Data Protection Bill [HL]
Wednesday 13th September 2017
(7 years, 6 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text
Data Protection Bill [HL]
Tuesday 10th October 2017
(7 years, 5 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am delighted to be moving the Second Reading today and look forward gratefully to the help of my right honourable friend the Minister of State at the Home Office and my noble friends Lady Chisholm and Lady Vere.
New technologies have started innumerable economic revolutions, and the pace of change continues to accelerate. It is 20 years since we passed the last Data Protection Act, and since then we have seen the explosive growth of the world wide web, the rise of social media and faster and faster connectivity, powering new devices like the smartphone. The nature of developing technologies such as artificial intelligence and machine learning suggests that continuing transformation and change is the norm.
This has not escaped the notice of your Lordships’ House. Earlier this year we debated many of these issues in the new Digital Economy Act. We have a new Select Committee to examine artificial intelligence, chaired by the noble Lord, Lord Clement-Jones, who is not able to be in his place today as the committee is hearing evidence this afternoon. In March, the Communications Committee published a timely report on growing up with the internet, and just before the Summer Recess the EU Select Committee gave us a very helpful report on data protection. Just yesterday I moved the Second Reading of the Telecommunications Infrastructure (Relief from Non-Domestic Rates) Bill, which will help pave the way for a full-fibre future and 5G. Personal data is the fuel of all these developments. Data is not just a resource for better marketing, better service and delivery. Data is used to build products themselves. It has become a cliché that data is the new oil.
Twenty years ago data protection rights were used to obtain a copy of your credit record or to find out what information about you a public authority had collected. Today we worry daily about cyberattacks, identity theft and online crime. But we are fortunate that our existing laws have protected us well. For all the technological change I have described, we have successfully preserved our rights and freedoms, and we have strong oversight in the shape of an internationally respected Information Commissioner.
Looking ahead, we have three objectives. First, with all this change we need to maintain trust. Data must be secure, with transparency over how they are used and a proportionate but rigorous enforcement regime in place. Secondly, we must support future trading relationships. The free flow of data across international boundaries, subject to safeguards, must be allowed to continue. Thirdly, we must ensure that we can continue to tackle crime in all its guises and protect national security, making sure that our law enforcement agencies can work in partnership domestically as well as internationally.
The Data Protection Bill meets these objectives. It will empower people to take control of their data, support UK businesses and organisations through the change, ensure that the UK is prepared for the future after we have left the EU, and, most importantly, it will make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed. The Bill meets and exceeds international standards, and, with its complete and comprehensive data protection system, will keep the UK at the front of the pack of modern digital economies.
The Bill makes bespoke provision for data processing in three very different situations: general data processing, which accounts for the vast majority of data processing across all sectors of the economy and the public sector; law enforcement data processing, which allows the effective investigation of crime and operation of the criminal justice system while ensuring that the rights of victims, witnesses and suspects are protected; and intelligence services data processing, which makes bespoke provision for data processed by the three intelligence agencies to protect our national security.
The reform of protections for the processing of general personal data will be of greatest interest to individuals and organisations. We are setting new standards for protecting this data in accordance with the general data protection regulation, known as the GDPR. Individuals will have greater control over and easier access to their data. They will be given new rights and those who control data will be more accountable.
In our manifesto at the general election we committed to provide people with the ability to require major social media platforms to delete information held about them, especially when that information related to their childhood. The new right to be forgotten will allow children to enjoy their childhood without having every personal event, achievement, failure, antic or prank that they posted online to be digitally recorded for ever more. Of course, as new rights like this are created, the Bill will ensure that they cannot be taken too far. It will ensure that libraries can continue to archive material, that journalists can continue to enjoy the freedoms that we cherish in this country, and that the criminal justice system can continue to keep us safe.
The new right to data portability—also a manifesto commitment—should bring significant economic benefits. This will allow individuals to transfer data from one place to another. When a consumer wants to move to a new energy supplier, they should be able to take their usage history with them rather than guess and pay over the odds. When we do the weekly supermarket shop online, we should be able to move our shopping list electronically. In the digital world that we are building, these are not just nice-to-haves; they are the changes that will drive innovation and quality, and keep our economy competitive.
The Bill will amend our law to bring us these new rights and will support businesses and others through the changes. We want businesses to ensure that their customers and future customers have consented to having their personal data processed, but we also need to ensure that the enormous potential for new data rights and freedoms does not open us up to new threats. Banks must still be allowed to process data to prevent fraud; regulators must still be allowed to process data to investigate malpractice and corruption; sports governing bodies must be allowed to process data to keep the cheats out; and journalists must still be able to investigate scandal and malpractice. The Bill, borrowing heavily from the Data Protection Act that has served us so well, will ensure that essential data processing can continue.
Having modernised our protections for general data, in Part 3 the Bill then updates our data protection laws governing the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill will strengthen the rights of data subjects while ensuring that criminal justice agencies can continue to use and share data to investigate crime, bring offenders to justice and keep communities safe. The Bill does not just implement the recent directive on law enforcement data protection; it ensures that there is a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector.
People will have the right to access information held about them, although there are carefully constructed exemptions to ensure that investigations, prosecutions and public safety are not compromised. People will always have the right to ensure that the data held about them is fair and accurate, and consistent with the data protection principles.
Part 4 protects personal data processed by our intelligence agencies. We live in a time of heightened and unprecedented terrorist threat. We are all grateful for the work done to protect us, especially by those whom we see every day protecting us in this House. The intelligence services already comply with robust data-handling obligations and, under the new Investigatory Powers Act, are subject to careful oversight. My noble friend Lady Williams signed the latest commencement order in August to bring into force provisions relating to the oversight of investigatory powers by the Investigatory Powers Commissioner and the other judicial commissioners.
Data processing by the intelligence agencies requires its own bespoke data protection regime, not least because the GDPR standards were not designed for this kind of processing and data processing for national security purposes is outside the scope of EU law. That is why this part of the Bill will instead be aligned with the internationally recognised data protection standards found in the draft modernised Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data.
Noble Lords will be familiar with the role of the Information Commissioner, whose role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Bill provides for her to continue to provide independent oversight, supervising our systems of data protection, but we are also significantly enhancing her powers. Where the Information Commissioner gives notices to data controllers, she can now secure compliance, with the power to issue substantial administrative penalties of up to 4% of global turnover. Where she finds criminality, she can prosecute.
The Bill modernises many of the offences currently contained in the Data Protection Act, as well as creating two new offences. First, as recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. To elaborate, huge datasets are used by researchers, as well as by those developing new methods of machine learning, and these are often pseudonymised to protect individual privacy. We need to ensure that those who seek to gain through re-identification are clear that we will not tolerate assaults on individual privacy, nor on the valuable data assets that are fuelling our innovative industries.
Secondly, the Bill creates a new offence of altering or destroying personal data to prevent individuals accessing it. Such an offence is already in place in relation to public authorities, but now it will apply to data controllers more generally. We are equipping the commissioner with the powers to deal with a wider range of offending behaviour.
Cybersecurity is not just a priority for the Government but a deep running concern of this House. Effective data protection relies on organisations adequately protecting their IT systems from malicious interference. Our new data protection law will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. Generally, that means better cybersecurity controls.
Under the new data protection framework, if a data breach risks the rights and freedoms of an individual, data controllers—both for general data and law enforcement purposes—are required to notify the Information Commissioner within 72 hours of the breach taking place. In cases where there is a high risk, businesses must notify the individuals concerned. This landmark change in the law will put the need for serious cybersecurity at the top of every business priority list and ensure that we are safer as a nation.
As we move into the digital world of the future, the Data Protection Bill will both support innovation and provide assurance that our data is safe. It will upgrade our legislation, allowing the UK to maintain the gold standard in this important field. Of critical importance, strong protections of personal data are the key to allowing free flows of data to continue between the EU and UK as we build a new partnership. I look forward to hearing noble Lords’ comments on the Bill. I beg to move.
Lord Stevenson of Balmacara (Lab)
My Lords, I thank the Minister for his comprehensive introduction to the Bill. I look forward to working with him, in what seems to be a never-ending stream of legislation from the previously rather quiescent DCMS. This is our sixth Bill together, and long may it continue.
The Minister mentioned his talented team joining him on the Front Bench—this is a joint venture between the DCMS and the Home Office. On my side, I am joined by my noble friend Lord Kennedy and supported by my noble friends Lord Griffiths and Lord Grantchester.
I congratulate the Bill team on the excellence of the paperwork that we have received—I am sure everybody has read it, word for word, all the way through; it is worth it. They are obviously ahead early in the “Bill team of the year” stakes, a prize which they won easily last time on the Digital Economy Bill, and they are building on that.
We also welcome the chance to debate the excellent House Of Lords EU Committee report, not least because of the substantial weight of evidence that it has brought to this debate, which I will refer to later.
This is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may—who knows?—change it substantially. Even without that, it has 300 paragraphs and 18 schedules, one of which helpfully signposts the way that the Government intend to make changes to the Bill so that the GDPR becomes domestic law when we leave the EU, even though the amendments to make that happen will actually be made by secondary legislation. This is “Hamlet” without the prince.
The GDPR itself, which runs to 98 paragraphs—or articles, as it calls them—and which will be the new data-processing law that comes into force in May 2018 whether or not we in Parliament have agreed it, is not actually printed in the Bill. That therefore raises the concern that—post Brexit, courtesy of another, separate Bill, probably by secondary legislation—the regulations will become UK law without ever having been scrutinised by either House of Parliament. I wonder if other noble Lords share my feeling that this is a bad precedent and, if so, what we might do about it. I suspect that this decision might have made sense were we to stay in the EU but we are going to leave, so there is a gap in our procedures here. That is compounded by the fact that this is a Lords starter Bill that comes to us without the benefit of consideration in the other place, and particularly without the usual evidence-taking sessions that ensure that a Bill meets the needs of those affected by it.
I have a suggestion: given the expertise displayed in the EU Committee report HL Paper 7 that we are debating in parallel today, could the authorities arrange for that committee to look carefully at the Bill and at the GDPR in its printed form and arrange for that committee to bring forward either a report or simply a testimony about what the GDPR contains, how it is reflected in the Bill and how it works? It would help the House to do the job that we ought to be doing of scrutinising this legislation. I gather that the committee is due to meet shortly and perhaps the noble Lord, Lord Jay, who speaks in a few minutes, might respond if he can. I am sorry for embarrassing him if he is not prepared for that.
The Government claim that the Bill,
“will bring our data protection laws up to date”,
and,
“ensure that we can remain assured that our data is safe as we move into a future digital world”.
We will probe that rather florid assertion in Committee over the next few weeks, paying particular reference to the needs of business to have certainty about the rules that will be applied in this key sector of our economy in the medium and long term and the need for consumers, particularly vulnerable people and children, to be better supported and protected in this brave new digital world. What we are embarking on here is the precursor to the legislative nightmare that will accompany all our Brexit discussions. As we will hear from the noble Lord, Lord Jay, and others from the EU Committee who considered this, the key issues are what will happen if we leave the Common Market and the customs union, and whether there are any ways in which the Government can secure unhindered and uninterrupted flows of data between the UK and EU post Brexit. The report concludes that,
“any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage”.
In his opening remarks, the Minister said all the right things about the Government’s commitment to unhindered and uninterrupted flows of data post Brexit, but the Bill comprehensively fails to set out how they plan to deliver that outcome. Worse, it may contain measures in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement, which is the only card that they have left to play post Brexit. You could not make it up.
Some 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with EU member states. Even if the Bill successfully aligns UK law with the EU data protection framework as at 25 May 2018, that does not mean that the Bill makes proper provision for the future. On the UK’s exit from the EU, the UK will need to satisfy the European Commission that our legislative framework ensures an “adequate level of protection”, but achieving a positive adequacy decision for the UK is not as uncontentious as the Government think. Under article 45, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security and criminal law when it makes its decision. As has already been pointed out by several commentators, the current surveillance practices of the UK intelligence services may jeopardise a positive adequacy decision, as the UK’s data protection rules do not offer an equivalent standard of protection to that available in the rest of the EU. We will need to pursue this disjuncture in Committee.
The Government seem to have lost sight of the need to ensure continuity during the transition period and afterwards. Surely they must have measures in place to reassure businesses that they will pass the adequacy test and ensure “stability and certainty”, particularly for SMEs, as pointed out by the European Union Committee. If there was any doubt about the importance of this, I draw the attention of your Lordships to a briefing from the ABI which states that the ability to transfer data between firms in different jurisdictions is of particular importance to our insurance and long-term saving providers, who rely on data to provide their customers with the best products at the best price. The association goes on to say that:
“Losing the ability to access, and make use of, European and international data flows risks isolating the UK from the increasingly globalised market. Creating a system where UK insurers have to abide by dual or multiple regulatory systems in order to transfer data internationally will create inefficiencies, legal uncertainty, and risks damaging the global competitiveness of UK insurance”.
My second point was also raised by the European Union Committee. It is about how to establish sustainable longer-term arrangements, about which the Bill is remarkably silent. Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, once we leave the EU, policies will be developed within the EU 27 without our input. The EU will inevitably amend or update its rules either by new regulations or by case law derived from ECJ/EU decisions. This is of course a toxic issue for Brexiteers, but it needs to be addressed in the Bill and, no doubt, in many other areas. Perhaps a way forward here would be for the Information Commissioner to have a duty placed on her to make regulations which reflect the changes taking place in the EU, or the Bill could provide for some form of lock-step arrangement under which statutory instruments would be triggered when UK laws need to be amended. We will look at this again in Committee.
I turn now to data protection. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or the private sector, is important for everyone. If we cannot get this right in the Bill, people will not benefit to the fullest extent possible from the new data-handling services which are coming on stream now and in the future. We welcome the Government’s decision—a rather surprising one—to gold-plate some of the requirements of the legal enforcement directive, particularly the fact that the Bill will ensure that for the first time the data protection regime applies to the intelligence services. Indeed, as the Information Commissioner has observed, including these provisions in a single piece of primary legislation is welcome, although there is a need for much more detail about how this will work in practice.
My point on this is that there seems to be an imbalance in the Bill, with much more consideration being given to the rights of data subjects. At a time of increasing concern about the use and misuse of personal data, is there not a need for a broader and far more ambitious set of regulatory structures for data capitalism, as it is now called? The big tech companies have for far too long got away with the conceit that they are simply neutral platforms. They are not; they are active media and information companies, and their stock market valuations are based on the data flows they generate and how they can be monetised. With that role surely should come broader societal responsibilities, but the Bill does not go into this area at all. There is nothing about regulating fake news, no attempt has been made to ensure that data companies are covered by competition and other regimes which apply to media companies, and there are no proposals to deal with the allegations being made about undue influence by social media companies and others on politics and elections both here and in the US. We will certainly table amendments in this area.
On more concrete issues about the rights of data subjects, we have a number of issues to pursue, although today I shall concentrate on only three: children and the “age of consent”, the rights of data subjects in relation to third-party use of their data, and the proper representation of data subjects. I shall end with some thoughts on the Leveson report and its implications for this Bill.
The Bill proposes to set the age at which children can consent to the processing of their data through “information society services” which include websites and social media platforms at 13 years. That is a surprising decision and no credible evidence has been adduced to support it. Understandably, there is much concern about this low age limit, particularly as the general data protection regulation gives discretion in a range up to 16 years of age. Last month, the Children’s Commissioner for England said:
“The social media giants have … not done enough to make children aware of what they are signing up to when they install an app or open an account”.
These are often the first contracts a child signs in their life, yet,
“terms and conditions are impenetrable, even to most adults”.
I think we can all say “Hear, hear” to that. The commissioner also said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online”.
Setting an age limit of 13, or even 16, would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory. Perhaps the Government could respond on that point.
The Children’s Society argues that if companies continue to rely on their current practices—whereby they allow only over-13s to have an account but have no age verification process to check that children who are consenting are the age they state themselves to be—then there will continue to be widespread breaches of both the companies’ own rules and this new Data Protection Act. In the Bill, it is unclear how breaches will be handled by the Information Commissioner and what penalties will be put in place for those companies failing to verify age properly.
There is also no consideration in the Bill about capacity, rather than simply age, or protection for vulnerable children. Although there are arguments for setting the age limit higher—or indeed lower—there is surely a need both for proper evidence to be gathered and for a minimum requirement for companies to have robust age verification systems and other safeguards in place before any such legislation is passed. We will pursue that. There is also the question of the overlap this derogation has with the right to be forgotten, which the Minister mentioned. That right kicks in only at age 18; we need to probe why that is the case and how that will work in practice.
During Committee, we want to check that the current rules affecting data subjects’ personal data are unchanged by the new laws. Taking the data of workers and prospective workers as an example, there are concerns about where personal data has been collected: it should be gathered, used and shared by employers only following affirmative, meaningful consent. The recent disgraceful cases of blacklisting come to mind in that respect, and we are also concerned about whistleblowers’ rights. The House has been very strong on that point.
Concern about the increasing use of algorithms and automatic data processing needs to be addressed, perhaps requiring recording, testing and some level of disclosure about the use of algorithms and data analysis, particularly when algorithms might affect employment or are used in a public policy context. Related to that is the question of the restriction on data subjects’ rights in relation to processing data contained in documents relating to criminal investigations. Here, we agree with the Information Commissioner that the provision, as drafted, restricts not just access rights but the right to rectification, the right to erasure and the restriction of processing. We welcome greater clarification on the policy intent behind this as we go into Committee.
We welcome the Government’s proposal for an offence of knowingly or recklessly re-identifying de-identified personal data without the data controller’s consent. The rapid evolution of technology and growth in the digital economy has led to a vast increase in the availability and value of data. There is a clear need for robust safeguards against misuse in this area.
On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.
The wider question here is perhaps whether data subjects in general, particularly vulnerable ones, have sufficient support in relation to the power of media companies that want to access and use their data. Does any of us know what really happens to our data? The Information Commissioner’s Office already has a huge area of work to cover and may struggle to cover all its new responsibilities. Having a better system for dealing with complaints submitted by civil society bodies may be a good first step, but I wonder whether we might think harder about how this will be organised—perhaps modelled on the Caldicott data guardians.
Finally, there has been a lot of debate since the publication of the Leveson report on the cultural practices and ethics of the press, particularly on the role of a future regulatory framework. There has been far less discussion on Lord Leveson’s recommendations to extend data protection regulation. I reassure the Government that we do not see this Bill as an opportunity to rerun many of the excellent debates or table amendments that we have already considered in your Lordships’ House in recent years. Of course, much remains to be done in this field, and the Government’s lack of action is a national disgrace and a flagrant betrayal of the victims who trusted them and gave them a once-in-a-generation chance to sort out the situation, which they have comprehensively failed to take. However, if amendments of this type come forward, we will consider them on their merits, although a better approach would be for an all-party consensus to try to bridge the gap once and for all between the press and Parliament. I hope to have further discussions on this point.
I give notice that we will table amendments which probe why the Government have decided not to bring forward the Leveson recommendations covering: exemptions from the Data Protection Act 1998, available for investigative newsgathering by journalists; extending the scope for statutory intervention over the press by the Information Commissioner; and changes to the power, structure, functions and duties of the ICO relevant to the press. We will also probe whether the Government intend to implement amendments previously made to Section 55 of the Data Protection Act by virtue of Section 77 of the Criminal Justice and Immigration Act 2008, which would allow terms of imprisonment of up to two years to be imposed for offences of unlawfully obtaining disclosure of personal data. As the Information Commissioner has previously noted, this has much wider application than just to the press, because there is an increasing number of cases of blagging and unauthorised use of personal data which must be stopped.
The Government have set themselves a very tight timetable to pass this Bill into law before the end of April 2018. We will support the main principles of the Bill, but, as indicated above, many areas need to be scrutinised in depth before we can agree to them. I hope that we can gather more evidence and find a way of bringing Hamlet back into the play by looking in detail at the GDPR before it becomes the law of the land. If data is the new oil, we owe it to the country and particularly our children to get this right and to get our laws fit for the digital age.
Lord McNally (LD)
My Lords, I am delighted to follow the noble Lord, Lord Stevenson, in this debate. I am a little puzzled, because some months ago I took part in a rather emotional debate where we said farewell to him on the Front Bench and, since then, they seem to have been working him harder than ever. As the Minister will already have gathered from his intervention, although he can look to the noble Lord’s support for the Bill, in many parts it will be like Lenin’s support for the social democrats: like a rope supports the hanging man. We will look forward to working with the noble Lord, Lord Stevenson, on many of the points that he has raised, not least on part 2 of Leveson.
I open this debate for the Liberal Democrats because, as the Minister has already explained, my noble friend Lord Clement-Jones is chairing the Committee on Artificial Intelligence this afternoon. He will return to the fray later in the Bill’s passage to do a lot of the heavy lifting with my noble friend Lord Paddick.
While wishing the Bill well, our approach will be to try to ensure that individuals have to the maximum extent possible control of their own data and that data are used responsibly and ethically by individuals and by both public and private bodies. This will be of particular concern in law enforcement areas where, for example, the use of algorithms throws up concerns about profiling and related matters.
It is clear that the Brexit decision and timetable will cast a long shadow as we debate the Bill. The Information Commissioner, Elizabeth Denham, has already warned that data adequacy status with the EU will be difficult to achieve within the Government’s Brexit timetable and a major obstacle has been erected by the Government themselves. The European withdrawal Bill makes it clear that the EU Charter of Fundamental Rights will not become part of UK law as part of the replication process, yet Article 8 of the charter relating to personal data underpins the GDPR. How then will we secure adequacy without adhering to the charter?
As the noble Lord, Lord Stevenson, indicated, there are many other issues relating to the GDPR and Brexit, particularly the need to examine and test the derogations in the Bill, which I am sure will be raised by colleagues and others and which we will probe further in Committee.
While referring to the Information Commissioner, I put on record our view that the Information Commissioner’s Office must continue to be adequately funded and staffed during this period of great uncertainty. The biggest changes since our debates on the Data Protection Act 1998, or even the early stages of the GDPR, which I was involved in as a Minister at the MoJ from 2010 to 2013, is that the threat to civil liberties and personal freedoms now comes not only from agencies of the state but from corporate power as well.
A week today, on 17 October, the Royal Society of Arts will host a discussion entitled “The Existential Threat of Big Tech”. The promotion for this event says:
“The early 21st century has seen a revolution in terms of who controls knowledge and information. This rapid change has profound consequences for the way we think. Within a few short decades the world has rushed to embrace the products and services of four giant corporations: Amazon, Facebook, Apple and Google. But at what cost?”.
That question prompts an even more fundamental question. We have become accustomed to the idea that some financial institutions are too big to fail. Are we approaching a situation where these global tech giants are too big to regulate? As a parliamentarian and democrat, every fibre of my being tells me that that cannot be so. We have to devise legislation and have the political courage to bring the global tech giants within the compass of the rule of law, not least in their roles as media operators, as the noble Lord, Lord Stevenson, indicated.
These modern tech giants operate in a world where the sense of privacy which was almost part of the DNA of my own and my parents’ generation is ignored with gay abandon by a generation quite willing to trade their privacy for the benefits, material and social, that the new technology provides. That is why we are so indebted to the noble Baroness, Lady Lane-Fox. Her speech in the debate she initiated in this House on 7 September is required reading in approaching the Bill. That speech contains her oft-repeated warning about sleepwalking to digital disaster, but it also robustly champions the opportunities open to a digitally literate society. I know that she will have an ally in my noble friend Lord Storey in championing better and earlier digital education in schools. The noble Lord, Lord Puttnam, recently pointed out that Ofcom already has an existing statutory duty to promote digital education. It will be interesting to learn how Ofcom intends to fulfil that obligation.
The elephant in the room always in discussing a Bill such as this is how we get the balance right between protecting the freedoms and civil liberties that underpin our functioning liberal democracy while protecting that democracy from the various threats to our safety and well-being. The sophisticated use of new technologies by terrorist groups and organised crime means that we have to make a sober assessment of exactly what powers our police and security services need to combat the terrorist attack and disrupt the drug or people trafficker or the money launderer. The fact that those threats are often overlapping and interconnected makes granting powers and achieving appropriate checks and balances ever more difficult.
On the issue of crime fighting, I recently attended a conference in the Guildhall, sponsored by the City of London Corporation, the Atlantic Council and Thomson Reuters. Its title was “Big Data: A Twenty-First Century Arms Race”. It could have been called “Apocalypse Now”, as the threat to business, the state and the individual was outlined, from existing technologies and from those fast approaching and identified. I was encouraged that there seemed to be an appetite in the private sector to co-operate with the police and government to ensure that big data can be effectively tamed to ensure better compliance, improve monitoring and reporting and prevent illicit financial flows. I will be interested to know whether the Government have a similar appetite for public/private co-operation in this area.
One point was made with particular vigour by Thomson Reuters. With offerings such as World-Check, it plays a key role in Europe and globally in helping many private sector firms and public authorities identify potential risks in their supply chains, customers and business relationships. It made it clear that it will be needing a number of clarifications in the Bill so that it will be able to continue to provide its important services, and we will probe those concerns and the concerns of others in the private sector in Committee.
In Committee we will also seek to raise concerns brought to us by Imperial College London and others about the efficacy of Clause 162 on the re-identification of de-identified personal data. We will need to probe whether the clause is the best way of dealing with the problem it seeks to address. I notice that the noble Lord, Lord Stevenson, gave it his approval, as did the Information Commissioner, but it is a legitimate question.
There is no doubt that the greater transparency and availability of data provided by government has contributed to citizens’ better understanding of and access to government information and services, but public concerns remain about the use of data in certain sectors. For example, although there are clear benefits to medical research from giving researchers access to anonymised medical data, it remains a matter of concern to the public, the media and the profession itself. Your Lordships will have received a briefing from the BMA on the matter and I am sure probing amendments will be required in Committee.
I am by nature an optimist, so I believe the noble Baroness, Lady Lane-Fox, when she tells us, as she did in this House a month ago, that,
“we can harness the power of these technologies to address the other great challenges we face”.—[Official Report, 7/9/17; col. 2110.]
In my youth I read Robert Tressell’s The Ragged Trousered Philanthropists, a parable about how working men were complicit in their own exploitation. We are in danger of becoming the 21st century’s ragged trousered philanthropists if we do not have a framework of law by which we can constrain big data from misusing the information we so profligately provide every day in every way.
I do not believe that sprinkling Bills with Henry VIII clauses is an answer to the challenge of future-proofing. Perhaps there is a case for expanding the remit of the National Data Guardian to act as an early warning system on wider data abuse—or that of the Information Commissioner or our own Select Committee—but there is a need. I fear that without some permanent mechanism in place, we will be for ever running up the down escalator trying to match legal protections to technical capacity. But that is no excuse for not trying to improve the Bill before us. We will work with others so to do. Looking at the speaking list, the Minister is not going to be short of good and expert advice on how to do that.
Lord Jay of Ewelme (CB)
My Lords, it is always a pleasure to follow the noble Lord, Lord McNally. It is always a good thing when one optimist follows another. As chairman of the EU Home Affairs Sub-Committee, I will speak mainly about the EU Committee’s report on the EU data protection package, which we are debating alongside the Second Reading of the Data Protection Bill.
I understand that it is unusual procedure to debate a committee report alongside a Bill but I believe that it makes sense on this occasion. As the noble Lord, Lord Stevenson, said, the committee meets shortly—indeed, tomorrow—and I am sure it will consider his proposal, but taking into account how that would fit in with the traditional role of the committee and the programme we already have before us, I am sure the noble Lord will forgive me if I do not go further than that at this stage. We have not yet received a response to our report from the Government, which we await with keen anticipation, but we are pleased that this Second Reading debate has given us an opportunity to bring the EU Committee’s findings to the attention of the House.
In their recent Brexit position paper, The Exchange and Protection of Personal Data—A Future Partnership Paper, the Government said that they wanted to maintain free and uninterrupted data flows with the EU after we leave; and in proposing a new security and criminal justice treaty between the UK and the EU in her recent Florence speech, the Prime Minister laid out her ambition for a model underpinned by, among other things, high standards of data protection. Our report supports this objective: free and uninterrupted data flows matter to us all. But the committee was struck by the absence of clear and concrete proposals for how the Government plan to deliver that objective. The stakes are high, not least because the introduction of greater friction in data transfers could present a real barrier to future trade. It is hard to overstate the importance of cross-border data flows to the UK economy. Getting on for half of all large EU digital companies are based in the UK, and three-quarters of the UK’s cross-border data flows are with EU countries. What is more, any impediments to data flows following our withdrawal from the EU could seriously hinder police and security co-operation, and that means that lives, not just money, are at stake.
In our report, we considered four elements of the EU’s data protection package: the general data protection regulation—the GDPR—which the Data Protection Bill seeks to transpose into UK law; the police and criminal justice directive; the EU-US privacy shield, and the EU-US umbrella agreement. Both the regulation and the directive will enter into force in May 2018, while we are still a member of the EU. The agreements with the US are already in force, but will cease to apply to the UK after our withdrawal. Our report considers the Government’s policy options both short and long term.
The committee wanted first to look at possible data protection arrangements once the UK becomes a third country outside the EU, and we heard evidence on two broad options. The first option is for the UK Government to secure a so-called adequacy decision from the European Commission which would certify that the UK offered a standard of protection that was “essentially equivalent” to EU data protection standards. To date, the Commission has adopted 12 such decisions. The second option would be for individual data controllers and processors to adopt their own safeguards using tools such as standard contractual clauses and binding corporate rules. Our report comes to a clear conclusion that this second option would be less effective. The tools available to individual data controllers, including small businesses, are bureaucratic and would be vulnerable to legal challenges. We therefore agree with the Information Commissioner that the Government should seek an adequacy decision for the UK as a whole. This should offer certainty for businesses, particularly SMEs. It would also follow the approach taken by Switzerland, which has secured an adequacy decision from the EU. I am therefore pleased that the Government’s position paper also calls for a future relationship that builds on the adequacy model.
But there is a fly in this particular ointment. The general data protection regulation only provides for adequacy decisions for third countries, not countries leaving the EU. Decisions also follow a lengthy procedure, so the chances of having an adequacy decision in place by March 2019 are small. So to avoid a cliff edge, we will need transitional arrangements. The Government’s position paper acknowledges this but lacks detail. I hope that in responding to this debate the Minister will update us on the Government’s thinking on transition and perhaps provide some more of that detail. In particular, I hope that as a Home Office Minister she can comment on the risks facing law enforcement. One of the most striking findings in our inquiry was that as a third country the UK could find itself held to higher standards of data protection than as a member state. This will be the case both when the European Commission considers an adequacy decision and when the UK’s data retention and surveillance regime is tested before the Court of Justice, at which point we will no longer be able to rely on the national security exemption enjoyed by member states under the EU treaties. The United States has fallen foul of EU data protection law in the past, and it is not impossible that the United Kingdom will do the same when it is no longer a member state.
On a related theme, the committee also considered whether the UK’s data protection regime would continue to be influenced by EU legislation after withdrawal. What we found was that the general data protection regulation will continue to apply to transfers of personal data from the EU to the UK, significantly affecting UK businesses that handle EU data. If we obtain an adequacy decision, the rulings of the new European Data Protection Board and the Court of Justice will have an effect, albeit indirectly, by altering the standards that the UK will need to maintain an adequate level of protection. This means that there will be no clean break. We will also continue to be affected by EU rules on the onward transfer of personal data to third countries. This could be a particular problem in the field of security, whereby our approach to sharing personal data with, say, the United States could put any adequacy decision at risk. In summary, it seems likely that EU and UK data protection practices will need to remain alive long after we leave the EU.
The Bill that we are debating today reflects a comprehensive EU data protection regime which has been heavily influenced over the years by the United Kingdom. Withdrawal from the EU means that we stand to lose the institutional platform from which we have exercised that influence. The committee’s report therefore concludes that the Government must aim to retain the UK’s influence wherever possible, starting by securing a continuing role for the Information Commissioner’s Office on the European Data Protection Board. I am glad that the Government’s data protection position paper spells out our aim to do just that, but in the longer term, the Government will also need to find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and the global level. The continued success of our commercial and security relations with the EU will depend on that.
The Lord Bishop of Chelmsford
My Lords, I thank the noble Lord, Lord Jay, for enabling us to discuss the EU data protection package alongside the Data Protection Bill, but I will address my comments to the Bill.
Although I also welcome the rights and protections for children that the Bill offers, not least the right to be forgotten, there is one very important point of detail where reconsideration is urgently needed, which has already been mentioned by the noble Lord, Lord Stevenson, namely the age of consent for children to give their personal information away online in exchange for products and services without a parent or guardian needing to give their permission. The proposals in Clause 8, as we have already heard, set this age of consent at 13. However, a recent YouGov survey of the public commissioned by the BCS, the Chartered Institute for IT, shows very little support for this. Indeed, a whopping majority of 81% thought the age should be set at either 16 or 18. The Bill’s Explanatory Notes state that the Government have chosen this age—the youngest possible allowed under the incoming GDPR rules—because it is,
“in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.
In other words, a de facto standard age of consent for children providing their personal information online has emerged, and that age has been set by the very companies that profit from providing these services to children. It might be that 13 is an appropriate age for consent by children to give their information away online, but surely that should be decided in other ways and with much greater reference to the public, and I do not think this has happened. It is certainly at odds with the results of this recent survey.
Moreover, Growing Up with the Internet, the recently published report of the Select Committee on Communications, on which I am privileged to serve, examined the different ways in which children use the internet through the different stages of childhood. We received lots of evidence that lumping together all young people between the ages of 13 and 18 was really not helpful, and that much more research was needed. To bow to the commercial interests of Facebook and others therefore feels at the very least premature, and the example of its usefulness given in the Explanatory Notes—that this would somehow ease access to,
“educational websites and research resources”,
so that children could “complete their homework”—somewhat naïve, particularly in the light of other conclusions and recommendations from the Growing Up with the Internet report, not least that digital literacy, alongside reading, writing and arithmetic, should be considered a “fourth R”; that the Government should establish the post of a children’s digital champion at the centre of government; that children must be treated online with the same rights, respect and care that has been established through regulation offline; and that all too often commercial considerations seem to be put first. So 13 might be the right age but it might not, and at the very least, further consultation with the public and with parents is needed.
Baroness Neville-Jones (Con)
My Lords, it is a great pleasure to follow the right reverend Prelate, who has touched on one of the points that have attracted most attention since the Bill was published and began to generate comment. I also hope that the committee of the noble Lord, Lord Jay, might be able to give us some kind of report and assessment on GDPR because, while I think the Bill is important in its own right, it is quite awkward to discuss it in the absence of a very important part of the regulations that will apply in this country or any assessment of the linkages or potential disparities that may exist between the two. I beg that the committee might consider this a priority.
I think the House will agree that this is an important use of legislation, and its scope is—necessarily, I think—very large. There is no real activity in society these days that does not generate data that is processed in some way. Because of the scale of data creation—the figures are extraordinary—usage continues to grow exponentially and personal data is extremely bound up in all that. All of us are affected by the data world. It is increasingly obvious that the functioning of the economy and of public services depends on the availability, accuracy and security of data. It is also key to wealth creation. It has become very clear in the series of strategies that the Government are producing at the moment that data lies absolutely at the heart of the way in which this country will be able to make its way forward and remain a prosperous society, and therefore that we have to get the regulation of data right. It is the basis on which we will advance general knowledge and welfare in society.
The Government have produced a Bill that enables us to tackle detail, and it is the detail on which this House will focus in later stages. It is impossible in a discussion of this kind to do justice to all the angles. I shall in later stages want to focus on the cyber and national security elements, but today I shall focus on what I regard as a potential opportunity, provided we get the regulatory framework right. That is research, which has not featured much so far in our deliberations.
The abundance of datasets that society simply has not had before opens up to us the possibility of types of research which can lead us to enormous discovery and greater beneficial activity and welfare. For instance, it will enable medicine to be put on an essentially personalised rather than generic basis, and the UK should have a huge advantage in the longitudinal data that the NHS possesses, which no other country can rival. It ought to be something where we can make a real pitch for both advancing welfare and increasing wisdom, knowledge and wealth in our society. Obviously, that depends on the use of data being proper and the regulation of it not getting in the way, which is not a theoretical issue. Existing legislation, which comes largely from the EU, combined with the way in which the precautionary principle has sometimes been applied, means that some kinds of trials in some fields in this country have now become so difficult to conduct within the EU that companies engaging in them have decamped elsewhere—often to the United States—to the intellectual and commercial impoverishment of Europe. That is a practical illustration of how important it is to get the balance between trying to regulate against abuse and the opportunities that you should leave open.
As the UK leaves the EU, it will be essential—I use the word “essential”—for the UK to be able to demonstrate adequacy. I hope the Government will assure us on that point and produce the necessary regulatory framework to enable it to happen. Some very big issues here have already been mentioned and I will not repeat them. Adequacy does not mean that the UK should simply cut and paste all EU legal provisions where reliance on national law and derogations are real options in front of us. There are some where we should be availing themselves of them. Nor do we need to make privacy safeguards—which are very important—so demanding that they become self-defeating, standing in the way of benefiting patients, in the case of medicine, and the community more generally.
The Government have made it clear that they want the Bill to support research, which is extraordinarily welcome. I hope that when she replies, the Minister will be able to say something about how the Government will approach the changes that will be needed to deal with research issues in the UK. The Bill classes universities as public bodies, and universities lie at the core of the research community. It is fair enough for universities to be classed as public bodies—that is what they are—but the legislation then denies them the right to invoke public interest, or even legitimate interest, as a basis for their research, and thus obliges them to seek explicit consent when using data at every stage of processing. This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary. You can get a situation in which unexpected and unplanned-for research is available and could yield real dividends. That is especially true of interventional research. If, as a result of wanting to take it to a further stage, the data processing demands that there should be another round of explicit consent, you get into a situation whereby universities—unlike some of the public bodies in government, which do not have to follow this procedure—have to go round again to all those who offered their personal data in the first place. Seeking the consent of holders of the data anew may simply not be possible, especially in long-term research projects. People move house or become incapable; they also die.
Even if those problems can be overcome—and I think they are real—there is a question of proportionality. Why make consent so onerous that it makes research too difficult in practice and too costly to engage in? There needs to be greater proportionality on this issue and greater alignment between the various bodies that use data in this way, and there needs to be some alternative to consent as the basis for engaging in some kinds of research. Numerous government mechanisms are available, not least ethics committees, which are a key component of modern research and could provide the necessary safeguards against abuse. I recognise that there need to be safeguards, but I suggest that we should use some imagination in how they could be brought about.
In this country, we are very rich in research conducted by voluntary, not-for-profit and charitable bodies. They often supplement what the public sector and universities are unable or unwilling to do, but they do not find a place in this legislation, which posits that all research of value is conducted by “professional bodies”—a definition that excludes many organisations doing valuable work under the terms of the existing law. That law is to be tightened up, which may create difficulties. I am associated with one such organisation, and I want to give a tiny illustration of the problems that arise as a result of being outside the field of professional bodies.
I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. The number of people with those afflictions is so tiny in any given population that you have to go across the globe to connect useful datasets, which means in turn that you come up against some of the provisions that govern transnational transmission of data. However, the rarity of such individual disorders also makes every patient’s data precious to other affected individuals, because it is potentially a very tight community. No other organisation is dealing with that affliction in that way, and Unique can give support and advice to otherwise lonely parents and their equally isolated medics, who turn to Unique for information about alike cases. There is a network there.
By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work. In Unique, it is not uncommon for parents who have not been in touch for a long time suddenly to turn to it with a request for help. Try telling families, many of whom are not in the UK but are in third countries, who are coping with the daily stress of caring for a disabled child or adult, that they must be sure to keep up online with the stringent requirements of UK data legislation and that failing to do so will mean that they run the severe risk of no longer being able to get the kind of individualised attention and support that they seek from the very organisations set up to help them. The problem is that the law will lay down the need for the regular reconsultation and re-consent of individuals in very precise ways, and that such individuals might not reply, not understanding the potential hazards involved in failing to do so. One might say that data anonymisation might solve the problem. It solves some problems, but it creates new ones in an organisation set up for certain purposes where the idea is that one fellow sufferer can help another. So piling difficulties on small organisations—there are other difficulties that I have not even mentioned—might lead ultimately to an unwanted outcome, which will be a reduction in effectiveness.
I am not pleading for essential provisions on privacy to be disregarded. That would not be a sensible plea. However, I suggest that we are still in the foothills of the data-driven world and, while it is right to demand rigorous standards and strict enforcement, that is not the same as passing narrow and inflexible legislation that will have unwanted and unnecessary side-effects. The research base of this country needs a wider base for lawful consent and this legislation should recognise that not all valuable research fits into normal categories. I would like the Government to think about the possibility that they should allow for the creation of governance and accountability regimes that will fit special circumstances—and I am sure that we will come across others as we go through this legislation. The existence of the Information Commissioner should not result just in enforcing the law effectively and well; it should provide an opportunity for creativity under her auspices and the ability to create variations on governance regimes where they are needed.
Baroness Ludford (LD)
My Lords, I welcome the modernisation of data protection law that the Bill represents and the intention to comply with EU law in the regulation and directive—which of course we must do while we are still in the EU. I am particularly concerned with the future and the prospects for an adequacy decision from the Commission if we find ourselves outside both the EU and the EEA. A failure to get such a decision would be extremely harmful for both businesses and other organisations and for law enforcement.
I will look briefly at the past. In 2013 in the European Parliament I was one of the lead MEPs establishing the Parliament’s position on the regulation. I believe that we did a decent job—that was before the negotiations with the Council, which watered it down somewhat. The Government rightly acknowledge that the new system will build accountability with less bureaucracy, alleviating administrative and financial burdens while holding data controllers more accountable for data being processed—backed up by the possibility of remedies for abuse including notable fines. But the purpose is to provide incentives to build in privacy from the beginning through such instruments as data protection impact assessments and having a data protection officer, through data protection by design and default—thereby avoiding getting to the point of redress being necessary. As an aside, the routine registration with the Information Commissioner’s Office will be abolished, and I am not aware of how the ICO will be funded in future, because that was a revenue stream.
I will say briefly that the new rights that are in the regulation include tougher rules on consent, so we should see the end of default opt-ins or pre-selected tick boxes. That will probably be one of the most visible things for consumers; I hope that it does not become like the cookies directive, which has become a bit of a joke. The need for explicit consent for processing sensitive data is important, as is the tightening of conditions for invoking legitimate interests.
There are several matters which will give improved control over one’s own data, which is very important. There is also the right to be told if your data has been hacked or lost—so-called data breach notification—and a strengthened ability to take legal action to enforce rights. All these are considerable improvements. However, I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.
First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.
Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?
Looking forward, I want to mention some of what I see as the possible weaknesses in the Bill which might undermine the potential for an adequacy decision for data transfers to the EU and the EEA. The future partnership paper published in August, which has already been mentioned by the noble Lord, Lord Jay, referred to a UK-EU model which could build on the existing adequacy model. Can the Minister explain what that really means? As the noble Lord, Lord Jay, said, while national security is outside EU law, when it comes to assessing the adequacy of our level of data protection as a third country, we could find ourselves held to a higher standard because the factors to be taken into account include the rule of law and respect for human rights, fundamental freedoms and relevant legislation, including concerning public security, defence, national security, criminal law and rules for the onward transfer of personal data to another third country. Therefore, our data retention and surveillance regime, such as the bulk collection of data under the Investigatory Powers Act, will be exposed to full, not partial, assessment by EU authorities. This will include data transfers, for instance to the United States, which I would expect to be very much under the spotlight, and could potentially lead to the same furore as other transatlantic transfers. I lived through a lot of that. I remember that in 2013 there was a lot of flak about the actions of the UK, but nothing could be done about it because we are inside the EU. However, in the future it could.
There are also a number of aspects in the Bill in which the bespoke standards applied to intelligence agencies are less protective than for general processing, such as data breach reporting and redress for infringement of rights. We will need to give serious thought to the wisdom of these, looking to the future. This will not just be a snapshot on Brexit day or even on future relationship day, because at issue will be how our standards are kept up to scratch with EU ones. The fact that with another part of their brain the Government intend to decline to incorporate the European Charter of Fundamental Rights into UK domestic law, with its Article 8 on data protection, will not help the part of the governmental brain which looks forward to the free flow of data exchange with the EU. Our Government seem to be somewhat at cross purposes on what their future intentions are.
I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.
There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.
Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.
I will make one or two points in the health and research area. The Conservative manifesto commitment to,
“put the National Data Guardian for Health and Social Care on a statutory footing”,
is not fulfilled in the Bill; perhaps the Minister could explain why not. I would also expect clarification as the Bill proceeds on whether Clauses 162 and 172 sufficiently protect patients’ rights in the use or abuse of medical records. We know this is a sensitive issue given the history in this area, particularly of care data and other attempts to inform patients.
As a final point, I am glad that the research community was broadly positive about the compromises reached in the GDPR, although they were less explicit than the Parliament’s position. That leads to some uncertainty. I took note of what the noble Baroness, Lady Neville-Jones, said. Therefore, close examination will be merited of whether the Bill provides a good legal framework with sufficient legal basis for research, which many of us have all sorts of interests in promoting, balanced with a respect for individual rights. I very much hope this will be explored carefully at future stages.
Lord Patel (CB)
My Lords, many of my comments on the Bill are about data collection, usage and storage, particularly as it applies to research and, in particular, health research. In that respect, I will reference many of the comments on research made by the noble Baroness, Lady Neville-Jones, including health research generally and health research for people with rare conditions and how that data might be collected.
Given the rapid advances of data science and our capacity to collect, process and store vast quantities of data, such as genomic data for individuals, ensuring that data subjects have clear rights regarding how their data is used is vital. The recently published life sciences industrial strategy acknowledges both that fact and the significant potential of the data held within the healthcare system, especially for delivering better care and for the research sector.
The importance of getting the governance of personal data right is increasingly being recognised. The Royal Society and the British Academy recently published a report on data governance, calling for careful stewardship of data to ensure that the power and value of data are harnessed in such a way as to promote better human health and human benefit.
The Government have indicated that they recognise the importance of maintaining data flows across borders post Brexit, and that is positive. For instance, three-quarters of the health-related data flow from the UK is to the EU. As far as research is concerned, the relevant provisions of the Data Protection Bill mirror the GDPR and so should not generate problems for international collaborative research as it stands. However, it is imperative that international research that requires the transfer of personal data can continue without disruption post Brexit, and the example of rare diseases used by the noble Baroness, Lady Neville-Jones, is absolutely appropriate. In such situations, research often has to be co-ordinated and conducted across many countries, as there are few individuals with a particular condition in each country. My noble friend Lord Jay referred to the need for adequacy arrangements, and I think that that applies particularly in this area. Therefore, my question to the Minister is: will the UK, as a third country, seek an adequacy decision from the EU for data transfers in this respect?
I now come to Clause 7, which refers to alternatives to consent. The noble Baroness, Lady Neville-Jones, referred briefly to the problems that arise. For many uses of personal data, explicit consent is absolutely the right legal basis for processing that data, and it is positive that, with the GDPR, data subjects’ rights have been strengthened. Medical research will usually rely on a person providing informed consent for ethical reasons, but it is essential that there are alternatives to consent as a legal basis. That is because GDPR-compliant explicit consent sets a high bar for information provision that it may not always be feasible to meet. In many research resources, such as biobanks—I hope that my noble friend Lady Manningham-Buller will refer to that as the chairman of the Wellcome Trust, which is responsible for initiating the UK Biobank—the participants give consent for their pseudonymised data to be used.
In some studies it is not possible to seek consent, either because a very large sample size is needed to generate a robust result, and that would be practically difficult to obtain, or because seeking consent would introduce bias. The use of personal health data without specific explicit consent is sometimes essential for research for the health of the population. If researchers could not process medical records for research without specific explicit patient consent, they could not run cancer registries, which are extremely important in recording all cases of cancer; they could not monitor the hazards of medical procedures, such as the recently discovered implications of CT scans for long-term disease development; they could not assess the unexpected side-effects of routinely prescribed medicines; and they could not identify sufficiently large numbers of people with a particular disease to invite them to take part in trials for the treatment of that disease. The example I would give is the recruitment of 20,000 suitable people for the Heart Protection Study on statins, which has helped transform medical practice throughout the world. I am sure that many noble Lords use statins. This began with the identification of 400,000 patients with a hospital record of arterial disease and that information could not have been accessed without their permission. There are good examples of how this provision would cause a problem as it is enunciated in Clause 7.
We have a well-established, robust system of governance and oversight for non-consensual medical research in the UK; for example, through the Health Research Authority, a confidentiality advisory group, advising on Section 251 approvals to override the common law duty of confidentiality. Patient groups actively advocated for research exemptions during the passage of the GDPR—for example, through the Data Saves Lives campaign. I hope that, in Committee, we might get an opportunity to explore this further to see whether we can somehow modify the Bill to make this possible.
I come now to the public interest issues in the same clause. I understand that the Government intend the functions listed in Clause 7 not to be exhaustive, and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. Again, the noble Baroness, Lady Neville-Jones, briefly touched on that. It would provide much-needed clarity and assurance to the research community, particularly to those in the universities, if this could be made explicit in the Bill. A huge amount of research will rely on public interest as a legal basis. The Government have recognised the value of making better use of data for research, and the recent life sciences industrial strategy confirms the tremendous potential benefits for patients and the public if we can unlock the value of data held by public authorities and promote its use in the public interest.
There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and what they can or cannot do with data for their purposes—hence I referred to the need for better governance of the data. This is why the public interest legal basis matters so much for research. The DP Bill is an opportunity to set out very clearly what the legitimate basis for processing personal data can be. Setting out a clear public interest function for research will give researchers confidence to know when they are operating within the law. If necessary, any specification of research in Clause 7 could be qualified by safeguards to ensure that the legal basis is used only when appropriate.
Can the Minister confirm that research conducted by, for example, universities or hospitals could use the public interest legal basis for processing personal data? Again, we may have an opportunity to explore this further in Committee.
I come now briefly to Clause 18 and the issue of safeguards. Where exemptions from data subject rights exist for research, robust safeguards to protect data subjects’ rights and interests are essential. Clause 18 transposes Section 33 of the Data Protection Act into the new Bill, but it will have wider application than it did in the Data Protection Act. Under the Data Protection Bill, all medical research undertaken without consent as the legal basis will be subject to the safeguards of Clause 18. Clause 18 prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment for diseases.
Let me give the House some brief examples. Clinical trials and other interventional research will be undertaken with the consent of patients, which is ethically essential. However, the standard of consent may not be GDPR compliant as it is not always possible to specify how the data might be used beyond the purpose of the trial itself. Consent is therefore not the appropriate legal basis for much interventional research. This means that the safeguards built into the Data Protection Bill for processing or research purposes will apply. Clause 18 should not apply to interventional research. That research requires the processing of personal data to make decisions about the data subject as that is part of the necessary research design and oversight. If researchers cannot process data in that way, they will not be able to process information about a patient’s condition to assess whether they are eligible to participate in a clinical trial. They will not be able to process information about a patient’s condition to determine to which arm of the trial they should be allocated. They will not be able to remove individuals from a clinical trial if evidence arises of potential adverse effects during the course of the trial. There are significant implications.
A potential solution to this problem would be to modify Clause 18 to exempt research that has been approved by an ethics committee or some other such established safeguard. Implementation of the GDPR through the Data Protection Bill is an opportunity to provide clarity for researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards. At present, there is a great deal of conflicting advice about the implications of the GDPR and there is a risk that organisations will adopt an unnecessarily conservative approach to data protection for fear of committing breaches.
I should like to make two minor points. The Government have committed themselves in their response to Caldicott 3 to putting the National Data Guardian on a statutory footing by 2019. Do the Government intend to table an amendment to do that in this Bill? If they do not, the opportunity will be lost.
Lastly, the noble Lord, Lord Stevenson of Balmacara, mentioned the age of consent for children. The age of 13 seems a ridiculously low age for consent and I would support any amendments that he might introduce.
Lord Arbuthnot of Edrom (Con)
My Lords, it is a pleasure to follow the noble Lord and listen to his important comments on health data and particularly consent. I thought how brave he was with his data machine. I would worry that my pearls of wisdom would disappear somewhere into the ether, but luckily that did not happen to him.
This is a welcome and necessary Bill. It is not perfect, but I leap to its defence in at least one respect—namely; the absence of the GDPR regulations themselves from the Bill. On the Government’s website, there is a truly helpful document, the Keeling schedule, which sets out how the GDPR intersects with the text of this Bill. After noble Lords have read it a few times, it comes close to being comprehensible.
I will touch on one or two of the imperfections of the Bill that have been drawn to noble Lords’ attention by bodies such as ISACA, techUK, Citibank, Imperial College and others, and I am grateful to them for doing that. I declare my interest as chairman of the Information Assurance Advisory Council and my other interests as in the register. While the Bill has its flaws, I am sure that in Committee and on Report we shall be able to see whether improvements might be made.
The Commission says that the aim of the new rules is to,
“give citizens back control over their personal data, and to simplify the regulatory environment for business”.
The Commission has estimated that this would lead to savings of around €2.3 billion a year for businesses. But while the rules might make things simpler for businesses in that respect, it is possible that they will also make it easier for citizens to demand to know what information is held on them in paper form as well as in digital form. In fact, that is one of the main purposes of the Bill. So we might find that businesses have more rather than less to do. I wonder whether that has been costed. It is a good thing that citizens should find out what information people hold on them, but we should not pretend that the exercise will be free of cost to businesses. The Federation of Small Businesses estimates an additional cost of £75,000 per year for small businesses, and obviously much more for larger ones.
The Bill contains a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes. The aim of this, which is laudable, is to,
“ensure that there is a single domestic and trans-national regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector”,
but what is the law enforcement sector? To what extent do banks, for example, fall into the law enforcement sector? They have obligations under the anti-money laundering rules to pull suspicions together and to share those across borders—not just across European borders but globally. How are those obligations tied in with the GDPR obligations in the Bill? Businesses, especially banks, will need to understand the interplay between the GDPR regulations, the anti-money laundering regulations and all of the others. The Government would not, I know, want to create the smallest risk that by obeying one set of laws you disobey another.
That sort of legal understanding and pulling things together will take time. It will take money and training for all organisations. There is a real concern that too many organisations are simply hoping for the best and thinking that they will muddle through if they behave sensibly. But that is not behaving sensibly. They need to start now if they have not started already. The Federation of Small Businesses says that:
“For almost all smaller firms, the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do”.
Yet it goes on to say that,
“full guidance for businesses will not be available until next year, potentially as late as spring. The regulator cannot issue their guidance until the European Data Protection Board issue theirs”,
so there is a lot of work to be done.
I shall touch on three other issues at this stage of the Bill. The first is Clause 15, which would allow the alteration of the application of the GDPR by regulations subject to affirmative resolution and that could include the amendment or repeal of any of the derogations contained in the Bill. I share the concern expressed by the noble Baroness, Lady Ludford, on that and we will need to look at it.
Secondly, there are various issues around consent. The only one that I will mention is that the Bill provides that the age of consent for children using information society services should be 13. The right reverend Prelate the Bishop of Chelmsford mentioned the YouGov survey about that. I actually believe that the Government have this right. It recognises the reality of today’s social media and the opportunities that the digital world brings, and the Bill also protects young people to some extent by the right to have information deleted at the age of 18. TechUK agrees and so does the Information Commissioner. But if the public do not—and from the sounds of the YouGov survey they do not—there is a lot of work to be done in explaining to people why the age of 13 is the right one.
There is a technical issue that I simply do not understand. The GDPR rules state that the minimum age a Government can set for such consent is 13, and in this Bill, as we know, the Government have gone for the minimum, except in Scotland. Scotland is dealt with in Clause 187 of the Bill and there it seems that the minimum age is 12, unless I have this completely wrong. How do the Government square that with the GDPR minimum of 13?
My final point echoes one raised by the noble Lord, Lord McNally, relating to the issue of the re-identification of personal data which has been de-identified, as set out in Clause 162. The clause makes it a crime to work out to whom the data is referring. The very fact that this clause exists tells us something: namely, that whatever you do online creates some sort of risk. If you think that your data has been anonymised, according to the computational privacy group at Imperial College, you will be wrong. It says:
“We have currently no reason to believe that an efficient enough, yet general, anonymization method will ever exist for high-dimensional data, as all the evidence so far points to the contrary”.
If that is right, and I believe it is, then de-identification does not really exist. And if that is right, what is it in terms of re-identification that we are criminalising under this clause? In a sense, it is an oxymoron which I think needs very careful consideration. The group at Imperial College goes on to suggest that making re-identification a criminal offence would make things worse because those working to anonymise data will feel that they do not have to do a particularly good job. After all, re-identifying it would be a criminal offence, so no one will do it. Unfortunately, in my experience that is not entirely the way the world works.
