Artificial Intelligence Sector Deal

Margot James Excerpts
Thursday 26th April 2018


Commons Chamber
The Minister for Digital and the Creative Industries (Margot James)

With permission, Mr Speaker, I will make a statement today in response to the Government’s publication of the sector deal for artificial intelligence—a major collaboration with industry to secure the UK’s global leadership in AI and data.

AI holds transformative potential for every aspect of our lives—from how we travel to how we work and live—and for every sector of the economy. For the UK, the prize is clear: potentially adding 10% to our GDP by 2030 if adoption is widespread, with a productivity boost of up to 30%. In pursuing that prize, we start with strong foundations. The UK was recently ranked first among OECD countries in the Oxford Insights Government AI readiness index and is home already to globally recognised AI companies, including DeepMind, Swiftkey and Babylon Health. This success is supported by the UK’s strong combination of world-leading universities that drive skills and research and development, a thriving venture capital market for AI that leads among economies of comparable scale and trusted universal public institutions such as our NHS that can pioneer data-driven innovation and connect the power of AI to the public good.

The sector deal that we have published today on govt.uk outlines how we are intending to build on those foundations and on the independent review led by Professor Dame Wendy Hall and Jérôme Pesenti, reflecting that review’s spirit of partnership and consultation between the Government, industry and academia. In skills, we have made it the UK’s ambition to be home to the world’s best and brightest minds in AI. We will support the Alan Turing Institute’s plans for expansion to become the national academic institute for AI and data science.

We will create 200 additional PhDs in AI and related disciplines by 2021, rising to 1,000 Government-backed PhD places at any one time by 2025. We have set a target of 200 places for an industry-funded AI master’s programme and we will introduce an internationally competitive Turing fellowship programme in AI. We are also doubling tier 1 exceptional talent visas to 2,000 a year to attract the brightest minds to the UK. In infrastructure, we will ensure that the ambition of our AI sector is matched by the means of delivery in communications, in data and in supercomputer capacity.

In telecoms, we are investing more than £1 billion to create a country with world-class digital capabilities from 5G mobile networks to full-fibre broadband. In supercomputer capacity, we are pleased to announce that, as part of the sector deal, the University of Cambridge will make the UK’s fastest academic supercomputer, capable of solving the largest scientific and industrial challenges at speed, available to AI technology companies. This complements Government support for start-ups’ access to hardware via the Digital Catapult’s machine intelligence garage and builds on Cambridge’s existing track record as a hub for AI and technology.

We are also investing in data, because data is infrastructure; just as roads help us to reach a destination, data helps us to reach a decision. For AI systems, data is the experience that they learn from to be able to process information and interact usefully with the world and its citizens. This Government have always valued the economic benefits of pioneers having access to high-quality public datasets, but some of the most useful datasets for AI are those that organisations are reluctant to share with others, perhaps because they have commercial value. The world’s first centre for data ethics and innovation will therefore work to unlock the usefulness of that data, while protecting its value for those organisations and, most importantly, keeping people’s data secure. We want AI-led growth to be both empowering and inclusive, and that applies to our approach to data. This also informs our commitment that the benefits of AI should be felt across the whole country.

The sector deal makes a commitment to establish clusters and regional tech hubs designed to power AI growth across the entire country. We will invest £21 million in Tech City UK over four years so that it can expand into Tech Nation, thus transforming the UK from a series of stand-alone tech hubs into a powerful network that can place the nation firmly at the top of the global tech rankings. The new Tech Nation’s AI programme will operate in two or three key clusters where there is existing AI expertise and a potential to provide the mentoring, growth and support that is needed for ambitious AI businesses to thrive.

Industry shares our ambition to link promising AI clusters into a powerful network of high-growth AI businesses, and the sector deal confirms that. For instance, Barclays is launching the bank’s first Scottish Eagle Lab in Edinburgh, in a new partnership with the UK’s largest tech incubator CodeBase, to help AI businesses go from start-up to scale-up.

Taken together, these measures send a signal to AI business, science and research communities around the world. The UK will attract talent, invest and lead on standards and ethics. That message is made clear by the investment of industry that, along with investment from the Government, forms a total package of almost £1 billion. That sits alongside the £250 million already allocated for connected and autonomous vehicles, and the £1.7 billion that has been announced for the cross-sectoral industrial strategy challenge fund thus far.

Our ambition in AI will not stop at this sector deal. This is only the start of UK plans to seize the opportunities of modern technology and to ensure that it follows the highest ethical standards. By so doing, we will ensure that we can build a Britain that is fit for the future. I commend this statement to the House.

Mr Speaker

Ordinarily, a shadow Minister is expected to take no more than half the length of time taken by the Minister, and they certainly should not exceed five minutes maximum. But I simply say to the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) that it is not obligatory to take that full length of time, and he need not think that he is doing the House or the nation a gross disservice if he takes less time.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

I am grateful for that guidance, Mr Speaker.

It is always good to see the Minister in her place. She certainly knows how to pack the House with her statements. I am sorry that I am not able to respond to the detail of her statement, but it only came to me by email at 11.25 am, so I was not able to see it in advance. None the less, it is good of her to show up and present her plans, which were first presented to The Times, rather than to Parliament. It is welcome that the Government have now decided to step into the breach where a policy should be. It is a shame that the Minister has allowed the French, the Americans, the South Koreans and the Chinese to get there first, but better late than never.

From what I can divine from what the Minister said to the House, no new money has been announced today. Rather, a top-down earmarked amount of cash has already been handed out to research councils. That is fine as far as it goes, but it is an awful long way short of the £1 billion of funding that President Macron has just announced to support artificial intelligence in France.

As the Minister knows, a strong AI sector in this country will be built on three basic foundations: good networks, which support the internet of things; trust, which supports big data; and skills, which require a great education system. Today, our science spend is, I am afraid, in the second league, our digital networks are lamentable, our framework of trust is hopelessly out of date—in fact, we still have no date for the Data Protection Bill returning to this House—and our skills base is alarmingly thin. Indeed, the Government prayed in aid Jérôme Pesenti in their strategy this morning, but he was told by the Government that he was not allowed to look at the maths curriculum, as he told the House of Lords Artificial Intelligence Committee when he was giving evidence to its inquiry. That is why we call for science spend not at 2.4% of GDP, but up at 3%. We think there should be universal provision of networks at 30 megabits per second, a Bill of digital rights to restore trust and a national education service to restore the skills base.

In the interests of brevity, Mr Speaker, I have some specific questions for the Minister. First, the sector plan makes great play of a £2.5 billion investment fund delivered by the British Business Bank. Is this just for AI, or for innovation generally? Is it DEL—departmental expenditure limit—funding or loan guarantees? Is it intended to deliver grants or loans? When does that money come online? Is it, in other words, spin over substance?

Secondly, the Minister will know that artificial intelligence will accelerate the destruction of existing jobs, so when will we have a White Paper on the future of work? This will be a G20 agenda item in November. We have heard nothing about the Government’s plans to explore this and put in place adequate protections for workers today.

Thirdly, where is the strategy to harness Government procurement, with a cross-Whitehall futures unit, to use the power of Government to drive forward this agenda? That is the way that every other western, and eastern, nation drives its science and tech investment. Why are the Government not doing this?

This morning, the Bank of England published figures showing that this Government have presided over the worst productivity figures since the late 18th century. If we are to be masters of the fourth industrial revolution, as we were of the first, the Government will have to do an awful lot better than this.

Margot James

I apologise if the right hon. Gentleman received my statement such a short time ago. That was certainly not my intention. I shortened my statement in anticipation of Mr Speaker’s wish for brevity, and perhaps that delayed matters.

It is a shame that the right hon. Gentleman’s response was pretty overwhelmingly negative, given that we start from a good base in this country with our world-leading institutions and our state of readiness. Oxford Insights, which I mentioned in my statement, has put us at No. 1 across the world on its Government AI readiness index. He referred to other countries, predominantly in Asia, which are indeed investing hugely in this area. [Interruption.] He mentions Macron from a sedentary position; he also mentioned him in his response. We are of course delighted that President Macron is also seeing the potential for AI. There is nothing wrong with that. We are a global-facing country. It is great that our partners in Europe are also committing to this agenda.

The right hon. Gentleman mentioned the importance of data and digital performance in this country. The UK is in a very competitive position in terms of digital performance. We now have 95% access to superfast broadband, which was delivered by the end of last year. Only yesterday, I was at a meeting with all the successful parts of the country that bid for the 5G test bed and pilot programme, which will put us in a pivotal position to take advantage of the internet of things. These test beds and pilots extend right across the country, from the Orkney Islands to the south-west of England, and a new wave of bids will be announced this summer. We are very determined on this front.

The right hon. Gentleman asked about the British Business Bank. I can assure him that this is new money that will be provided to tech start-ups and tech scale-ups via both equity finance and loans. I remind him that as of September last year, the British Business Bank had supported, through a combination of loans and equity finance, very many tech companies to the tune of £350 million. We are building on success.

The right hon. Gentleman talked about the future of work. This is an extremely important issue. Of course, we recognise that we are in for a fast ride here. The pace of technological change is such that momentous changes that are not always predictable can potentially displace groups of workers. We are very cognisant of the need to smooth the path through continuous training. The industrial strategy has at its heart improving the world of work and access to retraining throughout people’s lives, so that no one is left behind by these technological advances.

Finally, on that critical subject, the Government’s response to the Taylor review and the consultations that we announced at the beginning of the year will be out at some point this summer, and I am sure that the points raised by the right hon. Gentleman about the future of work in the context of technological advance will be taken extremely seriously.

Several hon. Members rose—

Tom Brake (Carshalton and Wallington) (LD)

I thank the Minister for her statement. I did not require artificial intelligence to establish DeepMind’s view on Brexit. When I googled “DeepMind” and “Brexit”, it came up immediately with the company’s concerns about the impact of Brexit. How will the Minister ensure that the IT innovation that currently flows around the European Union can continue post Brexit? How will she ensure that top-flight companies such as DeepMind can continue to attract EU citizens to work in that important sector? Finally, she will be aware that the EU investment fund for British start-ups, which was investing £500 million in 2016, has dropped to £53 million. Much of that money would have been spent on artificial intelligence. Is she confident that Government funds will be able to replace that?

Margot James

The right hon. Gentleman makes some very serious points. We are committed to making the UK a destination for global talent and equity finance and venture capital in the years to come, post Brexit. As he says, we already have companies that have invested substantially in the UK; he mentioned DeepMind, and we have many others. We have doubled the number of exceptional talent visas to 2,000, and we are offering scientists who have come to this country on tier 1 visas full settlement rights at three years. I mentioned in my response to the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) that, post the EU investment in this country and AI, the Chancellor has announced substantial additional moneys available through the British Business Bank to replace over the long term EU funding that will be lost once we leave the EU.

Drew Hendry (Inverness, Nairn, Badenoch and Strathspey) (SNP)

I thank the Minister for advance sight of her statement. In Scotland, we believe that this should be the best place to live, work and do business. While we welcome this announcement, a number of questions have to be answered.

We welcome the investment by Barclays in the Edinburgh CodeBase hub, but we want to know what the Government are going to do that is new. As has been pointed out, there is no new money here, and the statement is short on detail and the level of ambition required. The Minister talked about making data secure for people, but are the Government taking seriously people’s right to own their own data in the future?

It is important that 5G is developed to take advantage of AI. Are the Government considering licensing spectrum and an outside-in approach, to make sure that the outlying parts of the nations of the UK, which normally get served last, have a fair shot at getting that connection early? In terms of the customs union, what work has been done to mitigate the negative effects of a hard Brexit on our ability to take advantage of AI trading? What work has been done on the effect on jobs, and does the Minister agree with the Scottish Trades Union Congress that workers should be collectively involved in how automation is introduced?

Finally, on the digital skills gap, what news is there of young people, particularly girls and young women, being encouraged into the sector, and how will we attract the brightest and the best, given the current immigration shambles, particularly the situation facing EU nationals? Will the Minister work with the Scottish Government to set positive targets on immigration, and what discussions has she had with the Scottish Government about these proposals?

Margot James

The hon. Gentleman will forgive me if I fail to address all his questions, for want of time, but I appreciate his positive response to the sector deal. On 5G, I take his point about the licensing of spectrum. The Department is undertaking a telecoms infrastructure review looking at, among other things, the way we license spectrum to make sure it is the most efficient at reaching all the areas currently underserved, including in many parts of Scotland.

The hon. Gentleman asks about jobs and the digital skills gap. We are addressing this through the sector deal and our wider industrial strategy—for example, by placing an emphasis on reskilling throughout people’s lives. He asks particularly about diversity and women. We have launched the tech challenge charter to engage businesses in both AI and the wider technology sectors and to encourage them to commit to looking closely at their recruitment, retention and progression policies—to make sure that women and girls are supported throughout—and to publishing their data in a transparent manner.

I have not personally had discussions with the Scottish Government, but I am sure the Secretary of State has, and I look forward to working with them and Scottish colleagues across the House to make sure that Scotland gets its fair share of the benefits of the sector deal.

Clive Efford (Eltham) (Lab)

Artificial intelligence is coming—we cannot stand in its way—but we must enhance it to the benefit of workers in this country. In that regard, however, the statement was woefully inadequate. The companies developing AI are looking to cut their bottom lines by cutting the number of people they employ: driverless vehicles, aeroplanes with no pilots—the list is becoming endless. What will the Government do to come up with a strategy not just for the UK—the way the Minister put it sounded esoteric—but for people and jobs? We need an AI strategy that will benefit workers in this country.

Margot James

I want to reassure the hon. Gentleman that, just as there will undoubtedly be some job displacement as a result of technology, let alone AI, so new jobs will be created. We are looking at this. I mentioned the response to the Taylor review by colleagues in the Department for Business, Energy and Industrial Strategy, who are looking at this. We are taking it extremely seriously and will come forth with more developments on our projections in due course, but be assured: new jobs will come and replace many of the more routine and repetitive jobs, and we will be upskilling people so that they can take advantage of these new opportunities.

Digital Images and Consent

Margot James Excerpts
Wednesday 25th April 2018


Commons Chamber
The Minister for Digital and the Creative Industries (Margot James)

I thank the hon. Member for Hackney South and Shoreditch (Meg Hillier) for securing this debate and I congratulate her on it. This is a very important issue. I associate myself with much of what she said, particularly the tribute she paid to her constituent, Emily, about whom we have corresponded, and with whom I have also corresponded.

We are living through a digital and technological revolution. The tech sector is one of our fastest-growing industries, which is creating hundreds of thousands of good high-skilled jobs up and down the country, and is therefore at the heart of our modern industrial strategy. We will continue to invest in the best new innovations and ideas, in the brightest and best talent, and in revolutionary digital infrastructure. It is absolutely right that this dynamic sector has our full backing, but, while we want the sector to remain free to innovate and to continue to do good, we must guard against the harms to our society that it can facilitate. Some of those harms are very considerable indeed, as exemplified by the hon. Lady’s speech today.

When it comes to the use of digital images, there are a number of existing laws that may apply, from data protection to criminal laws, as the hon. Lady mentioned. For example, digital images containing personal features can be considered personally identifiable information and thus their processing may be governed by data protection laws. Organisations and individuals may have a legitimate need to take, store and share digital images of individuals—for example, sporting events wanting to display athletes and spectators, private premises wanting to use digital images in crime prevention and security, and media organisations for journalistic purposes. I mention those things because if we are to consider new law, we must take into account the panoply of potential. In some of these instances, consent is sought. However, consent will not always be a lawful basis for processing personal data. For example, there may be a legitimate interest to process personal data. A legitimate interest could be a commercial interest, an individual interest, or societal benefits. In journalism, for example, our data protection laws enable processing where publication is in the public interest. However, the use of photography will still be subject to regulatory standards and codes of practice adopted by the publishers and the press.

It is unacceptable to photograph individuals without their consent in public or private places where there is a reasonable expectation of privacy. There must not be persistence in questioning, telephoning, pursuing or photographing individuals once asked to desist and journalists cannot remain on a property when asked to leave, or follow people. If requested, journalists must identify themselves and whom they represent.

Regulators also issue separate guidance regarding the photography of children. It is worth noting that data protection laws do not apply to processing activities undertaken in personal household or family settings. The Government have taken the position that to do otherwise would be to improperly extend the reach of regulation into personal lives—although I must say that I was very moved by the example that the hon. Lady read out from the Mumsnet service.

Meg Hillier

I know that the Minister is a thoughtful woman and I am pleased that she is pausing for thought on this matter. There is an interesting point here about regulation in the home. I understand the political difficulty of legislating for things that take place in the home, but we do legislate against domestic violence and child abuse, and on other safety matters. These take place in the privacy of people’s homes, so it is not beyond the wit of Government to tackle this issue, even with those caveats.

Margot James

The hon. Lady makes some good points. I shall consider those examples. Intrusive behaviour and sexual harassment may take place in the home and, as she says, the law does not stop at people’s front doors, nor should it.

As I said, data protection laws do not apply to processing activities undertaken in personal households. Data protection laws do, however, apply when digital images are shared online—as they so often are—or made public in some other way. The Data Protection Bill will empower people to take control of their data, and strengthen their rights to move or delete personal data. That includes the use of images. We expect online platforms to have robust processes in place to remove images or user accounts that do not comply with the law or their own policies.

Our internet safety strategy Green Paper, which was published last October, set out the three key principles that underpin our online safety work. First, what is unacceptable offline should be unacceptable online. Secondly, all users should be empowered to manage online risks and stay safe. Thirdly, technology companies have a responsibility to their users. We will shortly be publishing the Government’s response to the strategy consultation, and this will set out further details on how we plan to tackle a wide range of online harms. When considering privacy rights, individuals or organisations that process personal data should consider alongside data protection law compliance with a wide range of legislation, including the Communications Act 2003, the Protection from Harassment Act 1997 and the European convention on human rights.

In relation to explicit images, some images recorded may depict persons who are, for example, naked, and we would not want the law to prevent that from occurring in all cases. But under data protection law, data controllers are already under duties to keep the data safe and secure, and not to hold on to it longer than necessary. Moreover, if any images recorded were subsequently used by an individual for the purposes of sexual gratification, other offences may then be relevant.

The hon. Lady mentioned the offence of voyeurism, which criminalises non-consensual photography and the filming of certain private acts when taken for the purpose of obtaining sexual gratification, as well as for a number of other offences that may have related relevance—for example, the outraging of public decency and revenge pornography offences.

The hon. Lady also mentioned the specific legislation that has been passed in Scotland since a tailor-made offence was introduced in 2011. I point out that there have been only four prosecutions for upskirting since that Act was introduced. The Act was presumably passed because Scottish law did not previously capture the behaviour that she mentioned. That behaviour is captured to a large extent—although potentially not wholly—by the voyeurism offence set out in sections 67 and 68 of the Sexual Offences Act 2003. The offence applies when someone observes or records another person engaging in a private act without that person’s consent, with the intention of looking at that image or another person looking at that image for the purpose of obtaining sexual gratification.

The hon. Lady also drew attention to the remarks made by my ministerial colleagues in the Ministry of Justice. I am not sure whether this is the exact quote that she read out, but I was encouraged when my right hon. Friend the Justice Secretary said this in reply to a question from the hon. Member for Sheffield, Brightside and Hillsborough (Gill Furniss) about the policy on upskirting:

“I am sympathetic to calls for a change in the law, and my officials are reviewing the current law to make sure that it is fit for purpose. As part of that work, we are considering the private Member’s Bill that is being promoted by the hon. Member for Bath (Wera Hobhouse).”—[Official Report, 24 April 2018; Vol. 639, c. 724.]

