Data Protection and Digital Information Bill: what happened at Commons Report Stage?

On Wednesday 29 November, the Data Protection and Digital Information Bill came back to the House of Commons for report stage and Third Reading. (You can also watch the video, or catch up on live tweeting from the Open Rights Group.) Report stage is where MPs vote on the amendments made during committee stage (back in May) – and on the 150+ pages of (mainly government) amendments that appeared a few days before the debate on the 29th. A vote on Third Reading sends the Bill to the Lords. Here’s what happened, seen through the various votes (or divisions) on the Bill.

Sending the Bill back to committee – REJECTED

Division 13: Recommittal Motion

• AYES (in favour) 209 – Labour, SNP, Lib Dems, DUP, independents, Plaid Cymru, SDLP, Alliance, 2 Conservative rebels (David Davis, Marcus Fysh)
• NOES (against) 275 – Conservatives, independents

Before any discussion of the Bill’s substance, Labour’s shadow data minister, Chris Bryant MP, laid a ‘recommittal motion’ to send the Bill back to committee stage for further scrutiny. This was necessary because MPs were unable to do their job of properly scrutinising the Bill: on the last possible day, 182 days after committee stage, the government had tabled 240 amendments (‘a bare tenth’ of which would be mentioned by the minister in debate). He had been told at a meeting on 16 November there would be only a few, minor, technical amendments but there were some extremely significant additions, such as powers for DWP to access data about benefit claimants’ bank accounts (see below). Bryant had even offered the government a deal to get the bill back into and out of committee within a fortnight. Without such a recommittal:

“Some measures will barely get a minute’s consideration today. That is not scrutiny; it is a blank cheque… ‘“legislate at speed, repent at leisure” should not be our motto. Some will say something that is commonly said these days: “Let it go through to the Lords so they can amend it.” But I am sick of abdicating responsibility for getting legislation right. It is our responsibility. We should not send Bills through that are, at best, half-considered. We are the elected representatives. We cannot just pass the parcel to the Lords. We need to do our job properly. We cannot do that today without recommitting the Bill”.

Bryant’s anger was echoed by many others throughout the debate:

• David Davis (Con) agreed that ‘this House is responsible to our constituents and these issues will have a direct impact on them, so we ought to have a strong say over what is done with respect to this Bill’
• Marcus Fysh (Con) lamented ‘that we have not been able to go through this in detail, but we should think about it incredibly hard. It might seem an esoteric and arcane matter, but it is not’
• Stephen Timms (Lab) was concerned the new DWP clauses which gave ‘extremely broad powers, with no checks in place’ came with ‘Zero Commons scrutiny and no opportunity for that to occur’, calling the episode a ‘dreadful course of behaviour and procedure… I find it very hard to see how that can possibly be defended’
• Kate Osborne (Lab) thought the last minute changes ‘risk alienating people even further’ and hoped the House would tell ministers it was ‘entirely improper – in fact, it is completely unacceptable’.

Data minister John Whittingdale replied that the Bill had been scrutinised in depth during committee stage; that he would be happy to address the ‘one or two’ amendments that included new aspects; and expressed his surprise that the Opposition could possibly object to anti-fraud measures.

The government won the vote not to send the Bill back to committee stage – debate on the Bill and various amendments, and votes on some of the amendments, then followed.

Employers processing sensitive data should follow established principles – REJECTED

Division 14: Amendment 11 (Kate Osborne, Labour)

• AYES 200 Labour, SNP, Lib Dem, independents, Plaid, Alba, DUP, Green
• NOES 276 Conservatives, independents

This amendment aimed to ensure that special category data (including health) would be adequately protected in workplace settings. Osborne shared the concerns of the British Medical Association and National AIDS Trust about a loss of trust around healthcare data sharing, and cited the latter’s worry that people’s HIV status could be shared without consent, being justified by being ‘necessary for administrative purposes’ which could put people living with HIV at risk of workplace harassment and discrimination. The government argued this was already covered.

Remove new clauses on automated decision making (ADM) – REJECTED

Division 15: Amendment 224 (Patrick Grady, SNP)

• AYES 37 SNP, Plaid, independents, Alba, Green
• NOES 279 Conservatives, DUP, independents

According to the SNP, clause 12 on automated decision-making ‘fails to offer adequate protections against automated decision making’, noting ‘significant and public concern about AI and its increasingly pervasive impact’. Grady cited the Ada Lovelace Institute: “Against an already-poor landscape of redress and accountability in cases of AI harms, the Bill’s changes will further erode the safeguards provided by underlying regulation.”

Protections for solely automated decisions to apply to partially automated ones – REJECTED

Division 16: Amendment 5 (Chris Bryant, Labour)

• AYES 195 Labour, SNP, Lib Dem, independents, Plaid, Green, Alba
• NOES 273 Conservatives, DUP, independents

Labour acknowledged the potential benefits of automated decision making (ADM) – ‘increasingly personalised and efficient services, to increase productivity, and to reduce administrative hurdles’. But while most parts of the world were trying to make exclusively ADM decisions harder in order to mitigate the risks, the UK was going the other way despite extensive research about harms. They wanted protection to be extended to decisions that were partially, as well as solely, based on automated decision making. The government replied that partially automated decisions already have meaningful human involvement, so no further action was necessary.

