provisions for making and responding to requests in the other regimes in the Bill. That is for the simple reason that it would not be right to have a data protection framework that applies one set of time limits to one request and a different set of time limits to another.
In a similar vein, amendments 27 and 28 amend part 3 of the Bill, concerning law enforcement processing, to ensure that controllers can charge for manifestly unfounded or excessive requests for retaking a decision, as is permitted under article 12 of the law enforcement directive. To prevent abuse, amendment 28 provides that it is for the controller to be able to show that the request was manifestly unfounded or excessive.
It would be useful if the Minister could say a little more about the safeguards around the controllers charging reasonable fees for dealing with requests.
It is quite easy to envisage situations where algorithms take decisions. We have some ex post facto review; a citizen seeks to overturn the decision; the citizen thinks they are acting reasonably but the commercial interest of the company that has taken and automated the decision means that it wants to create disincentives for that rigmarole to unfold. That creates the risk of unequal access to justice in these decisions.
If the Minister is not prepared to countenance the sensible safeguards that we have proposed, she must say how she will guard against another threat to access to justice.
The right hon. Gentleman asks a reasonable question. I did not mention that data subjects have the right of complaint to the Information Commissioner if the provisions are being abused. I also did not mention another important safeguard, which is that it is for the data controller to show that the request is manifestly unfounded or excessive. So the burden of proof is on the data controller and the data subject has the right of involving the Information Commissioner, if he or she contests the judgment taken in this context, concerning unfounded or excessive requests in the opinion of the data controller. I hope that satisfies the right hon. Gentleman.
Amendment 10 agreed to.
Amendments made: 11, in clause 14, page 8, leave out line 10 and insert “within the period described in Article 12(3) of the GDPR—”
This amendment removes provision from Clause 14(5) dealing with the time by which a controller has to respond to a data subject’s request under Clause 14(4)(b) and replaces it with a requirement for the controller to respond within the time periods set out in Article 12(3) of the GDPR, which is directly applicable.
Amendment 12, in clause 14, page 8, line 16, at end insert—
“(5A) In connection with this section, a controller has the powers and obligations under Article 12 of the GDPR (transparency, procedure for extending time for acting on request, fees, manifestly unfounded or excessive requests etc) that apply in connection with Article 22 of the GDPR.”—(Margot James.)
This amendment inserts a signpost to Article 12 of the GDPR which is directly applicable and which confers powers and places obligations on controllers to whom Clause 14 applies.
Clause 14, as amended, ordered to stand part of the Bill.
Clause 15
Exemptions etc.
I have just had a request to remove jackets, because of the warm temperature in the room. I give my permission to do so. I call the Minister.
Thank you, Mr Hanson. I agree with the tribute paid by the right hon. Member for Birmingham, Hodge Hill to the custodians of some of the most wonderful archives in the world. I will comment on his proposals with regard to such archives shortly, but I hope that recent debates have left no doubt in hon. Members’ minds that the Government are absolutely committed to preserving the freedom of the press, and maintaining the balance between privacy and freedom of expression in our existing law, which has served us well for so many years.
As set out in the Bill, media organisations can already process data for journalistic purposes, which includes media archiving. As such, we believe that amendment 170 is unnecessary and could be unhelpful. I agree with the right hon. Gentleman that it is crucial that the media can process data and maintain media archives. In the House of Lords, my noble Friend Lord Black of Brentwood explained very well the value of media archives. He said:
“Those records are not just the ‘first draft of history’; they often now comprise the only record of significant events, which will be essential to historians and others in future, and they must be protected.”—[Official Report, House of Lords, 10 October 2017; Vol. 785, c. 175.]
However, recital 153 indicates that processing for special purposes includes news archiving and press libraries. Paragraph 24 of schedule 2 sets out the range of derogations that apply to processing for journalistic purposes. That includes, for example, exemption from complying with requests for the right to be forgotten. That means that where the exemption applies, data subjects would not have grounds to request that data about them be deleted. It is irrelevant whether the data causes substantial damage or distress.
However, if media organisations are archiving data for other purposes—for example, in connection with subscriber data—it is only right that they are subjected to the safeguards set out in article 89(1), and the Bill provides for that accordingly. For that reason, I hope that the right hon. Gentleman agrees to reconsider his approach and withdraw his amendment.
