Lords propose a data ethics code of practice

Lord Stevenson of Balmacara (Labour) has proposed that within six months of passing the Data Protection Act, the Information Commissioner should prepare an ethics code of practice for data controllers. He suggested that in issuing the code, the Commissioner could set out the moral and ethical issues around data processing. The code would include a duty of care from the data controller and the processor to the data subject, and define best practice.

The code would consider, among other things, risks and limitations of new technologies. The code would also provide guidance on default privacy settings, data minimisation standards, presentation and language of terms and conditions, transparency, data sharing and accuracy.

The Information Commissioner would be empowered to issue fines for non-compliance with the code.

During the Lords Committee debate yesterday, Lord Ashton of Hyde, the Parliamentary Under-Secretary of State, said that the government is committed to setting up an expert advisory body on data ethics, but did not agree with expanding the Information Commissioner’s role in the way proposed by Lord Stevenson.

Lord Ashton of Hyde continued that the “Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects.”

He said that the DP Bill allows for a targeted code to be developed, and whilst this is not an issue for the immediate future, the Secretary of State is already looking into setting up a data ethics body which will have an advisory role.

Lord Stevenson also queried the status of the GDPR extraterritoriality provision in the UK DP Bill. He asked the government to confirm whether this provision has been dropped.

“If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty [in making a complaint] if there is no representative, such as in a situation with different foreign laws.”

Lord Ashton of Hyde said that UK residents’ claims against a data controller based in another territory who has breached their data protection rights will be handled with the help of well-established international co-operation on enforcement. “Clause 118 of the Bill and article 50 of the GDPR require her [the Information Commissioner] to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the government do not feel that additional prescriptive requirements would add value.”

He later added: “The applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.”

See http://hansard.parliament.uk/Lords/2017-11-20/debates/934984CA-96BC-43FB-B747-6A5E09B62DAD/DataProtectionBill(HL)

Privacy Laws & Business is running a GDPR Help! Roundtable in London next Thursday, 30 November, which is a peer-to-peer discussion on GDPR compliance challenges and solutions.