We can come back to all of these issues in Committee and consider them further, and I look forward to the opportunity of doing so. This is not just a worthwhile Bill; it is an essential and timely one, and I wish it well.
Baroness Howe of Idlicote (CB)
My Lords, I have spoken extensively about the imperative to maximise online safety for children and of the need to provide the right tools to empower parents to help keep their children safe online. This will continue to be my priority as we discuss the Data Protection Bill at all its stages. Parents often feel that their children know rather more about accessing the technology than they do, but they still have a role and responsibility to guide their children, and this extends to the topic before us today—the child’s personal data.
During the extensive debates in this House on the Digital Economy Bill, we discussed what young people below the age of 18 should and should not see, and we voted to require a code of practice for the providers of online social media platforms, which is now Section 103 of the Act. In all our discussions about children during those debates, we were referring to individuals under the age of 18, and there was no dispute on the point. I am disappointed that nowhere in the Data Protection Bill’s 208 pages is a child defined as a person under the age of 18.
This Bill puts before us another dividing line between childhood and the influence of parents, the effect of which is nothing if not confusing. Clause 8 states that a child of 13 years can consent to providing data to information services; that is, they can sign up to social media sites and so on. By contrast, the default in the European General Data Protection Regulation is that a child should be 16 years old to be able to give “digital consent”.
The Explanatory Notes state of the age of 13:
“This is in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children”.
These are contracts driven by decisions under United States federal law in the form of the Children’s Online Privacy Protection Act of 1998. However, the world of technology and what is at our children’s fingertips has changed significantly since 1998. What might have seemed good then does not mean that it is now.
Furthermore, given all the concerns expressed over recent months about the actions of social media sites, the current contracts of these sites should not be driving government policy; rather, the primary factor should be what is best for children and young people, and what is best should be established through a solid evidence base. I hope that the Minister will set out the Government’s evidence-based reasoning for using the age of 13 and tell us what evidence has been collected by the DCMS from children’s charities and those representing parents and others with an interest in these matters.
Choosing the right age for children to consent to signing up to these websites is far from a straightforward issue. I am aware that there is concern among children’s charities that setting the age of digital consent at 16 could lead to an increase in the grooming of young people by abusers, something that none of us in this House would wish to see. The Children’s Society has said that, if Parliament sets the age in Clause 8 at 16, significant changes should be made to the grooming and sexual offences legislation.
I have also received briefing material from BCS, The Chartered Institute for IT, which suggests that there is significant public support for the age being 16 or 18 and very little support for the age being 13. I understand that parents favour firmly the age of 18, so clearly there is a lot of room for discussion, and no doubt we will have it during Committee. In this context, I would like to suggest that the Government should launch an immediate public consultation on this point so that the House can make a fully informed decision before the Bill moves to the other place. Right now, either end of the age spectrum looks like it has dangers.
I also hope that the Minister will set out some clarification of the intentions of the Bill in relation to the consent of children. Paragraph (6) in Clause 8 includes an exemption for “preventive or counselling services”. Does that mean that a child could give their consent to these websites before the age of 13 or not at all? What is defined as a “preventive or counselling service”?
Clause 187 gives further criteria for the consent of children, but only children in Scotland, where a child’s capacity to exercise their consent should be taken into account, with the expectation that a child aged 12 or over is,
“presumed to be of sufficient age and maturity to have such an understanding”.
The Explanatory Notes to the Bill state that this clause must be read with Clause 8, which provides that the age limit is 13. Is Clause 187 intended to say that the age of digital consent cannot go below 13, which is the position of Article 8(1) of the GDPR, or that there might be circumstances when a child who is 13 cannot consent for genuine reasons? Either of these scenarios seems to give rise to confusion for children, parents and the websites that children access.
After all the detailed discussions about age verification that we had earlier in the year, there is an argument for age verification to apply to Clause 8. How will websites that require a child to verify that they are 13 years old ensure that the child is the age that they say they are without some requirement for the site to prove the age of the child? This is surely a meaningless provision. I hope that when the Minister comes to reply, he will set out the Government’s position on this matter and explain what penalties a website which breaches this age requirement will face.
Finally, I hope that the Minister will give us an update on the publication of the Green Paper on internet safety and how the digital charter that was announced in the Queen’s Speech will play into this Bill during its passage through this House and on to the other place.
Baroness Jay of Paddington (Lab)
My Lords, it is a pleasure to follow the noble Baroness, Lady Howe, and to recognise her expertise in discussing the issues around children’s protection. I share many of her ideas. I welcome the Bill, and echo other noble Lords in recognising that it has enormous significance and is very timely. I am grateful for the clear explanation of the EU Committee’s report, which showed the complexities of the continuing interrelationships between this country’s legislation and that of Europe and the way in which we will have to deal with that for many years to come.
At this stage, it is worth reminding ourselves—or at least reminding myself—that we are talking about so many areas of our society today and so many aspects of 21st century life which we are aware that not all of us understand. I know there are many experts in this field. I refer in particular to the noble Baroness, Lady Lane-Fox, who will speak after me, when I say that there are people who clearly understand all the implications of the wider digital economy. However, I put myself among the majority of the population when I say that, although I am aware of the vast number of ways in which the digital revolution impacts on and, perhaps somewhat frighteningly, dominates our everyday lives, it is almost impossible for most of us to know how and by whom our personal data is being collected, with whom it is shared and to whom it is probably sold. Therefore, robust protection of privacy and the ethical regulation of data are essential if we are to continue with our democratic principles.
My noble friend on the Front Bench, Lord Stevenson, has already referred to some of the gaps that he sees in this legislation; no doubt those will be referred to and returned to at a later stage. I am concerned that the way some of the Bill is drafted already suggests that we are once again moving into that area where the role of this House and the other place is diminished by so much secondary legislation being proposed. I do not apologise for raising yet again, as I have in previous debates, what I see as a paradox: so much of the support for Brexit depended on the restoration of parliamentary sovereignty to Westminster, yet when we come to look at the detail of some of the Bills to implement some of the implications of Brexit—particularly in this kind of complex area—we find that the presentation is often based on secondary legislation where the role of this House, particularly in scrutinising and revising, and that of the other place, is somewhat diminished. It seems an extraordinary paradox to me.
Noble Lords have already referred to Clause 15, which is particularly worrisome in this area. It would clearly permit alterations by the affirmative action procedure. It will be important, when we debate the detail of the Bill, to recognise that professional bodies are already mentioning that as a concern. As was mentioned briefly by a previous speaker—I think it was the noble Lord, Lord McNally—I draw the attention of the House to the British Medical Association having drawn particular attention to the potential problem of regulations being altered in this way. Noble Lords will be aware that the security of sensitive healthcare information is clearly essential to good medical practice. The BMA is now concerned that the centrally important trust in doctor/patient relationships may be threatened in future if changes in data sharing can be fast-tracked without proper scrutiny through the secondary legislation process. Again, the House will be aware that, as the law stands, healthcare information has special protection through the common-law duty of confidentiality. I hope it will be possible for the Government to assure the House, at the earliest opportunity, that the proposed regulatory powers will not be overridden in that way, and in particular that that crucial safeguard will continue to exist. It may be possible to give a general assurance on the general procedures on regulation.
I turn to some of the questions which arise from what I describe as general ignorance about the uses and abuses of personal data in the global digital economy. My noble friend Lord Puttnam, who is unavoidably away today—and who is a greater expert and far more authoritative in this field than me—wanted to contribute to the debate by suggesting some ways of improving the situation of so-called digital literacy by means of the Bill. With his permission, I will mention his proposals, which I am sure he will return to at the later stages. It is, of course, completely extraordinary to me that when my noble friend Lord Puttnam and I worked together in 2003 on the Communications Bill, that Act contained no reference to the internet. In the 14 years since, we have all become familiar with so many digital concepts: standardised algorithms, bots, big data and what is increasingly referred to as “data capitalism”. We are familiar with the words, but I am not sure that we all understand their implications for privacy and personal data.
It has been said this afternoon that national Governments now face the legal and technical challenge of trying to regulate international communication and information flows, which are largely controlled by a handful of American-based internet corporations. In this parliamentary Session, I have the privilege of sitting on your Lordships’ Select Committee on Political Polling and Digital Media. We are investigating the questions of accuracy and transparency thrown up by using internet data in politics. We are only beginning to uncover the complexities and threats that the new systems create. Again, in this context, in the last year we have all heard about so-called fake news and possibly even Kremlin-inspired online intervention in western democracies. Only yesterday, there were reports of operatives using individual Facebook accounts to generate support for President Trump; but is it possible to influence effectively, or control, any of that in the public interest? As a good democrat, the noble Lord, Lord McNally, remains optimistic, but I find it very hard to see how an individual Government can act legislatively to moderate the growing tsunami of online data exchange—and how through the law we can protect individuals from manipulation and exploitation.
A possible route that, optimistically, could influence behaviour and protect citizens from the most egregious breaches of their privacy is through public education. That is obviously a long-term project. Creating better-informed consumers who understand how their shared personal data may be used, and what may happen to data when it is passed on, would clearly be an advantage. That is important when we are talking—as the noble Baroness, Lady Howe, and other contributors did before me—about young people growing up with the internet. They are the greatest users of every type of social media but, although they may be technically adept, they are often the most ignorant about what they are signing up to or giving away when they use seductive sites or post so much information online.
I welcome the provision in the Bill that allows young people to remove content—the right to be forgotten. However, I share the concerns of the noble Baroness, Lady Howe, the right reverend Prelate and others about the age of consent being 13. As a grandmother, as they say, I would be very happy to see that age raised. As referred to by the right revered Prelate, who is not in his place, it is interesting that, when surveyed, 81% of the general public wanted to try to raise that age. I hope we will return to this issue at a later stage.
It is important to look at some of the fundamental issues about how we can achieve better public education in this field. Do we need to think again about how to achieve a digitally literate population in the true sense, which in turn could hopefully influence the attitudes and actions of the big tech companies and change the opinion of the world? That may be a more sensible way to proceed than continuing to make what may be vain attempts to regulate the ever-expanding web. The House will remember, as the noble Lord, Lord McNally, has already said, that in the original Communications Act 2003, Ofcom was given the specific duty of promoting “media literacy”. In that Act—perhaps I may quote from it—the duty is very broadly based. First, it is,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”.
Secondly, it is,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
However, since the passage of the Bill, Ofcom seems largely to have interpreted these responsibilities in rather a narrow and perhaps pragmatic way. For example, it has asked how we can ensure that the elderly population has appropriate access to digital technology and how internet drop-out areas, or areas where it is difficult to achieve broadband, can be improved?
My noble friend Lord Puttnam is therefore proposing that in Part 5 of the Bill, which covers the Information Commissioner, a wider duty be placed on the commissioner to act with Ofcom, and indeed with the Department for Education and the DCMS, on the use and abuse of personal data. He sees this as something that could be included by amendment in the “general functions” of the commissioner or established under a separate code of practice. He suggests that a code of practice could, for example, confer special responsibilities on the big technology giants to engage in the collaborative development of digital media skills. It does not seem naively optimistic to think that this type of statutory leverage could be influential. It could be a useful exercise of “soft power” to achieve more informed and responsible internet use by both providers and consumers. Effective and proper digital literacy is an approach that would avoid the continuing search for a national regulatory solution to some of the problems of the global digital economy—it may be long-term but it seems worth undertaking. I am sure my noble friend Lord Puttnam will table amendments in Committee.
I welcome the Government’s intention to update and strengthen a robust system of data protection. It is certainly an ambition that has recently been made more difficult both by corporately owned global technology giants which transcend the authority of national Governments and by the huge expansion of internet technology. I am glad that the Bill has started in this House, as I am sure it will, as always, be improved by your Lordships’ scrutiny and revision.
Baroness Lane-Fox of Soho (CB)
My Lords, happy Ada Lovelace Day. How prescient of the Whips and the Minister to pick today for Second Reading. To remind colleagues who might be wondering: she was one of the great innovators of computing in the 19th century. She worked with Charles Babbage on his computational engine, she was the first to recognise that the machine had applications beyond pure calculation, and, in fact, she probably created the first algorithm intended to be carried out by that machine. As part of that, she is often regarded as the first to recognise the full potential of computing, so it could hardly be more apt to pick today for this Second Reading debate, in which we are probably looking at the consequences of the work that she started all those years ago.
The Government’s ambition is to,
“make Britain the best place to start and run a digital business; and … the safest place in the world to be online”,
as detailed in the Conservative manifesto. This Bill is intended to,
“ensure that our data protection framework is suitable for our new digital age, and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data”.
This aspiration to be the best, to make the UK a world leader and set a precedent for good regulation of our digital worlds, is admirable, but that means that the Bill must set the bar high. It must be the very best it can be, especially as we head towards Brexit, where having the highest standards around the collection and use of data will be vital not just to digital businesses but to our continued ability to trade. This Bill must be the foundation for that. There is much that is good in the Bill, but I do not believe that it is yet the best that it can be.
I must start with a confession. Despite the kind references today to my career and supposed expertise, I found this Bill incredibly hard to read and even harder to understand. I fear that we will not do enough to stop the notion, referred to by the noble Lord, Lord McNally, that we are sleepwalking into a dystopian future if we do not work hard to simplify the Bill and make it accessible to more people, the people to whom I feel sure the Government must want to give power in this updated legislation. Let us ensure that the Bill is a step forward for individual power in the rapidly changing landscape in which we sit, a power that people understand and, importantly, use. Let us make it an indicator to the world that the UK balances the importance of tech start-ups, innovation, foreign investment and big businesses with consumer and citizen rights.
The Government should be commended for getting ahead of movements that are growing all over the world to free our data from the tech giants of our age. As data becomes one of our most valuable resources—as we have heard, the new oil—individuals have begun to want a stake in determining for themselves when, how and to what extent information about them is held and communicated to others. So I welcome the clear data frameworks, which are important not only for the best digital economy but for the best digital society.
I agree with much that has been said today but want to make three specific points on the Bill. First, from any perspective, the GDPR is difficult to comprehend, comprising sweeping regulations with 99 articles and 173 recitals. The Bill contains some wonderful provisions, of which my favourite is:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR … In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by this Chapter”.
Giving people rights is meaningful only if they know that they have them, what they mean, how to exercise them, what infringement looks like and how to seek redress for it. There are questions about the practical workability of a lot of these rights. For example, on the right to portability, how would the average person know what to do with their ported data? How would they get it? Where would they keep it? There was a funny example in a newspaper recently where a journalist asked Facebook to send them all the data that it had collected over the previous eight years and received a printed copy of 800 pages of data—extremely useful, as I think you will agree. What about your right to erase your social media history? I should declare my interest as a director of Twitter at this point. How can you remove content featuring you that you did not post and in which people may have mentioned you? What happens as the complexity of the algorithm becomes so sophisticated that it is hard to separate out your data? How does the immense amount of machine learning deployed already affect your rights, let alone in the future?
Awareness among the public about the GDPR is very low—the Open Data Institute has done a lot of work on this which is soon to be published. It is very unlikely that ordinary people understand this legislation. They will have no understanding of how their rights affect them. A lot of education work needs to be done.
For businesses, too, the learning curve is steep, especially for foreign investors in European companies. Some are betting that the sheer scope of the GDPR means that the European regulators will struggle to enforce it. When the GDPR came up at a recent industry start-up event, one industry source said that none of the people to whom they had spoken could confidently say that they had a plan. Every online publisher and advertiser should ensure that they do, but none of them is taking steps to prepare.
So much has been done by this Government on building a strong digital economy that it is important to ensure that small and start-up businesses do not feel overwhelmed by the changes. What substantial help could be planned and what education offered? What help is there with compliance? By way of example, under Clause 13, companies have 21 days to show bias from algorithms, but what does this mean for a small AI start-up which may be using anonymised intelligence data to build a new transport or health app? What do they have to think about to make good legal decisions? As my noble friend Lord Jay so brilliantly argued, how can we ensure post-Brexit legislative certainty for them in building global successful businesses?
This brings me to my second question: why has the right of civil groups to take action on behalf of individuals been removed from the UK context for the GDPR? Instead, the Bill places a huge onus on individuals, who may lack the know-how and the ability to fight for their rights. As has been mentioned, article 80(1) of the GDPR allows for representative bodies—for example, consumer groups—to bring complaints at the initiation of data subjects. Article 80(2) allows those groups to bring complaints where they see infringements of data rights without an individual having to bring the case themselves. These give consumers power. It supports their rights without them having to specifically understand that the rights exist, or how to exercise them. Unfortunately, article 80(2) is an optional clause and the UK has omitted it. This omission is worrying, given how stretched the ICO’s resources are and the impact this could have on its support for the public. Granting rights over data to individuals is meaningless if individuals lack the understanding to exercise those rights and there is no infrastructure within civic society to help them exercise those rights. However, we have many organisations in this country—Citizens Advice, Which?—which have these kinds of rights of free-standing action in relation to other regulations. There does not seem to be any good reason why the UK has chosen not to take up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.
Citizens face complex data trails. It is impossible for the average person to be able to know which organisations hold their personal data. Enabling privacy groups to take independent action will ensure these rights are enforced. As it stands, under the Bill the ICO is currently the main recourse for this.
Resourcing the ICO, Part 5 of the Bill, is essential and my third main area of interest. The ICO has considerable responsibilities and duties under the Bill towards both business and individuals: upholding rights, investigating reactively, informing and educating to improve standards, educating people and consumer groups, and maintaining international relationships. I feel exhausted thinking about it. The ICO’s workload is vast and increasing. It lacks sufficient resources currently. In March 2017, the Information Commissioner asked Parliament if it could recruit 200 more staff but the salaries it offers are significantly below those offered by the private sector for roles requiring extremely high levels of skills and experience. These staff are going to become ever more important and more difficult to recruit in the future.
The ICO currently funds its data protection work by charging fees to data controllers. It receives ring-fenced funding for its freedom of information request work from the Government. This income can increase the number of data controllers only as it increases: it is not in line with the volume or complexity of work, and certainly not with that in the Bill. Perhaps it is time for another method of funding, such as statutory funding.
Finally, I would like briefly to add my thoughts on how the Bill affects children. As many noble Lords have said, the YouGov poll does indeed say that 80% of the public support raising the age to 18—currently it is 13, as detailed by the Government. However, there are many other surveys, particularly one by the Children’s Society, which show that 80% of 13 year-olds currently have a social media account and 80% of people under 13 have lied or twisted their age in order to establish one. This is the realpolitik in the war of understanding the internet with our children. I respectfully disagree with the noble Baroness, Lady Howe, and others in the Chamber: I feel strongly that it is wrong to place policing at the heart of how we deal with relationships between children and the internet. We need to take a systems-based approach. I have seen my godchildren set up fake accounts and whizz around the internet at a speed I find alarming. We have to deal on their terms. We have to help educators, parents and people supporting children, not use the long arm of the law.
There are many anomalies, as has already been detailed, as well as discrepancies with Scotland, differences between parental oversight and explicit giving of consent, problems with data collection and how the digital charter will work, and so on, and those are all important. However, I am optimistic too—I always am—and there is much to welcome in the Bill. I am particularly optimistic if we can work in tandem on the wider digital understanding of our society, as so brilliantly detailed by the noble Baroness, Lady Jay. I wish I could discuss the important themes in the Bill with Ada Lovelace, but in her absence I will have many good discussions with people in this Chamber so that we can all work hard to ensure that citizens and consumers reap the benefits of the Bill.
Data Protection Bill [HL]
Tuesday 10th October 2017
(7 years, 5 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Lord Storey (LD)
My Lords, I am particularly interested in how the Bill enhances the lives of young people and how in Committee we could add to the opportunities that the Bill provides. The word “protection” is immensely important in this digital age, and young people probably need more protection than at any other time in our recent history. They should have control over their own data.
Like your Lordships, I have been sent a large number of briefings on the Data Protection Bill. I was particularly taken with the joint briefing from the Children’s Society and YoungMinds. As we have heard from the noble Baroness, Lady Lane-Fox, they found that almost three in four children and young people have a social media account before the age of 13. The same survey also revealed that four in 10 young people had experienced online bullying. For young people affected by this form of bullying, the right to have contact removed will be very welcome. I have seen first-hand how young people’s lives can be seriously harmed, and I welcome having a longer debate on this issue in Committee.
I was very taken with the noble Baroness’s comments, although they did not quite match my personal experience. As a head teacher of a large 600-place primary school, I would find children who had been seriously bullied and were in meltdown. When we saw the children and talked to their parents, it turned out that the bullying came from social media. This raises the question: how did children as young as eight years old get signed up to Facebook? By their brothers and sisters. Why did their parents not know about this? This is a very serious problem. I do not know if it is about the long arm of the police, which the noble Baroness, Lady Lane-Fox, suggested was not the way, whether it is about young children knowing their rights, or, as I suspect, whether it is a bit of both, including parental education as well.
In the 1960s a baby named Graham Gaskin was put into care by Liverpool local authority after his mother, a local beauty queen, committed suicide by jumping into the River Mersey. Graham was passed from one institution to another; he was sent to over 20 institutions, including 14 different foster homes, over an 18-year period. He claimed that he suffered neglect, mismanagement and sexual abuse. He tried to understand what had happened to him, the family circumstances and the family connections—his back story, if you like. He was prevented from seeing his social services file but managed somehow to purloin it. In those confidential papers he found out about the secrets of his shocking life in care.
Three remarkable people stand out in the Graham Gaskin story: the local solicitor, Mr Rex Makin, who represented Graham and fought to get justice for him; a local journalist, Mr Ian Craig, who spent months checking and cross-checking the details and wrote a series of devastating articles about what had happened to Graham in the Liverpool Echo; and the chair of the social services committee, Mr Paul Clark, who struggled against the legal system to allow his officers to open up the file and had a fiat, which I am told is a type of injunction, issued against him, preventing him releasing those files. In November 1981, the noble Lord, Lord Alton, then my honourable friend and MP for the Edge Hill constituency in Liverpool, spoke in the Commons about the Graham Gaskin case. He said:
“Graham Gaskin is just another name still locked away in a filing cabinet … I hope that encouragement will be given to local authorities to humanise their services so that the tragedy of Graham Gaskin’s lost youth will never happen again”.—[Official Report, Commons, 6/11/81; col. 284.]
Had the files of Graham Gaskin and thousands of other children been allowed to have been opened, they would have revealed a scandal as shocking as the revelations that have come to light about some of our residential homes and might have prevented the abuse of children that was so prevalent at the time.
We have come a long way since those days, and of course the law allows access to files under the Data Protection Act 1998. Since the noble Lord, Lord Alton, made his comments about humanising social services, we have done that very thing. However, opening the files and making them accessible to young people is very different from the sort of legal problems that, for example, solicitors often face. It is of fundamental importance that everyone has the right to their personal data, and the legislation does not restrict or inhibit that right, but I shall talk about it from a practitioner’s point of view. This issue is beyond my comprehension but I have spent several moments talking to solicitors about it, so the language that I use is not of my immediate understanding but it gives some flavour of how we should have not only the spirit of making these files available but the practicalities as well.
If someone makes a request for data a year after making a previous request, and in the intervening period there has been further activity about the requester by the data controller, it will be argued that the substance of previous requests is being repeated. Is not the substance of any request to obtain the relevant data then held by the data controller? It will be argued that if someone has made a previous request, they will not be able to make a subsequent one. I think I understand that and I hope noble Lords do too.
Terminology needs to be clearly defined, not left open to later judicial interpretation. For example, if a right is to be denied on the basis that complying with it would involve disproportionate effort, there needs to be a definition of “proportionate”. More effort is needed for supplying data to someone who has had a lot of dealings with a data controller, especially government departments and numerous agencies because such are regarded as one data controller. We need to ensure that each separate agency has its own data controller. Will it be argued in the courts that it is manifestly unfounded or excessive for someone with a lot of personal data about them to request it? The current law requires all data controllers, with some minor exceptions, to register with the ICO. If they do not, they are acting unlawfully by processing personal data, and the provisions of the criminal law apply.
When the Bill which became the Data Protection Act 1998 was introduced to Parliament, the drafting instructions to parliamentary counsel were as follows: “We regard it as essential that there be a clear sanction for failure to make a mandatory notification. The obligation to notify is itself a cornerstone of the notification regime, and we wish to place a distinct onus on controllers to take responsibility for ascertaining and discharging their obligations in this respect”. Huge numbers have not done so, with a massive loss to the public purse. The law will not be strengthened by removing the cornerstone of the current law.
The Bill is long and detailed, and the devil, as always, is in the detail. The detail needs most careful scrutiny to ensure that the fundamental rights of the citizen are paramount, not those of officialdom. In any balance concerning the rights of the individual, there should be a presumption that those acting in any official capacity should have the official records disclosed. The balancing exercise introduced in the 1998 Act following the Graham Gaskin case, effectively replicated in the Bill, has not worked in practice, and Parliament can and should give further guidance. I look forward to finding out how we may improve some of these detailed issues for people who find themselves in the same situation as the Graham Gaskins of the 1980s.
The Earl of Listowel (CB)
My Lords, it is a great privilege to follow the noble Lord, with all his experience of providing care and support for children and families. It was very troubling to hear of the case of Graham Gaskin.
I hesitate to speak. I do so because I am very interested in child development and issues of age of consent within the development of children. For instance, I very much oppose the lowering of the age of franchise to 16, which many have argued for, because my understanding and experience is that adolescence is hugely challenging and we should not put additional burdens on young people. Reading a survey in which 81% of adults thought that the age of consent for sharing personal information should be at 16 or 18, with the majority of parents thinking that the age should be 18, I was very concerned and wanted to take part in this debate and learn more.
I was recalling our history with access to the internet and pornography. My recollection was that we did not think about those things from the perspective of children and young people. Thanks to the noble efforts of my noble friend Lady Howe, we are now getting on top of that issue, but a report yesterday pointed to a marked rise in sexual assaults by children on children in the past year. Of course it is speculative to say so, but I would not be at all surprised if access by children to the internet has helped to fuel that rise.
We really need to give these issues deep and considered thought and, looking at the briefings, my sense is that it has not been given to the age of consent. It seems to be the default position because that is what Facebook and the other big companies offer. Even the European Union directive did not seem to involve a deep consultation among parents, children—ensuring that children’s voices could be heard—and experts to determine that the age should be between 13 and 16. I join my noble friend Lady Howe’s request for an urgent consultation by the Government with parents, children—in an effective way—and experts on this issue.
I will try to think through what might be the implications. Please forgive my naiveté, but this might be an opportunity for people to market products to 13 year-olds. My experience and research suggests that where children come from family backgrounds of breakdown or depression, that is reflected in the child’s relationships with other children in school. They can find it difficult to relate to others and become isolated. What do they turn to in those circumstances? The research points to the fact that they will be the children with the most expensive articles of clothes. The most expensive trainers will belong to the children who find it most difficult to make relationships with other children. I suppose that we see the same thing in the adult world: often those who are least sociable spend more money on articles of clothing to compensate for that. One concern might be that marketeers will be particularly effective at reaching out to more vulnerable children and encouraging them to pester their parents to buy more products. There will be more pressure on households to go into debt. In our debate on another Bill at the moment, we are seeing that far too many households are experiencing debt. Perhaps that is not a likely eventuality, but it needs to be explored.
Another eventuality might be political lobbying groups seeking to develop a youth wing to reach out to 13, 14 and 15 year-olds and disseminate information to prepare them to join the party later on. All around the world we see hateful political groups gaining ascendance. That is another risk that we need to take into account: how vulnerable are our young people to such groups?
I should be most grateful if the Minister would make clear what is a child in the Bill. Will he ensure that the Bill is clear that anyone under the age of 18 is a child? On the age of consent, what about children with developmental delays or special educational needs? Obviously, chronological age may not be appropriate, so how does one deal with those children? Finally on verification, how do we know that a child who says he is 13 is really 13 and not several years younger?
I share the concern voiced by many Peers about the age of consent. I was to some extent reassured by my noble friend Lady Lane-Fox but, given the history and concern about access to pornography and the lack of consideration for the impact on children and young people, it is our duty to give the Bill the thorough consideration that it needs. I look forward to the Minister’s response.
Lord Black of Brentwood (Con)
My Lords, it is a privilege to follow the noble Earl, who has brought so much wisdom and passion to the issue of child protection, which is rapidly becoming the leitmotiv of this debate—and rightly so. My comments will be about something slightly different: the impact of the Bill on journalism and the right to freedom of expression. I declare my interest accordingly as executive director of the Telegraph Media Group and draw attention to my other media interests in the register.
I first had the dubious pleasure of becoming involved in the issue of data protection more than 20 years ago, when the EU data protection directive was introduced in 1996. During the passage of the Data Protection Bill which implemented it, my noble friend Lord Wakeham, then chairman of the Press Complaints Commission, set out in his customary cogent fashion why that directive was potentially so grave for press and media freedom. He identified two key issues with the directive, and it is worth repeating what he had to say, because those issues are, if anything, more relevant today than they were then:
“The first is that the directive’s definition of ‘personal data’ is extremely wide, covering virtually any information relating to an individual, including details of political opinion, trade union membership, racial or ethnic origin and philosophical beliefs. The second is that the definition of processing specifically includes, for the first time, the use of material for journalistic purposes; and in turn journalism, of course, relies on the use of all the information covered by the directive. The very real danger in the combination”,
of the two is that it,
“could be used to introduce a regime that would gravely damage the freedom of the press, undermine investigative journalism”.—[Official Report, 2/2/1998; col. 462.]
What became the Data Protection Act 1998 avoided such a dismal fate, and indeed through Section 32 struck an appropriate, clever and enduring balance at the time between the right to privacy and the right to freedom of expression. That was in so many ways down to the guiding hand of Lord Williams of Mostyn, who is still much missed in this House. He went out of his way to consult the industry and respond to its concerns. I remember with affection many meetings with him, not least as he was able to make the issue of data protection amusing, which is no small feat. To pick up on the comments of the noble Baroness, Lady Lane-Fox, I do not know whether he would have been able to make it comprehensible—that may have been a challenge too far. But at the end of the day, he succeeded in ensuring that the legislation balanced the right to privacy with the right to free expression, which he treasured so much. We have heard a bit about that in today’s debate.
This Government have been equally as determined as Gareth Williams was to ensure that freedom of expression is protected and have consulted widely all the interested parties. I am particularly grateful to the DCMS Ministers Karen Bradley and Matt Hancock for their understanding and patience in this area of protection not just for journalism but for literary, artistic and academic activities. Great credit is due to all those who were involved in the long and often deeply tortuous negotiations over the general data protection regulation, who ensured that it makes absolutely clear that member states must provide for exemptions and derogations carried out not only for journalistic purposes, but for the purposes of academic, artistic and literary expression as well. Recital 153 of the GDPR is particularly welcome and important as it explicitly recognises how protections for freedom of expression,
“should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries”,
and ought to be reflected in the Bill.
The Government have gone to considerable lengths to consult widely on the UK’s implementation of the exemptions and derogations in the directive and have clearly stated, as I am sure the Minister will reiterate again today, that:
“Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded”.
That is what Part 5 of Schedule 2, relating to the exemptions for freedom of expression and information, alongside other clauses in the Bill, seeks to do.
Such protections are vital for us as citizens, who depend on a free press to hold those in positions of power to account. As importantly, particularly in a post-Brexit world—and we have heard a lot about that world today—proper implementation of the exemptions is essential to the continuation of the UK’s shining role as a world leader in the creative, cultural and communications sphere. For all those reasons, it is imperative that the existing protections in the 1998 Act are not just maintained in this legislation but enhanced, and applied consistently throughout the Bill.
I specifically use the word “enhanced” because, through no fault of the existing legislation, which was extremely well crafted, the defences inherent in Section 32 of the 1998 Act have begun to erode. That is mainly an unintended consequence of the Defamation Act 2013, with the passage of which many noble Lords here today were involved. That legislation, so carefully scrutinised in this House, has done much to stop trivial and vexatious libel claims in the courts, but regrettably some people, who are now no longer able to bring libel proceedings, have begun to stretch the boundaries of other laws to do so. Data protection is fast becoming an alternative remedy for those who wish to blunt investigative journalism or seek to launder a justly bad reputation by removing articles from the online record. That is something that we have heard a bit about today.
One issue that we should consider is whether the carefully sculpted defences set out in the Defamation Act 2013 could somehow be replicated in this legislation and applied to data protection claims. It also cannot be right for the Information Commissioner to have the power, set out in Clause 165, to fund legal claims against those pursuing literary, artistic, academic and journalistic activities; that power runs counter to the aims of the Defamation Act. No other sector of activity is singled out in that way, and there is no case for it.
Inevitably as the Bill is scrutinised, much of the devil will be in the detail, as the noble Lord, Lord Storey, said. A number of specific issues—many of them, I suspect, inadvertent or unintended—ought to be addressed if the Bill is not to have a restrictive and damaging impact on freedom of expression, and particularly on the media’s operations, all the way from the initial investigation of a story to the eventual archiving of material. For example, we need to ensure that the investigation and enforcement powers of the Information Commissioner, particularly in the area of pre-publication activities, are not extended, and that the existing checks and balances, which have worked extraordinarily well in the current regime, are rigorously maintained in this legislation, not reduced. If not, there is a danger that the commissioner could become some form of statutory press regulator, which is not what I believe the Government intend, and which most of us would believe to be abhorrent in a free society. Similarly, there needs to be explicit protection for academic, literary and media archives, including a transparent and effective regime for the assessment of “right to be forgotten” requests relating to internet search records. Those records are not just the “first draft of history”; they often now comprise the only record of significant events, which will be essential to historians and others in future, and they must be protected.
We also need to remember that, far more so even than was the case back in 1996, the media today, as with all artistic activities, are completely global. All those processing data for special purposes need to be able to receive and share certain personal data rights across the world. That is particularly true in relation to the protection of sources, and contact or email exchanges with them. We should never forget in this House that in some parts of the world, even partial release of sensitive information can have the most appalling repercussions, putting the lives of sources and reporters in grave, often mortal, danger. The protections and exemptions in this area need to be put in place and be absolutely watertight. Quite apart from the personal risks involved, investigative journalism such as that on the Panama papers could become quite impossible if we did not get this balance right.
I am conscious that I have been talking specifically about Article 10 rights on freedom of expression, but I absolutely understand that those have carefully to be balanced with other rights. My noble friend the Minister in his opening remarks made that point extremely well. It is important to underline that none of the points that I have raised here would in any way undermine an individual’s right to privacy, safeguarded by Article 8 of the convention. These limited changes would continue fully to protect that right, while providing much greater clarity and certainty for those processing data for the special purposes. Therein lies the effective balance which characterised the 1998 Act and which should, I believe, be the guiding principle and hallmark of what will inevitably become the Data Protection Act 2018.
I spoke earlier about the Government’s commitment to consultation on the detail of this Bill, and the constructive and open way in which they have worked with all those impacted in this area. I very much hope that the Minister will continue to undertake such work with all those who have an interest in this vital issue and that we can, during the passage of the Bill, make further amendments to protect what at the end of the day is the foundation stone of our democracy.
Baroness Hamwee (LD)
My Lords, I, too, thank the Minister for his careful introduction of the Bill, and the organisations and individuals who have briefed us, including the individual who wrote, “It does your head in”. I was glad to hear the assurance that the Bill may—I hope I have this right—with repeated readings come close to comprehension.
At later stages, I hope to focus on Parts 3 and 4 of the Bill, but this evening I make some points about young people and the age of consent. I have to say—I may be out of step with other noble Lords—that I am not entirely convinced that the age of 16 would provide more effective protection than 13. I was struck by the recent launch of a report by the Children’s Commissioner for England. The report contains a jargon-busting guide,
“to give kids more power in digital world”.
The commissioner’s launch paper remarked:
“For children, there is no difference between online and offline life. To them, it’s just life … You wouldn’t drop a 12-year-old in the middle of a big city and expect them to fend for themselves. The same should be true online”.
The jargon-busting guide is intended to help children and teachers negotiate and understand what they are signing up to when they use Facebook, Instagram, YouTube, Snapchat, WhatsApp and so on. It uses simplified terms and conditions—it is acknowledged that it is not a legal document but is designed to be an accessible and child-friendly tool to help children understand their digital rights and make informed choices.
Noble Lords will have received a briefing from the Carnegie UK Trust on digital skills. Among other things, it reminds us that so many young people— I think actually that should be “so many people”—are unaware that “delete” does not actually mean “delete”.
I do not think that achieving the age of 14, 15 or 16 would address this. The route of information and education is much more important than a diktat in legislation. I suspect that we could be in danger of being unrealistic about what life is like for children and young people these days. We should not ignore public opinion but, quite honestly, times have changed. We will debate both the age threshold and age verification, which is clearly inseparable from this, during the course of the Bill.
Like other noble Lords, I am concerned about public trust and confidence in the system. At the moment there is a need for guidance on preparation for the new regime. I visited a charity last week and asked about the availability and accessibility of advice. The immediate, almost knee-jerk response was, “It’s pretty dire”—followed by comments that most of what is available is about fundraising and that there is a particular lack of advice on how to deal with data relating to children. The comment was made, too, that the legislation is tougher on charities than on the private sector. I have not pinned down whether that is the case, but I do not disbelieve it. The Federation of Small Businesses has made similar points about support for small businesses.
On confidence and trust, my view is that the use of algorithms undermines confidence. This is not an algorithm but perhaps an analogy: we have been made aware recently—“reminded” would be a better term—of the requirement on banks to check the immigration status of account holders. I took part recently in a panel discussion on immigration. The participants’ names were Gambaccini, Siddiq, Qureshi and Hamwee. With those names, although we are all British citizens, I should think that we are pretty suspect. Algorithms will be used by the policing and intelligence communities, among others. My specific question is: have the Government considered independent oversight of this?
My confidence in the system is also not helped by the fact that the data protection principles applied to law enforcement do not include transparency. I am prepared to be told that this is because of the detail of the GDPR, but I find it difficult to understand why there is not transparency subject to some qualifications, given that transparency is within the principles applying in the case of the intelligence services.
“User notification” is another way of talking about transparency and is a significant human rights issue in the context of the right not only to privacy but to effective remedy and a fair trial. I am sure that we will question some of the exemptions and seek more specificity during the course of the Bill.
We are of course accustomed to greater restrictions—or “protections”, depending on your point of view—where national security is concerned, but that does not mean that no information can be released, even if it is broad brush. I wonder whether there is a role for the Intelligence and Security Committee here—not that I would suggest that that would be a complete answer. Again, this is something we might want to explore.
Part of our job is to ensure that the Bill is as clear as possible. I was interested that the report of the committee of the noble Lord, Lord Jay, referred to “white space” and language. It quoted the Information Commissioner, who noted trigger terms such as “high-risk”, “large scale” and “systematic”. Her evidence was that until the new European Data Protection Board and the courts start interpreting the terms,
“it is not clear what the GDPR will look like in practice”.
I found that some of the language of the Bill raised questions in my mind. For instance—I am not asking for a response now; we can do this by way of an amendment later—the term “legitimate” is used in a couple of clauses. Is that wider than “legal”? What is the difference between “necessary” and “strictly necessary”? I do not think that I have ever come across “strictly necessary” in legislation. There are also judgment calls implicit in many of the provisions, including the “appropriate” level of security and processing that is “unwarranted”. By the by, I am intrigued by the airtime given to exams—and by the use of the term “exams”. Back in the day there would certainly have been an amendment to change it to “examinations”; I am not going to table that one.
Finally, I return to the committee report, which has not had as much attention as the Bill. That is a shame, but I am sure we will come back to it as source material. I noted the observation that, post Brexit, there is a risk that, in the Information Commissioner’s words, the UK could find itself,
“outside, pressing our faces on the glass … without influence”,
and yet having,
“adopted fulsomely the GDPR”.
That image could be applied more widely.
Do the Government accept the committee’s recommendation in paragraph 166 that they should start to address retaining UK influence by,
“seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board”?
My noble friend Lord McNally referred to running up the down escalator, and his alternatives to the Henry VIII clauses are well worth considering—I hope that that does not sound patronising.
This is one of those Bills that is like a forest in the points of principle that it raises. Some of us, I am afraid, will look closely at a lot of the twigs in that forest.
Baroness Manningham-Buller (CB)
My Lords, I will be brief, as the late Lord Walton always said at the start of his speeches. However, I actually mean it. That is because many of the points I want to make have been made by either the noble Baronesses, Lady Neville-Jones or Lady Ludford, or my noble friend Lord Patel, who declared my interest as chair of the Wellcome Trust for me. For those noble Lords who are not familiar with the organisation, we spend about £1 billion a year on improving human health, largely through funding medical research, primarily in this country but also in 16 other countries overseas. We welcome the Bill, although we think it needs improvement. Before Committee, we look for answers to the questions laid out by my noble friend Lord Patel on the need for universities to have real clarity about how they process data.
For the public interest, terminology should be extended so that we can look at issues of safeguards beyond consent and make sure that it is possible to do clinical trials and interventional work. Why is that the case? It is because health data offers the most exciting opportunities to do things which we have only recently been able to do, understand the causes of disease in detail over populations and have a much better chance of getting to diagnosis early. We could deal with many things if we could only diagnose them far earlier and develop treatments for them—indeed, prevent some of them ever materialising. Health data also helps us to measure the efficacy of treatment. We all know of plenty of treatments that over years have proved to be useless, or unexpected ones that have proved to be outstanding. Looking at big-scale data helps us to do that. That data helps in precision medicine, which we are all moving towards having, where the drugs we receive are for us, not our neighbour, although we apparently both have the same illness. Health data can also help with safety as you can collect the side-effects that people are suffering from for particular drugs. It helps us evaluate policy and, of course, should help the NHS in planning.
I know that the Government want to support scientists to process data with confidence and safety. The industrial strategy comments that data should be “appropriately accessed by researchers”. “Appropriate” is a hopeless word; we do not know what it means, but still. The document also states that access for researchers to,
“currently available national datasets should be accelerated by streamlining legal and ethical approvals”.
We are not there yet.
I want to say a word about public support. The Wellcome Trust commissioned an Ipsos MORI poll last year before the Caldicott review to assess public support for the collection of data. In many cases, there is significant public support for that provided it is anonymised—although I know there are questions about that—but what people are fussed about is that their data is sold on for commercial purposes, that it is used for marketing or, worst of all, that it is used to affect their insurance policies and life insurance. Therefore, we need to give reassurance on that. However, it has certainly been the case in our experience, and that of many universities, that you can recruit many people for trials and studies if they believe that their data will help others with similar diseases or indeed themselves.
My noble friend Lord Patel trailed that I would mention the UK Biobank, as this will face real problems if this legislation is not amended. For noble Lords who are not aware of it, the UK Biobank is funded partly by the Wellcome Trust and partly by the Government through the Medical Research Council. Between 2006 and 2010, it recruited half a million people who gave body samples, details about their lifestyles, economic environments and genomes. Some of these details have been accessed but not all. This has produced the most fantastic amount of data, which is helping us to discover causes of cancer, heart disease—there is a long list, and I will read them all out as they are all important—stroke, diabetes, arthritis, osteoporosis, eye disorders, depression and dementia. Other subjects will be added. The conclusions of this data are open to anybody in the world because health has no frontier. There is no other biobank like this in the world. The Chinese have started one called the Kadoorie, but it is neither as extensive nor profound; it will become invaluable, but it is not yet. The UK Biobank is a unique resource for the world. It is based in Oxford and funded by a major British charity and the taxpayer. We must make that data useful and do nothing to damage the way in which it contributes to helping save lives.
Lord Lucas (Con)
My Lords, I have enjoyed the debate very much so far. I hope that the same can be said of my noble friend the Minister, who will clearly find support from all around the House for a large number of amendments. I found myself agreeing with the noble Lord, Lord Stevenson, on several points, not least on the question of adequacy, which seems to me absolutely fundamental to getting this Bill right. I hope that my noble friend will be able to be very clear on how the Government intend to tackle this key aspect.
I agreed with the noble Lord, Lord McNally, too, and his worries about standing up to the tech giants. They are not our friends. They are big, powerful companies that are not citizens of this country. They pay as little tax here as possible and several of them actively help tax evaders in order that they can make more profits out of the transactions that that involves. They control what we see on the internet through algorithms and extract vast quantities of data and know more about us than we know ourselves. In the interests of democracy we really must stand up to them and say, “No, we are the people who matter. It is great you are doing well, but we are the people who matter”. Bills like this are part of that, and it is important that we stand up for ourselves and our citizens.
I agreed very much with my noble friend Lady Neville-Jones that research is crucial. In my context as editor of the Good Schools Guide we use a fair bit of government data and do research with it. I will pick my noble friend’s brain afterwards on what her worries are about the use of data by non-standard researchers because I certainly qualify as that.
My noble friend Lord Arbuthnot referred to a Keeling schedule. It would be wonderful to receive it. For some reason I cannot pick it up on the email. It is not in the documents listed on the Parliament website, not in any location, and it does not Google or come up on GOV.UK. One way or another, I think the simplest thing to ask is: please can we put it on the parliamentary website in the list of documents related to the Bill? I know that it exists, but I just cannot find it. It would be nice if it appeared on the departmental website too.
It seems to me that bits are missing in a number of areas. Where are Articles 3, 27, 22(2)(b) and 35(4) to 35(6)? Where is Article 80(2), as the noble Baroness, Lady Lane-Fox, mentioned? That is an absolutely crucial article. Why has it gone missing? How exactly is recital 71 implemented? I cannot see how the protections for children in that recital are picked up in the Bill. There are a lot of things that Keeling schedules are important for. In a detailed Bill like this, they help us to understand how the underlying European legislation will be reflected, which will be crucial for the acceptance of this Bill by the European Union—I pick up the point made by the noble Lord, Lord Stevenson—and what bits are missing.
And what has been added? Where does paragraph 8 of Schedule 11 come from? It is a very large, loose power. Where are its edges? What is an example of that? I would be very grateful if my noble friend could drop me a note on that before we reach Committee. What is an arguable point under that provision? Where are the limits of our economic interest so far as its influence on this Bill is concerned?
Paragraph 4 of Schedule 10 is another place that worries me. We all make our personal data public, but a lot of the time we do it in a particular context. If I take a photograph with my parliamentary-supplied iPhone, on which there is an app that I have granted the power to look at my photographs for some purpose that I use that app for, I have made that photograph and all the metadata public. That is not what I intended; I made it public for a particular purpose in a particular context—that of social media. A lot of people use things like dating websites. They do not put information on there which is intended to be totally public. Therefore, the wording of paragraph 4 of Schedule 10 seems to be far too wide in the context of the way people use the internet. Principle 2 of the Data Protection Act covers this. It gives us protection against the use of information for purposes which it clearly has not been released for. There does not appear to be any equivalent in the Bill—although I have not picked up the Keeling schedule, so perhaps it is there. However, I would like to know where it is.
On other little bits and pieces, I would like to see the public policy documents under Clause 33(4) and Clause 33(5) made public; at the moment they are not. How is age verification supposed to work? Does it involve the release of data by parents to prove that the child is the necessary age to permit the child access, and if so, what happens to that data? Paragraph 23 of Schedule 2 addresses exam scripts. Why are these suddenly being made things that you cannot retrieve? What are the Government up to here? Paragraph 4 of Schedule 2, on immigration, takes away rights immigrants have at the moment under the Data Protection Act. Why? What is going on?
There are lots of bits and pieces which I hope we can pick up in Committee. I look forward to going through the Bill with a very fine-toothed comb—it is an important piece of legislation.
Lord Janvrin (CB)
My Lords, I welcome the opportunity to speak in this Second Reading debate. It is always slightly daunting to follow the noble Lord, Lord Lucas. We were colleagues on the Digital Skills Committee a few years back, and he was pretty daunting on that too, being a great fund of knowledge on this subject. I mention at the outset my interests as set out in the register, including as a trustee of the British Library and as a member of the parliamentary Intelligence and Security Committee in the last Parliament. I too welcome this important piece of legislation. I will be brief and confine myself to some general remarks.
There is no doubt that data, big data, data processing and data innovation are all absolutely essential ingredients in the digital revolution which is changing the world around us. However, as we have discussed in debates in this House, advances in technology inevitably risk outstripping our capacity to think through some of the social, ethical and regulatory challenges posed by these advances. This is probably true of questions of data protection.
The last key legislation, the Data Protection Act 1998, was ground-breaking in its time. But it was designed in a different age, when the internet was in its infancy, smartphones did not exist and the digital universe was microscopic compared to today. As the Government have said, we desperately need a regulatory framework which is comprehensive and fit for purpose for the present digital age.
As has been mentioned by other noble Lords, the Bill is also necessary to ensure that our legislation is compatible with the GDPR, which comes into force next year. It is absolutely clear that however Brexit unfolds, our ability to retain an accepted common regulatory framework for handling data is essential; the ability to move data across borders is central to our trading future. I was much struck by the lucid explanation given by the noble Lord, Lord Jay, of some of the challenges which lie ahead in achieving this goal of a common regulatory framework for the future.
The Bill before us is undoubtedly a major advance on our earlier legislation. It is inevitably complex, and as today’s debate makes absolutely clear, there are areas which this House will wish to scrutinise carefully and in depth, including issues of consent and the new rights such as the right to be forgotten and to know when personal data has been hacked, and so on. The two areas which will be of particular interest to me as a member of the board of the British Library and as a member of the Intelligence and Security Committee in the last Parliament will be, first and foremost, archiving in the public interest, and secondly, Part 4, on data processing by the intelligence services.
In order to support archiving activities, as was made clear in the British Library’s submission during the DCMS consultation earlier this year, it is essential that this legislation provide a strong and robust legal basis to support public and private organisations which are undertaking archiving in the public interest. As I understand it, this new legislation confirms the exemptions currently available in the UK Data Protection Act 1998: safeguarding data processing necessary for archiving purposes in the public interest and archiving for scientific, historical and statistical purposes. This is welcome, but there may perhaps be issues around definitions of who and what is covered by the phrase “archiving in the public interest”. I look forward to further discussion and, hopefully, further reassurances on whether the work of public archiving institutions such as our libraries and museums is adequately safeguarded in the Bill.
On Part 4, data processing by the intelligence services does not fall within scope of the GDPR, and this part of the Bill provides a regime based on the Council of Europe’s modernised—but not yet finally agreed—Convention 108. The intelligence services already comply with data-handling obligations within the regulatory structures found in a range of existing legislation. This includes the Investigatory Powers Act 2016, which, as was debated in this Chamber this time last year, creates a number of new offences if agencies wrongly disclose data using the powers in that Act.
The new Bill seeks to replicate the approach of the Data Protection Act 1998, whereby there have been well-established exemptions to safeguard national security. It is obviously vital that the intelligence services be able to continue to operate effectively at home and with our European and other partners, and I look forward to our further discussion during the passage of the Bill on whether this draft legislation gives the intelligence services the safeguards they require to operate effectively.
In sum, this is a most important piece of legislation. If, as the noble Baroness, Lady Lane-Fox, suggests, we can set the bar high, it will be a most significant step forward. First, it will redefine the crucial balance between, on the one hand, the freedom to grasp the extraordinary opportunities offered by the new data world we are in and, on the other, the need to protect sensitive personal data. Secondly, and very importantly, it will put the United Kingdom at the forefront of wider efforts to regulate sensibly and pragmatically the digital revolution which is changing the way we run our lives.
Lord Knight of Weymouth (Lab)
My Lords, as the economy becomes more digitised, the politics of data become centrally important. As the Minister himself said, data is the fuel of the digital economy, and public policy now needs an agile framework around which to balance the forces at play. We need to power the economy and innovation with data while protecting the rights of the individual and of wider society from exploitation by those who hold our data. The recent theft of the personal details of 143 million Americans in the hack of Equifax or the unfolding story of abuse of social media in the US elections by Russian agents make the obvious case for data protection.
This Bill attempts to help us tackle some big moral and ethical dilemmas, and we as parliamentarians have a real struggle to be sufficiently informed in a rapidly changing and innovative environment. I welcome the certainty that the Bill gives us in implementing the GDPR in this country in a form that anticipates Brexit and the need to continue to comply with EU data law regardless of membership of the EU in the future.
However, we need e-privacy alongside the GDPR. For example, access to a website being conditional on accepting tracking cookies should be outlawed; we need stricter rules on wi-fi location tracking; browsers should have privacy high by default; and we need to look at extending the protections around personal data to metadata derived from personal data.
But ultimately I believe that the GDPR is an answer to the past. It is a long-overdue response to past and current data practice, but it is a long way from what the Information Commissioner’s briefing describes as,
“one of the final pieces of much needed data protection reform”.
I am grateful to Nicholas Oliver, the founder of people.io, and to Gi Fernando from Freeformers for helping my thinking on these very difficult issues.
The Bill addresses issues of consent, erasure and portability to help protect us as citizens. I shall start with consent. A tougher consent regime is important but how do we make it informed? Even if 13 is the right age for consent, how do we inform that consent with young people, with parents, with adults generally, with vulnerable people and with small businesses which have to comply with this law? Which education campaigns will cut through in a nation where 11 million of us are already digitally excluded and where digital exclusion does not exclude significant amounts of personal data being held about you? And what is the extent of that consent?
As an early adopter of Facebook 10 years ago, I would have blindly agreed to its terms and conditions that required its users to grant it,
“a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content”.
I posted on the site. It effectively required me to give it the right to use my family photos and videos for marketing purposes and to resell them to anybody. Thanks to this Bill, it will be easier for me to ask it to delete that personal data and it will make it easier for me to take it away and put it goodness knows where else with whatever level of security I deem fit, if I can trust it. That is welcome, although I still quite like Facebook, so I will not do it just yet.
But what about the artificial intelligence generated from that data? If, in an outrageous conflagration of issues around fake news and election-fixing by a foreign power to enable a reality TV star with a narcissistic personality disorder to occupy the most powerful executive office in the free world, I take against Facebook, can I withdraw consent for my data to be used to inform artificial intelligences that Facebook can go on to use for profit and for whatever ethical use they see fit? No, I cannot.
What if, say, Google DeepMind got hold of NHS data and its algorithms were used with bias? What if Google gets away with breaking data protection as part of its innovation and maybe starts its own ethics group, marking its own ethics homework? Where is my consent and where do I get a share of the revenue generated by Google selling the intelligence derived in part from my data? And if it sells that AI to a health company which sells a resulting product back to the NHS, how do I ensure that the patients are advantaged because their data was at the source of the product?
No consent regime can anticipate future use or the generation of intelligent products by aggregating my data with that of others. The new reality is that consent in its current form is dead. Users can no longer reasonably comprehend the risk associated with data sharing, and so cannot reasonably be asked to give consent.
The individual as a data controller also becomes central. I have plenty of names, addresses, phone numbers and email addresses, and even the birthdays of my contacts in my phone. Some are even Members of your Lordships’ House. If I then, say, hire a car and connect my phone to the car over Bluetooth so that I can have hands-free driving and music from my phone, I may then end up sharing that personal contact data with the car and thereby all subsequent hirers of the car. Perhaps I should be accountable with the car owner for that breach.
Then, thanks to AI, in the future we will also have to resolve the paradox of consent. If AI determines that you have heart disease by facial recognition or by reading your pulse, it starts to make inference outside the context of consent. The AI knows something about you, but how can you give consent for it to tell you when you do not know what it knows? Here, we will probably need to find an intermediary to represent the interests of the individual, not the state or wider society. If the AI determines that you are in love with someone based on text messages, does the AI have the right to tell you or your partner? What if the AI is linked to your virtual assistant—to Siri or Google Now—and your partner asks Siri whether you are in love with someone else? What is the consent regime around that? Clause 13, which deals with a “significant decision”, may help with that, but machine learning means that some of these technologies are effectively a black box where the creators themselves do not even know the potential outcomes.
The final thing I want to say on consent concerns the sensitive area of children. Schools routinely use commercial apps for things such as recording behaviour, profiling children, cashless payments, reporting and so on. I am an advocate of the uses of these technologies. Many have seamless integration with the school management information systems that thereby expose children’s personal data to third parties based on digital contracts. Schools desperately need advice on GDPR compliance to allow them to comply with this Bill when it becomes law.
Then there is the collection of data by schools to populate the national pupil database held by the Department for Education. This database contains highly sensitive data about more than 8 million children in England and is routinely shared with academic researchers and other government departments. The justification for this data collection is not made clear by the DfE and causes a big workload problem in schools. Incidentally, this is the same data about pupils that was shared with the Home Office for it to pursue deportation investigations. I am talking about data collected by teachers for learning being used for deportation. Where is the consent in that?
I have here a letter from a Lewisham school advising parents of its privacy policy. It advises parents to go to a government website to get more information about how the DfE stores and uses the data, if they are interested. That site then advises that the Government,
“won’t share your information with any other organisations for marketing, market research or commercial purposes”.
