The Data Protection Bill has been winding its way through the legislative process since it was first introduced to the House of Lords in September 2017. Since then it has completed its passage through the House of Lords and is now being scrutinised by MPs in the House of Commons, having received its second Reading last week. I made some initial observations on the Bill shortly after it was first published and thought that it was about time that I revisited the general subject of the Bill.
The Bill has now reached the committee stage in the House of Commons and is being considered by a Public Bills Committee, the first meetings of which took place yesterday. You can read the first sitting, which took place yesterday the morning, in Hansard, meanwhile the second sitting, which took place yesterday afternoon, can be found in Hansard here.
There was a debate yesterday morning on a proposed amendment (‘new clause 12’) which would insert a new clause into the Bill incorporating Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 of the Charter makes specific provision for the protection of personal data; the amendment was tabled by MPs from opposition parties and was resisted by the Government. The source of the government’s concern, as set out by the Minister of State yesterday, is that new clause 12 would, in the government’s view, create “a new and free-standing right”. The Minister went on to say that “[t]he new right in new clause 12 would create confusion if it had to be interpreted by a court.” This was contested by Liam Byrne MP, who moved the amendment. Mr Byrne noted that this was a refined version of an amendment that was unsuccessfully moved in the House of Lords. Mr Byrne described the suggestion that new clause 12 was creating a new and unfettered right as being “nonsense”. The amendment, while debated yesterday, was not put to a vote; decisions on whether to insert new clauses are not due to be taken until towards the end of the Committee’s consideration of the Bill. We will need to therefore wait to learn whether it is ultimately included in the Bill or not.
Some amendments were considered and agreed to yesterday, while some others were considered and not agreed to. In Clause 3 of the Bill, the definition of ‘processing’ has been amended to remove reference to ‘personal data’ and to replace it with ‘information’. This means that the definition of processing in the Data Protection Bill now reads: “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as”. This means that the definition of processing in Clause 3 of the Data Protection Bill differs from the definition within the GDPR.
The explanation proffered by the Minister in support of these amendments was that they were “designed to improve clarity and consistency of language.” The Minister argued that “the amendments ensure consistency with terminology in other legislation.” She also gave her view that the amendments have “no material impact on the use of the term “processing” in parts 2 to 7 of the Bill”.
Clause 7 of the Bill (which deals with the meaning of ‘public authority’ and ‘public body’) has also been amended so as to provide that Ministers, exercising their delegated powers to designate and undesignated (for the purposes of data protection law) public authorities and public bodies, can do so not simply by identifying specific bodies or organisations, but also by way of description. The changes effectively mean that the provisions in the Data Protection Bill work in the same way as the similar provisions do within the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.
The controversial immigration exemption in paragraph 4 of Schedule 2 to the Data protection Bill saw a great deal of debate in the afternoon’s sitting. An amendment to remove the immigration exemption entirely from the Bill was moved and a division took place. The amendment to remove the exemption from the Bill was defeated by 10 votes to 9 and therefore the exemption remains in the Bill. The split was among party lines with the Government’s MPs successfully voting down the amendment with all MPs from opposition parties voting in favour of it.
It would not be possible to discuss everything that went on during the course of the committee’s two sittings yesterday, but I have tried to pick out some of the key aspects from yesterday’s proceedings. The amendment to the definition of processing seems to me to be rather odd and quite frankly unfathomable. Personal data is a well understood term within the field of data protection and privacy law. How the courts and Commissioner will interpret “information” is something that we will need to wait and see; if the amendment does in fact make no material change, then it will have been a completely pointless amendment.
I don’t see the controversy of the immigration amendment going away anytime soon. The Government is satisfied that the exemption strikes the right balance and is one that is permissible in terms of the GDPR. Campaign groups in opposition to the amendment say that it goes too far and, in any event, is unlawful as it is not permitted by the GDPR. It will certainly be interesting to see where matters go in that regard.
The attempt to replicate Article 8 of the EU Charter is an interesting proposal; one of the Government’s red lines in relation to the EU withdrawal process is that the EU Charter will cease to apply in the United Kingdom, how the effective inclusion of one article of the Charter would go down with certain members of Parliament is something that remains to be seen. Whether its inclusion will assist with the issue of ‘adequacy’ following the United Kingdom’s withdrawal from the European Union is debatable (for what it is worth, my initial reaction is it’s unlikely that it would have any bearing at all upon the question of adequacy).
The Committee’s consideration of the Bill is due to continue tomorrow (Thursday 15th March 2018) with sittings starting at 11:30am and again at 2pm. This is a large and complex Bill and the task of undertaking a line by line scrutiny of it is no easy task, especially in a timetable that will see this line by line scrutiny come to an end on 27th March 2018.
Alistair Sloan
If you would like advice on the General Data Protection Regulation, the new Data Protection Bill or any other Information Law concern then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.