Ninth Report Contents

Appendix 1: Data Protection Bill [HL]: Government Response

Letter from Lord Ashton of Hyde, Parliamentary Under Secretary of State at the Department for Digital, Culture, Media and Sport, to Lord Blencathra, Chairman of the Delegated Powers and Regulatory Reform Committee

This document sets out the Government’s response to the recommendations of the Delegated Powers and Regulatory Reform Committee on the Data Protection Bill as given in their sixth report of session 2017–19 published on 24 October 2017.

Clause numbers in this document refer to the Data Protection Bill as introduced [HL Bill 66].

Clause 9(6)—Power to add, vary or omit conditions of safeguards applying to the processing of sensitive personal data and;

Clause 33(6) and 84(3)—Powers to amend Schedules 8 and 10 by adding, varying or omitting conditions for sensitive processing

Clause 9 of the Bill makes provision for the processing of “special categories” of data and criminal convictions data under the General Data Protection Regulation (GDPR); it states that the processing of such data will only be lawful if it satisfies the processing conditions and safeguards in Schedule 1. Clause 9(6) of the Bill enables the Government to make regulations amending Schedule 1 by adding, varying, or omitting the conditions or safeguards. Clause 33 makes similar provision in respect of “sensitive processing” under Part 3 of the Bill (law enforcement processing) and subsection (6) enables regulations to add, vary or omit conditions for such processing as provided for in Schedule 8. Finally, clause 84 makes parallel provision in respect of “sensitive processing” under Part 4 of the Bill (intelligence services processing) and subsection (3) enables regulations to add, vary or omit conditions for such processing as provided for in Schedule 10.

The Committee raised a general concern about the nature and scope of the Henry VIII powers in clauses 9(6), 33(6) and 84(3) and recommended their removal from the Bill. The Committee also considered the justification, put forward by the Government, of “flexibility”, to be inadequate.

The Government recognises the Committee’s concerns and has tabled amendments for Report stage to narrow the powers in these clauses. In respect of clause 9(6) the Government amendment removes the power to “omit” processing conditions and safeguards in Schedule 1. In respect of clauses 33(6) and 84(3) the Government amendments remove the power to “vary” and “omit” the conditions in Schedule 8 and Schedule 10 respectively; this difference of approach compared with clause 9 reflects the fact that Schedules 8 and 10 contain a much narrower list of conditions for sensitive processing, consequently there is not the same requirement to be able to vary the existing conditions.

The Government has reflected at length upon whether it can accept the Committee’s recommendations in their entirety but, on balance, considers it necessary to maintain the powers in clauses 9(6), 33(6) and 84(3) to add processing conditions to Schedules 1, 8 and 10 and, in clause 9(6) to vary the conditions in the Schedule 1. The Government considers this to be the case for the following reasons.

First, the Data Protection Act 1998 makes provision for the Government to “add” to the conditions in which sensitive personal data may be processed. Secondly, whilst only three of the processing conditions in Schedule 3 to the 1998 Act could be varied (those relating to employment, administration of justice, and monitoring of equal opportunities), many of the provisions now contained in the Bill are currently set out in secondary legislation (for example The Data Protection (Processing of Sensitive Personal Data) Order 2000) and can be added to, varied, or omitted through other secondary legislation.

Thirdly, experience, both under the 1998 Act (where five statutory instruments were made under the powers in paragraph 10 of Schedule 3) and during the Committee stage of this Bill has highlighted the frequency with which scenarios can arise which require new processing conditions for sensitive data. During Committee stage, amendments have been tabled to the Bill suggesting new processing conditions for activities undertaken by organisations ranging from the insurance sector to patient support groups. The Government will, where appropriate, make provision for these situations in the Bill. However, these amendments highlight the impossibility of foreseeing, at this stage, all of the possible future developments in processing that may require provision. Given the pace of evolution in the digital economy and the, as yet, untested, practical consequences of the GDPR and the Bill, accepting the Committee’s recommendations in full would leave the Government unable to make accommodation for developments in processing and the changing requirements of certain sectors. This, in turn, could render the UK at a disadvantage internationally, if, for example, we were unable to make appropriate future provision for sectors, including those such as insurance where the UK is a world leader, to reflect advances and changes in their approach to data processing.

