Commons Sense

Hansard-based summaries and metrics

<-- Back to proposed bills

Data Protection and Digital Information (No. 2) Bill - Sitting 4

16 May 2023

Proposing MP
Philip Hollobone Con
Kettering
Type
Public Bill Committee

At a Glance

Issue Summary

Philip Hollobone is discussing amendments related to automated decision-making and the rights of individuals affected by such decisions. The statement discusses new clause 12 and related amendments aimed at protecting decision subjects who are affected by automated decisions without their personal data being used. Philip Hollobone discusses an amendment related to data protection and automated decision-making under the Data Protection and Digital Information (No. 2) Bill. MP Philip Hollobone is discussing the Data Protection and Digital Information Bill, specifically addressing amendment 120 proposed by Carol Monaghan. Philip Hollobone is proposing amendments related to automated decision-making under the Data Protection Act. Stephanie Peacock discusses amendment 76 in relation to automated decision-making systems under the Data Protection and Digital Information Bill. The MP is discussing amendments related to data protection and automated decision-making under the Data Protection Act. The amendment proposes inserting digital information principles at work into new section 50D of the DPA2018, requiring the Secretary of State to consider these principles when creating regulations for automated decision-making. The statement addresses concerns about the impact of digital technology and automation on workers' rights and protections in the workplace. MP Chi Onwurah discusses the importance of protecting workers' rights in a changing technological landscape and supports an amendment to the Data Protection Bill. MP Philip Hollobone is discussing and moving an amendment related to automated decision-making in the context of data protection legislation. The statement discusses amendments related to automated decision-making and the removal of specific requirements in data protection legislation. The statement discusses the removal of Article 27 of the UK GDPR, which requires overseas controllers or processors to appoint a representative in the UK. The statement discusses the introduction of a new requirement for organisations to designate a senior responsible individual instead of appointing a data protection officer. The statement discusses amendments to clauses 15 and 16 of the Data Protection and Digital Information (No. 2) Bill, addressing record-keeping requirements under GDPR and logging requirements for law enforcement. Philip Hollobone is proposing an amendment to Clause 17 of the Data Protection and Digital Information (No. 2) Bill, which would require public authorities to publish assessments of high-risk processing. The statement discusses concerns over the Data Protection and Digital Information (No. 2) Bill's impact on data processing regulations. The statement discusses amendments to clauses related to data protection impact assessments and codes of conduct for law enforcement agencies. Philip Hollobone discusses the Data Protection and Digital Information (No. 2) Bill, specifically addressing clauses related to consequential amendments for controllers and processors and transfers of personal data. The statement discusses reforms to the UK's international personal data transfers regime under schedules 5 and 6 of the Data Protection and Digital Information Bill. The MP discusses concerns about the Data Protection and Digital Information (No. 2) Bill's schedule 5, which amends the adequacy-based framework for data protection. The statement discusses amendments to the Data Protection and Digital Information (No. 2) Bill, specifically focusing on changes to clauses related to data processing for research, archiving, and statistical purposes. The statement discusses Clause 24 of the Data Protection and Digital Information (No. 2) Bill, which introduces an exemption allowing organisations to process personal data for law enforcement purposes under national security safeguards. MP Stephanie Peacock raises concerns about clauses 24, 25, and 26 in the Data Protection and Digital Information (No. 2) Bill, which increase opportunities for competent authorities to operate with less transparency regarding personal data. MP Philip Hollobone interrupts to announce news from the Whip.

Action Requested

Hollobone proposes multiple amendments to Clause 11 and introduces new clauses that would define 'decision subjects' and grant them similar rights as data subjects under the UK GDPR, including requiring the ICO to consider their interests in codes of conduct and other obligations.

