Skip to the content

Data protection reform faces rough parliamentary ride



Nearly everyone welcomes the spirit of the Data Protection Bill - but many have doubts about its form and content

Any hopes that the Data Protection Bill - drawn up to “Brexit-proof” the UK’s data protection regime - would pass through Parliament on the nod have been severely dented in its first debate.

The bill, which transposes the EU General Data Protection Regulation into UK law while filling out its detail and scope, received its second reading in the House of Lords last week.

While peers lined up to declare their backing for the legislation in principle, several gave notice of attempts at amendment, in areas ranging from the impact on medical research to whether it has the capacity to rein in the activities of giant web businesses such as Google and Amazon.

Age of consent

A focus of particular criticism was the bill’s proposal to designate 13 as the age at which a child can legally sign up to an online social media account. Opening Labour’s response to the bill, Lord Stevenson of Balmacara (Wilf Stevenson) said an age of consent of 13 “would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory”. 

The lord bishop of Chelmsford (the Reverend Stephen Cottrell), suggested the Government had been too ready to toe the web industry’s line in adopting a “de facto standard age of consent for children providing their personal information online". That standard “has been set by the very companies that profit from providing these services to children,” he said.

While 13 might be an appropriate age, that should be decided in other ways with much greater reference to the public. “I do not think this has happened,” he said. 

A more fundamental question raised by several peers was whether the new data protection regime will hinder progress in healthcare. Cross-bencher Lord Patel (the obstetrician Narendra Patel), noted that GDPR-compliant consent is not always possible in medical research.

“In some studies it is not possible to seek consent, either because a very large sample size is needed to generate a robust result, and that would be practically difficult to obtain, or because seeking consent would introduce bias,” he said, adding: “The use of personal health data without specific explicit consent is sometimes essential for research for the health of the population.” 

Cancer registries

For example, if researchers could not process medical records for research without specific explicit patient consent, they could not run cancer registries. The GDPR would also have obstructed the recruitment of 20,000 suitable people for the study on statins, which has helped transform medical practice throughout the world.

“This began with the identification of 400,000 patients with a hospital record of arterial disease and that information could not have been accessed without their permission,” Patel said.

Lady Pauline Neville-Jones built on the theme, observing that even under existing legislation, some kinds of trials have now become so difficult to conduct within the EU that companies engaging in them have decamped elsewhere - often to the US - to the intellectual and commercial impoverishment of Europe.

“That is a practical illustration of how important it is to get the balance between trying to regulate against abuse and the opportunities that you should leave open,” she said.

Neville-Jones warned that the bill would oblige universities to seek explicit consent when using data at every stage of processing.

“This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary.

“Seeking the consent of holders of the data anew may simply not be possible, especially in long term research projects. People move house or become incapable. They also die.”

She sounded a particular alarm about the potential threat to research relying on international data: “I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work.”

Security factors

Meanwhile, provisions associated with the bill’s attempt to extend the data protection regime into the realm of national security are likely to attract particular attention. 

Introducing the measure, Lord Ashton of Hyde, a junior minister in the Department of Digital, Culture, Media and Sport, said: “Data processing by the intelligence agencies requires its own bespoke data protection regime, not least because the GDPR standards were not designed for this kind of processing, and data processing for national security purposes is outside the scope of EU law.

"That is why this part of the bill will instead be aligned with the internationally recognised data protection standards found in the draft modernised Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data.”

A former justice minister, the Liberal Democrat Lord McNally, questioned whether this would be sufficient. “The elephant in the room… is how we get the balance right between protecting the freedoms and civil liberties that underpin our functioning liberal democracy while protecting that democracy from the various threats to our safety and well-being," he said.

Dystopian future

A further contribution came from Lady (Martha) Lane-Fox of Soho, who stressed that: “Giving people rights is meaningful only if they know that they have them, what they mean, how to exercise them, what infringement looks like and how to seek redress for it.”

She confessed that she found the bill “incredibly hard to read and even harder to understand”, and claimed there is a risk of sleepwalking into a dystopian future “if we do not work hard to simplify the bill and make it accessible to more people, the people to whom I feel sure the Government must want to give power in this updated legislation".

For all the concern expressed across the Palace of Westminster, that seems unlikely to happen.





Register For Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.