Only a few days to go: We’re raising £25,000 to keep TheyWorkForYou running and make sure people across the UK can hold their elected representatives to account.

Donate to our crowdfunder

Data Protection Bill [HL] - Committee (4th Day)

Part of the debate – in the House of Lords at 4:30 pm on 15th November 2017.

Alert me about debates like this

Photo of Lord Stevenson of Balmacara Lord Stevenson of Balmacara Opposition Whip (Lords) 4:30 pm, 15th November 2017

I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.

On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.

Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.

On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.