That claim does not survive any scrutiny. For example, Tutor Hunt, a commercial tutoring company, was granted access to the postcode, date of birth and unique school reference number of all pupils. This was granted for two years up to the end of March this year to give parents advice on school choice. Similar data releases have been given to journalists and others. It may be argued that this data is still anonymous, but it is laughable to suggest that identity cannot then be re-engineered, or engineered in the first place, from birth date, postal code and school. The Government need to get their own house in order to comply with the Bill.
That leads me to erasure, which normally means removing all data that relates to an individual, such as name, address and so on. The remaining data survives with a unique numeric token as an identifier. Conflicting legislation will continue to require companies to keep data for accounting purposes. If that includes transactions, there will normally be enough data to re-engineer identity from an identity token number. There is a clause in the Bill to punish that re-engineering, which needs debating to legitimise benign attempts to test research and data security, as discussed by the noble Baroness, Lady Manningham-Buller.
The fact that the Bill acknowledges how easy it is to re-identify from anonymous data points to a problem. The examples of malign hacking from overseas are countless. How do we prevent that with UK law? What are the Government’s plans, especially post Brexit, to address this risk? How do we deal with the risk of a benign UK company collecting data with consent—perhaps Tutor Hunt, which I referred to earlier—that is then acquired by an overseas company, which then uses that data free from the constraints of this legislation?
In the context of erasure, let me come to an end by saying that the Bill also allows for the right to be forgotten for children as they become 18. This is positive, as long as the individual can choose what they want to keep for him or herself. Otherwise, it would be like suggesting you burn your photo albums to stop an employer judging you.
Could the Minister tell me how the right to be forgotten works with the blockchain? These decentralised encrypted trust networks are attractive to those who do not trust big databases for privacy reasons. By design, data is stored in a billion different tokens and synced across countless devices. That data is immutable. Blockchain is heavily used in fintech, and London is a centre for fintech. But the erasure of blockchain data is impossible. How does that work in this Bill?
There is more to be said about portability, law enforcement and the intelligence services, but thinking about this Bill makes my head hurt. Let me close on a final thought. The use of data to fuel our economy is critical. The technology and artificial intelligence it generates have a huge power to enhance us as humans and to do good. That is the utopia we must pursue. Doing nothing heralds a dystopian outcome, but the pace of change is too fast for us legislators, and too complex for most of us to fathom. We therefore need to devise a catch-all for automated or intelligent decisioning by future data systems. Ethical and moral clauses could and should, I argue, be forced into terms of use and privacy policies. That is the only feasible way to ensure that the intelligence resulting from the use of one’s data is not subsequently used against us as individuals or society as a whole. This needs urgent consideration by the Minister.
Baroness Kidron (CB)
My Lords, many noble Lords will know that my particular interests, clearly stated on the register, are concerned with making the digital world fit for children and young people, and so the greater part of my comments concern that. However, I wanted to say at the outset that dealing with this Bill without having had the opportunity to scrutinise the GDPR or understand the ambition and scope of the Government’s digital charter, their internet safety strategy or even some of the details that we still await on the Digital Economy Act made my head hurt also.
I start with the age of consent. Like others, I am concerned that the age of 13 was a decision reached not on the advice of child development experts, child campaigners or parents. Perhaps most importantly of all, the decision lacks the voice of young people. They are key players in this: the early adopters of emerging technologies, the first to spot its problems and, so very often, the last to be consulted or, indeed, not consulted at all. Also, like others, I was bewildered when I saw Clause 187. Are Scottish children especially mature or are their southern counterparts universally less so? More importantly, it seems that we have to comply with the GDPR, except when we do not.
As the right reverend Prelate has outlined, the age of 13 is really an age of convenience. We have simply chosen to align UK standards with COPPA, a piece of US legislation that its own authors once described to me as a “terrible compromise”, and which dates from 2000, when the notion of every child carrying a smartphone with the processing power of “Apollo 11” and consulting it every few minutes, hundreds of times day and night, was not even in our imagination, let alone our reality.
Before considering whether 13 is the right age, we should understand what plans the Government have to require tech companies to make any provisions for those aged 13 to 17, or whether it is the considered opinion of the UK Government that in the digital environment a 13 year-old is a de facto adult. Will the Government require tech companies to publish data risk assessments setting out how children are likely to engage with their service at different ages and the steps they have taken to support them, including transparent reporting data? Are we to have minimum design standards in parts of the digital environment that children frequent, and that includes those places that they are not supposed to be? Will the ICO have powers to enforce against ISS providers which do not take steps to prevent very young children accessing services designed for people twice their age? My understanding is that age compliance will continue to be monitored and enforced by the ISS companies themselves.
As Ofcom pointed out, in 2016 in the UK, 21% of 10 year-olds, 43% of 11 year-olds and half of all 12 year-olds had a social media profile, in spite of COPPA. Are the Government planning to adequately resource and train all front-line workers with children, teachers, parents and children in a programme of digital literacy as the House of Lords Communications Committee called for, and in doing so inform all concerned—those 13 and under and those between the ages of 13 and 18—on the impact for young people of inhabiting what is increasingly a commercial environment? Until these questions are answered positively, the argument for a hard age of consent seems weak.
In contrast, in its current code of practice on processing personal data online, the ICO recommends a nuanced approach, advising would-be data collectors that:
“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly”.
The current system places the obligation on the data controller to consider the context of the child user, and requires them to frame and direct the request appropriately. It underpins what we know about childhood: that it is a journey from dependence to autonomy, from infancy to maturity. Different ages require different privileges and levels of support.
If being GDPR compliant requires a hard age limit, how do we intend to verify the age of the child in any meaningful way without, perversely, collecting more data from children than we do from adults? Given that the age of consent is to vary from country to country—16 in the Netherlands, Germany and Hungary; 14 in Austria—data controllers will also need to know the location of a child so that the right rules can be applied. Arguably, that creates more risk for children, but definitely it will create more data.
In all of this we must acknowledge a child’s right to access the digital world knowledgeably, creatively and fearlessly. Excluding children is not the answer, but providing a digital environment fit for them to flourish in must be. There is not enough in this Bill to fundamentally realign young people’s relationship with tech companies when it comes to their data.
Much like the noble Lord, Lord Knight, my view is that we have got this all wrong. In the future, the user will be the owner of their own data, with our preferences attached to our individual online identity. Companies and services will sign up to our bespoke terms and conditions, which will encompass our interests and tolerances, rather than the other way round. If that sounds a little far-fetched, I refer noble Lords to the IEEE, where this proposal is laid out in considerable detail. For those who do not know the IEEE, it is the pre-eminent global organisation of the electrical engineering professions.
While this rather better option is not before us today, it must inform our understanding that the Bill is effectively supporting an uncomfortable status quo. Challenging the status quo means putting children first, for example by putting the code of practice promised in the Digital Economy Act on a statutory footing so that it is enforceable; by imposing minimum design standards where the end-user is likely or may be a child; by publishing guidance to the tech companies on privacy settings, tracking, GPS and so forth; by demanding that they meet the rights of young people in the digital environment; and by a much tougher, altogether more appropriate, regime for children’s data.
All that could and should be achieved by May, because it comes down to the small print and the culture of a few very powerful businesses for which our children are no match. The GDPR offers warm words on consumer rights, automated profiling and data minimisation, but with terms and conditions as long as “Hamlet”, it is disingenuous to believe that plain English or any number of tick boxes for informed or specific consent will materially protect young people from the real-life consequences of data harvesting, which are intrusive, especially when we have left the data poachers in charge of the rules of engagement.
We could do better—a lot better. I agree wholeheartedly with other noble Lords who are looking for structures and principles that will serve us into the future. Those principles should not only serve us in terms of other EU member states but be bold enough to give us a voice in Silicon Valley. In the meantime, the Government can and should enact the derogation under article 80(2) and in the case of complainants under the age of 18, it should not only be a right but a requirement. We cannot endorse a system where we create poster children on front-line battles with tech companies. We are told that this Bill is about data protection for individuals—a Bill that favours users over business and children over the bottom line. But the absence of Article 8 of the European Charter of Fundamental Rights is an inexcusable omission. The Bill in front of us is simply not robust enough to replace Article 8. I call on the Government to insert that crucial principle into UK legislation. It must be wrong for our post-Brexit legislation to be deliberately absent of underlying principles. It is simply not adequate.
I had a laundry list of issues to bring to Committee, but I think I will overlook them. During the debate, a couple of noble Lords asked whether it was possible to regulate the internet. We should acknowledge that the GDPR shows that it can be done, kicking and screaming. It is in itself a victory for a legislative body—the EU. My understanding is that it will set a new benchmark for data-processing standards and will be adopted worldwide to achieve a harmonised global framework. As imperfect as it is, it proves that regulating the digital environment, which is entirely man and woman-made and entirely privately owned, is not an impossibility but a battle of societal need versus corporate will.
As I said at the beginning, my central concern is children. A child is a child until they reach maturity, not until they reach for their smart phone. Until Mark Zuckerberg, Sergey Brin and Larry Page, Tim Cook, Jack Dorsey and the rest, with all their resources and creativity, proactively design a digital environment that encompasses the needs of children and refers to the concept of childhood, I am afraid that it falls to us to insist. The Bill as it stands, even in conjunction with the GDPR, is not insistent enough, which I hope as we follow its passage is something that we can address together.
Lord Marlesford (Con)
My Lords, I very much agreed with those who said that the regulation must certainly apply to the big boys in the computer and digital world. I shuddered when the noble Baroness, Lady Lane-Fox, quoted from that wholly incomprehensible Brussels jargon from the regulations.
I received last week a letter as chair of Marlesford Parish Council. We have seven members and only 230 people live in Marlesford. Our precept is only £1,000 a year. A letter from the National Association of Local Councils warned me that the GDPR will impose,
“a legal obligation to appoint a Digital Protection Officer … this appointment may not be as straightforward as you may be assuming, as while it may be possible to appoint an existing member of staff”—
we have no staff, just a part-time parish clerk who is basically a volunteer. It continues:
“They must by requirement of regulations possess ‘expert knowledge of data protection law and practices’”.
I am afraid that will not be found in most small villages in the country, so I hope that one result of this Bill will be to introduce an element of proportionality in how it is to apply, otherwise the noble Baroness, Lady Lane-Fox, who was so right to draw our attention to the threat of incomprehensibility, will be right and we will all lose the plot.
The time has come to have a reliable and secure link between the state and its citizens, and the capabilities of the digital world that underlie this Bill give us that opportunity. There are good reasons for that. First, apart from the excellent national census which was founded in 1841, with the latest information having been collected in the 2011 census, Governments have an imperfect knowledge of their customers, paymasters or stakeholders—whatever you would like to call the rest of us. The various links have many defects which result in serious failures in the duties and obligations of the state. The first of those is to ensure that those who need financial help or support get it and do not go short as a result of funds going to those who do not need them or are not entitled to them. In this, the national insurance system has been incredibly difficult to organise properly. Again and again people have tried, and again and again they have failed.
Secondly, the National Health Service, which many of us believe to be a pillar of our British way of life, is chronically short of funds. Large sums are spent on free medical treatment for those who are not entitled to it. For example, under the reciprocal healthcare scheme within the EU, which is based on repayments made by each EU Government, we pay more than 10 times as much to other EU Governments for their treatment of our citizens as we collect for treating theirs. That is a gap of £500 million. In the case of the NHS treatment of non-EU citizens, the failure to collect charges now costs £1 billion a year.
Thirdly, control of our borders is inadequate, largely due to the failure of our passport system, an issue I have raised many times in your Lordships’ House.
Fourthly, there are serious defects in policing, combating digital crime and other aspects of law and order. To give just two examples, there are problems for our security services in protecting us from terrorism and identity theft, which is a growing problem. My proposal involves giving every citizen a unique identification number that would be backed by centrally held biometrics to confirm the identity of the citizen. The UIN would supplement and eventually replace the plethora of other state numbers, which include those for national insurance, the registry of births and deaths, national health, HMRC, passports, driving licences, the police national computer, the national firearms register and custodial sentences. Citizens would be required to know their own UIN and to give it to those with a legitimate reason to ask for it. The UIN would be printed on passports, driving licences and so on. To assist those without such documents, it might be helpful to make available a plastic card with the person’s name and UIN. Such a card would not be mandatory and it would have no validity in and of itself. It would not of course be an identity card, any more than a credit card or business card would be. Needless to say, it would have no biometrics of any sort on it.
Access to the biometrics would be carefully restricted to those on a need-to-use basis, and those with such access would have data relevant only to their need to know. The verification process would be based on real-time use of the biometrics. The authority would take the biometrics from an individual when necessary, and such action would be limited to appropriate members of government agencies. They would include the police, immigration officers, security people and so on. The biometrics could then be compared with the central record. Important decisions to be made would include which biometrics should be used, such as facial recognition techniques, fingerprints and so forth. The introduction of the UIN would be gradual, depending on the logistics of collecting the biometrics. Existing numbers would continue to be used for a while. Proper data protection would be key to the viability, security, integrity and public acceptability of the UIN. All I am asking is for Her Majesty’s Government to set up a study of what I propose. I am afraid I am not very confident that they will.
In 1997, I tabled an amendment to the Firearms (Amendment) Bill to set up a national electronic record of all firearms, similar to the excellent one that had long been in use by the DVLA. The amendment was passed and became part of the Act, but for the next 10 years the Home Office used every technique from the “Yes Minister” book to resist implementing it. Thanks to widespread support in this House—including from, if I may so, the noble Lord, Lord McNally, in his ministerial position—the amendment was eventually accepted and it has been in useful operation for the past 10 years.
However, I am worried about whether the Government always move as fast as they should on these computer matters. Sometimes they seem rather out of their depth. I remember, in 1966, as a keen young member of the Conservative Research Department, I was sent to carry the bag and take notes for Ernest Marples, a great political figure, around the world, to America and Japan, to see how we could use new techniques—electronic techniques and all the rest—to run the Government better. When I came back, all bright-eyed and bushy-tailed, I met a very senior official, a charming Under-Secretary from the Ministry of Health. I said to him, “You know, I’ve just been in America and Conrad Hilton has this wonderful system. He tracks everything that happens in his hotels: where the money goes, what the clients do and all the rest of it. Your hospitals are really rather like hotels—couldn’t you start doing the same?” He looked at me and shook his head and said, “Mark, before we spend government money on computers, we have to be sure they are here to stay”.
The Earl of Lytton (CB)
My Lords, I start by thanking the Minister for the opportunity to meet him and officials earlier today.
I welcome the stated purpose of the Bill. In my mind, it must be sensible to unify and consolidate the law in this area, and to update its application to more recent technologies. Bringing the GDPR into UK law is unquestionably desirable. I have been impressed by the GDPR’s elegance and sense of purpose, following, as it does—or claims to do—the European Charter of Fundamental Rights in 88 pages of self-reinforcing statements of principles.
I cannot go on without welcoming the EU Select Committee’s report, so ably spoken to by the noble Lord, Lord Jay, who I see is not in his place. I think it is a pity that the report did not have its own slot. Despite acknowledging that the Bill fleshes out the regulation to make it member-state applicable, like the noble Lord, Lord Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112 pages, plus a departmental pack of 247 pages to deal with it all. That all adds to the complexity. I admit that the GDPR conceals its highly challenging requirements in wording of beguiling simplicity under the flag of private rights, but it is no wonder that the European Parliament did not want its handiwork contextualised by inclusion in what we have before us. It is not a particularly encouraging start to bringing 40 years of EU legislation into domestic law.
In what I felt was an inspirational contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her place—referred to the tortuous use of language in parts of the Bill. I agree with her—parts of it are gobbledygook that deny transparency to ordinary mortals. She referred also to my direct ancestor, Ada Lovelace, some of whose expressions of mathematical principles, even for a non-mathematician such as me, make a good deal more sense than parts of the Bill.
The Bill sets out to replace the 1998 Act with new GDPR provisions, meaning new and enhanced rights of data subjects for access, portability and transparency, and duties on controllers on specific consent—not by default, it should be noted—procedural audit trails, a more clearly defined regulatory and supervisory framework, and potential for substantially increased fines for infractions. There is enough that is new, apart from public expectations and the revised geometry as between data subject and data controller, which will naturally give rise to a fresh view of precedent and practice.
Consistency of the Bill with the GDPR core principles, as well as the fundamental rights upon which it is based, will be our focus at the Bill proceeds. A lot of organisations will need to review the way in which they are authorised, in their logging of the origins and possible destinations of personal data they hold, as well as the protocols for responding to requests for information from data subjects. I do not doubt that there will be some pitfalls for the unwary. It may no longer be possible to rely on the continuing acceptability and lawfulness of the previous arrangements under which they have operated, nor to second guess with accuracy how regulation and enforcement will unfold henceforward.
So there may be something going well beyond the more benign narrative of updating, modernising and extending the application on its own. There seem to be some particularly uncharted waters here, with the burden of proof as to compliance and adequacy of arrangements being firmly in the lap of the controller on what looks very like a strict liability basis. That alters the geometry of what will be dealt with.
As regards international cross-jurisdictional data— I am thinking of beyond the EU—I wonder how successfully the proposed arrangements will carry forward in the longer term, bearing in mind that the world market contains numerous players who for their own purposes and advantage might not be that keen to match the standards we claim to set for ourselves. Indeed, the construct of ethical data comes to mind, with all the usual caveats previously associated with ethical foreign policy—the noble Lord, Lord Knight, referred to the ethics; I agree with him that there is a strong threat. That would follow a global principle that sits behind GDPR.
The GDPR is hypothecated on the principle of individual compliance of each processor enterprise, so in a data-processing daisy chain across continents the continued tying in to the tenets of the GDPR is an obvious practical problem with some limitations and it should give us cause for reflection, although I have some admiration for the algorithm that the GDPR sets out to create.
I question how the Government view the ongoing processing of more historical personal data, referred to by other noble Lords, when the purpose for collecting it or the basis for any implied or deemed consent either had not been met or should long since have been refreshed or treated as expired. We all know that old data is still sloshing around in the ether, some of it potentially of dubious accuracy, but I merely point to the fact that this is often an ongoing processing operation without beginning or end point or any apparent possibility of amending or deleting records, as mentioned by other noble Lords. The amount of screening needed to ensure accuracy would be vast. I am entirely unclear that this Bill or the GDPR will improve things for those data subjects for whom this sort of thing can be harmful. I am not thinking just of social media. How will legacy data be dealt with, especially as it does not seem to have been entirely successfully corralled by the 1998 Act or by all other member states under the 1995 data protection directive? I see the correction of that as one of the fundamental principles behind the GDPR—it is the trip wire which has been put there deliberately.
I have concerns about some of the “get out” provisions included in the Bill. The first is the “too difficult” excuse; businesses already use this as a blocking measure. How does one get round the argument that it is too difficult to extract the individual personal data despite knowing that it is the targeted agglomeration of such data, relating to a natural individual, that is the outcome of the processing? The second is that the request is regarded as vexatious. This of course can be concocted by the simple expedient of being evasive towards the first two requests and from the third onwards treating it as repetitive or vexatious—it already happens. I would like reassurance from the Minister that the basic individual rights promised under the GDPR cannot be so circumvented.
The third excuse is “too much data”, referred to by other noble Lords; in other words, there is a lot of personal data held on an individual data subject. Here, there is a provision that the data controller may decline to give information if the precise nature of the data sought is not specified. My impression is that failure of a data subject to specify allows the controller to become unresponsive. If that is the intention, it seems to me to fail the broader test of article 14 of the GDPR, the basic premise of which is that the data subject is entitled to accurate and intelligible information.
It cannot be assumed that the data subject already knows what the scale and nature of the data held actually are or precisely who holds it, although it is clear that the GDPR gives an entitlement to this information. It must follow that, at very least, the controller, in making his “too much data” response, has to identify the general nature, categories and type of data held about that person. I invite the Minister to comment on what is intended. I concur very much with the point so eloquently made by the noble Baroness, Lady Lane-Fox, on the asymmetry of technical knowledge, resource and political clout as between the data subject and the controller, particularly when set against the practical challenge of extracting individual personal data in response to a formal request.
I was reminded of something only yesterday, as a result of a question as to whether a person was or was not at a certain place at a certain time, which was averred by a complainant in a harassment case who used CCTV footage they had created themselves. It was pointed out that the person against whom the complaint was made said they were somewhere else, in a retail premises covered by other CCTV footage. However, it appeared that the retail premises operator would not release the data because it also contained images of other people and there were, accordingly, privacy issues. What is the balance of rights and protections to be in such a case, where somebody faces prosecution?
That leads me to the issue of data collected by public bodies and agencies. I do not think it is generally understood what personal data is shared by police, social services, health bodies and others, some of them mentioned by the noble Lord, Lord Marlesford. Indeed, I am clear that I do not know either, but I believe that many of these agencies hold data in a number of different forms and on a variety of platforms, many of which are bespoke and do not readily talk to other systems. The data are collected for one purpose and used for other purposes, as the noble Lord, Lord Knight, rightly observed. It is on record in debates in this House that some of these bodies do not actually know how many data systems they have, even less what data—whether usable, personal, relevant or accurate, as the case may be—they actually contain. How does one enforce that situation? Some of these databases may not even be operating with the knowledge of the Information Commissioner. There will be an expectation that that is going to be tightened up.
A considerable measure of latitude is afforded to the processing of personal data in the public interest. I will be very brief on this point. I would not rest easy that we have an adequate separation of genuine public interest from administrative convenience and I looked in vain for clarification as to what public interest would amount to in this context. I have to say that I am even more confused than I was when I started. In the longer term it remains to be seen how the GDPR will work, incorporated into UK law, interpreted and enforced firstly through our domestic courts under the aegis of the EU but subsequently on a twin-track basis, when we will be dealing with it ourselves through the precedents of our own judicial system and the same GDPR will be being looked at in a European context elsewhere.
I want the Bill to work; I want to enable proper business use of data and to empower data subjects, as the GDPR promises, with a minimum of obfuscation, prevarication and deceit. Transparency has not been the hallmark of UK data businesses or government administration in this respect, but without it there is no justice, due process or citizen confidence in the rule of law and it will be corrosive if we do not get this right. However, I do not see any fundamental mismatch between this and best business practice, so I look forward to further debates on the Bill as we proceed.
Lord Mitchell (Non-Afl)
My Lords, the Data Protection Act was introduced in 1998. In those days, Facebook, Google and Uber did not exist, Amazon was barely four years old, Apple was tottering under the imminent threat of bankruptcy, search engines were rudimentary, as was the internet itself, and it would be another nine years until the iPhone would be launched. It was, indeed, a very different world. While I welcome the Bill, it remains a fact that when it becomes an Act next year it will be 20 years since its predecessor was enacted. Information and digital technology are growing exponentially. No other industry in the history of the world has even come close to this rate of growth. Legislation needs to match and anticipate the speed of these developments. Certainly, we cannot wait until 2037 for the next Data Protection Act.
Today I am going to raise three issues, which I would like the Minister to respond to. They all centre on the dominant and predatory behaviour of the American big tech giants. I will give your Lordships a striking example of such behaviour from one of them: Apple. In an ideal world, I would like every Member here who has an iPhone to take it out and turn it on, but that probably contravenes the Standing Orders of your Lordships’ House. So I will do the next best thing: I will set out five iPhone directions and, in the cool of the evening, when noble Lords have Hansard in front of them, they can replicate what I am now going to demonstrate.
Click on Settings, then Privacy, then Location Services. Then scroll all the way down until you see System Services, and then scroll halfway down and click on something called Significant Locations. If you are a little behind the times and do not have iOS 11, it is called Frequent Locations. You will probably be asked for a password. Then you will see History and a list of locations. Click on any one of them. Your Lordships will be staggered by what is revealed: every single location that you have visited in the past month—when you arrived, when you left, how long you stayed—all this very private and confidential information is starkly displayed. Who gave Apple permission to store this information about me on my iPhone? It is the default setting, but Apple never asked me. It will argue, of course, that it is private information and it has no access to it—maybe. If you think about it, the opportunities for snooping on people very close to you are endless and dangerous. Now the latest iPhone, the iPhone 8, has facial recognition. It does not take much imagination to work out how somebody could get access to a close member of your family and find out where they have been for the past month, without their permission to do it.
I think it was the noble Baroness, Lady Kidron, who spoke about Apple and its terms and conditions. She said that they were longer than “Hamlet”. I read that the iTunes terms and conditions were longer than “Macbeth”. Well, “Macbeth” or “Hamlet”, whatever it is, it is an awful lot of words. Of course, you have no opportunity to change those terms and conditions. You either agree or disagree. If you disagree, you cannot use the phone. So what choice do you have?
I see this as typical big tech behaviour. These companies run the world according to their rules, not ours. I have long campaigned against the cavalier approach of big tech companies in all aspects of business and personal life. These include Facebook, Amazon, Microsoft, Google and, of course, Apple. I was going to make some quip about the west-coast climate and the breezes of the west coast, but I guess with the news of the past two days that is probably not a good thing to be doing. Big tech companies have become mega-libertarians, positioning themselves above Governments and other regulators. They say they are good citizens and abide by the law. They have corporate mantras which say, “Do no evil”, but they stash away hundreds of billions of stateless, untaxed dollars. They promote end-to-end encryption. They are disingenuous when foreign Governments try to influence democratic elections. Perhaps they do no evil, but neither are they the model citizens they say they are.
So full marks to EU Commissioner Margrethe Vestager for bringing Apple, Google and Amazon to task, and full marks to President Macron for his efforts to set up an EU-wide equalisation tax to ensure that corporation tax is based on revenue, not creative accounting. I know that this is a DCMS Bill and international taxation is outside the Minister’s brief, but I have heard the Prime Minister criticise these tax dodges by big tech so I ask him or his colleagues in the Treasury: will the Government support the French President in this campaign?
I now turn to another area which is giving me great concern, which is digital health and health information in general. One of the great treasures we have in this country concerns our population’s health records. The NHS has been in existence since 1948 and in those 70 years the data of tens of millions of patients have been amassed. They are called longitudinal data, and they are a treasure trove. Such data can be instrumental in developing drugs and advanced medical treatment. Few other countries have aggregated such comprehensive health data. It puts us in pole position. However, in 2016 Royal Free London NHS Foundation Trust sold its rights to its data to a company called DeepMind, a subsidiary of—yes, noble Lords have guessed it—Google. The records of 1.6 million people were handed over. In June this year, Taunton and Somerset NHS Foundation Trust signed a similar deal with DeepMind. The data are being used to create a healthcare app called Streams, an alert, diagnosis and detection system for acute kidney injury, and who can object to that? However, patients have not consented to their personal data being used in this way.
Ms Elizabeth Denham, the Information Commissioner, has said that the Royal Free should have been more transparent and that DeepMind failed to comply with the existing Data Protection Act, but the issue is much graver than not complying with the Act. I do not know this for sure, but if I had to bet on who negotiated the better deal, Google or the Royal Free, I know where my money would be. DeepMind will make a fortune. I put this to the Minister: does he agree that NHS patient data are a massive national asset that should be protected? Does he agree that this mass of patient data should not be sold outright in an uncontrolled form to third parties? I know the NHS is strapped for cash, but there are many better ways of maximising returns. One way would be for NHS records to be anonymised and then licensed rather than sold outright, as is common with much intellectual property. I also believe that the NHS should have equity participation in the profits generated by the application of this information. After all, to use the vernacular of venture capital, it, too, has skin in the game.
As today’s debate has shown, there are fundamental questions that need to be answered. I have posed three. First, what protection will we have to stop companies such as Apple storing private data without our express permission? Secondly, will the UK support the French President in his quest for an equalisation tax aimed at big tech? Finally, how can we protect key strategic data, such as digital health, from being acquired without our permission by the likes of Google?
Viscount Eccles (Con)
My Lords, I think I should introduce my wife to the noble Lord, Lord Mitchell. She has some worries about Apple and, come to think of it, she has probably been snooping on me.
I shall spend my time on the European Union Committee’s third report. I very much welcome the Motion tabled by the noble Lord, Lord Jay, and the very measured way he introduced the report. I heartily agree with the noble Lord, Lord Stevenson, and my noble friend Lady Neville-Jones that we want the committee to go on studying these matters so that we come to understand them better than we do. That seems very important because an aspect of this Bill is that it is a pre-Brexit negotiation Bill. All the things in the Bill are of massive interest, as has been illustrated, but, as I understand it, in the Government’s mind it is a preparation for the negotiations that will inevitably follow, given the timing of the introduction of the GDPR and the triggering of Article 50. Of course, the provisions of the GDPR come under the single market in the systems of the European Union, which makes it even more important that we think very carefully about where we are and how we can make the best of it.
I have to admit that I do not think the starting point is a very good one. It seems to me that we used to understand that the European Union method of negotiation was that nothing is agreed until everything is agreed, but it has thrown that out of the window and this is not the way this negotiation is going. If nothing is agreed until everything is agreed, you have to have discussed everything before you come to the conclusion, but this is not where we are. The Commission keeps saying, “You are bad boys and have not offered us enough”, so the starting point is not very good, which raises the question of where data protection will come in to these negotiations.
I admire the Explanatory Notes—as I think the noble Lord, Lord Stevenson, did—which are a pretty good document compared to other Explanatory Notes that I have seen in the past. I was also interested in the August statement of intent, which was full of good intentions. But I think I rely more on the evidence that was given to the committee of the noble Lord, Lord Jay, and on that committee’s conclusions. Its central conclusion was that we should seek to achieve an “adequacy” decision. The report goes on, positively, to make recommendations on other difficulties such as the arrangements with the United States, as well as on the maintenance of adequacy, how it might be achieved and the continuance of shared policy.
I will offer just a word about “adequacy” and the use of language. The word “fairly”, which has no meaning in a court, has been used this afternoon. The word “adequacy” is pretty subjective. It has always been the Commission’s tendency to want to use words that are difficult to understand and have no clear meaning in English, such as “subsidiarity”—although that has not come into this part of our campaigning. Common sense tells us that both we and the European Union would be sensible to want to maintain data flows, with adequate protection. That is to say, although the present regime is not perfect, we would want it to continue and to improve.
However, unfortunately, our Brexit vote of no confidence in the Commission and in the project that it pursues has left us in an embarrassing and, it must be said, unfriendly negotiating atmosphere. What is more, our previous contributions following the Council of Europe’s Convention 108 have been very considerable. We not only started the ball rolling, together with many other members of the European Union—Germany, Austria, France and so on—with legislation in 1984, but we assisted a great deal in the run-up to the directive of 1995, when the European Union came into the action, somewhat after it had started; 10 years in fact. Then we had the 1998 Act, on which people have commented. With its 74 clauses and 16 schedules, it has done rather well in the circumstances of a changing world. However, that now seems not to help us with the Commission. We have been very helpful but now we have decided to walk off the pitch, and I think people do not like it if you leave in the middle of the game.
What we need from the Commission, as we have had on other occasions, is a flexibility of response, but I am afraid that is not the Commission’s strong point. Nor is its attitude to the Council of Europe, which started the process of Convention 108. I am not convinced that it will be full of joy at the Council of Europe modernising Convention 108. The EU has made an effort to become a member of the Council of Europe, so far unsuccessful. A personal reflection: if it were to be successful, with 27 or 28 votes out of 47, I suppose it would hope to take charge.
We are the defaulters, seen as obstinate, self-interested and unable to recognise the need for ever-closer union. And so we have this Bill. It is a sensible effort to get and remain in line with EU regulation—to show and share equivalence—even if in two places, I suspect much to the parliamentary draftsman’s distress, we qualify it with the adverb “broadly”. I am also sure we are right that we should be looking for an adequacy decision but, despite the excellent report and its very clear and admirable conclusions, will the Commission reciprocate? It will always be easy to quibble with third-country adequacy. It is a very complex subject and there will never be any difficulty in disagreeing with something; your Lordships have demonstrated that very clearly this afternoon. There is no perfect answer, certainly not one that will withstand the changes that make even a very good answer not such a good one later. So I am afraid my conclusion is that, unless things change, the Commission will continue to find fault with however manfully we try to satisfy its requirements. Is there then a chance that there will be some political intervention, some repetition of the statesmanlike behaviour of European politicians in 1949, the starting year of the Council of Europe? We have about a year to find out. Maybe, but I would not bet on it. No deal on this matter by default seems increasingly likely.
Viscount Colville of Culross (CB)
My Lords, I am going to deal with my concerns about how the Bill might affect journalism and free speech. I declare my interest as a series producer at ITN Productions.
In the fast-changing world of the digital revolution, it is beholden on noble Lords to be vigilant about the way in which our personal data is now so readily available to so many people to be processed in so many ways, more than many of us ever conceived. I am glad that the GDPR has been brought forward and that this Bill protects further the availability and use of personal information. However, I am concerned that these new privacy rights will be balanced with further limitations on the freedom of the press and the ability of journalists to carry out investigative journalism in the public interest, which I believe was one of the original aims of the Data Protection Act 1998.
At the moment, data protection legislation is being used to control unwelcome exposure of incriminating personal information by journalists. We have seen cases such as that of Prince Moulay v Elaph Publishing, in which the original case for defamation was thrown out as not libellous, only for the Prince to instigate proceedings for the incriminating information against him to be removed from the public sphere using data protection law, despite the intention of the original Act being that there should be an exemption for journalism.
I understand the sentiment behind the “right to be forgotten” clause. Of course, many people want their youthful indiscretions to be forgotten and, for most, it is important that they should be. This concept is based on the Costeja v Google Spain case, which stopped links being made to personal information in search results. However, the courts are now being tested to see whether the original information itself can be suppressed.
In the age of fake news, it has never been more important to be able to go back to source material to check original data against more recent updates and deletions. Noble Lords will have heard of click bait, where sites are specifically set up to shock with false information to attract eyeballs—as they call them in the industry—and make money from the resultant advertising. Noble Lords must not suppress the means to refute such fake news and ascertain the truth.
So I am very pleased that GDPR article 17 has an exemption for publication of data for free speech and the holding of archives in the public interest, further safeguarded in article 89. However, Clause 18, which indeed provides welcome protection for many archives held in the public interest—for instance, those for historical, scientific and statistical purposes—does give protection to cover media archives.
My concern is that past media articles are an important source for verifying information. They might hold reports of criminal convictions of the person or information about a politician’s past which, years later, when they are trying to stand for office, might prove embarrassing but informative for voters. Surely business people, voters and many others should have full access to the information in those archives, whether it is embarrassing or not. This information helps them to shape a fuller profile of the person whose reputation they are trying to assess.
In the digital age, there are millions of opinions, but refuting falsehoods or discovering the truth has never been more difficult. The only way to do that is through source material on trusted websites or archives, where the information has been mediated and checked. I suggest that websites holding archives of trusted media organisations should be protected by and covered in the Bill. The inherent public interest in such archives should be explicitly recognised, as provided in the GDPR.
I am pleased that there is an exemption for data processing for journalism in Schedule 2, part 5, paragraph 24. However, in sub-paragraph (2), there is concern that the exemption applies only when the processing of data is used for journalism. If this information, once it has been gathered for journalism, is subsequently used by the regulators or the police, the use of the word “only” will negate that exemption. I ask the Minister to look at that again.
I am also concerned about the extension of the powers of the ICO prior to publication to examine whether information is exempt from data protection provisions because it is being processed for journalism. GDPR article 6 contains an obligation to consult the Information Commissioner, but Clause 164 goes much further. It enhances the power of the ICO to examine the application of the exemptions for journalism prior to publication and unilaterally second-guess editorial decisions made in respect of the provisions in the Bill.
This means that if a journalist is investigating, for instance, people smugglers, involving undercover filming or subterfuge which is deemed to create a high risk to data subjects, the ICO can intervene prior to publication. The commissioner has the power to apply their objective view to the claim, which might overwrite and disregard the reasonable view of an editor. The ICO might, for example, call for the individual being investigated to be notified in advance that their data is being used, or that they should be given access to additional data being held about them as part of the journalistic investigation.
In my view, this is not even consistent with the terms of journalistic exemption. It would result in investigative journalism being delayed or even stopped until the ICO has examined it for compliance with part of the Act prior to publication. The provision could act as a form of censorship. The existing right of the editor to decide whether the story should go ahead in the public interest will therefore be eroded. I suggest that Clause 164 should be amended to ensure that investigative journalism is not chilled by the extension of powers of intervention by the ICO prior to publication.
Finally, I am concerned that there is no time limit on the right to sue in respect of information processed for special purposes, which continues to be retained or published in the media archive. Under the Defamation Act, that limitation was one year from the date of publication. Under this Bill, there is no limitation. Surely, if information is inaccurate, the complainant should sue within a specific period. The longer the case is delayed from the original publication date, the more difficult it is to refute the allegations. The journalist could move on, contact with the original source material might be lost, memories blurred and notes, even those held digitally, mislaid. Complainants must have the right to complain, but there must be a balance with the time period when that can be done. A failure to have a period of limitation will surely be a chilling effect on the publication of information.
I welcome this Bill as an important advance in protecting privacy in the digital age, but I am concerned that some of its provisions do not yet strike the right balance between privacy and free speech. I ask the Minister to take my concerns seriously.
Baroness Neville-Rolfe (Con)
My Lords, I congratulate our Ministers and the Government on bringing this Bill to our House in this timely way. It is extremely technical—and herein lies a danger, because it is also very important and covers matters that can be expected to become even more important over time. We must therefore put aside the temptation to think that technical matters are somehow of lesser importance, simply because we do not fully understand them. I declare an interest as the Minister responsible when the EU parent of this Bill, the GDPR, was adopted. While I saw it as a necessary single market measure and a modernising one, there were a number of provisions that we could have done without, mostly introduced by the European Parliament, such as requiring a specific age of consent, which the Government have now proposed should be 13 in the UK, in line with the United States.
In contrast, as always, our UK approach is market opening. We want a competitive, growing Europe, and we want the digital revolution, with its subset artificial intelligence, to continue to stoke growth. But some in the EU have always been most concerned with giving citizens back control over their personal data, an issues that assumed particular importance following the release of documents involving Chancellor Merkel by WikiLeaks. To be fair, the UK has also in this case stated its wish to simplify the regulatory environment for business, and we need to make sure that that actually happens here in the UK. Committee will give us the chance to talk about the merits of the digital revolution and its darker side, which we touched on during the excellent debate led by the noble Baroness, Lady Lane-Fox. I shall not go over that ground again now, but I add one point to the story told by the noble Lord, Lord Mitchell: my Google Maps app now highlights the location of future engagements in my diary. So that is pretty challenging.
I shall touch as others have done on three concerns. According to the Federation of Small Businesses, the measures represent a significant step up in the scope of data protection obligations. High-risk undertakings could phase additional costs of £75,000 a year from the GDPR. The MoJ did an impact assessment in 2012, which is no doubt an underestimate, since it did not take account of the changes made by the European Parliament, which estimated the cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure if that covers charities or public organisations or others who have expressed concerns to me about the costs and the duties imposed. Then there are the costs of the various provisions in the Bill, many levelling up data protection measures outside the scope of the GDPR. It is less confusing, I accept, but also more costly to all concerned.
The truth is that overregulation is a plague that hits productivity. Small businesses are suffering already from a combination of measures that are justified individually—pension auto-enrolment, business rates and the living wage—but together can threaten viability at a time of Brexit uncertainty. We must do all we can to come to an honest estimate of the costs and minimise the burden of the new measures in this legislation.
Also, I know that CACI, one of our leading market analysis companies working for top brands such as John Lewis and Vodafone, thinks that the provisions in the Bill are needlessly gold-plated. Imperial College has contacted me about the criminalisation of the re-identification of anonymised data, which it thinks will needlessly make more difficult the vital security work that it and others do.
The noble Lord, Lord Patel, and the noble Baroness, Lady Manningham-Buller, were concerned about being able to contact people at risk where scientific advance made new treatments available—a provision that surely should be covered by the research exemption.
The second issue is complication. It is a long and complicated Bill. We need good guidance for business on its duties—old and new, GDPR and Data Protection Bill—in a simple new form and made available in the best modern way: online. I suggest that—unlike the current ICO site—it should be written by a journalist who is an expert in social media. The Minister might also consider the merits of online training and testing in the new rules. I should probably declare an interest: we used it in 2011 at Tesco for the Bribery Act and at the IPO for a simple explanation of compliance with intellectual property legislation.
The third issue is scrutiny. I am afraid that, as is usual with modern legislation, there are wide enabling powers in the Bill that will allow much burdensome and contentious subordinate detail to be introduced without much scrutiny. The British Medical Association is very concerned about this in relation to patient confidentiality. Clause 15, according to the excellent Library Note, would allow the amendment or repeal of derogations in the Bill by an affirmative resolution SI, thereby shifting control over the legal basis for processing personal data from Parliament to the Executive. Since the overall approach to the Bill is consensual, this is the moment to take a stand on the issue of powers and take time to provide for better scrutiny and to limit the delegated powers in the Bill. Such a model could be useful elsewhere—not least in the Brexit process.
There are two other things I must mention on which my noble friend may be able to provide some reassurance. First, I now sit on the European Union Committee. I am sorry that duties there prevented me sitting through some of this important debate; we were taking important evidence on “no deal”. As the House knows, the committee is much concerned with the detail of Brexit. Data protection comes up a lot—almost as much as the other business concern, which is securing the continued flow of international talent. I would like some reassurance from my noble friend Lady Williams about the risks of Brexit in the data area. If there is no Brexit deal, will the measures that we are taking achieve equivalence—“adequacy”, in the jargon—so that we can continue to move data around? What international agreements on data are in place to protect us in the UK and our third-country investors? Under an agreed exit, which is my preference, is there a way that our regulator could continue to be part of the European data protection supervisory structure and attend the European Data Protection Board, as proposed by the noble Lord, Lord Jay of Ewelme, the esteemed interim chairman of our European Union Committee—or is that pie in the sky?
Secondly, there is a move among NGOs to add a provision for independent organisations to bring collective redress actions for data protection breaches. I am against this proposal. In 2015 we added such a provision to competition legislation—with some hesitation on my part. This provision needs to demonstrate its value before we add parallel provisions elsewhere. It is in everyone’s interests to have a vibrant economy, but business is already facing headwinds in many areas, notably because of the uncertainty surrounding Brexit. In future it will be subject to a much fiercer data protection enforcement regime under our proposals.
I have talked about the costs and others have mentioned the new duties and there will be maximum fines of up to 4% of turnover for data breaches, compared with £0.5 million at present. We certainly do not need yet another addition to the compensation culture. This could reduce sensible risk taking and perversely deter the good attitudes and timely actions to put things right that you see in responsible companies when they make a mistake. There is a real danger that the lawyers would get to take over in business and elsewhere and give the Bill a bad name. That would be unfortunate.
However, in conclusion, I welcome the positive aspects of this important Bill and the helpful attitude of our Ministers. I look forward to the opportunity of helping to improve it in its course through the House.
Baroness O’Neill of Bengarve (CB)
My Lords, as the last speaker before the winding speeches, I think it is my duty to be extremely brief, so I will try. We have had nearly 20 years of the Data Protection Act. We need this legislation because, if nothing else were the case, the United Kingdom will remain in the European Union on 18 May next year, which is the date of implementation of the new regulation, so we have to do something.
I will make a few rather sceptical remarks about the long-term viability of data protection approaches to protecting privacy. They have, of course, worked, or people have made great efforts to make them work, but I think the context in which they worked, at least up to a point, has become more difficult and they are less likely to work. The definition of personal data used in data protection approaches, and retained here, is data relating to a living individual who is identified, or can be identified, from the data. It is that modal idea of who can be identified that has caused persistent problems. Twenty years ago it was pretty reasonable to assume that identification could be prevented provided one could prevent either inadvertent or malicious disclosure, so the focus was on wrongful disclosure. However, today identification is much more often by inference and it is very difficult to see how inference is to be regulated.
The first time each of us read a detective story, he or she enjoyed the business of looking at the clues and suddenly realising, “Ah, I know whodunnit”. That inference is the way in which persons can be identified from data and, let us admit it, not merely from data that are within the control of some data controller. Data protection is after all in the end a system for regulating data controllers, combined with a requirement that institutions of a certain size have a data controller, so there is a lot that is outside it. However, if we are to protect privacy, there is, of course, reason to think about what is not within the control of any data controller. Today, vast amounts of data are outwith the control of any data controller: they are open data. Open data, as has been shown—a proof of concept from several years ago—can be fully anonymised and yet a process of inference can lead to the identification of persons. This is something we will have to consider in the future in thinking about privacy.
Moreover, throughout the period of data protection, one of the central requirements for the acceptable use of otherwise personal data has been that consent should be sought, yet the concepts of consent used in this area are deeply divisive and various. In commercial contexts, consent requirements are usually interpreted in fairly trivial ways. When we all download new software, we are asked to accept terms and conditions. This is called an end-user licence agreement. You tick and you click and you have consented to 45 pages of quite complicated prose that you did not bother to read and probably would not have understood if you had maintained attention for 45 pages. It does not much matter, because we have rather good consumer protection legislation, but there is this fiction of consent. However, at the other end of the spectrum, and in particular in a medical context, we have quite serious concepts of consent. For example, to name one medical document, the Helsinki Declaration of the World Medical Association contains the delicious thought that the researcher must ensure that the research participant has understood—then there is a whole list of things they have to understand, which includes the financial arrangements for the research. This is a fiction of consent of a completely different sort.
We should be aware that, deep down in this legislation, there is no level playing field at all. There are sectoral regimes with entirely different understandings of consent. We have, in effect, a plurality of regimes for privacy protection. Could we do otherwise or do better? I will not use any time, but I note that legislation that built on the principle of confidentiality, which is a principle that relates to the transfer of data from one party to another, might be more effective in the long run. It would of course have to be a revised account of confidentiality that was not tied to particular conceptions of professional or commercial confidentiality. We have to go ahead with this legislation now, but it may not be where we can stay for the long run.
Lord Paddick (LD)
My Lords, this has been an interesting, and for me at times a rather confusing, debate on the issues associated with the Bill. The Bill is complex, but I understand that it is necessarily complex. For example, under European law it is not allowed to reproduce the GDPR in domestic legislation. The incorporation of the GDPR into British law is happening under the repeal Bill, not under this legislation. Therefore, the elephant and the prints are in the other place rather than here.
We on these Benches welcome the Bill. It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit, together with the permitted derogations from the GDPR available to all EU member states. For that reason it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union.
We also welcome the extension of the effect of the GDPR—the rules and regulations that the GDPR provides—to other areas that are currently covered by the Data Protection Act 1998 but which are outside the scope of the GDPR, thus, as far as I understand it, providing a consistent approach to data protection across the piece. This leaves law enforcement and national security issues outside of the scope of GDPR and the “applied GDPR”, which are covered in Parts 3 and 4.
The enforcement regime, the Information Commissioner, is covered in Part 5, because we will repeal the Data Protection Act 1998 and so we need to restate the role of the Information Commissioner as the person who will enforce, and we will need to explore concerns that we have in each part of the Bill as we go through Committee. However, generally speaking, we welcome the Bill and its provisions.
Of course, what the Government, very sensibly, are trying to do but do not want to admit, is to ensure that the UK complies with EU laws and regulations—in this case in relation to data protection—so that it can continue to exchange data with the EU both before and after Brexit. All this government hype about no longer being subject to EU law after Brexit is merely the difference between having to be subject to EU law because we are a member of the EU and having to be subject to EU law because, if we do not, we will not be able to trade freely with the EU or exchange crime prevention and detection intelligence, and counterterrorism intelligence, with the EU. That is the only difference.
For most aspects of data exchange, compliance with the GDPR is required. The GDPR is directly applicable, so it cannot simply be transposed into this Bill. Coupled with the derogations and applying the GDPR to other aspects of data processing not covered by the GDPR makes this part of the Bill complex—and, as I suggest, probably necessarily so.
For law enforcement purposes, data exchange is covered by an EU law enforcement directive, which can be, and has been, transposed to form Part 3 of the Bill as far as I understand it. A data protection regime for the processing of personal data by the intelligence services—in the case of the UK, MI5, MI6 and GCHQ —is covered by Council of Europe Convention 108. Part 4 of the Bill is based on a modernised draft of Convention 108, which has yet to be formally agreed, but this puts the UK in effect slightly ahead of the curve on that aspect of regulation.
Clearly, we need to probe and test the derogations allowed under the GDPR that are proposed in the Bill, particularly when hearing about the potential consequences, as outlined by, for example, the noble Viscount, Lord Colville of Culross. We also need to examine whether applying GDPR rules and regulations to other areas of data processing provides equivalent or enhanced safeguards compared with those provided by the Data Protection Act, and we need to ensure that the safeguards provided by the law enforcement directive and Council of Europe Convention 108 are provided by the Bill.
As regards our specific concerns, as my noble friend Lord McNally mentioned in his opening remarks and as reinforced by my noble friend Lady Ludford, if the Bill results in a refusal to allow not-for-profit bodies to exercise Articles 77 to 79 to pursue data protection infringements on their own accord, we will have to challenge that, but perhaps the Minister can clarify whether that is the case.
As my noble friend Lady Ludford also mentioned, along with the noble Baroness, Lady Jay of Paddington, various provisions to allow Ministers to alter the application of the GDPR by regulation is something that we need much further scrutiny of, albeit that Ministers’ hands are likely to be tied by the requirement to comply with changing EU law after Brexit—de facto even if not de jure. Could it be—perhaps the Minister can help us here—that the purpose of these powers, put into secondary legislation, is to enable the UK to keep pace with changes in EU law after Brexit?
Although we welcome the ability of individuals to challenge important wholly automated decisions, requiring human intervention at the request of the data subject, research shows that the application of algorithms and artificial intelligence, even in machine learning of language, can result in unfair discrimination. Even when human decision-making is informed by automated processes, safeguards still need to be in place to ensure fairness, such as transparency around what the automated processes involve. While decisions around personal finance, such as credit scoring and the assessment of insurance risk, are important, in the United States the application of algorithms in the criminal justice arena has resulted in unfair discrimination that has even more serious consequences for individuals. Even if such automated processes are yet to apply to the UK criminal justice system, the Bill must safeguard against future developments that may have unintended negative consequences.
As other noble Lords have said, we have concerns about the creation of a criminal offence of re-identification of individuals. As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising re-identification could allow businesses to relax the methods that they use to try to anonymise data on the basis that people will not try to re-identify individuals because it is a criminal offence.
Despite what is contained in this Bill, we have serious concerns that there are likely to be delays to being granted data adequacy status by the European Commission when we leave the EU. That means that there would not be a seamless continuation of data exchange with the EU 27 after Brexit. We also have serious concerns, as does the Information Commissioner, that there are likely to be objections to being granted data adequacy status because of the bulk collection of data allowed for under the Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said in his opening remarks. We also intend to revisit the issue of the requirement under international human rights law, and upheld by the European Court of Human Rights in 2007, that as soon as notification can be made without prejudicing the purpose of surveillance after its termination, information should be provided to the persons concerned.
As the noble Baroness, Lady Lane-Fox, mentioned, it is essential that the Information Commissioner is provided with adequate resources. My understanding is that there has been a considerable loss of staff in recent times, not least because commercial organisations want to recruit knowledgeable staff to help them with the implementation of GDPR, plus the 1% cap on public sector pay has diminished the number of people working for the Information Commissioner. It is absolutely essential that she has the resources she needs, bearing in mind the additional responsibilities that will be placed upon her.
The age of consent will clearly be an interesting topic for discussion. What we are talking about here is at what age young people should be allowed to sign up to Facebook or other social media. Most of us would acknowledge that children have a greater knowledge and are more computer literate than their parents and grandparents. As one of the surveys mentioned this evening showed, it would be very easy for young people to circumvent rules around the age of consent as set in legislation. For example, any teenager would know how to make the internet believe that they were in the United States when they were physically in the United Kingdom, and therefore they would have to comply only with any age of consent set in America. While I understand the burning desire for people to protect children and ensure that they are not exploited through social media, one has to live in the real world and look for solutions that are actually going to work: for example, educating young people on how to avoid being groomed online and the dangers of social media, and informing parents about how they can keep an eye on their children’s activities, rather than trying to set an unrealistic target for the age at which someone could sign up.
Finally, the noble Lord, Lord Mitchell, talked about the data privately stored on iPhones, which was informative. Last week, I was rather shocked when, in California, I went to a gym that was rather busy. I looked on Google Maps, which very helpfully informed me when the busiest times were in that particular gym on that particular day. I found that very useful, but I found it very frightening that it also told me that I had been at that gym three hours before.
Lord Kennedy of Southwark (Lab)
My Lords, we welcome the Bill generally and support the main principles, but that is not to say that we do not have issues that we intend to raise during the passage of the Bill where we believe that improvements could be made. We will certainly test the Government’s assertion that the Bill will ensure that we can be confident that our data is safe as we make the transition into a future digital world.
My noble friend Lord Knight of Weymouth highlighted some of the challenges that we face in the use of data, the consent that we give and how we can have greater control—or, in fact, any control at all—as data and the use of data grow exponentially. In his contribution, the noble Lord, Lord Marlesford, highlighted the complexity of these matters. That is the problem—the constant growth in complexity and our ability to understand the changes as they run away with themselves. We are aware that there will be a number of government amendments to the Bill. When we see those, we will be able to take a view on them. But the fact that we can expect such a large number at this early stage of the Bill makes one wonder how prepared the Government are for this new challenge.
The broad aim of the Bill is to update the UK’s data protection regime in accordance with the new rules, as agreed at European level. It is important as we prepare to leave the European Union that we have strong, robust laws on data protection that ensure that we have up-to-date legislation that is on a par with the best in the world to protect individuals, businesses and the UK as a whole and to play our part in ensuring that the UK remains a place where it is difficult for criminals to operate. As the noble Lord, Lord Jay, said in his contribution covering the report of the European Union Home Affairs Sub-Committee, the amount of cross-border data flows to the UK cannot be overstated, with services accounting for 44% of the UK’s total global exports and three-quarters of the UK’s cross-border data flows being with other EU countries. The UK must remain a place where people and organisations all over the world want to do business and a place that has safety and robust protection at its heart.
The noble Baroness, Lady Lane-Fox of Soho, made important points about the need for the UK to be the best and safest place in the world to trade online. Her contribution to debates in your Lordships’ House to make the Bill the best it can be will be of vital importance as the Bill makes progress. The noble Baroness is right that a lot of education is needed to prepare the public and business for the changes.
The concerns of business must be taken into account. When the noble Baroness, Lady Williams of Trafford, responds to the debate, I hope she will refer to the concerns expressed by small businesses. In particular, will she explain what plans the Government have to ensure that small businesses are aware of the changes and the action that they need to take? These are the sorts of businesses that are the backbone of the country. They are not able to employ expensive lawyers or have compliance departments to advise them on the action that needs to be taken. We need a targeted awareness campaign from the Government and the regulator and small-business-friendly support and guidance rolled out in good time so that the necessary changes can be made. I fully understand the concerns that businesses have in this regard and the Government must respond to those positively.
The Bill implements the general data protection regulation—GDPR—standards across all general data processing and the Opposition support that. As we have heard in the debate, the UK will need to satisfy the European Commission that our legislative framework ensures an adequate level of protection. The Commission will need to be satisfied on a wide variety of issues to give a positive advocacy decision, and when we leave the European Union we will still have to satisfy the high adequacy standards to ensure that we can trade with the European Union and the world. Those too are matters that we will test in Committee.
Important principles of lawfulness in obtaining data and the consent of individuals to their data being held are set out in the Bill. My noble friend Lady Jay of Paddington made important points about how to achieve a better-educated public about the use of their data, the media and online literacy, and the risks to them of the abuse of their data.
The additional GDPR rights which strengthen and add to an individual’s rights, as set out in the Data Protection Act 1998, are a positive step forward. We have all seen examples of people’s data being held unlawfully and the measures in this Bill should help in that respect. There is also the issue of data held about all of us that is confidential, such as medical and health data, and ensuring that it is processed in a confidential way is something we would all support, alongside the proper use of health data to combat disease and improve healthcare through proper research. A number of noble Lords have made reference to that, and certainly nothing should be done which would endanger research that saves lives.
The right to be forgotten is an important concept, particularly where the consent was given as a child, although we will want to probe why the right of erasure of personal data is restricted to 18 years and above, particularly when the consent may have been given when the individual was 13 years of age. Cyberbullying is a dreadful experience for anyone and it is important that we are very clear during the passage of the legislation on how people are able to protect themselves from this abuse. The Bill will formalise the age at which a child can consent to the processing of data at 13 years in the UK, which is the lowest possible age in the EU. The right reverend Prelate the Bishop of Chelmsford referred to this point in his contribution and I agree with him about the need for further consultation with parents and the public, a point also made by the noble Baroness, Lady Howe.