I have also had conversations with my right hon. Friend, and we are in agreement that more must be done in Government to look at this very difficult area. Much of it is covered by the offence of voyeurism and, in the upskirting context, by offences that occur in a public place. The two Acts I mentioned deal in large part with the issues of concern that the hon. Lady spoke of, but it seems that they may not wholly cover them. I, too, was encouraged by the letter from the Director of Public Prosecutions.

I can assure the hon. Lady that the Government are considering these matters, including upskirting, and we will continue to do so. I thank her for her very detailed research into this area, which will undoubtedly contribute to the Government’s thinking.

Question put and agreed to.

UK Digital and Tech Industries

Margot James Excerpts
Wednesday 18th April 2018


Westminster Hall

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record.

The Minister for Digital and the Creative Industries (Margot James)

It is a great pleasure to serve under your chairmanship, Ms McDonagh. I congratulate my hon. Friend the Member for St Albans (Mrs Main) on securing this debate and on her interesting, comprehensive and inspiring speech. The impact of the digital and tech industries on the UK economy is a vast subject. I will try to respond to as many points as possible.

We heard from many Members about the staggering growth and exciting opportunities that the sector offers our country. The digital economy here is growing 32% faster than the wider economy. I took note of the statistics that my hon. Friend quoted about her constituency. St Albans has access to more than 400,000 digital and tech jobs in and around the surrounding areas and clusters. She mentioned Imagination Technologies in Kings Langley. I am delighted to accept her invitation to visit it to learn more about that exciting new company.

In March 2017 we published our digital strategy, which set out the key pillars of a healthy ecosystem for technology. The foundations can be met when we achieve nationwide access to world-class digital infrastructure. Although London is the capital of European tech investment, almost 70% of that investment is in regional clusters outside London. I find that an encouraging statistic.

In the Budget, we unlocked more than £20 billion of capital funding for digital enterprises through the enterprise investment scheme and the British Business Bank. I very much take on board the point, raised by the hon. Member for Bristol North West (Darren Jones), that it has been easier for start-ups or scale-ups to raise capital if they are located in London. We want to build on that for the regions, so that SMEs no longer have to keep coming to London to raise capital. We announced a further £4.7 billion for the national productivity investment fund, which will benefit the sector, and £75 million of investment to take forward recommendations following the independent review on artificial intelligence and the artificial intelligence grand challenge, which was announced in the industrial strategy.

Several Members mentioned the huge importance of data ethics. The hon. Member for East Dunbartonshire (Jo Swinson) mentioned the debate that she secured a few months ago. I hope the newly announced centre for data ethics and innovation will have discussions with the Nuffield Foundation and will benefit from its Ada Lovelace centre for ethics. Such measures are vital to ensure public trust, which, as the shadow Minister said, is a vital plank of success.

A number of hon. Members mentioned cyber-security and safety. The safety of our citizens and businesses is absolutely crucial. There is an increasing number of risks, which can have damaging implications, as we live and operate online. The digital charter aims to increase public confidence and trust in new technologies and create the best possible basis on which the digital economy can thrive.

Our work on keeping the UK’s cyber-space safe is clear. As we stated in the “Internet Safety Strategy” Green Paper, what is unacceptable offline should be unacceptable online. I look forward to bringing forward the response to that consultation in the next month or two. All users should be empowered to manage online risks and stay safe. Technology companies have a responsibility to their users. We fully understand that it is vital to have strong data protection laws and appropriate safeguards in that area to enable businesses to operate across international borders, as well as empowering citizens with full control over their personal data.

Several hon. Members mentioned digital skills, which are crucial, particularly as we approach Brexit. We need to build a digital economy that works for everyone, and we can do that only if we equip people with the skills that are needed. We are not only looking at training and skills in schools and among the older population, but we want to maintain our position as a go-to country for new talent, so we announced a doubling of the number of tier 1 exceptional talent visas last year. We have introduced an entitlement for adults who lack basic digital skills to enable them to undertake fully funded basic digital skills training from 2020.

I was struck by the statistic about salary levels that the hon. Member for Bristol North West offered. He said that in the digital sector people can expect to be paid 44% more than the average for other employment. We want to open that up. The hon. Member for York Central (Rachael Maskell) also made the point that the tech and digital sector can be a great force for social mobility, but only if we ensure that everybody has access to skills training.

Hon. Members talked about young people. We have a big commitment in schools, and we have the benefit of corporate support for our programme of education. The hon. Member for Strangford (Jim Shannon) talked about the importance of bringing together companies, civil society and everyone with an interest in promoting tech education and improving the technology curriculum. We now have coding classes for children as young as five, with the support of wider society.

Accelerating the growth of the digital tech sector across the country is important. We are supporting 40,000 entrepreneurs and up to 4,000 start-ups as they scale up their businesses. As Tech City UK becomes Tech Nation, we will deliver support in 11 cities across the UK, including Belfast, Cardiff and Newcastle. Our digital skills partnership is central to the skills provision across the whole of the UK.

Several hon. Members were kind enough to invite me to their constituencies. I do not know whether it is rude to say that I am going where I have not been invited, but I am actually going to York. As the hon. Member for York Central said, it is also known for fibre. TalkTalk is investing hugely in connecting fibre to premises in the whole of the city of York. A very interesting piece in the Financial Times just this morning said that York is taking the lead in piloting the use of digital technology to map traffic congestion in real time, so that traffic signals can be adjusted to improve the flow of traffic, with all the additional benefits that that brings. I was interested to hear about the digital creative labs there and about the importance of the gaming industry, which is absolutely crucial. That industry engages young people, so it has a double advantage. I shall endeavour to visit it while I am there.

My hon. Friend the Member for Aldershot (Leo Docherty) talked about procurement opportunities for UK SMEs, which are very important. In some respects, it will be difficult to secure a preference for UK SMEs in contracting. It will depend on the final terms of our relationship with the EU when we leave, and on any new trade deals that we are successful in negotiating. With that proviso, I certainly share his desire to see better opportunities for SMEs in procurement.

The constituency of my hon. Friend the Member for St Albans is at the centre of a great number of exciting developments in technology, and it is terrific that she is taking the lead in her constituency and making her contribution to the rest of the UK’s development. The Government are committed to making Britain a world leader in the digital and technology sector.

It is fantastic that so many colleagues made excellent contributions this afternoon. I apologise for running over slightly.

Digital, Culture, Media and Sport

Margot James Excerpts
Wednesday 28th March 2018

Ministerial Corrections

Mr Jones

I have no doubt that the Minister’s Department keeps the budget under review to see whether the Information Commissioner has enough resources, but what about how the money is spent in practice? As with many such quangos, the question is who is ensuring that the money is spent properly.

Margot James

The Information Commissioner’s Office has a financial controller, a board, and a chief executive. It is held to account not just by my officials, but by the Secretary of State and me.

[Official Report, Second Delegated Legislation Committee, 26 March 2018, c. 8.]

Letter of correction from Margot James:

An error has been identified in the response I gave to the hon. Member for North Durham (Mr Jones).

The correct response should have been:

Margot James

The Information Commissioner is a Corporation Sole, and is accountable to Parliament. The ICO is held to account not just by my officials, but by the Secretary of State and me.

Draft Data Protection (Charges and Information) Regulations 2018

Margot James Excerpts
Monday 26th March 2018

General Committees

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I beg to move,

That the Committee has considered the draft Data Protection (Charges and Information) Regulations 2018.

It is a pleasure to serve under your chairmanship, Mr Bone. The work of the Information Commissioner and her office is of fundamental importance and relevance, as can be seen with the Facebook and Cambridge Analytica incidents in the media last week. Data is a pivotal element of the digital revolution enabling a multitude of technological innovations that support growth and benefit society.

However, for those innovations to be successful, the Government and the general public must be confident that our data is not being misused. For that reason, we are modernising our data protection laws, through the Data Protection Bill, and providing new powers for the Information Commissioner.

An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. That is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently before Parliament, and internationally. That was highlighted in the Prime Minister’s recent Mansion House speech, which mentioned the UK’s high standards of data protection as one of the foundations that will underpin our post-Brexit trading relationship with the EU.

This changing data protection landscape has increased the responsibility of the Information Commissioner and the challenges she faces. With that increased responsibility comes an increased cost of delivery, so it is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities, that the Government meet our responsibility under the general data protection regulation—GDPR—and that the ICO is funded for the effective performance of its tasks.

As with other similar organisations, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers. Currently, data controllers pay two tiers of charge: tier 1, for organisations with fewer than 250 staff or turnover of less than £25.9 million, is £35 per annum, and tier 2, for the remaining larger data controllers, is £500 per annum. Those charges have not increased at all since their introduction in 2001 and 2009 respectively.

The draft regulations will implement a new charging structure in order to fund the Information Commissioner’s data protection activities, which will come into force on May 25 this year, when the new Data Protection Act and the GDPR standards are due to take effect. The new structure is made up of three categories of charge: micro-organisations, including individuals, who will pay a charge of £40; small and medium organisations, which will pay £60; and large organisations, which will pay £2,900. The structure is designed to be closely aligned with the standard Government categorisation of businesses and organisations.

Furthermore, a £5 discount applies to all organisations that pay by direct debit. In effect, that will mean that micro-organisations that pay by direct debit will pay the same charge that they have paid since 2001. Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised based only on their number of staff. In addition, charities and small occupational pension schemes will continue to automatically pay the lowest charge.

The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and, finally, raise awareness of data protection obligations in organisations, thereby increasing their compliance. I will expand on what each will mean in practice.

First, in designing this new charging structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in the future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups.

The charge levels have primarily been increased from the current level of fees to reflect the increased responsibilities of the ICO under the GDPR and the new Bill. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities.

In 2016 the Department for Digital, Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to a standard.

Secondly, large organisations, including public authorities—local and national—often hold the most complex and sensitive datasets and, as such, represent a higher level of information risk. They will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data.

The charging structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, and to recognise that it would not be appropriate for large businesses and public authorities in effect to be subsidised by small and micro businesses, which make up the majority of the data controllers.

Thirdly and finally, in making the regulations, we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, and are thereby increasing their awareness of the ICO as regulator and their own obligations.

The new draft regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption, to make it clear that homeowners using CCTV for such purposes are no longer required to pay a charge under the new scheme.

I appreciate that there is appetite from stakeholders to review the exemptions in general, and Government have committed to undertake a public consultation on the exemptions later this year. Members may be interested to hear that we are minded to consider an exemption for all elected representatives and Members of the House of Lords.

The Committee will all be aware that the ICO has been at the forefront of the news recently, and I assure Members that the new funding regime was designed to enable the commissioner to meet the challenges of large and complex investigations in the future. In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy, which can only flourish with a strong data protection regime in place. It is therefore of vital importance that we provide the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator.

--- Later in debate ---
Margot James

I thank hon. Members for their constructive and useful comments and questions. In response to the hon. Member for North Durham, we propose to consult on whether MPs and other elected officials, including parish councillors and local councillors, should be exempt. We should proceed with that consultation, and he is absolutely within his rights to contribute his thoughts about whether, if we go ahead with the exemption, it should just apply to local councillors and parish councillors. He can have his views on that.

Mr Kevan Jones

It might have been a good idea to have consulted Members of Parliament, as my right hon. Friend the Member for Birmingham, Hodge Hill said. I am not calling for an exemption. The way it has been constructed is a waste of taxpayers’ money, because in addition to the cost of IPSA administering it, if people do not pay by direct debit, there is an extra £5 that can be claimed. That will add to the costs, which is silly.

Margot James

I shall take the hon. Gentleman’s views back. At the moment, there is a proposal to consult. If hon. Members feel we should just pay it through IPSA, that is a perfectly valid view.

The hon. Gentleman also asked about the Information Commissioner’s accountability for the budget. The majority of micro-payers—very small businesses and organisations—are exempt for various reasons, chief among them that they do not process very much personal data in their day-to-day duties. In my Department, we keep the ICO budget under review on an annual basis, to ensure that the budget is adequate for the Information Commissioner’s requirements, but not overly generous.

I think the Committee is more worried about whether the ICO will have sufficient resources. That was the concern expressed by my hon. Friend the Member for Windsor and the right hon. Member for Birmingham, Hodge Hill.

Mr Jones

I have no doubt that the Minister’s Department keeps the budget under review to see whether the Information Commissioner has enough resources, but what about how the money is spent in practice? As with many such quangos, the question is who is ensuring that the money is spent properly.

Margot James

The Information Commissioner’s Office has a financial controller, a board, and a chief executive. It is held to account not just by my officials, but by the Secretary of State and me. I meet with the Information Commissioner regularly, and we assess through various means whether adequate financial controls are in place. To date, the ICO has proved that they are. Obviously, a significant uplift of at least a third in revenue, and all the additional headcount that that implies, will be a moment of transition, where the sort of problems that we have seen in other organisations may emerge. We will keep a very close eye on that, to ensure that they do not.

My hon. Friend the Member for Windsor was concerned that there were not enough resources, and that £30 million was too low. We will keep that figure under review. Certainly, the events of the past few weeks have shone a torch on just how much could be demanded of the ICO. As well as increasing the budget, and enabling the Information Commissioner to increase the number of staff that she has at her disposal, we have increased her powers. The right hon. Member for Birmingham, Hodge Hill said that in Committee I walked back from the commitments that the Secretary of State gave to reviewing the powers that we have given the Information Commissioner in the Bill. We have strengthened her powers, and we have discussed with her her desire for greater powers. We debated that in Committee, and I confirmed that we would review her powers before Report. The Secretary of State and I are honouring that commitment.

Jo Stevens (Cardiff Central) (Lab)

The Minister mentioned that she speaks regularly to the Information Commissioner. Has she had a discussion with her about why it took more than four days for a warrant to be issued for ICO staff to go into Cambridge Analytica’s offices?

The Chair

Order. The instrument is very tightly drawn, and we are not going to talk about the wider aspects of data protection and Cambridge Analytica.

Margot James

Thank you, Mr Bone, but I am happy to answer the question, as it was asked. I spoke to the Information Commissioner on the telephone at the beginning of last week, before it became apparent that that had taken so long. That indeed is one of the areas of powers that we are looking at, to reassure the hon. Lady.

I hope that I have dealt with the comments and questions to the Committee’s satisfaction and that the draft instrument will be agreed.

Question put.

Oral Answers to Questions

Margot James Excerpts
Thursday 22nd March 2018

Commons Chamber

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

Superfast broadband is now available to 95% of UK premises, and roll-out will continue to extend coverage to as much of the remaining 5% as possible. By 2020, the universal service obligation will give everyone the legal right to high-speed broadband of at least 10 megabits per second.

John Howell

My constituency consists of some small rural villages that, despite being relatively close to London, do not have good internet access. What can be done to help them?

Margot James

The Government are taking a range of measures to help my hon. Friend’s villages. The Better Broadband scheme is available right now to anyone who cannot access speeds above 2 megabits per second. In the longer term, our universal service obligation will give everyone a right to broadband speeds of 10 megabits per second or higher by 2020.

Jim Shannon (Strangford) (DUP)

Despite the funding that has been poured into securing superfast broadband in Northern Ireland, many people in my constituency have been left literally feet away from having a connection installed. What has been done to ensure that rural broadband is actually rural and gets to the villages and rural communities?

Margot James

Once we have an Administration in Northern Ireland, there are many plans that we want to implement. We have changed the national planning policy framework and, working with the Department for Environment, Food and Rural Affairs, we have rural development programme funding. There is also the £67 million nationwide gigabit broadband voucher scheme, which is available to small and medium-sized enterprises and local communities.

Mr Peter Bone (Wellingborough) (Con)

Unlike the constituency of my hon. Friend the Member for Henley (John Howell), Wellingborough is largely urban. There is a modern housing estate in the middle of the town where 75 people do not have broadband, and there is a small part of a big industrial area that also does not have broadband. I am fed up with the Government’s warm words, so when are they going to do something about Openreach and tell it to connect those people?

Margot James

I heartily endorse my hon. Friend’s sentiments. The changes that we have made to the national planning policy framework propose that local authorities should now prioritise full-fibre connections to all existing and new developments.

Martin Whitfield (East Lothian) (Lab)

Aberdeenshire is currently the only area in Scotland that has been chosen for the Department’s pilot scheme to roll out 1 gigabit per second connections. Will the Minister consider extending that to East Lothian, which more accurately reflects the roll-out problems across both Scotland and the United Kingdom?

Margot James

The hon. Gentleman will be pleased to know that we are developing the pilot into a national scheme, and the local full fibre networks programme will have another wave of offers later in the summer. I congratulate the area of Scotland that managed to win in the first round.

Kevin Hollinrake (Thirsk and Malton) (Con)

Does the Minister agree that those in receipt of public funds to roll out broadband to our hardest-to-reach areas, such as Openreach, should use a combination of the best available technologies, including fixed wireless, to provide those solutions?

Margot James

I agree with my hon. Friend. In fact, the USO that we will introduce by 2020 will enable faster speeds to be delivered by both fixed line and wireless technologies.

Joanna Cherry (Edinburgh South West) (SNP)

6. What assessment he has made of the potential effect of the Data Protection Bill on data protection agreements with the EU after the UK leaves the EU.

--- Later in debate ---
Julian Knight (Solihull) (Con)

9. What recent assessment he has made of the level of gender pay equality in the broadcasting sector.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is clear from recently published gender pay gap data that pay inequality is widespread across the broadcasting sector, and it is imperative that organisations take immediate action to address this imbalance. The new gender pay gap reporting rules have dramatically improved transparency, and shone a light on inequality and bad practice. I expect our public service broadcasters to lead by example and take effective action.

Julian Knight

This week, the Select Committee on Digital, Culture, Media and Sport heard yet more evidence of how BBC management have grossly failed workers over pay and pensions. Given that one estimate we heard put the BBC liability in the tens of millions, will the Minister urge the BBC to come clean: how much will this gender pay mess cost licence fee payers, and when precisely can workers expect redress?

Margot James

Although the BBC is operationally independent of Government, it must act within the law. We welcome the publication of the BBC’s review of on-air pay and plans to establish a pay policy that rewards people fairly, but it is for the Equality and Human Rights Commission to consider whether to investigate, as the regulatory body responsible, and it has already been in touch with the BBC.

Dr Rupa Huq (Ealing Central and Acton) (Lab)

10. What discussions he has had with the Secretary of State for Exiting the European Union on arrangements for UK musicians to tour the EU after the UK leaves the EU.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I sympathise with the hon. Lady, as I was expecting my other question to go on a bit longer, too.

Music is one of the greatest exports for the UK, and we are determined to ensure that, after Brexit, UK musicians can tour not only the EU but the rest of the world. My Department is working closely with the Department for Exiting the European Union to ensure the best possible outcome for touring musicians on Brexit.

Dr Huq

It is so long since I have had a question, Mr Speaker—[Laughter.]

Ealing, uniquely, boasts a plaque on the spot where the Rolling Stones played their first ever gig, in 1962, but international success such as they went on to achieve is imperilled by the fact that when we leave the EU we will leave behind restriction-free movement for musicians, who travel with all their gear and often at short notice. Will the Government consider UK Music’s proposal for an EU-wide music passport covering crews and haulage, so that bands can continue to bring in £1 billion to the economy and so that fans can enjoy them, too?