In addition, the Government notes that in the debate at Committee stage on amendment 22 to leave out subsection (6) of clause 9 (Official Report, 6 November 2017, columns 1632–1640), Lord Stevenson of Balmacara and Lord McNally both recognised the challenge of future-proofing the legislation to take account of changing technology and Lord Stevenson further suggested that “the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation”. We have taken these points into consideration in coming to a view on the Committee’s recommendations in respect of the various powers in the Bill to amend provisions in the Schedules.

The Government has also noted that in the debate in Committee there were calls for these and other regulations made under the Bill to be subject to consultation, not just with the Information Commissioner as clause 169(2) already provides, but also with consumer organisations or others representing data subjects. Accordingly, the Government has tabled amendments to clause 169 to require the Secretary of State before making regulations under the Bill (other than those listed in subsection (2)) to consult the Commissioner and such other persons as the Secretary of State considers appropriate; this formula (which is commonly used elsewhere on the statute book) will enable the Government to identify the consultees appropriate to any given regulations. In light of this amendment, which will apply to all regulations made under the Bill (other than those listed in subsection (2)) the Government has also tabled some minor amendments to remove the equivalent requirement from clauses 133(1), 142(9), 148(6) and 152(3)) none of which are exempt from the requirements in clause 169.

Clause 11 and 51—Powers to specify maximum fees

The Committee raised concerns about the powers in clause 11(1) and 51(4) which state that the Government, by negative procedure regulations, may specify a cap on fees that data controllers may charge when dealing with “manifestly unfounded or excessive” requests from data subjects. The Committee argued that, whilst the GDPR and the Law Enforcement Directive (LED) each confer a right on controllers to charge reasonable fees for dealing with excessive requests, there is no provision for those rights to be modified.

The Government accepts that there is no express derogation in the GDPR or the LED but nonetheless considers the powers under clause 11 and 51(4) to be consistent with the GDPR and the Law Enforcement Directive respectively. Controllers will be accustomed to charging data subjects £10 per subject access request, as currently permitted under the Data Protection Act 1998, but the GDPR and LED will require them to comply with such requests, as well as other rights, free of charge from May 2018. The Government recognises a risk that a small number of controllers might too readily treat requests as “manifestly unfounded or excessive” and/or charge fees that exceed what is reasonable in such circumstances, which could impose unreasonable burdens on data subjects. This in turn could transfer burdens onto the Information Commissioner and the Courts in assessing the reasonableness of fees. The powers are intended as a backstop should evidence of excessive fee-charging come to light, to ensure that the interests of data subjects are properly protected and to minimise burdens on them, the Information Commissioner and the Courts.

Clauses 15 and 111—Power to make further exemptions in relation to the rules about the processing of personal data

Clause 15 of, and Schedules 2, 3, and 4 to, the Bill give effect to the provisions in the GDPR which permit Member States to establish exemptions from certain specified data protection principles and data subject rights. Clauses 15(1) and (2) enable the Government, by regulations made under the affirmative procedure, to add, vary, or repeal the provisions in Schedules 2 to 4. Clause 111 contains a similar power to add, vary or repeal, the list of non-national security related exemptions in Schedule 11 to the Bill. The Committee recommend the removal of these provisions, as inadequately justified and widely drawn Henry VIII powers.

The Government has carefully considered the Committee’s recommendations and has tabled amendments to clause 15 and clause 111 to remove the power to “omit” provisions in Schedules 2 to 4 and 11 respectively. The Government amendments also remove clause 15(1)(d) in its entirety and remove the power, in clause 111(2), to vary the existing provisions in Schedule 11. Again this difference of approach as between clauses 15 and 111 reflects the fact that Schedule 11 contain a much narrower list of exemptions as compared to Schedules 2 to 4, consequently there is not the same requirement to be able to vary the existing exemptions.

The Government considers it necessary to retain the power to add and vary the provisions in Schedules 2-4 and add to those in Schedule 11. Several of these provisions have been added to the Bill to address specific and new requirements arising from the new regime and therefore, have not yet been tested in operation. Others have been carried over from secondary legislation, where they can at present be added to, varied or removed. The Government considers it prudent therefore, to retain the ability to amend those in Schedules 2 to 4 if necessary. It should also be noted that in respect of the power, in clause 15, to “vary” the provisions in the Schedules, the Government considers this important to retain due to the large number of references to subordinate legislation contained in the Schedules. The power to make and amend those instruments may not include the power to make consequential amendments of primary legislation.