Retain existing definition of high-risk processing – REJECTED

Division 17: Amendment 1 (Chris Bryant, Labour)

• AYES 198 Labour, SNP, Lib Dem, independents, Plaid, Green, Alba
• NOES 275 Conservatives, DUP, independents

Labour was ‘pleased’ that the Bill aimed to clarify record keeping around ‘high-risk processing’ of data. But Bryant was ‘perplexed’ that nowhere was that term defined, which would leave it to the ICO (Bryant adding that the ICO also wanted it to be defined in primary legislation). For the government, Whittingdale said this was putting back into the Bill a ‘burden’ they were trying to remove.

Stop government changing rules on ‘democratic engagement’ (political direct marketing) – REJECTED

Division 18: Amendment 218 (Chris Bryant, Labour)

• AYES 194 Labour, SNP, Lib Dem, independents, Plaid, Green, Alba
• NOES 275 Conservatives, DUP, independents

Labour were concerned that these changes would allow a government to change the rules on direct marketing in the run up to an election, including the Secretary of State having powers to allow parties and candidates to rely on a ‘soft opt-in’ (you can get in touch with previous contacts, assuming they are happy to receive marketing from you even though they haven’t explicitly consented). He noted this had not been supported in the initial consultation on the Bill, and quoted a previous line from John Whittingdale to Labour’s former shadow minister: “A future government may want to encourage democratic engagement in the run up to an election by temporarily ‘switching off’ some of the direct marketing rules.” Bryant said: ‘Switching off the rules ahead of an election—does anyone else smell a rat?’ The SNP asked whether this was aligned with rules in the devolved administrations.

The government said they hoped the amendments would bring greater legal certainty and allowed representatives, candidates and recall and referendum campaigns to process data on political opinions.

New powers to let DWP access bank account data – PASSED

Division 19: New Schedule 1 (government)

• AYES 274 Conservatives, DUP, independents
• NOES 52 SNP, Labour (7), Lib Dem, Plaid, Green, Alba, independent

Perhaps the most controversial addition to the Bill. Whittingdale noted welfare fraud led to DWP overpaying £8.3bn in 2022/23, with the under-declaration of financial assets being a major area of loss. The government’s 2022 fraud plan promised to introduce new powers when parliamentary time allowed. Whittingdale claimed the amendment could help save taxpayers £500m by the end of 2028/29 ‘enabl[ing] the DWP to access data held by third parties at scale where the information signals potential fraud or error’, allowing more proactive detection of fraud and error.

There had been no mention of this in the Second Reading debate, nor during the Committee stage. Several MPs raised concerns:

• Stephen Timms and Chris Bryant (Lab) tried to get the minister to confirm that the new powers would allow DWP to look into the bank accounts of anyone claiming a state pension – the minister said that was not the ‘focus’
• Bryant criticised it as ‘a very broad and… poorly delineated power’ and was concerned that the power could have adverse effects on the most vulnerable in society
• Timms highlighted concerns from Citizens Advice and the Child Poverty Action Group and thought the new powers were unnecessary: ‘Indeed, no one has been able to come up with any reason for why it would ever be used.’
• David Davis (Con) described it as the ‘only time that I am aware of where the state seeks the right to put people under surveillance without prior suspicion, and therefore such a power has to be restricted very carefully indeed’
• Patrick Grady (SNP) said there was cross-party agreement on tackling fraud but questioned why these measures had not been in the original draft, and why – given existing powers – it was needed at all.

Third reading of the Bill – PASSED

Division 20

• AYES 269 Conservatives, DUP, independents
• NOES 31 SNP, Plaid, independents, Green, one Conservative rebel (Marcus Fysh)

The government’s main argument for the Bill was that the ‘one-size-fits-all, top-down’ EU approach to data protection leads to confusion; post-Brexit, the UK is able to adopt its own bespoke model that will ‘unlock the immense possibilities of data use to improve the lives everyone in the UK’. (One might ask how a Bill ‘co-designed with industry, for industry’, ignoring consultation responses in various areas and imposing major new measures at the last moment was not ‘top-down’ itself.) He insisted the Bill would not threaten data adequacy with the EU. Amendments not put to a vote covered:

• The UK/US data access agreement and other treaties
• Data controllers processing Subject Access Requests from the public only needing to make a ‘reasonable and proportionate’ search to answer them
• Allowing supplementary codes to be added to the trust framework for digital identity (where, for example, specific sectors – like mortgages or pre-employment checks – might have additional rules)
• ‘Ease burdens on industry’ by allowing organisations more time to report data breaches
• Allowing reuse of personal data for the purposes of archiving in the public interest
• Retaining biometric data, including that received from international partners
• Providing an underpinning for the National Underground Asset Register, including giving the government power to require information and charge those benefiting from the service rather than the taxpayer
• Enabling Smart Data schemes.