Key Facts

  • Amendments 78-101 aim to apply rights given to data subjects to decision subjects.
  • New clause 12 proposes defining 'decision subject' in Article 4 as an identifiable individual subject to automated decision-making.
  • Amendment 106 would require the ICO to have regard to decision subjects along with data subjects.
  • New clause 12 would insert a definition of 'decision subject'.
  • Amendments seek to extend rights for decision subjects at various points in the Bill.
  • The Government argues current reference to data subjects covers decision subjects.
  • Amendment 120 aims to ensure data controllers notify data subjects of decisions made via automated processing.
  • The amendment seeks to balance power between those conducting automated decisions and those affected by them.
  • Hollobone supports transparency and awareness of rights for individuals subject to automated decision-making.
  • The statement is about the Data Protection and Digital Information Bill.
  • Amendment 120 seeks to require data controllers to inform subjects whenever a significant decision about them was based solely on automated processing.
  • Carol Monaghan indicates she may bring amendment 120 back during the Report stage.
  • Amendment 75 requires the ICO to prepare a code of practice under section 124A of the Data Protection Act 2018.
  • The code must interpret references to 'meaningful human involvement' and 'similarly significant'.
  • The code must include examples of processing that do, and do not, fall within these definitions.
  • The rise of AI has happened at an unprecedented speed.
  • PwC UK suggests that UK GDP could be up to 10.3% higher by 2030 due to artificial intelligence.
  • In 2020, nearly 40% of students received grades lower than expected from an automated system.
  • The GDPR article 21 gives data subjects the right to object to processing unless there are compelling legitimate grounds for overriding their rights.
  • Amendment 76 aims to prevent the Secretary of State from arbitrarily changing definitions and safeguards.
  • Statutory guidance would be provided by the Information Commissioner on how terms apply in practice.
  • The amendments address clause 44 and article 22 provisions under UK GDPR.
  • The MP suggests that statutory guidance is necessary for defining 'meaningful human involvement' and 'similarly significant'.
  • Proposed digital information principles include worker protection, transparency, and control over personal data.
  • Amendment 122 would insert digital information principles into new section 50D of the DPA2018.
  • The amendment aims to ensure that automated decision-making regulations consider fairness, trustworthiness, protection from harmful systems, and meaningful consultation with workers.
  • Workers should have control over their data and be able to seek human review and redress when algorithmic systems impact them significantly.
  • Royal Mail uses a digital assistant service to monitor worker activity.
  • Amazon collects data from handheld scanners to assess worker performance.
  • WeClock is a free mobile app helping workers track their own data profiles.
  • Just Eat fired 11 couriers robotically after allegations of fraudulent activity, with average undeserved payments amounting to £1.44.
  • Chi Onwurah previously worked at Ofcom as head of technology.
  • The amendment proposes 'digital information principles at work' to ensure a fair, inclusive and trustworthy digital environment.
  • John Whittingdale acknowledges the need for wider regulatory frameworks beyond data protection law.
  • Amendment 17 addresses consequential amendments under Article 12(2) of the UK GDPR.
  • The amendment aims for consistency with other amendments involving new Articles 22A to 22D.
  • Philip Hollobone is discussing government amendments 18 to 23.
  • Schedule 3 sets out consequential changes related to automated decision-making.
  • Amendments 17 to 23 are minor technical updates to ensure consistency across data protection regulations.
  • Clause 12 improves terminology in the UK GDPR and Data Protection Act, replacing 'appropriate technical and organisational measures' with 'appropriate measures, including technical and organisational measures'.
  • Clause 13 removes article 27 of the UK GDPR, ending the requirement for overseas controllers or processors to appoint a representative in the UK under certain conditions.
  • Article 27 of the UK GDPR currently requires controllers and processors based outside the UK to appoint a UK-based representative unless they process only occasionally or are public authorities.
  • The Government’s impact assessment acknowledges limited data on the benefits of having an Article 27 representative due to its newness and exclusive application to non-UK entities.
  • Removing the requirement could save large organisations up to £50,000 per year but stakeholders argue this figure may be overestimated.
  • Clause 12 to 18 aim to give organisations greater flexibility regarding policies and procedures.
  • The existing prescriptive rules are seen as imposing unnecessary burdens on businesses.
  • A senior responsible individual will be designated where appropriate, overseeing data protection risks and ensuring compliance with the legislation.
  • Clauses 15 and 16 aim to simplify record-keeping requirements under GDPR.
  • Small businesses find current exemptions difficult to understand and apply.
  • Clause 16 removes the justification requirement for logging personal data consultations or disclosures by officers.
  • The change is estimated to save approximately 1.5 million policing hours.
  • Amendment 103 would insert a new requirement into Article 35(11) of UKGDPR.
  • Public authorities and government departments using public data must publish assessments of high-risk processing conducted under Article 35.
  • Assessments published must be redacted where necessary for removing sensitive details, protecting public interests, or ensuring the security of data processing operations.
  • The Bill loosens restrictions on processing personal data.
  • The amendment would require publication of high-risk assessments completed by Government Departments or public authorities.
  • DPIAs (Data Protection Impact Assessments) are crucial legal tests that weigh up whether an infringement of human rights is justified.
  • Clause 17 reduces prescriptive requirements for data protection impact assessments.
  • Clause 18 makes prior consultation with the ICO optional but allows it as a factor in administrative fines.
  • Amendment 1 replaces mandatory submission of draft codes to the Information Commissioner with encouragement.
  • Amendments 42 and 43 are made consequential on Amendment 40.
  • Government amendments 24 to 29 aim to address technical changes for data transfers.
  • Amendment 104 seeks to reinsert a principle in Article on general principles for international data transfers.
  • Clause 21 introduces reforms to the UK’s international personal data transfers regime under schedules 5 and 6.
  • Schedule 5 consolidates provisions for transferring personal data internationally and introduces articles 44A, 45A, 45B, 45C, and 47A.
  • Schedule 6 amends parts of the Data Protection Act 2018 governing international transfers under the law enforcement processing regime.
  • The Bill amends the adequacy-based framework and replaces it with a new outcomes-based approach through the data protection test.
  • Stakeholders like Reset.tech and TUC are concerned that the new test could mean UK data is transferred to countries with lower standards of protection than previously allowed under the regime.
  • Losing the EU’s data adequacy status would have real-world consequences for UK consumers and businesses, potentially costing hundreds of millions of pounds.
  • Amendments 34 to 39 are minor, technical changes.
  • The amendments clarify that controllers must use anonymous data unless personal data is necessary for research purposes.
  • Processing to anonymise personal data is permitted under these amendments.
  • Clause 24 introduces an exemption for processing personal data under the law enforcement regime for the purpose of safeguarding national security.
  • It aligns existing exemptions with the UK GDPR and intelligence services regime.
  • Subsection (2) removes organisational self-exemption powers regarding individual complaint rights under article 77 of the UK GDPR.
  • Clauses 24, 25, and 26 increase opportunities for competent authorities to operate with reduced transparency regarding personal data.
  • Rights and Security International warns that these clauses could violate UK’s obligations under the Human Rights Act 1998 and European convention on human rights.
  • Clause 25(2) allows the Secretary of State alone to specify which competent authorities can apply for designation notices.
  • The debate was adjourned.
  • The next sitting date is set for Thursday 18 May at half-past Eleven o'clock.
Assessment & feedback
Summary accuracy