Peer Review - Part III
“While the Data (Use and Access) Bill survived the latest scrutiny session unscathed by opposition amendment, we anticipate that at Report stage the government will face significant challenges on the impact of artificial intelligence for the adequacy of protection afforded to data subjects and in relation to restrictions on direct marketing. The ICO’s performance in relation to enforcement may also attract further scrutiny.”
The third and penultimate session of the House of Lords’ Grand Committee’s scrutiny of the Data (Use and Access) Bill took place on 16 December 2024, when peers continued their consideration of the provisions of Part 5 of the Bill relating to ‘Data protection and privacy’ following on from the second session on 10 December. Amendments tabled to the Bill were considered from clause 72 Data (Use and Access) Bill onwards.
Peers considered clauses 73 - 90 of the Bill, in addition to amendments proposing new clauses:
Clause 73 Elected representatives responding to requests
Clause 74 Processing of special categories of personal data
Clause 75 Fees and reasons for responses to data subjects’ requests about law enforcement processing
Clause 76 Time limits for responding to data subjects’ requests
Clause 77 Information to be provided to data subjects
Clause 78 Searches in response to data subjects’ requests
Clause 79 Data subjects’ rights to information: legal professional privilege exemption
Clause 80 Automated decision-making
Clause 81 Logging of law enforcement processing
Clause 82 General processing and codes of conduct
Clause 83 Law enforcement processing and codes of conduct
Clause 84 Transfers of personal data to third countries and international organisations
Clause 85 Safeguards for processing for research etc purposes
Clause 86 Section 85: consequential provision
Clause 87 National security exemption
Clause 88 Joint processing by intelligence services and competent authorities
Clause 89 Joint processing by intelligence services and competent authorities
Clause 90 Duties of the Commissioner in carrying out functions
Having regard to the Grand Committee rules of procedure and the requirement for unanimity to pass an amendment, just one amendment to the Bill was agreed, in relation to clause 89 further to Amendment 133, albeit this was a government amendment described as merely technical.
Several amendments laid to the Bill proposed entirely new clauses, which were the subject of debate, including amendments to:
apply the requirements of the European Convention on Human Rights to private bodies in the same way as public bodies (Amendment 87 proposed by Lord Thomas of Cwmgiedd and others);
impose the obligations of the UN Convention on the Rights of the Child directly on data controllers and dictate that children warrant a higher standard of data protection (Amendment 88 proposed by Baroness Kidron and others);
require the ICO to introduce a code of practice on children and artificial intelligence (AI) (Amendment 137 proposed by Baroness Kidron and others);
make provision for data communities and for data subjects to assign their rights to them (Amendments 109A, 139-140 proposed by Baroness Kidron and others);
impose new procedures before controllers can rely on certain exemptions under Schedules 2, 3 and 4 Data Protection Act 2018, stated to be intended to preserve/reinstate the supremacy of EU law and meet the requirements of Article 23(2) GDPR (Amendments 154, 155 and 156 proposed by Lord Clement-Jones);
require the Secretary of State to publish guidance on what constitutes a reasonable and proportionate search in response to a data subject access request (DSAR) made under Article 15 UK GDPR (Amendment 107 proposed by Lord Clement-Jones);
expand the scope of the considerations data controllers must have regard to when conducting a data protection impact assessment (DPIA) under Article 35 UK GDPR to include consequences for the public interest including to equality and the environment and expand the consultation requirement under Article 35(9) UK GDPR to apply to anyone affected by the proposed processing activities, not merely data subjects or their representatives (Amendment 109 proposed by Lord Clement-Jones);
require the Secretary of State to conduct prior to June 2025 an assessment of the impact of the UK’s legislation, including the Data (Use and Access) Bill and international obligation on the European Commission’s adequacy decision in respect of the UK (Amendment 125 proposed by Lord Clement-Jones);
prohibit the development, deployment, marketing and sale of data related to an individual’s image, likeness or personality including name, face, voice or any physical characteristic for AI training or product development without that individual’s express consent (Amendment 211A proposed by Lord Holmes);
extend the soft opt-in under PECR to communications pertaining to workplace pensions (Amendment 161 proposed by Lord Lucas);
create a new category of strictly necessary processing in relation to cookies in connection with the measurement or verification of the performance of advertising services (Amendment 160 proposed by Lord Clement-Jones and others);
ban cookie paywalls (Amendment 159B proposed by Lord Clement-Jones);
make clear that cookie paywalls are permissible (Amendment 159A proposed by Viscount Camrose);
extend the soft opt-in under PECR to email marketing by charities (Amendment 152 proposed by Lord Clement-Jones and others);
require Action Fraud to record attempted fraud as well as successful frauds (Amendment 201 proposed by Lord Lucas);
grant the courts a power to require the deletion of intimate images from the devices of individuals convicted of relevant offences (Amendment 210 proposed by Baroness Owen).