The noble Baroness, Lady Kidron, made an excellent contribution and she is right to say that children are no match for a number of the very powerful tech companies. I too read carefully the briefings from the Children’s Society and YoungMinds on this matter. All the major online platforms have a minimum user age of 13, although the vast majority of young people—some 73% according to the survey—have their first social media account before they are 13. This is an issue that will rightly get a lot of attention from noble Lords. On reading the briefing note I could see the point being made that setting the age at 16 could have an adverse effect in tackling grooming, sexual exploitation and abuse. If we wanted to go down the route of increasing the age when someone can consent to the use of their personal data, we must at the same time make significant changes to the grooming and sexual offences legislation, again a point made by the noble Baroness, Lady Howe, in her remarks. It would be wrong to make this change in isolation because it actually risks making the online world more dangerous for young people.
In responding to the debate, will the noble Baroness, Lady Williams of Trafford, set out how the Government decided that 13 was the appropriate age of consent for children to access social media and does she believe, as I do, that the social media companies need to do much more to protect children when they are online? What consultation did the Government undertake before deciding that 13 years was the correct age, a question put by many noble Lords in the debate?
There are also the important issues of protecting vulnerable people in general, not only children but the elderly as well. As my noble friend Lord Stevenson of Balmacara said, the Government have an opportunity to allow independent organisations acting in the public interest to bring collective redress actions or super-complaints for breaches in data protection rules. They have not done so, and this may be an error on their part as the super-complaint system works well in other fields. It would enable an effective system of redress for consumers to be put in place. It could also be contended that just having such a system in place would have a positive effect in terms of organisations making sure that they are compliant and not tempted to cut corners, and generally make for a stronger framework.
The Opposition support the approach of transposing the law enforcement directive into UK law through this Bill. It is important that we have consistent standards across specific law enforcement activities. In the briefing, the Information Commissioner raised the issue of overview and scope as detailed in Clause 41. It would be helpful, when responding to the debate, if the Minister could provide further clarification in respect of the policy intention behind the restriction on individuals being able to approach the Information Commissioner to exercise their rights.
The processing of personal data by the intelligence services is of the utmost importance. Keeping their citizens safe is the number one priority of the Government. We need to ensure that our intelligence services have the right tools and are able to work within modern international standards, including the required safeguards, so that existing, new and emerging threats to the safety and security of the country are met. These are fine lines and it is important that we get them right.
The point made by a number of noble Lords, including the noble Lord, Lord Jay, and the noble Baroness, Lady Ludford, that our position as a third country on leaving the EU may leave us subject to meeting a higher threshold is a matter for concern. I hope the noble Baroness, Lady Williams, will respond to that specific point when she replies to the debate.
The Information Commissioner having an independent authority responsible for regulating the GDPR—which will also act as the supervisory authority in respect of the law enforcement provisions as set out in Part 3 of the Bill—is welcome, as is the designation of the commissioner as the authority under Convention 108. I welcome the proposal to consult the commissioner on legislation and other measures that relate to data processing. The commissioner has an important international role and I fully support her playing a role in the various EU bodies she engages with, up until the point when we leave the EU. We must also be satisfied in this House that we have sufficiently robust procedures in place so that we will work closely with our EU partners after we have left the EU. Failure to do so could have serious repercussions for the UK as a whole, our businesses and our citizens. Data flows in and out of the UK are a complex matter and the regulator needs authority when dealing with others beyond the UK. That is something we will have to test carefully as the Bill passes through your Lordships’ House.
The clauses of the Bill in respect of enforcement are generally to be welcomed. It is important that the commissioner retains the power to ensure data is properly protected. I agree very much with the noble Lord, Lord McNally, about the importance of ensuring that the Information Commissioner remains adequately funded. It is right that those powers are used proportionally in relation to the specific matters at hand, using, where appropriate, non-criminal enforcement, financial penalties and, where necessary, criminal prosecution. As I said, we need a proper programme of information to ensure that small businesses in particular are ready for the changes and new responsibilities they will take on.
One of the issues we have to address is the challenge that technology brings and how our legislation will remain fit for purpose and accepted by other competent authorities outside our jurisdiction—particularly by the European Union after we leave it.
In conclusion, this in an important Bill. As the Opposition, we can support its general direction, but we have concerns about the robustness of what is proposed. We will seek to probe, challenge and amend the Bill to ensure that it really does give us the legalisation the UK needs to protect its citizens’ data and its lawful use.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, this has been a lengthy but excellent debate. I very much welcome the broad support from across the House for the Bill’s objectives; namely, that we have a data protection framework that is fit for the digital age, supports the needs of businesses, law enforcement agencies and other public sector bodies, and—as the noble Lord, Lord Kennedy, said—safeguards the rights of individuals in the use of their personal data.
In bringing the Bill before your Lordships’ House at this time, it is fortunate that we have the benefit of two recent and very pertinent reports from the Communications Committee and the European Union Committee. Today’s debate is all the better for the insightful contributions we have heard from a number of members of those committees, namely the noble Lord, Lord Jay, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, the right reverend Prelate the Bishop of Chelmsford and my noble friend Lady Neville-Rolfe.
In its report Growing Up with the Internet, the Communications Committee noted with approval the enhanced rights that the GDPR would confer on children, including the right to be forgotten, and asked for those rights to be enshrined in UK law as a minimum standard. I am pleased to say the Bill does just that. The European Union Committee supported the Government’s objective to maintain the unhindered and uninterrupted flow of data with other member states following the UK’s exit from the EU. Understandably, the committee pressed the Government to provide further details of how that outcome will be achieved.
With the provisions in the Bill, the UK starts from an unprecedented point of alignment with the EU in terms of the legal framework underpinning the exchange and protection of personal data. In August, the Government set out options for the model for protecting and exchanging personal data. That model would allow free flows of data to continue between the EU and the UK and provide for ongoing regulatory co-operation and certainty for businesses, public authorities and individuals. Such an approach is made possible by the strong foundations laid by the provisions in the Bill.
In other contributions to this debate, we have had the benefit of a wide range of experiences, including from noble Lords who are able to draw on distinguished careers in business, education, policing or the Security Service. In doing so, noble Lords raised a number of issues. I will try to respond to as many of those as I can in the time available, but if there are specific points, as I am sure there will be, that I cannot do justice to now, both my noble friend Lord Ashton and I will of course follow up this debate with a letter.
A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.
Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.
A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.
The noble Baroness, Lady Kidron, queried the status of Article 8 of the European Charter of Fundamental Rights, which states:
“Everyone has the right to the protection of personal data concerning him or her”.
The Bill will ensure that the UK continues to provide a world-class standard of data protection both before and after we leave the European Union.
Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.
Almost every noble Lord spoke in one way or another about protecting children online, particularly the noble Baroness, Lady Kidron, and the right reverend Prelate the Bishop of Chelmsford, who referred to the Select Committee on Communications report Growing Up with the Internet. The focus of that report was on addressing concerns about the risk to children from the internet. The Government believe that Britain should be the safest place in the world to go online and we are determined to make that a reality. I am happy to confirm that the Government will publish an internet safety strategy Green Paper imminently. This will be an important step forward in tackling this crucial issue. Among other things, the Green Paper will set out plans for an online code of practice that we want to see all social media companies sign up to, and a plan to ensure that every child is taught the skills they need to be safe online.
The other point that was brought up widely, including by the noble Lord, Lord Kennedy, was whether it was appropriate for 13 year-olds to be able to hand over their personal data to social media companies without parental consent. We heard alternative perspectives from my noble friend Lord Arbuthnot and the noble Baroness, Lady Lane-Fox. Addressing the same clause, the right reverend Prelate the Bishop of Chelmsford questioned the extent to which the Government had consulted on this important issue. The noble Baroness, Lady Howe, and the noble Lord, Lord Kennedy, made a similar point. In answer to their specific questions, 170 organisations and numerous individuals responded to the Government’s call for views, published in April, which addressed this issue directly. The Government’s position reflects the responses received. Importantly, it recognises the fundamental role that the internet already plays in the lives of teenagers. While we need to educate children on the risks and to work with internet companies to keep them safe, online platforms and communities provide children and young people with an enormous educational and social resource, as the noble Baroness, Lady Lane-Fox, pointed out. It is not an easy balance to strike, but I am convinced that, in selecting 13, the Government has made the right choice and one fully compatible with the UN Convention on the Rights of the Child, to which the noble Lord, Lord Stevenson, referred.
The noble Baronesses, Lady Jay and Lady Hamwee, stressed the importance of adequate understanding of digital issues, particularly among children. Improving digital skills is a priority of the Government’s digital strategy, published earlier this year. As noble Lords will be aware, the Digital Economy Act created a new statutory entitlement to digitals skills training, which is certainly an important piece of the puzzle. As I have already said, the Government will publish a comprehensive Green Paper on internet safety imminently which will explore further how to develop children’s digital literacy and provide support for parents and carers.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.
The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Patel, noted that the Bill is not going to be used to place the National Data Guardian for Health and Social Care on a statutory footing. I assure them that the Government are committed to giving the National Data Guardian statutory force. A Bill to this end was introduced in the House of Commons on 5 September by my honourable friend Peter Bone MP, and the Government look forward to working with him and parliamentary colleagues over the coming months.
My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.
The noble Viscount, Lord Colville, queried the role of the Information Commissioner in relation to special purposes processing, including in relation to journalism. In keeping with the approach taken in the 1998 Act, the Bill provides for broad exemptions when data is being processed for journalism, where the controller reasonably believes that publication is in the public interest. I reassure noble Lords that the Information Commissioner’s powers, as set out in Clause 164, are tightly focused on compliance with these requirements and not on media conduct more generally. There is a right of appeal to ensure that the commissioner’s determination can be challenged. This is an established process which the Bill simply builds upon.
The noble Lord, Lord Black, questioned the power given to the Information Commissioner to assist a party or prospective party in special purposes proceedings. In this sense, “special purposes” refers to journalistic, literary, artistic or academic purposes. The clause in question, Clause 165, replicates the existing provision in Section 53 of the 1998 Act. It simply reflects the potential public importance of a misuse of the otherwise vital exemptions granted to those processing personal data for special purposes. In practice, I am not aware of the commissioner having provided such assistance but the safeguard is rightly there.
The noble Lord, Lord Janvrin, spoke eloquently about the potential impact of the Bill on museums and archives. The Government agree about the importance of this public function. It is important to note that the Data Protection Act 1998 made no express provision relating to the processing of personal data for archiving purposes. In contrast, the Bill recognises that archives may need to process sensitive personal data, and there is a specific condition to allow for this. The Bill also provides archives with specific exemptions from certain rights of data subjects, such as rights to access and rectify data, where this would prevent them fulfilling their purposes.
The noble Lord, Lord Knight, queried the safeguards in place to prevent the mining of corporate databases for other, perhaps quite distinct, purposes, and the noble Lord, Lord Mitchell, made a similar point. I can reassure them that any use of personal data must comply with the relevant legal requirements. This would include compliance with the necessary data protection principles, including purpose limitation. These principles will be backed by tough new rules on transparency and consent that will ensure that once personal data is obtained for one purpose it cannot generally be used for other purposes without the data subject’s consent.
My noble friend Lord Marlesford raised the desirability of a central system of unique identifying numbers. The Bill will ensure that personal data is collected only for a specific purpose, that it is processed only where there is a legal basis for so doing and that it is always used proportionately. It is not clear to me that setting out to identify everybody in the same way in every context, with all records held centrally, is compatible with these principles. Rather, this Government believe that identity policy is context-specific, that people should be asked to provide only what is necessary, and that only those with a specific need to access data should be able to do so. The Bill is consistent with that vision.
I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.
Data Protection Bill [HL]
Monday 30th October 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-I(Rev)(a) Amendment for Committee, supplementary to the revised marshalled list (PDF, 58KB) - (30 Oct 2017)
“( ) Section (Right to protection of personal data) makes provision for a general right to the protection of personal data.”
Lord Stevenson of Balmacara (Lab)
My Lords, in moving Amendment 1 in my name I shall speak also to Amendment 4A, which I hope the Government will agree is consequential. We now commence seven days in Committee on the Bill in your Lordships’ House with a simple amendment. It sets out a principle that we think is important enough to ensure that it is at the heart of the Bill. As in all Committee debates, Her Majesty’s loyal Opposition hope to engage the Government on issues of both principle and detail, and thereby improve the Bill by the time it leaves this House. As witness to our willingness to work with the Government, we have been reading the rather florid statements that the Government put out over the weekend and have tabled an amended version of our Amendment 4 in manuscript, which I gather significantly reduces the gap between us and the Government on a number of key points. But we will not resile from ensuring that the principles which underpin this Bill are securely in place.
As we made clear at Second Reading, we broadly support the Bill but we cannot ignore the fact that if the European Union (Withdrawal) Bill receives Royal Assent as it currently stands, it will remove rights which the people of this country currently enjoy, care deeply about, and are essential to UK business going forward. We think that the status quo has worked well for the UK up until now, so if it is not broken, why change it? I hope that the noble Lord has a convincing argument to make on this point when he comes to respond.
Much has already been said in your Lordships’ House about how complicated this Bill is. It has to deal with a fast-growing and crucial part of our economy and the pace of technological change will create services that we cannot even imagine today. Legislating for this is complicated, but getting the principles right is the key here. It gets even more complicated. The Bill deals with the situation that will obtain after the general data protection regulation is implemented across Europe on 25 May 2018. It provides for the period from that date until such time as the UK leaves the EU and it covers the period after that when what is called the “applied GDPR” will become the law of the land. It has been remarked on that all this is happening without Parliament actually scrutinising the basic text. I suggest again that principles are the key.
One of the key principles which underpinned earlier data protection legislation is Article 8 of the EU Charter of Fundamental Rights. It is indeed the basis of much of what is in the GDPR and applies to the whole of the EU, but when we try to find references in the Bill to the right to privacy and to the protection of personal data which Article 8 guarantees, they are not mentioned explicitly. We believe that the Government approach is wrong for three reasons. These principles matter and have been the subject of recent decisions in the courts, not least the one mounted by the Secretary of State for Exiting the European Union when he was David Davis MP, along with Tom Watson MP. Secondly, the removal of the right to protection of personal data risks weakening, or being perceived as weakening, UK data protection post Brexit. That may have significant consequences for UK data processing businesses, a point that I want to come back to.
The third reason is a broader point, one that the Government do not seem or perhaps do not want to get: rights and specific law act together to make a whole that is greater than the sum of the parts. If we were continuing in our membership of the EU, the fact that the Bill does not explicitly cover our rights to privacy and protection of our personal data might not matter because the EU Charter of Fundamental Rights would continue to be in force and individual data subjects such as Mr Davis and Mr Watson could rely on it if required. But while the EU withdrawal Bill currently in another place contains thousands of provisions that will be converted into our law, only one provision has been singled out for extinction—the EU Charter of Fundamental Rights. This omission from the Data Protection Bill really does matter because as well as underpinning personal rights to privacy, the wording of Article 8 will in effect be right across the rest of Europe and underpinning the legal framework permitting the free flow of data across European borders. It is the removal of the references to Article 8 that will provide a significant and totally unnecessary risk when the time comes for the EU to assess whether our regime is essentially equivalent to the rest of the EU, because that will be the test.
It is common ground among all the parties that it is essential that immediately after Brexit, the Government should obtain an adequacy agreement from the Commission so that UK businesses can continue to exchange personal data with EU countries and vice versa. If we are unable to reach such an agreement with the EU, there will be no legal basis for the lawful operation of countless British businesses and there will also be a significant question of whether EU companies will be able to trade with us if we do not enjoy the Article 8 protections that they will have. That, in fact, is double jeopardy. The Government seem to have forgotten that the frictionless transfer of data is critical to the functioning of our economy. Roughly 70% of the UK’s trade and services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens regularly share their lives online. To operate, UK businesses require clarity on the legal basis for data transfer post Brexit, but so do EU companies.
The rights outlined in our Amendment 4A are at the cutting edge of global data protection law and are essential for our tech industry in the UK. Indeed, the wording of the amendment was suggested to us by techUK, which is the industry voice of the UK tech sector, representing more than 950 companies, which collectively employ more than 800,000 people. That is about half of the tech jobs in the United Kingdom. If compliance with the Charter of Fundamental Rights is required to secure regulatory harmony and thus business confidence, the Government’s commitment to jettison these references in the charter appears rather odd.
Finally, concerns have been raised as to whether the amendment, even as redrafted, cuts across the GDPR. This is not the intention. The amendment does not undermine the role of the GDPR or the derogations to the GDPR set out elsewhere in the Data Protection Bill, which we support.
We will listen very carefully to the debate. I make it clear that we hope the Government will agree that the principles we outline in these amendments are important and will offer to work with us to make sure the Bill is amended on Report to achieve the objectives I have outlined. I beg to move.
Baroness Ludford (LD)
My Lords, I am also pleased, as co-signatory, to support the amendment, the purpose of which is to retain in domestic law wording from the European Charter of Fundamental Rights concerning data protection. This is for the benefit of British citizens and to help ensure that vital data flows for business and law enforcement can continue if we Brexit.
The specific article in the EU charter, Article 8 on data protection, is stronger in this respect than the older non-EU European Convention on Human Rights, which deals with privacy only under the rubric of protection of family and personal life. The Government plan that the charter should cease to be part of UK domestic law after Brexit in Clause 5(4) of the European Union (Withdrawal) Bill. This broader issue will be considered as part of the scrutiny of that Bill, and there is a cross-party amendment tabled in the House of Commons and led by Dominic Grieve MP to remove that clause such that the charter continues to apply domestically in the interpretation of retained EU law. Liberal Democrats strongly support that amendment, but it seems appropriate not to wait for or depend on the success of that broader effort and at least effectively to embed the thrust of the charter as it concerns data protection in this Bill, which largely concerns EU law.
This is extremely important because if we Brexit, the UK will seek from the European Commission an adequacy decision on UK data protection so that transfers between the UK and the EU can continue smoothly—an objective the Prime Minister has singled out for mention. If we leave, EU states may no longer be able to share data with us unless our legal regime on matters including state surveillance powers aligns with EU requirements. The adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the UK. The embedding of the charter’s data protection right in this Bill would be an important safeguard for business continuity—especially for tech companies, which depend crucially on the free flow of data—as well as ensuring that essential cross-border police and intelligence co-operation is not disrupted.
I, my noble friends Lord McNally and Lord Paddick, and other noble Lords raised at Second Reading the need for measures to protect us from threats, not to undermine our civil liberties. We are used to the European Court of Human Rights ruling on privacy issues, several times finding the UK in breach of the convention, but more recently in the digital age it is the European Court of Justice—the EU court—that has come into play as EU law on protection of electronic communications and the provisions of the Charter of Fundamental Rights has begun to bite. The Snowden revelations brought heightened sensitivity about the extent of the legitimacy of the activities of our intelligence services.
The EU data retention directive—the EU law on mandatory mass data retention—was pushed through Brussels in 2005 when the UK had the presidency of the EU by the then UK Home Secretary in an expert piece of lobbying after the London bombings of that year. In a landmark 2014 judgment, the court struck it down as incompatible with the right to respect for private life and data protection under Articles 7 and 8 of the charter. Then, as mentioned by the noble Lord, Lord Stevenson, the judgment on DRIPA last December—technically, the Tele2/Watson case, although initially also involving the then Back-Bench David Davis MP—continued in the same vein, declaring that mass data retention was “disproportionate” to citizens’ rights to privacy. Its implications for the Investigatory Powers Act and the question of whether bulk collection of communications data could be permitted to infringe privacy on the grounds of pursuit of serious crime or threats to national security may be ascertained by the reference to the European court made by the Investigatory Powers Tribunal in September. Certainly, the wide range of powers in the Investigatory Powers Act might look vulnerable to being found in conflict with EU law. The Independent Reviewer of Terrorism Legislation, Max Hill, suggested that it was unclear whether the ruling in the Watson case on safeguards for data retention regimes could be interpreted as applicable to national security.
It is true that while in the EU the national security exemption from EU competence applies but, as was brought out at Second Reading, if we were outside the EU the arrangements for our intelligence agencies would go into the whole mix that is assessed for compliance with EU standards. The court’s decision in July, rejecting the legality of the EU agreement with Canada on the transfer of passenger name record details, provides a salutary lesson in how the court approaches third-country transfers. It struck down the agreement because several of its provisions were incompatible with EU fundamental rights. It is therefore crucial that we embed the wording of Article 8 of the charter.
The Labour Opposition have tabled an amended version of Amendment 4, namely Amendment 4A. This is an interesting variation and I look forward to learning a bit more as we progress about exactly how the new wording would work. As I understand it, the safeguards in subsection (1) of the proposed new clause and the first part of subsection (2), which are replicated from Amendment 4, would and should still govern the,
“provisions, exceptions and derogations of this Act”,
otherwise, the point of writing in safeguards is undermined.
I wonder about the reference to,
“purposes as set out in the GDPR”,
since the GDPR is concerned only with the processes for data manipulated in accordance with purposes set down in other instruments. I am slightly unclear about that.
I believe that there has been concern about a conflict with press freedom. Of course we are suffering here from the fact that we have only a partial bite from the charter, which contains a firm provision on freedom of expression and information as well as on the right to security. When we succeed in retaining the whole charter in domestic law via the EU withdrawal Bill, the whole balancing exercise will become more apparent than with this snapshot. In the meantime, we have to proceed with entrenching this partial aspect of the charter as concerns data protection.
Lord Pannick (CB)
My Lords, the problem with Amendment 4 is that it would not incorporate the charter provision relating to personal data. The reason for that is that it addresses the prima facie right to the protection of personal data, but not the limitations and exceptions recognised by the European charter itself. Article 8, like all the other rights in the European charter, is subject to the limitations stated in Article 52. That says that there can be limitations on protected rights if they are provided for by law, are necessary and meet,
“objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.
It is because there has to be a balance between this prima facie right and exceptions and limitations that the Bill contains a very large number of exemptions which cover a whole range of circumstances in which the rights of the data subject have to give way to other considerations, such as national security, the detection of crime, taxation, judicial appointments or confidential references for employment. There are many such exemptions.
The Bill contains exemptions because there are other interests in this area, and other rights, which conflict with the right to protection of personal data, and a fair balance is required. The Committee will want to debate the scope of those exceptions and limitations and be satisfied that the balance has been struck correctly. But Amendment 4 suggests that there is some absolute right to the protection of personal data. That is simply wrong. That is why, I imagine, the noble Lord, Lord Stevenson, has tabled manuscript Amendment 4A, which attempts to address the defect in Amendment 4.
I would have wished for more time to consider Amendment 4A, which I understand was tabled only this morning, particularly if the noble Lord, Lord Stevenson, intends to divide the Committee today. I am concerned that Amendment 4A poses two difficulties of its own. First, the value of including Amendment 4A is not clear to me. The Bill already sets out in considerable detail the domestic implementation of the charter obligation; that is, Article 8 read with Article 52. I fear that including Amendment 4A in the Bill would be likely to cause legal confusion and uncertainty in an area where precision and clarity are essential—and, indeed, are provided by the substance of the detailed provisions in the Bill.
Secondly, I fear that the purpose of Amendment 4A is to confer some special, elevated legal status on Article 8 rights concerning personal data for the future, as subsection (4) suggests. I think that would be very unwise because, as I have said, Article 8 rights often conflict with other rights—whether it is freedom of expression, which we heard about, or the right to property—or other interests. The detailed provisions of the Bill illustrate the difficult choices that have to be made in this area.
Amendment 4A seeks to give a special legal status to one charter right in isolation and that is simply inappropriate. For those reasons, I hope that the noble Lord, Lord Stevenson, will not divide the Committee on Amendment 4A. If he does, I will vote against it.
Lord Faulks (Con)
My Lords, this is a complex Bill—necessarily so as it balances the need to access data and the need, in appropriate circumstances, to protect data from access, as the noble Lord, Lord Pannick, said. Most of the amendments in the Marshalled List seem to me to be about fine-tuning the provisions to alter the balance a little, one way or another. However, Amendment 4A—charmingly introduced as it was by the noble Lord, Lord Stevenson—seems to be in a different category. It seeks to incorporate the provisions of the Charter of Fundamental Rights into the Bill by including the wording of Article 8.
I do not claim particular expertise in data protection, except to say that every business and every professional is or should be aware of their obligations in this area. I do, however, have considerable experience of the interaction of detailed legislative provisions and rights instruments. My experience stems from legal practice and as a former Minister in the Ministry of Justice. A particular focus of my attention was the European Convention on Human Rights and, to a lesser extent, the charter.
There is always a difficulty in marrying up detailed legislative provisions and broad-based charters or conventions, which are inevitably framed in generalisations. I have always thought that a combination of our Parliament and our courts should be capable of protecting citizens’ rights. However, to help in that pursuit we have the Human Rights Act, which incorporates the European convention into our law and gives the Strasbourg court a significant role.
Lord Lester of Herne Hill (LD)
My Lords, one of my many character defects is party loyalty. That has led me in the past even to vote against my own amendment, which I will never do again. Today, I have the misfortune to disagree with my party. I will explain briefly why I cannot possibly support the original amendment, which is constitutionally illiterate, or the attempt to rescue it in the manuscript amendment.
The Minister has rightly put on the front page of the Bill his opinion that the Bill is compatible with the convention rights. Those rights include the right to free speech in Article 10 and the right to respect for privacy in Article 8. The Minister could certify in that way because the Bill rightly carries forward from the previous Act journalists’ rights—for example, to protect their sources—which you can find buried away in Schedule 2(5). The Minister was able to do that because we have the Human Rights Act, which requires him to do so, and the European convention, which strikes a balance between free speech and privacy.
I do not understand what on earth the charter has to do with that. As the noble Lord, Lord Faulks, rightly explained in the better part of his speech—the first part—the charter is there as a shield against the abuse of power by EU institutions. Maybe he did not say that, but he would like to have done, I am sure. It is not intended to be a source of rights in parallel with the European convention. The amendment in its original form, and its amended form, seeks to give legal force to one bit of the charter. It squints. It looks at Article 8 of the charter on privacy and data protection, but it does not look at the other bit of the charter that deals with free speech. Then, because it is obvious that the original version was constitutionally illiterate, the manuscript amendment seeks to repair that by saying that it is subject to the exceptions and derogations in the Bill. That is not good enough because it then seeks to give fundamental importance to the right of data protection, as though it were in the Human Rights Act and the European convention, and then it completely fails to explain how on earth any court is meant to reconcile the amendment, if it became law, or the amended amendment, if that became law, with what we already have in the European convention.
I agree with every word of my noble friend Lord Pannick’s speech, and I agree with the first part of the speech by the noble Lord, Lord Faulks. I am afraid I cannot possibly support this amendment. I very much hope that it will be a probe and nothing more at this stage. We are at the beginning of Committee stage. We need to think about some of these issues carefully. If we were now to divide the House and vote to incorporate either version, we would be doing an injustice to the arguments and intelligence of the House.
When I first joined the House, I remember Lord Alexander of Weedon saying to me, “Anthony, you must remember that the House of Lords is not a Court of Appeal; it is essentially a jury”. He was right about that. Most noble Lords, including me, will have understood only half of what was said in some of the original speeches. What is surely clear is that we would be failing in our duty today if we were to amend the very beginning of the Bill at this stage, rather than consider it properly and come back to it at Report.
Lord Arbuthnot of Edrom (Con)
My Lords, it is a daunting thing to have to follow such an enjoyable speech. I simply say that, as I read Amendment 4 alongside Amendment 4A, it appears that the original opposition amendment had the unintended consequence that it destroyed all the exemptions already contained in the Bill. So Amendment 4A must be an improvement, but I am unclear precisely what is the purpose of Amendment 4A, because it expressly adds the principle of its being subject to all the general provisions of the Bill, so it adds nothing. I hope that we will not be pressed to a Division.
Lord Goldsmith (Lab)
The amendment raises an important question of principle, and one which this House will have to consider further when we scrutinise the European Union (Withdrawal) Bill. One reason why the charter was brought into being was to give visibility to rights which existed elsewhere. As at least some noble Lords will know, I speak with some experience, having spent a number of months involved in the negotiation and conclusion of the European Charter of Fundamental Rights. It was a key aim behind the decision of the European Council at Tampere and Cologne to bring together a group of people to set out in the charter the rights which would affect them, largely in their relations with the EU institutions.
I emphasise the word “visibility”, because the point just made by the noble Lord, Lord Lester, about laypeople not understanding what lawyers say is all too familiar to those of us who are lawyers. It is a very good reason why we should attempt, when we are saying things which are important, to say them in a way which is clear and comprehensible. Both amendments—I shall come to the difference between them as I see it—start by saying that we all have the right to protection of personal data concerning ourselves. That is a very important principle, and one which is very reassuring, whatever the exceptions, derogations and limitations on it may be. That is what the charter sought to do: to make these things clear to everybody.
What are the objections to the amendments? The first is that they do not allow for the exceptions and reservations which apply. The noble Lord, Lord Pannick, referred to the provisions of the charter, which state that all of the rights in the charter, with almost no exception—although there are one or two—can be subject to exceptions and limitations. I agree with the noble Lord about that; that is the position taken in the charter, and rightly so. There is a balance between different rights of different people and of different rights between the citizen and the state.
That is what I understand that Amendment 4A is intended to correct, by making it clear that the general statement of principle, which I still believe is important, is none the less subject to certain exceptions and derogations set out in the Bill. The Bill in Clause 13 and the regulation-making power under Clause 14 provide for the ability to make exceptions, reservations and derogations. I sympathise with the noble Lord, Lord Pannick, when he says that he is not sure, in the time available, whether this will achieve the objective of turning something which he was concerned appeared to be too absolute into something which works. There are ways to deal with that and ensure that further time is available or—this is not for me to say—if my noble friend Lord Stevenson moves the amendment and it is passed, it can be corrected afterwards. But that is a point of timing, albeit an important detail. With respect, it appears to me that what matters is for us to give a clear statement that this principle of data protection applies to all of us.
It is then asked, “Well, what about other provisions in the charter?”. No doubt that is a debate that we will have when we come to the withdrawal Bill. Will those other provisions also be allowed to stand? That will be a matter for this House and the other place when the Government bring forward that Bill. However, there is a need for visibility and for reassurance to all that there will still be a principle of data protection that we will uphold. For that reason, while it is apparent from what I have said that my preference is for Amendment 4A as opposed to Amendment 4, I think that that amendment ought to receive the support of this House.
Lord Cormack (Con)
My Lords, I appeal to the noble Lord, Lord Stevenson, not to rush the House on this matter. The amendment is clearly deficient. This morning I was with the director of the Victoria and Albert Museum, Dr Tristram Hunt, who urged me, if I possibly could, to say something briefly this afternoon. He gave me a brief that I have not had a chance to master, but it is quite clear that all the directors of our great national museums and galleries have real misgivings about Amendment 4 and, from what I have heard, would have similar misgivings—or most of them—about Amendment 4A. There is no constitutional need for us to divide this afternoon. Shortly after I came into your Lordships’ House, I remember that the late Lord Jenkin of Roding said, “We don’t normally vote at Committee stage in our House. It’s better to air the arguments and then to come back to them on Report”. That was wise advice and the House should heed it today.
Lord McNally (LD)
My Lords, I suspect that this is going to be a shorter debate than perhaps was at first imagined, but I feel it is important that I add one or two words. When I was Minister at the Ministry of Justice, preceded by the noble Lord, Lord Faulks, I met a distinguished American lawyer. I said to him by way of introduction, as I regularly did, “Now, I’m not a lawyer”. He looked at me and said, “Then I’ll speak very, very slowly”.
I feel a bit like that after all the howitzers have been rolled out this afternoon—the noble Lords, Lord Faulks, Lord Lester and Lord Pannick, along with a more helpful contribution from the noble and learned Lord, Lord Goldsmith. I intervened because it would be very wrong, or very misleading, if Ministers were to take this mini-debate as an escape from a real problem. I was, although the post may have been slightly misnamed, Minister for Data Protection for three and a half years. Between 2010 and 2013 I had the job of going across to Brussels for negotiations on a lot of the issues that we are now discussing. What struck me there was how much influence we had in bringing together legislation that met the concerns mainly of western Europeans about a light-touch form of regulation and the concerns mainly of eastern Europeans who had fairly recent experience of how state abuse of power could be used against the citizen and the individual.
The point that I want to leave with Ministers is that, whatever fault our legal experts have found with the amendment, it underpins a real concern, which the noble and learned Lord, Lord Goldsmith, picked up: the layman, the ordinary citizen, wants to be assured that by the end of the Bill’s passage, on which we are only just starting, it will very much protect civil rights, civil liberties and individual freedoms. One of the great challenges we face is that this extraordinary change in the structure of our society, brought about by this fourth industrial revolution based on data, really calls into question a lot of the protections that we thought we had.
I hope the Minister will take and grab hold of what was said in introducing this Bill. We are attempting in these amendments, particularly in Amendment 4A, to meet a real and genuine concern of ordinary people who are perhaps not as clever as the noble Lords, Lord Pannick, Lord Lester, and others, but who have a concern about the abuse of power. There has been no sense of shame or regret. I understand and have been passionate all my life about the defence of the freedom of the press, but I wish that the press did not rush so quickly to scream, “They’re trying to curb the freedom of the press”, when all that the press has done since Leveson is try to sabotage any proper press regulation. I worry about saying, “Well, it will stop various parts of our society using this new data”, without seeing and recognising the huge amount of evidence already of massive abuses of data which impinge on our very democracy. I felt it worth saying, even if I had to listen to the lawyers, that the layman also has a voice in this, and we have a real duty to make sure that this legislation is up to the task presented by the new data world.
The Earl of Lytton (CB)
I realise that, in rising to speak on this particular part of the Bill, I depart slightly from the purpose of the noble Lord, Lord Stevenson—but I thank him for raising the issue all the same.
Of course, we are dealing with the overview of the Bill. The noble Lord, Lord McNally, almost wrote my introduction. What has worried me for some considerable time, notwithstanding the Bill’s provisions that provide for data subject to error correction, is the manifest inclusion of data in the data processing function, which is broadly drawn—namely, the inclusion of information that is knowingly false or recklessly included in that process, and which can affect the life chances of individuals. We know of significant and high-profile circumstances in which false information has been included and has either affected a significant class of people or has seriously damaged the life prospects of individuals.
Given that the collection of data is part of the processing function, it seems to me that very little is being said about responsibility for those sorts of errors—in other words, the things that one could or should have realised were incorrect or where there was a disregard for the norms of checking information before it got into data systems. We heard at Second Reading how difficult it is to excise that information from the system once it has got in there and been round the virtual world of information technology.
Could the noble Lord, Lord Stevenson, or the Minister in replying, say whether there is anything apart from the Bill—I do not see it there at the moment—that enables there to be some sort of sanction, for want of a better word, against knowingly or recklessly including data that is false and which affects the life chances and prospects of individuals because it is capable of being identified with them and can be highly damaging? That is something that we may need to look at further down the line. If I am speaking in error, I shall stand corrected.
Baroness Hamwee (LD)
My Lords, I say to my noble friend Lord McNally that it is even worse having people say to you, “You’re a lawyer, you must understand this”, when too often you do not.
I have a question for the Minister. Am I right in thinking that the Charter of Fundamental Rights will apply to all member states after Brexit? Is it not the objective that we are on all fours with them as other users of data and, therefore, if there is no provision such as the ones that we have been debating contained in the Bill, how will that affect the adequacy arrangements?
The Earl of Erroll (CB)
My Lords, I want to say a couple of words about privacy. A very important basic point has been raised here. I am not going to argue with lawyers about whether this is the right way in which to do it, but the right to privacy is something about which people feel very strongly—and you will also find that the Open Rights Group and other people will be very vociferous and worry about it, as should all of us here. When we go out and do things on the internet, people can form some interesting conclusions just by what we chance to browse on out of interest, if they can record that and find it out. I became very aware of this, because I have been chairing a steering group that has been producing, along with the British Standards Institution, a publicly available specification, PAS 1296, on age verification. It is designed to help business and regulators to comply with Section 3 of the Digital Economy Act, which we passed just the other day, which is about protecting children online. The point is to put age verification at the front of every website that could be a problem. We want it to be anonymous, because it is not illegal for an adult to visit sites like that; if it was recorded for certain people in certain jobs, it could destroy their careers, so it must be anonymous. So a question arises about trying to put in the specification a right to privacy.
One thing that we have to be very careful about is not to interpret laws or regulations or tread on the toes of other standards. Therefore, when this Bill and the GDPR are passed, we must make sure that people processing any of that material ensure that any data is kept completely secure, or anonymised, or is anonymous in the first place. Websites, first of all, should not know the identity of a temporary visitor when they get verified—there are ways of doing that—so that there are rights to privacy. The thing about the right to privacy is that it is a right that you, the individual, should have. The GDPR and this Bill are about how you process data; in other words, it is about what you do with the data when you have it. The legislation builds in lots of safeguards, but there is nothing that says, when you decide what data to keep or whatever it is, that people should have a right to know that it will not be revealed to the general world.
The question is where we should put it in. People used to think that Article 8 of the European Convention on Human Rights covered them, but I realised just now that it covers only your relationship with Governments. What about your relationship with other corporates, other individuals or ordinary websites? It should cover everybody. So there is an issue here that we should think about. How do we protect ourselves as individuals, and is this the right place to do it? I think that this is probably the only place where we can put something in—but I leave that to the very bright lawyers such as the noble Lord, Lord Pannick, to think about.
Lord Clement-Jones (LD)
My Lords, I remind the Committee that this is an intensely practical issue. We have managed to lure many of our learned noble Lords from their chambers today—so clearly it has been a fairly expensive afternoon. I am only a humble solicitor and I tend to focus on what is practical and necessary for those whom we advise. The fundamental basis of these amendments is the concern in many sectors—manufacturing, retail, health, information technology and financial services in particular—that the free flow of data between ourselves and the EU continues post Brexit with minimum disruption. With an increasingly digital economy, this is critical for international trade.
We have been briefed by techUK, TheCityUK, the ABI, our own Lords EU affairs sub-committee, and the UK Information Commissioner herself. They have persuasively argued that we need to ensure that our data protection legislation is ruled as adequate for the purposes of permitting cross-border data flow into and out of the EU post Brexit. The first question that arises is: will the Government, even before any transition period, start the process needed to obtain an adequacy decision from the EU before we arrive at the status of a third country for EU data adequacy purposes?
However, as the Committee has heard today, if an adequacy ruling is to be sought, a major obstacle has been erected by the Government themselves in the European Union (Withdrawal) Bill, which makes it clear that the European Charter of Fundamental Rights will not become part of UK law as part of the replication process. Many noble Lords have spoken of their fears about the interaction with Article 8 of the charter, yet this article, relating to the protection of personal data, underpins the GDPR. How will we secure adequacy without adhering to the charter? Will the Government separately state that they will adhere to Article 8? We are not trying today to confer “special status”, in the words of the noble Lord, Lord Faulks, on Article 8. The wording of the amendment reflects Article 8, but it is designed to create certainty, post Brexit, for the sectors of business which I mentioned earlier.
Let us not forget that the EU Select Committee heard from witnesses who highlighted the ongoing role of the European Court of Justice and the continued relevance of the Charter of Fundamental Rights in relation to adequacy decisions. The amendment is not frivolous: it is essential to underpin an adequacy decision by the EU post Brexit. Does the House really want to put that decision at risk? I am sure that it does not. Whether now or in the future, we need to pass this kind of amendment. I look forward to hearing what the Minister has to say, which will determine whether or not the House divides.
Lord Brown of Eaton-under-Heywood (CB)
My Lords, when I came into the Chamber, I had not the faintest intention of speaking in this debate. I do so, above all, for one reason: not because I am opposed to the amendment, although I am, very substantially, for the reasons given by the noble Lord, Lord Pannick. I do so because, in my experience, it is very unusual nowadays to vote at the outset of Committee stage on so fundamental a question as that raised by the amendment. It is surely yet more unusual—spectacularly so—to do so on a manuscript amendment filed this morning, which none of us has had sufficient time to deal with, on a very tricky area of the law, which so fundamentally alters the original amendment. As we have heard, that amendment was completely hopeless. The noble Lord, Lord Lester, described it as “constitutionally illiterate”. At least this one tries to introduce the concept of a balanced right which previously was missing.
It is true that I come from a different tradition where you do not vote on anything or decide anything unless you have heard the arguments. I rather gather that there may be a whipped vote on the other side, so the amendment is going to be voted on by noble Lords who have not heard the arguments of the noble Lords, Lord Pannick, Lord Faulks and Lord Lester, and who do not recognise the difficulties and the fundamental importance of this amendment. I seriously urge that it is not pressed to a Division today.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken, many of whom do not appear to support these amendments. I particularly thank the lawyers in the House, who have instructed us on the legal position. I feel slightly like the lay person who was talked about, which I am, I hasten to add.
On a political view, it is important to remember that only three weeks ago at Second Reading it was clear that the Bill was widely supported across the House. Many noble Lords highlighted areas where further scrutiny and perhaps improvement were desired, but the House was unanimous in the view that data protection laws needed updating, that the general data protection regulation standards were the right standards, and that we must do everything to maintain future free flows of data. We shared those conclusions because we understand the role and value of data in our digital world and how it is the basis of delivering education, social mobility and economic advantage. That is why it is so sad that in this first group of amendments, on the first of seven days of Committee, for a Lords starter Bill, the opposition parties have threatened to suspend the usual business arrangements whereby we can debate in Committee, meet subsequently outside the Chamber and often come to agreement before the Bill leaves our House—an arrangement which does not prevent votes when they are needed, but which has worked well in the past. I urge noble Lords not to put this at risk. The Data Protection Act has stood the test of time because it was not a partisan piece of legislation, and we must not allow this Bill to become one.
Many noble Lords have said that these amendments are made in good faith to ensure that the UK is given a data protection adequacy agreement by our largest trading partner. This is the right ultimate objective, but it is the wrong route to get there. Contrary to the charge of the noble Lord, Lord Stevenson, we have not forgotten the importance of a free flow of data. In fact, ensuring we maintain a free flow of data is our number one priority, and we want to achieve that from the moment of Brexit, not wait to become a third country and then start the application process for adequacy. I direct those remarks especially to the noble Lord, Lord Clement-Jones. That is why last year we committed to ensuring that the UK adopts GDPR standards. That is why in August we published our plans and ambitions for the free flow of data once we leave the EU. That is why we have presented this House with this Bill: a Bill which builds a comprehensive regulatory system for personal data that covers everything that could be scrutinised in future adequacy negotiations, including areas which are not currently subject to EU jurisdiction. That answers the question of the noble Baroness, Lady Hamwee, on adequacy and the point made by the noble Lord, Lord Clement-Jones.
In the past, 12 countries have negotiated adequacy agreements with the EU Commission, including Canada, Israel, New Zealand and the USA. None of these was forced by the EU Commission to put the charter into their law in order to obtain adequacy. It is not a requirement and it is peculiar to suggest that it will be. It is a myth that we need this amendment to secure a future agreement. Why is that? The GDPR itself, which will become part of our law, says in Recital 4:
“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data”.
Recital 173 says:
“This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data”.
The noble Lord, Lord Stevenson, was reported over the weekend to be claiming that the Government were scaremongering. We were not. We were deadly serious about the risks, so I am delighted that the noble Lord has now recognised that Amendment 4 needs further thought. What a pity, therefore, that he was unable to discuss it with the Government.
I listened to the noble Baroness, Lady Ludford, who addressed the original Amendment 4. The problem, which I think has been alluded to, is that subsection (3) of the proposed new clause creates an absolute unqualified right to data protection. As attractive as that sounds, it is fatal, for two reasons. First, data protection is not an absolute right, as many noble Lords have said, and the GDPR says it explicitly, too:
“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.
Secondly, both the GDPR and the Bill create a number of exemptions from data rights, which we will debate over the next few weeks. However, while we may disagree on some exemptions, I think that we all agree on the important ones. Terrorists must not be given unrestrained access to information held about them by the security services. Scientists must not usually be prevented from advancing research and furthering understanding. Therefore, the original Amendment 4 creates a risk at precisely the time we need reassurance.
However, Amendment 4A is a welcome improvement. We received this amendment just before noon today. Data protection is not the simplest area of our law, and at Second Reading many noble Lords commented on the complexity of the subject. It would be irresponsible of the Government to accept an amendment of this sort with just a few hours to consider it. What does it mean for future data flows and trade? How does it interlock with the rest of our legislation on information rights? What will the courts make of it?
At best, Amendment 4A is unnecessary or may not achieve what it seeks to achieve. Two particular problems with it were mentioned by the noble Lord, Lord Pannick. First, it has no value, and it only creates legal confusion. Secondly, subsection (4) of the proposed new clause is unwise. Rights often conflict; the Bill and the Human Rights Act manage those conflicts, while subsection (4) does not. At worst, as my noble friend Lord Faulks, outlined, it may have unintended consequences which nobody has been able to consider. Our initial analysis is similar to that given by the noble Lord, Lord Pannick, that Amendment 4A probably does very little. It does little other than summarise what the Bill does. The Bill protects personal data rights, and Amendment 4A reminds us of this. None the less, with so much at stake, we must give this amendment full and careful legal analysis.
The noble Lord, Lord Stevenson, has been placed in a difficult position. Labour is in a muddle over this. But that is exactly why we do not usually vote in Committee. This stage is for resolving muddles and for understanding the issues. It is not the stage for tabling amendments on the day and voting on them hours later, without even discussing it with the Government. I cannot see how this is a service to the House, which prides itself on careful reflection.
The noble Lord, Lord Stevenson, reminded us at Second Reading about the number of Bills that he and I have worked on together. He said that this was the sixth. I pay tribute to the careful, detailed—and sometimes even enjoyable—scrutiny he has given. We have had many useful meetings. Today is the first day in Committee and the first group of amendments on the Bill. We should continue with the positive spirit that we have built together, setting out our arguments and concerns. We can continue to meet outside the Chamber, and I and the Bill team are always happy to listen to and meet other interested noble Lords. On Report, we can reflect and, where we disagree, we can divide.
Therefore, I hope that noble Lords will see that now is not the time and these are not the amendments on which we should divide at this stage. They are unnecessary and they may be deficient. This Bill is essential for our social and economic future, and we risk wrecking it at the first hurdle. I therefore ask the noble Lord to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, I thank all those who have contributed to this debate—at some personal cost, I understand. There are points that we will certainly reflect on as we read Hansard.
I shall start with a slightly unusual point. I want to commiserate with the Minister for the unfortunate loss of his data just before he came into the Chamber this afternoon. His speaking notes and apparently much other data were stolen from him. That just shows the sorts of difficulties that one has with data, privacy and the issues that we have been talking about. I am surprised that he did not mention it, but he did not and I can only assume that things have worked out all right. However, if he wants help in drafting the personal victim statement, we will be very happy to meet him outside the Chamber on a number of occasions if that will be of assistance.
I do not have much luck with my drafting. I seem to recall being in this place only a few months ago and being coruscatingly attacked by a Cross-Bencher who thought that I had got a lower second with an amendment that I put forward to the higher education Bill. Mind you, I had quite a good result on that Bill. It was amended on the first day in Committee and that seemed to concentrate the minds of Ministers rather effectively. Therefore, I do not agree with those who have felt that this is a constitutional absurdity. In this House we have always reserved the right to vote “inappropriately” at any point, and Committee is one of those occasions. I am not saying whether we will do that today; I am just saying that it is not barred and it often has a purpose to serve.
However, the general tenor of the responses has been that we should not rush this. I was particularly pleased that the Minister suggested that we should meet outside the Chamber to discuss this issue, possibly reach agreement on it—those were his words—and perhaps come back on Report. I should remind him that Amendment 4 was tabled three weeks ago and no invitation to such a discussion reached my ears, so I am a bit surprised. The amendment was published and was available, and it could have been discussed. The fact that we are not going to move it today is slightly irrelevant but it raises all the issues that we are now engaging with. Indeed, at the meeting only last week, we did not really get on to the discussion about what we are about—we talked about other matters.
However, I do not want to fall out with the Minister because I enjoy working with him. Six Bills may seem a lifetime to many people but it has been a time enlivened by the ability to talk inside and outside the Chamber and to reach agreement. I hope that that is a genuinely meant proposal and, if it is, I will consider it very carefully.
My noble and learned friend Lord Goldsmith pointed out a really important issue. As I said in my speech—he picked it up and exemplified it—in order to achieve what the Government want to do, we need a combination of the rights that exist and the statutes that deliver the particularities of the issues concerned. I take on board all the points that have been made about drafting and the inability to do so, and I will reflect on those. However, if we have the right objective, which is to ensure that that balance is available to the people of the United Kingdom and that it will support our businesses in the future, surely we have a duty to make sure that it is delivered to a final conclusion and, if necessary, voted on.
In passing, I observe that it is interesting that the Minister had to resort to the recitals to the GDPR to be convincing about the fact that the GDPR has the effect of bringing the rights in the charter into the discussions about data processing. That is amusing because one very striking thing about the regulation, apart from the fact that we do not have it in front of us to discuss it, is that, in the form in which it will appear in law in the United Kingdom at the end of this process, the recitals will not be part of it. Therefore, his reliance on them is ironic to the point of being rather difficult to accept, but he made points of substance, so I think we will move over that.
Despite the rightful criticisms, there is a general feeling across the Committee that we need to do a bit more work on this. I think that we are on to something that is important enough to spend time on, and we are prepared to do that. We do not think that we are in a muddle on this—we think that there is an issue—but I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Monday 30th October 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-I(Rev)(a) Amendment for Committee, supplementary to the revised marshalled list (PDF, 58KB) - (30 Oct 2017)
Lord Patel
Lord Patel (CB)
My Lords, I shall speak also to my Amendments 14 and 111. Perhaps I may first thank the Minister and his team, who kindly agreed to see me and others to discuss what amendments I might have following my Second Reading speech. I am not sure that we resolved any issues, but I at least thank him for his courtesy and hope that, after today, we will resolve those issues.
I will speak first to Amendments 12 and 14. I beg the Committee’s indulgence for taking slightly more time than your Lordships might expect for a group of amendments, partly because I think this is the only time we are dealing with the major sector issues—the sector being the universities and other research institutions on which we are about to rely a lot for our economic growth; I will come to that. I am supported enthusiastically by the Wellcome Trust, the MRC, Cancer Research UK, the AMRC, the Sanger Institute, the Academy of Medical Sciences, the ESRC and many others. They are extremely anxious that what we do with the Bill does not in any way counter their ability to use data for productive research—and I do mean productive research. I declare an interest: I am a fellow of the Academy of Medical Sciences and of the Royal Society of Edinburgh, and I have a strong association with Dundee University. I cannot miss the opportunity to say that last week Dundee University was ranked number one globally for science innovation, beating every university in the United States. That is a fantastic achievement in science research. It beat all the so-called elite universities in England that we hear about, as well.
Clause 7 sets out a legal basis for processing personal data in the public interest. This reflects article 6(1)(e) of the GDPR. It is incredibly important to get the clause right as it will be the only legal gateway available for many research purposes. Why is this the case? Most research purposes rely on informed consent as a legal basis for processing. Consent is the basis of article 6(1)(a) of the GDPR. However, GDPR-compliant consent for the use of personal data is not always a feasible option as a legal basis. Consent is often important in the interests of fairness and transparency but will not be the appropriate legal basis for much research.
I will highlight two relevant sets of circumstances to illustrate why public interest is a necessary legal basis for many valuable research purposes. The first is where consent is not possible. There are a number of situations in which it is problematic to seek consent. Seeking consent may be impracticable where health data have been collected in the past and the time and expense seeking and approaching individuals for consent would be prohibitive. It may compromise effective population coverage; for example, requiring consent has been shown to have a negative impact on the quality of data for cancer registries. It may cause distress or harm in situations where patients may be inconvenienced or upset by being contacted for their consent to use their data for a research project, even if they do not subsequently object to the research going ahead; for example, contacting people about a study examining unexplained child deaths could cause serious distress. It may lead to bias because of self-selection bias among data subjects when asked a question. It may prevent studies large enough to produce meaningful results because the cost of seeking consent across a large number of people can be very high.
I will give one or two examples pertaining to the five issues that I have described. A study of more than 40,000 people demonstrated a highly significant association between the use of minor tranquillisers such as Diazepam and the risk of serious road traffic accidents. This was done through linking prescriptions issued by GPs and data on hospital admissions and deaths. By the way, this study had considerable implications for the safety of patients prescribed Diazepam, and their treatment, and of course also for other road users, but would not have been possible if data could not be processed on a consent basis. A study of the incidence of breast cancer in women was used to show that affluent women have a higher incidence than socially deprived women, but that socially deprived women had poorer survival statistics. This study used identifiable data without consent; it used hospital and GP records to look at a number of factors involved in cancer treatment.
Access to patient records also helps researchers to identify suitable participants to be invited to take part in studies. This is essential for evaluating new medicines, technologies and interventions for the prevention, diagnosis and treatment of disease. For example, in my own field, when the UK collaborative trial of ovarian cancer screening was set up to investigate different ovarian cancer screening methods, 1.2 million patients were invited to take part by post, leading to 200,000 women consenting to take part. It is a world-renowned study whose results have benefited the whole world. If consent were the only available legal basis, that recruitment strategy would not have been possible as these women had not given consent to the initial contact. Of the 1.2 million women contacted, only 32 women raised any concerns about being contacted.
These are just some of the many examples of vital research that, although very much in the public interest, cannot be done on the basis of consent. The research community has developed a system of robust and proportionate safeguards for these situations, to ensure that research on important topics can be undertaken using personal data where consent is not possible while protecting the research subjects. The use of personal data in these circumstances is controlled through safeguards. Studies using health data are reviewed by the Health Research Authority’s confidentiality advisory group; they must also receive a positive opinion from a research ethics committee to be eligible. The use of this data must be considered to be in the public interest, so we have safeguards.
In this country, we also have the benefit of a National Data Guardian for health and social care—a position I very much hope will be placed on a statutory footing through a Private Member’s Bill that is progressing through the other place. This guardian’s role is to protect patients’ rights and interests over data about them, within and beyond health and care services. The reason for this exposition into the governance of personal data in health research is to illustrate that the UK has a robust, well-established system of safeguards and oversight for processing personal data in the public interest when it comes to health and medical research.
I turn to the second issue: where consent cannot meet GDPR standards. Even with the most rigorous standards and through engagement with participants, consent may not meet the new, stricter standards specified by the GDPR as a basis for processing under article 6(a). The working party of EU data protection regulators—the article 29 working party—produced an opinion in 2011 on the definition of consent that ran to 38 pages. It is not a straightforward legal basis for researchers to use. Furthermore, data collected for research purposes often has significant value beyond the limited, original purpose of its collection. Research can proceed in unanticipated ways, with different teams using the data and processing it in such a way that the data subjects could not feasibly be informed at the outset of the full extent of how their data could be used, for what purposes or by whom.
My own unit started collecting data in 1958, before I even started as a junior doctor, and carried on collecting information manually for over 50 years. The consent we had from the pregnant women who had had babies was to us using the data to improve the services. Subsequently, 45 years later this was the only data available—in this country or worldwide—to prove that the intrauterine environment and the effect on that environment produces adult diseases. That is now well established. That information would never have been available if we did not have that data. We are proud that we have collected it.
Another example is UK Biobank. It relies on broad consent where the participants give consent for pseudonymised data to be used for a variety of research studies under certain conditions. This broad consent approach is approved by an ethics committee and reduces the burden on participants because they do not need to be contacted for consent for each new study. I have no doubt that my noble friend Lady Manningham-Buller will have something to say about this as she is the chairman of the Wellcome Trust, which is the holder of the data.
Baroness Manningham-Buller (CB)
My Lords, it is late and I have little to add to what my noble friend Lord Patel said. I declare an interest as chair of the Wellcome Trust, and I was also closely involved with Imperial until conflicts of interest preventing my going on. I have a lot of sympathy with those who spoke earlier on the issue of fundraising for universities. I speak tonight briefly about the concern I raised on Second Reading: the Bill as drafted just does not offer the clarity we need for people dealing with medical research in universities and other institutions, such as the Crick Institute.
The noble Lord, Lord Patel, amply illustrated the value of such research in understanding fundamental disease, the efficacy of treatment, and following on and learning from big datasets which give us the power to do things in medical research that were once not possible. We are not looking for medical researchers to be given particularly special treatment—there are quite a lot of exceptions here anyway—but to clarify what they are doing and how, so they can do it safely and with confidence.
