Data Protection Bill 2017

See Data Protection Act 1998 for previous legislation

A new Data Protection Bill was announced in the 2017 Queen's Speech, and announced by the government on the 7th August.[1]

The Bill was introduced in the House of Lords on 13 September 2017.

Notes from the Second Reading in the House of Lords

Transcripts of the debate (10 October 2017): 1, 2

Government front bench: Lord Ashton of Hyde, Lady Chisholm, Lady Vere

Labour: Lord Stevenson, Lord Kennedy, Lord Griffiths, Lord Grantchester

Lib Dem: Lord Clement-Jones, Lord Paddick, Lord McNally (opening on behalf of L. Clement-Jones), Baroness Ludford

EU Home Affairs Sub-Committee: Lord Jay of Ewelme (chair)

Response to Article 80(2)

Baroness Williams of Trafford (on behalf of the Government):

“It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.”

Lord Stevenson (on behalf of Labour):

“On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.”

Baroness Ludford (on behalf of Lib Dems):

“This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.”

Other peers who voiced support for 80(2): Baroness Lane-Fox, Lord Lucas, Baroness Kidron, Lord Kennedy, Lord Paddick

Peers who came out against 80(2): Baroness Neville-Rolfe

Other topics raised during the reading:

  • Age of consent - difference between Scotland and the rest of the UK.
  • Will the Bill deliver unhindered data flows post-Brexit - adequacy.
  • Henry VIII clauses will not make the Bill future-proof.
  • Need for transparent and effective regime for assessment of right to be forgotten requests
  • How does the Bill interact with blockchain?
  • Call for NHS patient data to be protected as a national asset.
  • Limitation for single processing for special purposes - the Government is likely to address these issues.

Notes from Queen's Speech


“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”

The purpose of the Bill is to:

  • Make our data protection framework suitable for our new digital age, allowing citizens to better control their data.

The main benefits of the Bill would be:

  • To meet the manifesto commitments to give people new rights to “require major social media platforms to delete information held about them at the age of 18” (p.79) and to “bring forward a new data protection law” (p.80).
  • To ensure that our data protection framework is suitable for our new digital age, and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data.
  • To allow police and judicial authorities to continue to exchange information quickly and easily with our international partners in the fight against terrorism and other serious crimes.
  • To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.

The main elements of the Bill are:

  • To establish a new data protection regime for non-law enforcement data processing, replacing the Data Protection Act 1998. The new rules strengthen rights and empower individuals to have more control over their personal data, including a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it.
  • To modernise and update the regime for data processing by law enforcement agencies. The regime will cover both domestic processing and cross-border transfers of personal data.
  • To update the powers and sanctions available to the Information Commissioner.

Territorial extent and application

  • The Bill would apply to the UK. Data protection is a reserved matter.

Key facts

  • Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.
  • The digital sector contributed £118 billion to the economy and employed over 1.4 million people across the UK in 2015.[2]

“The forthcoming Data Protection Bill will introduce a number of new rights and safeguards for individuals, including considering where to set the age at which children can consent to their data being processed on social media sites.”[3]