Clause 17—Power to make provision in respect of transfers of personal data to third countries and international organisations

The Committee recommended that the affirmative, rather than negative, procedure should apply to regulations made under clause 17(1)(a). The Government accepts this recommendation and has tabled amendments to make regulations under clause 17(1)(a) and all other regulations made under clause 17 subject to the affirmative procedure. In cases of urgency, the ‘made affirmative’ procedure will apply. In such cases the Government will be required to provide a reasoned urgency statement.

Clause 21—Power to make provision in consequence of regulations related to the GDPR

Clause 21(1) confers a power on the Government, by affirmative procedure regulations, to amend Chapter 3 of Part 2 of the Bill. The Committee raised concerns about this power and recommended the removal of the clause. The Government has carefully considered the Committee’s recommendation but maintains the view that the clause is both necessary and appropriate. This power allows the Government to make regulations, in respect of the applied GDPR, which mirror any made under section 2(2) of the European Communities Act 1972 in respect of the GDPR. As the Committee is aware, section 2(2) powers may only be used to implement EU law and as such, any regulations made under those powers in respect of the GDPR could not be extended to the applied GDPR. The purpose of clause 21 therefore is to provide for equivalent provisions to be made and so ensure that the applied GDPR does not fall ‘out of kilter’ with the GDPR through lack of a legislative mechanism. As the Committee will recognise this power is inherently limited in time; once the power to make regulations under section 2(2) of the 1972 Act ceases to exist through the provisions in the European Union (Withdrawal) Bill, the power in clause 21(1) will no longer be available to the Government.

Clause 132(1) and (6)—Power to require controllers to pay specified charges and provide information to the Commissioner

The Committee raised a concern that clause 132 of the Bill would permit the Government, by regulations, to establish a fees regime which raised funds beyond those required to cover the maintenance of the Information Commissioner’s office. The Government notes the Committee’s concerns, which were also raised during the passage of the Digital Economy Act 2017, but does not agree that the power allows the activity that the Committee suggests. If the Government wanted to extend the charges to cover additional functions, clause 132(4)(a) would need to be amended. The Committee suggest that the Government may want to cross-subsidise the cost of other activities, for example the Commissioner’s functions under the Freedom of Information Act 2000. This would not be possible without primary legislation to amend 132(4)(a).

The £35 annual fee charged to 90% of data controllers by the Information Commissioner has not risen since 2001 and the £500 fee charged to large data controllers has not risen since 2009. Throughout the negotiations on the GDPR, the Government fought hard to minimise the burdens on business, whilst protecting the privacy rights of individuals. It is not the Government’s intention to raise fees unnecessarily and in the Government’s view, the powers to do so are extremely limited. Further, in the recent consultation on fees that will apply from April 2018, the Government consulted on raising the £35 lower fee to £55. Over the 17 years since the fees were last set that would represent an annual increase of less than 3%.

The Bill also provides further safeguards. There is a requirement to consult the Information Commissioner and representatives of data controllers before bringing forward regulations to set or amend fees and a requirement for the Secretary of State to review fees every 5 years to ensure they are still relevant and proportionate.

Clause 142(8) and 148(5)—Power to confer power on the Commissioner to give an enforcement notice or a penalty notice in respect of other failures.

The Committee have raised concerns about the powers in clauses 142(8) and 148(5) which provide that the Government may, by regulations, determine the types of additional failure of compliance that will attract an enforcement or penalty notice from the Information Commissioner and also the amount of the corresponding penalties the Commissioner may impose. The Government accepts the Committee’s concern about the scope of the additional failures of compliance that may be added and the absence of any tie to the data protection legislation. The Government also accepts the Committee’s concern regarding the absence of any maximum limit on the amount of penalty that may be introduced. The Government has therefore tabled appropriate amendments to respond to the Committee’s recommendations and make explicit that any additional failures must be tied to the data protection legislation and to impose a limit on the maximum penalty that may be imposed in respect of these additional failures.

Clause 151(1)—Duty to publish a document specifying the amount of the penalty for a failure to comply with charging regulations

Clause 151 requires the Information Commissioner to publish a document setting out the penalty that may be imposed for failure to comply with regulations under clause 132 (fees). The document has to be published and laid before Parliament. The Committee raised concerns about the Information Commissioner’s ability, pursuant to this clause, to determine penalties for non-compliance and about the nature of the parliamentary oversight for which it provides.

