Category Archives: parliament

Could the Data (Use and Access) Bill fall?

[EDIT: in this post I originally said I understood that the current parliamentary session would end when Parliament rises for summer recess. Prompted by Andrew Harvey, on the Jiscmail Data Protection list, I checked this point, and I was wrong: my MP (who, on the two occasions I’ve emailed him, has been impressively responsive), says “With the legislative programme from the King’s Speech barely a quarter of the way through, I would guess this will be at least an 18 month session”). So one of the pressing issues in the post is less pressing, but that still doesn’t get round the issue of the impasse.]

Westminster is at an impasse over the Data (Use and Access) Bill. The Lords have repeatedly introduced amendments, in the form of totally new clauses on AI and copyright which were never intended to be part of the Bill, and the Commons have repeatedly removed them. Yesterday’s reprise of the exercise suggests that ping pong is not stopping any time soon.

This must be of tremendous frustration to the government. In particular, it will be of significant concern to the ministers and civil servants who will be negotiating with the European Commission over the reciprocal data adequacy arrangements which allow free transfer of personal data between the EU and the UK. The Commission had introduced a sunset clause to the original agreement, which was due to expire this month, but this has been extended for a further six months, specially to allow for the passage and enactment of the DUAB (the Commission wants to see what the revised UK data protection scheme will look like).

So what happens now? As the Bill was introduced in the Lords, the Commons cannot invoke its powers to force the Bill through to Royal Assent, under section 2 of the Parliament Act 2011.

The current parliamentary session may well run on for some time yet. Traditionally, all parliamentary business would cease at prorogation, so if a Bill hadn’t passed, it fell. In recent years, however, procedures in both Houses have been developed, whereby, by agreement, a Bill can “carry over” to the next session. This is very unusual, though, with a Bill introduced in the Lords. It is also difficult to see how, or why, there would be agreement to carry over a Bill like the DUAB, over which the two Houses are in actual disagreement.

Maybe the alternative would be to allow the Bill to fall (or withdraw it), and reintroduce it in the Commons, in the next session.

But there would be no winners in such a scenario. The government (and Parliament) would have to go to significant time and cost, and the opponents in the Lords, serried behind Baroness Kidron, would be no closer to getting the artists’ protections from AI models that they seek.

And in the meantime, the extended sunset clause for UK adequacy would be dropping below the horizon.

Is there still time for compromise? The simple answer is yes, but there have been few signs of much movement from either side.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of a “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works, a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

An offence of unlawful access to records of the dead?

I’m starting to wonder whether Parliament should consider a new offence of accessing and/or retaining records of the deceased without lawful excuse.

The BBC, and others, are reporting concerns that there may have been unauthorised access to medical records of the victim of killer Valdo Calocane. In the last few years we have also seen similar stories emerging in relation to police files on the murders of Sarah Everard, Bibaa Henry and Nicole Smallman (and I am sure there are many others).

The offence at section 170 of the Data Protection Act 2018 cannot be engaged when the records in question relate to someone who is dead, and although there is the potential for prosecutions for misconduct in a public office, or under the Computer Misuse Act 1990, there will be times when these do not apply.

Such unwarranted access seems to be a serious risk which arises wherever there is a high profile killing, and it must cause immense extra distress for the families and friends of the victims.

I wonder if now is the time for a debate on the topic, with an agenda item of whether there is need for a new criminal offence.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Exempt from FOI? Hoyle say it is

[reposted from LinkedIn]

Although the Information Commissioner’s Office is tasked with enforcing the Freedom of Information Act 2000, the Act contains some provisions which have the effect of ousting the ICO’s jurisdiction. A little-seen one appears in a recent decision notice about a request to the House of Commons for information and correspondence in relation to events at the controversial Opposition Day Debate on 21 February 2024. Much of the controversy turned on the actions of the Speaker of the House, Sir Lindsay Hoyle, who later apologised.

Section 34 of FOIA creates an absolute exemption (i.e. not subject to a public interest test) if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament. But section 34(3) goes further, and says that

A certificate signed by the appropriate authority certifying that exemption…is, or at any time was, required for the purpose of avoiding an infringement of the privileges of either House of Parliament shall be conclusive evidence of that fact.

Such a certificate closes things down: it is not open to the ICO (or a court) to say “we disagree – the exemption is not required to avoid infringing the privileges of either House”.

All very interesting, and the decision notice is still worth reading, to see how it all works.

But, who, you might ask, is the “appropriate authority” who signed this certificate?