I am happy to withdraw the amendment, although I would say to the Minister that the helpful words we have heard this afternoon will not go far enough to satisfy the objections that we heard from organisations. We reserve the right to come back to this matter on Report. We will obviously consult the organisations that helped us to draft the amendment, and I urge her to do the same. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Schedule 2, as amended, agreed to.
Schedule 3
Exemptions etc from the GDPR: health, social work, education and child abuse data
Amendments made: 111, in schedule 3, page 160, line 21, leave out
“with the day on which”
and insert “when”.
This amendment is consequential on Amendment 71.
Amendment 112, in schedule 3, page 162, line 3, leave out paragraph 16 and insert—
“16 (1) This paragraph applies to a record of information which—
(a) is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),
(b) relates to an individual who is or has been a pupil at the school, and
(c) originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).
(2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.
(3) The schools referred to in sub-paragraph (1)(a) are—
(a) a grant-aided school;
(b) an independent school.
(4) The persons referred to in sub-paragraph (1)(c) are—
(a) a teacher at the school;
(b) an employee of the Education Authority, other than a teacher at the school;
(c) an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;
(d) the pupil to whom the record relates;
(e) a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).
(5) In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).”
This amendment expands the types of records that are “educational records” for the purposes of Part 4 of Schedule 3.
Amendment 113, in schedule 3, page 164, line 7, leave out
“with the day on which”
and insert “when”.—(Margot James.)
This amendment is consequential on Amendment 71.
Schedule 3, as amended, agreed to.
Schedule 4 agreed to.
Clause 16
Power to make further exemptions etc by regulations
Question proposed, That the clause stand part of the Bill.
We agree that the clause offers Ministers a rather sweeping power to introduce new regulations. Over the course of what has been quite a short day in Committee we have heard many reasons to be alarmed about equipping Ministers with such sweeping powers. We proposed an amendment to remove the clause, which I think was not selected because we have this stand part debate. What we need to hear from the Minister are some pretty good arguments as to why Ministers should be given unfettered power to introduce such regulations without the effective scrutiny and oversight of right hon. and hon. Members in this House.
I am glad that the right hon. Gentleman feels we have had a short day in Committee. In answer to his questions and those of the hon. Gentleman, the order making powers in clauses 16 and 113 allow the Secretary of State to keep the list of exemptions in schedules 2 to 4 and 11 up to date. As I mentioned when we discussed order making powers in relation to clause 10 and schedule 1, we carefully reviewed the use of such powers in the Bill following recommendations from the Delegated Powers and Regulatory Reform Committee. We think an appropriate balance has now been struck. It might be helpful if I explain the reasons for our thinking.
Clause 16 includes order making powers to ensure that the Secretary of State can update from time to time the particular circumstances in which data subjects’ rights can be disapplied. That might be necessary if, for example, the functions of a regulator are expanded and exemptions are required to ensure that those new functions cannot be prejudiced by a data subject exercising his or her right to object to the processing.
We believe it is very important that the power to update the schedules is retained. Several of the provisions in schedules 2 to 4 did not appear in the Data Protection Act 1998 and have been added to the Bill to address specific requirements that have arisen over the last 20 years.
For example, the regulatory landscape has changed dramatically since the 1998 Act. Organisations such as the Bank of England, the Financial Conduct Authority and the National Audit Office have taken on a far broader range of regulatory functions, and that is reflected in the various amendments we have tabled to paragraphs 7 to 9 of schedule 2, to provide for a broader range of exemptions. No doubt, there will be further changes to the regulatory landscape in the years to come. Of course, other exemptions in schedule 2 have been carried over from the 1998 Act, or indeed from secondary legislation made under that Act, with little change. That does not mean, however, that they will never need to be amended in the future. Provisions made under the 1998 Act could be amended via secondary legislation, so it would seem remiss not to afford ourselves that same degree of flexibility now. If we have to wait for primary legislation to make any changes, it could result in a delay of months or possibly years to narrow or widen an extension, even where a clear deficiency had been identified. We cannot predict the future, and it is important that we retain the power to update the schedules quickly when the need arises.
Importantly, any regulations made under either clause would be subject to the affirmative resolution procedure. There would be considerable parliamentary oversight before any changes could be made using these powers. Clause 179 requires the Secretary of State to consult with the Information Commissioner and other interested parties that he considers appropriate before any changes are made.