Furthermore, Lord Lucas proposed an amendment to the Bill to exclude communications required by the FCA’s consumer duty from the Privacy and Electronic Communications (EC Directive) Regulations (PECR) restrictions on direct marketing.
Of these, Baroness Jones on behalf of the government indicated that it considered that the concept of data communities was worthy of further consideration.
Clause 73 Elected representatives responding to requests
Clause 73 would extend the period during which elected representatives who lose their seat are permitted to continue to process special category personal data in the context of responding to a request from 4 days after the relevant election to 30 days thereafter. Clause 73 Data (Use and Access) Bill was agreed as introduced.
Clause 74 Processing of special categories of personal data
The effect of clause 74 Data (Use and Access) Bill would be to enable the Secretary of State to expand the scope of the restrictions on processing special category personal data under the UK GDPR and on sensitive processing under Part 3 Data Protection Act 2018, and to introduce new exemptions in respect of those newly restricted processing activities, referred to as ‘added processing’. Clause 74 was agreed as introduced.
Clause 75 Fees and reasons for responses to data subjects’ requests about law enforcement processing
Clause 75 Data (Use and Access) Bill would enable the Secretary of State to make regulations to require controllers, or certain controllers, to publish guidance as to the fees they charge if they opt to comply with a data subject access request (DSAR) which is deemed to be manifestly unfounded or excessive.
Amendment 91 laid by Viscount Camrose and Lord Markham would have served to reduce the threshold at which a DSAR could be rejected by a controller or a fee charged in respect of it to where the request was deemed to be vexatious or excessive. Ultimately, Amendment 91 was not moved and clause 75 was agreed as introduced.
Clause 76 Time limits for responding to data subjects’ requests
The effect of clause 76 Data (Use and Access) Bill would be to make clear that it is not the overall number and complexity of requests being dealt with by a controller that is relevant to whether the time period for compliance may be extended from one month for up to a further two months, but the number and complexity of requests from the relevant data subject. Furthermore, clause 76 would clarify when the applicable time period for complying with a request commences, dependent upon receipt of any relevant information or applicable fee. Clause 76 Data (Use and Access) Bill was agreed as introduced.
Clause 77 Information to be provided to data subjects
The effect of clause 77 Data (Use and Access) Bill would be to exclude from the obligation to provide the information required by Article 13 UK GDPR to a data subject from whom personal data are collected in connection with further processing for the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes where provision would be impossible or involve disproportionate effort and to extend the exemption from the obligations at Article 14(1)-(4) UK GDPR to provide information to data subjects where personal data have not been collected from them where impossible or involving disproportionate effort to all types of processing activity, as well as to insert an additional exemption where the impact of compliance would render impossible or seriously impair the objectives of processing.
Viscount Colville and others put forward amendments to make clear that the sheer number of affected data subjects would not be sufficient to render compliance disproportionate, with the explicit stated intention of preventing (Amendments 92 - 93). Amendment 97 proposed by Viscount Camrose and Lord Markham would have narrowed the scope of the exemption to provide information only to cases where it would be impossible to do so, and Amendment 99 would have removed the new additional exemption. By contrast, Lord Clement-Jones and others proposed Amendment 98 which would have narrowed the exemption where compliance would involve disproportionate effort to circumstances where notification was not warranted by the impact on the individual. Baroness Harding called for a further exemption from the obligation to provide information to data subjects under Article 14 UK GDPR where the data was gathered from the Open Electoral Register (Amendment 96), and to reflect whether the information was collected and made publicly available by a public body as a factor in determining disproportionality (Amendment 104), as well as any damage or distress to data subjects (Amendment 102).