Margot James

I assure the hon. Lady that nothing would have stopped the success of the Rolling Stones, but she raises a good idea and we will look into all of those things. We are determined to enable musicians to tour Europe effectively after Brexit, and we are supporting them with the music export growth scheme. More than £2 million has been invested to promote 150 acts, and we have to enable them to travel in the way she suggests.

Thangam Debbonaire (Bristol West) (Lab)

I appreciate that the Minister shares my view that music should be for everyone, but will she agree to meet representatives of the Musicians Union—I declare my entry in the Register of Members’ Financial Interests in that connection—regularly throughout the next 12 months to ensure that its concerns about its members’ ability to tour are dealt with?

Margot James

I certainly meet representatives of the music industry, including Music UK, with which I have already held a roundtable, and I would be happy to meet the Musicians Union as part of my ongoing work to support the sector.

--- Later in debate ---
Luke Hall (Thornbury and Yate) (Con)

T2. South Gloucestershire Council’s broadband roll-out scheme has been hugely successful so far. It has brought connection up from 61% to 92% in just four years. With fibre-to-the-premises technology being required to connect the remaining households, what more support can the Department give to make sure that rural communities are not left behind?

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

As I said earlier, we have changed the national planning policy framework, we have a £30 million rural development programme with the Department for Environment, Food and Rural Affairs to improve connectivity, and we have a broadband voucher scheme that will provide subsidy for small and medium-sized enterprises and for communities, so that they can connect in an ultrafast way.

Tom Watson (West Bromwich East) (Lab)

When it comes to personal data theft, the Secretary of State said that

“the Leveson inquiry looked into everything in this area, and it was followed by three police investigations…We looked into these things as a society. We had a comprehensive Leveson inquiry.”—[Official Report, 1 March 2018; Vol. 636, c. 974.]

Will he tell me which of the inquiries and investigations that he says were comprehensive surfaced the evidence of the illegal data theft of the personal information of Dr David Kelly, who was very distressed when subsequently a journalist from The Sunday Times turned up unannounced at his home, just a week before he took his own life?

--- Later in debate ---
Colin Clark (Gordon) (Con)

What assessment has the Department made of the costs of data protection officers for community and parish councils?

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

We are aware of the issues facing community and parish councils. As public authorities, they do come under the GDPR. They are able to share a data officer, so that is some help, but we will be reviewing the concerns that they have as a matter of urgency.

Sandy Martin (Ipswich) (Lab)

One of my friends took his own life, at least partly as a result of online bullying. Why are the Government still pursuing a model of voluntary codes for social media when they have already demonstrably failed?

Data Protection Bill [Lords] (Seventh sitting)

Margot James Excerpts
Thursday 22nd March 2018

Public Bill Committees

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I beg to move amendment 127 in schedule 17, page 206, line 15, leave out paragraph (a) and insert—

“(a) a relevant health record (see paragraph 1A),”.

This amendment, with Amendment 128, limits the types of health records (defined in Clause 198) which count as “relevant records” for the purposes of Clause 181 (prohibition of requirement to produce relevant records) to those obtained by a data subject in the exercise of a data subject access right (defined in paragraph 4 of Schedule 17).

The Chair

With this it will be convenient to discuss Government amendments 128 and 181.

Margot James

A subject access request gives individuals the right to ask for all the personal information that an organisation holds about them. That is a powerful right, designed to ensure that individuals may access information held about them within a specified time and, as such, it needs to be protected. The Bill provides such protection by making it an offence to require someone to exercise the right as a condition of employment, a contract or the provision of a service or goods. That is set out in clause 181 and schedule 17 and is intended to substantively replicate and in places build on the comparable provision in section 56 of the Data Protection Act 1998.

Amendments 127 and 128 insert a definition of a “relevant health record” for the purposes of clause 181, to ensure that the scope is consistent with that of other types of “relevant record” set out in schedule 17. Amendment 181 is technical in nature and simply updates a reference to a piece of legislation in Northern Ireland to reflect the fact that the legislation has been replaced.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

I thank the Minister for that explanation. She is absolutely right to say that subject access requests are extremely powerful in how they operate. It is therefore such a shame that they are not a right or a power that the Government will see fit to extend to newcomers to this country, who will seek to use and have in the past sought to use subject access requests to access important information about their immigration status and history, and the decision-making processes in the Home Office and UK Border Agency about their immigration status. I am sure that we will come back to this debate on Report, and I hope that it is something that the Minister will reflect on.

Amendment 127 agreed to.

Amendments made: 128, in schedule 17, page 206, line 21, at end insert—

“Relevant health records

1A ‘Relevant health record’ means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.”.

See the explanatory statement for Amendment 127.

Amendment 181, in schedule 17, page 207, line 22, leave out sub-paragraph (iii) and insert—

“(iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));”.—(Margot James.)

In a list of functions of the Secretary of State in relation to people sentenced to detention, this amendment removes a reference to section 73 of the Children and Young Persons Act 1968 (which has been repealed) and inserts a reference to Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (which replaced it).

Schedule 17, as amended, agreed to.

Clause 182 ordered to stand part of the Bill.

Clause 183

Representation of data subjects

Amendments made: 63, in clause 183, page 105, line 42, leave out “80” and insert “80(1)”.

This amendment changes a reference to Article 80 of the GDPR into a reference to Article 80(1) and is consequential on NC2.

Amendment 64, in clause 183, page 105, line 44, leave out “certain rights” and insert “the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy)”.

In words summarising Article 80(1) of the GDPR, this amendment adds information about the rights of data subjects that may be exercised by representative bodies under that provision.

Amendment 65, in clause 183, page 106, line 7, leave out “under the following provisions” and insert “of a data subject”.

This amendment and Amendments 66, 67 and 68 tidy up Clause 183(2).

Amendment 66, in clause 183, page 106, line 9, at beginning insert “rights under”.

See the explanatory statement for Amendment 65.

Amendment 67, in clause 183, page 106, line 10, at beginning insert “rights under”.

See the explanatory statement for Amendment 65.

Amendment 68, in clause 183, page 106, line 11, at beginning insert “rights under”.—(Margot James.)

See the explanatory statement for Amendment 65.

Clause 183, as amended, ordered to stand part of the Bill.

Clause 184

Data subject’s rights and other prohibitions and restrictions

Amendment made: 69, in clause 184, page 106, line 41, leave out “(including as applied by Chapter 3 of that Part)”.—(Margot James.)

This amendment is consequential on Amendment 4.

Clause 184, as amended, ordered to stand part of the Bill.

Ordered,

That clause 184 be transferred to the end of line 39 on page 105.—(Margot James.)



Clause 185

Framework for Data Processing by Government

Question proposed, That the clause stand part of the Bill.

--- Later in debate ---
Margot James

The right hon. Gentleman makes a very good point. It might help if I say a little about the framework that the Secretary of State has to issue, as directed by clause 185, about the processing of personal data in connection with the exercise of functions within Government. Before the framework is issued, it has to be subject to parliamentary scrutiny. Some of these practical issues can be explored at that point. The framework will provide guidance to Departments on all aspects of their data processing. The content is being developed and we will definitely take into account the right hon. Gentleman’s concerns.

Question put and agreed to.

Clause 185 accordingly ordered to stand part of the Bill.

Clause 186

Approval of the Framework

Question proposed, That the clause stand part of the Bill.

Liam Byrne

I am grateful to the Minister for taking those points on board. I suppose it begs the question of when she thinks we might see this framework. The process set out in the clause is a wise and practical course of action. We all have constituency experience that could have a bearing on how this piece of guidance is drafted and presented. We have the luxury of serving our constituents week in, week out. That is not a privilege that the civil servants who are asked to draft these frameworks enjoy.

It is important that the Minister goes through a good process, which allows her not to present the House with a fait accompli or something for an up and down motion. That will not be in any of our interests. My concern is how we practically operationalise this in a way that allows us continually to strengthen and improve the service that we provide to our constituents. It is very hard for us to do that if we have a data management regime operationalised by Her Majesty’s Government that gets in the way.

When does the Minister expect to issue this framework? How will she ensure that there is a period of soft consultation with, perhaps, the Speaker’s Committee here in the House so that we are not presented with a final draft of a document that we have 40 days to consider, moan about and make representations about, all of which will then basically be ignored because the approval process requires an up-down vote at the end.

Margot James

I cannot be precise as to when, but it will be a priority to issue the framework for all the reasons that the right hon. Gentleman set out. We intend to engage fully with officials across Government, in particular the Departments that he has mentioned, and will consult other areas of expertise and the Information Commissioner herself. Indeed, clause 185(5) sets a requirement for consultation. Most importantly, the framework will then come to Parliament for proper scrutiny. At that point the right hon. Gentleman will have every chance to contribute further to the practicality of establishing this framework as speedily as possible.

Question put and agreed to.

Clause 186 accordingly ordered to stand part of the Bill.

Clause 187

Publication and review of the Framework

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The only issue arising from this clause is the frequency with which the Minister expects the framework to be updated. I welcome the steer that she has given the Committee about how clause 186(5) will be operationalised, but that does not quite get round the problem that I am concerned about. Sometimes, and it has been known to happen, regulations get somewhat hard wired before they are presented to the House. Although it is in the Bill, sometimes that 40-day consultation period does not provide an opportunity to revise and update a measure if we do not think that it is practical.

If, for example, a code of practice is brought forward that says, “For the DWP, the data controller is going to be the accounting officer of the Department or someone associated with the accounting officer of the Department,” that is not going to be a practical strategy for operationalising this Bill within a Department as big and complicated as the DWP. So it may not be possible. We have to accept that. We have to accept the way statutory instruments are put through this place, and the political reality of that. Let us be mature about that. However, we have a belt-and-braces approach set out in clause 187, in that we have the chance to review it. Perhaps the Minister could say a word about how frequently she expects to review and update the legislation, so that it continually improves in the light of experience?

Margot James

Clause 187 requires the Secretary of State to publish the framework, and under clause 185 he must keep it under review, and commit to updating it as appropriate. Furthermore, although the Information Commissioner has to take the framework into account, were she investigating a data breach by a Government Department, for example, she might consider it relevant to consider whether that Department had applied the principles set out in the framework. She is also free to disregard the framework if she considers it irrelevant or getting in the way.

It will be a moving thing, and the legislation provides for the Secretary of State to keep it under continual review. If the right hon. Gentleman wishes to have some input before it arrives in the House in the form of a Statutory Instrument, I would be very happy to engage with him.

Question put and agreed to.

Clause 187 accordingly ordered to stand part of the Bill.

Clause 188 ordered to stand part of the Bill.

Clause 189

Publication and review of the Framework

Question proposed, That the clause stand part of the Bill.

Liam Byrne

We now come to offences, and crucially in clause 189, the question of penalties for offences. The real world has provided us with some tests for the legislation over the past few days. We have reviewed clauses 189 to 192 again in the light of this week’s news. Some quite serious questions have been provoked by the Cambridge Analytica scandal, and the revelations about the misuse of data that was collected through an app that sat on the Facebook platform.

For those who missed it, the story is fairly simple. A Cambridge-based academic created an app that allowed the collection not only of personal data but of data associated with one’s friends on Facebook. The data was then transferred to Cambridge Analytica, and that dataset became the soft code platform on which forensic targeting was deployed during the American presidential elections. We do not yet know, because the Mueller inquiry has not been completed, who was paying for the dark social ads targeted at individuals, as allowed by Cambridge Analytica’s methodology.

The reality is that under Facebook’s privacy policy, and under the law as it stood at the time, it is unlikely that the collection and repurposing of that data was illegal. I understand that the data was collected through an app that was about personality tests, and then re-deployed for election targeting. My understanding of the law is that that was not technically illegal, but I will come on to where I think the crime actually lies.

--- Later in debate ---
Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

I will be very brief, because I will largely echo what the right hon. Member for Birmingham, Hodge Hill said. It is absolutely fair to say that our understanding of the potential value of personal information, including that gained by people who break data protection laws, has increased exponentially in recent times, as has our understanding of the damage that can be done to victims of such breaches. I agree that it is not easy to see why the proposed offences stop where they do.

I have a specific question about why there is a two-tier system of penalties. There is a set of offences that are triable only in a summary court and for which there is a maximum fine. I think the maximum in Scotland and Northern Ireland is £5,000. There is a second set of offences that could conceivably be triable on indictment, and there is provision there for an unlimited fine, but not any custodial sentence.

For some companies, if they were in trouble, a £5,000 fine for essentially obstructing justice would be small beer, especially if it allowed them to avoid an unlimited fine. It would be interesting to hear an explanation for that. Many folk would see some of the offences that are triable on indictment as morally equivalent to embezzlement, serious theft or serious fraud, so it is legitimate to ask why there is no option for a custodial sentence in any circumstance.

Margot James

I certainly share the concerns that hon. Members have expressed in the light of the dreadful Cambridge Analytica scandal. I will set out the penalties for summary only offences, which lie in clause 119, “Inspection of personal data in accordance with international obligations”; clause 173, “Alteration etc of personal data to prevent disclosure”; and paragraph 15(1) of schedule 15, which contains the offence of obstructing the execution of a warrant. The maximum penalty on summary conviction for those offences is an unlimited fine in England and Wales or a level 5 fine in Scotland and Northern Ireland.

Clause 189(2) sets out the maximum penalties for offences that can be tried summarily on indictment, which include offences in clause 132 “Confidentiality of information”; clause 145 “False statements made in response to an information notice”; clause 170 “Unlawful obtaining etc of personal data”; clause 171 “Re-identification of de-identified personal data”; and clause 181 “Prohibition of requirement to produce relevant records”. Again, the maximum penalty when tried summarily in England or Wales, or on indictment, is an unlimited fine. In Scotland and Northern Ireland, the maximum penalty on summary conviction is a fine

“not exceeding the statutory maximum”

of an unlimited fine when tried on indictment.

Liam Byrne

I was listening carefully to the Minister’s reply. She said that the sanction is an unlimited fine in England and Wales. Let us take the hypothetical case of Cambridge Analytica, which is a one-man shell company, in effect; in the UK, it is wholly owned by SCL Elections. I am concerned about what happens if that holding company—let us say it is SCL Elections—is registered outside England and Wales, in the United States or Uruguay, for example? Will the fine bite on the one-man shell company, Cambridge Analytica? If so, the shell company will just go out of business—the directors will be struck off and that will be the end of it. That is not much of a sanction.

Margot James

The sanctions are as I outlined. The right hon. Gentleman talks about more complex corporate structures. Later in our proceedings, we will touch on the jurisdiction of the general data protection regulation when it comes to dealing with cross-border situations outside the European Union. Perhaps we can throw some light on what he is saying when we come to that point.

The GDPR strengthens the rights of data subjects over their data, including the important right of consent and what constitutes consent by the data subject to the use and processing of their data. That right must now be clear, robust and unambiguous. That is a key change that will provide some protection in the future.

The right hon. Gentleman should remember that, in addition to data protection laws, other sanctions are available, including prosecution for computer misuse, fraud and, potentially, in the case of the example we have been talking about, electoral laws, depending on the circumstances.

Question put and agreed to.

Clause 189 accordingly ordered to stand part of the Bill.

Clause 190 ordered to stand part of the Bill.

Clause 191

Liability of directors etc

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The debate presents what is potentially a good opportunity to offer a flow of advice to the Minister, if I might pose my question like this: if a company based in the UK has committed an offence, but its holding company is based somewhere else, in what way will clause 191 bite not on the UK operations, but on the holding company elsewhere?

My reading of the extraterritoriality provisions is that the implementation of GDPR and the sanctions around it may well bite in Europe—we will get on to this issue in the debate on extraterritoriality, as the Minister has said—but where companies are registered in, heaven forbid, various tax havens around the world such as Panama or Belize, will the Information Commissioner be able to, in effect, bring prosecutions that will result in action biting on a director of a holding company domiciled somewhere abroad, such as Belize? That is a pretty plausible scenario. Again, this touches on whether the sanctions in the Bill are sufficient to deter the kind of misbehaviour that we now know is running loose around the wild west that the Secretary of State described.

Margot James

The clause allows proceedings to be brought against a director, or a person acting in a similar position, as well as the body corporate, where it has been proven that breaches of the Act have occurred with the consent, connivance or negligence of that person. The clause will have the same effect as that of section 61 of the Data Protection Act 1998. I might have to come back to the right hon. Gentleman on some of the points he raised in that hypothetical circumstance, which I have no doubt could certainly exist in the future.

Liam Byrne

I would be grateful if the Minister wrote to me on that this afternoon, because if there are deficiencies we will have to get on with preparing amendments for consideration on Report.

Question put and agreed to.

Clause 191 accordingly ordered to stand part of the Bill.

Clauses 192 to 195 ordered to stand part of the Bill.

Clause 196

Tribunal Procedure Rules

Question proposed, That the clause stand part of the Bill.

Liam Byrne

Questions have arisen on the procedure rules associated with tribunals. The Opposition are concerned that the rights conferred in the Bill are rights in reality, not in theory. That is why we moved important amendments earlier, which were unwisely rejected by the Government, on collective forms of class action.

If we are to ensure that our constituents genuinely have access to the kind of justice mechanisms set out in the clause, we are obviously required to confront the reality that people will sometimes not have the resources for the financing of solicitors or representatives to help them to make their cases. Will the Minister say a word about whether our constituents will have access to resources such as legal aid to fight those cases in a tribunal?

Margot James

The clause provides a power to make tribunal procedure rules to regulate how the rights of appeal before the tribunal and the right to apply for an order from the tribunal, conferred under the Bill, are exercised. It sets out the way a data subject’s right to authorise a representative body to apply for an order on his or her behalf under article 80 of the GDPR and clause 183 can be exercised. For somebody who does not have the means to pursue an individual claim, that is obviously a way forward in some circumstances. In addition, it provides a power to make provision about

“securing the production of material used for the processing of personal data,”

and

“the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.”

The provisions are equivalent to paragraph 7 of schedule 6 of the 1998 Act.

Liam Byrne

That is a helpful explanation. It is obvious from the Minister’s response that those tribunal rules will be incredibly important in providing democratic access to justice where our constituents have been maligned and their data rights abused. The tribunal procedure rules, given what she has said, will be of great interest to right hon. and hon. Members.

Will the Minister clarify what oversight and scrutiny we may have in the House of those tribunal procedure rules, or whether they are purely rules that are the child of the tribunal authorities? Are they something the tribunal authorities can just issue, or is there some oversight, amendment or improvement that we in the House can provide?

Margot James

I cannot be precise about the level of scrutiny that the tribunal procedure rules may or may not be subject to, but in further answer to the right hon. Gentleman’s earlier question, legal aid is also available, as set out in the Legal Aid, Sentencing and Punishment of Offenders Act 2012, where a failure to fund would breach the European convention on human rights. There is that protection over and above the right of people to join a group action. The rules set by the Tribunal Procedure Rules Committee will be set, I am told, by applying its own consultation process, which the Lord Chancellor lays before Parliament.

Question put and agreed to.

Clause 196 accordingly ordered to stand part of the Bill.

Clause 197 ordered to stand part of the Bill.

Clause 198

Other definitions

Amendments made: 70, in clause 198, page 114, line 25, at end insert

“the following (except in the expression “United Kingdom government department”)”.

This amendment makes clear that the definition of “government department” does not operate on references to a “United Kingdom government department” (which can be found in Clause 185 and paragraph 1 of Schedule 7).