I come back to where the noble Lord, Lord Patel, started. Researchers need to be able to do this work to improve global health—the health of everyone. Health does not stop at boundaries. Results are shared and we all learn from each other. We heard examples from the noble Lord. In a more parochial sense, this is a critical part of the industrial strategy we need to implement to deal with the economy post-Brexit. That document said that we have to streamline our legal and ethical approvals for medical research. This is one of the ways to get economic growth, so over and above the health aspects, there are strong economic reasons for being sure we can provide absolute clarity for people doing this sort of work. The consent issues are not straightforward but provided there are other safeguards—proper ethical committees and proper supervision—I think we can get there. However, we need to say a bit more in the Bill so that people are confident that they can do this.
Lord Stevenson of Balmacara (Lab)
I am conscious that we have had had a full and interesting introduction to this group of amendments from the noble Lord, Lord Patel, which builds on earlier discussions. It was difficult to get into this debate without having a little more than he was able to give us—and I do not want to push him too hard on this, but it would be helpful to hear a bit more about ethical committees.
As I understand it, the argument is a three-pronged one. An additional point was made about the need to think about the industrial strategy and not to hold back the research that will be influential in driving forward our brilliant life sciences. But the issue here is whether we could have a parallel system, changing the nature of the public interest test as described by the noble Lord, Lord Patel, and relying on an agency basis. We are calling that an ethics committee, which will basically take on the burden of determining what is appropriately done outside the narrow scope of the Bill as drafted. It would provide the measures of assurance that the Bill seeks, because it deals with a particular type of operation that would not fit naturally into the GDPR more generally. That is the main burden of the argument. I need a bit more information on how the noble Lord sees ethics committees more generally taking on that burden; perhaps he could share that with us.
Lord Clement-Jones (LD)
My Lords, that provokes me to add something. I am not entirely clear whether we are talking about something that is too narrow within the GDPR, or whether it is a lack of a suitably wide derogation on the part of the Government as part of the Bill. For all the reasons that the two noble Lords have mentioned, it seems extraordinary that the beneficial activities that they are discussing are not included as exemptions, whether explicitly or implicitly. It may be that the Minister can give us greater comfort on that, but I am not clear what is giving rise to the problems. As we heard in earlier groupings, I am a fan of having something more explicit, if anything, in the Bill, which is particular perhaps to medical research and other forms of research in that sort of area. But it is not clear whether that is going to be permissible under the GDPR or whether the Government can actually derogate from it in those circumstances.
Lord Patel
I shall respond to some of the points raised. First, on the research ethics committee, we established through legislation—and I remember the debates that we had—a national Research Ethics Committee to deal with all applications for biomedical research, but particularly research involving patient data and transfer of data. If I as a clinician want to do a trial, I have to apply to that committee with a full protocol as to what consent procedures and actual research there will be, and what will be the closing time of that consent. If I subsequently found the information that I had could lead to further research, or that the research that I had carried out had suddenly thrown up a next phase of research, I would have to go back to the committee and it would have to say, “Yes, that’s part of the original consent, which is satisfactory to progress with the further research”. It is a robust, nationally driven, independently chaired national ethics committee, apart from the local ethics committee that each trust will run. So the national ethics committee is the guardian.
Furthermore, there is a separate ethics committee for the 500,000 genomes project, run by the Wellcome Trust and other researchers; it is specifically for that project, for the consent issues that it obtains, the information given at the time when the subject gives the consent and how the data can be used in future. The genomes project aims to sequence all the 500,000 genomes, and to link that genome sequence data with the lifestyles that people had and diseases that they developed to identify the genes that we can subsequently use for future diagnosis and treatment—and to develop diagnostic tests that will provide early diagnosis of cancers, for instance. The future is in the diagnostic tests. Eventually we will find them for diseases which have not developed but which have a likelihood of developing. Those diagnostic tests will identify the early expression of a protein from a gene and then find a treatment to suppress that expression well before the diseases develop, rather than waiting until the cancer develops and then treating it.
All this is based on the data originally collected. At this stage, it is impossible to know where that research will lead—that is the history—apart from the clinical trials which are much more specific and you get consent for them. I realise that there is a limit to how much the text of the Bill can deviate from the GDPR, unless it is dealing with specific issues which the GDPR permits member states to provide derogations for. I realise that, post exit, the UK will need an adequacy agreement and some equivalent, neutral recognition of data protection regimes between the UK and the EU. We need that for the transfer of data. For instance, the noble Baroness, Lady Neville-Jones, has talked about extremely rare diseases, which require the exchange of data across many countries because their incidence is low and no one country could possibly have enough information on that group of patients.
The research exemption does not undermine agreement on Clause 7—which is what the noble Lord, Lord Clement-Jones, was leading up to when he asked about the ethics committee. The noble Baroness, Lady Neville-Rolfe, suggested that medical research should be possible through the research exemption, but that has to be wide enough yet not specific enough to encompass wider exemptions. I hope that the Minister will come up with that trick in an amendment which he might bring forward. It will not be restrictive, yet protect the patient’s personal interest.
There is a research exemption for processing specific categories of data, including health data. The legal basis for this is through article 9 of the GDPR, referred to in Part 1 of Schedule 1 to the Bill. However, all processing of personal data also needs an article 6 legal basis: research is not exempt from needing this. I am arguing today that research needs that exemption, defined in wide enough terms. For processing special categories, you need both an article 6 and an article 9 legal basis. We need to have provision for both in the Bill. One of the article 6 legal bases is consent and I have explained why this is not suitable for much research. The other feasible route for universities and other public bodies processing personal data for research is public interest. This is why it is so important to be clear on what processes can use this legal basis.
There was serious concern about the likely impact of the GDPR on research as it was being drafted. However, this was successfully resolved and it provides the necessary flexibility for the UK to create a data protection regime that is supportive of research in the public interest. The Government, and other UK organisations, worked hard to make sure that this was the case. The provision is there: it is now for the Government to act on it. It is also important to seek an adequacy agreement post Brexit: we will have to have one. It will be vital to consider the need to retain, post Brexit, cross-border transfers of data for research. I give the same example of rare diseases as the noble Baroness, Lady Neville-Jones, used. The Government have recognised the value of retaining a data protection regime consistent with the EU, but the research community would welcome knowing whether it will seek a status of adequacy as a third country or an equivalent agreement.
The plea I make is that unless we include a provision, and there are exemptions which can be written in the Bill in the format that is required, we will not be able to carry out much of the research. A question was asked about the life sciences industrial strategy. It is the key pillar of the Government’s industrial strategy Green Paper. It relies on data that the NHS collects and the data that the science community collects and marrying up the two to produce, and lead the world in, treatments and developing technologies. If we are not able to do this, the whole thing will be unworkable.
Lord Stevenson of Balmacara
I am very grateful to the noble Lord for a very full response. It was quite a narrow question. I did not need all of that response but I have learned a lot more in the last few minutes—
Lord Stevenson of Balmacara
It might have been. The noble Lord has exposed a much greater issue than we thought we were grappling with. The case has now been well made that there are four pillars rather than the three that I adumbrated before. We seem to have a case for special treatment. I am sure that the noble Lord, Lord Patel, with his assiduous workload and high work rate will have made this point several times to officials and Ministers. However, if he is not getting the answers he needs, we have a bit of a problem here, so I hope that the Minister will be able to help us on that.
This goes back to an earlier debate about the public interest. It again worries me—I think the noble Lord, Lord Clement-Jones, touched on this—that “public interest” is becoming an overworked term for rather too many issues. In other words, the argument here is not about the public interest at all; it is about the public good that would come from a differential approach, safeguarded by the ethics approach—I said that was new to me and I am grateful to hear about it—and about reinforcing the contribution that would make to an industrial strategy covering a much broader range of understanding about what we are doing, thus making this country a world centre for all that. So there is a power behind this that I had not appreciated and I am grateful to the noble Lord for explaining it. It is easy to analyse it in this way and come up with the answer that he might want, but is it the right way forward on this?
The noble Lord was wise to point out that there are constraints within the GDPR and limits on what the Government can do, but it must be possible to think more creatively about the problem that has come forward. If, as the noble Lord said, the GDPR opens up the question of not requiring consent in that very formal sense, and we are looking for an evidence-led policy initiative which addresses the public good, it behoves Ministers to think very carefully about how one might take it forward.
This may or may not be the only issue that requires this sort of approach, but the case has been made on its merits that more needs to be done. Listing existing bodies that are not included, to put it in the positive, in a list of issues—for example, the administration of justice is a function of the Houses of Parliament—is not the way into this issue. I appeal to the Minister to think creatively about this because it seems to me that we need a new approach here. I am very convinced by that and look forward to hearing what the Minister says.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, first, I thank the noble Lord, Lord Patel, for his insightful remarks and for providing us with evidence of his knowledge of this subject, and of the Bill’s potential implications for pioneering medical research. I am grateful to him for sharing his expertise on these issues. I am also grateful to the noble Baroness, Lady Manningham-Buller, who speaks on behalf of the Wellcome Trust. Other reputable medical research organisations and universities have also expressed concern about this issue. I understand about the issue of consent and whether it is GDPR-compliant.
On the concerns the noble Lord raised in relation to Clause 7, I mentioned at Second Reading, and on a previous group of amendments, that the list of tasks in Clause 7 is deliberately designed to be indicative and non-exhaustive. When I wrote to noble Lords after that debate, I committed to make this clearer in the Explanatory Notes and the Government will honour that commitment.
The noble Lord, Lord Stevenson, mentioned that we might have to have a new approach to this problem. We are happy to think about these issues. At the moment we find that it is difficult to expand Clause 7 to cover every scenario where personal data has been processed in the public interest. Each addition to the list, however justified on its own merits, would cast greater uncertainty on the public interest tasks that continue to be omitted. However, I can reassure universities and research groups carrying out legitimate medical research, that, in the Government’s view, such tasks are in the public interest for these purposes. I will come later to how we take this forward.
Lord Clement-Jones
My Lords, the Minister gave the impression that medical research of the type described by the noble Lord, Lord Patel, was encompassed, or allowable, by the GDPR. Can he give chapter and verse on where in the mixture of article 6 and article 9 that occurs? That would be extremely helpful. I understand that obviously the Minister was also agreeing to look further in case those articles did not cover the situation, but it would be good to know which articles he is referring to.
Lord Ashton of Hyde
I re-emphasise to the noble Lord that we think these tasks are in the public interest. However, I understand his desire for even more clarity than that. It would be sensible if I wrote to him and to other noble Lords taking part in the debate. I want to make sure that I get the legal basis right rather than just doing it on the hoof, so I agree to write to him and to all noble Lords who have spoken tonight. Again, as I say, we will work towards what I hope will be a more acceptable solution for everyone. Fundamentally, we do not want to impede medical research that is for the public good.
Baroness Manningham-Buller
May I correct an impression that medical research does not seek consent? It seeks consent whenever possible, and extensively. However, there are categories where something else is needed. I would not want to leave the House with the impression that there is a substitute for that. In some circumstances we need an additional safeguard.
Lord Ashton of Hyde
I believe also that even when consent is obtained, the worry is that it may not be subject to GDPR compliance, even if consent was acceptable before.
Lord Stevenson of Balmacara
I think we have already made the point and we do not need to come back to it. What I took from the noble Lord’s earlier contribution was that one way in which medical research is developed and carried out involves a consent process, and we would not want to change anything in that sense. However, for lots of reasons—the noble Lord gave three or four—you cannot always use consent. You may not want to go to the patient, or perhaps you cannot go to or find the patient. Alternatively, the noble Lord made the more general point that you often collect data without any real sense of where it might go in the future. We are not saying that any of that is good, bad or indifferent—one is no better than the other—but they all need to be considered in a broader understanding of the public good being best served by having the least restrictive system concomitant with appropriate procedures being in place. That is the line, with the ethics committee sitting at the top, that gets you to the point where that would be a fruitful conversation to have with Ministers.
Lord Patel
I must make the issue absolutely clear. If I did not do so before, I will set it out again slowly and carefully. Medical researchers are not asking to be allowed to do research without consent. They are asking for consent to be interpreted not in a narrow sense but in a sense that will allow research to continue with consent having been obtained. I shall give an example. When I chaired the UK Stem Cell Bank, we made it clear that consent would have to be obtained from those who donated stem cell material, including embryonic stem cells. Consent was given on the basis that the embryonic stem cells would be used for research to improve healthcare, but at that time it was not possible to say which healthcare.
Embryonic stem cells, properly kept, are immortal: they can survive for generations. There is a classic example of this. Most of your Lordships are familiar with the lady whose tissue was taken in 1950. Her name was Henrietta Lacks—hence the cells are called HeLa cells. These aggressive cervical cancer cells were taken from her in the United States without consent, but they still exist in every laboratory in the world. A billion dollars-worth of drugs have been developed and marketed using HeLa cells. If consent had been obtained, what would that consent have been for? Exactly the same applies to consent for stem cells—it is for the development of drugs.
Researchers are not saying that we should not have consent. They are saying that there ought to be an authority like the ethics committee that gives consent and to which you can go back and say, “By the way, I have that material and I have found more. I am still developing drugs but this is not the same”. I hope I have been clear about that. We are looking for exemptions that are wide enough.
Perhaps I may come back to the matters raised by the Minister and refer, first, to the public interest issues. I understand that the Government do not intend the functions listed in Clause 7 to be exhaustive and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. It would provide much needed clarity and assurance for the research community if that could be made explicit in the Bill. That, basically, is all we are saying on the public interest. There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and about what they can or cannot do with that data and for what purposes. If it is made clear what they can do or where they have to go to make it clear, that will be helpful. This is why the public interest legal basis matters so much for research. The Data Protection Bill is an opportunity to set out very clearly the legitimate basis for processing personal data, setting out a clear public interest function for research that will give researchers the confidence to know when they are operating within the law.
I will now make a comment about what the Minister said about the safeguards. My Amendment 111 is to Clause 18, which prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment of diseases. The range of law covering the use of personal data for research is complex, governed both by data protection law and common law, where duties of confidentiality toward the data subject exist. In my view, the implementation of GDPR through the Bill is an opportunity to provide clear information to researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards.
It is therefore essential that authoritative, comprehensive and unambiguous guidance is created to assist with this transition to a new data protection law. The Health Research Authority is working on guidance for health research, but researchers are urgently in need of this advice to ensure they are compliant by May 2018.
Those are my comments in response to the Minister. I am labouring these points today because this is the only opportunity I will have in Committee to debate these issues at length. I do not wish to rehearse this at Third Reading if we can resolve these issues by communication and find a way out.
Baroness Howe of Idlicote
Baroness Howe of Idlicote (CB)
My Lords, there are a series of amendments to Clause 8 that we are debating today. I hope your Lordships will allow me to give some background to set the context. Clause 8 sets the age at which children can first provide their personal data online in relation to information society services, without the permission of a parent or guardian. Given that the provision of such personal data is in exchange for online products or services, this age of consent is effectively the age at which companies can begin making money from young people online without a parent or guardian’s involvement. Article 8(1) of the GDPR states that the age of so-called digital consent should be 16, but allows member states to lower the age as long as it does not go below 13. The UK Government have set the age at 13, the minimum age possible in Clause 8.
Amendment 16 is a probing amendment to explore the evidence for whether the UK should be opting for 13. As was mentioned at Second Reading, there is concern that the Government have sleepwalked into this position without having provided much in the way of evidence for the decision to this House or the public. Such evidence is needed, not least because a recent YouGov survey for BCS, the Chartered Institute for IT, has suggested that the Government’s thinking is a long way from where public opinion sits. In the survey, the public were asked what the most appropriate age of consent for providing personal data online should be. The findings were rather stark. A mere 2% believed 13 was the most appropriate age. The vast majority, 81%, believed it should be set to either age 16 or 18, with non-parents tending to favour 16 and parents favouring 18. These findings indicate that, even if 13 is the most appropriate age, the Government have some way to go in convincing the public that this is the case.
There is little evidence provided by the Bill’s Explanatory Notes, which simply note that the age of 13,
“is in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.
Given that these are the very companies that stand to profit the most from children providing their personal data to them, it seems counterintuitive that they have effectively been allowed to set a de facto standard age of consent for them doing so. This was recognised in the Children’s Charities’ Coalition on Internet Safety’s open letter to the Information Commissioner’s Office earlier this year.
Lord Arbuthnot of Edrom (Con)
My Lords, I shall speak only to Amendment 188, and I do so because, as so often, I am confused. In Scotland, a person aged 12 is presumed to have capacity to exercise rights under the Data Protection Act 1998, and that position is perpetuated in the Bill. How does that mesh with the general data protection regulations, which provide that consent to process personal data is lawful below the age of 13 only if given by a parent? I think that is the position and that is why I have tabled my probing amendment. Perhaps my noble friend could explain why Scottish children are so much more mature than English children.
I was persuaded by the view expressed by the noble Baroness, Lady Lane-Fox, at Second Reading when she said that we do not want to bring in lots of new and different laws for 13 year-olds and we need to recognise the reality that children will wish to do what their peers are doing. We do not want to incentivise them to tell lies online. So I am perfectly happy with the Government’s position on the age of 13 and just a bit bewildered about Scotland.
Lord Stevenson of Balmacara
As a Scot I can hardly complain, and I am always bewildered, too—not only about this but about many other things. Our Amendment 17 in this group is also one of bewilderment. Clause 8 is headed:
“Child’s consent in relation to information society services”,
and refers to “preventive or counselling services” not being included. This goes back to an earlier amendment, when we established that these references are actually recitals and not part of the substantive GDPR, so we are back in what is not normative language and issues that we cannot possibly talk about in relation to the wider context because we are talking about the law that will apply.
There are three points that need to be made and I would be grateful if the noble Lord would either respond today or write to me about them. The first is to be clear that the reference to “information society services”, which is defined, has nothing in it that would suggest that it is a problem in relation to the lack of inclusion of preventive or counselling services. The answer is probably a straightforward yes. Secondly, what are the preventive or counselling services that we are talking about? I think the context is that these are meant to exclude any data processing relating to a data subject if the data subject concerned—with parental consent if the subject is younger than 13 and on their own if they are older than 13—who is taking a form of counselling that may be related to health or sexual issues would not be allowed to be included. Is my understanding of that right? I am sure that it is.
Thirdly, could we have a better definition of preventive or counselling services because those are very wide-ranging terms? Yes, they come from a recital and perhaps in that sense they can be tracked back to earlier discussions around the formation of the GDPR, but they have to be applied in this country to situations in real life. I am not sure what a preventive service is and I should like to have it explained. Counselling services I probably do get, but do they include face-to-face counselling or is this about only online counselling services? Is it the same if the child is being accompanied by a parent or guardian? There are other issues that come into this and there is a need for clarity on the point.
While I am on my feet I should like to respond to the amendment moved by the noble Baroness, Lady Howe, who has campaigned long and hard on these issues. We would be bereft if she did not enter into this Bill with all its implications for children, given the wisdom and experience that she brings to the table. The point she makes is one of simple clarity. There is a need to be very careful about the evidence gathering on this issue and it is probably not appropriate for it to be left to Ministers in regulations. There needs to be a wider discussion and debate on the matter, perhaps involving the Children’s Commissioner and other persons with expertise. She has made her point very well and I should like to support it.
Lord McNally (LD)
My Lords, I associate myself with the amendment in the name of the noble Baroness, Lady Howe. We are in Committee and it is a probing amendment. When we discussed it with colleagues the feeling was that 13 might be the right age but, as the noble Baroness indicated, it needs probing and some thinking about.
There is a danger, particularly in a House with our age group, that we assume these technologies are understood by the young—even the very young. We all hear anecdotes of parents or grandparents who have to consult their eight year-olds on how to make various gadgets work, but that misses the point. A frightening amount of information is being freely given. I mentioned at Second Reading that my generation and my parents’ generation had thoughts of personal privacy that my daughter and her contemporaries seem to have no thought of. They are very happy to exchange information about themselves, what they do and where they are with gay abandon.
When we get to the very young it is very important to make sure—we will discuss this in later amendments, if not tonight—that there is sufficient understanding and information to make informed choices, otherwise we get into very dangerous territory indeed. Therefore we are, not for the first time, in the noble Baroness’s debt for raising these questions. Late as it is, it is right that we put on record that these things, along with the amendments that will follow in the next couple of groupings, need to be taken as a whole before we make a final judgment as to the right age.
Lord Ashton of Hyde
My Lords, I echo the comments of the noble Lord, Lord McNally, to say we are grateful to the noble Baroness, Lady Howe. I acknowledge, particularly after her Second Reading speech, that she has not immediately demanded that the age be put back up to 16, which I thought she might. She has produced an interesting amendment.
Amendment 16 would give the Information Commissioner the power to determine the age threshold at which children can consent to their data being processed by online information services. This would be based on consultation and evidence. While it is certainly a preferable proposal to a blanket increase to 16, I am afraid I still cannot agree.
First, the Information Commissioner’s role as an independent regulatory authority is to administer and enforce the application of data protection legislation. As part of that role the Commissioner provides advice to businesses, organisations and individuals on the proper implementation of the legislation and on their rights under that legislation, and provides redress for breaches of individuals’ personal data. It also has an advisory function in relation to Parliament, the Government and other institutions. By contrast, the question of affixing the age below which parental consent is required has much broader-ranging considerations and implications, including an important moral dimension. Requiring the Information Commissioner to be the one to answer it would place on the officeholder an extra demand for which the office is neither designed nor resourced.
Secondly, the GDPR specifies that it is member states that should make this important decision. It does not give the power for states to delegate this choice to another regulatory body. Therefore, this amendment would make the Bill as a whole non-compliant with the GDPR. It is for those reasons that the Government consider that the question should be decided by this House and the other place rather than by a regulatory body. I realise that, in saying that, we leave ourselves open to further discussions on this matter.
Baroness Howe of Idlicote
My Lords, I am most grateful to the Minister for his explanation, even though he cannot agree with my amendment. I think quite a number of my colleagues are still not just confused as regards Scotland and England, but concerned about how this is going to be interpreted in real life. We have time to think about it before Report. In the meantime, I am not pleased but I will withdraw my amendment and hope that there may be opportunities between now and Report to get a little more clarity on this subject.
Data Protection Bill [HL]
Monday 6th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Baroness Kidron
“Child's consent in relation to information society services
In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—(a) references to “16 years” are to be read as references to “13 years” provided that the information society service meets the minimum standards of age-appropriate design as determined by the Commissioner, and (b) the reference to “information society services” does not include preventive or counselling services.”
Baroness Kidron (CB)
My Lords, I shall also speak to Amendments 19, 155, 156 and 157 and in so doing I thank the many noble Lords who have voiced their support, particularly the noble Baroness, Lady Harding of Winscombe, and the noble Lords, Lord Storey and Lord Stevenson of Balmacara, who have put their names to them. In Clause 8, the Government have chosen with nothing more than a tick of a box to treat a child of 13 as if they were an adult when in the digital environment, with the explanation that they are merely aligning legislation with the age used by popular sites. That cannot be right.
Children have special protections and privileges evident in our culture, embedded in our law and determined by our being signatory to the charter on the rights of the child. Collectively, the amendments affirm that a child is a child even online, a principle that is not sufficiently articulated in the Bill. I shall go to each amendment in turn.
Amendment 18 would make the consent of a child aged 13 to 16 lawful only when a service seeking that child’s consent meets,
“minimum standards of age-appropriate design”.
Amendment 19 would make consent given by a person with parental responsibility on behalf of a child under 13 lawful only when the service seeking the consent meets the,
“minimum standards of age-appropriate design”.
Passing these amendments would make it unlawful to seek a child’s consent or parental consent on a child’s behalf without providing a service that recognises the age of that child.
Amendment 155 would require the Information Commissioner to create guidance on age-appropriate design and take into account such matters as a child’s need for high privacy settings by default, not revealing their GPS location, using their data only to enable them to use a service as they wish and no more, and not automatically excluding them if they will not give up vast swathes of data however nicely you ask. If the commissioner so wished, it could also mean giving a child time off by not sending endless notifications during school hours or sleep hours and deactivating features designed to promote extended use; making commercially driven content, whether a vlogger or a direct marketing campaign, visible to and understood by a minor; and insisting on reporting processes with an end-point and a reasonable expectation of resolution. The amendment would require the commissioner to consult a wide group of stakeholders before coming to that decision and, crucially, sets out that she must also consult children, who are so often the first to adopt emerging technologies—early to spot the issues yet rarely asked to contribute meaningfully to how their needs might be met in the digital environment. Government has been widely criticised for not consulting children, so I wish to put on the record that where their views have been captured, children have consistently called for better privacy and data management, clearer guidance on content, transparent reporting strategies and greater visibility of how their data are shared and commoditised, calls which industry and government steadfastly choose to ignore. Amendments 156 and 157 would ensure that both Houses were able to scrutinise the guidance before it came into force.
The GDPR is the substantive law which the Bill supplements. While the GDPR acknowledges that children enjoy enhanced rights online, it says little about what this means in practice, and the majority of the provisions for children sit in the recitals, which, as we heard last week, are not binding. The limitations of Article 8 of the GDPR are pointed out by Professor Sonia Livingstone OBE, who writes that:
“article 8 of the GDPR is beginning to seem to me increasingly irrelevant. When kids tick the box the companies will then bear no responsibility to them by reason of their age”.
Meanwhile, John Carr OBE says:
“If you entice or allow 13 year-olds on your site, you must … treat them in a manner relevant to their age”.
Professor Livingstone and John Carr are arguably the most renowned experts in the field of childhood online. On this matter, they are joined by the NSPCC, Parent Zone, YoungMinds, the Anti-Bullying Alliance, the CHIS and the Children’s Commissioner—among many others—in supporting the amendments. The amendments provide clarity, allow our legislation to reflect our values, and are necessary to make industry respond to the needs of children.
Baroness Harding of Winscombe (Con)
My Lords, I should draw the attention of the House to my interests in various digital organisations as set out in the register. I put my name to the amendments tabled by the noble Baroness, Lady Kidron, with a heavy heart, if I am honest. I have spent the past eight years running an internet service provider and arguing that competition is the route to delivering better services for consumers, and a large part of me would really like to believe that the fierce competition that exists among social media companies and other web applications would drive to the right outcomes for our children and for parents looking to protect their children, but the sad truth is that that is not the case. I have worked for and with many very well-meaning and talented people who lead these businesses, but the truth is that some of the largest companies in the world are simply not putting in place the most basic protections for our children. It is clear that our children are not protected. What is more, children say that themselves. They love social media platforms, but in research conducted by the Children’s Society, 83% of children said that they think that social media companies should do more to protect them, and we know that if we ask parents we get very similar statistics.
It is also clear that we know what could be done. It is no good saying we should set minimum standards if we do not have a sense of what those basic minimum standards would be. As the noble Baroness, Lady Kidron, has just set out, the children’s charities, led mainly on this by the NSPCC and the Anti-Bullying Alliance, are very clear about what some very basic standards would look like: the strongest privacy settings being default on for anyone under 18; geolocation turned off as a default if you are under 18; regular prompts about your privacy settings targeted in language that under-18s will understand; age being a required field when signing up for a service; and clear, transparent reporting processes if a child reports abusive behaviour on that platform in children’s language.
These are not difficult things, and I hope they are not contentious, yet they are not being done. We owe it to our children to step back and ask why these basic things are not being done. People attempted to argue that this is because these are small start-ups scrambling in the rush to build a tech business, but I am afraid the basic things I have just listed are by and large not done by the largest businesses on the planet, providing services to the vast majority of our children.
The second reason people argue these things are not being done is that these are global businesses that will develop only one, global, product and they cannot—they are terribly sorry—adjust for our children’s needs when they are working on their global technology road map. That is just not a good enough argument. In every other form of regulation the world over, good regulation begins in one geographical area and then spreads. We should not allow these large companies to tell us that because they are global they cannot engage with us locally. Actually, they are all learning that that is not true.
I suspect that the real reason we are not getting change is a very practical one, which is that every technology company in the world has a contended development pipeline, by which I mean they have more things they want to do to improve their product for their customers than they have the resource or capability to deliver. I say this having been a chief executive of a tech company: you spend your life trying to prioritise the list of ideas and innovations, and the harsh reality is that protecting children is not coming high enough up that contended technology stack in any of these businesses. That is probably not surprising, because children themselves will be asking for other things as well, and it is exactly why you need to have regulation.
We accept absolutely, almost as an act of faith, that minimum health and safety standards are necessary in the physical world and that factories have to meet basic regulatory standards. The digital world is no different. We know what those basic standards should be now. I am sure they will change over time, but we know enough to set them. Our children’s mental health is every bit as important as people’s physical health as they grow up. This is something that we have to face.
I hope your Lordships will forgive me if I am getting the procedures of the House wrong, but my noble friend Lady Lane-Fox asked me to add her voice to this debate. Although she is currently in her place, she says:
“I cannot be in my place for the length of the debate today but I would like to add my voice to the amendment. There is a clear need for more to be done to protect children and to ensure that they can realise the multiple benefits of engaging with the internet while recognising that they are not yet experienced users.
I welcome the opportunity to design accessible and clear services that help children to navigate around safely. As others may already have raised, designing for children is not technically difficult—the BBC has been doing it well online for many years, but it is right to ensure more services are as careful and do not shirk their responsibilities. As I raised in Second Reading, I would very much hope that the ICO will be given the necessary resources to be able to handle Baroness Kidron’s sensible suggestions alongside the other sizeable new areas of activity that they are being given in this Bill”.
Switching back to my own voice, I join the noble Baroness in being convinced of the good that the digital world can do, but as with all technology, we need to mould it to meet our needs, not vice versa, and it is high time we set out the basic safety requirements our children need. That is what this set of amendments intends to do, which is why I support it.
Lord Storey (LD)
My Lords, as I have said on a number of occasions, my previous job for 40 years was a teacher, 20 of those as a head teacher. One of my prime responsibilities as a head teacher was the safeguarding of children in my school. That was the most important thing I did: to make sure they were safe, so that those primary-age children, aged from five to 11, and nursery as well, could enjoy their childhood and their parents could know that they were safe and enjoying their innocence.
The Government did a lot with their education policies about safeguarding. Anyone visiting the school had to be checked and double-checked and had to wear identification. Children who went out of school had to be escorted properly and correctly. As part of our personal and social health education, we made sure that young people themselves understood. Yet, when it comes to this area, we seem not to take the role as seriously as we should. I was reading the newspapers on the train from Liverpool this morning. I just could not believe the Times headline:
“Children as young as ten are sexting”.
The article says that,
“according to figures from the National Police Chiefs Council. In 2015-16, there were 4,681 cases”,
where children as young as 10 were either sending inappropriate messages or photographs to other pupils or receiving them. Imagine it was your daughter who at the age of seven or eight—and some of them are that young—was receiving inappropriate pictures from other pupils. How would you feel as a parent? Is that really protecting or safeguarding those children?
I do not want to speak at length in this debate; I think the noble Baronesses, Lady Kidron and Lady Harding, have said it all. It is not beyond our wit to do these simple things. I have seen for myself that self-regulation does not work. I hope that between now and Report the Government will put aside any feeling that, “We can’t do this because of the EU, because of our own lethargy, because of what we have said in the past or because it will create more regulation”. This is about children. Let us all agree that on Report we can agree these eminently sensible amendments.
Lord Knight of Weymouth (Lab)
My Lords, I support the amendments. I remind the House of my interests in relation to my work at TES, the digital education company.
The noble Baroness, Lady Kidron, and the others who have supported the amendment have given the Government a pretty neat way out of the problem that 13 as the age of consent for young people to sign up to “information society services”, as the Bill likes to call them, feels wrong. I have found that for many Members of your Lordships’ House, 16 feels like a safer and more appropriate age, for all the reasons that the noble Lord, Lord Storey, has just given in terms of defining when children are children. There is considerable discomfort about 13 in terms of where the Bill currently sits.
However, I think many noble Lords are realists and understand that to some extent the horse has bolted. Given the huge numbers of young people currently signing up to these services who are under 13, trying to pretend that we can find a way of forcing the age up to 16 from the accepted behavioural norm of 13 looks challenging. Yet we want to protect children. So the question is whether these amendments would provide that solution. That hinges on whether it is reasonable to ask the suppliers of information society services to verify age, and whether it is then reasonable to ask them to design in an age-appropriate fashion. From my experience, the answer to both is yes, it is. Currently, all you do is tick a box to self-verify that you are the age you are. If subsequently you want to have your data deleted, you may have to go through a whole rigmarole to prove that you are who you are and the age you say you are, but for some reason the service providers do not require the same standard of proof and efficacy at the point where you sign up to them. That is out of balance, and it is effectively our role to put it back into balance.
The Government themselves, through the Government Digital Service, have an exceedingly good age-verification service called, strangely, Verify. It does what it says on the tin, and it does it really well. I pay tribute to the GDS for Verify as a service that it allows third parties to use: it is not used solely by Government.
So age verification is undoubtedly available. Next, is it possible—this was explored in previous comments, so I will not go on about it—for age-appropriate design to be delivered? From our work at TES, I am familiar with how you personalise newsfeeds based on data, understanding and profiling of users. It is worth saying, incidentally, that those information society services providers will be able to work out what age their users are from the data that they start to share: they will be able to infer age extremely accurately. So there is no excuse of not knowing how old their users are. Any of us who use any social media services will know that the feeds we get are personalised, because they know who we are and they know enough about us. It is equally possible, alongside the content that is fed, to shift some aspects of design. It would be possible to filter content according to what is appropriate, or to give a slightly different homepage, landing page and subsequent pages, according to age appropriateness.
I put it to the Minister, who I know listens carefully, that this is an elegant solution to his problem, and I hope that he reflects, talks to his colleague the right honourable Matthew Hancock, who is also a reasonable Minister, and comes back with something very similar to the amendments on Report, assuming that they are not pressed at this stage.
Baroness Hollins (CB)
My noble friend made a very strong case. The internet was designed for adults, but I think I am right in saying that 25% of time spent online is spent by children. A child is a child, whether online or offline, and we cannot treat a 13 year-old as an adult. It is quite straightforward: the internet needs to be designed for safety. That means it must be age appropriate, and the technology companies need to do something about it. I support the amendments very strongly.
Lord Alton of Liverpool (CB)
My Lords, I, too, support my noble friend Lady Kidron. Last week, with her and my noble friend Lord Best, I was able to attend a briefing session with the right honourable Karen Bradley, the Secretary of State. I found that very helpful. We were looking at the Green Paper on internet safety published on 11 October. It is curious that we are here in Committee talking about some of the same issues when that significant consultation is being undertaken by the Government. I hope that when the noble Lord, Lord Ashton of Hyde, comes to reply to the debate, he will say something about how the Government intend to synchronise the discussion of and consultation on the Green Paper that is under way with the moving horse of legislation that is proceeding through your Lordships’ House.
During our discussions last week, my noble friend raised again the duty to protect. I agree with what the noble Lord, Lord Knight, just said about this providing an elegant way forward. I guess that many of us would want to turn the clock back if that were possible, but we recognise that it is not, and this may well be, therefore, a better way to proceed. It is certainly one to which the Government should be giving considerable attention.
While I am on my feet, perhaps I may remind the noble Lord, Lord Ashton, of the amendment that I moved with my noble and learned friend Lady Butler-Sloss during the debate in April on the digital legislation. I particularly draw his attention to col. 40 on 20 March and the remarks made by his right honourable friend the Minister of State for Digital in the other place on 26 April, when he described the question of prohibited material and definitions, which we had argued should be consistent across varying media platforms. They both said that this was unfinished business that would be returned to. I have studied the Green Paper but have not been able to find the solution to that unfinished business, and wonder whether it will be addressed as the legislation proceeds.
Perhaps I may also ask the Minister about the protection of minors. It has been stated again and again, by all noble Lords who have participated so far, including the noble Lord, Lord Storey, that the protection of children should be a paramount consideration at all times. The Minister may recall the case, which I raised with the Secretary of State and in your Lordships’ House, of some young people who had visited suicide sites. I was horrified to learn from the headmaster of a school in Lancashire, where I arrived to distribute prizes, that a child who had visited a suicide site had taken their own life only that morning. What further protections are being provided to require service providers, for whom self-regulation is clearly not enough, to do rather more about that question?
It has been said that parents do not have a chance in this situation; that is absolutely right. As my noble friend Lady Hollins said, young people spend a vast amount of time on the internet. Many parents do not understand how it works. It is therefore crucial that we do all we can to place pressure on the service providers. I remind the House of the advice that Aristotle gave parents. He said that only a bad parent would place their children in the hands of a foolish storyteller. I fear that many of us, maybe inadvertently and without knowing the full consequences of placing our children in the hands of the Twittersphere and the digital world, with all the information that pours into their minds on a massive scale, have placed them into bad hands. We need to do more to protect them. This is what my noble friend is trying to do and I commend her amendment to the House.
Baroness Jay of Paddington (Lab)
My Lords, I support the aim of these amendments, as do other noble Lords who have spoken. They were extraordinarily well introduced, given the scope of what they are intended to achieve. As I said at Second Reading, I do not have the same authority and technical background in the industry as many noble Lords who have taken part, particularly the noble Baroness, Lady Harding. However, I have a legitimate question for the noble Baroness. The Minister, who will have heard the general support around the House, will also be aware of this. However good the intentions of the amendments—and I support their aims—it is difficult to regulate in a world in which technical capacity is international. As the noble Baroness, Lady Harding, said, these matters are rather low on the agendas of the major, global corporations which are responsible for producing the technology, delivering the content and organising the platforms that children may be accessing, appropriately or not. It is legitimate to ask, as she did, whether what we say and how we regulate in this country can be a beacon. I think she said that this could be the beginning of a geographical spread of better regulation. It would be pointless to ignore the fact that we are dealing not with an internal issue of domestic regulation as we would be with terrestrial broadcasting, but with global corporations, most of them based on the west coast of the United States, which do not necessarily even agree with the aims of these amendments—which I very certainly do.
Baroness Howe of Idlicote (CB)
My Lords, the intention for a minimum level of design to help children and their parents, set out in Amendments 18, 19, and 155, is indeed laudable and provides an excellent opportunity for us to debate the role of the Information Commissioner. However, I am concerned that these amendments continue legal uncertainty in a number of ways. The revised Clause 8, introduced by Amendment 18, would uphold the age of 13 as the age of digital consent—but only when a website,
“meets the minimum standards of age-appropriate design as determined by the Commissioner”.
Similarly, Amendment 19 seeks to ensure that sites which children under 13 are likely to visit have a certain minimum design to help children and parents. Details for establishing those standards are in Amendments 155, 156 and 157.
My first concern is how a consumer—a child or parent—will know whether a website meets the minimum standards and therefore which age of consent applies. Secondly, what would happen were a site not to meet the minimum standards set by the Information Commissioner but still used 13 as the age for when a parent is no longer required to consent to the use of the child’s data?
The Earl of Erroll (CB)
My Lords, we have to face the reality that children are going online at a younger and younger age, so anything that facilitates that and makes it work more sensibly is essential. We need to think about the interface with the right of erasure in Clause 44 and the clauses just after it. I am not sure whether parental consent is still required for this when someone is under 16. There have been problems where children or younger people have put images and other material online which they want removed but are far too embarrassed to tell their parents about them. The problem is that data processors are not allowed to remove them without parental consent, so the children do not tell their parents, the images stay there and a lot of trouble is caused. That area should be looked at in relation to these clauses and Clause 44. I would love to leave it to someone else to sort this out who is better qualified to deal with the legal position.
Lord Puttnam (Lab)
My Lords, I support this amendment and apologise to the Minister and the House for not being present at Second Reading as I was overseas. However, my noble friend Lady Jay more than adequately set out some of my concerns around Part 5 of the Bill. However, this is also a very important amendment. In the debate initiated by the noble Baroness, Lady Lane-Fox, on 7 September, the noble Baroness, Lady Kidron, said:
“There is an awkward tension in having a technology that is able to help us to confront our societal needs … and a corporate culture that aggressively balks at … long-term societal responsibilities”.—[Official Report, 7/9/17; col. 2118.]
In the end, that is precisely what this comes down to. The noble Baroness, Lady Harding, made a very important point a little earlier. She referred to barriers to entry being used by corporations to not do the things that they should do, and at the time they should do them.
Today is the 20th anniversary of my entering your Lordships’ House and, if I had to count the number of times I have been told that barriers to entry are the reason for not doing something, we would all be here all day. I well remember the noble Lord, Lord Oxburgh, who is in his place, and I having a meeting with the then Ministers for Energy and being told that “barriers to entry” were one reason that the large energy companies could not do the things that we suggested they might do at the time. Therefore the idea that the Silicon Valley companies have not reached a sufficient size or sophistication to be able to carry out the de minimis changes to their platforms—the effect of the amendment which the noble Baroness, Lady Kidron, set out so beautifully—is a nonsense. Please can the noble Lord, Lord Ashton, beg Matt Hancock, the Minister, to put to one side any more arguments about unacceptable barriers to entry being raised by this and indeed other amendments on the same subject?
Lord Stevenson of Balmacara (Lab)
My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.
I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.
Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.
The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.
I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.
At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.
The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.
The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.
The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.
I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.
The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.
Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.
We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.
Lord Knight of Weymouth
I apologise to the Minister for interrupting. I am just interested in that confusion that he talks about. Perhaps I am incorrect, but I understand that images, for example, are data. There is a lot of concern about sexting and about platforms such as Snapchat and the sharing of data. Where is the confusion? Is it in the Government, or in the Chamber?
Lord Ashton of Hyde
I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.
Baroness Kidron
I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.
Lord Ashton of Hyde
There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.
We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.
It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.
First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.
Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.
Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.
Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.
Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.
I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.
Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.
In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.
There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.
Lord Alton of Liverpool
My Lords, the Minister has just referred to the round table. He will recall that I mentioned in my remarks the issue of definitions and suicide sites that were raised during that round table last week. Can he tell the House any more about that?
Lord Ashton of Hyde
I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.
Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.
I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.
First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.
Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.
Lord Stevenson of Balmacara
I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.
Lord Ashton of Hyde
I am happy to confirm those two points. On extraterritoriality, I agree with the noble Baroness that it is difficult to control. Commercial sites are easier—an example of which is gambling. We can control the payments, so if they are commercial and cannot pay people, they may well lose their attractiveness. Of course, the only way to solve this is through international agreement, and the Government are working on that. Part of my point is that, if you drive children away to sites located abroad, there is a risk in that. The big, well-known sites are by and large responsible. They may not do what we want, but they will work with the Government. That is the thrust of our argument. We are working with the well-known companies and, by and large, they act responsibly, even if they do not do exactly what we want. As I say, however, we are working on that. The noble Baroness is right to say that, if we drive children on to less responsible sites based in jurisdictions with less sensible and acceptable regimes, that is a problem.
Lord Knight of Weymouth
Could the Minister help me with any information he might have about when the GDPR was drawn up? It must have been envisaged when Article 8 was put together that some member states would go with something different—be it 13, 16, or whatever. The issue of foreign powers must have been thought about, as well as verifying age, parental consent, or the verification of parental identity to verify age. Article 8 just talks about having to have parental sign-off. These issues of verification and going off to foreign powers must have been thought about when the article was being put together in Europe. Does he have any advice on what they thought would be done about this problem?
Lord Ashton of Hyde
I cannot give the noble Lord chapter and verse on what the European bureaucrats were thinking when they produced the article, but age verification is not really the issue on this one, because it is extremely difficult to verify ages below 18 anyway. Although one can get a driving licence at 17, it is at the age of 18 when you can have a credit card. As I say, the issue here is not age verification—rather, it is about how, when we make things too onerous, that has the potential to drive people away on to other sites which take their responsibilities less seriously. That was the point I was trying to make.
Baroness Jay of Paddington
My Lords, the Minister was kind enough to respond to the point I sought to make about the extraterritorial nature of all this, which of course goes way beyond individual sites to corporate ownership, the issue that I am most concerned about. I am glad that the Government are having conversations with, or at least dealing with, what he describes as the most responsible players in this market. None the less, we are dealing with a global environment in which most countries, not just a few rogue countries, have a very different environment and understanding of the culture and nature of the regulation of broadcasting than we do in this country. We have had a very particular and sophisticated way of dealing with terrestrial broadcasting for several generations. The real problem lies in addressing how we can translate some of those values and regulatory formats into the global internet age.
Lord Ashton of Hyde
I take that point completely. So that I get it right, it would be best if I write to the noble Baroness about what we are doing. I am afraid that I cannot recall whether it is the G8, the G20 or whatever. Ownership is obviously a key point as well, so I will write to the noble Baroness on those points.
Baroness Kidron
I thank everyone who has contributed to this fantastically supportive debate with their very interesting comments. I am grateful to the Minister for saying that he is sure that we will return to this issue.
I am going to try to tackle a couple of points, but I do not have the organising skills with all my pieces of paper to pick up on what all noble Lords have said. I think there is a bit of a muddle in the Room about this approach, which is aimed deliberately at all data controllers. Those people who have for many years been designing with children in mind will have less far to go to meet the regulations than the people who have not been thinking about children at all. I am deliberately saying that it is a data question; I believe it to be one. This is not supposed to be in the gift of a few big companies; these amendments are supposed to deliver what children deserve and need in the digital environment. It is excellent that it is in a data environment, because it becomes a price of doing business. To the people who have misunderstood the point, we are saying that it will be unlawful to process data unless you provide these services—and, when that is the case, just watch the gold rush toward smart age verification. If children’s data is being processed unlawfully, we would expect there to be some sort of enforcement. I admit to the Minister that our amendment could perhaps do with a bit more work on enforcement and what that might look like.
Secondly, I want to make a point about resilience and education. I believe we are about to discuss education, which is an enormous component of online safety and resilience for children. But we must not make the mistake of thinking that children have to adapt to the needs of data controllers; it is data controllers who must meet the needs of children. That is what these amendments are about. I am absolutely committed to working with the Government, because all their public pronouncements on this subject are in that direction. We have to make it work, so that at least some of the work is done on the other side of the equation. I am unhappy about it being put in the context of getting a few big companies paying for some digital champions. In fact, I was very concerned that the Secretary of State chose to announce the internet safety strategy alongside Facebook, which has a programme it charges schools for that also teaches young people to be very good Facebook users. Before we get to that point, arm in arm with some of these people, we must first work out what our standards are. That is the role of this House. It may not be outsourced to Silicon Valley; that is not appropriate.
On data controllers raising the age, it is worth noting that nearly 3 billion people are online and one-third of them are under the age of 18. That is not a marginal group; that is a huge group. I find it hard to believe that data controllers will abandon that consumer group, just because we have asked them to behave a little better and be a little more moderate in the data they are taking. Again, regulatory compliance is a cost of doing business. Every business has it; this is just another example. I want to discuss this issue with the noble Baroness, Lady Howe, and write to her. She made some excellent points; some of them were perhaps on the misunderstanding of whether such compliance was for everybody or just some sites. I absolutely support her on the question of evidence and evidence-based legislation in this area; I do an immense amount of research work with children and academics. I agree with her, and will write to her in detail because her points were so specific.
Finally, I hope that the Minister, Matt Hancock, will forgive me for quoting him one more time. He said that the Bill’s purpose was to give,
“consumers confidence that Britain's data rules are fit for the digital age in which we live”.
I do not think that having millions of young kids in the United Kingdom treated as adults is a fit outcome for the digital age. I welcome the noble Lord’s clear sign that he is willing to talk to us. I will definitely be doing that. I hope he will also show me his legal opinion, as well as wanting to see mine. With that, I beg leave to withdraw the amendment.
Lord Storey
“Education for children of school age relating to the rights of data subjects
(1) Upon the passing of this Act, the Secretary of State must make arrangements for all children of school age to receive education relating to the rights of data subjects, appropriate to their age.(2) For the purposes of subsection (1) “the rights of data subjects” must include—(a) rights under this Act and other Acts and Regulations relating to data protection and privacy,(b) security of personal data, and(c) other matters related to the understanding and exercise of rights under this Act and other Acts and Regulations relating to data protection.”
Lord Storey
My Lords, the second pillar of protection of children and young people is education. In my view, that would be achieved through personal, social and health education. The noble Baroness, Lady Massey, has championed this issue for as long as I have been in the House of Lords.
One of the sad casualties of the last general election was the then Schools Minister, Edward Timpson, who was very keen that not only relationship and sex education would become a compulsory part of the curriculum, but PSHE would be part of the curriculum of all schools. Indeed, last year I asked an Oral Question on the subject. The then education Whip, now the Leader of the House, the noble Baroness, Lady Evans, said she thought it important that PSHE is taught in schools. Sadly, she missed two little words: in “all” schools and for “all” children. That has been the nagging issue. It is a question of not just having the subject, but ensuring it is taught in all schools, whether academies, free schools, independent schools or whatever, for the well-being of all our children.
On 24 October 2017 the Education Select Committee published the Government’s response to the joint report by the Education and Health Committees, Children and Young People’s Mental Health—the Role of Education. In response to the recommendation that,
“schools should include education on social media as part of PSHE, including educating children on how to assess and manage the risks of social media and providing them with the skills and ability to make wiser and more informed choices about their use of social media”,
the Government responded:
“All young people should have access to a curriculum that ensures they are prepared for adult life in modern Britain. Personal, Social, Health and Economic education … Relationships Education, and Relationships and Sex Education … help to provide pupils with the key knowledge and skills to ensure that they can keep themselves safe, develop healthy and positive relationships, maintain good mental health, build resilience and successfully navigate the changing world in which they are growing up”.
The Children and Social Work Act 2017 gives the Secretary of State the power to make PSHE or elements therein mandatory, subject to careful consideration. It has also given a duty to the Secretary of State to make relationships education in primary and relationships and sex education in secondary mandatory in all schools. The department will be conducting a thorough and wide-ranging engagement process on the scope and content of these subjects, considering school practice and quality of delivery to determine the content of the regulations and statutory guidance. Sadly, that consultation has slipped further behind the promised date originally given.
Lord Knight of Weymouth
My Lords, does the Minister agree with the noble Lord, Lord Storey, that PSHE would be the most appropriate way to educate young people about data rights? If so, I note that the Secretary of State, Justine Greening, has today announced that Ian Bauckham will lead the review on how relationship and sex education for the 21st century will be delivered. Can the Minister, who is clearly prepared to think about this appointment today, ask whether it is within his scope to think about how data rights education may be delivered as part of that review, and whether the review will draw on the work of the previous person who reviewed the delivery of PSHE, Sir Alasdair Macdonald, the last time Parliament thought that compulsory SRE was a good idea?
Baroness Kidron
I support the amendment. I was on the House of Lords Communications Committee, to which the noble Lord just referred. We recommended that digital literacy be given the same status as reading, writing and arithmetic. We set out an argument for a single cross-curricular framework of digital competencies—evidence-based, taught by trained teachers—in all schools whatever their legal status.
At Second Reading, several noble Lords referred to data as the new oil. I have been thinking about it since: I am not so certain. Oil may one day run out; data is infinite. What I think we can agree is that understanding how data is gathered, used and stored, and, most particularly, how it can be harnessed to manipulate both your behaviour and your digital identity, is a core competency for a 21st-century child. While I agree with the noble Lord that the best outcome would be a single, overarching literacy strategy, this amendment would go some small way towards that.
Lord Puttnam
My Lords, I add my voice to that of the noble Baroness, Lady Kidron. President Clinton memorably said that the first step in solving a problem is recognising there is one. If anyone does not believe there is one, we rehearsed some of it in the previous debate; I would also advise them to watch two very recent TED Talks by Zeynep Tufekci and Sam Harris. If, having seen these, they can convince themselves there is not a serious and urgent problem, then their judgment is very different from mine.
I will speak for a couple of moments on this because I regard it as a very significant issue. Karl Marx—who knew a thing or two—said that if you change the dominant mode of production that underpins a society, the social and political structure will change, too. I believe we have changed the fundamental mode of production that underpins society. It is now called digital. We have to address that and we are not addressing it anything like seriously enough. There are two issues I would like to raise, and if there is a note of frustration in my voice, I apologise.
In 2003, through very torturous processes in this House, we managed to persuade the then Labour Government to impose a duty on Ofcom—and I spend most of my life defending Ofcom—which was very clear; it was laid out by the noble Baroness, Lady Jay, at Second Reading. Ofcom was given the specific duty of promoting media literacy. The wording was that Ofcom was required,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”,
and,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
Fifteen years later, in respect of these duties, Ofcom has wholly failed. By taking a very narrow, technical view of its responsibility, it has done almost nothing to promote notions of digital literacy in the electronic media. If we are not careful, the same will happen in the digital world. The noble Baroness, Lady Lane-Fox, used a much better phrase than “digital literacy”. She used the phrase “digital understanding” in a recent debate in your Lordships’ House. That is really what this is about.
To emphasise something that the noble Baroness, Lady Kidron, said, this is all about data. Ten days ago in Los Angeles, Lachlan Murdoch—who I think also knows a thing or two about this business—said the following:
“We’re in the beginning of an incredible transformation … we’re in the first months of something that will have a multi-decade life and future. Businesses that have large data sets and robust data sets will be the companies that win in the future”.
Every company in Silicon Valley and every communications company in the world knows that. This is why this is such a fundamental issue.
To my delight and surprise, the Italians appear to have picked up on this. In the New York Times of 18 October there is a long piece about a new law that was passed on 31 October by the Italian parliament that entirely acknowledges that young people have to have a far greater understanding of the modes of information, the nature of information and the ramifications of information than is presently the case. Some 8,000 schools in Italy are now receiving instructions on how to get across to children the seriousness and importance of, first, the manner in which they give and use their data and, secondly, the means by which they are informed.
Finally, in a very recent book Move Fast and Break Things by Jonathan Taplin, a man I happen to know, he says:
“Part of our role as citizens is to look more closely at the media surrounding us, think critically about its effects, and whose agenda is being promoted”.
I put it to your Lordships that every single front page of every newspaper over the past four months has made this extraordinarily evident. In the words of the noble Baroness, Lady Lane-Fox, we are “sleepwalking” into a situation over which we have little control and of which the companies that do have control are not taking sufficient notice. As proved by the Communications Act 2003, you can crunch out the best possible wording and it is still possible for that wording to have absolutely no lasting effect on society as a whole.
Lord McNally (LD)
My Lords, my name is also on this amendment. It is a great pleasure to follow the noble Lord, Lord Puttnam, who has championed these issues for 20 years or more. It is worth while having a reality check for ourselves. One of the good things about the House of Lords is a certain continuity. I was in this House for the Data Protection Act 1998, which we are now reviewing, and for the Communications Act to which the noble Lord, Lord Puttnam, referred, and I served on his committee. We had no idea what revolution was coming our way. Indeed, in the Communications Committee, we were asked not to look at the internet; it was for the future. If we think about what has happened in those 20 years, what on earth is going to happen in the next 20, when we are reliably told we are on the verge of a fourth industrial revolution driven by data?
We were quietly asked by the noble Baroness, Lady Kidron, not to include this amendment in the previous group in case the whole thing became hijacked by a debate about education, and she was shrewd in that, but it was useful that she pointed out—I love this point—that data literacy should be as important as the three Rs as a core competency for the 21st-century child. If we are going to achieve that, we have to get out of the silo mentality: “It’s not our job, it’s the Information Commissioner’s job”; “It’s the Department for Education’s job”; “It’s DCMS’s job”. Somebody has to take responsibility for what we are saying because it is one of the great challenges.
There is a danger, particularly in a House of this age group, that we overestimate the capacity of the young. We all have our anecdotes about our grandchildren or our children being able to work the gadgets that we cannot work, but that does not mean that they have the competence or the maturity to make proper rational, responsible decisions about some of the factors that come within their ambit with this new technology. My noble friend Lord Storey referred earlier to a story in today’s paper about the increase in sexting among young children. We also know the extent of cyberbullying that goes on between children and about the naivety of children in being willing to reveal personal information online. Navigating the digital world is very complex.
The noble Lord, Lord Lexden, is in his place, and I am always worried about quoting history, but when the reform Act was passed in 1867, somebody said, “We now must educate our masters”, and that brought about the Elementary Education Act 1870. Nobody can now be in any doubt about the enormity of the task of preparing the whole population, but especially our children, to handle the new powers that are coming down the track at us. Educating for digital is one of the most important tasks facing us. I enjoyed and appreciated the way the noble Baroness, Lady Kidron, delivered her amendments. She made the point that that education is not to make this generation of children able to fit into the needs of Silicon Valley; it is to give them the power to make sure that Silicon Valley responds to their needs as citizens. That is the task that this amendment is trying to promote.
Lord Lucas (Con)
My Lords, I will speak briefly to support this amendment and particularly what the noble Lord, Lord McNally, has just said. We are asking our children to take on a whole set of responsibilities for which we, let alone they, are not prepared. The social consequences of social media and how to handle them produce enormous stresses on friendship. As for where this amendment is directed, there are also the consequences for children in the way their data are gathered and used, which we do not understand. The House of Lords can now track where each of us was geographically over the last month. It is all on our phones. A complete record is kept unless you happen to have turned it off. When did we give permission for that? If we cannot handle it, how can we expect our children to be able to handle it?