Baroness Jones on behalf of the government quoted from the ICO’s recent guidance on data protection and generative artificial intelligence (AI) that “Generative AI developers, it’s time to tell people how you’re using their information” and asserted that in relation to existing non-compliance “The ICO is on the case on this issue, and is pursuing it”.
The government rejected any suggestion that the Data Protection Act 2018 should be amended to provide for new statutory codes to be produced to specifically address children and AI. The Minister did confirm that the government was already in “Discussions with the ICO… about the scope and intention of a number of issues around AI”.
Baroness Jones asserted that, in relation to the use of personal data in the context of generative AI which produces a likeness of an individual, there were already “firm safeguards in place”.
The government rejected any easing of restrictions on data made publicly available by public bodies, instead favouring transparency. The existing non-exhaustive list of factors determining disproportionality was preferred to including additional specific considerations.
As to legislating specifically in relation to cookie paywalls, the government indicated that it would await the outcome of the Information Commissioner’s call for views on consent or pay business models. In relation to proposals to treat the measurement and verification of advertising as being strictly necessary, the government indicated that it had already “been actively engaging with the advertising and publishing sectors on this issue” and suggested that this could be an appropriate use of the powers it proposed to grant the Secretary of State through the Bill to make regulations adding to the activities falling within the scope of the exemption on what is strictly necessary.
Clause 78 Searches in response to data subjects’ requests
Clause 78 of the Data (Use and Access) Bill would import the jurisprudence on the scope of data controllers’ obligations in relation to the conduct of searches in response to data subject requests by making clear that the scope of controllers’ obligations is limited to the conduct of reasonable and proportionate searches, and (unusually) would be backdated in its application to 01 January 2024.
Concern was raised that this would effectively reduce the rights available to data subjects, albeit that there is a line of jurisprudence under the preceding legislation, the Data Protection Act 1998, to the effect that data controllers are only obliged to carry out a reasonable and proportionate search (see Ezsias v Welsh Ministers [2008] EWCA Civ 874, Dawson-Damer v. Taylor Wessing LLP [2017] EWCA Civ 7417 and Ittihadieh v Cheyne Gardens & Ors and Deer v University of Oxford [2017] EWCA Civ 121 for example).
Clause 78 was agreed as introduced.
Lord Clement-Jones had proposed under Amendment 107 a new clause which would require the Secretary of State to issue guidance on what constitutes a reasonable and proportionate search within 6 months of the Act being passed, but this was ultimately not moved.
Clause 79 Data subjects’ rights to information: legal professional privilege exemption
Clause 79 of the Data (Use and Access) Bill would introduce an exemption in respect of personal data protected by legal professional privilege to the right of access under Part 3 Data Protection Act 2018, i.e. in respect of personal data processed by competent authorities for law enforcement purposes.
In the context of this clause, Lord Clement-Jones raised an amendment of wider applicability, calling for data protection rights to be enforceable in the First-Tier Tribunal (Information Rights) as opposed to the courts (Amendment 153), citing the “confusing division of jurisdiction between different courts and tribunals, which not only complicates the legal process but wastes considerable public resources”, and calling for a right of appeal against decisions of the Information Commissioner (Amendment 151). While Conservative peer Lord Holmes spoke in favour of these amendments, Conservative Shadow Minister for AI and IP spoke against the amendments.
A separate amendment to transfer responsibility for the Tribunal Procedure Rules to the Lord Chancellor (Amendment 152) was debated at the same time.
Lord Vallance, on behalf of the government, rejected the need for the amendments, asserting that the existing right of judicial review in respect of decisions of the Information Commissioner was preferable.
While Lord Clement-Jones agreed to withdraw his amendments, he vowed to “keep on pressing this”.
Clause 79 was agreed as introduced.
Clause 80 Automated decision-making
The effect of clause 80 Data (Use & Access) Bill would be to reform and relax the law restricting automated decision making.
