The Data Protection Bill currently before Parliament substantially resurrects the controversial clause 152 of the Coroners and Justice Bill 2009. Careful scrutiny of this provision is needed and it must not be lost in the legislative morass as the UK grapples with data protection reform.
On 13th September 2017, the Data Protection Bill received its First Reading in the House of Lords. This initiates the process of exercising areas of Member State discretion in the implementation of the General Data Protection Directive 2016/679 (GDPR), which comes into force on 24 May 2018. The Bill also implements the Law Enforcement Directive 2016/680, and makes provision for data processing by the security services, as well as data processing that falls outside the scope of the GDPR in other areas. Moreover, it prepares the ground for maintaining equivalence with the EU after Brexit, to ensure the free flow of information is not disrupted.
Data protection in the UK will become subject to an immensely complicated legislative framework, even by current standards. The UK remains a party to the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The majority of data processing will be subject to the GDPR. The GDPR must be read with the Data Protection Bill, which contains provisions to adapt the GDPR in the UK and to extend its material scope. The implementation and interpretation of Part 3, which implements the Law Enforcement Directive, will continue to be informed by that Directive. The Bill contains many powers for the Secretary of State to make more specific or alternative provision by regulations, which will multiply in the future. Given the complexity and speed of change in this field, this desire for flexibility is understandable. Foreseeing the future needs of data protection in a fast-changing landscape is difficult, to say the least.
However, there is a very significant change in the Data Protection Bill that risks passing unnoticed through this legislative morass. Clause 15 would allow the Secretary of State to pass regulations, subject to the affirmative resolution procedure, to alter the application of the GDPR by laying down new legal bases for the performance of tasks in the public interest or in the exercise of official authority. This is a wide-ranging power to create new legal bases for sharing personal data about citizens and recalls the controversial clause 152 of the Coroners and Justice Bill 2009. It should not be allowed to pass without careful scrutiny. There are real questions about the desirability of reducing Parliamentary scrutiny of new legal powers to share individual data.
Clause 15(1)(a) provides that “the power in Article 6(3) [GDPR] for Member States law to lay down a legal basis containing specific provisions to adapt the application of rules of the GDPR where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority” may be exercised by the Secretary of State by regulations. The reference to Article 6(3) GDPR relates to grounds for the lawful processing of personal data.
Unlike the Data Protection Act 1998, Article 6(1) GDPR is now clear that “public authorities in the performance of their tasks” cannot rely on the ground that processing is necessary for their legitimate interests. This places far more emphasis on Article 6(1)(c) and (e) GDPR: processing which is necessary for “compliance with a legal obligation” and for “the performance of a task carried out in the public interest or in the exercise of official authority”. Article 6(3) GDPR provides that the basis for processing under Article 6(1)(c) or (e) must be laid down by either Union or Member State law.
Article 6(3) GDPR requires that legal basis to determine the purpose of processing and permits “specific provisions to adapt the application of the rules” of the GDPR, including “general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing”. The legal basis must also “meet an objective of public interest and be proportionate to the legitimate aim pursued”.
There is nothing new about the desire to have an executive power to establish new legal powers by secondary legislation for public bodies to process data. It was recommended by the Cabinet Office in its 2002 Privacy and Data Sharing Report. It was also recommended by the Thomas and Walport Data Sharing Review in 2008, which argued for “a new statutory fast-track procedure… subject to the affirmative resolution procedure” to, among other things, “create a new power to share information where that power is currently absent”.
This found expression in 2009 in the Labour Government’s Coroners and Justice Bill. Clause 152 of that Bill made provision for a power to enable the transmission, dissemination, consultation or use of personal data for purposes other than the purpose for which the information was obtained through ministerial “information-sharing orders”. Such information-sharing orders required the Minister’s satisfaction that such sharing was “necessary to secure a relevant policy objective”, was proportionate and struck a fair balance between the public interest and individual interests, specifying the persons, purposes, and information enabled to be shared. The power was immensely wide, allowing orders to confer powers, remove or modify any prohibitions or restrictions on sharing, impose prohibitions or restrictions on onward disclosure, impose other conditions on sharing, provide for the exercise of discretions and modify enactments.
Clause 15 of the Data Protection Bill shares many similarities with this provision. First, and most importantly, it enables the Minister to create new legal powers to process personal data in the public interest, including for purposes different from the purposes for which it was collected. It is not limited to legal duties to share but includes discretionary powers exercised for tasks in the public interest or under official authority in Article 6(1)(e). What clause 15 shares with clause 152 is a massive shift of control over the legal bases for processing personal data from Parliament to the executive. Although clause 15 makes provision for the use of the affirmative resolution procedure, whereas clause 152 relied on consultation and the opportunity for an Information Commissioner report on the proposed order to be laid before Parliament, neither offers the fullness of Parliamentary scrutiny for new legal powers to process personal data. As reuse of personal data becomes increasingly important and controversial, this shift needs to be scrutinized thoroughly. Secondly, we should not be misled by the absence of a power to remove or modify prohibitions or restrictions on sharing in clause 15. Most prohibitions or restrictions make exception for processing pursuant to statute or secondary legislation in any case. It is the existence of the legal basis for processing that is most important. Thirdly, Article 6(3) GDPR provides for the legal basis to impose other conditions on processing, albeit that clause 152 provided for the creation of offences in relation to breach of conditions imposed on the exercise of such powers and this is absent on the face of the Data Protection Bill.
The attempt to introduce clause 152 faced considerable opposition and was ultimately withdrawn by the Government during the Coroners and Justice Bill’s Committee Stage. Dominic Grieve MP, then Shadow Secretary of State for Justice and now Chair of the Intelligence and Security Committee, denounced the clause as a “seismic change in the relationship between the State and the citizen” with potential to enable an “oppressive State”. Richard Thomas, co-author of the 2008 report and then Information Commissioner, similarly criticized the clause for containing inadequate safeguards.
The Explanatory Notes for the Data Protection Bill give little indication of the importance of this provision. The Data Protection Bill will receive its Second Reading in the House of Lords on 10th October. It is a welcome opportunity to clarify and debate the drafting of clause 15 and to properly scrutinize a provision so similar to the controversial clause 152 of the 2009 Coroners and Justice Bill. The pressure to create ever more executive powers to pass secondary legislation will only increase as Brexit significantly increases the workload of Parliament. It is therefore important that legal powers to process personal data are effectively scrutinized both inside and outside Parliament.
Thanks to Professor Alison Young and Dr David Erdos for their helpful comments. Any errors are my own.
Oliver Butler is a Fellow of Wadham College Oxford and Associate Research Fellow at the Bonavero Institute of Human Rights.
(Suggested citation: O. Butler, ‘The Data Protection Bill and Public Authority Powers to Process Personal Data: Resurrecting Clause 152 of the Coroners and Justice Bill 2009?’, U.K. Const. L. Blog (28th Sept. 2017) (available at https://ukconstitutionallaw.org/))