The Data Protection Bill is currently being debated in the House of Lords. With the Second Reading Debate and Committee Stage having been concluded in October and November 2017 respectively, the Bill's provisions are being further discussed during the Report Stage.
Throughout the legislative process, discussions have been focussing on fundamental rights to data protection, data subjects' rights and protection of children's data and the age of consent, amongst other issues. Some of the key issues that have been at the heart of the debate so far are set out below.
Fundamental right to the protection of personal data
An issue raised at Committee Stage relates to the need to ensure that the fundamental right to the protection of personal data (enshrined in Article 8 of the EU Charter of Fundamental Rights) is guaranteed through including explicit references to that effect in the Bill. The government has accepted the need to include a form of wording in the Bill providing a sufficient level of assurance concerning the protection of personal data.
Protection of children's data
The Bill provides that the age of consent of children using information society services should be 13 years. The Information Commissioner's Office (ICO) appears to favour this approach, provided that organisations have robust safeguards about how they manage data protection and privacy in respect of children's data (see the ICO's Annex and Annex II to its previously published Data Protection Bill briefing).
During the debate, the government has introduced an amendment requiring the ICO to produce a statutory code of practice on age-appropriate website design. This would set standards required of websites and app designers on privacy for children under the age of 16. In its Annex II, the ICO welcomed this amendment but highlighted the importance of having clarity on the contents of the code through guidance from the Secretary of State.
In its Annexes, the ICO stated that it has started a consultation process to receive feedback on draft ICO guidance relating to children's personal data and the GDPR. The ICO is expected to publish its consultation by the end of this year.
Rights of data subjects
Part 3 of the Data Protection Bill (which relates to data processing for law enforcement purposes) would enable a data controller to charge a reasonable fee for a subject access request or refuse to act on a subject request where such as request is "manifestly unfounded or excessive". Concern has been expressed that data controllers might use this provision as a basis for avoiding their transparency obligations. Lord Ashton of Hyde and Baroness Williams responded to this issue by stating that the burden of proof would be on data controllers to show that a data subject access request is "manifestly unfounded or excessive" and that the ICO would scrutinise such claim submitted by data controllers.
Re-identification of de-identified personal data
The Data Protection Bill introduces a criminal offence for the re-identification of de-identified personal data without the consent of the data controller. Some House of Lords members considered that this could allow organisations to relax the methods they use to anonymise data on the basis that people will not attempt to re-identify individuals because it is a criminal offence.
The Data Protection Bill is currently at Report Stage in the House of Lords before it moves to the House of Commons. The House of Lords Report Stage gives all members of the House of Lords a further opportunity to examine the Bill and make changes to it. A date has not yet been set for the Bill's first reading in the House of Commons.