I hope that that reassures Members that we have considered the issue carefully. I commend clause 16 to the Committee.
Question put, That the clause stand part of the Bill.
The Committee proceeded to a Division.
(6 years, 9 months ago)
Public Bill Committees
It is a pleasure to serve under your chairmanship, Mr Hanson. Clause 1 is a signposting overview of the Bill. It is not intended to have any effect other than to help us to navigate such a large Bill; I trust that hon. Members agree that it achieves its purpose.
It is a pleasure to serve under your chairmanship, Mr Hanson. Looking around the Committee Room, I see that you have an extremely unruly bunch of hon. Members to police in the next couple of weeks, but I know that you will do so with skill and care.
The Opposition do not wish to object to clause 1, which is basically the foundation stone of the Bill. We wish only to underline the Bill’s peculiarity in that it seeks to incorporate a piece of European legislation into British law without actually reproducing the legislation in question. Throughout the debate, we will hear references to the general data protection regulation—GDPR—a text that appears nowhere in the Bill. I hope that over the coming weeks the Committee will therefore focus on a series of principles for data protection. The Opposition will move amendments to enshrine those principles more firmly into our law. Beyond that, I have no objections to this foundation stone of the Bill.
Question put and agreed to.
Clause 1 accordingly agreed to.
Clause 2
Protection of personal data
Question proposed, That the clause stand part of the Bill.
I thank speakers for their thoughtful contributions. I share many of their concerns, as do the Government, particularly with regard to adequacy, which I will talk about in more detail. I think we are all agreed that after Britain leaves the European Union we must be able to negotiate an adequacy agreement for the free flow of data between us and the EU. That is absolutely essential.
First, the GDPR implements the right to data protection and more. It is limited in scope, but the Bill also implements data protection rights on four areas beyond GDPR. It applies GDPR standards to personal data beyond EU competence, such as personal data processed for consular purposes or national security. Secondly, the Bill applies the standards to non-computerised and unstructured records held by public authorities that the GDPR ignores. Thirdly, the Bill regulates data processed for law enforcement purposes. Fourthly, it covers data processed by the intelligence services.
There is no doubt in our minds that we have fully implemented the right to data protection in our law and gone further. Clause 2 is designed to provide additional reassurance. Not only will that be clear in the substance of the legislation, but it is on the face of the Bill. The Bill exists to protect individuals with regard to the processing of all personal data. I think this is common ground. We share Opposition Members’ concern for the protection of personal data. It must be processed lawfully, individuals have rights, and the Information Commissioner will enforce them.
New clause 12 creates a new and free-standing right, which is the source of our concern. Subsection (1) is not framed in the context of the Bill. It is a wider right, not constrained by the context of EU law. However, the main problem is that it is not necessary. It is not that we disagree with the thinking behind it, but it is not necessary and might have unforeseen consequences, which I will come to.
Article 6 of the treaty on European Union makes it clear that due regard must be had to the explanations of the charter when interpreting and applying the European charter of fundamental rights. The explanations to article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection. The Government have absolutely no plans to withdraw from the European Court of Human Rights.
The new right in new clause 12 would create confusion if it had to be interpreted by a court. For rights set out in the Human Rights Act, there is a framework within which to operate. The Human Rights Act sets out the effect of a finding incompatible with rights. However, new clause 12 says nothing about the consequences of potential incompatibility with this new right to the protection of personal data.
The Minister is rehearsing the argument that was made in the other place before the requirements that we put into our amendments. She can see as well as me that the new clause was rewritten so that, under subsection (2), it is to be interpreted only
“in accordance with the provisions, exceptions and derogations of this Act;”.
So the idea that we are creating some kind of new and unfettered right is nonsense. We had this debate in the other place. We made refinements and they have been presented in the new clause.
If there is no dispute about the importance of adequacy and of putting it beyond risk, what is the problem with putting the question beyond doubt and dispute and incorporating the same foundation that is enjoyed in the European Union into British law?
New clause 12 takes article 8 of the charter outside that context and creates a free-standing right. That is the potential for confusion. New clause 12 says nothing about the consequences of incompatibility with the new right to the protection of personal data. That would create legal, regulatory and economic uncertainty. We are endeavouring not just to ensure adequacy after we leave the European Union, but to go beyond the mere requirement for adequacy, as the Prime Minister set out in her speech almost two weeks ago.