Amendment 71, in clause 198, page 115, line 8, at end insert—

“(2) References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—

(a) section 125(4), (7) and (8);

(b) section 160(3), (5) and (6);

(c) section 176(2);

(d) section 179(8) and (9);

(e) section 180(4);

(f) section 186(3), (5) and (6);

(g) section 190(3) and (4);

(h) paragraph 18(4) and (5) of Schedule 1;

(i) paragraphs 5(4) and 6(4) of Schedule 3;

(j) Schedule 5;

(k) paragraph 11(5) of Schedule 12;

(l) Schedule 15;

(and the references in section 5 to terms used in Chapter 2 or 3 of Part 2 do not include references to a period expressed in hours, days, weeks, months or years).”

This amendment provides that periods of time referred to in the bill are generally to be interpreted in accordance with Article 3 of EC Regulation 1182/71, which makes provision about the calculation of periods of hours, days, weeks, months and years.

Amendment 182, in clause 198, page 115, line 8, at end insert—

“( ) Section 3(14)(aa) (interpretation of references to Chapter 2 of Part 2 in Parts 5 to 7) and the amendments in Schedule 18 which make equivalent provision are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978, or any similar provision in another enactment, as it applies to other references to, or to a provision of, Chapter 2 of Part 2 of this Act.” —(Margot James.)

Clause 3(14)(aa) (inserted by amendment 4) and equivalent provision contained in amendments in Schedule 18 state expressly that references to Chapter 2 of Part 2 of the bill in Parts 5 to 7 of the bill, and in certain amendments in Schedule 18, include that Chapter as applied by Chapter 3 of Part 2. This amendment secures that they are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978. Section 20(2) provides that where an Act refers to an enactment that reference includes that enactment as applied, unless the contrary intention appears.

Clause 198, as amended, ordered to stand part of the Bill.

Clause 199 ordered to stand part of the Bill.

Clause 200

Territorial application of this Act

Amendments made: 183, in clause 200, page 117, line 15, leave out subsections (1) to (4) and insert—

‘(1) This Act applies only to processing of personal data described in subsections (2) and (3).

(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,

(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and

(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or

(ii) the monitoring of data subjects’ behaviour in the United Kingdom.’

This amendment replaces the existing provision on territorial application in clause 200(1) to (4). In the amendment, subsection (2) provides that the bill applies to processing in the context of the activities of an establishment of a controller or processor in the UK. Subsection (3) provides that, in certain circumstances, the bill also applies to processing to which the GDPR applies and which is carried out in the context of activities of an establishment of a controller or processor in a country or territory that is not part of the EU.

Amendment 184, in clause 200, page 118, line 8, leave out “(4)” and insert “(3)”.

This amendment is consequential on amendment 183.

Amendment 185, in clause 200, page 118, leave out line 10 and insert “processing of personal data”.

This amendment is consequential on amendment 183.

Amendment 186, in clause 200, page 118, line 10, at end insert—

‘(5A) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (2).

(5B) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).’

New subsection (5A) secures that the reference to “processing” in the new subsection (2) inserted by amendment 183 includes all types of processing of personal data. It disapplies clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually only to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies. New subsection (5B) secures that the reference in the new subsection (3) to Chapter 2 of Part 2 of the bill does not include that Chapter as applied by Chapter 3 of Part 2.

Amendment 187, in clause 200, page 118, line 11, leave out “established” and insert “who has an establishment”.

This amendment is consequential on amendment 183.

Amendment 188, in clause 200, page 118, line 21, after “to” insert “a person who has an”.

This amendment is consequential on amendment 183.

Amendment 189, in clause 200, page 118, line 23, leave out subsection (7).—(Margot James.)

This amendment is consequential on amendment 183.

Question proposed, That the clause, as amended, stand part of the Bill.

Liam Byrne

This is where we get into some of the whys and wherefores of the territorial application of the Bill. We can see in clause 200(1) that the Bill essentially bites on a data controller who is domiciled here in the United Kingdom. A question of public concern—it should also concern us in this Committee—is whether the bite and sanctions of the Bill will touch on people who are registered here, but not necessarily on directors of holding companies who are domiciled elsewhere.

I expect that the things we will learn about over the weekend and into next week will confirm for us all that very small companies—essentially corporate shells—that are perhaps registered as data controllers and might have committed offences under the 1998 Act or under the Bill, once it has received Royal Assent, might be controlled by directors who are domiciled elsewhere. If the Bill is to be worth anything and if it is to change anything in the real world in which we happen to live, there is a real question about how offences committed under it by people here will be limited by the corporate realities, which mean that shell companies are data controllers, but actually the wealth, assets and operating mind of a company are somewhere else. Perhaps the Minister will say a little about how she will tackle that particular problem, because we know it is going to arise.

Margot James

First, a word on the clause, which sets out the territorial application with respect to the circumstances in which the Bill applies to the processing of personal data. Article 3 of the GDPR says that the GDPR applies where the processing of personal data occurs in the context of the activities of a controller or a processor established in the EU, and that it will also apply where a controller or processor is based outside the EU, but is processing the data of people within the EU in connection with the offering of goods and services to them, or for monitoring their behaviour.

We have revisited the clause to ensure that, as far as possible, the scope of the Bill aligns with the scope of the GDPR, albeit in a UK-only context. The Bill will allow the sanction to be given to an overseas entity where it is in the control of a UK-based company. Whether it can be enforced will depend on international arrangements for bringing people to justice, including those beyond the area of data protection.

One additional point, regarding the global nature of these crimes, is that under UK law we already have stronger data protection laws than many other countries—indeed, considerably stronger than in the United States. That means that American citizens with an interest in this Cambridge Analytica debacle are using the British courts and British legislation to enforce things such as data subject access requests, which have revealed a great deal of the evidence that is coming out of Cambridge Analytica. So we benefit as well from the strength of the data provisions that we have at the moment, which we are of course strengthening through the Bill.

Question put and agreed to.

Clause 200, as amended, accordingly ordered to stand part of the Bill.

Clause 201 ordered to stand part of the Bill.

Clause 202

Application to the Crown

Question proposed, That the clause stand part of the Bill.

Liam Byrne

I think we would all benefit from a little bit of explanation about how this clause will work in practice. For those who have not read clause 202 in detail, it basically explains how this Bill will operate when it comes to the Crown. That is obviously important, because within Her Majesty’s estates there are particular estates such as the Duchy of Lancaster and indeed the Duchy of Cornwall, which are often quite big businesses. I remember from my own time as Chancellor of the Duchy of Lancaster that there are some quite significant property holdings in that Duchy, and they make a not insignificant contribution to the funds that Her Majesty uses to work with, day to day. How will this clause be put into practice and are there any relevant exemptions that we should know about?

Margot James

Clause 202 does not contain any provision to exempt the Crown from the requirements of the GDPR. Likewise, section 63 of the 1998 Act also binds the Crown. This clause makes similar and related provision. For example, where Crown bodies enter into controller-processor relationships with each other, subsection (3) provides that the arrangement may be governed by a memorandum of understanding, rather than a contract. This is to meet the requirements of article 28 of the GDPR.

Question put and agreed to.

Clause 202 accordingly ordered to stand part of the Bill.

Clause 203 ordered to stand part of the Bill.

Clause 204

Minor and consequential amendments

Amendment made: 190, in clause 204, page 120, line 12, leave out subsection (1) and insert—

“(1) In Schedule 18—

(a) Part 1 contains minor and consequential amendments of primary legislation;

(b) Part 2 contains minor and consequential amendments of other legislation;

(c) Part 3 contains consequential modifications of legislation;

(d) Part 4 contains supplementary provision.”

This amendment sets out the contents of Schedule 18 and is consequential on the amendments being made to Schedule 18 including in particular the insertion of new Parts 3 and 4 into that Schedule by amendment 224. (Margot James.)

Clause 204, as amended, ordered to stand part of the Bill.

Schedule 18

Minor and Consequential Amendments

Amendments made: 191, in schedule 18, page 208, line 25, at end insert—

“Registration Service Act 1953 (c. 37)

A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.

(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 122 of the Data Protection Act 2018 (data-sharing code)”.

(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

Veterinary Surgeons Act 1966 (c. 36)

A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.

(2) In subsection (8)—

(a) omit “personal data protection legislation in the United Kingdom that implements”,

(b) for paragraph (a) substitute—

“(a) the GDPR; and”, and

(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.

(3) In subsection (9), after “section” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

This amendment makes consequential amendments to primary legislation.

Amendment 192, in schedule 18, page 210, line 4, at end insert—

“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))

8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.

8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.

8C In article 8D (European professional card), after paragraph (3) insert—

“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—

“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.

(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”.

(3) For sub-paragraph (3) substitute—

“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

Representation of the People Act 1983 (c. 2)

8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.

(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(4) In paragraph 11A—

(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and

(b) omit sub-paragraph (2).”

This amendment makes consequential amendments to primary legislation.

Amendment 193, in schedule 18, page 210, leave out lines 5 to 39 and insert—

“Medical Act 1983 (c. 54)

9 The Medical Act 1983 is amended as follows.

10 (1) Section 29E (evidence) is amended as follows.

(2) In subsection (5), after “enactment” insert “or the GDPR”.

(3) For subsection (7) substitute—

“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (9), at the end insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.

(2) In subsection (4), after “enactment” insert “or the GDPR”.

(3) For subsection (5A) substitute—

“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (7), at the end insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.

13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.

(2) In sub-paragraph (2)(a), after “enactment” insert “or the GDPR”.

(3) After sub-paragraph (3) insert—

“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.

(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.

(3) For sub-paragraph (8A) substitute—

“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (13) insert—

“(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”

This amendment replaces the existing consequential amendments of the Medical Act 1983.

Amendment 194, in schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 33B of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 195, in schedule 18, page 211, line 20, at end insert—

15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

This amendment makes further consequential amendments to the Dentists Act 1984.

Amendment 196, in schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 36Y of the Dentists Act 1984 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 197, in schedule 18, page 211, line 41, at end insert—

16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.

16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Companies Act 1985 (c. 6)

16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”

This amendment makes consequential amendments to primary legislation, including further consequential amendments to the Dentists Act 1984.

Amendment 198, in schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 13B of the Opticians Act 1989 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 199, in schedule 18, page 212, line 18, at end insert—

“Access to Health Records Act 1990 (c. 23)

18A The Access to Health Records Act 1990 is amended as follows.

18B For section 2 substitute—

“2 Health professionals

In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

18C (1) Section 3 (right of access to health records) is amended as follows.

(2) In subsection (2), omit “Subject to subsection (4) below,”.

(3) In subsection (4), omit from “other than the following” to the end.”

This amendment makes consequential amendments to the Access to Health Records Act 1990.

Amendment 200, in schedule 18, page 213, line 2, at end insert—

“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))

21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.

(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (6) insert—

“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Industrial Relations (Northern Ireland) Order 1992.

Amendment 201, in schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 40 of the Freedom of Information Act 2000 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 202, in schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 references to Schedule 2 to the bill include that Schedule as applied by Chapter 3 of Part 2 of the bill.

Amendment 203, in schedule 18, page 220, line 7, at end insert—

“Enterprise Act 2002 (c. 40)

64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.

(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

(3) After subsection (6) insert—

“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Enterprise Act 2002.

Amendment 204, in schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in section 38 of the Freedom of Information (Scotland) Act 2002 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 205, in schedule 18, page 222, line 21, at end insert—

“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)

75A (1) Section 279 of the Mental Health Care and Treatment (Scotland) Act 2003 (information for research) is amended as follows.

(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.

(3) After subsection (9) insert—

“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””

This amendment makes consequential amendments to the Mental Health (Care and Treatment) (Scotland) Act 2003.

Amendment 206, in schedule 18, page 222, line 29, at end insert—

“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)

76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.

76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.

(2) In subsection (2)—

(a) omit “within the meaning of the Data Protection Act 1998”, and

(b) for “that Act” substitute “the data protection legislation”.

(3) After subsection (7) insert—

“(8) In this section—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.

(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (7) insert—

“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to the Companies (Audit, Investigations and Community Enterprise) Act 2004.

Amendment 207, in schedule 18, page 225, line 10, at end insert—

88A (1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.

(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (3) insert—

(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes further consequential amendments to the National Health Service Act 2006.

Amendment 208, in schedule 18, page 225, line 28, at end insert—

“Companies Act 2006 (c. 46)

92A The Companies Act 2006 is amended as follows.

92B In section 458(2) (disclosure of information by tax authorities)—

(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and

(b) for “that Act” substitute “the data protection legislation”.

92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92E In section 1173(1) (minor definitions: general), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.

92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.

92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—

“the data protection legislation

section 1261(1)”.



92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—

“the data protection legislation

section 1173(1)”.”



This amendment makes consequential amendments to the Companies Act 2006.

Amendment 209, in schedule 18, page 225, line 38, at end insert—

96A (1) Section 45 (information held by HMRC) is amended as follows.

(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”

This amendment makes further consequential amendments to the Statistics and Registration Service Act 2007.

Amendment 210, in schedule 18, page 230, line 16, at end insert—

“Coroners and Justice Act 2009 (c. 25)

122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”

This amendment makes a consequential amendment to the Coroners and Justice Act 2009 and is consequential on the amendments being made to section 3 of the Access to Health Records Act 1990 by amendment 199.

Amendment 211, in schedule 18, page 232, line 39, after “after “” insert “this”

Paragraph 130(3) of Schedule 18 to the bill amends paragraph 8(8) of Schedule 2 to the Welsh Language (Wales) Measure 2011 by inserting new text. This amendment clarifies where that new text is to be inserted in the English language version of that Measure.

Amendment 212, in schedule 18, page 242, line 40, at end insert—

“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)

186A (1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.

(2) In the English language text—

(a) in subsection (9), omit from “and in this subsection” to the end, and

(b) after subsection (9) insert—

“(9A) In subsection (9)—

“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;

“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

(3) In the Welsh language text—

(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and

(b) after subsection (9) insert—

“(9A) Yn is-adran (9)—

mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);

mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.”

This amendment makes consequential amendments to the Additional Learning Needs and Educational Tribunal (Wales) Act 2018.

Amendment 213, in schedule 18, page 243, line 14, at end insert—

“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)

187A In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—

“Data Protection Act 2018

Section 145

False statements made in response to an information notice””



This amendment makes a consequential amendment to the Estate Agents (Specific Offences) (No. 2) Order 1991.

Amendment 214, in schedule 18, page 243, line 22, after “controller”,” insert—

(ba) after “in the context of” insert “the activities of”,”

This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.

Amendment 215, in schedule 18, page 243, line 27, after “controller”,” insert—

(ba) after “in the context of” insert “the activities of”,”

This amendment to the consequential amendment to the Channel Tunnel (International Agreements) Order 1993 is consequential on amendment 183.

Amendment 216, in schedule 18, page 243, line 28, at end insert—

“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.

188B In Article 4 (health professionals), for paragraph (1) substitute—

“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—

“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).

(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.

188F (1) Regulation 2(1) (interpretation) is amended as follows.

(2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188G (1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—

“7 Data Protection Act 2018

(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—

“9 Data Protection Act 2018

(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Commission is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

188J The Representation of the People (England and Wales) Regulations 2001 are amended as follows.

188K In regulation 3(1) (interpretation), at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188L In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188M In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188N In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188O In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes;”.

188P (1) Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.

(2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188Q In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

188R In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188S In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188T In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188U In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188V In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) Article 89 GDPR purposes;”.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

188W The Representation of the People (Scotland) Regulations 2001 are amended as follows.

188X In regulation 3(1) (interpretation), at the appropriate places, insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AB In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes;”.

188AC In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes;”.

188AD (1) Regulation 92(2) (interpretation of Part VI etc) is amended as follows.

(2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188AE In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

188AF In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AG In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AH In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) Article 89 GDPR purposes;”.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

188AJ (1) Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.

(2) In paragraph (2B), for sub-paragraph (a) substitute—

“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.

(3) After paragraph (5) insert—

“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Nursing and Midwifery Order 2001 (S.I. 2002/253)

188AK The Nursing and Midwifery Order 2001 is amended as follows.

188AL (1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.

(2) In paragraph (18), after “enactment” insert “or the GDPR”.

(3) After paragraph (18) insert—

“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

188AM (1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.

(2) In paragraph (3), after “enactment” insert “or the GDPR”.

(3) In paragraph (6)—

(a) for “paragraph (5),” substitute “paragraph (3)—”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

188AN In article 39B (European professional card), after paragraph (2) insert—

“(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

188AO In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188AP (1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

188AQ (1) The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

188AR In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

188AS Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.

188AT In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.

188AU In paragraph (3)—

(a) omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and

(b) at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

This amendment makes consequential amendments to secondary legislation, including to the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 and the Northern Ireland Assembly Commission (Crown Status) Order 1999.

Amendment 217, in schedule 18, page 244, line 1, at end insert—

(d) for “data controller” substitute “controller”, and

(e) after “in the context of” insert “the activities of”.

Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.

191B (1) Regulation 2 (interpretation) is amended as follows.

(2) Omit the definition of “the 1998 Act”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

191C (1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.

(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.

(3) For paragraphs (a) to (c) substitute—

“(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;

(ab) the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.

(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.

(5) In paragraph (e), for “that” substitute “the information”.

191D In regulation 9 (fees), for paragraph (1) substitute—

“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—

(a) exceeds the cost of supply, or

(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.

191F (1) Paragraph 74(1) (interpretation) is amended as follows.

(2) Omit the definitions of “relevant conditions” and “research purposes”.

(3) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.”

This amendment makes consequential amendments to secondary legislation, including to the Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003. The amendment to that Order is consequential on amendment 183, and also changes the reference in article 11(4) of that Order to a “data controller” to a “controller”.

Amendment 218, in schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in the Environmental Information Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 219, in schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in the Environmental Information (Scotland) Regulations 2004 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 220, in schedule 18, page 247, line 40, at end insert—

“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

199A (1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.

(2) In paragraph (1)(b)—

(a) for paragraph (iii) (but not the final “, and”) substitute—

“(iii) the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and

(b) in the words following paragraph (iii), omit “search”.

(3) After paragraph (2) insert—

“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.

199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.

199D (1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.

(2) In paragraph (4)—

(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and

(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.

(3) After paragraph (6) insert—

“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””

This amendment makes consequential amendments to secondary legislation.

Amendment 221, in schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

This amendment makes clear that in regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 references to a provision of Chapter 2 of Part 2 of the bill include that provision as applied by Chapter 3 of Part 2 of the bill.

Amendment 222, in schedule 18, page 249, line 1, at end insert—

“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—

(a) for the definition of “data protection principles” substitute—

““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.

200C (1) Regulation 39 (sensitive information) is amended as follows.

(2) In paragraph (1)(d)—

(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.

(3) After paragraph (1) insert—

“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C) The condition in this paragraph is that—

(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

(4) Omit paragraphs (2) to (4).

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

200D (1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(4) After that sub-paragraph insert—

“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

200E In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—

“(b) any material used consists of or includes human cells or human DNA,”.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

200F For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—

“5 Data Protection Act 2018

(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

200G In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity) —

(a) in the English language text, for paragraph (c) substitute—

“(c) any material used consists of or includes human cells or human DNA; and”, and

(b) in the Welsh language text, for paragraph (c) substitute—

“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

200H (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.

(2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(3) After paragraph (1) insert—

“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

200I In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

200J The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.

200K In regulation 2 (interpretation), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

200L In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

200M In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

200N In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

200O The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.

