Published by The Lawfare Institute
in Cooperation With
In its 2017 manifesto, the U.K. Conservative and Unionist Party committed itself to “enshrining [the U.K.’s] global leadership in the ethical and proportionate regulation of data” with a new data protection law that codifies “the very best standards for the safe, flexible and dynamic use of data.” In the 2017 Queen’s Speech, Queen Elizabeth II reaffirmed this promise, noting that the new bill would enable the U.K. to “retain its world-class regime protecting personal data.” Both statements anticipate a revolutionary data protection bill. With promises of new rights to ensure better control of personal data, an ethical framework governing data use and an expectation that personal data will be stored in a secure way, Prime Minister Theresa May seems to envision a bill emboldened by yesterday’s privacy concerns while accommodating the needs of tomorrow’s digital innovations.
But does the new data privacy bill deliver?
On Sept. 13, Member of Parliament Thomas Ashton introduced the long-anticipated HL Bill 66, more commonly known as Data Protection Bill 2017–2019 (DPB). At 218 pages and with concomitant explanatory notes, the DPB is no succinct proposal. Yet what it lacks in brevity it makes up in breadth. The bill not only replaces its predecessor of almost twenty years, the Data Protection Act 1998, but also incorporates the General Data Protection Regulation and the Police and Criminal Justice Directive into U.K. law. Recently, parliament amended HL Bill 66 and replaced it with the newest version of the DPB, HL Bill 74. The core differences between the two versions of the bill are insubstantial; the new bill contains, among other small changes, slightly more detail on judicial enforcement mechanisms and a provision allowing for the creation of a framework for government data processing. Shannon Togawa Mercer and I discuss the latter of these two functions, in addition to the status of Brexit data policy negotiations, in an accompanying Lawfare post. The government has also provided a comparison of Schedules 1 to 3 of the DPB with the Data Protection Act 1998 here.
Data Protection Bill
Divided into seven parts, the DPB examines four primary areas of information processing—general, law enforcement, intelligence services, and regulation and enforcement—discussed in Parts 2–6. After Parts 1–7, the DPB also sets forth a number of different schedules, which spell out in more detail the ways the DPB’s provisions will work in practice.
This post will cover the DPB’s four primary areas of information processing, its reception, the current status of the DPB, prior to it becoming an Act of Parliament, and the options it leaves for the U.K. to share data with the EU post-Brexit.
General Data Processing
In Part 2, the DPB covers general data processing—both the types of processing of personal data to which the GDPR applies (Chapter 2) and does not apply (Chapter 3). Part 2 provides a new right to be forgotten (Section 98), a new right to data portability (Section 93), and a new right to know when one’s data has been hacked (Section 106). The right to be forgotten, or the right to erasure contained within Article 17 of the GDPR, means that individuals have the right to request the deletion of personal data when there is no compelling reason for its continued processing. The U.K. has been considering the policy implications of the right to be forgotten for some years now, as discussed in the House of Lords European Union Committee’s 2014 report here, the government’s response here, and the European Commission’s (EC) response here. Similarly contained within Article 20 of the GDPR, the right to data portability means that individuals have the right to obtain and reuse their personal data in the ways that they choose across different services. More information on how data portability will work as implemented by the GDPR can be found in EC FAQ. Finally, the right to know when one’s data has been hacked, contained within Article 33 of the GDPR, means that individuals have the right to be informed about a personal data breach—a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data—where that breach is likely to result in a high risk to the rights and freedoms of the individual.
In addition to creating new rights in line with those created by the GDPR, the DPB also contains key derogations from the GDPR. In many instances, these derogations are intended to align the DPB with the Data Protection Act 1998. Derogations regarding general data processing include:
- Allowing the processing of sensitive and criminal conviction data in the absence of consent where justification exists (GDPR Arts. 9, 10);
- Exemptions for processing personal data for literary, journalistic or academic purposes (GDPR Art. 85);
- Setting 13 as the age for which parental consent is not needed to process data online (GDPR Art. 8);
- Exempting scientific and historical research organizations from certain obligations that would impair their functioning (GDPR Art. 89); and
- Limiting rights “where they could otherwise be abused to commit crime, disrupt legal proceedings, undermine safeguarding by public authorities, or disrupt the investigatory activity of regulators” (GDPR Arts. 14, 15).