Further, how would the courts approach other legislation in the light of this new right? One has to ask how they would approach other rights. Could this new right be balanced against other rights?
It is not a new right; it is a roll-over of an existing right. I have not heard of a case prosecuted in British courts where there was a problem with balancing the right that we currently enjoy with anything else. We simply seek to roll this right over into the future.
That brings me on to my other point: not only does this roll-over, as the right hon. Gentleman puts it, threaten to create confusion and undermine other rights, but it is unnecessary. The charter of fundamental rights merely catalogues rights that already exist in EU law; it is not the source of those rights. The rights, including to data protection, which is, importantly, what we are here to debate, arise from treaties, EU legislation and case law. They do not arise from the European charter of fundamental rights, so we argue that the new clause is completely unnecessary.
The European Union (Withdrawal) Bill fully protects the rights to data protection in our law. As I said earlier, we are seeking not only adequacy after Brexit, but a continuing role in conjunction with the bodies in Europe that govern the GDPR, with the idea that we continue to contribute our expertise and benefit from theirs.
I am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.
First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.
Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.
As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.
The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?
The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.
Clause 7 defines the meaning of “public authority” for the purposes of the GDPR. Generally speaking, “public authority” will have the same meaning as the definition used in the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002. Those Acts list a wide range of public authorities, including Departments, local authorities and NHS bodies. As the new legislation beds in, the list of authorities imported from those Acts may need to be adapted to function properly in a data protection setting rather than a freedom of information setting. Clause 7(1) therefore allows the Secretary of State to specify in regulations that additional bodies are public authorities for the purposes of data protection legislation. Conversely, subsection (3) allows the Secretary of State to specify that certain bodies are not to be treated as public authorities, even if they are defined as such for the purposes of freedom of information legislation.
Amendments 7 and 8 clarify that the Secretary of State may describe bodies that are or are not public authorities in addition to specifying them. They are technical amendments designed to improve the terminology used in relation to the Secretary of State’s regulation-making powers. Amendments 18 and 19 make corresponding provisions in relation to part 3 of the Bill.
Amendment 62 is designed to ensure that regulations made under clause 7 will not be considered as hybrid instruments. Regulations made under the clause are already subject to the affirmative resolution procedure, and the general duty to consult before making regulations, which is set out in clause 179, also applies. In this setting, the hybrid procedure would add nothing but bureaucracy.
The amendments look like tidying-up amendments, but it would help if the Minister put on the record the extent to which they will allow the Bill to bite effectively on the nation’s schools. Obviously, schools collect a great deal of data. They often hold not only exam data but data relating to eligibility for free school meals, and most schools operate systems such as ParentPay, which means that they capture children’s biometrics. Anything to do with the protection of children’s data has to be treated incredibly seriously. The school system in this country has been balkanised—often, academies are set up as private sector entities in complex chains and have problematic governance arrangements—so I think we would all benefit from the Minister saying a few words about the Bill’s bite on schools, academies and colleges. Will she also say a little more about her plans to ensure that there are statutory codes of practice to which everyone who provides education services must adhere?
I thank the right hon. Gentleman for his comments. Obviously, we share his concern about the protection of children. He cites important and highly sensitive personal data such as biometrics. Schools, like all bodies, must have a legal basis—the public interest or the normal course of their business—for processing personal data.
The right hon. Gentleman raises safeguarding. Later in our deliberations, my hon. Friend the Under-Secretary of State for the Home Department will introduce Government amendments to strengthen the safeguarding aspects of the processing of personal data. Schools are public authorities, and GDPR protections intended for authorities will apply, as I said. Schedule 3 provides further and specific protection on the points that he raises.
Will the Minister set on the record explicitly the fact that academies are covered in the same way as schools? An academy may be set up by a private sector organisation, set up as a charitable body, or set up in a way that is outwith the formal education system. Ofsted has raised concerns about unregulated schools, for example. Can she confirm whether organisations that provide education services—whether they are academies, charities or local education authority schools—are governed by the codes? Crucially, can she confirm that she will publish the code of practice?
I certainly can confirm that the schools that the right hon. Gentleman has cited—academies run by private sector organisations and/or charities—are public authorities for the purposes of the Bill, and will be subject to the same protections.
Question put and agreed to.
Amendment made: 8, in clause 7, page 5, line 13, after “specified” insert “or described”.—(Margot James.)