It is also quite clear that the sort of middle-range teenagers—14 and 15 year-olds, boys in particular—are living in a world of extreme pornography, in quality and content, that is quite unprecedented. What effects we can expect that to have on relationships between the genders when they get through to university and life afterwards I do not know. We cannot abrogate our responsibility to make sure that children are looked after properly and that we are not exposing them to amoral companies—I am not aware that any of these companies have a deep moral sense, whatever they may claim. We entrust their upbringing and education to that, but we care very much about their mental health, their sense of society, their sense of relationship to each other and the qualities that they will bring to the world as young people. We ought to be doing something about it in schools. We probably need a bit of thought as to what that should be, but we absolutely should not be doing nothing.
Lord Stevenson of Balmacara
My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.
This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.
However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.
The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.
I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.
Lord Puttnam
I accept entirely that the economic drivers for the digital economy are being handled quite well. I am suggesting that the societal end of that debate is not keeping pace with the commercial and that, if we allow too great a disconnect to occur between societal impacts and commercial success, we will reap a very unfortunate harvest. The Minister was good enough to see me last week, together with an official from the Department for Education. I am not pretending for a moment that nothing is being done, but I am suggesting that there is nothing like enough urgency in trying to correct the societal aspects of this issue.
Lord Ashton of Hyde
I take that point. I also understand the difference that the noble Baroness, Lady Lane-Fox, highlighted between digital skills and digital understanding, and we need to address that. One of the issues that the data ethics body is going to look at is how society deals with these technical problems, albeit that they are changing incredibly fast.
I have talked about younger pupils. Older pupils are also taught citizenship as part of the national curriculum. That equips pupils to take their place in society as active and responsible citizens, including providing them with the knowledge and skills that they need to think critically and to research and interrogate evidence. These vital skills help our children understand how their data can be used and why data protection is important.
Amendment 20 would require the Secretary of State for Education to make changes to the current maintained schools national curriculum, and would create new requirements for independent schools and academies. In our view, now is not the time to make further changes to these subjects. We need to allow schools to fully embed the new curriculum in order to provide a period of stability for schools so that they can focus on ensuring that pupils are taught this new curriculum well, including the new aspects on data protection.
Having said that, we are not complacent. We realise that companies’ use of data in the online world is increasingly complex and that we need to support children to understand that. The changes introduced in the Children and Social Work Act 2017 represent a step change in education on online safety. For the first time it will be compulsory for all primary-aged children at school in England to be taught relationships education, and all secondary-school children will be taught relationships and sex education. In addition, we will carefully consider whether also to make personal, social, health and economic education compulsory in all schools.
The noble Lord, Lord Knight, took my lines to a certain extent. I was going to confirm that the Department for Education confirmed today that it has begun its engagement with stakeholders. This is a point that has come up before: that will help it reach evidence-based decisions on the content. I can tell the noble Lord that the head teacher who is running it will advise the Department for Education on what will be included in relationships and sex education and PSHE, whether it should be compulsory and, if so, what content may be included. It will be live to online issues and include what children need to know to be safe online, beyond what is already in the computing curriculum.
The Government will ensure that these new compulsory subjects in England address the challenges experienced by young people online and are seeking views to work out exactly what this should cover and how best to do so. The Department for Education will support schools to ensure that content is pitched at the right level for each school year and builds knowledge as children grow up. Engagement and consultation will help us to get the detail right.
My department, DCMS, and the Department for Education are working together on the online safety aspects of these subjects. We will work with partners, including social media and technology companies, subject experts, law enforcement—
Baroness O'Neill of Bengarve (CB)
I thank the Minister for giving way. Is he suggesting that the aim should be to adapt children to the realities of the online world and the internet service providers, rather than to adapt the providers to the needs of children?
Lord Ashton of Hyde
I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.
We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.
I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.
Lord Storey
I am very grateful for the Minister’s helpful reply and to noble Lords who have contributed to this debate. I do not particularly like the phrase “digital literacy”: I much prefer “digital understanding”. I always understood that the fourth “r” was religion, so perhaps, with a small “r”, this is a religion for some of these large tech companies.
I can accept everything the Minister said, with the exception of two points. He said that these things are happening in the maintained sector. However, over 70% of our secondary schools are no longer in the maintained sector and they can choose whether or not to follow the programmes that he has suggested. Free schools are also increasing in number and, again, they do not have to take any part in this activity if they do not want to.
I agree with the Minister that this is not a discrete package where you tick the box when you have done it. It has to be part of a wider programme which goes through all aspects of learning. I also agree with the noble Lord, Lord Stevenson, who raised the question of whether we have the skills in our schools. It is not just digital issues: we do not have teachers for A-level maths or physics but we do not stop doing maths or physics. This might ensure that we actually started training teachers to work in this area.
I am grateful for the Minister’s helpful reply and look forward to considering this again on Report. I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Monday 6th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Lord Tope (LD)
My Lords, it is a pleasure at last to move Amendment 26. I do not think that I will detain the Committee for very long on this relatively straightforward amendment. I was alerted to concerns about this matter by London Councils, which represents the 32 London borough councils and the City of London. London Councils operates services on behalf of the London boroughs on a non-statutory basis. It is concerned about the present wording of the Bill, particularly Schedule 1 and the part to which my amendment applies, which fails to consider non-statutory services in relation to the conditions that must be satisfied to meet the exemptions set out in Schedule 1.
In particular, London Councils provides the Taxicard service, which is a non-statutory subsidised mobility service for people with severe sight and/or mobility impairments. The service currently provides around 70,000 disabled, and in many cases vulnerable, Londoners with subsidised transport, for which eligibility is determined at borough level.
When applying for the service, applicants provide special categories of data to demonstrate their eligibility. London Councils is therefore data controller and processor of such data. The Taxicard service falls within the definition of social protection and is a social protection scheme as set out in EU regulation 458/2007—however, it is delivered on a non-statutory basis. The current wording of the Bill is ambiguous as to whether services such as Taxicard would comply with the exemptions set out in the Bill. Despite fulfilling the definition of “social protection” set out in EU law it is a non-statutory service in respect of UK law. As the Bill refers to,
“the law relating to social protection”,
there are concerns about the extent to which organisations such as London Councils can rely on the exemption.
Were the exemption not to apply to the scheme, London Councils would have to take measures to comply with the provisions of the GDPR. These would include periodically writing to all 70,000 members to ask their explicit consent to process their special categories of data. Given the particular cohort of members of Taxicard, it is likely that some will not understand or be sufficiently informed of the GDPR to know why they are being written to or, probably, not sufficiently capable or motivated to respond, given their underlying health conditions. In taking such measures there is a real risk that many disabled Londoners who currently benefit from the scheme would no longer be able to do so, because anyone who did not respond would have to be deemed to have withheld their consent. In such cases, London Councils would have to stop providing the Taxicard service.
I am quite certain that it is not the intention of the Government that that should happen; still less that the Bill should be the means by which it happens. I understand that London Councils met officials at the department some three weeks ago, so I hope that the Minister will be able to say, preferably, that he accepts my amendment this evening—victory is always pleasant, if unusual—but if he cannot, that he can at least give some comfort that the Government are cognisant of the problem, that they are working on it and that appropriate amendments will be made to this schedule to ensure that there is no question of any ambiguity. I beg to move.
Baroness Chisholm of Owlpen (Con)
My Lords, as the Minister said in responding to the previous group of amendments, in order for special categories of personal data, for example, data concerning health, to be processed, controllers must demonstrate that the processing meets one of the conditions for processing set out in Article 9. Article 9(2)(b) permits processing without the consent of the data subject where necessary for purposes of employment law, social security law and social protection law, provided that a legal basis is set out in UK law. Paragraph 1 of Schedule 1 therefore introduces the necessary processing condition.
The noble Lord queried whether the reference to “social protection law” could be removed in favour of a more general provision on social protection. I am aware that some local councils have raised concerns about whether some of the services they provide would be covered by the current wording. We are somewhat restricted by the wording of Article 9, which specifically refers to “social protection law”, so limited change is allowed. Nevertheless, I can reassure the noble Lord that the term has a broad interpretation. This is because paragraph 1(3) of Schedule 1 provides that “social protection” would include any intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament. I am sure all here read the regs every night, but for those who are not familiar with that regulation, Article 2(b) covers interventions that are needed to support people who may be suffering difficulties in relation to healthcare or sickness; disability; old age; survivorship; family and children; unemployment; housing; and social exclusion. Given the breadth of issues covered, I think it would be fair to say that the current wording of the clause would cover a wide range of social services interventions.
It is worth adding that social protection law is a new ground for processing special categories of data in the Bill. It was not included in the Data Protection Act 1998 as a specific category. From that point of view, it should be more helpful to social service providers than the previous provisions in the Data Protection Act 1998 on which they currently rely.
I recognise the concern that Taxicard is a non-statutory service and therefore may not be able to use the derogation in Part 1 of Schedule 1, which uses the term,
“law relating to social protection”.
As I have already illustrated, the Government’s intention is to apply this derogation broadly. There is no desire to see vital services, which are often a lifeline to their clients, stopped. I am happy to take away the specific issue the noble Lord raised and to work with the Information Commissioner and her office to consider it further. I hope that reassures the noble Lord, Lord Tope, and I respectfully invite him to withdraw his amendment.
Lord Tope
My Lords, I am most grateful to the Minister for setting that out so fully and clearly. As I think I said when moving the amendment, I am quite sure it is not the intention of the Government that the Bill should have this effect, but at this stage of any legislation we always have to be particularly concerned about any unintended consequences. I will seek advice from those better able to determine such matters than I am. I am grateful to hear from the Minister that the Government are cognisant of the issue and are considering it. If necessary we can return to it at a later stage of the Bill with appropriate amendments. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Stevenson of Balmacara (Lab)
My Lords, at Second Reading I touched on the question of whether the Bill might be used as a vehicle for rehearsing some of the arguments that we have heard in your Lordships’ House about the issues raised by Sir Brian Leveson in his report. I opined at the time, and am still of the belief, that this would not be the right place to put forward those amendments again, because I would favour an initiative from the other side of the House which tried to build on some of the work that was done in the run-up to the work that was done after the Leveson report was first published, which saw all party groups coming together to try and find a way forward. It seemed that we were beginning to get ourselves into a cul-de-sac on many of these issues. Although there were strong passions and strong beliefs, and good intellectual and other reasons for taking forward some of these issues, the times had changed and the climate had moved on. It was therefore important to try and think again about what would happen.
However, I also said that maybe others would take a different view of that and come forward with amendments on these and related issues. I expressed the view that, if they did, Her Majesty’s Loyal Opposition would look at them on their merits and respond to them as and when they came up. This explains why we have not signed up to some of the amendments that are before your Lordships’ House today.
I also said that our main concern going into Committee would be to make sure that the arrangements under which we currently operated, which were largely set out in the Data Protection Act 1998, were continued. It was very important that all concerned had confidence that the transposition between 1998 and today, and going forward to 25 May 2018, was adequate and sufficient, in terms of how we approached them in relation to that Bill. I am therefore introducing Amendment 42, which is largely a probing amendment aimed at getting Ministers on the record as to whether or not they feel that the transposition has been made fairly and effectively. To the extent that there is an addition to the existing law, as I understand that to be the case, it is in response to a particular aspect of the current regime which does not seem to work well in practice. The Information Commissioner’s Office has made it clear that it feels that it could do with an additional power, which I think is provided for in the Bill, to assist with the ability to reimburse those who have been affected by actions arising from a complaint they have taken forward in relation to the press. If that is the case, I would be happy to have that confirmed. That is the reason for Amendment 42, and I look forward to hearing from Ministers how they respond to that.
In pursuit of a perfectly normal and natural wish to scrutinise the Bill as it is before us, we have two other amendments in this group. Amendment 87B was offered to us by the NUJ, and is on a question which comes up a lot when talking about intellectual property issues relating to photography—not that this is actually about that, but journalism has a common-sense meaning which is often used in language other than that of Bills to reflect all aspects of journalism, including photojournalism. But of course it is not the totality of what photographers do, so this amendment is an attempt to get on the record what Ministers believe to be the sense on page 136, in Part 5, where paragraph 24(2) states that GDPR provisions do not apply,
“to personal data that is being processed only for the special purposes to the extent that … the personal data is being processed with a view to the publication by a person of journalistic, academic, artistic or literary material”.
Given the absence of the term “photography” or “photographer”, I have a slightly rhetorical question, but one to which I am looking for an answer. Can I assume that the sense of that paragraph is that this would catch photographers?
If that is the case, since photography is often done in a way that would not always result in publication, could we have clarity about the situation if the photographers were to rely on this provision in relation to material? Say, for instance, they were taking a number of photographs of a demonstration, some of which would be used but a lot would not be, and then it was felt that there was some other purpose that those photographs could be used for—that was an example given to us by the NUJ. It was concerned that the photographer should not be discriminated against, in the sense that the work of building up a personal archive of photographs taken on the job that did not result in specific publication might not necessarily fit particularly well with that. This is just a probing amendment to see what the response to that is.
The other amendment in our name in this group is Amendment 87E, relating to an issue that has been raised by others in this group. There is what I think is meant to be a transposition from the Data Protection Act 1998 to refer to the question of whether or not the public interest is engaged, and various rules and regulations around that. The notion behind our amendment is that we are not sure it is helpful nowadays for the legislation to refer in specifics to a list of codes and practices, particularly because one of those—I reference paragraph 24(5)(c)—is not correctly described. I think others will speak to this as well. Obviously there is a code of practice that editors of major newspapers have contributed to and which works reasonably well in practice, but the danger about that as an example is that it cuts out a lot of other codes of practice that could easily be mentioned there. Having them there does not seem to advance the argument, which is that the controller must have regard to appropriate codes of practice or guidelines that exist. In the event that any question is raised by the Information Commissioner or others, it is more appropriate for that to be left more general than specific. With that, I look forward to the responses. I beg to move.
Baroness Hollins (CB)
My Lords, I will speak to the amendment in my name. I am grateful to the noble Earl, Lord Attlee, who has added his name in support. I will also speak in support of the amendment in the name of my noble friend Lord Skidelsky.
First, I want to explain why the Bill in its current form does not provide an adequate balance between privacy and freedom of expression, despite claims to the contrary by some parts of the media this weekend. Freedom of expression is essential to hold power to account and to expose wrongdoing, and it must be protected. However, the public also need to be protected from those who might seek to abuse such freedoms with the primary business purpose of selling newspapers.
The need for balance was recognised by Lord Justice Leveson in his 2012 report, and these amendments seek simply to implement some of the Leveson recommendations on data protection. It is worth remembering how some newspapers exploited private data in the past. Operation Motorman was a lengthy police investigation. The Information Commissioner reported on it in 2006, detailing the kinds of information that private investigators were buying unlawfully or obtaining by deception, including bank records, medical records, tax records, benefits records, phone records—thousands of transactions obtained from just one private investigator and commissioned by journalists. The victims whose data had been illegally accessed were not celebrities or public figures being investigated for genuine public interest reasons. They were just ordinary people with tenuous connections to those in the public eye: the sister of a well-known MP’s partner; the mother of a man once linked romantically to a “Big Brother” contestant; the decorator who had once worked for a lottery winner; and the GP who was doorstepped by a Sunday newspaper in the mistaken belief that he had inherited a large sum from a former patient. All these were victims of data misuse, and we are still learning how widespread those practices were.
Some argue that that is history and that newsroom practices have changed since the Leveson report, but the economic pressures which drove newspapers to desperate practices before are even more acute now. Many of the same editors and senior executives are still in place, and many in this House will remember similar promises of reform made by newspaper editors in the wake of the Calcutt report nearly 25 years ago. Does the Minister agree that this time, it is our responsibility to act decisively to protect the public from the less scrupulous elements of the press?
There is an exemption in the Data Protection Act 1998 for journalism, and this is reproduced in the Bill, but the exemption as drafted effectively offers a blank cheque to publishers and would allow them to breach data rights with little protection for the public from abuse. The GDPR is clear: exemptions should be made only when they are necessary to reconcile the right to protection of personal data with freedom of expression. My amendments are designed to ensure that this balance is properly preserved. They have been drafted by a senior QC and are based on recommendations made by Lord Justice Leveson, himself an independent senior judge, after a public inquiry in which he heard evidence and arguments from all sides, including the newspaper industry. I should declare an interest here and remind the Committee that I gave evidence to the Leveson inquiry.
Lord Skidelsky (CB)
My Lords, Amendment 89A in my name would remove the reference on page 137, line 14, to the IPSO editors’ code—written mainly by newspaper editors and enforced by their own, industry-controlled regulator—and replace it with a reference to any code operated by a regulator which meets Leveson’s criteria for independence and effectiveness. It is wrong, in principle, to place the IPSO Editors’ Code of Practice in the Bill alongside the BBC guidelines and Ofcom code of practice, which are the approved codes of statutory bodies. Parliament has approved a procedure whereby a press regulator may apply for recognition from the Press Recognition Panel, which is an integral part of the charter system, devised by Parliament to oversee press regulation. One of the criteria set out by the panel for effective self-regulation is that the regulator,
“should be independent of the publishers it regulates”.
I do not know whether the IPSO code would pass this test, because it has never been tested; IPSO has never applied for recognition. However, I doubt it, because the code is drawn up and managed by the editors’ code committee, which is made up of nine editors and newspaper executives and three lay people, with the chairman as an ex officio member. What is more, that code could be changed by that particular committee of the newspaper industry any time it wants and there is nothing that Parliament could do about it. That means that it is quite wrong for the IPSO code to be singled out, for reasons of freedom and information, for the full range of exemptions to which the noble Baroness, Lady Hollins, referred. It would be quite wrong for it to get that status.
My amendment seeks to confine the media code of conduct to the BBC guidelines, the Ofcom code and any code recognised by the Press Recognition Panel set up by the royal charter to provide a credible balance between freedom of expression and the right to privacy. I hope that the Government and the whole House will give it sympathetic consideration. I am sorry that I did not consult more widely beforehand: I am trying to finish a book which the publishers are screaming for, but I should have done that. However, I hope that this amendment will receive consideration.
Earl Attlee (Con)
My Lords, I am grateful to the noble Baroness, Lady Hollins, and the noble Lord, Lord Skidelsky, for speaking to these important amendments. The noble Lord, Lord Skidelsky, need not worry about not priming the House, as it were, as we are only in Committee and this is a very early stage in the process.
I am sure the Committee will agree that data protection requires the proper balancing of rights, and the amendments in the name of the noble Baroness, Lady Hollins, address that balance in the key area of journalism. Freedom of expression must include genuine public interest journalism. It must be right that journalists and the media have special rights in respect of data protection. It is obvious that the media have a vital role in ensuring that parliamentarians and others in public life adhere to the seven principles of public service. That role would be frustrated if there was a general right for everyone, not just politicians, to know what, if anything, the media “had on them”, if I may put it that way. These amendments do no more than strike that balance correctly: to protect public interest journalism while preventing the systemic abuse of citizens’ data rights. That abuse happened at the News of the World most infamously, but it also happened on an industrial scale at Trinity Mirror titles and other newspapers.
However, these amendments would also achieve something further and equally desirable. In retaining the broader exemption for newspapers that have agreed to sign up to an independent regulator, these amendments, while protecting the public, would also encourage newspapers to sign up to a genuinely independent regulator. Your Lordships will recall that in 2013, we voted in support of implementing the Leveson recommendations to provide an incentive for newspapers to sign up to an independent regulator. This was the system the former Prime Minister, David Cameron, recommended to Parliament, which was signed up to by all major parties in Parliament at that time. That system came with incentives because Leveson was not naive enough to believe that newspapers would sacrifice control over their own regulator without those incentives, and neither was this House. It is extremely regrettable, therefore, that the Government have so far not commenced Section 40 of the Crime and Courts Act, which was passed by this House to provide the most critical of those incentives.
The former Prime Minister, Sir John Major, warned at the Leveson inquiry that there was a serious risk of one party breaking ranks on press regulation policy. Making policy sacrifices to the press is a temptation that afflicts Governments of all colours, of course. However, I hope that the Government will recognise the strength of feeling in this House. This amendment would add to the work of the incentive passed by this House in 2013: it would incentivise newspapers to sign up to an independent regulator while still protecting the public.
I turn to the amendment in the name of the noble Lord, Lord Skidelsky. The proposed designation of the editors’ code is very odd indeed, first, because the Bill names an NGO in primary legislation which might not necessarily exist even next week. Of course, I can fully understand why it would not be appropriate to have the Secretary of State designate a regulator. It would smack of state regulation of the media, which we all want to avoid. Secondly, however, it is because the Crime and Courts Act and the royal charter combined already provide a mechanism for ensuring that any press regulator is genuinely independent and effective. I therefore support the amendment in the name of the noble Lord, Lord Skidelsky, which would replace the code used by IPSO with that of any regulator which was approved by the Press Recognition Panel under the royal charter. Of course, that could include the code of IPSO, if it reformed itself to pass the modest Leveson tests for independence and effectiveness. Clearly, Parliament put the Press Recognition Panel—the independent panel free from politicians and the press—in the sole position of judging the independence and effectiveness of press regulators. The Government should not seek to override their role by specifying the editors’ code in this manner.
Finally, I make it clear that I have already written formally to my noble friend the Chief Whip, indicating that I will vote in support of these amendments on Report if there is a Division. Tonight, however, we should confine ourselves to having a thorough discussion about them.
Baroness O’Neill of Bengarve (CB)
My Lords, I add my voice to those of my noble friends and the noble Earl, Lord Attlee. We sometimes forget that in talking about an approved regulator, we do not mean that the Press Recognition Panel is a regulator; it is an audit body—an auditor of self-regulating bodies. The press requires self-regulation, but which meets a standard in which members of the public can have confidence. They can have confidence if the process that we have already agreed of setting up a self-recognition panel is used. It is of course open to IPSO to apply for recognition by that process, remaining self-regulating but recognised, as it is open to other self-regulating bodies to be recognised in that way. This is a satisfactory way of accommodating the interests we all have in having media that are self-regulating but also meet standards.
Lord Black of Brentwood (Con)
My Lords, I declare an interest in this group of amendments as executive director of Telegraph Media Group and draw attention to my other media interests in the register.
When I saw, not with a great deal of surprise, that this group of interlocking amendments relating to press regulation had been tabled—perhaps their second or third outing in as many years—I was reminded fleetingly of that famous line of President Reagan to Jimmy Carter in a presidential debate: “There you go again”. That is what this feels like. We have another Bill—with only the most tangential link to the media—and yet another attempt to hijack it to bring about some form of statutory press control. As the Times put it last week:
“The Data Protection Bill is meant to enhance protection of personal data. It is not meant to be a press regulation bill by another name”.
But this profoundly dangerous set of amendments seeks to warp the Bill in just that way.
Can we please be crystal clear about the impetus behind these amendments? It is certainly nothing to do with data protection. It is to try, yet again, to force the British press—national papers, regional and local papers, and magazines: in other words, everything from the Guardian and the Daily Telegraph to the Birmingham Mail, the Radio Times and Country Life—into a state-sponsored regulator, with virtually no members and no prospect of any, and almost wholly funded by the anti-press campaigner Max Mosley. Indeed, it is the very same regulator which was recently brought into disrepute when an internal report found that its chief executive and two members of its board had breached internal standards by distributing tweets attacking major national newspapers and journalists. These amendments try to do that by seeking to remove vital journalistic exemptions enshrined in the GDPR from all those who will not, on grounds of principle, be bullied into a system of state-sponsored regulation. Other amendments seek to remove the protection for freedom of expression, which has worked very well in the Data Protection Act 1998, to balance convention rights and make privacy in effect a trump card.
Let us be clear: the amendments would be a body blow to investigative journalism—at a time when, as we have seen in recent days and weeks, it has never been more vital—by giving powerful claimants with something to hide the ammunition to pursue legal claims and shut down legitimate public interest investigations into their activities even before anything is published. All UK news operations, none of which will under any circumstances join Impress or any body recognised by the Press Recognition Panel, would find themselves under incessant legal challenge, with a profound impact not just on investigations but on news, features and even the keeping of archives. In my view, it is no exaggeration to say that that would overturn the principle that has underpinned free speech in Britain for two centuries: that journalists have the right to publish what they believe to be in the public interest and answer for it after publication—a right upheld by the courts here and all the way up to the European Court of Human Rights.
The protections which make investigative journalism possible would in effect be enjoyed by only a handful of hyper-local publishers which have signed up to a state-backed regulator. Are the noble Lords in whose names these amendments stand really content to see the future of investigative journalism in this country invested in The Ferret or insideMoray, rather than in the teams from the Observer, the Liverpool Echo, the Scotsman and the many others which over the years have broken story after story in the public interest? Frankly, if this were not so deadly serious, it would be funny.
If these amendments ever found their way into this legislation, it would be not just a massive blow for investigative journalism and public interest reporting but a further knock to our international reputation as a beacon for press freedom. No other country in the free world has a system such as the one proposed here, where publications are bullied by politicians into some form of state-backed regulation.
It is six years since the Leveson inquiry took place. In those six years, the world has changed—not just in terms of the commercial position of newspapers and magazines, many of which now fight daily battles simply to survive, but also in terms of strong independent regulation. It is time that we moved on too, and I am very pleased that my party has done so by committing itself to the repeal of Section 40.
This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20. To unpick it in the way that this set of amendments tries to do, making so much public interest reporting impossible, is grossly irresponsible, and I hope that the Committee will reject it.
Earl Attlee
My Lords, my noble friend has made a very interesting speech, which is very helpful to the Committee, but it would also be helpful to the Committee if we could understand what it is in the requirements of the Press Recognition Panel that makes it impossible, or makes IPSO unwilling, to meet those requirements. What is so difficult about becoming an approved regulator?
Lord Black of Brentwood
My Lords, it is not a question of meeting the requirements of the Press Recognition Panel. It is my belief that IPSO probably would meet the requirements. It is a fundamental belief that self-regulation cannot be self-regulation if it is approved by a state-run body. The Press Recognition Panel was set up by royal charter, which is a method of state regulation in all but name, and the press will not and cannot—and in my view absolutely should not—submit itself to something that has state backing in that way.
Earl Attlee
My Lords, that is extremely helpful to the Committee but I still do not understand how the state and government Ministers would be able to influence the work of the Press Recognition Panel.
Lord Black of Brentwood
My Lords, the Press Recognition Panel was set up by royal charter, underpinned by legislation in this House, legislation to which I was fundamentally opposed. The Press Recognition Panel was set up—I forget the exact figure—with £3 million of taxpayers’ money. It is a state-run body. To have a state-run body which in some way recognises a system of self-regulation negates the whole concept of self-regulation.
Earl Attlee
The noble Lord, Lord Black, is being very helpful. The courts are supposed to be independent and they are, but they are funded by the state as well.
Lord Black of Brentwood
My Lords, I am going to give way to judicial friends who are probably waiting to speak and will be able to deal with the question about the courts better than I can.
Lord Lester of Herne Hill (LD)
I remember Lord Campbell of Alloway once saying to me, “Never make a serious point after the dinner hour”. I think I now understand what he meant. I am in some difficulty, because my noble friends have not moved Amendment 88. I was hoping to make a speech explaining why I profoundly disagree with Amendment 88. Even given the flexibility of the rules of procedure of the House, I am not sure that I can do that until one of them moves Amendment 88. I am going to give them the opportunity of doing so.
Lord Skidelsky
The noble Lord, Lord Black, paints an incredibly rosy picture of the state of press regulation in the last 20 years. What he ignores is the background to the Leveson inquiry itself and the statutory system—the royal charter and so on—which followed it. There were years in which many newspapers grossly abused their freedom of speech. That is why this interlocking set of propositions, as he calls them, got going and produced a system which all the parties in Parliament accepted in 2013. He says that no other country in the world has a system like ours. No other country has had such an abusive press in parts, though not all the press by any means. These amendments seek to create a balance between freedom of speech and the right of privacy by setting up an auditor to determine how that balance is kept. It is an independent auditor, not part of the Government or the state. The noble Lord, Lord Black, seems to confuse the role of the state with that of an independent auditor, so the argument falls to the ground.
Lord McNally (LD)
My Lords, so that my noble friend Lord Lester can come in in due order, I will speak to Amendment 88. I also draw the Minister’s attention to Amendment 91, which relates to the City. It is clear from the ICO guidance that journalistic exemption was intended to apply to non-media companies, but this is not made explicit in the Bill. In addition, the Bill does not address whether material can be considered published if it is behind a paywall, or mainly addressed to corporate subscribers. That is the thinking behind Amendment 91. We were discussing earlier the concerns of some in financial services and companies such as Thomson Reuters about how the Bill affected them, and that is my probing for them.
I would like to speak to Amendment 88. I was one of the four privy counsellors who signed off the royal charter. I was in government when this went on. It was not an attempt by government to regulate the press. In fact, the coalition Government twisted and turned to try to find ways of taking this forward, as far away from state regulation as we possibly could.
Lord Lester of Herne Hill
My Lords, I wonder whether it might be helpful for me to begin by trying to find what we can all agree on and then look at what we cannot agree on. Everyone here, I am sure, will agree that the right to freedom of speech and the right to freedom of the press are essential foundations of a democratic society. Everyone would agree that the proper functioning of a modern participatory society requires the media to be free, active, professional—I underline the word “professional”—and inquiring. That is why the courts recognise the cardinal importance of press freedom and the need for any restriction on that freedom to be proportionate and no more than is necessary. As a great American judge once put it, one should not burn the house down in order to roast the pig.
Everyone would also agree, including the noble Lord, Lord Black, that freedom of expression and press freedom are not absolute rights; they carry responsibilities. The fate of the News of the World and the journalists convicted of gross abuses of privacy are examples of the need for effective regulation of the press and a fair balance between competing rights and interests. The way in which the family of the noble Baroness, Lady Hollins, was treated by the press was completely disgraceful and I am not surprised that ever since, she has pursued these issues with courage and determination. That does not mean that she is necessarily right, but it does mean that we should acknowledge that she and her family are real victims of real press abuse.
My noble friend Lord McNally will remember, since he and I made the Defamation Act 2013, how that Bill was hijacked in the House of Lords in order to try to coerce the press into what is now seen as a desirable system of regulation. Members of the House will remember that the Prime Minister refused to allow progress to be made on the then Defamation Bill until it was no longer taken hostage. What happened was that a deal was done, with Oliver Letwin as the broker, I think, to try to reach a compromise between the conflicting interests of privacy and free speech. Hacked Off got into the room without the press being represented and the result was the striking of a bargain that the press was profoundly opposed to. It was profoundly opposed to it because of the swingeing penalties by way of punitive damages and arbitrary costs rules as a punishment for the press if it did not join the system that was seen to be post Leveson. The reason why the press did not follow that path was that, among other things, it was advised by the noble Lord, Lord Pannick, and by me that it would be entirely unlawful for the press to be subject to arbitrary costs rules so that even if the press won, it would be liable to pay the other side’s legal costs and punitive damages. The noble Lord, Lord Pannick, advised in particular, and I agreed with him, that these were clearly contrary to the European Convention on Human Rights.
It is not true, as my noble friend Lord McNally seems to think, that nothing then happened, because something major did happen. The press barons who had for years been negligent and I would say stupid in opposing effective press regulation through the Press Complaints Commission, which was a useless and toothless regulator, realised in the end that the writing was on the wall. They appointed Sir Alan Moses, a very independent Court of Appeal judge, to become chairman of the Independent Press Standards Organisation. IPSO tackles media abuse. Although I know that not all agree, it is the independent regulator under a very independent chair for the newspaper and magazine industry in the UK. It regulates more than 1,500 print and 1,100 online titles. It handles complaints about possible breaches of the editors’ code. It gives guidance for editors and journalists. It advises about the editors’ code and it maintains a journalists’ whistleblowing hotline. Members of its staff are available to advise the public, complainants, editors and journalists, and it monitors its members’ compliance with the editorial code. It also carries out standards investigations where it believes that there have been serious and systemic breaches of the code.
Amendment 88, spoken to by my noble friend Lord McNally, would remove the reference in Schedule 2 to the IPSO Editors’ Code of Practice as a code of practice to be taken into account in determining whether it is reasonable for the controller to believe that publication is in the public interest. It would leave reference to the BBC Editorial Guidelines and the Ofcom Broadcasting Code, but make it more difficult for a publisher governed by IPSO to defend itself by relying on IPSO’s professional code.
Lord Skidelsky
I wonder how relevant all those last bits are to the subject we are discussing.
Lord Lester of Herne Hill
The relevance of what I have just said is that Max Mosley, who funds Impress, is fanatical in his desire for a privacy law that involves prior restraints. That simply indicates a complete lack of balance in his approach.
Lord Skidelsky
I have one more question. I thought we were discussing the substance of the argument, not the personalities of the people who may support one side or the other.
Lord Lester of Herne Hill
I was not discussing personalities, but what happened in the case in Strasbourg. I was about to say that, ironically, the Strasbourg court of human rights had regard to the editors’ code in the course of giving its judgment, so it certainly regarded the old editors’ code as relevant for that purpose.
The Explanatory Notes to the Bill state:
“Article 85 of the GDPR requires Member States to provide exemptions or derogations from certain rights and obligations in the context of processing personal data for journalistic purposes or the purpose of academic, artistic or literary expression”.
The notes go on to explain how that works. Article 10 is engaged, as there is an inherent tension between data protection and the right to freedom of expression. The Government were right to recognise those inherent tensions, which are not new. Personal data is about private information. I am reliably told that those public figures who wish to keep their private information away from inquiry now, as a matter of course, use data laws to protect publication in newspapers. If the correct balance is not struck, the ability of the press to act as a watchdog will be impaired to the detriment of democracy. Investigations, such as those into sex grooming, will become more difficult to publish.
The exemptions in Part 5 of Schedule 2 to the Bill are not new. They carry forward similar provisions in the Data Protection Act 1998. There is no good reason to amend them to the detriment of IPSO titles. It would be punitive to do so. Article 88 treats the majority of the print media, regulated by IPSO, less favourably than the BBC, broadcasters regulated by Ofcom and, if the amendment of the noble Lord, Lord Skidelsky, is accepted, members of Impress. That would mean that members of IPSO would be unable to rely on their compliance with the editors’ code—to which they are bound by contract—in their defence. It is difficult to understand the justification for this form of discrimination against editors and journalists working for our national and regional newspapers.
Lord McNally
I do not know how many more pages my noble friend has of this. Somewhere in it must be the recognition that IPSO has not applied for recognition, which would have given it all the protections he is calling for. He does not do himself a service. One of the reasons why people get irritated by the lawyers in this House is that they think that if they make a long enough speech it must be so and only the wicked would disagree. The reason why IPSO would be under threat is that it has not sought recognition. He gave a long list of IPSO’s supposed strengths. It is a sweetheart organisation. It is run by the newspaper owners. That is what we are trying to move away from.
I have now found something on the independent overseas press regulation. David Wolfe QC has said that it is disappointing that there continue to be attempts to prevent the recognition system working and that it is frustrating that Section 40 of the Crime and Courts Act has not been commenced. I would be a lot more impressed with my noble friend if he got behind that, or at least gave his friends in IPSO some really good advice and asked them to try to find a way forward with press regulation, instead of giving them an absolute veto on seeking a solution to this matter. I have finished—for the time being.
Lord Lester of Herne Hill
My Lords, I have tried to explain that the objection to the post-Leveson deal was that it was punitive and unfair. That is why the press chose, as is its right, not to be part of it. It chose instead a system of self-regulation with a very independent Court of Appeal judge, who, when he took office, made it clear that he would insist upon the system working properly and independently, as he has ever since. It is true that he has had to struggle against resistance by some newspapers, but that is the system we have.
Baroness Hollins
The noble Lord’s support for IPSO as being substantially better than the PCC is surprising. It has done no standards investigations, issued no fines and made no front-page corrections. I do not understand how that can be seen as regulation.
The noble Lord described Hacked Off as a movement set up to support celebrities. It was actually motivated by the Dowlers and sustained because of concerns about people like the McCanns and Christopher Jefferies. It is not about celebrities. Celebrity money has provided some of its support because they were motivated by hearing about those appalling abuses. That is what it is about.
All my amendments would do is incentivise a regulator to seek approval of its independence. Why will IPSO not seek approval and recognition of its independence? Why is it so afraid? Is it because it is not independent?
Lord Lester of Herne Hill
My Lords, I am not here on behalf of IPSO; I am not counsel for IPSO. I have simply tried to explain historically why we are where we are and the arguments the press made in the past that I was party to at the time, as was the noble Lord, Lord Pannick. If there are points to be made about the way in which IPSO works, no doubt they will be made by Members of the House. I stand corrected by the noble Baroness, Lady Hollins, who reminds me that it was not only celebrities who were abused, which is completely true.
What I am trying to say is that no democracy in the world has a system of press regulation that has been formulated post Leveson. It is objectionable to our national and regional newspapers. They will not change and suddenly agree to a different system because of anything which your Lordships say or do. It is a free press and the sensible thing to do is to make the system work. I believe that under Sir Alan Moses it is working, but if it is not working sufficiently, I am sure that they would be interested in any suggestions. It is hopeless if your Lordships believe that you can bully them into giving up their self-regulation in favour of the statutory system which they reject.
Earl Attlee
The noble Lord has been very helpful to the Committee. He told us what the disadvantages would be for a media operator if they were not signed up to an approved regulator. Can he tell the Committee what the advantages would be for a media operator if they were signed up to an approved regulator?
Lord Lester of Herne Hill
I do not understand the question. It depends on which regime we are talking about. Right now, there would be no advantages.
Lord Skidelsky
I have never heard a more absurd argument than that we can trust IPSO because Sir Alan Moses is chairman of it. Sir Alan is an admirable person; he is personal friend. How long is he going to be chairman? Who is the next chairman going to be? What about the independence of the editors’ code? The code may be fine at the moment, but it can be changed any time the committee decides without Parliament having any say in it at all.
Lord Lester of Herne Hill
I have been very careful not to traduce Impress or Max Mosley, nor will I seek to defend Alan Moses. We are not concerned with individual personalities; we are concerned with a political problem.
Lord Skidelsky
With great respect, we are concerned with the permanence of arrangements set up and put into primary legislation. The chairman of IPSO is not there for ever, and the code can be rewritten whenever the committee decides to do so.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, of course, we appreciate the contributions from all sides of the Committee on this issue, but let us be clear: this Bill is about data protection—it is not about press regulation. It is not about distinguishing between journalists, nor between the regulators they may or may not belong to.
The Government are committed to defending not only hard-won liberties but the operation of a free press. That is a fundamental principle of any liberal democracy. This Bill seeks to preserve the balance found in the 1998 Act, where journalists can process personal and special categories of personal data, but only when their processing is in the public interest and the substantial public interest respectively. The Bill also seeks to ensure that journalists are exempt from compliance with certain data protection requirements where to do so would undermine the operation of a free press, a key part of a strong and effective democracy where Governments are held to account and corruption and criminal behaviour can be challenged. No one seeks to condone the past misbehaviour of individual media organisations, nor to legitimise it.
Amendment 42 is moved by the noble Lord, Lord Stevenson. As we discussed last week in reference to Part 2 of Schedule 1, there is an exhaustive list of the types of processing which could be in the substantial public interest. When the Government consider that processing of a particular type will not always be in the substantial public interest, the Bill makes it a requirement that the data controller satisfies himself that any particular instance of processing is in the substantial public interest. Amendment 42 concerns the condition allowing journalists to process data in connection with unlawful acts and dishonesty, as dealt with in paragraph 10. The Bill, however, needs to balance freedom of expression with privacy and it may be that in some cases an act of dishonesty is not important enough and does not engage the substantial public interest to the extent that it justifies the processing of sensitive data by journalists. That is why the distinction is made.
To pick up on a point made by the noble Lord, Lord Stevenson, about continuity of arrangements in the 1998 Act, this processing condition is the same as that which currently appears under the existing Data Protection Act. It would appear that journalists have been dealing with that effectively and making the appropriate judgments for the last 20 years. I hope that that goes some way to explaining why we resist Amendment 42.
On Amendment 87B, I reassure the noble Lord that the specific inclusion of “photographic material” in paragraph 24(2)(a) of the schedule is unnecessary. This is because photographic material is likely to fall within one or more of the categories listed in that paragraph—for example, journalistic material or artistic material. We suggest that there is no requirement for express reference to photographic material. As for the point that was raised with the noble Lord by the NUJ, I think, about the use, the test is,
“with a view to publication”.
As long as that test is met, it does not necessarily follow that there must have been publication in order to legitimise the material in question. The position would, of course, be radically different if one had regard to one of the amendments moved by the noble Baroness, Lady Hollins.
Amendment 87E would remove the list of codes and guidelines in paragraph 24 of Schedule 2 that help controllers assess whether a publication would be in the public interest for data protection purposes and would replace it, as I understand it, with the term “appropriate codes”. I confess that I am a lawyer, to respond to a point made by the noble Lord, Lord McNally, or at least it is alleged that I am. That would certainly make it more difficult, as a matter for interpretation, for both publishers and the Information Commissioner to evaluate whether the publication of an individual’s personal data was in the public interest. Indeed, rather than the clarity of a list, one could instead be faced with years of potential litigation before an adequate body of case law was in place to establish what was appropriate. That is why we suggest it is appropriate that there should be a specific list, as reflected in the current legislation, the 1998 Act.
Amendments 88 and 89A concern the specific industry codes listed in the Bill. I start by saying that the codes currently listed in the Bill reflect those that are listed in the existing legislation. The editors’ code listed in the Bill—now enforced by IPSO rather than the Press Complaints Commission, I acknowledge —is one of these, and the Information Commissioner has already reflected this change in her current guidance on Section 32 of the existing Act. That follows from the Data Protection (Designated Codes of Practice) (No. 2) Order 2000, which set out the various codes of practice and included the editors’ code of practice. While there is a suggestion that the editors’ code of practice might change, in the light of any such change the Information Commissioner’s view and guidance as to the applicability of that code may also change. So it is not as if it is entirely without control.
Lord Clement-Jones (LD)
The Minister said that it could change, but the word IPSO is actually in the Bill, so I do not quite understand the point that the Minister has just made.
Lord Keen of Elie
Let me elaborate on the point for a moment to make it clear. IPSO did not exist in 1998; the editors’ code did and therefore the editors’ code was incorporated as such by reference to the 1998 Act and the 2000 order. The relevant editors’ code is now known as the IPSO code. It is essentially the same code, as I understand it. I see that the noble Lord, Lord Stevenson, is shaking his head on this point, but it is essentially the editors’ code that is now incorporated within the IPSO code.
Lord Stevenson of Balmacara
I could not resist jumping up. I think the nub of the argument is the four letters IPSO. It is an editors’ code. IPSO is a separate body. I think there would be less concern if it were just simply the editors’ code because we understand what that is. That would be the right reference, but I think we will return to this later.
Lord Keen of Elie
The terms of the editors’ code are now referred to as the IPSO code, but I take the noble Lord’s point and I will take away and consider whether there is any material issue about using the designation of that code in the schedule. However, it is, with respect, essentially the editors’ code as it was originally recognised. As I understand it, that is reflected in the Information Commissioner’s current guidance under reference to Section 32, which is why it appears in the schedule in the form that it does.
Lord Lester of Herne Hill
I shall be corrected in due course if I am wrong, but I think the position is that the editors’ code was the code that was formulated under the PCC, and then when Sir Alan Moses became chair of IPSO the code was then amended to strengthen it—but I shall be corrected if that turns out to be mistaken.
Lord Keen of Elie
The noble Lord is quite right that it had its origin as the editors’ code before the PCC, but I am reflecting the fact that the Information Commissioner, being aware of the genesis of that code and its approval, has, as I understand it, under current guidance under reference to Section 32 of the existing Act acknowledged it as a relevant code. It seems to me that we may be arguing around designation rather than content, and I will give further consideration to the question of designation.
Removing that code—I will call it “that code” for present purposes—as proposed in the amendments would be a quite extraordinary step. Whatever one might think of IPSO, we should recognise that it has more than 2,500 members, including most of the major tabloids and broadsheets. Removing the code from the Bill would therefore remove protections for the vast majority of our press industry and cause significant detriment to what is a free press.
No codes adopted by a Press Recognition Panel-approved regulator are listed—and of course there is only Impress in that context. Under current legislation the Information Commissioner’s guidance on Section 32 does not include that code. That does not mean that such a code cannot be included in the future. However, before amending the list of codes, the current and proposed legislation makes it clear that the Secretary of State must consult the Information Commissioner. The self-regulator Impress has applied for its standards code to be included in the schedule, and the Secretary of State is currently considering that application—but in due course, once she has considered the application, she will have to refer to the Information Commissioner and consult her about that application.
I should also emphasise that the current list of codes, allowing for the point about designation, does not represent an endorsement of any one press regulator over another. This is about ensuring that the codes listed are appropriate, having regard to the need for data protection.
It is also worth noting that the exemption the Bill provides to those processing data for special purposes will be available to all journalists where the criteria set out in paragraph 24(2) of Schedule 2 are met. Where a publication is subject to one of the listed codes of conduct, it must take that code into account when determining whether publication is in the public interest. However, although the commissioner’s current guidance emphasises that compliance with industry codes will help demonstrate compliance, those publications that are not subject to a code are not somehow excluded from qualifying under the relevant exemptions, if they meet the three-part test in paragraph 24.
I appreciate that the intention of Amendment 91 is to ensure that we interpret the notions relating to journalism broadly and, in doing so, protect the right to freedom of expression. However, there is no requirement for this amendment if one has regard to Clause 184, the relevant interpretation clause, which makes it clear and underlines that material need be available only to a section of the public, and that would include those who subscribe by way of a fee for particular access to material. So these exemptions will extend to the sort of body that was referred to by the noble Lord in relation to Amendment 91. If anything, there is duplication, because we have not only paragraph 24(9), which refers to the public and a “section of the public”, but Clause 184, which defines the public by reference to, and includes, a section of the public. I believe that there was an earlier proposal to take paragraph 24(9) out in order to avoid that duplication.
I turn to the amendment tabled by the noble Baroness, Lady Hollins, and supported by my noble friend Lord Attlee. Article 85 of the GDPR requires member states to reconcile the right of protection of personal data with the right to freedom of expression and information, which is of course embraced by the European Convention on Human Rights. Although like, clearly, other Members of the Committee, I have great sympathy for the noble Baroness’s own experience, I firmly believe that the Bill strikes the right balance in reconciling these interests and aligns with the requirements of the regulation.
By contrast, the proposed amendments seek to reset that balance, so that the right to personal information privacy trumps that of the right to freedom of expression and information. This would be inconsistent with Article 85, which recognises the special importance of freedom of expression and provides a wide power to derogate from the regulation for processing for the special purposes. That point was elaborated by the noble Lord, Lord Lester of Herne Hill, when he underlined the importance of the freedom of the press in this context.
Amendment 87A seeks to amend the journalistic data protection exemption to make it available only where the processing of data is necessary for publication, rather than simply being undertaken with a view to publication. I fear that this does not reflect the realities of how journalists work and how stories, including the most sensitive and important pieces of investigative journalism, are put together and published. A journalist will not know what is necessary until the data has been gathered, reviewed and assessed.
Amendments 87C and 87D relate to what factors the controller must take into account when considering whether publication of data would be in the public interest. The amendments would remove the requirement on the controller to take account of the special importance of the public interest in freedom of expression and information, and make the exemption available only where, objectively, the likely interference with privacy resulting from the processing of the data is outweighed by the public interest.
Controllers already have to consider issues of privacy when considering the public interest. But this amendment goes too far in saying that public interest can be trumped by privacy, weighting the test away from freedom of expression. This is again contrary to Article 85, which requires a reconciliation of these rights. I understand the noble Baroness’s intent here, and the harm that she seeks to prevent, but the rebalancing that she suggests goes too far.
Finally, Amendments 89B and 91A aim to narrow the exemptions for journalists who are not members of an approved regulator as defined by the Crime and Courts Act 2013. Fundamentally, these provisions are about protections that journalists should be able to legitimately rely on in going about their important work. We should view these clauses through that lens—as vital protections that give journalists the ability to inform us about the world in which we live and to effectively hold those in power to account.
The Government do not condone the past behaviour of individual media organisations, nor, as I noted earlier, do we seek to legitimise it. Equally, though, we do not think the problems that Sir Brian Leveson and others have identified can, or indeed should, be fixed through the medium of data protection law. Indeed, the Government feel strongly that these important protections for journalists should be maintained.
We must strike the right balance in reconciling the right to privacy with the right to freedom of expression and information. I hope I have gone some way towards explaining how the Bill seeks to do that. I hope I have addressed the concerns that have been expressed through the amendments, and I urge noble Lords to withdraw them.
Lord Stevenson of Balmacara
My Lords, this has been a very interesting debate. It has lasted one hour and 25 minutes and there is a little more to go. The hour is late and I do not think one wants to rush to judgment on the many important things that have been said today. As I am sure many other noble Lords do when faced with such an intense and important debate, I want to reflect a little on it, read what it looks like in Hansard the next day and then form a view on it. However, I shall share one or two things with the Committee that come to my mind and I think we should take away from this.
Of course this is about the balance between privacy and freedom of expression. It was interesting that the noble Lord, Lord Black, was at pains to point out in his intervention that he did not think there would be any country in which the sort of systems that are discussed in some of the amendments here took place. I ask him: is there a country that he would be happy to live in that did not have a statutory protection of privacy and freedom of expression, however well balanced and proportionate that would have to be? The answer would be very interesting.
My memories from this will be of the long campaign that the noble Baroness, Lady Hollins, has fought to try to get this troubled area of our law into better shape. The perhaps reluctant speech by the noble Lord, Lord McNally, in opening up the way for the noble Lord to debate issues relating to earlier approaches to this area, struck home for me. I thought it was a powerful intervention and one we should think hard about.
My ultimate feeling about this is that we may be talking about the very narrow issue of data processing in relation to journalism, but of course it engages all the issues that arise from any decision that we make about the balance between privacy and freedom of expression. As I tried to demonstrate in the discussions on day one of Committee, if there were better protections between a right to privacy and the right to freedom of expression than there currently are in the Bill, maybe this would be an easier process, but they are not there yet. We need some movement here. The genuine offer that I made to the noble and learned Lord to try to find common ground on this and move forward, which was picked up by others, seems to have been rejected. That is sad, and we will not get very far if that is the attitude we are going to encounter.
At the end of the day, we may not have a choice on this. If Parliament is unable to act, it may well be that the privacy law we end up with will be judge-led, arising from cases that happen to come in, out of which a body of law will be built up that does not suit the noble and learned Lord and his friends. He should think very carefully about where we are at the moment, where the political power lies, where the interests of those engaging with this are coming from and how long it would be before we got to a point where we could take this forward.
I think we will come back to this on Report more than once. There are issues here that will survive the helpful comments made by the noble and learned Lord, who covered the detail of the amendments very fully. I will read what he said very carefully. I do not think we have got to the bottom of how you get the balance in law for a long time so that it works. It is not to do with definitions of which code or otherwise we are talking about; we are talking about real principles here that need to be addressed.
Baroness Hollins
My Lords, I want to make a couple of comments. I take exception to the suggestion that my amendments are in some way bullying. If anything, it is the newspapers that are bullying: for example, bullying the Government not to commence Section 40 of the Crime and Courts Act 2013. This is not the wrong Bill: it is about data protection. All that my amendments would do is implement Lord Justice Leveson’s recommendations on data protection. It is a data protection Bill, and that is what they are about.
The so-called IPSO code is owned by the Regulatory Funding Company and, as I understand it, only its sub-committee can change it. IPSO then has to take it or leave it. The RFC also refused to allow IMPRESS to use it. It seems very strange to have that code named in the Bill. I will think carefully and review what needs to come back on Report, but I would welcome an opportunity to discuss this further with the noble and learned Lord to try to understand why there is such a difference of view about it.
Lord Skidelsky
I should like to make just one point. The noble and learned Lord, Lord Keen, came close to admitting that to put IPSO in the Bill was a mistake—I say came close to admitting—whereas it would have been perfectly all right to have just said, “the editors’ code”. There is something there to discuss, because if you call it the IPSO editors’ code, that looks as if you are favouring a particular organisation, rather than a code. The code is owned by the newspaper publishers; it is their code; we need to take that into account. It is less obnoxious just to have “the editors’ code”, than to have an organisation named in the Bill as the effective carrier of that code. I do not know whether the noble and learned Lord is willing to consider leaving out mention of the organisation. If so, it would be interesting to discuss how best to do that. I may come back to this on Report, but thank him very much for his speech.
Data Protection Bill [HL]
Monday 13th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
The Earl of Kinnoull
“(1) This condition is met if the processing—(a) is necessary for the purposes listed in sub-paragraph (2), and(b) is necessary for reasons of substantial public interest.(2) The purposes mentioned in sub-paragraph (1)(a) are—(a) the arrangement, underwriting, performance or administration (or assisting in the arrangement, underwriting, performance or administration) of a contract of insurance or reinsurance;(b) the handling or administration (or assisting in the handling or administration) of a claim made under a contract of insurance or reinsurance.”
The Earl of Kinnoull (CB)
My Lords, I will speak also to Amendments 46A, 47A, 48A and 50A. We move to a series of probing amendments relating to insurance. I am concerned about many practical things in the Bill, and what I see as unnecessary and unwise obstacles for insurance in general, and for motor insurance and employer liability insurance in particular. I declare my interests as set out in the register of the House and, in particular, those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, for his support for these amendments—indeed, he was emailing me late last night—and I thank the Minister for a generous slice of his time last week. I also thank the Association of British Insurers and the Lloyds Market Association for their help in preparing my remarks. They, in turn, have had input from the four other major insurance market associations and other bodies.
The insurance industry delivers products in the public interest. Indeed, some of the major classes, such as motor insurance and employer liability insurance, are compulsory. It is greatly to society’s benefit that there is a wide choice of good products available at a reasonable price. It is less well understood in the wider world what an important part reinsurance plays in supporting insurers by protecting insurance companies from large unexpected losses and providing temporary extra capital when it is needed. In other words, insurers, too, need a wide choice of good products available at a reasonable price. It is a complex ecosystem, and unintended consequences tend almost invariably to hurt the man in the street.
The impact assessment called for the setting of new standards in accordance with the GDPR,
“whilst preserving the existing tailored exemptions from the Data Protection Act”.
Later on in the same page of the impact assessment there is a call for,
“exercising the derogations in the best interest of the UK”.
In fact, the impact assessment has several references to business and insurance business which make it plain that the Government do not intend to place an undue extra burden on business. I am grateful to the Government and the Bill team for having gone some way to alleviating the problems—but I fear that we need to go a lot further.
Sensitive personal data under the current Data Protection Act 1998 has become special category personal data in the GDPR. The treatment of special category personal data looks similar under the GDPR and the DPA, with consent as the applicable legal ground under which data can be processed in most cases. However, what has changed is the definition of consent, with the threshold for valid consent under GDPR now being much higher.
For insurers and reinsurers, the two most common types of special category personal data are information relating to health and information relating to criminal convictions. Being able to consider health and criminal conviction data is hugely important for insurers uniformly and throughout the world. The ABI estimates that the ability to process these types of data helped in detecting around £1.3 billion in fraudulent claims in 2015 alone, and I fear that the Bill unamended would therefore potentially increase costs for millions of motor insurance policyholders. To get an idea of the size of the market where health data is required for underwriting and claims purposes, the LMA has advised me that it identifies annual Lloyd’s market premiums alone of at least £2.3 billion a year.
Processing special-category data, including health data, is fundamental to calculating levels of risk and underwriting the majority of retail insurance products. ICO draft guidance infer that consent as a precondition of accessing a service, as would be the case for a proposal for an insurance contract, would not be a legitimate basis for processing special-category personal data.
Let us take the example of a daily smoker who at retirement age tries to buy an annuity. They would be asked to provide their medical details. This health data would establish that the individual has a below-average life expectancy. The insurer is therefore able to offer an enhanced annuity that pays the individual a higher percentage of income every year.
Under the Bill and its associated draft ICO guidance, insurers would not be able to access the individual’s medical records as consent is a precondition of accessing the enhanced annuity market and therefore such consent cannot be freely given. Insurers would be unable to offer an enhanced annuity and the individual would be treated as a consumer with average life expectancy and receive a lower income from their annuity. This would be a highly undesirable state of affairs.
