Data Protection Bill [HL]

Legal background

General processing

52 The Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" became open for signature in 1981. The Convention contained a set of principles to govern data processing, including that there should be fair and lawful obtaining and processing of personal data and storage of data only for specified purposes. In addition, states should not restrict trans-border data flows to other states which signed the Convention. States could only sign up to the Convention where they had national law in place guaranteeing compliance with the standards set out in it.

53 Accordingly, Parliament passed the Data Protection Act 1984 and ratified the Convention in 1985, partly to ensure the free movement of data. The Data Protection Act 1984 contained principles which were taken almost directly from Convention 108 - including that personal data shall be obtained and processed fairly and lawfully and held only for specified purposes.

54 The Data Protection Directive (95/46/EC) ("the 1995 Directive") provides the current basis for the UK’s data protection regime. The 1995 Directive stemmed from the European Commission’s concern that a number of Member States had not introduced national law related to Convention 108 which led to concern that barriers may be erected to data flows. In addition, there was a considerable divergence in the data protection laws between Member States. The focus of the 1995 Directive was to protect the right to privacy with respect to the processing of personal data and to ensure the free flow of personal data between Member States.

55 The 1995 Directive was implemented in the UK through the 1998 Act which came into force on 1 March 2000. The 1998 Act repealed the Data Protection Act 1984. The scope of the 1998 Act is wider than the 1995 Directive, and covers all general data processing, including data processing for national security purposes, albeit with a broad exemption.

56 The 2000 Act introduced a new category of data which extended the definition of "data" in the 1998 Act to include any information held by a public authority which would not otherwise be caught by the definition. Public authorities must consider whether the release of information about identifiable individuals under a freedom of information request would breach the 1998 Act.

57 The GDPR was published in the Official Journal of the European Union 1 on 4 May 2016 and directly applies on 25 May 2018. It replaces the 1995 Directive. Regulations do not normally require implementation as they are directly applicable as a result of Article 288 of the Treaty on the Functioning of the European Union ("TFEU"). In Case 39/72 Commission v Italy [1973] ECR 101 the court held it was wrong to duplicate the provisions of EU regulations in domestic law. The Bill therefore does not reproduce the text of the GDPR but instead exercises available derogations.

Law enforcement processing

58 The legal basis of the LED is Article 16(2) of the TFEU. Article 16 (which relates to the protection of personal data) measures in the area of police co-operation and judicial co-operation in criminal matters are subject to Article 6a of the UK (and Ireland’s) opt-in Protocol No. 21 for measures in Title V of the TFEU (which covers the Area of Freedom, Security and Justice). Article 6a provides that the UK (and Ireland) are not bound by rules laid down on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States in certain circumstances. These are when carrying out activities which fall within the scope of Chapters 4 or 5 of Title V of the TFEU where the UK (and Ireland) are not bound by the rules governing the forms of judicial co-operation in criminal matters or police co-operation which require compliance with the provisions laid down on the basis of Article 16. The terms of Article 6a are reflected in recital 99 of the LED. Given this, the LED only applies to the UK in circumstances where data sharing is done under Title V measures in the area of police co-operation or judicial co-operation in criminal matters that bind the UK. For the reasons set out in paragraph 40 above, however, the provisions in Part 3 of the Bill apply to all processing – domestic and trans-national - for law enforcement purposes.

59 In accordance with the Government’s Transposition Guidance 2 , the approach taken in Part 3 of the Bill is broadly to copy-out the LED wherever possible and only to elaborate where such elaboration is necessary to reflect UK-drafting style, clarify the legal effect of a provision or to take advantage of flexibility afforded by the terms of the LED. Annex B to these Explanatory Notes contains transposition notes describing substantive departures from the text of the LED and the reasons for these.

Intelligence services processing

60 Convention 108 establishes a number of principles for states to transpose into their domestic legislation, these include the requirement to ensure that data is processed through procedures set out by law for a specific purpose, and data is stored no longer than is necessary for the intended purpose. An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows to non Parties.

61 In keeping with the Convention’s philosophy, the provisions consist of general, simple and concise principles allowing signatories a certain measure of discretion when implementing them through national legislation.

62 The main innovations in the modernised Convention 108 will include:

● proportionality (formerly implicit);

● accountability, in particular of data controllers and processors;

● renewed focus on data security;

● additional obligations to declare data breaches

● enhanced transparency of data processing;

● additional safeguards for the data subject such as the right not to be subject to a decision solely based on an automatic processing without having his or her views taken into consideration, the right to obtain information about the logic underlying the processing, and the right to object.

63 Article 9 of the modernised Convention 108 will continue to allow Parties to exempt controllers from some of these requirements for specified purposes. Of particular relevance for the intelligence services, one such purpose is the protection of national security.

64 The table at Annex C to these Explanatory Notes maps across the provisions of the draft modernised Convention 108 to the provisions of the Bill.

Parliamentary scrutiny

65 The GDPR and LED cleared scrutiny by the House of Commons European Scrutiny Committee (22nd Report of session 2015/16, HC342-xxi) and the House of Lords EU Select Committee (Progress of Scrutiny, 3rd edition session 2016/17, EUC-3) in February 2016. In addition the GDPR and LED were the subject of inquiries by the House of Commons Justice Committee (The Committee’s opinion on the European Union Data Protection framework proposals, 3rd Report of session 2012/13, HC 572) and the House of Lords EU Home Affairs Sub-Committee (Brexit: the EU data protection package, HL paper 7 3 ).