Law Enforcement Data Processing
In Part 3, Parliament sets forth its updated laws surrounding law enforcement data processing. For the purposes of this part, “law enforcement purposes” are defined as “the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” (Section 29). With regard to law enforcement processing, the government intends to both “[p]rovide a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes” and “[a]llow the unhindered flow of data internationally whilst providing safeguards to protect personal data.” In addition, per a House of Lords debate at the bill’s second reading, the DPB “does not just implement the recent directive on law enforcement data protection; it ensures that there is a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector.”
Notably, Chapter 2 of Part 3 sets out six data protection principles that apply to personal data processed by a law enforcement agency. These principles are:
1. That the processing be lawful and fair (Section 33.1);
2. That the purposes of processing be specified, explicit, and legitimate (Section 34.1);
3. That personal data be adequate, relevant, and not excessive (Section 35);
4. That personal data be accurate and kept up to date (Section 36.1);
5. That personal data be kept for no longer than is necessary (Section 37.1); and
6. That personal data be processed in a secure manner (Section 38).
Chapter 3 details the rights of individuals over their data, and Chapter 6 subsequently illuminates the circumstances under which those rights can be restricted. The Minister of the Crown can restrict certain rights as are necessary and proportionate to protect national security (Section 77). Discussed in more detail below and relevant to data sharing between the U.K. and the U.S. is Chapter 5, which covers transfers of personal data to third countries.
Intelligence Services Data Processing
Parliament then details intelligence services data processing in Part 4. Because national security, as contrasted with law enforcement cooperation, is reserved for domestic legislation the provisions regarding the processing of personal data for national security purposes are entirely separate from the GDPR and the PCJ Directive. With regard to national security processing, the DPB is intended to “[e]nsure that the laws governing the processing of personal data by the intelligence services remain up-to-date and in-line with modernised international standards, including appropriate safeguards with which the international community can continue to tackle existing, new and emerging security threats.”
In Chapter 2, Parliament lays out the principles governing the processing of personal data by intelligence services. These principles are the same as those governing the process of personal data by law enforcement, save for the addition of requirement of transparent processing, in addition to the requirements that processing be lawful and fair (Section 84.1). In a similar manner to the other parts, Chapter 3 iterates rights of the data subject. These rights include the right to certain general information (Section 91), the right of access by the data subject (Section 92) and the right not to be subject to automated decision-making (Section 94).
Regulation and Enforcement of Data Processing
Parts 5 and 6 cover DPB regulation and enforcement, with Part 5 primarily sustaining and further detailing the role of the U.K. Information Commissioner.
Part 6 of the DPB relates to enforcement. Some of these provisions include the powers of entry and inspection (Section 147), guidance about regulatory action (Section 153), offenses relating to personal data (Sections 161–63), and jurisdiction (Section 167). Among the offenses relating to personal data are the deliberate or reckless obtaining, disclosing and retention of personal data without the consent of the data controller (Section 161) and the alteration of personal data to prevent disclosure following the exercise of a subject access right (Section 163).
According to a House of Lords briefing paper in advance of the second reading, the Labour Party, Liberal Democrats, the Information Commissioner, and other stakeholders have welcomed the DPB. Information Commissioner Elizabeth Denham stated, “The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform.” In a similarly positive vein, Tom Thackray, Innovation Director at the Confederation of British Industry, called the DPB “a crucial milestone in modernising the U.K.’s data protection framework.”