See the explanatory statement for Amendment 7.
Clause 7, as amended, ordered to stand part of the Bill.
Clause 8
Lawfulness of processing: public interest etc
I beg to move amendment 9, in clause 8, page 5, line 29, at end insert—
“( ) an activity that supports or promotes democratic engagement.”
This amendment adds a reference to processing of personal data that is necessary for activities that support or promote democratic engagement to Clause 8 (lawfulness of processing: public interest etc).
Since the Bill’s introduction, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. As my noble Friend Lord Ashton set out in the other place, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data.
Having considered the matter further since the debates in the other place, the Government have concluded that it would be prudent to include a provision in the Bill to provide greater clarity to those operating in the area of democratic engagement. Helpfully, clause 8 already provides high-level examples of processing activities that the Government consider could be undertaken on grounds of public interest if the data controller can demonstrate that the processing is necessary for the purposes of the processing activity. As a consequence of the importance that the Government attach to the matter, amendment 9 adds to that list
“an activity that supports or promotes democratic engagement.”
That term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights. We think that that could include communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveys and opinion gathering and fundraising to support any of those activities. Any processing of personal data in connection with those activities would have to be necessary for their purpose and have a legal basis. We will ensure that the explanatory notes to the Bill include such examples, to assist the interpretation of what this provision might mean in practice.
The amendment does not seek to create a partisan advantage for any one side or to create new exemptions from the data protection legislation. It is intended to provide greater clarity. It is also independent of any particular technology, given that in a short time we have moved from physical post to email, Twitter, text messages, WhatsApp, Facebook and so forth.
The Government are always open to suggestions of what else could be done to ensure legal and operational clarity for political parties and elected representatives. Further work might be needed to ensure that their current activities have the legal basis required to rely on the public interest condition. The Government will shortly engage with political parties via the parliamentary parties panel to discuss the matter further and in more detail.
I was surprised and not a little troubled that the Minister did not include the opportunity of creating Member-specific apps in her list—especially those which suck out the pictures from someone’s phone without their permission. Presumably that was not included in her list because that is already illegal.
I am grateful to the Minister for tabling the amendment and for her earlier correspondence with my noble Friend Lord Kennedy. She undertook to reflect on that correspondence and bring forward amendments. She helpfully set out a list of some of the activities that may be undertaken by a political party that fall within the ambit of the amendment. She gave a pretty comprehensive list, but will she put beyond doubt whether canvassing and collecting canvass returns were in her mind when she tabled the amendment and are therefore covered by the amendment? That would be extremely helpful.
The amendment is well intentioned. The health of our democracy is important to all parties. We look forward to the conversations that she will broker through the parliamentary parties panel.
The clause is an important topic of debate because it enshrines the Government’s derogation from European frameworks in law and sets the minimum age of consent for data processing at 13 rather than 16.
That derogation was invented before social media companies arrived at their current strength and delivered the very wide and sophisticated range of tools that help ensure that children become almost addicted to social media devices. In the debate on this topic over the last two or three months there have been fresh revelations from leaders of social media firms that they forbid their children to engage in the apps that their companies deliver. We have had revelations from engineers who have worked at companies such as Facebook, Twitter and Instagram that a great deal of thought goes into how they create devices and forms of interaction that encourage that basic addiction to their apps.
We are at the beginning of what I hope is a period of re-regulation and better regulation of these firms, so that we can do away with many of the risks that affect our children. In a way, I was encouraged to see the Secretary of State’s interview with The Times on Saturday, in which he said very clearly that he would like to see better regulation of social media firms in this country before his own children are tempted to engage in this exciting online world. Many of us have children who are already engaged in this and, as a parent, I have real concerns about the freedom with which social media companies can develop and deliver these techniques, as well as their freedom to take a rather relaxed view of taking down often unfortunate and extremist content. I know that we will have this debate later, and we have tabled amendments to encourage the Government to set a deadline for reforming the electronic commerce directive.
It is important to draw a little more out of the Government about how they see the safeguards coming into place around clause 9. We have not sought to challenge the derogation the Government seek to enshrine in the Bill, but we ensured widespread support for Baroness Kidron’s amendment on the creation of an age-appropriate code. However, rather than simply wave clause 9 through, it is incumbent on the Minister to say a little about how she will ensure that there are adequate safeguards in place to protect our children from the very threats the Secretary of State lit up in lights on Saturday.