200P In regulation 2(1) (interpretation)—

(a) at the appropriate place in the English language text insert—

““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and

(b) at the appropriate place in the Welsh language text insert—

“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran 3(10), (11) a (14) o’r Ddeddf honno);”.

200Q (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (8)—

(a) in the English language text substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200R (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (7)—

(a) in the English language text substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200S (1) Regulation 29 (occurrence reports) is amended as follows.

(2) In paragraph (3)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (4)—

(a) in the English language text substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

200T (1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.

(2) In paragraph (3)—

(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.

(3) After paragraph (3) insert—

“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”

(4) After paragraph (4) insert—

“(5) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

200U (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Overseas Companies Regulations 2009 (S.I. 2009/1801)

200V (1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Provision of Services Regulations 2009 (S.I. 2009/2999)

200W In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—

“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

This amendment makes consequential amendments to secondary legislation including to the National Assembly for Wales Commission (Crown Status) Order 2007.

Amendment 223, in schedule 18, page 249, line 32, at end insert—

“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

201A (1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.

(2) In paragraph (2)—

(a) omit “or” at the end of sub-paragraph (a),

(b) for sub-paragraph (b) substitute—

“(b) Article 21 of the GDPR (general processing: right to object to processing), or

(c) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and

(c) omit the words following sub-paragraph (b).

(3) After paragraph (6) insert—

“(7) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.

201C In regulation 2(2) (interpretation), at the appropriate place insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”

201D (1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7), at the end insert “or the GDPR”.

(3) For paragraph (8) substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201E (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6), at the end insert “or the GDPR”.

(3) For paragraph (7) substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201F (1) Regulation 29 (occurrence reports) is amended as follows.

(2) In paragraph (3), at the end insert “or the GDPR”.

(3) For paragraph (4) substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

Pharmacy Order 2010 (S.I. 2010/231)

201G The Pharmacy Order 2010 is amended as follows.

201H In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.

201I (1) Article 9 (inspection and enforcement) is amended as follows.

(2) For paragraph (4) substitute—

“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”

(3) After paragraph (4) insert—

“(5) In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

201J In article 33A (European professional card), after paragraph (2) insert—

“(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

201K (1) Article 49 (disclosure of information: general) is amended as follows.

(2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.

(3) For paragraph (3) substitute—

“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”

(4) After paragraph (5) insert—

“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201L (1) Article 55 (professional performance assessments) is amended as follows.

(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”.

(3) For paragraph (6) substitute—

“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”

(4) After paragraph (8) insert—

“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201M In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—

“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

201N (1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.

(3) In paragraph 9 (processing data)—

(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and

(b) after sub-paragraph (2) insert—

“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”

201O (1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

National Employment Savings Trust Order 2010 (S.I. 2010/917)

201P The National Employment Savings Trust Order 2010 is amended as follows.

201Q In article 2 (interpretation)—

(a) omit the definition of “data” and “personal data”, and

(b) at the appropriate place insert—

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

201R (1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.

(2) In paragraph (1)—

(a) for “disclosure of data” substitute “disclosure of information”, and

(b) for “requested data” substitute “requested information”.

(3) In paragraph (2)—

(a) for “requested data” substitute “requested information”,

(b) for “those data are” substitute “the information is”, and

(c) for “receive those data” substitute “receive that information”.

(4) In paragraph (3), for “requested data” substitute “requested information”.

(5) In paragraph (4), for “requested data” substitute “requested information”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

201S (1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(1) (interpretation and general)—

(a) omit the definition of “research purposes”, and

(b) at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

201T (1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.

(2) In paragraph (5)—

(a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—

(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or

(b) to which the pupil would have no right of access under the GDPR.”, and

(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—

(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu

(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”

(3) After paragraph (5)—

(a) in the English language text insert—

“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”, and

(b) in the Welsh language text insert—

“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

201U In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

201V The Police and Crime Commissioner Elections Order 2012 is amended as follows.

201W (1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.

(2) In paragraph 20 (absent voter lists: supply of copies etc)—

(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

201X (1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

201Y Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.

201Z (1) Paragraph 29(1) (interpretation of Part 8) is amended as follows.

(2) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) For the definition of “relevant conditions” substitute—

““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.

(4) Omit the definition of “research purposes”.

201AA In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

201AB In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AC In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AD In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AE In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—

(a) Article 89 GDPR purposes (as defined in paragraph 29),”.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

201AF (1) Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.

(2) For paragraph (4) substitute—

“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

(3) In paragraph (5), after “enactment” insert “or the GDPR”.

(4) After paragraph (6) insert—

“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

201AG (1) Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.

(2) The existing text becomes paragraph (1).

(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4) After that paragraph insert—

“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

This amendment makes consequential amendments to secondary legislation.

Amendment 224, in schedule 18, page 250, line 7, at end insert—

“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

204A (1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.

204C (1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.

(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (2) insert—

“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

204D (1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.

(2) For paragraph (1) substitute—

“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”

(3) After paragraph (3) insert—

“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.

204F (1) Regulation 2(1) (interpretation) is amended as follows.

(2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.

204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).

204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.

204M (1) Schedule 3 (absent voting) is amended as follows.

(2) In paragraph 16 (absent voting lists: supply of copies etc)—

(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 20 (restriction on use of absent voting lists)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

204N (1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.

204Q (1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.

(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—

(i) for the purposes of ensuring that it complies with its data protection obligations;”.

(3) In sub-paragraph (c)—

(a) omit “or” at the end of paragraph (ii), and

(b) at the end insert “; or

(i) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice); and”.

(4) After sub-paragraph (c) insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”

204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—

(b) for the purposes of ensuring that it complies with its data protection obligations.”

204S (1) In Part 3 (interpretation), after paragraph 13 insert—

14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—

(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency or institution carries on business in an EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.

204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.

204V In regulation 3(3) (supervision), omit “under the 1998 Act”.

204W For Schedule 2 substitute—

SCHEDULE 2

Information Commissioner’s enforcement powers

Provisions applied for enforcement purposes

1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 24—

(a) section 140 (publication by the Commissioner);

(b) section 141 (notices from the Commissioner);

(c) section 143 (information notices);

(d) section 144 (information notices: restrictions);

(e) section 145 (false statements made in response to an information notice);

(f) section 146 (assessment notices);

(g) section 147 (assessment notices: restrictions);

(h) section 148 (enforcement notices);

(i) section 149 (enforcement notices: supplementary);

(j) section 151 (enforcement notices: restrictions);

(k) section 152 (enforcement notices: cancellation and variation);

(l) section 153 and Schedule 15 (powers of entry and inspection);

(m) section 154 and Schedule 16 (penalty notices);

(n) section 155(4)(a) (penalty notices: restrictions);

(o) section 156 (maximum amount of penalty);

(p) section 158 (amount of penalties: supplementary);

(q) section 159 (guidance about regulatory action);

(r) section 160 (approval of first guidance about regulatory action);

(s) section 161 (rights of appeal);

(t) section 162 (determination of appeals);

(u) section 179(1), (2), (5), (7) and (12) (regulations and consultation);

(v) section 189 (penalties for offences);

(w) section 190 (prosecution);

(x) section 195 (proceedings in the First-tier Tribunal: contempt);

(y) section 196 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2 The provisions listed in paragraph 1 have effect as if—

(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 143 (information notices)

3 (1) Section 143 has effect as if subsections (9) and (10) were omitted.

(2) In that section, subsection (1) has effect as if—

(a) in paragraph (a)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;

(b) paragraph (b) were omitted.

Modification of section 144 (information notices: restrictions)

4 (1) Section 144 has effect as if subsections (1) and (9) were omitted.

(2) In that section—

(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 145 or paragraph 15 of Schedule 15”;

(c) subsection (8) has effect as if for “this Act (other than an offence under section 145)” there were substituted “paragraph 15 of Schedule 15”.

Modification of section 146 (assessment notices)

5 (1) Section 146 has effect as if subsection (10) were omitted.

(2) In that section—

(a) subsection (1) has effect as if—

(i) for “controller or processor” (in both places) there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;

(b) subsection (2) has effect as if paragraphs (g) and (h) were omitted;

(c) subsections (7), (8) and (9) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.

Modification of section 147 (assessment notices: restrictions)

6 (1) Section 147 has effect as if subsections (5) and (6) were omitted.

(2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 148 (enforcement notices)

7 (1) Section 148 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2) In that section—

(a) subsection (1) has effect as if—

(i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;

(ii) for “sections 149 and 150” there were substituted “section 149”;

(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 149 (enforcement notices: supplementary)

8 (1) Section 149 has effect as if subsection (3) were omitted.

(2) In that section, subsection (2) has effect as if the words “in reliance on section 148(2)” and “or distress” were omitted.

Modification of section 151 (enforcement notices: restrictions)

9 Section 151 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal notices

10 The provisions listed in paragraph 1 have effect as if after section 152 there were inserted—

“Withdrawal notices

152A Withdrawal notices

(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b) the condition in subsection (2) or (3) is met.

(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4) A withdrawal notice must—

(a) state when the withdrawal takes effect, and

(b) provide information about the rights of appeal under section 161.”

Modification of Schedule 15 (powers of entry and inspection)

11 (1) Schedule 15 has effect as if paragraph 3 were omitted.

(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

(a) there are reasonable grounds for suspecting that—

(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii) an offence under section 145 or paragraph 15 of Schedule 15 has been or is being committed,”.

(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a) in sub-paragraph (1) and (2), for “controller or processor” there were substituted “trust service provider”;

(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.

(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;

(b) in sub-paragraph (2)(c)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “as described in section 148(2)” there were substituted “to comply with the eIDAS requirements”;

(c) in sub-paragraph (3)(a) and (c)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.

(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 154 (penalty notices)

12 (1) Section 154 has effect as if subsections (1)(a), (2)(a), (3)(g), (3A) and (5) to (7) were omitted.

(2) Subsection (2) of that section has effect as if—

(a) the words “Subject to subsection (3A),” were omitted;

(b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3) Subsection (3) of that section has effect as if—

(a) for “controller or processor”, in each place, there were substituted “trust services provider”;

(b) in paragraph (c), the words “or distress” were omitted;

(c) in paragraph (c), for “data subjects” there were substituted “relying parties”;

(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.

Modification of Schedule 16 (penalties)

13 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 156 (maximum amount of penalty)

14 Section 156 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 158 (amount of penalties: supplementary)

15 Section 158 has effect as if—

(a) in subsection (1), the words “Article 83 of the GDPR and” were omitted;

(b) in subsection (2), the words “Article 83 of the GDPR” and “and section 157” were omitted.

Modification of section 159 (guidance about regulatory action)

16 (1) Section 159 has effect as if subsections (4) and (10) were omitted.

(2) In that section, subsection (3)(e) has effect as if for “controllers and processors” there were substituted “trust service providers”.

Modification of section 161 (rights of appeal)

17 (1) Section 161 has effect as if subsection (5) were omitted.

(2) In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—

(ca) a withdrawal notice;”.

Modification of section 162 (determination of appeals)

18 Section 162 has effect as if subsection (7) were omitted.

Modification of section 179 (regulations and consultation)

19 Section 179 has effect as if subsections (3), (4), (6), (8) to (11) and (13) were omitted.

Modification of section 189 (penalties for offences)

20 (1) Section 189 has effect as if subsections (3) to (5) were omitted.

(2) In that section—

(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b) subsection (2) has effect as if for “section 132, 145, 170, 171 or 181” there were substituted “section 145”.

Modification of section 190 (prosecution)

21 Section 190 has effect as if subsections (3) to (6) were omitted.

Modification of section 195 (proceedings in the First-tier Tribunal: contempt)

22 Section 195 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 161”.

Modification of section 196 (Tribunal Procedure Rules)

23 Section 196 has effect as if—

(a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 161”;

(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.

Approval of first guidance about regulatory action

24 (1) This paragraph applies if the first guidance produced under section 159(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2) Section 160 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

Interpretation

25 In this Schedule—

“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;

“the EITSET Regulations” means these Regulations;

“withdrawal notice” has the meaning given in section 146A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”

Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)

204X The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.

204Y In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018.”

204Z In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018.”

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)

204AA The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.

204AB In regulation 3(1) (interpretation), at the appropriate places insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.

204AC In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—

(a) the Data Protection Act 2018 or any other enactment, or

(b) the GDPR.”

204AD In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—

(a) the Data Protection Act 2018 or any other enactment, or

(b) the GDPR.”

204AE For regulation 40(9)(c) (record keeping) substitute—

(c) “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

(b) “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

204AF (1) Regulation 41 (data protection) is amended as follows.

(2) Omit paragraph (2).

(3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”.

(4) Omit paragraphs (4) and (5).

(5) After those paragraphs insert—

“(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a) for the purposes of preventing money laundering or terrorist financing, or

(b) as permitted under paragraph (3).

(7) In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.

(8) In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 9, 10 and 10A of that Schedule).

(9) In this regulation—

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);

“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”

204AG (1) Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.

(2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) For paragraph (11) substitute—

“(11) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

204AH (1) Regulation 85 (publication: the Commissioners) is amended as follows.

(2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) For paragraph (10) substitute—

“(10) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

204AI For regulation 106(a) (general restrictions) substitute—

“(a) a disclosure in contravention of the data protection legislation; or”.

204AJ After paragraph 27 of Schedule 3 (relevant offences) insert—

27A An offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”

Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)

204AK (1) Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) For paragraph (b) of that sub-paragraph substitute—

(b) for the purposes of ensuring that it complies with its data protection obligations.”

(4) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a relevant institution, means—

(a) where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the institution carries on business in an EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)

204AL The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.

204AM (1) Regulation 1 (citation and commencement) is amended as follows.

(2) In paragraph (2), omit “Subject to paragraph (3),”.

(3) Omit paragraph (3).

204AN In regulation 3(1) (interpretation)—

(a) omit the definition of “the 1998 Act”,

(b) at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c) omit the definition of “GDPR”.

204AO (1) Schedule 6 (other contractual terms) is amended as follows.

(2) In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—

(a) the data protection legislation, or

(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”

(3) For paragraph 64 (meaning of data controller etc.) substitute—

“Meaning of controller etc.

64A For the purposes of this Part—

“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

“data protection officer” means a person designated as a data protection officer under the data protection legislation;

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”

(4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.

(5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i) the data protection legislation, and

(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(6) In paragraph 94(4) (variation of a contract: general)—

(a) omit paragraph (b), and

(b) after paragraph (d) (but before the final “and”) insert—

“(da) the data protection legislation;

(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)

204AP The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.

204AQ (1) Regulation 1 (citation and commencement) is amended as follows.

(2) In paragraph (2), omit “Subject to paragraph (3),”.

(3) Omit paragraph (3).

204AR In regulation 3(1) (interpretation)—

(a) omit the definition of “the 1998 Act”, and

(b) at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c) omit the definition of “GDPR”.

204AS (1) Schedule 1 (content of agreements) is amended as follows.

(2) In paragraph 34 (interpretation)—

(a) in sub-paragraph (1)—

(i) omit “Subject to sub-paragraph (3),”,

(ii) before paragraph (a) insert—

(iii) for paragraph (d) substitute—

(b) omit sub-paragraphs (2) and (3),

(c) in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—

(a) the data protection legislation, or

(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and

(d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.

(3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i) the data protection legislation, and

(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(4) In paragraph 61(3) (variation of agreement: general)—

(a) omit paragraph (b), and

(b) after paragraph (d) (but before the final “and”) insert—

“(da) the data protection legislation;

(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

Part 3

Modifications

Introduction

204AT (1) Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.

(2) That legislation is—

(a) subordinate legislation made before the day on which this Part of this Schedule comes into force;

(b) primary legislation that is passed or made before the end of the Session in which this Act is passed.

(3) In this Part of this Schedule—

“primary legislation” has the meaning given in section 204(7);

“references” includes any references, however expressed.

General modifications

204AU (1) References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.

(2) Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.

(3) References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.

Specific modification of references to terms used in the Data Protection Act 1998

204AV (1) References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).

(2) References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).

(3) References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).

(4) References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).

(5) References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—

(a) Article 5(1) of the GDPR and the applied GDPR, and

(b) sections 34(1) and 85(1) of this Act.

(6) References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 123 of this Act.

(7) References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 197 of this Act.

(8) References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 198 of this Act.

Part 2

Supplementary

Definitions

204AW Section 3(14) does not apply to this Schedule.”

This amendment makes consequential amendments to secondary legislation including to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (the EITSET Regulations) and to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It also inserts two new Parts into Schedule 18. New Part 3 contains consequential modifications of provisions in certain legislation not amended by Parts 1 and 2 of Schedule 18. New Part 4 contains supplementary provision. (Margot James.)

Schedule 18, as amended, ordered to stand part of the Bill.

Clause 205

Commencement



Amendments made: 72, in clause 205, page 120, line 37, leave out paragraph (b)

This amendment is consequential on the omission of Clauses 168 and 169 (see Amendments 60 and 61).

Amendment 225, in clause 205, page 121, line 4, at end insert—

‘( ) Regulations under this section may make different provision for different areas.”

This amendment enables regulations under clause 205 bringing provisions of the bill into force to make different provision for different areas. (Margot James.)

Clause 205, as amended, ordered to stand part of the Bill.

Clause 206 ordered to stand part of the Bill.

Clause 207

Extent

Amendments made: 73, in clause 207, page 121, line 12, after “(2)” insert “, (2A)”

See the explanatory statement for Amendment 74.

Amendment 226, in clause 207, page 121, line 12, leave out “and (3)” and insert “, (3) and (3A)”

See the explanatory statement for amendment 227.

Amendment 74, in clause 207, page 121, line 14, at end insert—

‘(2A) Sections (Representation of data subjects with their authority: collective proceedings) and (Duty to review provision for representation of data subjects) extend to England and Wales and Northern Ireland only.”

This amendment and Amendment 73 provide that NC1 and NC2 extend only to England and Wales and Northern Ireland.

Amendment 227, in clause 207, page 121, line 15, after “extent” insert “in the United Kingdom”

This amendment and amendments 226, 228 and 229 clarify that amendments of enactments made by the bill have the same extent in the United Kingdom as the enactment amended and that certain amendments also extend to the Isle of Man.

Amendment 228, in clause 207, page 121, line 16, leave out “(ignoring extent by virtue of an Order in Council)”

See the explanatory statement for amendment 227.

Amendment 229, in clause 207, page 121, line 17, at end insert—

‘(3A) This subsection and the following provisions also extend to the Isle of Man—

(a) paragraphs 200N and 205 of Schedule 18;

(b) sections 204(1), 205(1) and 206, so far as relating to those paragraphs.”

See the explanatory statement for amendment 227. Paragraph 200N in amendment 222 amends the Competition Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008. (Margot James.)

Clause 207, as amended, ordered to stand part of the Bill.

Clause 208

Short title

Amendment made: 75, in clause 208, page 121, line 24, leave out subsection (2)

This amendment removes the privilege amendment inserted by the Lords. (Margot James.)

Clause 208, as amended, ordered to stand part of the Bill.

New Clause 1

Representation of data subjects with their authority: collective proceedings

‘(1) The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.

(2) In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 183.

(3) The power under subsection (1) includes power—

(a) to make provision about the proceedings;

(b) to confer functions on a person, including functions involving the exercise of a discretion;

(c) to make different provision in relation to England and Wales and in relation to Northern Ireland.

