The Data Protection Bill currently before Parliament substantially resurrects the
controversial clause 152 of the Coroners and Justice Bill 2009. Careful
scrutiny of this provision is needed and it must not be lost in the legislative
morass as the UK grapples with data protection reform.

On 13 September 2017, the Data Protection Bill received its First Reading in the
House of Lords. This initiates the process of exercising areas of Member State
discretion in the implementation of the General Data Protection Directive 2016/679 (GDPR), which
comes into force in May 2018. The Bill also implements the Law Enforcement
Directive 2016/680, and makes provision for data processing by the security
services, as well as data processing that falls outside the scope of the GDPR
in other areas. Moreover, it prepares the ground for maintaining equivalence
with the EU after Brexit, to ensure the free flow of information is not
disrupted.

Data protection in the UK will become subject to an immensely complicated
legislative framework, even by current standards. The UK remains a party to the
1981 Council of Europe Convention for the Protection of Individuals with regard
to Automatic Processing of Personal Data. The majority of data processing will
be subject to the GDPR. The GDPR must be read with the Data Protection Bill,
which contains provisions to adapt the GDPR in the UK and to extend its
material scope. The implementation and interpretation of Part 3, which
implements the Law Enforcement Directive, will continue to be informed by that
Directive. The Bill contains many powers for the Secretary of State to make
more specific or alternative provision by regulations, which will multiply in
the future. Given the complexity and speed of change in this field, this desire
for flexibility is understandable. Foreseeing the future needs of data
protection in a fast-changing landscape is difficult, to say the least.

However, there is a very significant proposal in the Data Protection Bill that risks
passing unnoticed through this legislative morass. Clause 15 would allow the
Secretary of State to pass regulations, subject to the affirmative resolution
procedure, to alter the application of the GDPR by laying down new legal bases
for the performance of tasks in the public interest or in the exercise of
official authority. This is a wide-ranging power to create new legal bases for
sharing personal data about citizens and recalls the controversial clause 152
of the Coroners and Justice Bill 2009. It should not be allowed to pass without
careful scrutiny. There are real questions about the desirability of reducing
Parliamentary scrutiny of new legal powers to share individual data.

Clause 15(1)(a) provides that ‘the power in Article 6(3) [GDPR] for Member States law
to lay down a legal basis containing specific provisions to adapt the
application of rules of the GDPR where processing is necessary for compliance
with a legal obligation, for the performance of a task in the public interest
or in the exercise of official authority’ may be exercised by the Secretary of
State by regulations. The reference to Article 6(3) GDPR relates to grounds for
the lawful processing of personal data.

Unlike the Data Protection Act 1998, Article 6(1) of the GDPR is now
clear that ‘public authorities in the performance of their tasks’ cannot rely
on the ground that processing is necessary for their legitimate interests. This
places far more emphasis on Article 6(1)(c): processing which is necessary for ‘compliance
with a legal obligation’ and for ‘the performance of a task carried out in the
public interest or in the exercise of official authority’. Article 6(3)
provides that the basis for processing under Article 6(1)(c) or (e) must be
laid down by either EU or Member State law.

Article 6(3) requires that legal basis to determine the purpose of processing and
permits ‘specific provisions to adapt the application of the rules’ of the
GDPR, including ‘general conditions governing the lawfulness of processing by
the controller; the types of data which are subject to the processing; the data
subjects concerned; the entities to, and the purposes for which, the personal
data may be disclosed; the purpose limitation; storage periods; and processing
operations and processing procedures, including measures to ensure lawful and
fair processing’. The legal basis must also ‘meet an objective of public
interest and be proportionate to the legitimate aim pursued’.

There is nothing new about the
desire to have an executive power to establish new legal powers by secondary
legislation for public bodies to process data. It was recommended by the
Cabinet Office in its 2002 Privacy and Data Sharing Report. It was also recommended by
the Thomas and Walport Data Sharing Review in 2008, which argued for ‘a new
statutory fast-track procedure… subject to the affirmative resolution procedure’
to, among other things, ‘create a new power to share information where that
power is currently absent’.

This found expression in 2009 in
the Labour Government’s Coroners and Justice Bill. Clause 152 of that Bill made
provision for a power to enable the transmission, dissemination, consultation
or use of personal data for purposes other than the purpose for which the
information was obtained through ministerial ‘information-sharing orders’. Such
information-sharing orders required the Minister’s satisfaction that such
sharing was ‘necessary to secure a relevant policy objective’, was
proportionate and struck a fair balance between the public interest and
individual interests, specifying the persons, purposes, and information enabled
to be shared. The power was immensely wide, allowing orders to confer powers,
remove or modify any prohibitions or restrictions on sharing, impose
prohibitions or restrictions on onward disclosure, impose other conditions on
sharing, provide for the exercise of discretions and modify enactments.

Clause 15 of the Data Protection Bill shares many similarities with this provision.
First, and most importantly, it enables the Minister to create new legal powers
to process personal data in the public interest, including for purposes
different from the purposes for which it was collected. It is not limited to
legal duties to share but includes discretionary powers exercised for tasks in
the public interest or under official authority in Article 6(1)(e) of the GDPR.
What clause 15 shares with clause 152 is a massive shift of control over the
legal bases for processing personal data from Parliament to the executive.
Although clause 15 makes provision for the use of the affirmative resolution
procedure, whereas clause 152 relied on consultation and the opportunity for an
Information Commissioner report on the proposed order to be laid before
Parliament, neither offers the fullness of Parliamentary scrutiny for new legal
powers to process personal data. As reuse of personal data becomes increasingly
important and controversial, this shift needs to be scrutinized thoroughly.
Secondly, we should not be misled by the absence of a power to remove or modify
prohibitions or restrictions on sharing in clause 15. Most prohibitions or
restrictions make exception for processing pursuant to statute or secondary
legislation in any case. It is the existence of the legal basis for processing
that is most important. Thirdly, Article 6(3) of the GDPR provides for the
legal basis to impose other conditions on processing, albeit that clause 152
provided for the creation of offences in relation to breach of conditions
imposed on the exercise of such powers and this is absent on the face of the
Data Protection Bill.

The attempt to introduce clause
152 faced considerable opposition and was ultimately withdrawn by the
Government during the Coroners and Justice Bill’s Committee Stage. Dominic Grieve MP, then Shadow Secretary of
State for Justice and now Chair of the Intelligence and Security Committee,
denounced the clause as a ‘seismic change in the
relationship between the State and the citizen’ with potential to enable an ‘oppressive State’. Richard
Thomas, co-author of the 2008 report and then Information Commissioner, similarly
criticised the clause for containing inadequate safeguards.

The Explanatory Notes for the Data Protection Bill give
little indication of the importance of this provision. The Data Protection Bill
will receive its Second Reading in the House of Lords on 10 October. It is a
welcome opportunity to clarify and debate the drafting of clause 15 and to
properly scrutinize a provision so similar to the controversial clause 152 of
the 2009 Coroners and Justice Bill. The pressure to create ever more executive
powers to pass secondary legislation will only increase as Brexit significantly
increases the workload of Parliament. It is therefore important that legal
powers to process personal data are effectively scrutinized both inside and
outside Parliament.

Oliver Butler is a Fellow of Wadham College Oxford and Associate
Research Fellow at the Bonavero Institute of Human Rights.
He offers his thanks to Professor Alison Young and Dr David Erdos for their helpful
comments. Any errors are his own.

This article first appeared as a blog post on the blog of
the UK Constitutional Law
Association.