Take the situation where an insurer has a direct relationship with the insured—a personal motor policy, let us assume. It would seem relatively easy for them to obtain a consent for all processing. However, it is not. More than half the motor insurers in the UK make use of the Motor Insurance Bureau’s MyLicence anti-fraud facility. This third-party service, available to all insurers, allows them at the quote stage to understand a driver’s record using DVLA data. Express consent is not possible and nor, for the same ICO reasoning as my annuity example, would any consent anyway be valid. If the Bill is unamended, this would be bound to drive up premiums for motor insurers, as a principal defence against fraud would cease to exist.
The Lord Speaker (Lord Fowler)
I should notify the Committee that if Amendment 45B is agreed, I cannot call Amendments 46 to 50A by reason of pre-emption.
Lord Clement-Jones (LD)
My Lords, the noble Earl, Lord Kinnoull, has clearly and knowledgeably introduced the amendment, which I strongly support. He made clear through his case studies the Bill’s potential impact on the insurance industry, and I very much hope that the Minister has taken them to heart. Processing special category data, including health data, is fundamental to calculating levels of risk, as the noble Earl explained, and to underwriting most retail insurance products. Such data is also needed for the administration of insurance policies, particularly claims handling.
The insurance industry has made the convincing case that if the implementation of the Bill does not provide a workable basis for insurers to process that data, it will interrupt the provision to UK consumers of retail insurance products such as health, life and travel insurance, and especially products with health-related consumer benefits, such as enhanced annuities. The noble Earl mentioned a number of impacts, but estimates suggest that, in the motor market alone, if this issue is not resolved, it could impact on about 27 million policies and see premiums rise by about 3% to 5%.
There is a need to process criminal conviction data for the purposes of underwriting insurance in, for instance, the motor insurance market. Insurers need to process data to assess risk and set the prices and terms for mainstream products such as motor, health and travel insurance.
The key issue of concern is that new GDPR standards for consent for special category data, including health, such as the right to withdraw consent without experiencing detriment, are incompatible with the uninterrupted provision of these products. As the noble Earl, Lord Kinnoull, has clearly stated, there is scope for a UK derogation represented by these amendments, which would be in the public interest, to allow processing of criminal conviction and special category data when it is necessary for arranging, underwriting and administering insurance and reinsurance policies and insurance and reinsurance policy claims. I very much hope that the Minister will take those arguments on board.
Lord Stevenson of Balmacara (Lab)
My Lords, the noble Earl, Lord Kinnoull, has done us a great favour in introducing with great skill these amendments, which get to the heart of problems with some of the language used in the Bill. We are grateful to him for going through and picking out the choices that were before the Government and the way their particular choices seem to roll back some of the advances made in the insurance industry in recent years. I look forward to the Minister’s response.
Our probing Amendment 47 in this group is on a slightly higher level. It is not quite as detailed—nor was it intended to be—as the one moved by the noble Earl. We were hoping to raise a more general question, to which I hope the Minister will be able to respond. Our concern, which meets the concerns raised by the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, is where the Government want to get to on this. It must be true that insurance is one of the key problems facing many people in our country. It is the topic that will be discussed in the QSD in today’s dinner break as it bears heavily on financial inclusion issues. So many people in this country do not take out insurance, personal or otherwise, and suffer as a result. We have to be very careful as we take this forward as a social issue.
However, an open-ended derogation to allow those who wish to gather information to make a better insurance market surely also raises risks. If we are talking about highly personal profiling—we may not be because there are constraints in the noble Earl’s amendment—it would lead to a more efficient and cheaper insurance industry, but at what personal cost? For instance, if it is possible to pick up data from those who perhaps unadvisedly put on Facebook or Twitter how many times they get drunk—I am sure that is not unusual, particularly among the younger generation—information could be gathered for a profile that ought to be taken into account for their life, health or car insurance. I am not sure that we would be very happy with that.
Underlying our probing amendment is to ask the Minister to respond—it may be possible by letter rather than today—on protections the Government have in mind. What sort of stock points are there that we can rely on as we move forward in this area? As processing becomes more powerful and more data is available, pooled risks are beginning to look a little old-fashioned. The old traditional model under which insurance is gathered is that the more the pool is expanded, the risks are spread out more appropriately across everybody. The trouble is that the more we know, we will be including people who are perhaps more reckless and therefore skewing the pooling arrangements. We have to be careful about that.
There is obviously a social objective in having a more efficient and effective insurance market but this ought to be counterbalanced to make sure that those people who are vulnerable are not excluded or uninsurable as a result. The state could step in, obviously, and has done so, as we have been reminded already in our Committee discussions about the difficulty of getting insurance for those who build on flood plains. However that is not the point here. This is about general insurance across the range of current market opportunities being affected by the fact that we are not ensuring that the data gathered is both proportionate and correct in terms of what it provides for the individual data subjects concerned.
The Earl of Erroll (CB)
I want to say a couple of words on consent, because it is something I have been thinking about for a while. Consent is often seen as a great panacea to this whole thing about protecting people, but I do not think it really is. The requests that really irritate me are the ones that ask for unnecessary information such as your date of birth, when all you are trying to do is to sign up for a warranty on a bit of equipment or whatever, because firms are trying to profile their customers. Those I agree should be stopped. But other consent requests are essential to giving a good service.
There are two things to say about such requests. One is that most people do not mind, because they assume that people know everything about them anyway—particularly the Government and the big boys. They just want the thing to be done properly so that they can get their money, or whatever it is. To put blocks in the way so that they have to click on or sign lots of different consent forms does not get them any further and just irritates them more. Those provisions are very sensible.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.
The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.
Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.
Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.
These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.
Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.
I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—
Lord Clement-Jones
My Lords, I am sorry to interrupt. The Minister mentioned the guidance from the Information Commissioner. From what he said, I assume he knows that the insurance industry does not believe that the guidance is sufficient; it is inadequate for its purposes. Is he saying that a discussion is taking place on how that guidance might be changed to meet the purposes of the insurance industry? If it cannot be changed, will he therefore consider amendments on Report?
Lord Ashton of Hyde
Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.
The Earl of Kinnoull
Following up the noble Lord’s point, I would like to say a couple of things. First, I sort of understand where the Information Commissioner’s Office is coming from. I have article 7 in my hands, which contains the definition of consent from the GDPR, and article 9(2)(a). My concern is that even if the Government are very nice to an Information Commissioner and persuade them to change the guidance, it could change at any time. It is important to ensure that the Bill will work for the ordinary man in the street. As for compulsory classes, it is not about looking after the insurers but every small business in Britain and every small person who wants to get motor insurance, especially those who have problems with either criminal convictions or their health.
Lord Ashton of Hyde
I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.
Lord Clement-Jones
My Lords, I am sorry to interrupt the Minister again but he is dealing with important concepts. Right at the beginning of his speech he said he did not think this could be covered by the substantial public interest test. Surely the continuance of insurance in all those different areas, not just for small businesses but for the consumer, and right across the board in the retail market, is of substantial public interest. I do not quite understand why it does not meet that test.
Lord Ashton of Hyde
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
Lord Stevenson of Balmacara
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
Lord Ashton of Hyde
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
Lord Clement-Jones
I am sure that the noble Earl, Lord Kinnoull, will come back at greater length on this. The issue that the Minister has outlined is difficult, partly because the Information Commissioner plays and will play such an important role in the interpretation of the Bill. When the Government consider the next steps and whether to table their own amendments or accept other amendments on Report, will they bring the Information Commissioner or her representative into the room? It seems that the guidance and the interaction of the guidance with the Bill—and, eventually, with the Act—will be of extreme importance.
Lord Ashton of Hyde
I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.
The Earl of Kinnoull
I thank all noble Lords who have taken part in this short but interesting debate. Of course, the Information Commissioner reports to Parliament, so if we held a meeting here, we probably could ask her, quite properly, to come. That might be quite helpful in this complex area. As I said, when you mess around in these areas, the person who suffers is the man in the street, not the insurance companies. The noble Lord, Lord Stevenson of Balmacara, in particular made a number of interesting points in speaking to his amendment, which need to go into the mix as regards how we sort through this difficult area.
I am very grateful to the Minister for confirming that we will continue discussions in this area. I do not think for a moment that I necessarily have all the right answers, but we have started on the journey and will continue. We will certainly be talking about the same issues again in different formats on Report and I look forward to that very much. On that basis, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“15A(1) This condition is met if—(a) the processing is necessary for the purposes of—(i) automatically renewing a pre-GDPR insurance contract, or(ii) carrying out, or managing the expiry of, an insurance contract resulting from the automatic renewal of a pre-GDPR insurance contract,(b) the controller has taken reasonable steps to obtain the data subject’s consent to the processing of personal data necessary for those purposes in accordance with sub-paragraph (2), and(c) the controller is not aware of the data subject withholding such consent. (2) The steps described in sub-paragraph (1)(b) must have been taken—(a) in the case of a contract which automatically renews after a period of less than 10 months, on at least one automatic renewal of the contract in each period of 12 months that has ended since 25 May 2018;(b) in any other case, each time the contract has automatically renewed since 25 May 2018.(3) For the purposes of this paragraph, an insurance contract is automatically renewed if—(a) a new insurance contract between the same parties is made without the insured person taking any steps, and(b) the new contract provides cover which is the same as, or substantially similar to, the cover provided by the expired contract,and references in this paragraph to the automatic renewal of a contract include both the first automatic renewal on the expiry of that contract and subsequent automatic renewal originating with that contract.(4) For the purposes of sub-paragraph (3)(a), the new contract and the expired contract are to be treated as made with the same insurer if they are made with different insurers but arranged by the same intermediary.(5) In this paragraph—“insurance contract” means a contract of general insurance or long-term insurance;“insurer” means a person carrying on business which consists of effecting or carrying out insurance contracts;“pre-GDPR”, in relation to an insurance contract, means made before 25 May 2018.(6) Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.”
Lord Kennedy of Southwark
Lord Kennedy of Southwark (Lab)
My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.
Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.
Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.
Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.
I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.
I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.
Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?
Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.
Baroness Hamwee (LD)
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
Lord Ashton of Hyde
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
Lord Whitty (Lab)
I fully support my noble friend’s assertions and the Minister’s response. It is very important that registered political parties can operate effectively. I wonder whether, in the discussions he is proposing to undertake, the Minister will also address the issue of other organisations and political parties attempting to influence the political process. I do not think I need to spell it out, in view of recent news, but the use of social media by organisations that are not covered by our electoral law or by registration as a political party must not have the same provisions that registered political parties would have under the Bill or my noble friend’s amendments. I wonder if that could be addressed directly in these discussions.
Baroness Jay of Paddington (Lab)
My Lords, before the Minister replies to my noble friend Lord Whitty, I want to emphasise the importance of his arguments and ask him to reflect again on what he said about the point made by the noble Baroness, Lady Hamwee, on the Electoral Commission’s involvement. Although, as the Minister said, he wrote in general terms to the commission—or it was asked to give evidence to the Government on the matter—that may have been around the time of the general election, when perhaps it was engaged in immediate problems. It is important that it be included in discussions on the broader issues, particularly the ones just raised by my noble friend Lord Whitty. Perhaps it would be worth the Government reflecting on attempting to draw it into the conversation now.
Lord McNally (LD)
It is easier for me to intervene now, so the Minister can answer everything in one go. In two small amendments, there is a massive issue that needs to be addressed with great seriousness. The Minister referred to the Information Commissioner’s study on the interrelationship between data and the political process. I wonder whether her findings will be available before the Bill becomes law, because that will have a great impact. The other thing we must learn, as the noble Lord, Lord Whitty, said, is that it is often wise to look across the Atlantic to find out what is coming to us. There is a massive problem coming down the road concerning how data are used during the political process. On the one hand, there is the issue, referred to by the noble Lord, Lord Kennedy, of political parties being mostly volunteers, trying their best to deal with complex laws. They must be protected as best they can. On the other side of the argument, there is a degree of sophistication in applying data to politics, which could become a threat to the democratic process. These are two small amendments, but they are an iceberg in terms of the problems that lie beneath them.
Lord Lucas (Con)
My Lords, I want to pick up on the last point of the noble Lord, Lord McNally. We are getting into a situation where political parties are addressing personal messages to individual voters and saying different things to different voters. This is not apparent; there must be ways to control it. We will have to give some considerable thought to it, so I see the virtue of the amendments.
Lord Ashton of Hyde
Quickly, because I will not remember all the questions and points, I want to emphasise that they are all very good points and I will reflect on them. My main mission is to get the GDPR and law enforcement directive in place by May 2018. I absolutely accept the point made by the noble Lord, Lord McNally—that this is the tip of iceberg—but we must bear in mind that this is about data protection, both today and on Report, so I will focus on that. We have already had other avenues to raise a lot of the points the noble Lord made, but I agree that it is a huge issue. He asked when the report from the Information Commissioner will be available. I would expect it before Christmas, so it will be before the Bill becomes law.
I certainly undertake to reflect on what the noble Baroness, Lady Jay, said about the Electoral Commission. I believe that our call for views was after the election; nevertheless, I take her point. I am very sorry but I cannot remember what the point from the noble Lord, Lord Whitty, was, but I accept these things have to be taken into account. When we have our meeting—it is becoming a big meeting—it will be for people concerned specifically with the Data Protection Act, not some of the issues that lie outside that narrow area, important though they are.
I ask noble Lords not to press their amendments.
Lord Lucas
My Lords, picking up on the last point from the noble Baroness, Lady Hamwee, is this the first time the privileges of Members of this House have been reduced in relation to Members of the other House? If so, will the Government consult the Speaker of this House on whether he considers that desirable?
Lord Ashton of Hyde
My Lords, they have not been reduced. This is the position that exists today.
Lord Lucas
My Lords, privileges are being given to Members of another place—and indeed to Members of the Parliaments of Scotland and other places—that are being denied to us. Is this the first time that has been done?
Lord Ashton of Hyde
No, it is not the first time because this is the position that exists under the Data Protection Act 1998.
Lord Kennedy of Southwark
My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.
I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.
I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.
Lord Ashton of Hyde
“20A_ This condition is met if the processing—(a) consists of the publication of a judgment or other decision of a court, or(b) is necessary for the purposes of publishing such a judgment or decision.”
Lord Moynihan
“21(1) This condition is met if the processing is carried out—(a) in connection with measures designed to protect sport in the United Kingdom from athletes taking performance enhancing substances listed in the World Anti-Doping Code which are undertaken by UK Anti-Doping (UKAD) or any successor body mandated by the Secretary of State as a non-departmental public body responsible for such objectives, or(b) for the purposes of national governing bodies of sports, sports clubs, institutions of higher education, schools or managers of sporting events providing information about individual athletes who may be in receipt of performance enhancing substances to UKAD or its successor body.(2) The reference in sub-paragraph (1)(a) to measures designed to protect sport in the United Kingdom from athletes taking performance enhancing substances include measures designed to identify or prevent doping including, but not limited to, requesting information about the gender of the data subject if thought to be relevant to the use of banned performance enhancing substances.(3) For the purposes of this paragraph—(a) data controllers include, but are not limited to, the UK Anti-Doping Agency, medical practitioners recognised by the British Medical Association, national governing bodies of sport, sports clubs, higher education institutions, schools and managers of sporting events;(b) data processors include but are not limited to all sports bodies and individuals appointed by the controller; and(c) data subjects are athletes competing in national junior and senior teams aged 12 years and above.”
Lord Moynihan (Con)
My Lords, at Second Reading, the Government described the exemption of doping in sport as a flexibility permitted within the GDPR. This is welcome. My understanding is that anti-doping in sport comes under Part 2, relating to the permissibility of collecting personal data for reasons of public interest. Therefore, biometric data, for example, may be collected and processed to prevent doping without the explicit consent of the data subject—in this case the athlete. Member states are able to pass into their domestic legislation further restrictions on the processing of special categories of data. This is what the Government do under Part 4 of Schedule 1.
The relevant data controller—a role which currently is not clear in the Bill in the case of sport—will have to produce a document that explains how its procedures comply with article 5 of the GDPR and what its policies on retention and use of personal data within its control are. It will also be under an obligation to maintain a record of the processing it or its data processors have undertaken to comply with article 30 of the GDPR. With respect to this, the data controller has to show how they comply with article 6 of the GDPR and whether they have deleted or retained the data under their control. Sport would be wise to reflect that the Government have said that what is proposed is not an exemption to the Bill but flexibility permitted within the GDPR, which will require sporting bodies to exercise a number of important responsibilities, and that ignoring such responsibilities comes with significant sanctions, some criminal in nature. I would be grateful if the Minister could confirm that my understanding is correct on that subject.
From the perspective of the athletes, the fact that—across the party divide, I understand—we are supportive of this flexibility does not underestimate what we are asking for. The doping regime in sport requires the athlete to be totally responsible for what is in their body at all times. I know of few spheres of activity where the onus on an individual is so severe. Our athletes are guilty before being proven innocent. It is intrusive, to say the least, to have a regime whereby a young gymnast eating beef which may have been imported from a country where the farmer used steroids to fatten his cattle for market is immediately found guilty of a doping offence in this country. It is equally important to recognise that the “whereabouts test” required of all our leading professional and amateur athletes requires them to inform the doping authorities of where they are for a given period each and every day including their holidays, where in all other forms of employment this intrusive and onerous requirement goes beyond the freedom that an employee can legitimately expect, not least under European law, as well as the freedom to have their holidays uninterrupted on a daily basis by their employers.
I appreciate that these exemptions must respect the essence of fundamental rights and freedoms, and be a necessary and proportionate measure in a democratic society for the purposes of safeguarding the doping regime in British sport, necessary for reasons of public interest and providing for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. I would be grateful if the Minister could confirm that this is the case. This law, which enshrines in UK law a right to be forgotten and for an athlete not to provide a test sample, claiming protection under this Bill, would drive a coach and horses through the anti-doping regime that we have developed in this country under the aegis of UKAD, or UK Anti-Doping, if it was not treated with the flexibility permitted within the GDPR. Thus, I fully support the decision taken by the Government.
I am also in full support of the work of the governing bodies, UKAD and the world of sport in the fight against doping, which poses the greatest threat to clean sport in our generation, particularly since it was reported only two weeks ago by the World Anti-Doping Agency in publishing its 2016 anti-doping testing figures that the number of adverse analytical findings is increasing. We face a world where new technologies and pharmaceutical products, changes in doping patterns, gene editing and state-sponsored doping both within and beyond the borders of Russia are growing issues, providing not a diminishing but an increasing menace to clean sport.
The amendments that I have tabled are set against this background, probing in nature at this stage, and underline a number of important points which may require further consideration by the House. Currently, the relevant provision, paragraph 21 in Schedule 1, is broadly drawn and would lead to unintended consequences, for there is no definition of doping nor of sport, and the definition of the bodies to be covered by it is non-existent. This could become a lawyer’s paradise. If I and another noble Lord establish an organisation with the broad aims set out in paragraph 21, it seems to me that we would be deemed a “relevant body”. Indeed, there is no mention of the framework currently in place to eliminate doping—namely UKAD, the government-funded UK anti-doping body, which should be referenced in the legislation, providing it with the necessary powers. Looking further at the wording, I would like to ask the Minister whether he agrees with me that,
“doping … at a sporting event”,
covers spectators as well as competitors. If so, we need further work on the wording.
I have stated that I believe that UKAD should be named on the face of the Bill, since UKAD is the arm’s-length body, or ALB, accountable to Parliament through the Secretary of State at the DCMS and mandated to deliver the Government’s treaty commitments under the UNESCO International Convention against Doping in Sport to protect a culture of clean sport in the UK. This is achieved through the implementation and management of the UK’s national anti-doping policy, which requires funded sports bodies in the UK to comply with the World Anti-Doping Code.
Lord Hayward (Con)
Is there not always a risk in naming a specific body in any piece of legislation, because government have the habit, on occasion, of changing the name of a body and you then have to change the name on the primary legislation?
Lord Moynihan
I hear what my noble friend says. I recognise that the wording may need to recognise any successor body to UKAD, but the importance of putting UKAD in the legislation now arises from the fact that it is an arm’s-length body accountable to Parliament; that it is honour bound—and, indeed, legally bound, at the moment, through the Secretary of State—to deliver the requirements of the UNESCO International Convention against Doping in Sport; and it is the recognised and funded body in this country. It would be possible to add “and to any successor body” to my amendment.
Lord Maxton (Lab)
My Lords, how does the noble Lord define sport? That is a major question. For instance, in snooker, which I believe is defined as a sport, it is recognised that beta blockers are a banned substance whereas in other sports they would not necessarily be banned. Dancing is not defined as a sport although it demands very much more activity than either darts or snooker, which is a sport.
Lord Moynihan
The noble Lord raises an issue that could well keep the Committee late into the evening and indeed has taxed the minds of many individuals both inside and outside this Chamber. For example, if we consider sport to require physical activity and competition, gardening at the Chelsea Flower Show might well be covered by that broad definition. I hope that my noble friend in sport, and indeed the noble Lord, will forgive me if I do not pursue that path. However, I did say at the outset that there is an important issue here in that we need to define what the Government mean by sport in their amendment, because it is unclear to many people outside this Chamber—and oft debated—what exactly a sporting activity is.
I shall close by touching on the performance-enhancing substances listed in the World Anti-Doping Code and why I believe it is critical that we should cover those. I have reservations about exempting sports bodies from requiring sensitive personal data from athletes simply because they are deemed to be “contrary to the spirit of sport” or, while legal, “could cause harm to an athlete”. My objective has always been focused on tackling doping in sport and I believe that it may go too far to seek an exemption for these additional categories. However, I remain open to persuasion by the Minister on this issue and will listen carefully to both UKAD and to the UK governing bodies of sport if they feel otherwise. If so, in a future amendment we will need to be specific about exactly what we mean by the “spirit of sport” by defining it in primary legislation and being clear about who determines what does cause “harm to an athlete”, and why such protection from the GDPR rights is appropriate in that context.
On the final question of gender, this is a probing amendment since the current position in UK law is that competitive sports men and women who have undertaken a change in their gender are currently prohibited from participating in certain competitions under the Gender Recognition Act 2004. As a result, an athlete who changes their gender would be subject to the onerous sanctions in this Bill if in the process of any medical treatment to assist their change-in-gender process they used banned performance-enhancing substances. This is not unusual where testosterone is prescribed.
In conclusion, I hope that this is the beginning of a legislative path where those who knowingly cheat fellow athletes out of their careers, recognition, selection or financial gain by taking a cocktail of banned drugs are recognised for what they are doing—namely, committing fraud. We also believe that tailor-made legislation should be put in place to criminalise that activity, as it is in every other sphere of life. UK Anti-Doping has the national duty to ensure that all sports comply fully with anti-doping policies and procedures. Under its new chair, Trevor Pearce, its new director of communications, Emily Robinson, and its CEO, Nicole Sapstead, I believe that an effective team is now in place who recognise that a globally leading NADO has to be well resourced, truly independent of the governing bodies of sport and granted additional powers. My amendments to the Bill begin to provide it with the tools it needs and I believe that it is best positioned to lead the campaign. This legislation should make it unequivocally clear that that is the case because that is the best way of protecting the interests of athletes. I beg to move.
The Deputy Chairman of Committees (The Countess of Mar) (CB)
My Lords, if this amendment is agreed to, I cannot call Amendments 58 to 62 because of pre-emption.
Lord Clement-Jones
I must say how delighted I am that on this occasion we had the noble Lord advocating his own amendment. I was nearly in the hot seat last week, but we have just avoided it. I was delighted at his powerful advocacy because of course the noble Lord is extraordinarily well informed on all matters to do with sport, and this goes to the heart of sport in terms of preventing cheats who prevent the rest of us enjoying what should be clean sport, however that may be defined. All I have to do is pick out one or two of the elements of what the noble Lord said in my supportive comments.
There is the fact that neither “doping” nor “sport” is defined in the Bill, as the noble Lord pointed out. There is no definition of the bodies to be covered by paragraph 21, which is extremely important. He also made an extraordinarily important point about UKAD. Naming UKAD in the Bill, as the amendment seeks to do, would add to its authority and allow it to carry out all the various functions that he outlined in his speech. If it is necessary to add other bodies, as he suggested, that should of course be considered.
The noble Lord’s reference to performance-enhancing substances, which again are mentioned in the amendment and included in the World Anti-Doping Code, ties the Bill together with that code and was very important as well. Finally, the point that he made about gender and the substances used in connection with gender change was bang up to the minute. That, too, must be covered by provisions such as this. So if the Minister is not already discussing these issues with the noble Lord, Lord Moynihan, I very much hope that he is about to and will certainly do so before Report.
Lord Stevenson of Balmacara
My Lords, once again your Lordships’ House is very grateful to the noble Lord, Lord Moynihan, for raising this issue and, as the noble Lord, Lord Clement-Jones, said, for doing so in such a comprehensive way. It is in the context of the much wider range of issues that the noble Lord, Lord Moynihan, has been pursuing regarding how sport, gambling and fairness are issues that all need to be taken together. We have been supporting him on those issues, which need legislation behind them.
Noble Lords may not be aware that we have been slightly accused of taking our time over the Bill. I resist that entirely because we are doing exactly what we should be doing in your Lordships’ House: going through line-by-line scrutiny and making sure that the Bill is as good as it can be before it leaves this House. We saw the noble Lord, Lord Moynihan, at the very beginning of Committee and he then dashed off to Australia to do various things, no doubt not unrelated to sport. He has had time to come back and introduce these amendments—but, meanwhile, the noble Lord, Lord Clement-Jones, and I were debating who was going to pick the straw that would require us to introduce them. We were very lucky not to have to do so because they were introduced so well on this occasion.
Our amendment in this group is a probing amendment that picks up on some of the points already made. It raises the issue of why we are restricting this section of the Bill to “sport”—whatever that is. If we are concerned about performance enhancement, we have to look at other competitive arrangements where people gain an advantage because of a performance-enhancing activity such as taking drugs. For instance, in musical competitions, for which the prizes can be quite substantial, it is apparently possible to enhance one’s performance—perhaps in high trills on the violin or playing the piano more brilliantly—if you take performance-enhancing drugs. Is that not somehow seeking to subvert these arrangements? Since that is clearly not sport, is it not something that we ought to be thinking about having in the Bill as well? I say that because, although the narrow sections of the Bill that relate to sport are moving in the right direction, they do not go far enough. As a society, we are going to have to think more widely about this as we go forward.
Lord Maxton
I am slightly confused by what is a performance-enhancing drug. We have seen athletes and other sportsmen banned in this country for taking what I would call non-enhancing drugs: in other words, cannabis or whatever it might be. In that case they are not performance-enhancing drugs but the reverse of them—yet people can be banned even if taking them is deemed legal in the country where they do so. Even if it is legal to take cannabis, the drug can still be deemed a banned drug by the anti-drug authorities.
Lord Stevenson of Balmacara
My noble friend is quite right. He has obviously been careful to make sure that he has no personal experience of what he talks about and I would like to make it clear that I have none, either. But it is a very tricky area and we are wrong just to dance around it with the idea that we are somehow doing something important in relation to a particular aspect of drug enforcement.
To do this properly, we need a much clearer approach. I realise that I am in danger of rising above the detail here and going back to my high plain of intellectual approach to the Bill for which I have already been criticised—but I hope that when the Minister responds we can get somewhere on this. A meeting on the particular narrow points raised by the government amendment and by the noble Lord, Lord Moynihan, is required. It would be helpful to see the context in which this might operate. I would be happy to attend such a meeting should that be the case.
Baroness Chisholm of Owlpen (Con)
My Lords, I want to reiterate what my noble friend Lord Ashton said. I think we are learning a lot about philosophy from the noble Lord, Lord Stevenson, during the passage of the Bill. It is a welcome addition as far as I am concerned.
I shall start with brief reference to the government amendments in this group. These amendments, Amendments 58 to 60 and 62 and 63, make further related provision in respect of processing undertaken to ensure the integrity of sport. This is necessary because, unusually, integrity issues in sport often relate to sensitive data, the processing of which may otherwise be prohibited under article 9 of the GDPR. I am grateful to a number of stakeholders for their help in making sure that these amendments will achieve their intended effect.
I turn now to the amendments tabled by the noble Lord, Lord Moynihan, and the noble Lord, Lord Stevenson. Amendments 57 and 61 seek to amend the processing condition in paragraph 21 on anti-doping in sport. This condition was included in the Bill following extensive engagement with sports governing bodies and UK Anti-Doping, which together implement and manage anti-doping policy in the UK. They are also responsible for eliminating the scourge of doping in sport. The paragraph as included in the Bill permits the processing of sensitive data for these purposes. UKAD is of the view that the measure as drafted will enable it to continue to perform this important function.
Amendment 57, tabled by my noble friend Lord Moynihan, who has such great expertise in this area and has done so much over the years to try to combat doping in sport, seeks to narrow the doping provision so that it allows processing only where it relates to an athlete who may be in breach of UKAD’s rules. Amendment 61, tabled by the noble Lord, Lord Stevenson, instead seeks to limit the provision to rules set by a sports governing body with responsibility for a single sport. Neither position reflects the reality of split responsibility for anti-doping in UK sport today. Removing the reference to “sporting event” and “sport generally” may potentially exclude the anti-doping processing carried out by UKAD and by those bodies which set and enforce anti-doping rules in a particular sporting event rather than a particular sport, such as 6 Nations rugby, the IOC or the Commonwealth Games Federation. The Bill must not be limited to only the interventions of UKAD but must allow processing in those sports and sporting events which have their own anti-doping rules. The fact that those bodies are not governed entirely by UKAD’s rules makes their processing no less important. Equally, the provision must allow processing in relation to participants who are not themselves athletes. As noble Lords will understand, the sensitive data or criminal record of a coach or relative may be fundamental to anti-doping cases.
A narrowing of the scope of this paragraph could create loopholes for participants who cheat. For these reasons, I am confident that the original drafting suffices. Paragraph 21 of Schedule 1 was subject to significant engagement with sports governing bodies. Given that the Bill comes out of the government department that is also responsible for sport, we have been able to take extra care. The large number of relationships we have with this sector have been used to test the draft, and UKAD is content.
Several noble Lords mentioned various items which I will also refer to. My noble friend Lord Moynihan wanted me to confirm that athletes cannot rely on the right to be forgotten. That right is not unlimited, and if the personal data has been lawfully processed, and needed to be processed, then it would be there only if there was no overriding legitimate interest for the processing of that data. The controller would have to erase the personal data in these circumstances.
My noble friend also asked why we did not criminalise doping. None of those interviewed as part of the review were in favour of criminalising doping in sport. This was a unanimous view. For example, sports governing bodies expected that their internal investigations would be negatively affected by the criminalisation of doping in sport. It would remain quicker to deal with an instance using regulatory or disciplinary proceedings, which must be proved to the civil standard of the balance of probabilities rather than beyond reasonable doubt. Others noted that the current penalties were already sufficient to end a sporting career.
My noble friend also wanted to know whether doping at a sporting event covered spectators. This is a broad measure to cover processing in connection with measures designed to eliminate doping, for the purposes of providing information about doping or suspected doping. This could include processing of special categories, such as data relating to spectators or third parties providing information, but not only when necessary in connection with anti-doping measures.
The noble Lord, Lord Stevenson, brought up a good point, about why sport is unique when there are other areas that could also be included in this. Particular provision for sport is needed because sports bodies are an unusual type of regulator, where the regulation they carry out is capable of meeting a substantial public interest test yet they cannot rely on paragraph 9—there is no statutory recognition of their function nor is it beyond argument that enforcement of their rules benefits all members of the public, as opposed to the protection of their participants. Reliance on paragraph 9 for this processing would be too narrow, but important to remedy given the amount of sensitive data that might be processed by sports bodies in pursuit of their integrity functions. This is not something that we are aware would apply to other types of regulators.
I will move the government amendments for the reasons I have set out, and will of course be happy to meet noble Lords if they wish to discuss this point further.
Lord Moynihan
First, I thank the noble Lords, Lord Stevenson and Lord Clement-Jones, for offering to stand in for me at the last Committee sitting. I was in my place for the first sitting, when we were expecting to reach this amendment, but regrettably had to travel to Australia on two occasions in the last month, only returning about four and a half hours ago. I apologise if I was not as lucid as I would like to have been, and I am very grateful to them for offering to assist if I had been absent again.
I will respond very briefly to a number of points raised. In response to the noble Lord, Lord Maxton, I took into consideration the question of what is a performance-enhancing drug and have suggested, in my amendment, that it should be a drug listed under the WADA—World Anti-Doping Agency—code as a performance-enhancing drug and part of the World Anti-Doping Code. I know this is a contentious issue and that there is an issue about what should or should not be in that code. Indeed, I have many reservations about a number of the drugs in it, which I do not see as performance enhancing, but it is the best international definition at the moment for sport and is used by the International Olympic Committee.
Lord Maxton
As a result of the answer given to me by my noble friend, I have looked this up. It says:
“Use of recreational or social drugs is banned in sport”,
even though they may be,
“detrimental to sporting performance and result in a positive test result weeks later”.
It is not just drugs that enhance performance that are banned but those which do not enhance performance.
Lord Moynihan
I have a great deal of sympathy with and support for the noble Lord, Lord Maxton. I said towards the end of my comments that I have reservations about the Bill applying to categories such as “the spirit of sport”—that is a direct quote—and where there may be harm to an athlete from a drug. I am focused on performance-enhancing drugs, which is why I wrote that into the amendment.
Secondly, I have to say to my noble friend—I may well be wrong, and she has had the advantage of being in the United Kingdom over the past three or four days and may well have spoken to UKAD during that time—that my clear understanding is that UKAD would like to go further than what is in the Bill drafted by the Government. If I am wrong, I will be pleased to reflect on what she has said, but I suggest that it would be worth while, given that my understanding differs from hers, that we have a meeting and encourage UKAD to be present, because my clear understanding is that it would like to go further and have the powers to which I referred in the Bill.
Finally, I turn to the somewhat surprising comment that my noble friend made about spectators at a sporting event being covered. Surely when we are looking at doping in sport it is not intended to cover spectators or anybody at a sporting event. The police, St John Ambulance, stewards—where does the catch-all end? My concern derives from that reflection: this is too general. If we are to be really effective in tackling and eliminating doping in sport, let us at least make sure that the legislation that we enact through due process in both Houses is as accurate and comprehensive as possible. In that context, I echo the comments made by both the noble Lord, Lord Clement-Jones, and the noble Lord, Lord Stevenson.
With the expectation of a further meeting and returning to this at a later stage, I beg leave to withdraw the amendment.
“21A(1) This condition is met if the processing— (a) is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and(c) is necessary for reasons of substantial public interest.(2) In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—(a) dishonesty, malpractice or other seriously improper conduct, or(b) failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.”
Data Protection Bill [HL]
Monday 13th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Clement-Jones
Lord Clement-Jones (LD)
My Lords, this amendment arises from concerns about the narrowness of the derogations based on article 89 of the GDPR for research statistics and archiving expressed by a number of organisations, notably techUK. The argument is that there should be a derogation similar to Section 33 of the Data Protection Act 1998. That Act makes provision for exemptions for research and development where suitable safeguards are in place. The GDPR limits this to scientific and historical research, but member states are able to legislate for additional exemptions where safeguards are in place.
The organisation techUK and others believe that the Bill’s provision for scientific and historical research should be broadened, involving the same provisions as Section 33 of the Data Protection Act 1998, and that the definition of scientific and historical research needs clarification. For example, it is not clear whether it would include computer science engineering research. I very much hope that the Minister will be able to clarify that. I recognise that the amendment leads the line in this group but may not be followed in exactly the same way. I beg to move.
Lord Pannick (CB)
My Lords, I shall speak to Amendment 86BA, in my name. It concerns the application of data protection principles in the context of the law of trusts. The law has long recognised that a trustee is not obliged to disclose to a beneficiary the trustee’s confidential reasons for exercising or not exercising a discretionary power. This is known as the Londonderry principle, named after a case decided by the Court of Appeal, reported in 1965, Chancery Division, page 9.1.8. The rationale of this principle was helpfully summarised by Mr Justice Briggs—recently elevated to the Supreme Court—in the case of Breakspear v Ackland, 2009, Chancery, page 32, at paragraph 54.
The principle is that the exercise by trustees of their discretionary powers is confidential. It is in the interests of the beneficiaries, because it enables the trustees to make discreet but thorough inquiries as to the competing claims for consideration for benefit. Mr Justice Briggs added that such confidentiality also advances the proper interests of the administration of trusts, because it reduces the scope for litigation about how trustees have exercised their discretion, and encourages suitable people to accept office as trustees, undeterred by a concern that their discretionary deliberations might be challenged by disappointed or hostile beneficiaries and that they will be subject to litigation in the courts.
There is, of course, a public interest here, which is protected by the inherent jurisdiction of the court to supervise and, where appropriate, intervene in the administration of trusts, as the noble and learned Lord, Lord Walker of Gestingthorpe, stated for the Judicial Committee of the Privy Council in Schmidt v Rosewood Trust Ltd, 2003, 2 AC 709.
The problem is that, as presently drafted, the Bill would confer a right on beneficiaries to see information about themselves unless a specific exemption is included. A recent Court of Appeal judgment in Dawson-Damer v Taylor Wessing, 2017, EWCA Civ 74, drew attention to the general applicability of data protection law in this context unless a specific exemption is enacted.
My understanding, which is indirect—I declare an interest as a barrister, but this is not an area in which I normally practise—is that in other jurisdictions such as Jersey, the data protection legislation contains a statutory restriction on the rights of a data subject to make a subject access request where that would intrude on the trustees’ confidentiality under the Londonderry principle. Indeed, I am told that those who practise in this area are very concerned that offshore trustees and offshore professionals who provide trust services are already actively encouraging the transfer of trust business away from this jurisdiction because of the data protection rights which apply here, and which will apply under the Bill.
The irony is that the data protection law is driving trust business towards less transparent offshore jurisdictions and away from the better regulated English trust management businesses. I have received persuasive representations on this subject from the Trust Law Committee, a group of leading academics and practitioners, and I acknowledge the considerable assistance I have received on this matter from Simon Taube QC and James MacDougald.
This is plainly a very technical matter, but it is one of real public interest. I hope that the Minister will be able to consider this issue favourably before Report.
Lord Hope of Craighead (CB)
My Lords, I want to add a word in support of the points made by the noble Lord, Lord Pannick, particularly with reference to the concerns that some people have expressed about money being moved out of the very closely and properly regulated regime of English trust law to offshore organisations and jurisdictions which are less careful about how people’s money is handled.
I should declare an interest as Chief Justice of the Abu Dhabi Global Market Courts. I am not suggesting that this has anything to do with Abu Dhabi, but it has introduced me to an aspect of trust law with which I was not previously familiar, and it bears closely on the point made by the noble Lord, Lord Pannick. He referred to Jersey as one of the jurisdictions of concern. One aspect of its legislation which has come to my attention through my connection with Abu Dhabi is the Foundations (Jersey) Law 2009. This is a structure set up by statute under Jersey law which is matched with an equivalent statute in Guernsey. It creates a form of trust which is, as it were, a hybrid between a trust and a corporation with a number of aspects that are described very well in Sections 25 and 26 of the Jersey law.
One of the points about the foundation, which appears in Section 25, is that a,
“beneficiary under a foundation … has no interest in the foundation’s assets; and … is not owed by the foundation or by a person appointed under the regulations of the foundation a duty that is or is analogous to a fiduciary duty”.
So the beneficiary under that system is rather different from a beneficiary under our system, where undoubtedly they have an interest in the foundation’s assets. But also to the point is Section 26, which provides that foundations are,
“not obliged to provide information”.
That has its counterpart in the point made about the Data Protection Act in that jurisdiction. It says that except,
“as specifically required by or under this Law or by the charter or regulations of the foundation, a foundation is not required to provide any person … with any information about the foundation”.
It goes on to say in subsection (2) that the,
“information mentioned in paragraph (1) includes, in particular, information about … the administration of the foundation … the manner in which its assets are being administered … its assets; and … the way in which it is carrying out its objects”.
I do not wish in any way to criticise how the foundation laws are run in Guernsey or Jersey, but it is a pattern which, if repeated in less scrupulous jurisdictions, has obvious attractions. People move into a foundation and nobody knows what part of the foundation money they own, because they are not supposed to own any part of it, and the foundation is not obliged to disclose any information at all. There is a risk that those who are keen, for whatever reason—it could even be for matrimonial reasons—to conceal their assets could move them offshore from a trust such as we have in this country, closely regulated and subject to the ordinary rules, to one of these other bodies, which we would not wish to encourage. One has only to look at the Criminal Finances Act 2017 and some of the clauses in the Sanctions and Anti-Money Laundering Bill that is before the House to see that we are taking a completely opposite line to the foundations laws, because we are insisting that we should be provided with information about what organisations of this kind hold and, indeed, who holds what assets. We have not got as far as actually requiring trusts to do that but, certainly, anyone who puts his money into a company, in an attempt to conceal his assets within the company, will be forced eventually to have that information disclosed.
I add these points to suggest that the point that the noble Lord, Lord Pannick, made has a great deal of substance, which one can trace through the foundations law. I stress again that I am not criticising how this is administered in Jersey or Guernsey—that is not really the point. The point is that those who would wish to copy their systems are subject to less close scrutiny. I also emphasise that I am not suggesting that we in this country would want to adopt a foundations law; that would really be quite contrary to how our current legislation is proceeding. So there is an important issue here about protecting ourselves—and those who set up trusts here and administer them properly according to our rules and conventions—against a loss of business, which would be detrimental not only to those who run the businesses but to the whole ethic by which we practise our trust law.
I hope that the Minister and those advising him will look carefully at the Jersey and Guernsey examples, with a view not to criticism but to sensing the risk to which the noble Lord, Lord Pannick, drew our attention.
Baroness Hamwee (LD)
My Lords, Amendments 80A and 83A are in the names of the noble Baroness, Lady Neville-Rolfe, and the noble Lord, Lord Arbuthnot, and come from the Bar Council. In their unavoidable absence, I have again been asked to speak to the amendments. The Government have amendments also to paragraph 5 of Part 1 of Schedule 2—and no doubt we will be asked to agree them shortly. These amendments deal with other aspects of that paragraph and relate to legal professional privilege. The paragraph, as amended, refers to the disclosure of data but disclosure is only one of the acts of processing. The Bar Council is concerned that we need to deal with processing more widely so as not to disrupt the activities of the court and to protect privilege, which is something we have debated on many occasions and which we all agree is not only important but a fundamental right for persons and organisations.
Lord Griffiths of Burry Port (Lab)
My Lords, we have amendments in this group. Amendment 79A concerns exemptions from GDPR and adaptations and restrictions based on various articles. As we begin to tighten up our understanding and clarify the range of application of these exemptions as the Bill goes through this House, we have talked to Liberty about the rights of individuals under this part of the Bill. Amendment 79A seeks to remove the exemption from data subjects’ right to restrict the processing of their data—for example, in cases where data accuracy is contested, the processing is unlawful or the data is required for the exercise of a legal claim in relation to a variety of broad purposes including the prevention and detection of crime, tax purposes, risk assessment systems, including in the administering of housing benefit, and the maintenance of effective immigration control.
Amendment 79B is a similar and parallel amendment to remove the exemption from data subjects’ right to object to data processing where there is an absence of compelling legitimate grounds, again in relation to the same range of activities and purposes. Amendment 83B is a probing amendment by which we seek to delete a paragraph which outlines where the GDPR does not apply to personal data processed for the purposes of functions designed to protect the public. Instanced against this are, for example,
“financial loss due to dishonesty … financial loss due to the conduct of discharged or undischarged bankrupts”,
and so on.
A set of amendments then come under Part 3 of this schedule on the protection of the rights of others. Amendment 86A deletes conditions under which a controller can determine whether it is reasonable to disclose information without consent. Amendment 86B probes provisions which state that information can be disclosed without consent where,
“the health data test is met … the social work data test is met, or … the education data test”.
When we get into some of these it seems, frankly, that they are rather loosely drafted and not immediately clear. Perhaps we could work harder to bring these things to a pitch where they are common sense and clear to normally intelligent people—although after the presentation from the noble Lord, Lord Pannick, I do not reach that bar; I am doing my best. Amendment 86C deletes the paragraph which outlines conditions by which the GDPR does not apply,
“to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person”.
Even reading the wording of an amendment which we have put some thought into is complicated, and these amendments refer to clauses in the Bill that are even more complicated. Since these affect the rights of individuals, the law should be written with some clarity and lucidity to make it more accessible.
Amendment 86D deletes a paragraph which states that the GDPR provisions do not apply where data is processed for,
“management forecasting or management planning in relation to a business or other activity”.
I have to spit the word “data” out of my mouth when it is used with a singular verb. All my education taught me that it should not be.
Baroness Hamwee
My Lords, if the noble Lord scours the GDPR, he may find that the term “data” is used with a plural verb. I wondered whether to put down amendments to that, but I thought that that was pushing it a bit far.
Lord Lucas
My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, as a non-lawyer, I am delighted to find myself in the same company as the noble and learned Lord, Lord Hope of Craighead, as this has also introduced me to an area of trust law which I am not familiar with. I thank noble Lords for their amendments, which concern the exemptions from data rights in the GDPR that the Bill creates. Two weeks ago we debated amendments that sought to create an absolute right to data protection. Today we will further debate why, in some circumstances, it is essential to place limitations on those rights.
The exemptions from data rights in the GDPR are found in Schedules 2 to 4 to the Bill. Part 6 of Schedule 2 deals with exemptions for scientific or historical research and archiving. Without these exemptions, scientific research which involves working on large datasets would be crippled by the administration of dealing with requests from individuals for their data and the need to give notice and service other data rights. This data provides the fuel for scientific breakthroughs, which the noble Lord, Lord Patel, and others have told us so much about in recent debates.
Amendment 79 seeks to remove “scientific or historical” processing from the signposting provision in Clause 14. Article 89 of the GDPR is clear that we may derogate only in relation to specifically historical or scientific research. We believe that Clause 14 needs to correctly describe the available exemption, although I reassure noble Lords that, as we have discussed previously, these terms are to be interpreted broadly, as outlined in the recitals.
Part 1 of Schedule 2 deals with exemptions relating to crime, tax and immigration. For example, where the tax authorities assess whether tax has been correctly paid or criminally evaded, that assessment must not be undermined by individuals accessing the data being processed by the authority. Amendments 79A and 79B, spoken to by the noble Lord, Lord Griffiths of Burry Port, would limit the available exemptions by removing from the list of GDPR rights that can be disapplied the right to restrict processing and the right to object to processing. In my example, persons subject to a tax investigation would be able to restrict and object to the processing by a tax authority. Clearly that is not desirable.
Amendments 80A and 83A seek to widen the exemption in paragraph 5(3) of Schedule 2 which exempts data controllers from complying with certain data rights where that data is to be disclosed for the purposes of legal proceedings. Without this provision, which mirrors the 1998 Act, individuals may be able to unfairly disrupt legal proceedings by blocking the processing of data. We are aware that the Bar Council has suggested that the exemption be widened as the amendments propose. This would enable data controllers to be wholly exempt from the relevant data rights. We believe that this is too wide and that the exemption should apply only where the data is, or will be, subject to a disclosure exercise, which is a process managed through court procedure rules. At paragraph 17 of Schedule 2, the Bill makes separate provision for exemptions to protect legal professional privilege. We think that the Bill continues to strike the right balance between the rights of data subjects and controllers processing personal data for the purposes of exercising their legal rights.
Amendment 83B seeks to remove paragraph 7 of Schedule 2 from the Bill. This paragraph sets out the conditions for restricting data subjects’ rights in respect of personal data processed for the purposes of protecting the public. Those carrying out functions to protect the public would include bodies and watchdogs concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, securing the health and safety of persons at work and protecting charities and fair competition in business. Paragraph 7, which is based on the current Section 31 of the 1998 Act, ensures that important investigations can continue without interference. Without this paragraph, persons would have to be given notice that they were being investigated and, on receipt of notice, they could require their data to be deleted, frustrating the investigation.
Paragraph 14 of Schedule 2 allows a data controller to refuse to disclose information to the data subject where doing so would involve disclosing information relating to a third party. Amendment 86A would remove the circumstances set out in sub-paragraph (3) to which a data controller must have regard when determining whether it is reasonable to disclose information relating to a third party without their consent. These considerations mirror those in the 1998 Act and we think that they remain important matters to be considered when determining reasonableness. They also allow for any duty of confidentiality to be respected.
Paragraph 15 of Schedule 2 ensures that an individual’s health, education or social work records cannot be withheld simply because they make reference to the health, education and social work professionals who contributed to them. Amendment 86B would allow a controller to refuse to disclose an individual’s health records to that individual on the grounds that they would identify the relevant health professionals who authored them. We believe that individuals should be able to access their health records in these circumstances.
Lord Clement-Jones
My Lords, I thank the Minister for that tour de force. This group is an extraordinary collection of different aspects such as research trusts and professional privilege. He even shed light on some opaque amendments to opaque parts of the Bill in dealing with Amendments 86A, 86B and 86C. The noble Lord, Lord Griffiths, was manful in his description of what his amendments were designed to do. I lost the plot fairly early on.
I thank the Minister particularly for his approach to the research aspect. However, we are back again to the recitals. I would be grateful if he could give us chapter and verse on which recitals he is relying on. He said that without the provisions of the Bill that we find unsatisfactory, research would be crippled. There is a view that he is relying on some fair stretching of the correct interpretation of the words “scientific” and “historical”, especially if it is to cover the kinds of things that the noble Lord, Lord Lucas, has been talking about. Many others are concerned about other forms of research, such as cyber research. There are so many other aspects. TechUK does not take up cudgels unless it is convinced that there is an underlying problem. This brings us back, again, to the question of recitals not being part of the Bill—
Lord Lucas
I support the noble Lord on this. Coming back to his earlier example, if you were told a sandwich was solely made of vegetable, the Minister is saying that that means it has not got much meat in it. This is Brussels language. I do not think it is the way in which our courts will interpret these words when we have sole control of them. If, as I am delighted to learn, we are going to implement our 2017 manifesto in its better bits, including Brexit, this is something we will have to face up to. This appears to be another occasion where “scientific” does not bear the weight the Bill is trying to put on it. It is not scientific research which is happening with the NPD. It is research, but it is not scientific.
Lord Clement-Jones
I agree with that. Again we are relying on the interpretation in whichever recital the Minister has in his briefing. It would be useful to have a letter from him on that score and a description of how it is going to be binding. How is that interpretation which he is praying in aid in the recitals going to be binding in future on our courts? The recitals are not part of the Bill. We probably talked about this on the first day.
Lord Ashton of Hyde
This was included in the letter I was sent today. I am afraid the noble Lord has not got it. The noble Lord, Lord Kennedy, helpfully withdrew his amendment before I was able to say anything the other night but the EU withdrawal Bill will convert the full text of direct EU instruments into UK law. This includes recitals, which will retain their status as an interpretive aid.
Lord Clement-Jones
My Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.
I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.
Lord Stevenson of Balmacara (Lab)
Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.
Lord Ashton of Hyde
We are not transposing the GDPR. It takes direct effect on 25 May.
Lord Stevenson of Balmacara
I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.
Lord Clement-Jones
My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.
Lord Ashton of Hyde
They will be part of UK law, because the withdrawal Bill will convert the full text into UK law. There will of course be a difference between the recitals and the articles; it will be like a statutory instrument, where the Explanatory Memorandum is part of the text of the instrument.
Lord Pannick
May I add to this fascinating debate? Does this not illustrate one of the problems of the withdrawal Bill—that in many areas, of which this is one, there will be two potentially conflicting sources of English law? There will be this Act, on data protection, and the direct implementation through the EU withdrawal Bill on the same subject. The two may conflict because this Act will not contain the recitals.
Lord Clement-Jones
My Lords, all I can say is that I do not know how the legal profession will cope in the circumstances.
Lord Ashton of Hyde
One thing we can all be certain of is that the legal profession will cope.
Lord Clement-Jones
Lord Clement-Jones
The Minister will be delighted to hear that I will speak only briefly to this amendment, because I do not want to steal my noble friend Lady Hamwee’s thunder. This amendment would remove exemption to data subjects’ rights where personal data is being processed for the maintenance of effective immigration control or for the investigation or detection of activities that would undermine it. The amendment would remove paragraph 4 of Schedule 2 in its entirety. There is no attempt to define this new objective; nowhere in the Bill or its Explanatory Notes are notions of effective immigration control, or the activities requiring its maintenance, defined.
The immigration exemption is new in the Bill; there was no direct equivalent under the Data Protection Act 1998. This is the broad and wide-ranging exemption that is open to abuse. The exemption should be removed altogether, as there are other exemptions in the Bill that the immigration authorities can, and should, seek to rely on for the processing of personal data in accordance with their statutory duties and functions. The current provision, under the heading “Immigration”, removes all rights from a data subject that the Home Office wishes it did not have. Such removals are not restricted to those who have been found guilty of immigration offences, but apply to every data subject, including Home Office clerical errors. It is exactly those errors that data protection regulates.
In particular, there is a concern that the application of the effective immigration control exemption will become an administrative device to disadvantage data subjects using the immigration appeals process. Since the exemption has nothing to do with crime, national security, public safety or the protection of sources, such a prospect appears a distinct possibility without a rational explanation. The immigration authorities should be able to justify the inclusion of this exemption on the basis of hard evidence. The Home Office should be able to provide examples of subject access requests where personal data were released to the detriment of the public interest.
This is not the first time the Government have attempted to limit data protection rights on immigration control grounds. Clause 28 of the Data Protection Bill 1983 had an identical aim, setting out broad exemptions to data subject rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,
“a palpable fraud upon the public if … allowed to become law”,
because it allowed data acquired for one purpose to be processed for another. In the House of Lords, my late and much-missed noble friend Lord Avebury mounted a robust and ultimately successful opposition to Clause 28 in 1983. He raised concerns almost synonymous with those we raise today. His objections and those of several Members of the House have the same resonance now as they did then. I beg to move.
Baroness Hamwee
My Lords, the Committee may realise that there are sometimes occasions when none of us quite prepare for amendments and others where more than one of us does, but, as my noble friend knows, I rarely pass over an opportunity to say how offensive the phrase “hostile environment” is. Data protection should be a force for good in dealing with the way our society is going.
My noble friend has reminded the Committee of the provisions of paragraph 4. Over the last few years the state has extended the mechanisms for immigration control very significantly to letting of property, employment, bank accounts, driving and so on. We may be told that the various departments have memoranda of understanding between themselves with the Home Office to deal with all this, but that is an inadequate way of dealing with them. I do not think I will be the only one in the Chamber to think that. Home Office errors are reported embarrassingly frequently. The exemption covers so many rights: rights held by data subjects to access rectification and erasure, and the right to know who is processing data and why, including when data is obtained from a third party.
Liberty, with its usual energy, has provided us with 13 pages of briefing on this amendment. I do not propose to read them all to the Committee. No doubt the Government have read them and are prepared to respond, but I reserve the right to do so on Report if necessary. It reminds us of the work, if we needed reminding, of Lord Avebury, who said that the equivalent, very similar provision with which he was dealing was,
“in danger of being oppressive, deeply worrying to the immigrant community living among us, and one which is in grave danger of infringing the provisions”—[Official Report, 21/7/1983; cols. 1274-75]—
of the European Convention on Human Rights. The Minister will be relieved that I have not yet succeeded in emulating my late, much-missed noble friend to the extent I would like—I never will, but I will continue to try. His words are even more pertinent now, extending beyond the immigrant community to families and employers, to give two examples.
Like my noble friend, I would be interested to know examples and justifications for how the exemption might be applied. Presumably it would facilitate sharing between public services used by an individual, government departments and the Home Office to check the individual’s entitlement. The Government have said that they want to make the immigration system as “digital, flexible and frictionless” as possible. Initially that seems admirable, until one delves into issues such as this. Liberty asks whether the provision extends to activities such as running a night shelter or a food bank, which might well benefit undocumented migrants. Providing shelter and providing food could be construed as activities which undermine “effective immigration control”—to quote the Bill. Would a school have to provide a person’s address without their knowledge and without their even having committed an immigration offence? Underlying all this, what effect could such a provision have on migrants’ willingness to engage with public services?
Other noble Lords will probably have received a briefing from the Migrants’ Rights Network. It is about a legal challenge which it is starting against the NHS’s data sharing, but it is relevant here. The director of Migrants’ Rights Network said:
“We are gravely concerned that immigration enforcement is creeping into our public services, especially the NHS. And therefore, it is important to challenge this data-sharing agreement which violates patient confidentiality, and discriminates against those who are non-British”.
The lawyer acting for Migrants’ Rights Network says in the press release what I have heard from many workers in the field: that the data-sharing arrangement,
“is leaving migrants too scared to access healthcare services they are entitled to, for fear their address and other public information may be passed onto the Home Office. This could have a particularly negative effect on children, pregnant women, people with disabilities and victims of trafficking and abuse”.