(4) The provision mentioned in subsection (3)(a) includes provision about—

(a) the effect of judgments and orders;

(b) agreements to settle claims;

(c) the assessment of the amount of compensation;

(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;

(e) costs.

(5) Regulations under this section are subject to the negative resolution procedure.”

This new clause confers power on the Secretary of State to make regulations enabling representative bodies (defined in Clause 183) to bring collective proceedings in England and Wales or Northern Ireland combining two or more claims in respect of data subjects’ rights. (Margot James.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 2

Duty to review provision for representation of data subjects

“(1) Before the end of the review period, the Secretary of State must—

(a) review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,

(b) prepare a report of the review, and

(c) lay a copy of the report before Parliament.

(2) Those matters are—

(a) the operation of Article 80(1) of the GDPR,

(b) the operation of section 183,

(c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject), and

(d) the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation).

(3) “The review period” is the period of 30 months beginning when section 183 comes into force.

(4) After the report under subsection (1) is laid before Parliament, the Secretary of State may by regulations—

(a) exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland, and

(b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject.

(5) The powers under subsection (4) include power—

(a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;

(b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights,

(c) to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;

(d) to confer functions on a person, including functions involving the exercise of a discretion;

(e) to amend sections 164 to 166, 177, 183, 196, 198 and 199;

(f) to insert new sections and Schedules into Part 6 or 7;

(g) to make different provision in relation to England and Wales and in relation to Northern Ireland.

(6) The provision mentioned in subsection (5)(b) and (c) includes provision about—

(a) the effect of judgments and orders;

(b) agreements to settle claims;

(c) the assessment of the amount of compensation;

(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;

(e) costs.

(7) Regulations under this section are subject to the affirmative resolution procedure.”

This new clause imposes a duty on the Secretary of State to review the operation of provisions enabling a representative body to exercise data subjects’ rights with their authority in England and Wales and Northern Ireland and to consider exercising powers under the GDPR to enable a representative body to exercise such rights there without being authorised to do so by the data subjects. (Margot James.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 5

Bill of Data Rights in the Digital Environment

Schedule [Bill of Data Rights in the Digital Environment] shall have effect.

This new clause would introduce a Bill of Data Rights in the Digital Environment. (Liam Byrne.)

Brought up, and read the First time.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

I beg to move, That the clause be read a Second time.

--- Later in debate ---
Darren Jones

Then you agree with hon. Members on both sides of the Committee, Mr Streeter. Of course we do, but as we have seen this week with the Cambridge Analytica scandal, rules must be set, and there must be a balance between allowing innovation to flourish and people’s rights not to be harmed in the process.

Margot James

Quite. That is the basis of the Bill.

Darren Jones

I agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.

Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.

All that becomes anchored in the question of ownership. There is still this legal space that says that data subjects do not own their own data. We need a much broader debate on that. [Interruption.] Members are shaking their heads. I am happy to take interventions, if Members would like.

--- Later in debate ---
Margot James

My response will encompass our digital charter, as the right hon. Member for Birmingham, Hodge Hill mentioned, and I will also answer some of the points he made in his interesting exposition of his rights-based approach. I agree with him: the internet is a powerful force for good, serving humanity and spreading ideas, freedom and opportunity across the world. Yet, as he rightly states, there are considerable trust issues, which can have only worsened in recent days.

I would like to emphasise the point made by my hon. Friend the Member for Gordon that the UK has a strong digital economy accounting for over 12.5% of GDP, which makes us the leading digital economy in the G20.

The right hon. Gentleman was critical of Government sites and services, but we have developed a system that is being taken up by several other countries, including New Zealand, which are adopting our approach to providing Government services online. I am sorry that his experience on the tax side was not great, and there are always exceptions, but on the whole we are leaders in the provision of Government services online.

Citizens rightly want to know that they will be safe and secure online. Tackling these challenges in an effective and responsible way is absolutely critical. The digital charter is our response. It is a rolling programme of work to agree norms and rules for the online world and to put them into practice. In some cases, that will be through shifting expectations of behaviour and resetting a settlement with internet companies. In some cases, we will need to agree completely new standards; in others, we will want to update our laws and regulations. Our starting point is that we expect the same rights and behaviour online as we do offline, with the same ease of enforcement.

The charter’s core purpose is to make the internet work for everyone—for citizens, businesses and society as a whole—and it is based on liberal values. Every country is grappling with these challenges. The right hon. Gentleman suggested last week that the Government are not averse to making declaratory statements of rights and interpreting them into law, but his key example related to human rights. The Human Rights Act provides a detailed and well-considered legislative framework for those rights and ensures that they are meaningful.

Liam Byrne

When the right hon. Member for Surrey Heath (Michael Gove), who is now the Secretary of State for Environment, Food and Rural Affairs, was Secretary of State at the Ministry of Justice, he launched a consultation about an English Bill of Rights, which was about not simply human rights but a much broader set of rights. I do not think there is a big difference in our approaches to rights. Actually, I think there is a shared approach, as has been recognised down the years.

Margot James

Yes, much of our approach is shared. The Government decided not to proceed with that Bill of Rights, but the right hon. Gentleman rightly points out that both our parties have a keen interest in this area. However, to set out his proposed bill of data rights in primary legislation would cut across the GDPR. It would impose its own rights of rectification and erasure, its own notion of control and its own obligations on controllers to keep data secure, but, of course, the GDPR already does that, and comparable rights are provided for in the Bill. I am concerned about how the Commission would react to such an attempt to redefine data protection standards. That is one of our main concerns with his new clauses and new schedule, no matter how much we might agree with the sentiments behind them. Given that, and the fact that we are proceeding with our digital charter, I feel that the Bill, in essence, covers this issue, and I need say no more about it.

Liam Byrne

Our proposed bill of data rights seeks not to redefine but to enshrine, so the rights reflected in the GDPR are no more than enshrined in it. The point is that it would go over and above the rights and obligations set out in this Bill. The right of equal access to the internet, the crystallisation of the right to expression and the advancement of the debate about the right to data ownership are important provisions whose time will come. At some point, due to the way the world is changing, our citizens and constituents will begin to demand both a democratisation of the privileges of this new age and of progress, and the right to effective defences and new protections.

I am glad that the Minister agrees with the sentiment behind the new clause, and I recognise that she perhaps does not see this Bill as the place to consolidate our brilliant ideas into the law of the land. I listened with interest to what she said about a rolling programme of ideas in the digital charter. There is a challenge with that approach: it will end up following the cones hotline model of public service reform. It will not live or sing; it will be bedevilled by voluntary codes, bureaucracy and operational procedures, and it will end up not really making a difference to the world. Our bill of data rights is clear.

If rights are to be a reality, they need not to be a mystery but to be understood. They need to be something that people can talk about in a pub. They need to be something not that is set out in 250 pages of primary legislation but that can be set out on the back of a fag packet. In our bill of data rights, we set out a clear agenda that would make a difference and be easily understood and enforced. It would be an improvement and would take forward the rights and liberties of the citizens of this country.

Data Protection Bill [Lords] (Sixth sitting)

Margot James Excerpts
Tuesday 20th March 2018

Public Bill Committees

The Chair

It is up to the Minister to decide whether she wishes to respond to that point of order.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I hesitated, Mr Streeter, because I am not quite sure that I can clarify the matter. I cannot answer the right hon. Gentleman’s question. I reiterate that in answer to the important question about strengthening the Information Commissioner’s powers, my right hon. Friend the Secretary of State said yesterday:

“We are considering those new proposals, and I have no doubt that the House will consider that as the Bill passes through the House.”—[Official Report, 19 March 2018; Vol. 638, c. 49.]

In the context of the commissioner’s request for additional powers, he said:

“We are therefore considering the Information Commissioner’s request.”—[Official Report, 19 March 2018; Vol. 638, c. 52.]

The right hon. Gentleman’s point was recently made by the commissioner, so it is a point worth listening to. I can confirm that we are listening and reviewing, but beyond that, I cannot go.

The Chair

As the Speaker himself might say, the right hon. Gentleman has been here a long time and will no doubt find other ways to pursue the matter. I am grateful for the point of order.

Clause 132 ordered to stand part of the Bill.

Clauses 133 to 139 ordered to stand part of the Bill.

Clause 140

Publication by the Commissioner

Question proposed, That the clause stand part of the Bill.

Margot James

I was not planning to speak to this clause, but as it is relevant I will use the opportunity to give the right hon. Member for Birmingham, Hodge Hill further information. He asked about the code of conduct where the commissioner has a responsibility to publish the document about child-friendly regulation of websites. Clause 140 provides that the document can be published in a way the commissioner considers appropriate. Under clause 126, the Bill contains a duty to publish various codes of practice, including the age-appropriate design code. The Bill requires the commissioner to publish the age-appropriate design code within 18 months of Royal Assent, but as the matter is important and urgent, we will endeavour to do so sooner.

Question put and agreed to.

Clause 140 accordingly ordered to stand part of the Bill.

Clause 141 ordered to stand part of the Bill.

Clause 142

Inquiry into issues arising from data protection breaches committed by or on behalf of news publishers

Brendan O'Hara (Argyll and Bute) (SNP)

I beg to move amendment 137, in clause 142, page 77, line 34, at end insert—

“(3) The Secretary of State must consult the Scottish Government and obtain its consent before establishing an inquiry under subsection (1).”

This amendment would ensure that before any inquiry was established, the UK Government must have consent from Scottish Government.

--- Later in debate ---
Matt Warman

That is a fascinating philosophical question, but I can only tell the right hon. Gentleman that I would not have voted for it. I appreciate that he will say that it is easy for me to say that now, but the idea that people in this place would be convinced that it is the best possible model is simply not plausible after the statements that my hon. Friend the Member for North Devon and I have made today. Surely we need a set of press regulations that preserves the independence of the media, and their ability to invest in journalism at local and national level, which we all want if we are to hold the powerful to account. We also need regulations that allow hon. Members to say with a clear conscience that we have done nothing that puts those businesses in serious jeopardy.

It does not seem to me that a costly Leveson 2 is the best use of public money, or that the threat of section 40 will ever be the best use of private money, putting legitimate local and national media out of business. Those arguments seem to me like a powerful case for IPSO, and for a sensible look at the sustainability of the press, as the Prime Minister has set about doing. They do not under any circumstances seem to me like a good reason to vote for the amendments.

Margot James

I will set out the Government’s position on clauses 142, 168, 169 and 205, before returning to the amendments in the name of the hon. Member for Argyll and Bute.

As we have heard, clause 142 requires the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. The Government set out our intention not to reopen the Leveson inquiry in our response to the consultation on the future of the inquiry on 1 March. I will not repeat the arguments in full, but I will say that the Government’s firm focus is on the problems faced by the media right now.

The Government recognise that there is a great deal of feeling on both sides of the debate. We have listened to all views, including those of victims, in reaching a decision. No one seeks to excuse the past behaviour of individual media organisations, nor to legitimise it. As the right hon. Member for Birmingham, Hodge Hill said, some of the stories we heard at the beginning of the Leveson inquiry were horrific. The Government have a duty, however, to make decisions that are proportionate and in the public interest. In the light of all the evidence available, it is apparent that part 2 of the inquiry is no longer appropriate or proportionate.

Part 1 of the inquiry lasted over a year, and heard evidence from more than 300 people, including journalists, editors and victims. Since then, the majority of the Leveson recommendations have been implemented. Three major police investigations examining a wide range of offences have been completed. More than 40 people were convicted, some of whom were sent to prison. There have also been extensive reforms to policing practices, and significant changes to press self-regulation.

As a result, the terms of reference for part 2 have largely been met, and the culture that allowed phone hacking to become the norm has changed. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and gaining revenue from online content. Free and vibrant media are vital to democratic discourse, and we need to tackle those challenges urgently. Holding a costly and time-consuming public inquiry looking predominantly backwards is not the right way to go.

The Government are committed to addressing these issues, and we are developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to keep people safe online and to ensure that personal information is used appropriately. As part of that, we are also undertaking work to ensure that there are sustainable business models for high-quality media online. The media landscape is different and the threats are different, too. Issues such as fake news mean there is a need to protect the reliability and objectivity of information.

Likewise, clauses 168 and 169 are similar to the provisions contained in sections 40 and 42 of the Crime and Courts Act 2013, but apply to breaches of data protection law only. The Government do not believe that introducing a provision similar to section 40 of the 2013 Act into the Bill is appropriate, but in relation to data protection only. That is particularly so given our decision earlier this month to repeal section 40 when there is a suitable legislative vehicle. In coming to that decision, we considered all the available evidence, including the views of respondents to the public consultation that we undertook last year. Many respondents cited concerns about the chilling effect that section 40 would have on the freedom of the press, which was so ably summed up by my hon. Friend the Member for Boston and Skegness.

Liam Byrne

Will the Minister tell the Committee why she supported it when it came to a vote last time?

Margot James

The right hon. Gentleman has made great play of the former Prime Minister’s statement. I remind him that that statement was given six years ago. Much has changed since. My hon. Friend the Member for North Devon tried to make the point that, although we cannot rule out that egregious conduct is still going on in the press, as I imagine there is in virtually every other sector of society, we can agree that much has changed and improved. That is why the Government have changed their direction. I hope that satisfies the right hon. Gentleman.

Gareth Snell (Stoke-on-Trent Central) (Lab/Co-op)

It is a pleasure to serve under your chairmanship, Mr Streeter.

On that point, the Minister accepts that egregious activity could be taking place across the industry but does not think that the proposal is the appropriate vehicle for dealing with it. She believes that the digital charter is the appropriate vehicle, but what evidence is she using to ensure that that addresses the egregious activity?

Margot James

I want to correct one thing that the hon. Gentleman said: I did not say that that activity was taking place across the industry; I said that it was still taking place. Indeed, we have heard the horrendous allegations made by John Ford, albeit referring to behaviour that predates 2011. He alleges that it is still going on. I am not denying that it probably is still carrying on in pockets, but I would not say that it is widespread.

Press self-regulation has changed significantly in recent years with the establishment of IPSO, which follows many of the principles set out in the Leveson report. As so few publishers have joined a regulator recognised under the royal charter, commencement of section 40 would have a chilling effect on investigative journalism, which is so important to a well-functioning democracy.

Daniel Zeichner (Cambridge) (Lab)

It is a pleasure to serve under your chairmanship, Mr Streeter. We keep hearing about the chilling effect—it is well rehearsed—but could the Minister confirm that it could be entirely avoided if newspapers sign up to an appropriate regulator, which does not have to be IMPRESS? It is not a difficult thing to do.

Margot James

Currently, IMPRESS is the only regulator recognised under the royal charter. I cannot speak for the press. There was a heated debate when the legislation went through Parliament. The press decided as one not to join what they perceived as a state-backed regulator. IPSO now does the job, albeit the Financial Times and The Guardian alone among the broadsheets have not joined IPSO.

The media landscape has changed. As I noted earlier, high-quality journalism is under threat from the rise of clickbait and fake news, from difficulties in generating revenue online to replace the revenue that used to flow from printed sources, and from the dramatic, continued rise of largely unregulated social media. If implemented, section 40 could impose further financial burdens on publishers, particularly at local level—200 local papers have closed in the last decade.

On top of that, the amendments made in the other place undermine our Scotland and Northern Ireland devolution settlements—that point was ably made by the hon. Member for Argyll and Bute. The proposed new clauses seek to legislate on a UK-wide basis despite press regulation being a reserved matter for the devolved Administrations, which brings me to amendments 137, 138 and 139 in the name of the hon. Gentleman.

The Government are sympathetic to the hon. Gentleman’s arguments for reasons I have set out. We will nevertheless push instead for the removal of those clauses from the Bill in their entirety. Similarly, while we agree with the sentiment of amendment 137, which seeks to require the Government to obtain the Scottish Government’s consent before establishing an inquiry under clause 142, we note that there is already a consultation requirement to that effect in the Inquiries Act 2005. Such an amendment is therefore unnecessary.

To conclude, high-quality news provision is vital to our society and democracy. I know there is shared interest across the House in safeguarding its future, and the Government are passionate about and working to deliver it. We believe that the clauses would work against those aims and cut across the work we are doing to help strengthen the future of high-quality journalism, and will therefore oppose their continued inclusion in the Bill.

Brendan O'Hara

I take on board what the Government say and appreciate that they have accepted the principle of the amendment, but I still intend to push it to the vote. It is essential that the devolution settlement is protected in as broad and deep a way as possible. I understand that they would seek to remove the entire clause, but if the clause is passed and de-amended, it has serious consequences for the devolution settlement. For that reason we will be pushing it to the vote.

Question put, That the amendment be made.

--- Later in debate ---
Margot James

I beg to move amendment 51, in clause 143, page 77, line 37, after “notice”)” insert “—

(a) ”.

See the explanatory statement for Amendment 52.

The Chair

With this it will be convenient to discuss Government amendments 52, 54, 126 and 58.

Margot James

The Information Commissioner has a breadth of corrective powers at her disposal to investigate breaches of data protection legislation. One such power is the ability to issue an information notice on a data controller requesting that they provide the commissioner with specified information. Article 2 of the general data protection regulation states that certain types of processing of personal data, including purely personal or household activities, are exempt from the provisions of the GDPR. That includes the list of all those hon. Members who deserve a Christmas card this year.

Although such processing is exempt, it is important that in certain situations the Information Commissioner is able to verify that the processing actually meets this test and does not fly under the radar of GDPR requirements unduly. Government amendments 51 and 52 will ensure that the Information Commissioner is able to issue an information notice, in order to determine whether the process is genuinely being undertaken in the course of a purely personal or household activity.

Government amendment 54 is a consequential amendment. It ensures that the reference to processing of personal data in the subsection added by Government amendment 52 means any type of processing, pulling on the definitions provided in subsections (2) and (4) of clause 3, rather than those under parts 2, 3 or 4, none of which apply to processing in the course of purely personal or household activities.

Government amendments 58 and 126 make further consequential changes to clause 159 and paragraph 9 of schedule 16. The amendments ensure that certain safeguards for controllers and processors in the context of enforcement action extend to all persons, since their exact status may in fact be the source of dispute.

All in all, this is a common sense set of changes that enjoy the full support of the Information Commissioner’s Office.

Amendment 51 agreed to.

Amendments made: 52, in clause 143, page 77, line 40, at end insert “, or

(b) require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.”

This amendment and Amendments 51 and 54 enable the Information Commissioner to obtain information in order to work out whether processing is carried out in the course of purely personal or household activities. Such processing is not subject to the GDPR or the applied GDPR (see Article 2(2)(c) of the GDPR and Clause 21(3)).

Amendment 53, in clause 143, page 78, line 23, leave out

“with the day on which”

and insert “when”.

This amendment is consequential on Amendment 71.

Amendment 54, in clause 143, page 78, line 30, at end insert—

“(10) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (1)(b).”—(Margot James.)

This amendment secures that the reference to “processing” in the new paragraph (b) inserted by Amendment 52 includes all types of processing of personal data. It disapplies Clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.

Question proposed, That the clause, as amended, stand part of the Bill.

Louise Haigh (Sheffield, Heeley) (Lab)

In this of all weeks, it is particularly relevant that we debate this clause, which relates to information notices, and the powers and enforcement sanctions available to the Information Commissioner, given the horrendous breaches of our data regulation that have been exposed by Channel 4 and The Guardian.

The Secretary of State for Digital, Culture, Media and Sport told the House yesterday that the Information Commissioner was seeking further powers to compel compliance with information notices, testimony from other individuals in complex investigations, such as that into Cambridge Analytica, and criminal sanctions for breaches of information notices.