I support the general tone of the right hon. Gentleman’s comments. I too was pleased to see the interview with the Secretary of State, his focus on the addictive nature of some of these apps and the idea that there could be within the technology a means of limiting the time children spend on them, which parents could click on. The Information Commissioner’s Office will publish guidance shortly on how clause 9 will work and what those safeguards will be. She will take into consideration an age-appropriate design, as suggested by Baroness Kidron.
Overall, where online services referred to in the Bill as “information society services” choose to rely on consent as the basis for their processing, article 8 of the GDPR sets the age below which a website must obtain the parents’ and not the child’s consent. Most websites will be captured by this additional safeguard, ranging from online banking to search engines to social media, with social media probably being the most relevant to the age group in question.
The GDPR gives member states the flexibility to set this age within a prescribed range of between 13 and 16. The Bill sets it at 13, with an exception for preventive and counselling services, for which the test is based purely on the child’s capacity to understand what they are being asked to consent to. The Government are satisfied that the Information Commissioner’s Office has adequate enforcement powers, including large fines for any offences committed in this area.
We support these amendments very strongly, and if possible we would like to test the Committee’s will on this. The Bill has a succession of Henry VIII powers at a number of different clauses, which in effect give the Secretary of State the power to vary and amend regulations that are incredibly important. We cannot detach this debate from the earlier debate on the incorporation of article 8. We now have a Bill that is pretty weak on the fundamental principles of law that it seeks to enshrine; the Government want to set their face against incorporating some protections that we have in the European charter of fundamental rights. Therefore, the idea that we leave out some fundamental protections of rights, but then hand over to the Minister unfettered power to make regulations as he or she sees fit, does not seem to be in Parliament’s best interest. We think that the Government need to think again.
The powers in this particular clause create the possibility that exemptions to data protection rights, which have not been considered or debated in Parliament, go through effectively at the whim of the Minister. Those powers are enshrined in clause 10, and in clauses 35 and 86; we will come on to those debates, but the powers that clause 10 proposes to grant the Minister are in effect unilaterally to vary the conditions and safeguards governing the general processing of sensitive personal data—the general data set out in schedule 1—and then to add new conditions to schedules 1, 8 and 10.
That means that we would basically give the Secretary of State the power to expand the permissible reasons to allow processing of sensitive personal data, both generally and particularly for law enforcement and intelligence agencies. That is something that has been considered extensively in the other place. The House of Lords Constitution Committee said:
“The Government’s desire to future-proof legislation…must be balanced against the need for Parliament to scrutinise and, where necessary, constrain executive power.”
The Delegated Powers and Regulatory Reform Committee said that
“it is not good enough for Government to say that they need ‘flexibility’ to pass laws by secondary instead of primary legislation without explaining in detail why”.
The Ministers slightly let the cat out of the bag when Baroness Chisholm spoke up for the Government and said that if they were to accept the Committee’s recommendations in full that would
“leave the Government unable to accommodate developments in data processing and the changing requirements of certain sectors”—[Official Report, House of Lords, 11 December 2017; Vol. 787, c. 1464.]
That includes, for example, the insurance sector. That is patently nonsense. It would not constrain the Government’s ability to introduce wise regulations in this place; it would simply constrain the Government’s ability to do that unilaterally without effective recourse to Parliament. We are seeking a very clear Government explanation as to why the Secretary of State, not Parliament, should be empowered to alter the data protection regime to keep it up to date, and that explanation needs to be all the more robust following the remarks that the Minister has made about her attitude towards incorporating the fundamental right of privacy in British law.
We think that the amendments would be sensible constraints on Henry VIII powers. There is wide consensus across both Houses that they are necessary. They will not damage or diminish the Secretary of State’s ability to keep regulation up to date. Many of us have been in this place long enough to know that it is perfectly within the Executive’s power to keep regulatory reform on track if the political will is there. We are asking for a defence of Parliament’s right to oversee, scrutinise and, where necessary, constrain the powers of the Secretary of State to regulate in this field.
Following recommendations by the Delegated Powers and Regulatory Reform Committee, we have considered carefully the use of the Bill’s order-making powers and amended the Bill in the House of Lords to provide additional safeguards for the exercise of those powers, but Members of the Lords on all sides of the House agreed that it was essential to retain the order-making powers in the Bill as amended.
