Data Protection Bill [HL] - Commons Amendments

Part of the debate – in the House of Lords at 3:09 pm on 14th May 2018.

Lord Ashton of Hyde, The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport, 3:09 pm, 14th May 2018

My Lords, with the leave of the House, I beg to move that this House do agree with the Commons in their Amendments 1 to 28. I will speak also to the other amendments in this group.

It is my pleasure to be able to open Lords Consideration of Commons amendments to the Data Protection Bill this afternoon. As we discussed at length when the Bill first passed through your Lordships’ House, this is a detailed and often quite technical Bill, intended to make our data protection laws fit for the digital age. It went through a period of review and revision under your Lordships’ supervision, and it has since been refined further in the other place. It now falls on us to review, and I hope agree, those refinements. I am very grateful to my noble and learned friend Lord Keen and my noble friend Lady Williams for helping me with some of these key areas today.

In setting out the reasoning behind the Commons amendments today, I will focus my remarks on the substantive changes made rather than the technical tweaks, of which there are many. This first group of amendments addresses the Commons amendments to Parts 1 and 2. I shall start with the subject of parish councils, a cause previously championed by my noble friend Lord Marlesford, and I declare an interest in that my wife is a parish councillor.

Parish and community councils are not exempt from the new law. Nonetheless, by describing parish and community councils as “public authorities”, the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement—for example, by exploring options for parish councils to share a data protection officer.

However, since the Bill left your Lordships’ House, we have concluded that as parish and community councils process very little personal data and often have few staff and small budgets, the burden that they will face may be disproportionate in some instances. I am therefore pleased to say that Commons Amendments 8, 9, and 10 would take these councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected.

Since the introduction of this Bill, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. I remember especially the contributions from the noble Lord, Lord Kennedy, and others on this subject, and I have met him to discuss these issues. I am grateful for his time and commitment.

As I have said before, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data. Having considered the matter further since then, the Government have concluded that it would be prudent to make provision in the Bill, to provide greater clarity to those operating in this space. Helpfully, Clause 8 already provides high-level examples of processing activities which the Government consider could be undertaken on the grounds of public interest.

As a consequence of the importance that the Government attach to the matter, Commons Amendment 12 would add,

“an activity that supports or promotes democratic engagement”,

to that list. This term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of democracy. That could include activities such as communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveying and opinion gathering, and fundraising to support such activities. We will ensure that the Explanatory Notes include such examples to assist the interpretation of what this provision means in practice.

However, any processing of personal data in connection with these activities would have to be necessary for the purpose and have a legal basis. That is why we can be clear that firms like Cambridge Analytica will not be able to claim public interest irrespective of whether Amendment 12 is agreed today. The amendment does not seek to create partisan advantage for any one side or to create new exemptions from the data protection legislation; it is intended to provide greater clarity and allow legitimate political activity to continue. The amendment is also technology neutral, given that in a short time we have moved from physical post to email, text, Twitter, Facebook, WhatsApp and Snapchat, and no doubt other means that I do not know about.

Of course, the Government are always open to suggestions of what else could be done to ensure legal and operational clarity for political parties and elected representatives. We will, for example, be undertaking further work on a cross-party basis to ensure that parties’ current activities have the sufficient legal basis required to rely on the public interest condition. Shortly we will engage with political parties via the Parliamentary Parties Panel to discuss the matter further.

Other amendments in this group, Commons Amendments 13 to 15, 27, 28, 45 and 46, relate to automated decision-making under the GDPR and the Bill. It is a broad category that includes everything from personalised music playlists to quotes for home insurance, mortgages and far beyond. While many benefits are to be had from the proper use of automated decision-making, the Government are not blind to the risks that these technologies present. Noble Lords will recall that article 22 of the GDPR provides a right not to be subject to a significant decision based solely on the automated processing of data. As set out in article 22(2)(b), this right does not apply if the decision is authorised by law as long as the data subject’s rights, freedoms and legitimate interests are safeguarded. Clause 14 provides those safeguards, including a right to be told that an automated decision has been made and the right to request the controller to take a new decision that is not based solely on automated processing.

The purpose of Commons Amendments 13, 14 and 15 is to bring Clause 14 into alignment with the directly applicable time limits in article 12 of the GDPR, thereby ensuring that both data subjects and data controllers have easily understandable rights and obligations. This includes giving the data subject longer to request that the decision be reconsidered, requiring that the controller should action the request without undue delay and permitting an extension of up to two months where necessary. In other words, the time limit has been increased from 21 days to one month, as mentioned in the GDPR. Furthermore, to ensure consistency across the different regimes in this Bill, not just between the Bill and the GDPR, Commons Amendments 27, 28, 45 and 46 would extend the time limit provisions for responding to requests in the other regimes in the Bill.

Article 34 of the GDPR requires data controllers to communicate a personal data breach to a data subject if it is likely to result in a high risk to the rights and freedoms of natural persons. Since the Bill left your Lordships’ House we have had further representations about cases where a person is the subject of an ongoing investigation. This requirement could alert that person to the investigation. To avoid this, Commons Amendments 16, 17, 173 and 192 would add article 34 to the list of GDPR provisions that may be disapplied by paragraphs 2 and 24 of Schedule 2. Importantly, data controllers will still be required to notify the Information Commissioner of breaches under article 33 and could be liable to enforcement action if they fail adequately to protect personal data. On that basis, I beg to move.