Under the current data protection legislation, breach of information notice is a criminal offence that carries a custodial sentence. The maximum sentence under this Bill is only a fine. That is a significant weakening of the data protection regime and its sanctions. Indeed, in her own evidence, the Information Commissioner said:

“The new approach in the Bill of failure to comply with an”

information notice

“no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent, as data controllers with deep pockets might be inclined to pay the fine, rather than disclose the information being requested.”

I would be grateful if the Minister could set out exactly why the Government have decided to weaken the powers given to the Information Commissioner and the sanctions available to her.

Crucially, the Information Commissioner has requested the power to compel compliance with information notices. As things stand, it is an offence not to deliver information, but the Information Commissioner does not have the power to demand compliance with information notices. She has said that that puts us out of step with our closest EU member state neighbour, Ireland, which has a much stronger data protection regime, with much tougher sanctions and, indeed, powers to compel compliance with an information notice.

That gap in the Information Commissioner’s enforcement powers has not caused significant problems up to now, because formal action has largely centred on security breaches or contraventions of the privacy and electronic communications regulations. In such cases, the commissioner rarely needs to use her information notice powers, because the evidence of a contravention is usually clear and in the public domain.

Where the Information Commissioner has used her enforcement powers against a data controller for contraventions of the data protection principles under the Data Protection Act, she has generally found data controllers to be co-operative because, under the current framework, financial penalties are reserved only for the most serious contraventions of the law. However, as investigations become more complex—and as we are seeing this week—the Commissioner will be unable to obtain the information she needs.

The Minister has said that the Government are considering potential amendments to the Bill, as laid out by the Secretary of State yesterday. It is baffling, however, that those amendments have not already been tabled, given that the Information Commissioner suggested them in her written evidence earlier in the process. The provisions represent a serious weakening of the existing regime and a failure of the Government to step up to the plate on the matter of the complex investigations conducted by the Information Commissioner.

Margot James

I do not accept that this Bill represents a reduction in the powers of the Information Commissioner, and I do not think that that is her view either. Obviously, I accept what she said in response to questioning from the Select Committee on Digital, Culture, Media and Sport. As I have already said, my right hon. Friend the Secretary of State is considering her request, and we are working on the areas where she feels there is a shortfall.

I reassure the Committee that the Bill strengthens the ICO’s overall powers. The hon. Member for Sheffield, Heeley has mentioned fines. There are fines of up to 4% of global turnover, or £17 million, both for malpractice itself and for blocking investigations and inquiries mounted by the ICO.

Liam Byrne

One way in which the Government could row in behind a frustrated Information Commissioner would be to deny Government contracts to companies that are behaving badly. I understand that Cambridge Analytica has Government contracts with both the Foreign Office and the Ministry of Defence. Are they under review?

Margot James

I cannot speak for either of those Departments. We are debating the powers of the ICO rather than contractual matters between private companies and Government Departments. I accept that that is a moot point, but it is not the purpose of this Bill Committee to go into those details.

To return to the points raised by the hon. Member for Sheffield, Heeley, we are strengthening the powers of the Commissioner. We are extending her current power to serve assessment notices on data controllers in public sector bodies to all data controllers across the private sector as well. Those assessment notices will require them to provide evidence of their compliance with the law, and there is now the power to enforce assessment notices by obtaining a warrant to exercise search and seizure powers on behalf of the ICO. The Bill also creates a criminal offence for obstructing a warrant, which is subject to both fines and a criminal record. We are strengthening in those areas and also increasing fines substantially.

Liam Byrne

I understand that the Minister cannot answer the detailed question about Government contracts with, for example, Cambridge Analytica, but does she think, philosophically, that a Government would and should reconsider contracts with companies that are not complying with a reasonable request made by the Information Commissioner?

Margot James

The right hon. Gentleman makes an entirely reasonable point. As I said earlier, I cannot go into it in a debate on this particular Bill, other than to say that he makes a reasonable point.

Clause 143 provides the commissioner with the power to issue an information notice. This is a type of notice that requires a controller or processor to provide the commissioner with specified information within a certain time period.

Question put and agreed to.

Clause 143, as amended, accordingly ordered to stand part of the Bill.

Clause 144 ordered to stand part of the Bill.

Clause 145

False statements made in response to an information notice

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The operation of clause 145 is a matter of great public concern this week, because of the revelations that an app that sat on Facebook collected data for a particular purpose, but they were then re-used by Cambridge Analytica for an entirely different purpose, to bend the outcome of particular elections and, quite possibly, referendums too. Facebook had made a statement that the matter had been resolved a couple of years ago and that the relevant data in question had been deleted. The story has developed over the past 24 hours and former Facebook employees are now alleging that it was not simply 50 million records that were collected for one purpose and re-used for another; there may have been hundreds of millions of records collected for one purpose and used for another.

How will clause 145 bite on a company such as Facebook that may be responding to an information notice issued by the Information Commissioner? The company may have told the Information Commissioner that it was all fine, the data was all deleted and everyone was perfectly satisfied, but a couple of years later it transpires that that is not the case. What would then happen to a company such as Facebook? Is the Minister satisfied that the proposed sanctions and penalties are strong enough? It is not clear to me, given what we now know, that these sanctions are strong enough at all.

Margot James

We are debating a suite of powers as part of the overall powers with which the Bill reinforces the Information Commissioner’s Office. It is not just about clause 145. If a company discloses information unlawfully, there is also a separate offence in clause 170. We are not relying on one clause alone.

--- Later in debate ---
Louise Haigh

Earlier, we debated the requirement for law enforcement agencies to conduct data protection impact assessments ahead of developing or using any new filing system, and we debated several examples of what those filing systems or methods of data collection could be, including automated facial recognition software, automatic number plate recognition and the use of algorithms to determine decisions made in the criminal justice system.

In relation to the clause, the Information Commissioner has requested that she be given the power to impose corrective measures where necessary, when a data protection impact assessment has revealed that the processing of that personal data is of high risk to individuals and where there are no measures to mitigate that risk in relation to law enforcement processing, as she has for other processing. She maintains that a different approach to law enforcement is not justified and might lead to adverse consequences in an important area affecting individuals. That is important because it gives weight to the important aspects raised earlier that require law enforcement agencies to conduct that DPIA. There is little point asking organisations and data controllers to conduct impact assessments and then, even when they are falling short dramatically, to let them carry on conducting assessments and collecting data in that way.

In evidence, the Information Commissioner has said that part 3 of the Bill

“requires these types of assessment to be undertaken”

and provides

“for requirements to consult the Commissioner where such a high risk is present but measures cannot be put in place to mitigate these. They also provide requirements for the Commissioner to use her corrective powers in relation to GDPR but the way the Bill is drafted these corrective powers will not be available in relation to concerns arising from a DPIA involving law enforcement processing. Nor are there any powers available to ensure that the Information Commissioner can take action if a DPIA for law enforcement processing is not carried out when required.”

Not only are there no enforcement powers if the DPIA is conducted and falls short, but the Information Commissioner is not provided with any powers under this legislation to compel a DPIA to take place. Given, as we discussed earlier, the serious threats not just to data rights, but to prevention with respect to an individual’s rights to liberty and freedom, it is very serious indeed if law enforcement agencies will be able to carry out impact assessments without any adherence to the provisions in the Bill.

The Information Commissioner says:

“Having the ability to issue corrective measures based upon the DPIA or indeed requiring a DPIA to be undertaken when it should have been, is an important measure which is missing in relation to law enforcement processing”.

The commissioner has raised her concerns with the Government and suggested drafting solutions. Will the Minister clarify why those were not introduced in Committee?

Margot James

The clause gives the commissioner the power to issue an enforcement notice, which requires a person to take steps or refrain from taking steps specified in the notice. For example, the commissioner can use an enforcement notice to compel a data controller to give effect to a data subject if they have otherwise failed to do so. Section 40 of the Data Protection Act 1998 made similar provision. In respect of the hon. Lady’s questions concerning the law enforcement aspects of the clause and the need for impact assessments, and the powers that the ICO might need to ensure that those impact assessments are done and are appropriate, I will have to write to her on the details of those latter points.

Question put and agreed to.

Clause 148 accordingly ordered to stand part of the Bill.

Clause 149

Enforcement notices: supplementary

Amendment made: 56, in clause 149, page 83, line 36, leave out “with the day on which” and insert “when”.—(Margot James.)

This amendment is consequential on Amendment 71.

Clause 149, as amended, ordered to stand part of the Bill.

Clause 150

Enforcement notices: rectification and erasure of personal data etc

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The clause bites on the question of individuals’ rights to the erasure of personal data and rectification. I want to give the Minister an opportunity to update the Committee on her conversations with media, culture and other organisations about how she is going to balance the implementation of clause 150 with the ambitions of those organisations to protect archives—not just archives of very large sets of artefacts, such as the Natural History Museum, but those that are run by News UK or Trinity Mirror or the BBC.

The risk that is obviously posed by those organisations is that they often rely on very good, detailed and often quite old archives of news information. The scenario that was put to us last night by lawyers representing a number of those organisations that wanted to give us their views about clauses 168 and 169 was that successful journalism—whether The Daily Telegraph or the Swindon Advertiser—will often rely on excellent archives.

If rich individuals are seeking to create a different truth and a different history, and to exercise their rights under the clause, a risk will be created for those media organisations. I am more worried about the media organisations’ rights than I am about the Natural History Museum and the BBC, because I think the Minister’s Department will do a good job of working out where to put that grey line round what should be protected and what is up for grabs. The example put to us last night was of rich individuals seeking to create a different kind of history—a different kind of past—to bend deliberately the future of reporting by eradicating a record that might be true. The risk that was put to us is that, very often, newspaper legal directors—the poor things often have to advise on this decision—will sometimes conclude that the game is just not worth it and therefore give in to the rich individual to avoid damaging and expensive legal action and delete the records from their archives.

This is a difficult area, where balances have to be struck, but it is a form of litigation that will doubtless continue into the future. We might have just decided to deny access to ordinary people to correct media malpractice, but rich individuals will continue to bring their cases. Will the Minister tell us how the balance will play out in practice? How do we protect the rights of news organisations to run good archives for the benefit of public interest journalism in the future?

Margot James

The clause makes additional provision for enforcement notices where the subject matter of the notice relates to the controller or processor’s failure to comply with the data protection principle of ensuring accuracy. The clause may also apply where a controller or processor has failed to comply with the data subject’s rights on rectification, erasure or restriction of processing under articles 16 to 18 of the general data protection regulation.

We touched on the issue of archives in one of the Committee sittings last week. I explained to the Committee that there is protection for archives under the GDPR, whether they be those of news organisations or of academic sources. We are aware of the concerns expressed by organisations representing archives, and I agree with the right hon. Gentleman that quality journalism often depends on the use of such archives. However, I assure him that my Department will defend the rights of journalists and the press as tenaciously as we would defend the rights of archivists in the great museums of our country against the distortions that he gave as examples of people perhaps wanting to use the right to be forgotten in an excessive manner and in a bid to rewrite history. We are aware of such individuals, and we are comfortable that the GDPR prevents those abuses.

Question put and agreed to.

Clause 150 accordingly ordered to stand part of the Bill.

Clauses 151 and 152 ordered to stand part of the Bill.

Clause 153

Powers of entry and inspection

Question proposed, That the clause stand part of the Bill.

Liam Byrne

Again, on this point, we would benefit from some clarification from the Minister. The story that broke this morning was that the Information Commissioner had, in effect, to go to court to get her warrant to investigate what Cambridge Analytica was up to. There was some speculation as to why Facebook was able to exercise some contractual rights and turn up at the offices of Cambridge Analytica to conduct an inspection. The reports are that, as the situation played out, the Information Commissioner had to tell Facebook legal officers to stand down and to stop what they were doing. As it happened, Facebook wisely decided to follow the Information Commissioner’s orders.

A matter of great concern is that the Information Commissioner has to go through what sounds like a laborious process to get the warrant needed to conduct an investigation that is obviously in the public interest. When we secure, for example, emergency injunctions to stop the publication of material that people do not want published, or when magistrates issue search warrants, most of us with experience of this at a local level would observe that such warrants are often issued in a much faster and less high-profile way than the process the Information Commissioner appears to have to go through.

In effect, Cambridge Analytica has had 48 hours’ notice of the Information Commissioner’s concerns—[Interruption.] I am sorry, but I do not know whether the Minister wants to intervene on that—

--- Later in debate ---
Margot James

I remind the right hon. Gentleman that, in this case, the Information Commissioner is acting under the existing powers in the Data Protection Act 1998, but she is pursuing warrants where she has to get them to continue her investigation. She has issued 12 information notices—I might have said this earlier—pertaining to Cambridge Analytica, and she plans to issue another six this week. One of those notices has been challenged, but she is now issuing a demand for access and she is getting where she needs to get. She was very surprised to read that Facebook had decided to plough into the offices of Cambridge Analytica when it was itself under investigation. She must have thought that an extraordinary course of action, but as soon as she intervened, Facebook desisted and removed itself from the offices of Cambridge Analytica to enable her to undertake her inquiries.

That is of course all happening under the existing legislation. The Bill will provide new powers, including the ability to serve assessment notices, backed up by warrants if they are not complied with.

Question put and agreed to.

Clause 153 accordingly ordered to stand part of the Bill.

Schedule 15 agreed to.

Clause 154

Penalty notices

Margot James

I beg to move amendment 179, in clause 154, page 85, line 39, leave out from the beginning to “when” and insert “Subject to subsection (3A),”.

This amendment and amendment 180 provide that the requirement in clause 154(2) and (3) for the Commissioner to have regard to listed matters when deciding whether to give a penalty notice, and determining the amount of a penalty, applies not only in the case of failures described in clause 148(2), (3) or (4) but also in the case of failures to comply with an information notice, an assessment notice or an enforcement notice.

The Chair

With this it will be convenient to discuss Government amendments 57 and 180.

Margot James

As part of the Information Commissioner’s suite of corrective powers, she can issue penalty notices to data controllers requiring them to pay a fine. Fines can be issued where a controller has failed to comply with a previous notice or where significant breaches of data protection legislation have taken place. Members will be aware from our debate this afternoon that the maximum such penalty will increase from £0.5 million to £17 million, or 4% of global turnover, for the most serious breaches.

When imposing a penalty for breaches of the GDPR, the commissioner must follow the procedures set out in article 83 of the GDPR, which include acting on a case-by-case basis; ensuring that the fine is effective, proportionate and dissuasive; and taking into account various factors. Because law enforcement and intelligence services processing falls outside the scope of the GDPR, the clause makes parallel provision in respect of breaches of those parts of the Bill, including by listing matters that the commissioner must take into account when deciding whether to issue a fine for that type of processing and when determining the magnitude of that fine.

Government amendments 179 and 180 make it clear that, when considering a person’s failure to comply with notices—an information notice, for example—the commissioner is to have regard to the matters listed in article 83(2) of the GDPR and, in relation to law enforcement processing and intelligence processing, to clause 154(3) and (4) of the Bill. Clause 154 prescribes such requirements only for decisions regarding the issuing of a monetary penalty notice in relation to certain failings. The commissioner has powers to prepare guidance on how she uses her enforcement powers, so she could decide, as a matter of policy, to have regard to those matters in relation to other failings. However, the Government’s view is that there should be a requirement for her to do so in the Bill.

Government amendment 57 makes an addition to clause 154(3)(c) to ensure that the Information Commissioner takes into account any actions the controller has taken to mitigate not only damages, but distress suffered by the data subject. The amendment will bring the clause into line with other similar clauses in the Bill, where the Information Commissioner must take into account damage or distress caused. They include clause 149 regarding enforcement notices, where the Information Commissioner must take into account the magnitude of the damage or distress caused by the controller. I am sure right hon. and hon. Members will agree that providing consistency across the Bill is important; the amendment is a step to ensure that that is provided.

Amendment 179 agreed to.

Amendments made: 57, in clause 154, page 86, line 10, at end insert “or distress”.

This amendment is for consistency with Clause 149(2). It requires the Commissioner, when deciding whether to give a penalty notice to a person in respect of a failure to which the GDPR does not apply and when determining the amount of the penalty, to have regard to any action taken by the controller or processor to mitigate the distress suffered by data subjects as a result of the failure.

Amendment 180, in clause 154, page 86, line 28, at end insert—

“(3A) Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 148(5).” —(Margot James.)

See the explanatory statement for amendment 179.

Question proposed, That the clause, as amended, stand part of the Bill.

Louise Haigh

I am sorry to labour the point; it is pertinent to the clause but also relates to the debate that we just had on information notices. The Minister has failed to set out why the Government have removed the custodial sentence as an enforcement power of the Information Commissioner when data controllers or processors breach information notices. The Minister said earlier that she does not accept that it is the Information Commissioner’s view that that weakens the existing data protection regime, but the commissioner explicitly set that out in her written evidence to the Committee:

“The new approach in the Bill of failure to comply with an IN no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent”.

We very much welcome the increased penalty as a sanction by the Information Commissioner, but the Minister has so far failed to set out why she has removed that custodial sentence, which, as the Information Commissioner has laid out, is a serious deterrent. That could weaken her abilities to investigate complex situations and, as I mentioned earlier, it is in direct contrast to the Irish Government’s approach, which carries a fine but also a custodial sentence of up to five years’ imprisonment if the data controller fails to comply with an information notice.

In written evidence, again, the Information Commissioner suggests that the Government’s approach pales in comparison to that taken by Ireland. Will the Minister take this opportunity to explain why she has so significantly weakened the Information Commissioner’s important powers?

Margot James

The clause replicates section 55(a) of the 1998 Act, which gives the commissioner a power to serve a monetary penalty, requiring the data controller to pay the commissioner an amount determined by the commissioner. The maximum penalty is specified in clause 156. Before the commissioner can issue a penalty notice, she must be satisfied that a person has failed to comply with certain provisions of the GDPR or the Bill, or has failed to comply with an information notice, assessment notice or enforcement notice.

Clearly, it is up to the commissioner to decide whether a penalty notice is appropriate. She has stated:

“It’s about putting the…citizen first. We can’t lose sight of that…It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us.”

Daniel Zeichner

For reasons that are entirely understandable, my constituents in Cambridge take a particularly close interest in some of the things that have been happening with Cambridge Analytica this week. They will be astonished that the Minister does not seem to be answering the question raised by my hon. Friend the Member for Sheffield, Heeley. Financial penalties, yes, but criminal proceedings surely should be uppermost when we have seen these dreadful things that have been going on.

Margot James

I was coming on to answer the hon. Member for Sheffield, Heeley, but as the hon. Member for Cambridge has raised her question again, I will jump to it. We are not removing all criminal powers under this new legislation. Under paragraph 2 of schedule 15, the commissioner may enforce assessment notices. That power includes the new offence of obstructing a warrant, which is a criminal offence, so criminal offences do remain. As I said, we are looking at the commissioner’s desire for stronger powers in certain areas, but under the current law there is a criminal sanction only for non-compliance with a notice, and that offence is not used. A civil penalty is a better way forward and is provided as the appropriate sanction by the GDPR itself.

Louise Haigh

The Minister has just confirmed that under the existing arrangements a custodial sentence is the maximum penalty if an individual fails to comply with an information notice. She has not given a coherent reason why she is removing that through the Bill. Is she really arguing that criminal sanctions are less of a deterrent than civil? That is a direct contradiction of the Information Commissioner’s evidence.

