Data Protection Bill returns to the Lords

The Data Protection Bill returned to the House of Lords on Monday 21 May for consideration of Commons amendments in 'ping pong'.

Members discussed subjects including data protection breaches by national news publishers, reviewing processing of personal data for the purposes of journalism and the effectiveness of the media’s dispute resolution procedures.

As both Houses have agreed on the text of the bill it now awaits Royal Assent when the bill will become an Act of Parliament (law).

Royal Assent is scheduled for Wednesday 23 May.

Consideration of Commons amendment: Monday 14 May

Members discussed subjects including a code of practice for journalists, falsifying information and guidance on complaints against media organisations.

There was one division (vote) on a proposed change to the bill.

The vote concerned a Commons amendment to the bill to leave out a clause regarding inquiries into alleged data protection breaches committed by or on behalf of news publishers and media organisations.

Members of the Lords considered the insertion of new clause which would require the government to launch an inquiry into data protection breaches, but would alleviate concerns raised by the Commons by requiring the Secretary of State for Digital, Culture, Media and Sport to:

consult Scottish Ministers and members of the Northern Ireland Assembly in regard to legal context
consult representatives of press and media organisations prior to any investigation taking place

The new clause would also define the terms of the inquiry to include:

the extent of improper conduct by press and media organisations
the role of politicians and other public servants in failing to investigate any wrongdoing
the provisions around media coverage and public naming of individuals subject to police inquiries
the circulation of information – including false news – by social media companies
the resources, powers and approach of the Information Commissioner and other relevant authorities

The clause would also require that the Secretary of State undertaking any inquiry must:

have regard to current context of the media, news and publishing industry
set appropriate parameters in determining which allegations should be considered
define the meaning and scope of references to ‘national news publishers’ and ‘other media organisations’
design limitations to exclude local and regional publishers from the inquiry
consult a judge or any other relevant person on whom they intend to chair the inquiry

Lastly, the clause would permit any inquiry to take account of evidence given to previous investigations, particularly in regard to events in Northern Ireland.

252 members voted in favour of the new clause and 213 voted against, and so the change was made.

Lords third reading: Wednesday 17 January

Members discussed a range of subjects including penalty notices, criminal liability and how the bill applies to Parliament.

Lords report stage day three: Wednesday 10 January

Members discussed a wide range of subjects, including national security certificates, data protection in schools and support for small organisations.

There were also three divisions (votes) on proposed changes (amendments) to the bill.

Members considered a change to increase the responsibilities of the Information Commissioner to include:

maintaining a register of publicly controlled personal data of national significance
preparing a code of practice with practical guidance in relation to nationally significant data

The change would also empower the Commissioner to decide if personal data is of national significance, if:

the data furthers collective economic, social or environmental well-being, or has the potential to do so in the future
a financial benefit may be derived from processing the data or the development of associated software

235 members were in favour of this amendment, with 204 against, and so the change was made.

The next vote was on the insertion of a new clause to require the government to set up an inquiry within three months of the bill’s passing to investigate breaches of data protection rules by, or on behalf of, news publishers.

The inquiry’s terms of reference would include:

the extent of unlawful or improper conduct by news publishers and other organisations within the media
the extent of corporate governance and management failures within news publishers in regard to data protection
the implications for data protection in regards to freedom of speech

The change would also empower the inquiry to make recommendations on actions to be taken in the public interest.

238 members voted for this change and 209 voted against, and so the change was made.

The final vote was on the insertion of a new clause to define the rules when a relevant claim made against a defendant for data protection breaches is connected to the publication of news-related material.

The clause seeks to clarify the criteria for a court’s decision to award costs and damages in favour of the claimant, depending on whether the defendant was a member of an approved regulator at the time the claim was made.

217 members were in favour with 200 against, so this change was made.

Lords report stage day two: Wednesday 13 December

Members discussed subjects including the use of private personal data accounts, organisations responsible for anti-doping in sport and data protection breaches due to ransomware attacks. There were two divisions (votes) on proposed changes (amendments) to the bill.

Members considered a change to specify that references to an association that is responsible for eliminating doping in sport are to be read as references to UK Anti-Doping (Ukad), its successor bodies or a body designated by the secretary of state. The change would also require the secretary of state to define the responsibilities of Ukad and its relationship with other sporting bodies and associations. 229 members were in favour of this amendment, with 232 against, and so the change was not made.

The next vote was on a change to remove a paragraph in the bill which listed examples of personal data processing where the provisions of the General Data Protection Regulation (GDPR) would not apply, and further examples where an individual processing such data would be exempt from certain obligations. 92 members voted for this change and 222 voted against, and so the change was not made.

Lords report stage day one: Monday 11 December

Members discussed a range of subjects including national security certificates, children's consent in relation to information society services and data processing by patient support groups and health organisations.

There was one division (vote) on a proposed change to the bill.

Members considered the insertion of new clause into the bill entitled 'Protection of personal data'. This clause would protect individuals (data subjects) under the General Data Protection Regulation (GDPR) by:

requiring personal data to be processed lawfully under the consent of the data subject
conferring rights on the data subject to obtain information about the processing of personal data
conferring responsibility on the Information Commissioner for monitoring and enforcing provisions under the GDPR, applied GDPR and this Act

The clause would also require the Commissioner to be particularly aware of the importance of appropriate levels of personal data protection, taking account of the interests of data subjects, controllers and others.

172 members voted in favour of the new clause and 139 voted against, and so the change was made.

Lords committee stage day six: Wednesday 22 November

Members are expected to discuss enforcement notices, compensation for the contravention of General Data Protection Regulation and the alteration of personal data.

Lords committee stage day five: Monday 20 November

Members discussed a code of practice for processing of personal data, enforcement notices and the confidentiality of information.

Lords committee stage day four: Wednesday 15 November

Members discussed regulations and the General Data Protection Regulation (GDPR) after Brexit.

Lords committee stage day three: Monday 13 November

Members discussed processing of personal data and the right to be informed about the commercial use of personal data.

Lords committee stage day two: Monday 6 November

Members discussed parental consent for use of minors' data and education for schoolchildren on their rights relating to data protection.

Lords committee stage day one: Monday 30 October

Members discussed subjects including the GDPR, the right to protection of personal data and the age of child's consent in relation to information society services.

Lords second reading: Tuesday 10 October

Members discussed the key points raised by the bill including data protection reform, the processing of personal data for security and law enforcement purposes and minimum requirements for companies' age verification systems.

Members also raised issues relating to European Union withdrawal legislation and the flow of data between the EU and the UK post-Brexit.