But not all reception has been positive. The House of Lords briefing paper highlights concerns raised by journalists, academics, researchers and employers about the way the DPB could be used to “suppress freedom of expression, the ability to carry out research, or the right to run background checks on prospective employees.” Though the Open Rights Group welcomes the DPB, it also criticizes the way that the government “has failed to enact all of the options outlined in the GDPR.” Specifically, the Open Rights Group highlights the government’s failure to implement a GDPR provision which “gives privacy groups like Open Rights Group the ability to lodge independent data protection complaints.” Additionally, a number of individuals have raised concerns about Section 15, which provides the secretary of state with the power to “make regulations altering the application of the GDPR under Articles 6(3), 23(1), 85(2) and 89, including amending or repealing any of the derogations contained in the Bill.” Much of the public concern is encapsulated by Oxford Legal Fellow Oliver Butler’s warning that Section 15 should not be passed “without careful scrutiny,” as it allows a “wide-ranging power to create new legal bases for sharing personal data about citizens.”
In response to the third concern cited above, Members of Parliament Thomas Ashton and Susan Williams issued this “will write letter” on Nov. 24. In the letter, Ashton and Williams clarify how “[t]he scope of the powers in clause 15 is ... limited by the scope of the derogations themselves.” Emphasizing Section 15’s relation to the derogations permitted in GDPR Articles 6(3), 23(1), 85(2) and 89, Ashton and Williams note that Section 15 “no more permits the Secretary of State to amend, repeal or revoke the GDPR” than the aforementioned amendments do themselves.
The government has also responded more generally to higher level concern with Section 15—a concern about delegated powers—in the Sept. 14 Delegated Powers Memorandum and the Nov. 14 Supplementary Delegated Powers Memorandum. These memoranda address the parts of the DPB that confer powers to make delegated legislation, explain why those powers have been conferred, and justify the selected procedure for exercise of those powers. Regarding Section 15, the Delegated Powers Memorandum elucidates how flexibility in the selection and execution of derogations from the GDPR is necessary in order to reflect current public policy, both now and post-Brexit. Armed with the flexibility derived from Section 15, the U.K. will be able to “make full use of the permissible derogations, including by adapting ... or extending these derogations in the light of changing public policy requirements.”
Current Status of the DPB
On Nov. 22, after its sixth and final sitting in the committee stage of the House of Lords, HL Bill 74 supplanted HL Bill 66 as the DPB. This new version of the bill includes amendments as proposed, and subsequently voted upon, by the whole House of Lords in committee. These amendments augment provisions ranging from a framework for data processing by the government (Sections 175–78) and standards of behavior in sport (Schedule 1.24) to minor and consequential amendments to other bills to reflect the rules in the DPB (Schedule 19). These changes do not impact the fundamental structure nor character of the DPB. A redlined version of the bill, showing the changes made in Committee, is available here.
With the committee stage having concluded last Wednesday, the DPB is now in the report stage of the House of Lords. There is an additional opportunity for amendments in the report stage, after which the bill will be reprinted to include all the agreed amendments. The final stage in the House of Lords is the third reading, which is the final chance for the House of Lords to amend the DPB.
After the DPB has concluded its time in the House of Lords, it will move to the House of Commons, where the five stages—first reading, second reading, committee stage, report stage and third reading—will occur in substantially the same way. There will then be a final consideration of amendments wherein both Houses reach agreement on the exact wording of the bill, sometimes resulting in a bill “ping pong.” Finally, after an agreement on wording has been reached by both Houses, the DPB will be presented for royal assent. There, the Queen formally agrees to make the bill into an Act of Parliament.
With the House of Lords report stage scheduled for Dec. 11 and 13, the DPB still has a long way to go. Stakeholders will likely continue to closely monitor the DPB’s trajectory, especially in light of the substantial effect it could have on EU-U.K. data sharing post-Brexit.
U.K. - EU data regulation options
Despite the fact that the cooperation in data regimes between the U.K. and EU is fundamental to sustaining functional data flow post-Brexit, the future of data relations between the U.K. and the EU is still uncertain. While the U.K. has stated that it “will seek to maintain the stability of data transfer between EU Member States and the U.K.,” the House of Lords European Union Committee has been “struck by the lack of detail” affiliated with such assurances. So, what are the possible mechanisms by which the U.K. and the EU could continue to share data freely post-Brexit?
