The second session of the Grand Committee’s scrutiny of the Data (Use and Access) Bill took place on 10 December 2024 and was the first substantive opportunity to consider the provisions of Part 5 of the Bill relating to Data protection and privacy. During over 4 hours of debate, peers considered clauses 67 – 72 of the Bill:

• Clause 67 Meaning of research and statistical purposes;

• Clause 68 Consent to processing for the purposes of scientific research;

• Clause 69 Consent to law enforcement processing;

• Clause 70 Lawfulness of processing;

• Clause 71 The purpose limitation; and,

• Clause 72 Processing in reliance on relevant international law.

The Grand Committee rules of procedure mean that while any member of the Lords may attend and participate in its proceedings, voting is not allowed and therefore all decisions must be unanimous, which means that unless a proposed amendment commands the universal support of the attendees (including the Government minister seeking to progress the Bill in its current form – in this case Baroness Jones, The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Information and Technology) it will not pass, with amendments usually not being moved or withdrawn after debate to highlight and record the concern that led to the amendment being laid and enable the matter to be revisited at Report stage by the whole House. Unsurprisingly, therefore, clauses 67 – 72 of the Data (Use and Access) Bill progressed without amendment, but not without significant debate.

Clause 67 Meaning of research and statistical purposes

Clause 67 Data (Use and Access) Bill would incorporate into the UK GDPR a broad definition of what constitutes processing for “scientific research purposes”, being “processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”, and this is explicitly stated to include “processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific”, with a carve out in the context of a study in the area of public health such that the provisions only apply in so far as the study is conducted in the public interest. Such processing would be subject to relaxed obligations when re-using personal data for further purposes, for example. 

As we highlighted in our briefing on the Data (Use and Access) Bill, the proposed definition would be sufficiently broad to include processing of personal data for the purposes of developing and training AI models, and this was the subject of debate, with Viscount Colville laying a series of amendments seeking to prevent this, including to the effect that the exemption would only apply where the further processing was solely for the so-called RAS purposes, could only be carried out in respect of non-commercial activity and that all such processing – not merely that in the field of public health – must be in the public interest to rely on the exemption. These amendments would potentially limit not only the further processing of personal data in the context of artificial intelligence (AI) but also in other contexts, including medical research. Other peers laid or supported amendments seeking to impose an obligation that any research would have to be subject to approval by a research ethics committee to rely on the exemption and Lord Clement-Jones sought an amendment that would grant data subjects a right to object to further processing. Baroness Kidron raised concern that the proposals could permit social media companies to process children’s personal data for their own product development, including to conduct behavioural analysis aimed at increasing user engagement or stickiness, i.e. the amount of time spent on an app or service.

During debate, concern was also raised regarding the scope for children’s data, including that obtained in the context of ed-tech, being re-used without additional protections.

In response, the Minister insisted that the Data (Use and Access) Bill would not expand the definition of scientific research but that “If anything, it is restricting it, because the reasonableness test that has been added to the legislation”. Recital 159 GDPR already provides that “the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research” and that “Scientific research purposes should also include studies conducted in the public interest in the area of public health”.

The Minister rejected the proposal that all scientific research must be in the public interest to rely on the relaxed provisions, arguing that it wouldn’t be possible at the outset to determine whether research would be in the public interest. Given that the exemption for processing for the purposes of journalism, art or literature at Schedule 2 Part 5 paragraph 26 Data Protection Act 2018 is reliant on having a reasonable belief in the public interest of the ultimate output, it is not apparent why a similar approach would not be capable of being adopted.  As to the application of the proposals to artificial intelligence, the Minister indicated that there would be an opportunity to debate this when the government brought forward its promised legislation specifically addressing AI, although Baroness Kidron and Viscount Camrose raised concern that there was not yet even a briefing as to the content of the proposed AI Bill and the government appeared to be reducing data subject rights in favour of AI developers to enable scraping or repurposing of personal data.

 Clause 68 Consent to processing for the purposes of scientific research

Lord Stevenson laid amendments seeking to prevent the reduced consent requirements proposed by the Bill from effectively establishing a new lawful basis for processing and to maintain confidence in the processing of NHS patient data by requiring explicit consent for sharing NHS patient data with commercial entities for no-NHS purposes. The Minister committed to offering peers a technical briefing to reassure them as to the proposals.

