The House of Lords Library, which provides research and information services to Members of the House of Lords, has published a briefing on the Data Protection Bill (“Bill”) which sets out an overview of and reactions to the Bill (“Briefing”). The Briefing was prepared in advance of the Bill’s second reading in the House of Lords, which took place 10 October.
Some of the key points to note from the Briefing are as follows:
The Bill in the context of Brexit
The Briefing highlights the recommendations of the House of Lords European Union Committee that the government should:
- Pursue and maintain regulatory equivalence with the EU for data protection to ensure unhindered data flows between the UK and EU post-Brexit
- Seek an adequacy decision from the European Commission
The Committee noted that “stakes are high” because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage. It could also hinder police and security cooperation.
This is particularly relevant considering the estimate cited in the Department for Exiting the European Union’s government position paper that 75 percent of the UK’s cross-border data flows are with EU countries.
Concerns about the Bill
The Briefing also highlights concerns about certain provisions of the Bill, specifically regarding the following:
- Clause 15, which would permit alteration of the application of the GDPR by regulations subject to the affirmative resolution procedure, including the amendment or repeal of any of the derogations in the Bill. One particular concern is that this would represent a “massive shift of control over the legal bases for processing personal data from Parliament to the executive”.
- The right of data subjects to request access to their personal data free of charge, particularly in relation to resourcing implications for organisations that currently receive a low number of subject access requests (which may be the result of the cost barrier in place, currently a maximum of £10).
- Journalists, academics, researchers and employers have raised concerns that some of the rights introduced or reinforced by the Bill could be used to “suppress freedom of expression, the ability to carry out research, or the right to run background checks on prospective employees”. It should be noted, however, that the government has indicated that such groups would be shielded by provisions in the Bill.
Reactions to the Bill
The Briefing summarises the political and stakeholder reactions to the Bill, as well as reactions from other industry and privacy groups.
In general, the Bill appears to be welcomed, with the UK Information Commissioner commenting that the Bill would “put in place one of the final pieces of much needed data protection reform”, and the Confederation of British Industry (CBI) noting this as a “crucial milestone in modernising the UK’s data protection framework”. The CBI further highlights that businesses in all sectors will want the Bill to progress through Parliament smoothly to ensure there is enough time to prepare for the new legislation.
The Open Rights Group also welcomes the Bill, but has criticised the government for failing to enact all of the options outlined in the GDPR – in particular, the option which would give consumer privacy groups, like the Open Rights Group, the ability to lodge independent data-protection complaints against companies that fail to protect consumers’ data protection rights.
House of Lords second reading
The Bill received its second reading in the House of Lords on 10 October 2017. This is the first opportunity for members to debate the key principles and flag up any specific areas where they think amendments are needed. The following issues were discussed, and we may expect further debates on these points at the next stage, as well as corresponding amendments to the Bill:
- Brexit – there are concerns around the fact that the EU may amend or update its rules without the UK’s input after it has left the EU. Members called for transitional arrangements with the EU, as they consider it unlikely that an adequacy decision will be in place by March 2019. It was also pointed out that the Bill may contain measures that make it impossible for the UK to achieve adequacy status.
- Age of child’s consent – concerns were expressed that the age limit of 13 was too low, and the need for minimum requirements for companies’ age-verification systems.
- Funding the ICO – there was consensus that the ICO must continue to be adequately funded and staffed.
- Use of health data and clinical trials – another issue that was raised was extending the Bill’s terminology to take into account safeguards beyond consent.
The Bill will now move to the Committee stage, which will allow for detailed line-by-line analysis and amendments to be proposed. There is still some time before the Bill will be finalised, which is not helpful for organisations seeking clarity over how the UK will legislate to align itself with the GDPR. However, both the Briefing and the initial discussions within the House of Lords highlight the need to consider the Bill in the context of Brexit to ensure that cross-border data flows can continue unhindered after the UK leaves the EU.