Margot James

I have just been advised that the existing law is non-custodial criminal sanctions. I have referred to the criminal sanctions with respect to assessment notices, and I will get back to the hon. Lady on the question of the sanctions on the information notices that she has asked about. I am told what I am told; the existing law is non-custodial.

Question put and agreed to.

Clause 154, as amended, accordingly ordered to stand part of the Bill.

Schedule 16

PENALTIES

Amendments made: 123, page 203, line 26, leave out “with the day after” and insert “when”.

This amendment is consequential on Amendment 71.

124, page 204, line 10, leave out “with the day on which” and insert “when”.

This amendment is consequential on Amendment 71.

125, page 205, line 5, leave out “with the day after the day on which” and insert “when”.

This amendment is consequential on Amendment 71.

126, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”.—(Margot James.)

This amendment is consequential on Amendment 52.

Schedule 16, as amended, agreed to.

Clause 155 ordered to stand part of the Bill.

Clause 156

Maximum amount of penalty

Question proposed, That the clause stand part of the Bill.

Liam Byrne

I think we could all do with a bit of clarity, which did not quite emerge in the last debate. My hon. Friend the Member for Sheffield, Heeley, makes an important point: in light of this week’s news, there is real concern that the maximum possible sentences should be on the books to punish people who try to get in the way of investigations by the Information Commissioner. Can the Minister say whether the Information Commissioner is currently able to prosecute people for getting in her way, and whether they could go to jail? That would be clarification No. 1. Clarification No. 2 would be whether, under the Bill the Minister is asking us to agree, that custodial sentence would still remain.

Margot James

I understand that under the current law there are no custodial sentencing provisions, so therefore I cannot argue that they will remain. That does not seem logical at all. The existing DPA offences are for fines only, according to section 60 of the Data Protection Act 1998.

Question put and agreed to.

Clause 156 accordingly ordered to stand part of the Bill.

Clause 157

Fixed penalties for non-compliance with charges regulations

Question proposed, That the clause stand part of the Bill.

Liam Byrne

Given the clarity that the Minister has now furnished for the Committee, and given the scale of wrongdoing that is alleged about Cambridge Analytica and potentially Facebook this week, the question on clause 157 is whether she is satisfied that financial penalties are going to do the job in the years to come. Otherwise, is this a clause on which we need to reflect on Report if not now so that if custodial sentences are not currently available, we might consider introducing them for people who appear determined to move heaven and earth to get in the way and obstruct an Information Commissioner inquiry? Could we perhaps come back to that on Report, rather than simply rely on sanctions such as fixed penalty notices?

Margot James

I have mentioned before to the right hon. Gentleman that there are criminal offences set out in the Bill, such as an offence of obstructing a warrant, which would enable the ICO to go in and exercise search and seizure powers. Although obstruction carries potential fines and a criminal record, I do not believe that it carries the threat of a custodial sentence, which is no change from the current situation.

As I have said before, and as my right hon. Friend the Secretary of State said yesterday, we are reviewing the enforcement powers of the ICO, and we are working with the commissioner to ensure that we get the whole suite absolutely right. I cannot say any more than I already have on that point.

Question put and agreed to.

Clause 157 accordingly ordered to stand part of the Bill.

Clause 158 ordered to stand part of the Bill.

Clause 159

Guidance about regulatory action

Amendment made: 58, in clause 159, page 89, line 37, leave out from “a” to end of line 38 and insert

“person to make oral representations about the Commissioner’s intention to give the person a penalty notice;”—(Margot James.)

This amendment is consequential on Amendment 52.

Clause 159, as amended, ordered to stand part of the Bill.

Clauses 160 to 163 ordered to stand part of the Bill.

Clause 164

Orders to progress complaints

Amendment made: 59, in clause 164, page 93, line 4, leave out “with the day on which” and insert “when”

This amendment is consequential on Amendment 71.—(Margot James.)

Clause 164, as amended, ordered to stand part of the Bill.

Clauses 165 to 167 ordered to stand part of the Bill.

Clause 168

Publishers of news-related material: damages and costs

Question put, That the clause stand part of the Bill.

--- Later in debate ---
Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

The right hon. Gentleman is correct: it is essential that we do not create an offence in the clause that will snare whistleblowers. I am sure the Committee shares that goal. Indeed, if we created such an offence, whistleblowers would no longer be whistleblowers—a qualifying disclosure would no longer be a qualifying disclosure if it were an offence under different legislation, including the Bill.

We will listen carefully to what the Minister says, but, to come at it from a slightly different angle, as I understand it, the Employment Rights Act currently requires a “reasonable belief” by the worker making the whistleblowing disclosure that it is in the public interest to disclose that information. That seems a slightly easier test than the one contained in a defence in subsection (2) of the clause, which requires not a “reasonable belief”—those words do not appear—but proof that disclosure was justified in the public interest. There is also a contrast with subsection (3), where a reasonable belief test is applied to a defence but only in circumstances of publication of either journalistic, artistic or literary material.

It is not clear to me why there is a reasonable belief test in subsection (3) but not in subsection (2). I am interested to hear what the Minister has to say about that distinction.

Margot James

The amendments concern offences relating to personal data provided for by part 6 of the Bill. Hon. Members will be aware that the offence of unlawful obtaining of personal data has been carried over and updated from the 1998 Act to include the unlawful retention of personal data without the controller’s consent. By contrast, the offence of re-identification of de-identified personal data is new to data protection legislation, underlining our intention to bring data protection laws up to date with the digital age.

Amendment 157 would add an additional defence to clause 170 where the conduct is in the process of a disclosure by an employee raising public interest concerns about wrongdoing or malpractice to the extent that such disclosures would be protected by the Employment Rights Act 1996 and equivalent legislation for Northern Ireland. Amendment 158 adds the same defence to clause 171.

I share the sentiment of the amendments, but believe they are unnecessary. Clauses 170 and 171 provide defences in cases where the processing is necessary for the prevention or detection of crime or can be justified as being in the public interest. We believe that the crime prevention defence would cover a disclosure by an employee who suspected that an offence had been committed, and that the flexible public interest defence would encapsulate the other non-criminal activities envisaged by the amendments. In particular, as set out in section 43B of the Employment Rights Act 1996 and article 67B of the Employment Rights (Northern Ireland) Order 1996, a disclosure is protected in the first place only if the disclosing worker reasonably believes the disclosure to be in the public interest.

Stuart C. McDonald

This is a narrow question that I raised in my speech. There is a “reasonable belief” test in the 1996 Act. It is easier for someone to prove that they had a reasonable belief that a disclosure was in the public interest than to prove that it was in the public interest. That slight difference in wording may be significant. There are in fact two different tests in the clause, so I wonder whether the Minister might look at that again.

Margot James

I referred to the public interest defence as a flexible defence that would encapsulate non-criminal activities. I do not know whether that satisfies the hon. Gentleman, but a flexible public interest defence is indeed required.

For those reasons, I reassure hon. Members that a further defence providing for whistleblowing is unnecessary. It is telling that there is no such defence in section 55 of the 1998 Act, and we are not aware of any problems with its operation. Hon. Members mentioned section 58 of the Digital Economy Act 2017. That is a difficult comparison. Unlike clauses 170 and 171, section 58 does not contain a straightforward public interest defence, so, unlike the offences in the Bill, there may be no alternative protection for such disclosures. I hope I have given hon. Members sufficient reassurance that they feel confident withdrawing their amendments.

Liam Byrne

I am grateful to the Minister for that reply. She says that she wants to try to update the legislation. I understand what she is trying to do and why she does not accept that there is a complete parallel with the Digital Economy Act. None the less, the new definition will need to be tested in court, new guidance will need to be issued and new ambiguity will therefore be created, which brings with it the risk that important whistleblowers will be dissuaded from bringing forward information that is in our interest and letting it see the light of day.

I hope the Minister reflects on that further. She seeks to create an extension in law to ensure that there is a public interest definition in the round—I can see the enlargement that she is trying to make—but I hope she reflects before Report stage on the challenge that new definitions will have to be tested in court, which will create ambiguity and risk. I do not think she wants to create that risk, but the strategy she sets out does not completely delete it and it remains a concern. I will happily withdraw the amendment, but I ask the Minister to reflect on that point before Report.

Margot James

I am happy to reflect on what the right hon. Gentleman proposes. The last thing we want is to have any chilling effect on would-be whistleblowers.

Liam Byrne

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 170 ordered to stand part of the Bill.

Clause 171

Re-identification of de-identified personal data

Question proposed, That the clause stand part of the Bill.

The Chair

I hope the Minister understood all that.

Margot James

I am sure you did, Mr Streeter.

Clause 171 creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller who de-identified the data. It is a response to concerns about the security of de-identified data held in online files. For example, recommendations in the review of data security, consent and opt-outs by the National Data Guardian for Health and Care call for the Government to introduce stronger sanctions to protect de-identified patient data, to which I think the hon. Member for Bristol North West was referring.

Subsection (3) provides the defendant with a defence if he or she can prove that re-identification was necessary for the purposes of preventing crime or complying with a legal obligation, or that it was justified in the public interest. Subsection (4) provides further defences where the defendant can prove they reasonably believed that they had or would have had the consent of the data subjects to whom the information relates or of the data controller responsible for de-identifying the information, or that they acted for the special purposes, with a view to publication, and the re-identification was reasonably believed to be justified in the public interest, or if the effectiveness testing conditions in clause 172 were met.

I have perhaps strayed rather far into the matter of defences in answering the hon. Gentleman, and may not have entirely satisfied him as to his question. If he is agreeable I will write to him, and get from my officials the latest as to the oversight of the important questions he raises.

Louise Haigh

My hon. Friend the Member for Bristol North West has raised important questions about social media providers. Before I entered this place, I worked in the insurance industry. Will the Minister confirm whether insurers would be covered by the clause if they re-identified individuals from datasets to inform the pricing of risk? That is potentially serious when considering the implications of loyalty card, bank or shopping information for health insurance.

Margot James

I will have to write to the hon. Lady on that. I do not think it would provide cover for insurance companies in those circumstances, but I would like to double-check before I give a definitive answer to her question.

Question put and agreed to.

Clause 171 accordingly ordered to stand part of the Bill.

Clauses 172 to 176 ordered to stand part of the Bill.



Clause 177

Jurisdiction

Darren Jones (Bristol North West) (Lab)

I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—

“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.

For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.

I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.

Liam Byrne

I would like to say a word in support of this important amendment. We had a rich and unsatisfactory debate on the incorporation of article 8 of the European charter of fundamental rights into British law. We think that that would have helped the Government considerably in ensuring that there is no divergence between the European data protection regime and our own. If the Government are successful, they will operate on different constitutional bases, and there is therefore a real risk of divergence over the years to come. I think that everyone on the Committee is now pretty well versed in the damage that that would do to British exports, many of which are digitally enabled. This is a really helpful amendment. It tries to tighten the lockstep that we have to maintain with European data protection regimes, which will be good for exports, services and the British economy, and the Government should accept it.

Margot James

When we leave the European Union, the direct jurisdiction of the Court of Justice of the European Union in the UK will come to an end. Clause 6 of the European Union (Withdrawal) Bill gives effect to that and takes a clear and logical approach to how our domestic courts should approach the case law of the CJEU as a result. In short, where a judgment precedes our exit, it is binding on courts below the Supreme Court. Where a judgment post-dates our exit, our courts may have regard to it if they consider it appropriate, but EU law and the decisions of the ECJ will continue to affect us. The ECJ determines whether agreements that the EU has struck are legal under the EU’s own law. If, as part of our future partnership, Parliament passes an identical law to an EU law, it may make sense for our courts to look at the appropriate ECJ judgments so that we interpret those laws consistently, but our Parliament would ultimately remain sovereign.

--- Later in debate ---
Ian Murray (Edinburgh South) (Lab)

The Prime Minister said in her Mansion House speech earlier this month that as a country we may have to stay under the jurisdiction of the ECJ for the purposes of organisations such as Euratom and other EU-wide organisations that the UK may wish to remain part of. Is the Minister saying that that is a possibility with regard to data protection laws in this legislation?

Margot James

The future of our membership of the European Data Protection Board will be subject to negotiations. I cannot prejudge how those negotiations will develop and finalise in respect of our membership of that important body.

Ian Murray

Am I right in saying that the Minister is not ruling it out as part of the legislation?

Margot James

I would not rule it out, but the negotiations are between two parties, so however much we may wish to maintain our membership of the European data protection board, that might not be something that the EU will grant us. As I say, it is a matter for negotiation and I am sure things will become clearer over the next 12 months. To take an approach now that would require our courts to follow future case law of the CJEU, even if only in some areas, would place limitations on the discretion and independence of our courts.

Liam Byrne

The Minister is trying to protect a discretion that sounds like the defence of a right to depart from EU case law to such an extent that we might jeopardise an adequacy agreement. Surely the point of this amendment is to keep us in lockstep, to de-risk that adequacy agreement for the years to come. That surely must be an object of her Government’s policy.

Margot James

The Government are absolutely committed to getting an adequacy agreement. The Prime Minister has said she wishes to go beyond adequacy in the negotiations. I would like to reassure the right hon. Gentleman that the very opposite is the case. Our courts can have regard to, and that is good enough. There is no reason for this to be different in the area of data protection from what it might be in any other area.

The provision has been discussed at length and agreed to by the House. Hon. Members will be aware that the other place is now scrutinising the EU (Withdrawal) Bill and has focused on this very matter. There is broad agreement that we need to consider how best to ensure that the Bill achieves the policy aim with sufficient clarity. We want to reach agreement on a proposition that commands the greatest possible support. We should, however, be wary of seeking to provide for something that alters the underlying policy in a way that binds or steers our courts towards a particular outcome, for example, by saying that they must have regard in only certain areas of law.

Liam Byrne

I do not quite follow the Minister’s argument. On the one hand, she says that it is the object of Government policy to secure an adequacy agreement and presumably keep that adequacy agreement, if not, indeed, go beyond it. She is now seeking to defend a flexibility that would allow some kind of departure from European norms. I cannot understand how she can quite want her cake and eat it.

Margot James

Courts will be allowed to follow the jurisprudence of the ECJ in this area of data protection. Nothing I am saying is prompting a departure from that position. We see the amendment as going further than we would like to go. By contrast, the Government’s proposed approach to CJEU oversight respects the referendum result and is clear, consistent and achievable.

Darren Jones

The Minister gave a full answer, largely in agreement with the points I made.

Margot James

Not much; not with those.

Darren Jones

I agree. I would therefore invite the Government to reconsider their position and support the amendment, because it reflects what is in the EU (Withdrawal) Bill, it talks about having regard to ECJ jurisprudence in future and, as the Minister pointed out, Government policy and the Government’s intention are that we are going to end up in that position anyway. By putting that in the Bill, we would put it into law and give a very clear signal to our colleagues in the European Union that that is our intention and we will stand by it.

The Minister’s arguments do not seem to stack up. If I were saying in the amendment that we must apply ECJ case law directly and that the UK courts had no power to disregard EU jurisprudence I would probably agree, but that is not what it seeks to do. I am not convinced it goes beyond the Government’s policy position nor what is said in the EU (Withdrawal) Bill. I merely seek to help the Government by making this simple amendment to the Bill. With your permission, Mr Streeter, I will push it to a vote.

Question put, That the amendment be made.

Data Protection Bill [Lords] (Third sitting)

Margot James Excerpts
Thursday 15th March 2018

Public Bill Committees

Liam Byrne

It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.

That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.

Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.

Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.

However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.

Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.

We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.

Daniel Zeichner (Cambridge) (Lab)

It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?

Margot James

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

Darren Jones

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

--- Later in debate ---
Margot James

I beg to move amendment 115, in schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—

“(b) in paragraph 2, for ‘Member States’ substitute ‘The Secretary of State’;

(c) after that paragraph insert—

‘3 The power under paragraph 2 may only be exercised by making regulations under section (Duty to review provision for representation of data subjects) of the 2018 Act.’”

This amendment is consequential on NC2.

The Chair

With this it will be convenient to discuss the following:

Government amendments 63 to 68.

Amendment 154, in clause 183, page 106, line 24, at end insert—

“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—

(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),

(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),

(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).

(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—

(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,

(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,

(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,

(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and

(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.

(4C) Subsections (4A) and (4B)—

(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,

(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and

(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Amendment 155, in clause 205, page 120, line 38, at end insert—

“(ca) section 183 (4A) to (4C);”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Government amendments 73 and 74.

Government new clause 1—Representation of data subjects with their authority: collective proceedings.

Government new clause 2—Duty to review provision for representation of data subjects.

Margot James

These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.

New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).

New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.

Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.

Liam Byrne

I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.

We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.

The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.

What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.

To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.

Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.

--- Later in debate ---
The Chair

Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.

Margot James

I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.

Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.

Liam Byrne

Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?

Margot James

The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—

Liam Byrne

It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?

Margot James

If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.

Liam Byrne

There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.

Margot James

As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.

There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.

Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.

Brendan O'Hara

Does the Minister not accept, as I said earlier, that individuals are often the last people to know that their data has been breached and their rights have been infringed? For collective rights in hugely complicated areas, there must be a presumption that those rights are protected, and the Bill does not do that. I do not believe it reflects the principle that individuals are often the last people to know, and that they are the ones who need protecting.

Margot James

The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.

The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.

Liam Byrne

I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.

If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.

The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.

Data Protection Bill [Lords] (Morning sitting)

Margot James Excerpts
Thursday 15th March 2018

Public Bill Committees

Liam Byrne

It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.

That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.

Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.

Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.

However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.

Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.

We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.

Daniel Zeichner (Cambridge) (Lab)

It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?

Margot James

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

Darren Jones

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

--- Later in debate ---
Margot James

I beg to move amendment 115, in schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—

“(b) in paragraph 2, for ‘Member States’ substitute ‘The Secretary of State’;

(c) after that paragraph insert—

‘3 The power under paragraph 2 may only be exercised by making regulations under section (Duty to review provision for representation of data subjects) of the 2018 Act.’”

This amendment is consequential on NC2.

The Chair

With this it will be convenient to discuss the following:

Government amendments 63 to 68.

Amendment 154, in clause 183, page 106, line 24, at end insert—

“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—

(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),

(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),

(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).

(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—

(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,

(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,

(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,

(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and

(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.

(4C) Subsections (4A) and (4B)—

(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,

(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and

(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Amendment 155, in clause 205, page 120, line 38, at end insert—

“(ca) section 183 (4A) to (4C);”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Government amendments 73 and 74.

Government new clause 1—Representation of data subjects with their authority: collective proceedings.

Government new clause 2—Duty to review provision for representation of data subjects.

Margot James

These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.

New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).

New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.

Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.

Liam Byrne

I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.

We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.

The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.

What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.

To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.

Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.

--- Later in debate ---
The Chair

Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.

Margot James

I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.

Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.

Liam Byrne

Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?

Margot James

The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—

Liam Byrne

It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?

Margot James

If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.

Liam Byrne

There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.

Margot James

As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.

There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.

Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.

Brendan O'Hara

Does the Minister not accept, as I said earlier, that individuals are often the last people to know that their data has been breached and their rights have been infringed? For collective rights in hugely complicated areas, there must be a presumption that those rights are protected, and the Bill does not do that. I do not believe it reflects the principle that individuals are often the last people to know, and that they are the ones who need protecting.

Margot James

The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.

The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.

Liam Byrne

I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.

If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.

The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.