Lord Clement-Jones proposed several amendments the cumulative effect of which would be to diminish the harm that could occur to data subjects as a consequence of the government’s proposed relaxation, specifically to clarify what constitutes meaningful human involvement in automated decision making by requiring that the person must have “the necessary competence, training, authority to alter the decision and analytical understanding of the data” (Amendment 110), prohibiting decision making based on processing in breach of the Equality Act 2010 (Amendment 112), making protections applicable not only to decisions based solely on automated decision making but those predominantly so (Amendment 114), to require public authorities to implement an Algorithmic Impact Assessment prior to deploying an algorithmic or automated decision making system other than for the formulation of policy (Amendment 120), to legislate for public authorities to complete an Algorithmic Transparency Record (Amendment 121) (compliance with the Algorithmic Transparency Recording Standard is already mandated by government policy for central government departments), to impose certain transparency obligations in respect of the use of a relevant algorithmic or automated decision-making system (Amendment 122) and, to require the Secretary of State to make regulations defining meaningful human involvement (Amendment 123). The debate occurred just days after the Second Reading in the Lords of Lord Clement-Jones’ private members bill, the ‘Public Authority Algorithmic and Automated Decision-Making Systems Bill [HL]’. Amendments 110, 111 and 112 were proposals originally put forward by Labour Ministers to the Data Protection and Digital Information Bill when they were in opposition.
Lord Clement-Jones also spoke against the easing of restrictions on automated decision making under Parts 3 and 4 Data Protection Act 2018 in respect of processing by competent authorities for the law enforcement purposes and intelligence services processing respectively.
Viscount Colville proposed an amendment to require government departments, public authorities and all persons exercising a public function using algorithmic tools to process personal data to use the Algorithmic Transparency Recording Standard (Amendment 119), effectively legislating for and extending the scope of the existing ATRS, and supported Viscount Camrose’s amendment to remove the Secretary of State’s power to make regulations in relation to automated decision making (Amendment 115A).
Lord Lucas proposed an amendment that would require individuals affected by automated decision making to be informed of the fact of automated decision-making, the reasoning and the extent of any human involvement (Amendment 115). In a similar vein, Lord Holmes proposed amendments to require personalised explanations of decision making (Amendment 123A).
Labour’s Lord Knight spoke in favour of Lord Clement-Jones’ amendment to require a report to be produced by the Secretary of State within 12 months on the impact of AI and automated decision-making on work and workers (Amendment 123C).
Baroness Kidron sought clarification of the government’s position on protections for children, generally in the context of the legislation, and specifically in relation to automated decision-making.
Viscount Camrose on behalf of himself and Lord Markham commended their proposed amendment to introduce in the legislation the five principles in the AI Regulation White Paper, i.e.: safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress (Amendment 111). Further amendments proposed would require the Secretary of State to publish guidance on obtaining explicit consent for the purposes of automated decision-making (Amendment 114) and to prevent children from consenting to the processing of their special category personal data for the purposes of automated decision-making (Amendment 117).
While Baroness Jones committed to write to Lord Lucas in connection with the explainability requirements proposed by Amendment 115, and Lord Clement-Jones emphasised that the Lords would require “a will write letter on stilts” in relation to the government’s proposals to relax the regulation on automated decision-making, the government did not accede to any amendments and clause 80 passed as introduced.
Schedule 6 Automated decision-making minor and consequential amendments
Schedule 6 Data (Use and Access) Bill passed as introduced.
Clause 81 Logging of law enforcement processing
Clause 81 Data (Use & Access) Bill would remove the obligation on competent authorities such as police forces processing personal data for law enforcement purposes to record the justification for processing personal data as part of their logging obligations under section 62 Data Protection Act 2018.
Lord Clement-Jones argued that there should be no amendment to section 62 DPA 2018 and proposed several amendments aimed at preventing any significant departure from the EU Law Enforcement Directive (Amendments 126, 127, 128 and 129).
Baroness Morgan proposed to exempt competent authorities processing personal data for law enforcement purposes and the CPS from complying with certain data protection principles, including those of necessity and fairness, in connection with the preparation and consideration of case files prepared for the CPS, which was stated to be supported by the Police Federation (Amendment 124), to avoid the review and redaction exercise required to be carried out.
The government noted that the logging requirement for justification was an ineffective safeguard and the National Police Chiefs Council did not consider that there would be any inhibition to investigations into unlawful accessing or other processing of personal data as a consequence.
