at end insert— Section (Right to protection of personal data) makes provision for a general right to the protection of personal data.”
Bill texts 8
- HL Bill 66 (as introduced)download soon
- HL Bill 74 (as amended in Committee)download soon
- HL Bill 77 (as amended on Report)download soon
- Bill 153 2017-19, as brought from the Lordsdownload soon
- Bill 190 2017-19, as amended in Public Bill Committeedownload soon
- HL Bill 104 Commons amendmentsdownload soon
- Bill 209 2017-19, Lords Amendment instead of words left out by a Commons Amendmentdownload soon
- HL Bill 106 Commons disagreement to and amendments in lieu of a Lords amendmentdownload soon
Amendments 60
Committee stage — Lords 20
Insert the following new Clause— “Right to protection of personal data
at end insert— This Act does not apply to any organisation employing five employees or fewer.
at end insert— In this Act, unless the context otherwise requires—
at end insert— In Article 6(1) of the GDPR, reference to “the public interest” is to be read as a reference to the overall good of the general public.”
at end insert “and to section 183”
leave out “includes” and insert “means”
after second “data,” insert “including data held by providers of Information Society Services,”
at end insert— does not apply in the course of an activity which falls outside the scope of EU law.”
leave out “broadly equivalent” and insert “identical in all major respects”
at end insert— Reference to the GDPR in this Act includes reference to the recitals thereof.”
at end insert— Reference in this section to “the public interest” is not restricted to the substantial public interest as referred to in Part 2 of Schedule 1 to this Act.”
leave out paragraph (b)
at end insert— A college, school or university is not a public authority or public body for the purposes of the GDPR.”
Leave out Clause 8 and insert the following new Clause— “Child's consent in relation to information society services
Insert the following new Clause— “Parental consent in relation to children under the age of 13 years
after “includes” insert “, without prejudice to the generality of the expression “necessary for the performance of a task carried out in the public interest”,”
at end insert— The Secretary of State may by regulation made under the affirmative resolution procedure add to the illustrative examples of processing that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority set out in subsection (1).”
leave out from “as” to “and” and insert “an age between 13 and 16 years, to be decided by the Commissioner based on relevant evidence and consultation,”
Insert the following new Clause— “Right to protection of personal data
Report stage — Lords 20
leave out line 34
leave out “, subject to subsection (2)”
at end insert— “subject to subsections (1A) and (2).
after “enactment” insert “or rule of law”
leave out paragraphs (a) and (b) and insert— amend Schedule 1 —
leave out paragraph (d)
leave out “affirmative resolution procedure” and insert “super-affirmative resolution procedure under section 18 of the Legislative and Regulatory Reform Act 2006, with references in that section to section 14 to be read as references to this section of this Act”
at end insert— The processing of biometric data meets the requirements of Article 9(4) of the GDPR for authorisation by the law of the United Kingdom or part of the United Kingdom only if it meets the condition in paragraph 11A of Part 2 of Schedule 1.”
at end insert “or a group sharing a protected characteristic, within the meaning of the Equality Act 2010, to which the data subject belongs”
at end insert— A decision is “based solely on automated processing” for the purposes of this Act if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.”
at end insert— provide an explanation of the decision reached.”
at end insert— If a request is made to a controller for an explanation of a qualifying significant decision under subsection (4), the information the controller must provide must include, at least—
at end insert— Where a controller takes or expects to take a qualifying significant decision in relation to a data subject based solely or partially on automated processing, the controller must ensure that the following information is made available to the public via electronic means—
Insert the following new Clause— “Right to protection of personal data
Insert the following new Clause— “Protection of personal data
at end insert— the controller must provide meaningful information to the data subject which will be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests,”
Insert the following new Clause— “Automated decision-making concerning a child
at end insert— The Secretary of State must as soon as practicable after the passing of this Act by regulations require the Commissioner to set standards for the age-appropriate design of relevant information society services accessed by children and that such standards are to be set out in a code in accordance with section (Age-appropriate design code).”
at end insert— A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exemption from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject's rights, freedoms and legitimate interests).”
Insert the following new Clause— “Use of private personal data accounts
3rd reading — Lords 20
at end insert— An information notice does not require a person to give the Commissioner information to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.”
at end insert— An assessment notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.”
at end insert— An enforcement notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.”
at end insert— The Commissioner may not give a controller or processor a penalty notice with respect to the processing of personal data where the purposes and manner of the processing are determined by or on behalf of either House of Parliament.”
leave out “under” and insert “by virtue of”
leave out from beginning to end of line 34 and insert— As regards criminal liability—
leave out subsection (7)
leave out from beginning to end of line 16 and insert— As regards criminal liability—
leave out subsection (6)
leave out paragraphs (a) and (b)
at end insert— This condition is met if the processing is necessary—
at end insert— This condition is met if the processing—
after “provisions” insert “and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject)”
leave out “and (d)”
leave out “a purpose listed in sub-paragraph (2)” and insert “the exercise of a function conferred on a person by an enactment or rule of law”
at end insert— The protection of personal data may not be lawfully restricted or limited unless such restrictions and limitations are consistent with the principle of proportionality.”
after “lawfully” insert “and fairly”
after “data” insert “and to require inaccurate personal data to be rectified”
at end insert— ““children” means people under the age of 18;”
leave out from beginning to end of line 34 on page 128 and insert— This condition is met if the processing—