I will explain how the powers will be used in practice. Article 9 of the GDPR prohibits the processing of special categories of personal data unless one of the exemptions in paragraph 2 of article 9 applies. The exemptions include, for example, the situation where processing is necessary for reasons of substantial public interest. Schedule 1 to the Bill provides a series of processing conditions for special categories of data under article 9 and criminal convictions data under article 10. Most of those processing conditions have been imported from the Data Protection Act 1998 and statutory instruments made under that Act, but some of them are new—for example, the conditions on anti-doping in sport or processing for insurance purposes. They have been added to reflect the way in which the use of data has changed over the past 20 years.
Amendment 129 would remove the ability to amend schedule 1 via secondary legislation. That would be particularly damaging because it would mean that primary legislation might be needed every time the need for a new processing activity involving special categories of data arose. The 1998 Act was itself amended several times through secondary legislation, and it is important that we retain the flexibility to respond to emerging technologies and the different ways in which data might be used in the future.
It is interesting to note that the hon. Member for Sheffield, Heeley has tabled an amendment to schedule 1 that would add a completely new processing condition in relation to maintaining the missing persons register. My hon. Friend the Under-Secretary of State for the Home Department will touch on the merits of that proposal later, but the fact that others in the Committee are considering further changes to schedule 1 illustrates the point that schedule 1 cannot simply freeze the regimes in parts 3 and 4 of the Bill. I urge colleagues to resist the amendment.
It does happen. That is not a new provision, but one that was imported from the current law. Unfortunately, some crucial words were accidentally lost in the process of importing it. The amendment reinstates them.
Schedule 1 sets out UK domestic legislation to allow the processing of particularly sensitive data in certain circumstances. The Government’s view is that the processing of such data must be undertaken with adequate and appropriate safeguards to ensure that individuals’ most sensitive data is appropriately protected. One of those safeguards is the new requirement for an appropriate policy document to be maintained in most circumstances when special categories of data and criminal convictions data are processed. That is set out in paragraph 5 and part 4 of the schedule.
Since the Bill’s introduction, we have reflected on whether there are cases where the requirement to hold an appropriate policy document is so disproportionate that, rather than improving protections, it effectively prevents the necessary processing from taking place. Amendments 79, 82 and 90 remove the requirement for a controller to have an appropriate policy document where processing involves the disclosure of special category data to a competent authority for the detection or prevention of an unlawful act, the disclosure of special category data for specific purposes in connection with journalism, or the disclosure of special category data to an anti-doping authority. Amendment 80 defines what is meant by “competent authority”. The aim of those amendments is to avoid a scenario in which an individual who never normally processes data under schedule 1 wishes to report a crime, report something of public interest to the media or report doping activities in sport and, in so doing, processes special categories of data and would have to have in place an appropriate policy document.
Amendment 76 reflects that change to the requirement to have an appropriate policy document by inserting the words, “Except as otherwise provided” in paragraph 5 of the schedule. Amendments 87 and 89 make it clear that, in the context of schedule 1, “withholding consent” means doing something purposeful, not just neglecting to reply to a letter from the data controller. That avoids a world in which data controllers have an incentive not to bother requesting consent in the first place.
Paragraph 31 of the schedule requires the controller to have an appropriate policy document in place when relying on a processing condition in part 2 of the schedule to process criminal convictions data. However, all the provisions in part 2 are subject to the policy document requirement except where noted, so there is no reason to state it again in paragraph 31. Amendment 91 removes that duplicate requirement. It is simply a tidying-up amendment to improve the coherence of the Bill.
(6 years, 9 months ago)
Commons Chamber
I thank all Members for their contributions to this excellent and wide-ranging debate and their lordships for the immense amount of work that they have done on the Bill thus far. Members on both sides of the House want a Bill that protects personal data and allows individuals to maintain control over what is their property and what is important to them, and we want these rights to be enforceable. That is a positive start on which we can all agree.
Various Members, including the hon. Member for Bristol North West (Darren Jones), the right hon. Member for East Ham (Stephen Timms) and the shadow Minister, stressed the importance of the continuity of adequacy post Brexit. The hon. Member for Bristol North West asked what the Prime Minister meant by saying that she wanted to achieve more than adequacy. It was, I am sure, to ensure that the Information Commissioner can continue her excellent contribution to the evolution of the GDPR through her association with the European data protection board, when that comes into being.