The Government is concerned that, at this stage, it would not be practical for the penalty regime for non-compliance with clause 132 to be set out in regulations. This is for two reasons: first, the fees themselves under clause 132 have not yet been established. The Government intends to bring forward a statutory instrument in the New Year, pursuant to the provisions in the Digital Economy Act 2017. Secondly, the Government is concerned that accepting the Committee’s recommendation would also create an unhelpful delay between the fees regime coming into effect and the corresponding non-compliance penalty regime. This would render the Information Commissioner unable, for a period of months, to enforce compliance with her new fees regime to the detriment of both the new regime and the Commissioner’s resourcing.

Allowing an independent regulator to determine the scale of penalties without Parliamentary procedure is not without precedent. Section 392 of the Communications Act 2003 requires Ofcom to prepare and publish a statement containing the guidelines it proposes to follow in determining the amount of penalties imposed by Ofcom under the Act or any other enactment apart from the Competition Act 1998. There is no Parliamentary procedure for considering these guidelines. Ofcom was given further powers to set fees and charges in respect of spectrum licences, without Parliamentary procedure, in the Digital Economy Act 2017.

Clause 153 (1)—Guidance about regulatory action

Clause 153(1) places a duty on the Information Commissioner to prepare and publish guidance about the exercise of her enforcement functions. The guidance has to be laid before Parliament but is not subject to parliamentary procedure.

The Committee has set out their concerns about the absence of parliamentary oversight for this guidance in light of the Commissioner’s new enforcement powers under the GDPR and the Bill, for example, the power to impose financial penalties of up to 20 million euros and the central role the guidance will play in determining the level of those penalties.

Generally, the Government believes that guidance should not be subject to a Parliamentary procedure. However, exceptionally, in this instance the Government accepts the Committee’s recommendation that that the guidance should be subject to some form of parliamentary procedure and that the negative procedure would be appropriate. This reflects the substantial and significant public interest in understanding how the Commissioner will implement and deploy her new powers in light of the significant and ever growing number of data controllers and processors who may become subject to them. The UK has the largest internet economy in the G20 and the continuing explosive growth of the digital economy means that the number of data controllers and processors is increasing exponentially. However, this guidance will not only be relevant to large companies, but also to the full spectrum of data controllers across the UK. This includes SMEs, individuals, and organisations ranging from charities to parish councils. The Government recognises, given the volume and breadth of organisations for whom this guidance will be relevant, that, on this occasion, parliamentary scrutiny would be appropriate. However, amendments to the guidance and/or replacements to the guidance will not be subject to parliamentary procedure.

Clause 170—Power to reflect changes to the Data Protection Convention

The Committee recommended that the regulation-making power in clause 170 be limited in scope to Part 4 of the Bill (which relates the processing of data by the intelligence services) and limited in time to three years from Royal Assent. The Government wishes to ensure that the regulation-making power in this clause is applicable to those parts of the Bill which may require further provision when the Council of Europe completes the negotiations on a replacement Convention 108. As well as Part 4 of the Bill, any replacement to the current Convention 108 may also require provision to be made to Chapter 3 of Part 2 of the Bill given that both the applied GDPR and Part 4 schemes govern processing that falls outside of EU law and therefore Part 4 and aspects of Chapter 3 of Part 2 will be subject to the modernised Convention 108 standards. Subject to that caveat, the Government has tabled an amendment to limit the scope of the regulation-making power in line with the Committee’s recommendation.

The amendment will also limit the government’s ability to make provision about the functions of the Commissioner, courts and tribunals in Parts 5 to 7 of the Bill in connection with updates to Convention 108. The power will be limited to such functions relating to processing under Chapter 3 of Part 2 or Part 4 of the Bill, or for the functions of the Commissioner in relation to a revised Convention 108 (such as under Part 2 of Schedule 14 to the Bill).

Finally, the Government accepts the Committee’s recommendation that the power is time limited so that it cannot be exercised after the expiry of three years from the date of Royal Assent and has tabled a ‘sunsetting’ amendment to this end.

4 December 2017

© Parliamentary copyright 2017