Clause 81 was passed as introduced.
Clause 82 General processing and codes of conduct
Clause 82 was passed as introduced without debate.
Clause 83 Law enforcement processing and codes of conduct
Clause 83 was passed as introduced without debate.
Clause 84 Transfers of personal data to third countries and international organisations
Clause 84 was passed as introduced without debate.
Schedule 7 Transfers of personal data to third countries etc General processing
Schedule 7 was passed as introduced without debate.
Schedule 8 Transfers of personal data to third countries etc Law enforcement processing
Schedule 8 was passed as introduced without debate.
Schedule 9 Transfers of personal data to third countries etc Minor and consequential amendments and transitional provision
Schedule 9 was passed as introduced without debate.
Clause 85 Safeguards for processing for research etc purposes
Clause 85 was passed as introduced without debate.
Clause 86 Section 85: consequential provision
Clause 86 was passed as introduced without debate.
Clause 87 National security exemption
Clause 87 was passed as introduced without debate.
Clause 88 Joint processing by intelligence services and competent authorities
Clause 88 was passed as introduced without debate.
Clause 89 Joint processing by intelligence services and competent authorities
Government Amendment 133 would serve to amend section 82 in Part 4 Data Protection Act 2018 and in turn the definition of personal data in section 199(2)(a) Investigatory Powers Act 2016.
This amendment was described as merely technical, and clause 89 was passed as amended by the government.
Clause 90 Duties of the Commissioner in carrying out functions
Clause 90 would introduce new obligations on the data protection regulator when carrying out its duties, to promote public trust and confidence and expanding on the existing obligation under section 108 Deregulation Act 2015 to “have regard to the desirability of promoting economic growth” in the exercise of its functions and requiring the regulator to also have regard to matters including the desirability of promoting innovation and competition.
Clause 90 would also require the regulator to prepare and publish a strategy and consult with other regulators.
Lord Clement-Jones advocated for the exclusion of such additional factors, and instead sought to impose obligations on the regulator to “fully enforce” the data protection legislation and to act upon complaints, rejecting the premise that data protection and innovation were competing interests that must be balanced against each other (Amendment 134). This and other amendments were precipitated by the concern that “The Information Commissioner’s Office has a poor track record on enforcement”, having taken only 8 UK GDPR related enforcement actions against private sector entities while issuing 28 reprimands to the public sector in the preceding financial year, which were being used inappropriately for serious infringements and had no deterrent effect on law breakers, and the current Information Commissioner John Edwards having stated that he did not intend to enforce against large private sector organisations because “fines against big tech companies are ineffective”. It was stated that this was in the hope that “the ICO will take notice”.
By contrast, Lord Lucas proposed to provide the Secretary of State power to prepare a statement of strategic priorities to which the regulator would be required to have regard (Amendment 135A).
Amendment 134 was withdrawn and clause 90 passed as introduced.
More generally in relation to the Bill, of particular note was Lord Thomas’ intervention asserting that “This legislation is ghastly; I am sorry to say that, but it is. It imposes huge costs on SMEs—not to say on others, but they can probably afford it—and if you are going to get trust from people, you have to explain things in simple principles”. At Handley Gill, we had previously argued for data protection law reform to seek to consolidate and simplify the UK’s data protection legislation in favour of a risk-based approach.
During the debate it is perhaps noteworthy that the ICO’s position on processing of personal data through web scraping for the purposes of training AI models was referenced, leading Lords to query what - if any - enforcement action the ICO had taken as a consequence of its position that such processing constitutes a high risk activity. The government committed to writing to provide further information as to the ICO’s position.
Other concerns raised included the Information Commissioner presenting contrary submissions in cases being heard in different courts.
Perhaps suggestive that the government will depart from its commitment to legislate to regulate only AI models posing the greatest risk, Baroness Jones on behalf of the government acknowledged that “data protection is not the only lens through which AI should be regulated, and that we cannot address all AI risks through the data protection legislation”.
The fourth and final session of the Grand Committee is scheduled for 18 December 2024, subsequent to which the Bill as amended in Grand Committee will be published and the revised Bill would be considered by the whole House of Lords at Report stage.