Well, dear friends, section 34(4) FOIA says that, when the privilege of the Commons is at issue, the appropriate authority is the Speaker of the House – a certain Sir Lindsay Hoyle MP.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

A violation of the presumption of innocence

This may not be a post directly related to information rights (although it does involve disclosure of information in response to a parliamentary question – which is a potential route to access to information which should never be underestimated). But I’m writing more because it’s on a topic of considerable public interest, and because the efforts and the campaigning of the applicants, and of Appeal, deserve support.

The Grand Chamber of the European Court of Human Rights (ECtHR) has held that the scheme in England and Wales for assessing whether people whose criminal convictions are subsequently overturned should receive compensation is compatible with the European Convention on Human Rights (the “Convention”).

Regardless of whether the ECtHR was correct or not, the underlying issue is, in my view, a national scandal and one that any incoming government should set right as a matter of priority.

Under Section 133(1ZA) of the Criminal Justice Act 1988 (as amended in 2018) the state must pay compensation where a new or newly discovered fact shows beyond reasonable doubt that there has been a miscarriage of justice. But a miscarriage of justice will only have occurred “if and only if the new or newly discovered fact shows beyond reasonable doubt that the person did not commit the offence”. This reverses what would be the normal burden of proof in criminal justice matters, and in effect requires the wrongfully convicted person to prove their innocence to gain compensation, despite the fact that their conviction has been overturned.

Figures given in response to a parliamentary question last year revealed that an extraordinary 93% of cases did not warrant compensation under the scheme.

At the ECtHR, the applicants contended that the domestic scheme infringed Article 6(2) of the Convention, which provides that “Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law”. Although the ECtHR noted “the potentially devastating impact of a wrongful conviction” it also held that the UK was

free to decide how “miscarriage of justice” should be defined for these purposes, and to thereby draw a legitimate policy line as to who out of the wider class of people who had had their convictions quashed on appeal should be eligible for compensation…, so long as the policy line was not drawn in such a way that the refusal of compensation in and of itself imputed criminal guilt to an unsuccessful applicant

It was not, said the ECtHR, its role “to determine how States should translate into material terms the moral obligation they may owe to persons who have been wrongfully convicted”.

Although there was a strong dissenting opinion which would have held that the compensation scheme resulted in a violation of the presumption of innocence, it must now fall to the next Parliament to take forward the “moral obligation” and put right where a previous Parliament went wrong. This does not, and should not, need to wait for the outcome of the Malkinson Inquiry. That inquiry may well have things to find out, and things to say, in general, about miscarriages of justice but it is not in its remit to consider the compensation point: that can, and should, be resolved sooner.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

When is a fundamental right no longer fundamental?

Answer – when Parliament approves legislation to remove it

Rather quietly, the government is introducing secondary legislation which will have the effect of removing the (admittedly odd) situation whereby the UK GDPR describes the right to protection of personal data as a fundamental right.

Currently, Article 1(2) of the UK GDPR says “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. For the purposes of the EU GDPR this makes sense (and made sense when the UK was part of the EU) because the Charter of Fundamental Rights of the European Union (“the Charter”) identifies the right to protection of personal data as a free-standing right.

However, the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 will amend Article 1(2) of the UK GDPR so that it will simply say “This Regulation contributes to the protection of individuals’ fundamental rights and freedoms.”

The explanatory memorandum to the draft regulations states that

There is no direct equivalent to the right to the protection of personal data in the UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention of Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by UK GDPR, the Data Protection Act 2018 and will continue to be protected by the Data Protection and Digital Information Bill in our domestic legislation.

None of this addresses the point that the EU specifically decided, in the Charter, to separate the right to protection of personal data from the right to respect for a private and family life. One reason being that sometimes personal data is not notably, or inherently, private, but might, for instance, be a matter of public record, or in the public domain, yet still merit protection.

The explanatory memorandum also says, quite understandably, that the UK GDPR has to be amended so as to ensure that

references to retained EU rights and freedoms which would become redundant at the end of 2023 are replaced with references to rights under the European Convention on Human Rights (ECHR) which has been enshrined in the UK’s domestic law under the Human Rights Act 1998

Nonetheless, it was interesting for a while that the UK had a fundamental right in its domestic legislation that was uncoupled from its source instrument – but that, it seems, will soon be gone.

SNP MP private email hack

UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE

It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.

Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).

But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).

Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.

Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Certainly uncertain – data protection reform developments

In recent weeks the future of data protection law in the UK has been not just hard to predict, but also hard to keep up with.

