The Data Protection Bill (the “Bill”) applies new EU data protection laws (the General Data Protection Regulation, or “GDPR”) to processes in the UK which EU law has no jurisdiction over, introduces the Law Enforcement Directive for policing and law enforcement powers, and sets out the data protection and privacy rules for the processing of personal data by the secret services (MI5, MI6 and GCHQ). It also provides a legislative “parking space” so that, if the UK leaves the EU, GDPR is copied and pasted into UK law (via the EU Withdrawal Bill) to maintain the same level of laws between the UK and the EU post-Brexit. This is important, because the EU needs to agree that UK laws are adequate in order to allow the continued flow of data between the UK and EU after Brexit.
The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This line-by-line review of the Bill kicked off today. Here’s my report of day one.
The most contentious issue of the day was the Government’s power to excuse itself of having to comply with the General Data Protection Regulation (“GDPR”) for the purposes of effective “immigration control”.
The small problem for the Government is that such an exemption doesn’t exist in the GDPR, and – according to the Joint Committee on Human Rights – is a new power for the Home Office compared to the law today (found primarily in the Data Protection Act 1998).
The Home Office Minister – Victoria Atkin MP – did a grand job of trying to sell what is an unnecessary and poorly drafted clause. But there was no hiding from the fact that this exemption has no clear basis in law (or at least not a clear basis which the Minister could point to). In trying to deal with our concerns on the Opposition side, Ms Atkin reassured us that the exemption would only be used for a short period of time (i.e., a citizen’s data protection and privacy rights would only be “paused”). But in failing to answer my question, the Minister was unable to point to any clause in the Bill which restricted its use for a time limited period. If that is the case, it should be set out on the face of the Bill.
It was also made clear that this new exemption would apply to a wide range of citizens – non-EU citizens and EU citizens, but also British citizens connected to migrants. My wife, for example, is Australian and so I assume that I could lose my data protection and privacy rights should the Government wish to use my personal data to check on the effective immigration control of my wife! If that were to happen I would lose pretty much every single right made available to me by the GDPR.
The fact of the matter is that the clause isn’t needed (there are other clauses which allow for exemptions for the management of criminal offences), it’s too broad and – in my view – the Government has no legal basis to introduce it if it wishes to comply with EU law now, and into the future. We will no doubt return to this issue at Report stage.
The other contentious issue of the day was that of fundamental rights: namely rights included within the European Charter of Fundamental Rights (“the Charter”), which the Government seeks to repeal by way of the EU Withdrawal Bill.
GDPR is built on the fundamental rights to privacy and the protection of personal data included in the Charter. And so the Opposition tabled amendments to include, specifically, Article 8 of the Charter on the face of the Bill. This would seek – in our view – to maintain the level of legal protections enjoyed by citizens today and would assist the Government in securing a decision of adequacy with the EU (which would allow us to continue to share data between the UK and the EU after Brexit day). Following debate in the House of Lords, our amendment was further refined to make it clear that the fundamental right was subject to any legal exemptions and derogations in the Bill and the GDPR, and that the Information Commissioner would have the power to enforce that fundamental right.
However, the Government disagreed with this assessment and even though the Department for Exiting the EU confirmed that no other directly comparable right exists in UK law today, it voted down our amendment anyway. What I fail to understand is – but for any example whatsoever of an issue with Article 8 of the Charter today – why the Government feels so strongly about excluding it for the future.
The Bill provides a legislative parking space in which to copy and paste GDPR (which is directly applicable to the UK for as long as we are members of the EU), so that after Brexit day we continue to apply it in the UK. But by seeking to build a replica GDPR without Charter fundamental rights, we are in essence seeking to build a replica house with no foundations. I hope this risk being taken by the Government doesn’t result in our attempts to seek an adequacy decision sinking as soon as we’ve done the building work.
Lastly, two final points.
Children and the Age of Consent
Firstly, a short debate took place about the age of consent for the purposes of legal processing of personal data. The EU took the view that children aged under 16 require parental consent, but allowed Member States to make that age as young as 13. In the UK today, the age applied is 12, but the Government has used its right to shift it up one year to 13. That means that children from 13 years of age can consent to handing over their personal data without parental consent.
Whilst I appreciate that some companies are investing time and money into building more children friendly privacy policies and consent mechanisms, I do worry about the fact that our children’s data can be processed (for example, for the purposes of targeted advertising online) without parental consent. 13 seems to me to be too young as a matter of public policy, and so I was pleased that the Digital Minister Margot James MP agreed with me that the Government ought to keep an open mind about regulation in this space in the future. Namely, that when the technology exists to verify the age of children (which exists today for adults but is less easy for children), that we consider voluntary and – if required – legislative means to check the age of users online and to apply suitable protections for them.
Secondly, an amendment was included today which made it clear that data controllers can process personal data without consent if it is for the purposes of “democratic engagement”. This is a clarification in the Bill that the UK Government considers “democratic engagement” to be an example of “public interest” and the exercise of “official duties” by office holders. This would mean that politicians are able to use information on the electoral register, for example, without first seeking the consent of their constituents. Without this right, it would be very hard for parties and politicians to send voters information at election time, for example.
However, I raised a concern with the Minister that people or organisations other than political parties or elected politicians could rely on “democratic engagement” as a “public interest” matter in processing citizens’ data without their consent. I, for example, would not want Leave.EU to start using my personal data without my consent merely because they think they are supporting democratic engagement.
The Minister failed to give me a suitable answer to this, and I will return to it at Report Stage.
These, in my view, were the main contentious issues of the day. The Government passed many sensible amendments to tidy up the Bill, and introduced useful amendments on issues such as the safe guarding of children and the processing of personal data to track ethnic diversity on company boards. We also started the debate on the regulation of algorithms, but we will return to this in more detail in later days.
So that’s Day One down. Four more to go. On Thursday, I will be the first to rise to beg that my amendment be moved, ensuring the UK Government recognises its obligations in adhering to EU law via the European Data Protection Board in the future. Until then!
Darren Jones is the Labour MP for Bristol North West, a member of the EU Scrutiny Select Committee and Science and Technology Select Committee and is currently serving on the Public Bill Committee for the Data Protection Bill. He tweets at @darrenpjones.