Written by Jeremy Lilley, Programme Manager for Cloud, Big Data & Intellectual Property at techUK
techUK has updated its briefing on the Data Protection Bill ahead of Report Stage beginning in the House of Lords on Monday 11 December 2017.
With discussions at Committee Stage focusing on fundamental rights to data protection, age appropriate design and data ethics, amongst other topics, we can expect to see further discussion at Report Stage on these areas and others.
techUK’s briefing provides the tech sector’s views on the key amendments we expect to be discussed. The briefing can be downloaded below.
Key elements of techUK’s briefing include:
The Data Protection Bill is welcomed by the tech sector as a way of ensuring the UK’s data protection laws are fit for the digital age. Ensuring that the public can trust their data is handled safely is important for everyone.
All major parties agreed to implement the EU General Data Protection Regulation (GDPR) at the 2017 General Election. This Bill should have the narrow focus of legislating for GDPR derogations along with necessary legislation for data processing not covered by EU competencies.
This Bill is time sensitive. It must be in place before May 2018 in order to ensure that UK meets its obligation to implement GDPR. The Bill should be seen through the prism of Brexit, full implementation of GDPR is necessary to ensure that the UK is in the best possible position to secure a mutual adequacy agreement with the EU to allow the continued free flow of data post-Brexit.
The Government is right to set the age of consent at 13. This will allow young people to reap the societal and educational benefits of online activity, as well as helping them to develop the digital skills which are now fundamental for young people to have. A higher age threshold risks excluding people from these tools. The policy goal of protecting young people’s data is accomplished through safeguards within the GDPR designed to prevent harm to young people, such as potential harm from automated decision making.
The Data Protection Bill must allow data to be processed for research purposes, as currently allowed by the Data Protection Act 1998.
The Information Commissioner’s Office must be well-resourced so it can effectively undertake the important work it has to do in developing compliance guidance for new data protection rules.
A new criminal offence against re-identifying de-identified data should not prevent important security research, which would make systems less secure, not more.
The Data Protection Bill must operate in conjunction with the EU (Withdrawal) Bill. It is important that the right to protection of personal data under the European Charter of Fundamental Rights is protected in order to give the public the overall right to recourse over personal data protection.