Clause 69 Consent to law enforcement processing

Clause 69 of the Data (Use and Access) Bill, the effect of which would be to align the definition of consent for the purposes of processing by competent authorities for law enforcement purposes under Part 3 Data Protection Act 2018 with the UK GDPR, was not debated.

Clause 70 and Schedule 4 Lawfulness of processing

Lord Clement-Jones laid several amendments regarding the introduction of recognised legitimate interests as a lawful basis for processing, referencing the Information Commissioner’s indication that - notwithstanding his welcoming of the Bill - the explanatory notes to the Act should clarify that reliance on a recognised legitimate interest, which would obviate the need for the legitimate interests assessment balancing the rights and interests of the controller against that of affected data subjects, would nevertheless require controllers to consider the proportionality of the proposed processing when determining its necessity, despite proportionality not being considered an element of necessity. He was also concerned by the scope of the Secretary of State’s proposed power to introduce new recognised legitimate interests (and took the opportunity to object to the extent of the powers proposed to be afforded to the Secretary of State under the Data (Use and Access) Bill), and that health data should not be subject to processing under the recognised legitimate interests lawful basis. 

In response, the Minister indicated that it was anticipated that the powers to designate new recognised legitimate interests “are likely to be used sparingly”.

The Minister at the same time dealt with proposals to amend remove Schedule 7 of the Data (Use and Access) Bill. Schedule 7 would significantly reduce the protections for data subjects in respect of restricted international transfers of personal data by introducing the data protection test, which reduces the requirement for the laws of the third country to protect data subject rights from offering essential equivalence to the UK GDPR to a standard that of being not materially lower having regard to a narrower range of factors than at present. In addition, the Secretary of State would be empowered to introduce new bases for transfer. The Minister responded to the amendment, stating “the UK would be unable to respond swiftly to emerging developments and global trends in personal data transfers”.

Clause 71 The purpose limitation

Lord Clement-Jones laid an amendment seeking to exclude data collected concerning children from the new provisions on compatibility of further processing under the Data (Use and Access) Bill, which would introduce Article 8A UK GDPR.

Discussion of the Data (Use and Access) bill’s impact on children led to consideration of several proposed amendments laid by Baroness Kidron, which would explicitly recognise the obligation on the regulator to have regard to the best interests of the child under the UN Convention on the Rights of the Child when carrying out its functions, as well as importing that obligation to apply directly to all controllers and processors, not merely public authorities, in addition to a carve out in respect of children’s data from exemptions to transparency obligations.

In response, the Minister indicated that the Information Commissioner’s strategic objectives and existing guidance would adequately meet the desired outcomes, and that the government’s preference was to “focus on improving compliance with the current legislation, including through the way the ICO discharges its regulatory functions”.

Clause 72 Processing in reliance on relevant international law

While no specific amendments to clause 72 were considered during the debate, which was adjourned, Viscount Camrose did raise several amendments, including to introduce the concept of vexatious requests as opposed to the current manifestly unfounded request capable of being rejected, and requiring AI companies to make transparency information available to data subjects whose personal data has been obtained other than directly from them.

At Handley Gill, we have previously called for any amendments to the legislative framework governing data protection to seek to consolidate the law and to increase its comprehension and accessibility. This was echoed by Lord Thomas, who stated that “I defy anyone, even the experts who drafted this, to think that this is intelligible to any ordinary human being. It is simply not. I am sorry to be so rude about it, but this is the epitome of legislation that is, because of its sheer complexity, impossible to understand”, and Viscount Camrose who recognised in relation to the Bill that “There is a challenge in making it comprehensible and communicating it in a much more accessible way once it goes live”.

The Grand Committee’s next sittings are scheduled for Monday 16 December, when consideration of clause 72 of the Bill will continue, and Wednesday 18 December.

You can access our comprehensive briefing on the Data (Use and Access) Bill here, and our unofficial Keeling schedules showing a mark up of the changes that the Bill (as introduced) would make to the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 (PECR) respectively here.

Keep up to date with developments as the Data (Use and Access) Bill progresses through Parliament on our Data Protection Reform page in our Resources section.

Should you require support understanding how new legislation and regulation will affect you or your organisation, please contact us.

Find out more about our data protection and data privacy services.