The U.K. has several options regarding EU data sharing post-Brexit. These options include: receiving an “adequacy decision” from the EC certifying that the U.K. provides an “essentially equivalent” standard of protection to EU standards; allowing individual data controllers and processors to adopt their own adequate protections for personal data to be transferred out of the EU, utilizing, for example, Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR); and a bespoke agreement between the U.K. and the EU, possibly “buil[t] on the existing adequacy model.” Kenneth Propp discusses some of the U.K.’s options in his Lawfare post. Apart from an adequacy decision, the GDPR allows for these alternative transfer authorizations, including a bespoke agreement or SCCs and BCRs (GDPR Article 45.3, as referenced in Article 46).
The first option is for the U.K. to obtain an adequacy decision, meaning that personal data can flow from EU member states and the European Economic Area member countries to the U.K. without any further safeguards. In order for the U.K. to receive an adequacy decision under Article 25.6 of the DPD, the EC must employ the “comitology procedure” to analyze U.K. domestic policies. The procedure considers the following factors: “the rule of law ... legal protections for human rights and fundamental freedoms; access to transferred data by public authorities; existence and effective functioning of [Data Protection Authorities]; and international commitments and other obligations in relation to the protection of personal data.”
The House of Lords European Union Committee, the House of Lords Library, and the information commissioner have all suggested that the U.K. government seek an adequacy decision. However, there is reason to think that it might be difficult for the U.K. to obtain an adequacy decision in light of its current surveillance practices, especially those under the Investigatory Powers Act.
An additional factor cutting against an adequacy decision is the fact that once it has received one, the EU might amend or update its rules, thus creating uncertainty around the U.K.’s ability to retain an adequacy judgment. As the information commissioner has stated, “If the Government decide [sic] to proceed and obtain an adequacy finding for the U.K. as a third country, that will limit how much manoeuvre we have. We will have to keep our laws up to an equivalent standard, which will be assessed every three or four years. There will be some constraints around that.” Member of Parliament Ed Davey has also highlighted this issue: “The reality is that adopting EU standards after Brexit will be crucial to allow U.K. digital firms to carry on handling data and trading easily across Europe.”
Under the second option, individual data controllers and processors would adopt their own safeguards for the transfer of data. This option, however, would not resolve the law enforcement cooperation aspect of personal data protection. Nevertheless, it is important to understand the mechanisms: Binding Corporate Rules (BCRs) are “internal rules (such as a code of conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.” BCRs make it possible for countries to comply with the principles set out in Articles 25 and 26 of the Data Protection Directive for all data flows within the group which are covered by the BCR’s scope. Standard Contractual Clauses (SCCs) can operate in a similar way to BCRs with regard to the processing of data under the DPD. The European Council and the European Parliament have given the EC the power to decide, on the basis of Article 26.4 of the 1995 DPD, that certain SCCs provide “adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”
The House of Lords European Union Committee has pushed back against the idea of using SCCs and BCRs to transfer data, noting that it views these arrangements as “less effective than an adequacy decision.”
Under the third option, the U.K. would develop a novel, bespoke data sharing agreement with the EU. On Oct. 12 during the Leaving the EU: Data Protection debate, Minister for Digital Matt Hancock, expressed government intent to develop “something akin” to an adequacy agreement. When asked specifically what he meant by “something akin” to an adequacy agreement from the EU, Hancock stated that the U.K.’s “future relationship will be bespoke,” as the U.K. is “looking at an enhanced mechanism that is not just the normal adequacy deal that other third countries have,” but one that “goes further and ensures ... a stronger technical relationship between our regulator, the Information Commissioner, and the European regulators.” Similarly, in the U.K. government’s Oct. 26 response to the committee’s report, the government states that it is “looking at an enhanced mechanism that builds on what the existing model of adequacy provides for third countries.” While it is largely unclear what this third bespoke option might entail, the U.K. does appear to have some belief in the availability of a third option that constitutes something similar to an adequacy decision.