Labour agreed with some parts of the Bill, including:

• Some of the changes to the ICO, including strengthening its enforcement powers, restructuring it as the Information Commission, and providing it with a clearer framework of objectives. Labour also welcomed a government amendment meaning the Secretary of State could merely make recommendations about codes of practice, rather than having to approve them
• Establishing a digital identity verification framework (though they thought the government may have underestimated ‘the sheer technicality of such an endeavour’ leading to a lot of amendments, which might not survive the Lords)
• Urging the government to move faster on Smart Data schemes, though noting the Financial Conduct Authority wanted a more phased approach rather than a ‘big bang’
• Agreeing with the intentions around cookies, nuisance calls, and registration of births and deaths but thinking many practical holes remained.

Labour concerns (beyond the amendments covered above) included Subject Access Requests, specifically around changing the threshold for refusals from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’ (noting opposition from the EHRC, Reset, the TUC and Which?), and wanting data controllers to have to provide evidence of why they considered a request vexatious or excessive. The government thought such evidence was not always appropriate and a possible burden.

Labour was in favour of ‘greater clarity and flexibility’ for researchers, public service providers and the private sector with ‘common-sense changes to data protection where it is overly rigid, but the Government do not need to water down essential protections for data subjects to do that’. Their main worries were around ‘extensive’ powers for ministers, direct marketing rules before an election, and the Lords needing to knock the DWP insertions into better shape. It thought the regulatory divergence (read: Brexit dividend) the government wanted from the bill was ‘a bit of a chimera’ and that ultimately convergence between international regulatory systems would give UK businesses more stability and certainty. Despite that, Labour said it supports the Bill, and abstained on the Third Reading vote.

The SNP wondered if this Bill was what Brexit was for – ‘to hand the Government yet more sweeping powers to regulate and legislate without any meaningful oversight in this place? To create additional burdens on businesses and public services, just for the sake of being different from the European Union?’ SNP amendments not moved to a vote included:

• Transferring the powers of the (soon to be abolished) Surveillance Camera Commissioner to the Investigatory Powers Commissioner to avoid a gap in oversight (the government said its changes were removing duplication)
• Removing the government’s ‘crackdown’ on Subject Access Requests from the Bill altogether
• Requiring people to be informed if they had been subject to an automated decision
• Some measures on data use for national security.

The SNP thanked the Public Law Project among others for their work. The SNP said it would oppose the Bill, and voted against – it said the bill ‘risks doing exactly the opposite of what the Government say they want it to achieve: making life easier for business, and improving public confidence in data handling and the use of artificial intelligence’, and that the government should start from scratch.

Other amendments raised in debate but not voted on included:

• Robin Millar (Con) on interoperability and comparability of data (particularly health) between the devolved administrations, something he raised in the Second Reading debate. Labour and the SNP had sympathy for the amendment but could not support it because the devolved governments had not been consulted, while the government said it was committed to comparable UK-wide data.
• David Davis (Con) on ensuring a right to offline or non-digital identity verification, so people lacking the digital literacy or hardware would not be left behind. The government said the digital framework is not mandatory, and contains ‘inclusion’ which would cover such issues.
• Marcus Fysh (Con), chair of the digital identity All Party Parliamentary Group, with various amendments on digital identity verification schemes (including ensuring that companies using data ‘should have to think about what the balance is between a legitimate interest and the data rights, privacy rights and all the other rights that people may have in relation to their data’). He also opposed various Henry VIII clauses giving powers to the Secretary of State, which ‘fundamentally alter the balance… in terms of how individuals and their data relate to the state’ and could concentrate more power with big tech. The government was happy to continue discussion on the technical details of digital identity.
• Jane Hunt (Con) on removing ‘unnecessary and burdensome redaction obligations on police forces’ when sharing data with the Crown Prosecution Service. The government sympathised with the aims of this but didn’t think the drafting would deliver it correctly.
• Kate Osborne (Lab) on removal of checks on police processing and on international data transfers.
• John Penrose (Con) on more detail about the timetable for smart data roll out and interoperability of standards across sectors. The government shared his ‘enthusiasm’ but was worried it could inadvertently cause a hindrance.

And two points carried over from discussions on the Online Safety Act: Jeremy Wright (Con) asked about researcher access to data from social media platforms (the government said that, though there was no amendment, it had been debated in committee and they would be happy to talk further); and Layla Moran (Lib Dem) noted an amendment on allowing coroner access to children’s data needed to be wider (the government said it would continue to work with bereaved families and those raising concerns).

The Bill is expected to be introduced to the House of Lords soon, where it will once again have to go through three readings, committee and reports stages.

Connected by Data is maintaining a page of resources on the Bill, and is also convening regular meetings for civil society on the Bill and other data and AI policy developments – get in touch if you would like to know more.