Since Brexit, the UK has had its own version of the EU’s GDPR, called, obviously enough, the “UK GDPR”. Then, on 18 July, a Data Protection and Digital Information Bill was presented in Parliament – it proposed some significant (but possibly not hugely so) changes to the current regime, but it retained the UK GDPR. It was scheduled to have its second reading in the House of Commons on 5 September, but this was postponed “to allow Ministers to consider the legislation further”.

Following this, on 22 September, the Retained EU Law (Revocation and Reform) Bill was introduced. This appeared to propose the “sunsetting” (i.e. the repeal) of multiple data and information laws, including the UK GDPR, by the end of 2023.

The next development, on the first day of the Conservative Party conference, was the announcement by the Culture Secretary, Michelle Donelan, that

we will be replacing GDPR with our own business and consumer-friendly data protection system… Many…smaller organisations and businesses only in fact employ a few people. They don’t have the resources or money to negotiate the regulatory minefield that is GDPR. Yet right now, in the main, they’re forced to follow this one-size-fits-all approach.

She also suggested that businesses had suffered from an 8% reduction in profit from GDPR. It is not immediately clear where this figure comes from, although some have suggested that an Oxford Martin School paper is the source. This paper contains some remarkably complex equations. I have no competence in assessing, and no reason to doubt, the authors’ economic and statistical prowess, but I can say (with a nod to the ageless concept of “garbage in, garbage out”) that their understanding of data protection law is so flawed as to compromise the whole paper. They say, for instance

websites are prohibited from sharing user data with third parties, without the consent from each user

and

companies that target EU residents are required to encrypt and anonymise any personal data it [sic] stores

and (probably most bizarrely)

as users incur a cost when prompted to give consent to using their data, they might reduce online purchases, leading to lower sales

To be quite clear (as politicians are fond of saying): websites are not prohibited from sharing data without the consent from “users” (if they were, most ecommerce would grind to a halt, and the internet economy would collapse); companies subject to GDPR are not required to anonymise personal data they store (if they did, they would no longer be able to operate, leading to the collapse of the economy in general); and “users” do not have to consent to the use of their data, and I am still scratching my head at why even if they did they would incur a cost.

If the authors base their findings on the economic cost of GDPR on these bases, then there are some very big questions for them to answer from anyone reviewing their paper.

I may have the wrong paper: I actually really hope the government will back up its 8% figure with something more sensible.

But regardless of the economic thinking in this paper, or underpinning the developments in the statutory regime, it is possible that all the developments cohere: that the Data Protection and Digital Information Bill, when it re-emerges, will have been amended so as to have the effect of removing references to “GDPR” or the “UK GDPR”, and that this will mean that, in substance, if not in name, the principles of the UK GDPR are assimilated into a new piece of domestic legislation.

But (given that the government’s focus is on it) business, just as nature, abhors a vacuum – many business owners (and indeed many data protection practitioners) must be hoping that there is a clear route forward so that the UK’s data protection regime can be considered, and applied, with at least a degree of certainty.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but, before I moved into private practice I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run the public bodies and businesses efficiently and also comply with the data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Yours
Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Cometh the hour…

One thing in particular struck me about the statement from the Information Commissioner’s Office (ICO) in response to the huge distress and uncertainty facing thousands of students and their families, following the announcement of A-level grades:

Anyone with any concerns about how their data has been handled should raise those concerns with the exam boards first, then report to us if they are not satisfied

In some ways, this is standard. Even the ICO’s “contact us” page leads a potential complainant through various stages before telling people who haven’t raised their concerns by “contacting the [offending] organisation in writing” to “Raise your concern with the organisation handling your information”.

Whilst I can understand the reason for this general approach (the ICO’s resources are limited, and many complaints can no doubt be resolved at source), it is difficult to reconcile it with what the law requires the ICO to do. Article 77 GDPR says that a supervisory authority must handle complaints lodged by a data subject, and investigate, to the extent appropriate, the subject matter of the complaint. There is no caveat, no exemption. It does leave the option open for the ICO to handle a complaint, and choose not to investigate it at all, but that is not what the ICO is doing here (and in its general approach).

But it must be said that sometimes, as it is permitted to, under Articles 57 and 58, the ICO does conduct investigations of its volition. It also has a range of powers, including the power to give an opinion to parliament and/or the government. Given that its Norwegian counterpart has indicated it will take strong action against the International Baccalaureate Organisation, I am hopeful that, as a new week of uncertainty for students approaches, the ICO will take this particular bit between its teeth, and properly investigate such a pressing issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