The hon. Member for Argyll and Bute (Brendan O’Hara), the hon. and learned Member for Edinburgh South West (Joanna Cherry), the right hon. Member for Kingston and Surbiton (Sir Edward Davey) and many others mentioned immigration. I want to reassure the House that we are seeking not a blanket exemption, but something that can be applied only when complying with a certain right would be likely to prejudice the maintenance of effective immigration control. Every request to exercise a right under the GDPR would still have to be considered on its individual merits, and the rights of appeal required by the GDPR remain in place.
There was a great deal of debate about the freedom of the press. In the short time that I have, I cannot do justice to the fantastic contributions from my hon. Friends the Members for North Devon (Peter Heaton-Jones) and for South Dorset (Richard Drax) and the hon. Members for Edinburgh West (Christine Jardine) and for Keighley (John Grogan). We heard the real show stopper from my hon. Friend the Member for North East Somerset (Mr Rees-Mogg), who was listened to with rapt attention as he contrasted the pretence of freedom of speech with the reality of control, which would be the result of the amendments to which we have been asked to agree. The Government have been clear that we will attempt to defeat them in this place.
We have had a very valuable debate. We have touched on various issues—children and social media, artificial intelligence and cyber-resilience—and there are others that we will address subsequently.
I will have plenty of time in Committee to debate with the right hon. Gentleman. I am sure that we all agree that the Bill is important and timely.
(6 years, 10 months ago)
General Committees
I thank my right hon. Friend for confirming what I suspected. My right hon. Friend the Secretary of State is extremely able in the digital world, and I am sure that what he has put out is of very high quality.
I wish to respond to some of the criticisms and questions from the debate. First and foremost, over the choice of the BBFC—
Tom Bateman, a political editor with BBC politics, tells us he denied the app access to his photos and yet it uploaded pictures anyway, so it is not clear to me how the Secretary of State has been able to produce this app in a way that is violating the country’s privacy laws.
(7 years, 5 months ago)
Commons Chamber
I do agree with my hon. Friend. The figures suggest that nearly 20% of people on zero-hours contracts are students. Such flexibility also benefits many people who have parenting or caring responsibilities and do not want to work full-time. We certainly do not want to end that flexibility but, as I have said, we do want to improve protection.
The gig economy brings insecure work. Insecure work demands new rights, but those rights will be worthless unless the Government are prepared to put more resources into enforcement, regulation and inspection. Will the Minister commit herself to providing those additional resources when implementing the Taylor review?
I very much agree with the right hon. Gentleman that enforcement is crucial. As I said, we have doubled the resources available to HMRC for enforcing the minimum wage and they will continue to rise throughout this Parliament. We have also strengthened the powers of the Gangmasters and Labour Abuse Authority, and the recently appointed director of labour market enforcement has been tasked with bringing the work of the three major enforcement bodies together to understand the extent of the abuse and to recommend ways of giving those agencies the resources that will enable them to deal with it. I hope that the right hon. Gentleman will be pleased with the outcome, in due course.
(11 years, 11 months ago)
Commons Chamber
I shall give way to people who were here at the start of the debate, rather than to those who have wandered in late. This is an important debate. The point that I want to make, before I give way to the hon. Member for Stourbridge (Margot James), is that we are learning today who is being asked to pick up the bill for this catastrophic economic failure. It is not Britain’s richest citizens, who are now so hard pressed and under the cosh that they are being given a tax cut. From next year, millionaires will have £107,000 more to help them to heat their swimming pools. It is not Britain’s millionaires who are picking up the tab; it is Britain’s working families. The measures in the Bill are a strivers’ tax, pure and simple.
Is the right hon. Gentleman going to acknowledge the 1 million extra jobs that have been created since 2010? Will he also acknowledge that the number of people claiming tax credits escalated to an unsustainable level under his Government? The country cannot afford to have 50% of the population either claiming tax credits or in receipt of benefits. That is unsustainable.
I look forward to coming to Stourbridge and helping to explain to the 6,500 people there who are on tax credits that their Member of Parliament thinks that the money they are getting is unsustainable. I happen to think that those 6,500 people, whom the hon. Lady has just dismissed, need every pound of the tax credits that Labour delivered when we were in office.