It could have a severe effect on public health as well—we will debate all this when we deal with NHS charges in the regret Motion on Thursday.
The data subject will not know that data are transferred to the Home Office for immigration control purposes. The exemption seems to apply to immigrants and those connected with them, and those suspected of having an immigration offence in contemplation, thus turning them into an inferior class of citizen. It allows, or perhaps requires, data controllers, including the Home Office and its various arms, processing information for immigration purposes to ignore the principles on which the use of data is founded under the GDPR and the Bill and protection is applied.
I think that your Lordships might gather that we are very unhappy with this provision. It needs more justification than I think is capable of being provided, although we will of course wait and see.
Baroness Jones of Moulsecoomb (GP)
My Lords, the Minister, who is not in his place at the moment, said earlier that he could not understand what I meant by repressive measures, but paragraph 4 of the schedule is exactly what I meant and it is why this amendment would remove it.
The inclusion of an immigration control exemption in the Bill is a brazen violation of the data protection and privacy rights of migrants—both documented and undocumented—and of their families and communities in the name of immigration control. In effect, it removes all the Home Office’s data protection obligations as they relate to its activities to control immigration, as well as those of any other agency processing personal data for the same purpose or sharing data with another agency processing it for that purpose.
As the noble Baroness, Lady Hamwee, mentioned, it is not the first time that the Government have tried to limit data protection rights on immigration control grounds. In 1983, Clause 28 of the then Data Protection Bill had an identical aim, setting out broad exemptions to data subjects’ rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,
“a palpable fraud upon the public if … allowed to become law”,
because it allowed data acquired for one purpose to be processed for another; and here is another power grab by this Government.
Clause 28 was rightly removed from the 1983 Bill, but today we see it resurrected with even more breadth and even less definition of its objectives. No attempt whatever has been made to define the new objective: nowhere in the Bill or its Explanatory Notes are the notions of effective immigration control or the activities requiring its maintenance defined. I simply do not understand the colossal cheek this Government have to put something such as this into a Bill and then present it in this House—I can understand it going through the other place but certainly not here. It is virtually impossible to come up with an exhaustive list of all the activities that might be included under this, or of individuals who might be affected. The potential list, as, again, the noble Baroness, Lady Hamwee, pointed out, could go far beyond the immigrants themselves and could apply to almost anybody, including some in your Lordships’ House—at least, I hope that some in your Lordships’ House might be involved in shelters and food banks.
I urge the Government to think again. This is probably one of the really nasty bits that the Government have an option to take out, so I hope that they will listen to us.
Lord Lucas
My Lords, I thoroughly support this amendment. I really hope that the Home Office has noticed that the Bill is starting in this House and that therefore this is a paragraph we can kill—and should, as we did in 1983. If the Home Office needs something more, it should make a case for it and we should listen, but to have a blanket provision such as this is very destructive of data collection as a whole. To take again the example of the NPD, the fact that data is passed from the NPD to the Home Office has made the bits of data that are being passed totally corrupt: one can no longer rely on that data because so many schools, not unnaturally, are unwilling to shop their parents and drop their parents into what can be extremely difficult circumstances. You destroy the purpose of the data that you pollute in this way; you make it unreliable. I suspect that you also undermine the research exemption: if data is actually being collected to give to the Home Office, how can you claim that it is for research? You start to undermine the Bill in all sorts of insidious ways by having such a broad and unjustified paragraph— unjustified in the sense that no one has made a justification for it. I really hope that the Home Office will think again.
Lord Kennedy of Southwark (Lab (Co-op))
My Lords, first, I welcome the noble Baroness, Lady Williams of Trafford, back to the Committee. Every time I get to the Bill I speak either to her or to the noble Lord, Lord Bourne of Aberystwyth, so I am glad we are back again in Committee.
Amendment 80, moved by the noble Lord, Lord Clement-Jones, would delete paragraph 4 from Part 1 of Schedule 2 to the Bill, as we have heard. I have added my name to the amendment, as have the noble Lord, Lord Paddick, and the noble Baroness, Lady Jones of Moulsecoomb. The amendment deletes the whole paragraph which exempts personal data from the GDPR provisions as they relate, first, to the maintenance of effective immigration control and, secondly, to the investigation or detection of activities that would undermine the maintenance of effective immigration control. I want to be very clear that the intention of this amendment is to enable the Government to explain to us why they think the paragraph is necessary. As we have heard, it is very wide ranging and has been rejected in the past, so I hope the Minister can explain why it is so important that this paragraph gets through in the Bill. The noble Lord, Lord Clement-Jones, raised important points about the broad potential risks to data subjects’ rights, as did the noble Baroness, Lady Hamwee, and my noble friend Lady Jones of Moulsecoomb.
I certainly want an effective immigration service and policy, along with proper immigration controls. Having said that, I am not happy with many aspects of the policies being pursued by the Government with respect to immigration. They are ones that I do not support and they have damaged our reputation as a generous country that has been respected around the world. Unfortunately, that is not the only area where the Government have damaged our reputation. I should like the noble Baroness to explain very carefully why she believes that there is a need for this provision and where it differs from what is already in force. As we have heard, under other provisions the Government have what they need in terms of ensuring that these matters are dealt with properly. The exemptions certainly appear to be wide ranging and I want to be convinced that they are absolutely necessary. As I said, there are provisions in other Acts that the Government can rely on. At this stage, I await the response of the noble Baroness.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.
The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.
It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.
Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,
“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,
“the maintenance of effective immigration control”.
The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.
To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.
It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.
First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.
Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,
“an important objective of general public interest”.
As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.
I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.
Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.
Baroness Hamwee
My Lords, there is a lot that demands careful reading and careful thought. I have three questions which I can raise now. First, in the examples which the Minister gave it struck us on these Benches that she was talking about things which are, in fact, criminal offences being dealt with under Part 3, which is the law enforcement part of the Bill.
Secondly, how is all this applied in practice? How does the controller know about the purposes? I am finding it quite difficult to envisage how this might work in real life. Thirdly, the Minister referred to the lawfulness of processing. I wonder whether this is not circular because paragraph 4, in disapplying listed provisions—by the way, I think those listed provisions include many which are very important indeed—makes it lawful, so I have a bit of a problem around that. Of course, I and others will carefully read what the Minister said, but I am sure we will want to return to this at the next stage.
Lord Lucas
My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.
Baroness Williams of Trafford
I thank my noble friend for that. In the meantime, I think my words should be reread, particularly my point about it not being a wholesale carve-out but quite a narrow exemption. I will write to noble Lords. I thought I might home in on one question that the noble Baroness, Lady Hamwee, asked about relying on this in the investigation, detection and prevention of crime. Of course, that is not always the correct and proportionate response to persons who are in the UK without lawful authority and may not be the correct remedy. I will write to noble Lords, and I hope that the noble Lord will feel happy to withdraw the amendment.
Lord Clement-Jones
My Lords, I thank the Minister. For a Home Office Minister she has a wonderful ability to create a sense of reassurance, which is quite dangerous. I am afraid that for all her well-chosen words, these Benches are not convinced. In particular, I noticed that she started off by saying, “This is only a very limited measure; it does not set aside everything”. But paragraph 1 sets aside nine particular aspects, all of which are pretty important. This provision is not a pussycat; it is very important.
I thank all those who spoke, including the noble Baroness, Lady Jones, and the noble Lord, Lord Lucas. I thought the support from the noble Lord, Lord Kennedy, for this amendment—I called him the right name this time—was rather more equivocal, and I hope he has not been persuaded by the noble Baroness’s siren song this evening. This is a classic example of the Home Office dusting off and taking off the shelf a provision which it has been dying to put on the statute book for years. The other rather telling point is that the noble Baroness said there is express provision for such derogation in the GDPR. But that is no reason to adopt it—just because it is possible, it is not necessarily desirable. But no, they say, let us adopt a nice derogation of this kind when it is actually not necessary.
As my noble friend pointed out, the Minister has not actually adduced any example which was not covered by existing exemptions, for instance, criminal offences. We will read with great care what the Minister has said, but I do not think that the “Why now?” question has really been answered this evening. In the meantime, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
“( ) is necessary for the purpose of obtaining legal advice, or( ) is otherwise necessary for the purposes of”
Lord Ashton of Hyde
“1A. The function is designed to protect members of the public against—(a)dishonesty, malpractice or other seriously improper conduct by persons who carry on any activity that brings them into contact with members of the public, or (b)the unfitness or incompetence of persons who carry on any activity that brings them into contact with members of the public. | The function is of a public nature, or is exercised in the public interest.” |
“A1. The Commissioner | By or under— (a) the data protection legislation; (b) the Freedom of Information Act 2000; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426); (d) the Environmental Information Regulations 2004 (S.I. 2004/3391); (e) the INSPIRE Regulations 2009 (S.I. 2009/3157); (f) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC; (g) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415); (h) the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696). |
A2. The Pensions Ombudsman. | By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland. |
A3. The Board of the Pension Protection Fund. | By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
A4. The Ombudsman for the Board of the Pension Protection Fund. | By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland. |
A5. The Pensions Regulator. | By or under any enactment.” |
Lord Ashton of Hyde
“( ) the placement (or prospective placement) of the data subject as a volunteer,”
Lord Black of Brentwood
Lord Black of Brentwood (Con)
My Lords, I will be as brief as I possibly can in moving this amendment and speaking to the group, which relates to paragraph 24 of Schedule 2 to the Bill, in Part 5, and the exemptions for journalistic, academic, literary and artistic purposes. I declare my interest as director of the Telegraph Media Group and draw attention to my other media interests. However, I underline that these amendments are not simply of importance to what we used to call the print media, but have the support of a range of broadcast and online media organisations as well as the Media Lawyers Association, the News Media Association and the Society of Editors, as the Bill has a very wide impact on them all.
In Committee last week, the Government reiterated their strong commitment to the,
“operation of a free press”,
as a,
“fundamental principle of any liberal democracy”,
in relation to this Bill and journalistic exemptions.
My noble friend the Minister also sought to make it clear that the Bill seeks to preserve the important “balance” between privacy and free speech found in the 1998 Act, the operation of which has been so successful, as well as ensuring that the journalists remain, in his words,
“exempt from compliance with certain data protection requirements where to do so would undermine the operation of a free press”.—[Official Report, 6/11/17; col. 1675.]
These amendments seek to build on those commitments by proposing some ways in which journalistic safeguards can be made clearer and strengthened further. Some of them seek to ensure consistency in application of the journalistic exemption between the 1998 Act and the Bill; some would extend journalistic exemption, but always subject to the Bill’s conditions, to match new requirements of the GDPR which would otherwise threaten freedom of expression and journalism; and some are intended to avert potential exploitation of the new regime, especially where legal action—often on spurious grounds—can bypass the freedom of expression protections crafted so carefully by those in this House under the Defamation Act 2013, a point I highlighted at Second Reading.
The amendments are intended to safeguard investigative journalism, publication and archives, both domestic and international, for all news media, print and online. In particular, they would prevent the Information Commissioner becoming a statutory regulator of the media, with dangerous and unprecedented prepublication powers. Where the accuracy of what has been published is challenged, they would adopt the approach of defamation law, rather than undermining it. I hope that my noble friend will give serious consideration to the issues and suggested amendments.
I turn briefly to the operation of the amendments. Amendments 87ZA, 174A and 174B would mean that the Bill no longer stipulated processing “only” for the special purposes. This is because article 5 of the GDPR, which mandates exemptions for the purposes of journalism and for academic, literary and artistic purposes, does not require that processing take place “only” for those purposes to benefit from the exemptions. If there is ancillary processing, the exemption should not be vulnerable to any claim that it might be lost.
For example, the media should not be penalised under data protection law in this way if, say, the police sought the pre-broadcast disclosure of journalistic material in relation to an undercover investigation because they wanted to see whether the alleged wrongdoing uncovered by the broadcaster’s investigation merited further police investigation. Furthermore, if broadcast media fund their activities through regulator-approved activities such as Ofcom’s product placement, this should not prevent them benefiting from the exemption.
Amendments 87AA, 87AB and 87AC would amend Schedule 2, part 5 and paragraph 24(2)(a), as the current wording of the Bill arguably represents a narrowing of the application of the exemptions from those in the Data Protection Act 1998, which apply to,
“processing … undertaken with a view to publication by any person of any journalistic, literary or artistic material”.
The amendments would ensure that both the specific personal data and the related material which forms part of the background research are protected.
Amendment 87CA, adding a new subsection to paragraph 24(2), is another aimed at consistency in the transition to the new Act, in this case relating to how to judge where the application of the GDPR principles is incompatible with the special purposes, including journalism—hence the all-important circumstances where the media can rely on the exemption. This amendment would bring the Bill in line with non-binding guidance from the Information Commissioner, which already recognises that media organisations can form the reasonable belief that compliance would be incompatible with the special purposes where it would be, “impractical or inappropriate”.
Amendments 87DA and 87DB to paragraph 24(3) are intended to ensure proper safeguards for journalism and freedom of expression. The provision currently fails to reflect that the exemption applies where the data controller reasonably believes that publication would be in the public interest. In addition, the provision refers to what the controller “must take into account”—quite properly, the special importance of freedom of expression. However, it should also be made clear that the public interest in freedom of expression and information itself, in the widest sense—from the trivial to the most serious—must be taken into account by the Information Commissioner and the courts, again to maintain consistency of approach with the 1998 Act.
Amendments 89C to 89F and 91B address the need for further exemptions, as permitted by GDPR article 85. This is because the GDPR provisions could otherwise have serious, albeit unintended, consequences for all the media. These are additions to the list under Schedule 2, part 5 and paragraph 24(8).
Amendments 89C and 91B are perhaps more procedural and technical in nature. I will come to those but, first, Amendments 89D 89E and 89F raise serious issues concerning the maintenance of integrity of investigations, publications and archives.
Amendment 89D to Schedule 2, Part 5, paragraph 24 (8)(b), would provide a vital exemption from article 36—the requirement for prior consultation set out in chapter IV of the GDPR. Without such an exemption, there would be an obligation to consult the ICO up to 14 weeks or more in advance, where a “data protection impact assessment” indicates that the proposed processing would result in high risk to data subjects in the absence of measures to mitigate that risk. Put simply, this could be a huge risk to investigative journalism, particularly by broadcasters. It could impact their public interest undercover investigations and use of covert filming techniques, such as when investigating allegations of abuse against vulnerable residents at a care home or conditions at a detention centre.
The existing regulatory codes already require them to believe use of such methods to be necessary in the public interest. It is a dangerous departure of principle from the protections in the Data Protection Act 1998 against pre-publication interference, and is at odds with the fundamental traditions of UK journalism and legal safeguards for freedom of expression. It is wholly inappropriate to require the broadcasters or other media to consult the ICO and seek approval prior to investigations requiring use of secret filming techniques and similar emerging technology, such as drone use or wearable technology. Article 36 could stifle investigative journalism and add yet another unprecedented pre-publication power to the Information Commissioner’s potential armoury of statutory pre-publication tools. That is why the amendment states that there must be an exemption from the article 36 prior consultation requirements, provided that the media can satisfy the exemption conditions set out in the relevant provisions in this part of the Bill.
Amendments 89E and 89F have been tabled to put beyond doubt the public interest protections for journalistic activity and publication across borders and media archives through the freedom of expression exemptions mandated by Article 85. Amendment 89E to paragraph 24(8)(b) in Schedule 2 would add a journalistic exemption consistent with satisfaction of the conditions in paragraph 24 of Schedule 2 from the requirements of chapter V of the GDPR concerning transfer of personal data to third countries outside the European Economic Area or international organisations. Third country transfers, of course, include online publication itself. This exemption would enable international publication by UK online publishers, be they the BBC, the Guardian or any other UK news brand sought out by international audiences. The journalistic exemption is also needed to allow collaborative investigative journalism, swiftly sharing data across borders where appropriate, such as with the Panama papers or, as we have seen just recently with the Paradise papers. The journalistic exemption is also required for communications between the media and their foreign correspondents wherever they might be situated outside the EEA.
Amendment 89F would provide the explicit safeguard for news media archives which is currently lacking from the Bill. This would ensure that media archives, whose role and importance the noble Viscount, Lord Colville, described so well at Second Reading, constitute archiving in the public interest and receive the protection of the exemptions. This would be in line with recital 153 of the GDPR, which provides that the protection to be afforded to freedom of expression and information should apply,
“in particular to the processing of personal data in the audio visual field and in news archives and press libraries”.
There are two procedural but none the less important amendments completing this group. Amendment 89C to paragraph 24(8)(b) would add an exemption to article 19 of the GDPR, which requires data controllers to inform the data subject about the recipients of personal data subject to rectification or erasure, if requested by the data subject. While exemptions might apply, the media do broadcast and publish corrections and take other measures. It would be entirely inappropriate to say that article 19 might require the provision of information about individual “publishees” and could be in breach of such individuals’ freedom of expression and data protection rights, as well as in breach of privacy notices.
Finally, Amendment 91B is a measure to mirror the improvements made to defamation law and to protect against the undermining of their freedom of expression safeguards, by attempted exploitation of the data protection laws instead. This, as legal expects among you—I am not one—will instantly recognise is akin to the introduction of a rebuttable single publication rule and a limitation period of one year subject to further amendment to the Limitation Act 1980. Any complaint concerning accuracy of material processed for journalistic, academic, literary and artistic purposes can and should be brought promptly. Some complainants already attempt to abuse data protection law by bringing complaints many years after material is first published, when it will be more difficult for the media, as data controller or processor, to substantiate the accuracy of the publication and the veracity of the complaint. To maintain consistency with the defences under the Defamation Act 2013, this amendment proposes that a limitation period be introduced to prevent complaints about accuracy being brought outside a period of one year after the date of first publication. If adopted, the Limitation Act 1980 should be accordingly amended. This time limit would then apply to both ICO enforcement action and legal claims. Such measures are needed to protect against libel claims being dressed up as data protection actions, to the detriment of freedom of expression and information.
Lord McNally (LD)
My Lords, when the famous French long-serving Foreign Minister Talleyrand died and the news was taken to his long-term rival Prince Metternich of Austria, Metternich looked at the telegram and said, “What does he mean by this?”. Some of my friends have a similar reaction to any amendments that carry the name of the noble Lord, Lord Black, but I am not among them. I think that we share a common belief in a free and a vigorous and independent press. He knows that when at Second Reading he referred to the Defamation Act 2013, my ears pricked up, because it is one of the things that I am most proud of from my time as a Minister. With my noble friend Lord Lester as my mentor, we piloted that Bill into legislation. I am certainly very interested in any amendment that would prevent this Bill becoming a backdoor to getting around the protections that the Defamation Act gave to free comment and academic freedom to have peer comment, and so on. The Act has worked—we are no longer considered the libel capital of the world—and there is a great deal more freedom in the academic world for peer comments and criticisms, without the threat of libel actions, which had a chilling effect.
The problem is that this is an alphabet soup of amendments, which the noble Lord, Lord Black, has put forward with great clarity, so we will be able to study what exactly he wants to do and how he wants to do it. I am interested in a number of things; I am interested in the idea, which he quite rightly pointed out, of investigative journalists having to give prior notice of what they are doing, which seems rather counterintuitive to the idea of investigative journalism. I have certainly received that point of view from the BBC and other forms of journal about the effect of that proposal. The noble Lord, Lord Black, is quite right. We have seen only recently the Paradise papers as another example of investigative journalism exposing things that people would rather keep quiet, which is massively in the public interest. He also referred to the number of exposés of care homes, prisons and young offender institutions, all of which are massively in the public interest. It would be wrong to allow the Bill to bring into law provisions that would chill, prevent or curb the great traditions of a free and vigorous press. In the spirit of Committee stage, I would like to look carefully at what the amendments of the noble Lord, Lord Black, seek to do. As he knows, after Second Reading I offered to collaborate with him on amendments but that would probably have been too great a shock to both our constitutions. However, I would certainly be interested to see where we can work together on the broad aim of ensuring that the Bill contains no accidental curbs on the activities of a vigorous and free press and media.
As I have said before, the noble Lord, Lord Black, and his friends would be in a stronger position if the background to this was not one of previous criminality and invasion of the privacy of people who had every right to see their privacy protected. Therefore, there is bound to be a certain scepticism about whether these proposals give overgenerous access to overbroad exemptions. But let us have a look at them and at some of the issues that have been raised in other quarters—as I say, by the BBC and journals that are not members of IPSO that have expressed the concerns raised by the noble Lord, Lord Black. Following that and what the Minister is about to tell us, we can then make judgments about how we shall approach these issues on Report.
Lord Stevenson of Balmacara
My Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
Baroness Chisholm of Owlpen (Con)
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
Lord Black of Brentwood
I am grateful to my noble friend for those words and to all noble Lords who have taken part in this short debate at this late hour. Apart from anything else, it has given me an opportunity to say words which I never thought I would hear myself say: I agree with virtually everything that the noble Lord, Lord McNally, said this evening.
Lord Black of Brentwood
I am particularly pleased that the noble Lord mentioned Prince Metternich, who of course was no great fan of liberal democracy. I understand that he once said that the best way to protect the freedom of the press was for nothing whatever to be published over the course of the next five years. That may indeed be the case.
I say to the noble Lord, Lord Stevenson, that in Committee last week we talked about a very different set of amendments from the one that I am proposing this evening. Those amendments were about press regulation. I argued then, and I argue now, that that should not have anything to do with this Bill. My amendments this evening do not undermine what I believe to be a very good balance, and I absolutely stick by my words; they merely provide clarification in some important areas.
I think I sense from the Committee that it would be useful to look in more detail at what I have proposed. I would be happy to talk about it further with noble Lords and to take up my noble friend’s offer to continue constructive dialogue. With that, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
Data Protection Bill [HL]
Wednesday 15th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Lord Kennedy of Southwark
Lord Kennedy of Southwark (Lab Co-op)
My Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.
Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.
I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?
Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.
On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.
With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.
Baroness Chisholm of Owlpen (Con)
My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.
The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.
Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.
Lord Kennedy of Southwark
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for that full response to this group of amendments. As I said, they were only probing amendments to get the response that we have received from the Minister this afternoon, just so that we could see what is behind the Government’s proposals. I accept that in large part they are carried forward from existing legislation and I am therefore happy to withdraw my amendment.
“(ea) the Sheriff Court Adoption Rules 2009;”
“(ea) the Sheriff Court Adoption Rules 2009;”
“(b) an Academy school;(c) an alternative provision Academy;(d) an independent school that is not an Academy school or an alternative provision Academy;(e) a non-maintained special school.”
“(ii) an Academy school,(iii) an alternative provision Academy,(iv) an independent school that is not an Academy school or an alternative provision Academy, or(v) a non-maintained special school,”
“independent school” has the meaning given by section 463 of the Education Act 1996;“local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);“non-maintained special school” has the meaning given by section 337A of that Act;“proprietor” has the meaning given by section 579(1) of that Act.”
“(ea) the Sheriff Court Adoption Rules 2009;”
“( ) Regulations made under this section may not amend, repeal or revoke the GDPR after the United Kingdom leaves the EU.”
Lord Stevenson of Balmacara (Lab)
I am delighted to move Amendment 108A, which is an extremely important amendment. No, it is not—Amendment 108B is. If noble Lords want to know, this has not been a good day so far. I attended a wonderful memorial service for Lord Joffe, at which many noble Lords were present, and which was a moving and grand experience—so moving that I left the church without my bag, which contained all my possessions: my keys, wallet and everything else. I then spent most of the time until about five minutes ago worrying about that and not concentrating as I should have done on the important business of the House. This has a happy ending. Somebody found the bag, did not hand it in, took it home, thought it belonged to the other Lord Stevenson, the noble Lord, Lord Stevenson of Coddenham, spent four hours trying to find him, and eventually decided that it belonged not to him but to me. I now have my bag back and I feel much better.
Lord Stevenson of Balmacara
I thank your Lordships.
Amendment 108B would prevent regulations under this section being used to amend, repeal or revoke the GDPR after Brexit. This may seem a rather tough charge to lay at the Government’s door. However, concerns about adequacy after Brexit will be so important that it may be in the Government’s best interest to ensure that the Bill contains no hint that the GDPR after Brexit, which will be the responsibility of this Parliament and this Parliament alone, could be amended simply by secondary legislation. If the Government follow this argument they will see that it has a symmetry behind it that encourages the approach taken here, in that when we are a third party and need to rely on an adequacy agreement the GDPR will be seen to be especially ring-fenced.
I will also speak to the other amendments in this group, two of which come from recommendations on delegated legislation made by your Lordships’ House. Amendment 110B is about replacing the current requirement for a negative procedure with a requirement for an affirmative one. In order to explain that, it is probably best if I quote from the report itself. The DPRRC took the view that the framework for the transfer of personal data to third countries should be provided on a test greater than just simply the negative procedure. This is a major issue. One possible example is if the Government were to use the argument that it was in the public interest to transfer bulk personal data held by a UK government department to the agencies of a foreign power—a remote possibility, I know. That would be of interest to the House and probably would need to be debated. The recommendation is that a change should be made from a negative to an affirmative procedure, and that is what this amendment seeks to do.
In a similar vein, the proposal to delete Clause 21 comes from the DPRRC report. The report says that the committee was,
“puzzled by the inclusion of … a suite of delegated powers … to provide by regulations for various exemptions and derogations from the obligations and rights contained in the GDPR which, as noted above, may … be exercised in respect of ‘the applied GDPR’. The memorandum fails to explain why those powers are considered inadequate, or why the Government might need to have recourse to the distinct powers in section 2(2) of the 1972 Act—which allows Ministers to make regulations”,
around EU obligations. The point is that there will be a period after Royal Assent to the Bill and when the country leaves—if it does—the EU in which it is possible that the Government will wish to make regulations. The committee assumes that this clause has been included just in case the Government decide that these powers are required. But the committee goes on to say:
“We consider it unsatisfactory that the Government should seek to take this widely drafted power without explaining properly what it might be used for”.
I therefore call on the Government to do so if it is appropriate at this time.
The final two amendments in the group, Amendments 180A and 180B, play to the same issue: that the powers, however they are finally settled, will still be wide ranging and grant the Government of the day a considerable amount of power to introduce rules by secondary legislation. In a sense, that is inevitable given the way that things are going, and we are not attacking the main principle. The question is around what safeguards would be appropriate. On these powers we think it would be appropriate for the Government to consult not only the commissioner, for which there is a provision, but the data subjects affected by the regulations. This is not a power that is currently there and we recommend that the Government consider it. I beg to move.
Lord Arbuthnot of Edrom (Con)
My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,
“amend, repeal or revoke the GDPR”.
I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.
I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.
I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.
Lord Paddick (LD)
My Lords, I will briefly comment on Amendment 108B. Taking up the position of the noble Lord, Lord Arbuthnot of Edrom, is it not the case that if we leave the European Union, the GDPR will then become, by means of the repeal Bill, part of UK law and therefore could be changed, which is why the amendment makes sense?
However, while I agree with the argument of the noble Lord, Lord Stevenson of Balmacara, that if parts of the GDPR were amended, repealed or revoked after we have left the EU, this may affect the adequacy decision of the European Union. Presumably, if the European Union makes changes to the GDPR it would be advantageous for the Government to be able to respond quickly by means of secondary legislation to those changes to ensure that we can continue to have adequacy—that is, when the change is on the EU side rather than on the UK side. Perhaps the Minister will clarify that.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am thrilled that the day of the noble Lord, Lord Stevenson, has got better, and I hope that at the end of my speech it will get better still. Things are definitely looking up for the noble Lord, I hope.
I will be reasonably brief on this because we have debated other delegated powers before and much of what my noble friend Lady Chisholm said on day two of Committee holds here.
On Amendment 108B, I agree with much of what my noble friend Lord Arbuthnot said. I shall answer the noble Lord, Lord Paddick, in a different way which will address his point. The amendment would prevent the Secretary of State using the delegated power contained in Clause 15 to,
“amend, repeal or revoke the GDPR”.
I am happy to reassure the noble Lord not only that the Government do not intend to use the power in Clause 15 to amend, repeal or revoke the GDPR but that they actively cannot. As the opening line of Clause 15 describes, the power contained in it permits the Secretary of State only to,
“make provision altering the application of the GDPR”.
The noble Lord’s amendment is therefore unnecessary.
Clause 17(1)(a) would allow the Secretary of State to specify in regulations circumstances in which a transfer of personal data to a third country is necessary for an important reason of public interest not already recognised in law. Public interest is one of a number legal bases on which a controller can rely when justifying such a transfer. This is very much a backstop power. In many cases, reasons of public interest will already be recognised in law, so the power is likely to be needed only when there is a pressing need to recognise a particular but novel reason for transferring personal data as being one of public interest. We are wary of any change such as that proposed in Amendment 110B, which may hamper its exercise in emergency situations such as financial crises.
Amendment 180B seeks to amend Part 7 of the Bill to ensure that the power contained in Clause 21 cannot be exercised without consulting the Information Commissioner. The clause is a backstop power which allows the Secretary of State to amend Part 2 of Chapter 3 of the Bill—that is, the applied GDPR and associated provisions—to mirror changes made using Section 2(2) of the European Communities Act 1972 in relation to the GDPR. As I am sure we are all aware, a Bill is being considered in another place that would repeal the European Communities Act, so this power is already specific and time-limited. We are not sure what consulting the Information Commissioner before exercising it would add. However, these points notwithstanding, we are happy to consider the role of Clause 21 and Amendments 110B and 180B in the context of the Government’s response to the Delegated Powers and Regulatory Reform Committee’s recent report on the Bill.
The Government have previously committed to considering amendments substantively similar to Amendment 180A and I am happy to consider that amendment as well. However, I echo what my noble friend Lady Chisholm said about the importance of the law being able to keep up with a fast-moving field.
With those reassurances, I hope the noble Lord will feel able to withdraw the amendment.
Lord Stevenson of Balmacara
It certainly is turning out to be my day. I am grateful to the Minister for his comments. We are perhaps anticipating a further debate that we may have to have on the basis of what the Government intend to take back to the DPRRC, but it is good to have a sense of where the thinking is going, which I am sure we will look at in a sympathetic light. Where he ended up will be an appropriate way of progressing on this point.
On the Minister’s first point in relation to Clause 15, I hesitate to ask because I know he is already burdened, but it would be helpful if he can write to me about subsection (1) because our reading of the line:
“The following powers to make provision altering the application of the GDPR”,
could not, according to what he has said, change the GDPR itself, only the way that it is applied. We may be talking only about nuances of language. Interpretations from the far north, where the noble Lord resides, down to the metropolitan south may well not survive the discussion, so I would be grateful to have something in writing. With that, I beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, we turn to Schedule 5, which deals with an issue covered in the Data Protection Act 1998 and comes forward again in this Bill. It relates to how the accreditation of certification providers is carried out in practice and, for a primary piece of legislation, goes into rather a lot of detail about the way reviews are carried out and appeals are heard. These are probing amendments to try to put on the record some of the issues.
Amendments 108C and 110A would ensure that documentation submitted by the applicant must be relevant to the matter to be considered by the commissioner. This is quite a widely drafted power and it would be otiose if the applicant raises issues that are not narrowly to the point.
Amendment 108D is a probing amendment into the grounds on which an applicant can bring an appeal. At the moment, all the applicant appears to have to show is that they are “dissatisfied”, which seems a rather broad way of opening up a discussion on an important issue. The word “dissatisfied” does not sound as though it will restrict the ability of people to put in submissions on this point.
Amendment 108E deals with the timing. There is a two-stage review process, each stage lasting 28 days, so it is odd that we have different timings. I would be grateful for a comment on that. I do not think there is a particular issue; perhaps the problem is the way it is expressed.
Amendment 108F deals with the very wide powers specified for the grounds to appeal against those appointed members of an appeal panel. Again, I do not see anything wrong with that, but it would be helpful to know the Government’s thinking on why the grounds are so wide: someone can simply put in an appeal and it must be heard. That would probably be rather open-ended, but it may be that there is a history of this and issues that we are not aware of.
Finally, on Amendment 110A, the arrangements for the appeal panel hearings also seem heavily specified. I wonder whether there may be a case for a slightly lighter touch and leaving it more open to the ACAS body, if that is the one concerned, to carry them through.
There are no particular issues here and we are not looking for major changes, but I would be grateful for a response. I beg to move.
The Deputy Chairman of Committees (Lord Brougham and Vaux) (Con)
If Amendment 108F is agreed to, I cannot call Amendment 109 due to pre-emption.
Baroness Chisholm of Owlpen
My Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
Lord Stevenson of Balmacara
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
Baroness Chisholm of Owlpen
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
Lord Stevenson of Balmacara
I thank the Minister for that response. I am sure that the narrow point about the regulations can be dealt with by correspondence, so I will not press it today. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
“(2) But sub-paragraph (1) does not have effect—(a) in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);(b) in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.”
Lord Ashton of Hyde
Lord Stevenson of Balmacara
My Lords, in moving Amendment 113A I will speak to Amendments 114A, 118A, 119A and 121A. Schedule 6 changes references to “the Union” to “the United Kingdom” and deals with the transposition between the GDPR and the applied GDPR as and when we move beyond Brexit.
The paragraphs to which these amendments relate may be a bit confusing unless we understand the timescale under which they operate. We think that the GDPR, as originally drafted, aims to say that there should be a free flow of information between member states, creating a single market for data flows across the whole of the EU, applied irrespective of the concerns of the various national regimes. Once we leave the EU it hardly seems necessary to have such a provision because it would seem to imply we need to provide powers for data to flow within the United Kingdom. Therefore, the heart of the amendment and of part of this group is the suggestion that this is otiose. Will the Government explain what they are trying to do if it is not about the flow of data within the United Kingdom? If it is, it surely is not needed because we should not have that situation arising.
The concern is not really about whether the Bill refers to Union or domestic law, but which space we are talking about. Are we talking about the United Kingdom or parts of the United Kingdom? Will different rules apply in Jersey, Guernsey and the Isle of Man? These are all the issues that regularly come up about the United Kingdom. By focusing too narrowly on this we raise a danger that we might be overcomplicating what should be a relatively straightforward issue. I beg to move.
Lord Ashton of Hyde
My Lords, it is a great pleasure to speak on these amendments, which cover the applied GDPR. Before I address them directly, it is worth recalling that the purpose of the applied GDPR is to extend GDPR standards to those additional areas of processing that are outside the scope of EU law and not covered separately in Parts 3 and 4 of the Bill. The benefit of taking this approach is that it avoids relevant controllers and processors needing to adapt their systems to two different sets of standards, or even needing to know which set of standards they should be applying. However, if the need for such analysis arises, it is crucial that the data subjects and controllers and processors are clear about their respective rights and obligations.
In such circumstances, reference to text that contains concepts that have no meaning or practical application for processing out of scope of EU law will result in confusion and uncertainty. So, while the intention of the applied GDPR is to align as closely as possible with the GDPR, Schedule 6 adapts the GDPR’s wording where necessary so that it is clear and meaningful. It is important to remember that the GDPR does not apply to such processing, so the creation of equivalent standards under UK law is a voluntary measure we are making in the Bill.
In particular, paragraph 4 of Schedule 6—the subject of Amendment 113A—replaces references to such terms as “the Union” and “member state” with reference to the UK. This simply clarifies that, unlike the GDPR itself, the applied GDPR is a UK-only document and should be read in that context. References to “the Union” et cetera are at best confusing and at worst create uncertainty for the small number of controllers whose processing is captured by the applied GDPR. Paragraph 4 provides important legal clarity to them and, of course, to the Information Commissioner. The United Kingdom in this context refers to England, Wales, Scotland and Northern Ireland only, in accordance with Clause 193.
Paragraph 8, the subject of Amendment 114A, limits the territorial application of the applied GDPR so that it is consistent with that for Parts 3 and 4 of the Bill, as set out in Clause 186, without the EU-wide, and indeed extraterritorial, application of the GDPR itself. As we have touched on in a previous debate, the applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.
Article 9.2(j) of the GDPR provides for a derogation for processing of special categories of personal data for archiving and research purposes, and references the need to comply with the safeguards set out in Article 89 when conducting such processing. The Bill makes full use of this derogation, so paragraph 12(f) of Schedule 6, the subject of Amendment 118A, tidies up the drafting of Article 9.2(j) for the purposes of the applied GDPR so that, rather than setting out the need for derogation, it refers directly to the relevant provisions in the Bill.
Paragraph 27, the subject of Amendment 119A, removes certain requirements on the Information Commissioner relating to data protection impact assessments on the grounds that those provisions exist mainly or wholly to assist the European Data Protection Board in ensuring consistent application among member states. There is clearly no need for such consistency in respect of the applied GDPR—a document which exists only in UK law—and the Information Commissioner will in any case undertake very comparable activities in respect of the GDPR itself. Paragraph 46(d), the subject of Amendment 121A, simply makes further provision to the same end, both specifically in relation to data protection impact assessments and more broadly. I hope that, with those reassurances, the noble Lord will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.
On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.
Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.
On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.
Lord Ashton of Hyde
I think it would be sensible to reply in writing, just because I want to get it right. It would be more useful for noble Lords to get a letter.
Lord Stevenson of Balmacara
I thank the Minister for that offer, I look forward to a letter and I beg leave to withdraw the amendment.
Lord Ashton of Hyde
114: Page 157, line 28, at end insert— “(including paragraph 3(1)”
Lord Ashton of Hyde
“(ii) for “Article 51” substitute “Article 51 of the GDPR”;”
“(28) “domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2017 Act.””
Lord Ashton of Hyde
“(d) in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.”
Lord Ashton of Hyde
“(ba) in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;”
“(za) in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “under Part 5 or 6 of Schedule 2 to the 2017 Act or under regulations made under section 15 of that Act”;”
“(ii) for “that Member State” substitute “the United Kingdom”;”
Lord Kennedy of Southwark
Lord Kennedy of Southwark
Amendment 124A, in my name and that of my noble friend Lord Stevenson of Balmacara, would amend Clause 24, which concerns national security and defence exemptions. Comparing the Bill to the 1998 Act, it appears to us that what is proposed is of a much wider scope. I would like to hear a justification from the noble Baroness, Lady Williams of Trafford, as to why we need this wider definition. If it is the noble Baroness’s contention that this is not the case, will she tell the Committee why the Government have not merely taken the words directly from the 1998 Act?
Amendment 124N does the same thing in respect of Clause 26. Amendments 124K and 148J are the same and seek to put into the Bill matters raised by the Constitution Committee. These amendments require the Secretary of State to,
“specify in regulations the grounds of appeal for proceedings under subsection (3)”.
This seems to me perfectly reasonable, giving much-needed clarity, so I hope that the noble Baroness can accept my amendments in this regard, or at least agree to reflect on them before Report. I feel that the clause as presently worded is too vague, and that cannot be a good thing when dealing with these serious matters. The amendments also require that these regulations be subject to scrutiny by both Houses of Parliament through the affirmative resolution procedure, which is an important further layer of parliamentary scrutiny.
The final amendment in my name in this group is another probing amendment. It would delete the measures which limit the power of the Information Commissioner to satisfy themselves that the obligations under Part 4 are being observed. In addition, there are amendments in the group in the names of the noble Baroness, Lady Hamwee, and the noble Lords, Lord Clement-Jones and Lord Paddick. I look forward to them explaining those further to the Committee during the debate. I beg to move.
Baroness Hamwee (LD)
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
Baroness Hamwee
My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.
I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.
Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.
Lord Kennedy of Southwark
My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.
I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.
Baroness Hamwee
Baroness Hamwee
I shall speak to Amendment 124Q and to a number of amendments in this group. I start with a general point. The number of amendments that we have tabled to Part 3 in particular, but also to Part 4, might suggest considerable opposition to the Bill, but I reassure the Committee that that is not the case. We are on a probing mission generally. We have some serious objections but, in general, we support where the Bill is going.
The probing in many cases is because of the language used. It is about the different uses of language in EU and UK legislation, and how language is used when something is transposed, to use the term non-technically, into UK law. There are different traditions; laws develop in different ways. I might sum it up by saying that it is a matter of style, but the style may have an impact on the meaning. That is why we are using the fact that the Bill has started in this House, where we have a tradition of reading every word and questioning every other word, to get on the record some of the things that we have identified as being helped by explanation.
This group is about definitions. Amendment 124Q would limit “competent authorities”, as they are defined and listed, to the extent of their law enforcement functions. I mentioned just now staff who work at the Ministry of Defence but do not have jobs that come remotely close, in themselves, to defending the country, although they support those who do. It occurred to me that police forces similarly, even if it is above that kind of administrative level, deal with more than law enforcement, if there are still enough coppers around. Prevention work in schools is one example. Then there is dealing with internal human rights—I beg noble Lords’ pardon, I mean human resources—records. I use the acronym HR too often.
The parties to a collaboration agreement are not necessarily policing bodies or even public sector bodies, which fall within these provisions. Criticising my own amendment, I wondered if it would be confusing to have different regimes applying to different activities—the law enforcement ones on one hand and the others on the other—but there are similar distinctions elsewhere in the Bill.
Lord Kennedy of Southwark
My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.
Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.
I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.
I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.
Lord Young of Cookham (Con)
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
Baroness Hamwee
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Lord Young of Cookham
Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.
Baroness Hamwee
I am grateful for that. I beg leave to withdraw the amendment.
Lord Young of Cookham
“3_ Any Northern Ireland department.”
“3A_ The Welsh Ministers.”
Lord Young of Cookham
“20A_ The Welsh Revenue Authority.20B_ Revenue Scotland.”
“25A_ The Competition and Markets Authority.25B_ The Gas and Electricity Markets Authority.25C_ The Food Standards Agency.25D_ Food Standards Scotland.25E_ Her Majesty’s Land Registry.”
Baroness Hamwee
Baroness Hamwee
My Lords, this group of amendments is about data protection principles. Our Amendments 129G and 129H would add transparency to the requirements of lawfulness and fairness for processing. Here, the directive is again being reflected, but why, since transparency is a requirement in the case of the intelligence services? I confess that I found this counterintuitive. I might have expected the services to have an argument against transparency because of the very nature of what they do, but not so law enforcement—at least, not so much.
Amendment 129J enables me to ask, as I did at Second Reading, why some activities are “strictly necessary” and others merely “necessary”. This arises in several places and this is the first example, although for good measure my Amendment 133ZJ seeks to add “strictly” to another of these—I am not sure that it was my best choice, but there you go. The point is that “strictly” calls into question just how necessary something that does not attract the term is. This may be an example of adopting language used in other legislation and directives without it having been considered in the context of UK legislation.
The Minister used the example of our seeking in the first group of amendments on these parts to change a term used in current legislation. I take that point, because it opens up a question as to whether there is any distinction. The point I am making about terminology is not a million miles away from that.
Amendment 130A concerns the scope for the Secretary of State to amend Schedule 8 by regulations. That schedule sets out the conditions for “sensitive processing”—in other words, when that processing is permitted. Should the Secretary of State be able to add circumstances when it is permitted, or to vary the schedule, omitting items from the schedule by regulations would fulfil the objective of protecting the data subject. That is very different from “adding” or “varying”.
Amendment 133ZB deals with another instance of different legislative styles. In Clause 34(1), the law enforcement purpose must be “legitimate”—an interesting term when applied to law enforcement. I suggest as an alternative “authorised by law”, a term used later in the clause, in order to probe this. In not very technical language “legitimate” suggests something wider than legal. It has elements of logic and justification and might import the notion of balance. The term comes from not only the GDPR but the 1995 directive—so there is a history to this—and there are many examples of the accepted meaning of “legitimate” in EU law. However, I am concerned about how we interpret the term and apply it in the UK. Looking to the future, what will happen when we are cut adrift from the European Court of Justice? Presumably we will have to rely on the development of case law in the UK and the different UK jurisdictions. It is worth thinking about how this may be dealt with as we go forward.
On Amendment 133ZD, under Clause 36(3) a clear distinction needs to be made “where relevant”—the amendment would delete this—as far as possible between data relating to different categories of data subject. I do not see what “where relevant” means in this context. It begs the question of whether or not something is relevant and whether the provision is applicable.
Amendment 133ZE applies to Clause 36(4), which deals what must be done—or, rather, not done—with inaccurate, incomplete or out-of-date data, which must not be “transmitted or made available”. That is the phrase used and my amendment probes the question of why the term “disclosed” is not used. There is a definition of “processing” in Clause 2, which includes,
“disclosure by transmission, dissemination or otherwise making available”.
In other words, “disclosed” would cover everything.
Amendment 133ZK relates to Clause 40, which deals with the controller having an appropriate policy document. Under that clause, the controller must make the document available to the Information Commissioner. Is it not a public document? Should it not be published? The amendment proposes that it should be. I beg to move.
Lord Stevenson of Balmacara
My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation —affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
Baroness Williams of Trafford
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
Lord Stevenson of Balmacara
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
Baroness Williams of Trafford
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Baroness Williams of Trafford
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
Lord Stevenson of Balmacara
I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.
Baroness Hamwee
My Lords, without wanting to appear ungrateful, I am very troubled by some of what we have heard about the incorporation of language used in the law enforcement directive and in the modernised 108. Simply to reflect that language, incorporate it into our primary legislation and cause confusion thereby does not seem to be a very good way to proceed. My questions about the difference between “strictly necessary” and “necessary” illustrate this well. To be told that “necessary” is a lower threshold than “strictly necessary”—which is certainly how I would read it—calls into question how necessary something which is necessary really is.
We will have to come back to this—it may be something that we can discuss outside the Chamber before Report. I wonder whether I should threaten to unleash my noble friend Lord Lester of Herne Hill—that might be enough to lead us to a resolution, but I have not consulted him yet. However, I am troubled, because we are in danger of doing a disservice to the application of these important provisions. For the moment, of course, I beg leave to withdraw the amendment.
Lord Young of Cookham
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),(b) is necessary for the purpose of obtaining legal advice, or(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
“4A_ This condition is met if the processing is necessary when a court or other judicial authority is acting in its judicial capacity.”
Baroness Hamwee
“( ) The controller must without undue delay inform each data subject that he is (or, as the case may be, is again) a data subject.”
Baroness Hamwee
My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.
We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.
Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this is a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.
Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”— this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.
On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?
Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.
Lord Kennedy of Southwark
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
Baroness Williams of Trafford
I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).
I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.
Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.
Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.
In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.
I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.
Baroness Hamwee
My Lords, the noble Lord, Lord Kennedy, need not have been apologetic: it is perfectly fair to make the point that he did not think the amendment was proportionate. I will not claim the credit for Amendment 133ZQ because it is not my drafting, but much more importantly, yes, fundamental rights should be interpreted by the UK courts, but on what basis? It really is a matter of “New readers start here” with that, and the same applies to “official inquiry”: the very fact that there is an Inquiries Act was in my mind in asking what an official inquiry is. It is all the same argument—the same discussion, would be a better way of putting it—as on earlier groups. I said then that I was troubled; I am troubled in this connection. I think I made it clear that I was not trying to reopen the question of the European Charter of Fundamental Rights now; there will be other occasions to do that. I beg leave to withdraw the amendment.
Baroness Hamwee
Baroness Hamwee
Baroness Hamwee
My Lords, we debated automated decision-making under Part 2 on Monday. Clause 48 provides for automated decision-making in the case of law enforcement. No doubt we will return to the issues raised on Monday in this connection, but for now, Clause 48(1) provides that a “qualifying significant decision” must be,
“required or authorised by law”.
This is perhaps a slightly frivolous probe, but may a controller take a decision that is not required or authorised by law? If it is not authorised, how is the data subject protected?
Amendment 135 refers to not engaging the rights of the data subject under the Human Rights Act. Again, we had a debate on this on Monday and it is a subject to which we may return. I simply ask: does the Minister have anything to add to what her noble friend Lord Ashton of Hyde had to say then? He told us that human rights are always engaged—indeed they are—and that the amendment therefore did not really work but that there are, as he said in col. 1871, “appropriate safeguards”. Are the Government satisfied that the balance between processing and protection is the right one? As I say, I am sure we will come back to this issue.
Amendment 135A is to Clause 48(2), which deals with decisions based solely on automated processing. Article 11 of the directive, which I believe is the basis for this, provides for automated processing, including profiling. Profiling is a defined term, so I merely want to check that there is no significance in omitting the reference to it. I doubt there is but the language is reproduced exactly elsewhere, so this is a simple check.
Clause 48(2)(a) provides that notification of a decision must be given “as soon as … practicable”. Amendment 135B would limit this to a maximum of 72 hours. I do not want to describe what is in the Bill as open-ended but I think the Minister would accept that it is less certain than it could be, which is a pity as the requirement under this clause to notify the right to ask for reconsideration is important. I note that at another point close to this, the data subject has an exact limit of 21 days. That may not be practicable for the data subject but perhaps the Minister can confirm whether that means within 21 days of actual receipt, not 21 days of delivery, as the means of serving that notification.
Amendment 136A would insert a new provision. We have been considering some form of independent oversight of automated decision-making. That would not be quite right because we have the commissioner, who is independent, but the amendment proposes more assistance and advice in this connection and the publication of reports on the subject.
Amendment 137 proposes a new clause. We debated a more elaborate amendment on the right to information about decisions based on algorithmic profiling on Monday. The proposed new clause would allow the data subject to obtain an understanding of the reasoning underlying the processes, when the results of it are applied to him. The wording might seem familiar to noble Lords, which would show that they have read on in the Bill. The amendment would reproduce in the law enforcement part a right that is included in Clause 96 in Part 4, which deals with the intelligence services. If they can do it, why not law enforcement? I was quite surprised that they could do it and were expected to provide the underlying reasoning, but that is a good thing. I am not arguing that this would be a silver bullet for all the issues around algorithms but it would be significant. Perhaps it would be courteous and appropriate to say I understand that as regards the intelligence services exemptions, the UK is proposing one of the most advanced explanation rights in the world—tick.
Amendment 144 raises the human rights point again, in the context of the intelligence services’ automated decision-making. Amendments 145 and 146 are to ask the Government to justify decisions based solely on automated processing which significantly affects the data subject when it relates to a contract. Clause 94(2)(c) refers to,
“considering whether to enter into a contract with the data subject”,
and,
“with a view to entering into … a contract”,
with them. There must be a fine distinction between those two provisions but they are dealt with differently. These are all in Part 4, on the intelligence services. Finally, Amendment 146A is to ask whether the commissioner should have a role in the process, because there is a bit more scope for people doing their own thing in this part of the Bill than under Part 3. I beg to move.
Lord Stevenson of Balmacara
My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.
Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,
“right to object to automated-decision making”,
within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.
In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.
Baroness Williams of Trafford
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
Baroness Hamwee
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
Baroness Hamwee
“( ) Notwithstanding any determination under subsection (2), joint controllers are each liable for any failure to comply with the obligations of a controller under this Part.”
Baroness Hamwee
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
Lord Young of Cookham
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
Baroness Hamwee
My Lords, I am certainly happy with the latter. I simply observe that in other walks of life when people act jointly, each is often responsible for what the other does, but of course I beg leave to withdraw the amendment.
Baroness Hamwee
Baroness Hamwee
My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E set outs what advice would be included “to mitigate the risk” and would be a reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards. “Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.
Lord Stevenson of Balmacara
My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.
There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.
In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.
The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.
Baroness Williams of Trafford
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Baroness Hamwee
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
Baroness Hamwee
Baroness Hamwee
My Lords, sensitive processing requires meeting at least one condition from the menu in Schedule 9 and one in Schedule 10. This could be achieved, for instance, because the processing is necessary to protect someone’s vital interests under Schedule 9, and for the same reason under Schedule 10 when consent cannot be given. I wondered whether the repetition amounted to there being only one condition to be met, rather than two or perhaps one and a half—hence Amendment 137R.
Amendment 138A is another amendment suggesting that the Secretary of State’s regulation-making power is too wide under the Bill. In our view, the Secretary of State should be able to add conditions—in other words, protections—but not vary or omit them. That is a thread that runs through the whole of the Bill.
Amendments 139A and 139B probe the condition in Schedule 9 that processing is necessary for the purposes of legitimate interests pursued by the controller or a third party to whom the data is disclosed. Again, “legitimate interest” made me pause. It is made lawful by Clause 84 because it meets one of the lawfulness conditions, so there is a circularity here. The schedule then applies a condition to the condition—it is not lawful if it prejudices rights and freedoms or legitimate interests of data subjects, or rather is unwarranted because of prejudice to the rights and freedoms or interests of the data subject. Does that allow for the risk of prejudice? It struck me as quite a clumsy phrase—“unwarranted … because of prejudice”. I realise that the person who drafted it—I do not want to say “draftsman”—must have had some very particular thoughts in mind.
Lord Young of Cookham
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
Baroness Hamwee
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for this comments on Amendment 138A and beg leave to withdraw the amendment.
Lord Young of Cookham
Lord Young of Cookham
Baroness Williams of Trafford
My Lords, government Amendments 141 and 142 to Clause 90 are technical in nature and simply ensure that the summary description of the rights conferred on data subjects by Chapter 3 of Part 4, as set out in subsection (1), fully itemises each of the relevant rights. I look forward to hearing from the noble Lord, Lord Kennedy, and the noble Baroness, Lady Hamwee, about their amendments in this group and I will respond to them when winding up.
Lord Stevenson of Balmacara
My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.
Baroness Hamwee
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
Baroness Williams of Trafford
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Baroness Hamwee
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Baroness Williams of Trafford
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
Lord Stevenson of Balmacara
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.
“( ) section 96 deals with the right to information about decision-making;”
“( ) A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
“( ) A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
“( ) A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.”
“( ) is necessary for the purpose of obtaining legal advice, or( ) is otherwise necessary for the purposes of”
Data Protection Bill [HL]
Monday 20th November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Paddick
“Function of the Commissioner to maintain a register of data controllers
(1) The Commissioner must maintain a register of all data controllers.(2) Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under subsection (1).(3) Subsections (1) and (2) do not apply in relation to any processing whose sole purpose is the maintenance of a public register.”
Lord Paddick (LD)
My Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.
We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.
This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.
The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.
The Minister may wish to pray in aid article 57(3) of the GDPR, which states:
“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.
We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.
Lord Stevenson of Balmacara (Lab)
My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.
Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.
The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.
So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.
Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.
Baroness O’Neill of Bengarve (CB)
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
Could I ask the noble Baroness to repeat which provision she is referring to?
Baroness O’Neill of Bengarve
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
Lord Stevenson of Balmacara
My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.
Lord Paddick
My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.
The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.
On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, the amendment is in my name and that of my noble friend Lord Kennedy. Clause 117 allows the commissioner to inspect personal data held on any automated or structured system where the inspection is necessary,
“to discharge an international obligation of the United Kingdom”.
Before exercising the power, the commissioner under subsection (4) must by written notice inform a controller of her intention. However, this does not apply if the case is “urgent”. Since in every other aspect of the Bill phrases such as “urgent” are usually defined, uniquely in this case it is not, so the amendment is merely to allow the Minister to read into record those cases that he might consider to be urgent. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, the amendments in this small group are probing in nature. Amendment 153C is in my name and that of my noble friend Lord Kennedy. Clause 119 places an obligation on the commissioner to publish and keep under review a data-sharing code of practice that would contain guidance on data sharing and good practice, as the name suggests. This is good, we talked about it in some detail in earlier sittings of the Committee and we have no problems with it. It continues a practice that we are well aware of and there are no particular issues arising from it, provided that it continues to be comprehensive and to provide the sort of advice that data controllers and data subjects will need as we go forward.
Amendment 153D raises the question of whether a 40-day approval process for codes should apply, in order to make it clear that codes under Clauses 119 and 120 are subject to parliamentary scrutiny and that the 40-day approval period would fit in with the procedures of Parliament. As I said, this is a probing amendment and I would be grateful to have the comments of the Minister in due course.
Amendment 154A concerns the statement that the commissioner will review and revise the codes regularly, or keep each code under review. There is no specification of the timescale or the frequency of that. I suspect that the answer will be that it will be as seen fit by the Information Commissioner—but if the Minister can shed some light on this, it would be helpful.
Finally, Amendment 154B draws attention to Clause 119(2), which says, at the top of page 65:
“Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code”.
We have already touched on this, and the procedure is not explained. I would like to confirm that, since this matter may be of interest to Parliament, it will be by the affirmative procedure. I look forward to hearing a response and I beg to move.
Baroness Chisholm of Owlpen (Con)
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
Lord Stevenson of Balmacara
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
“Personal data ethics code of practice
(1) Within six months of the passing of this Act, the Commissioner must prepare an ethics code of practice for data controllers.(2) The code must include a duty of care from the data controller and the processor to the data subject.(3) The code must provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—(a) reduce vulnerabilities and inequalities;(b) protect human rights;(c) increase the security of personal data;(d) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.(4) The code must consider—(a) how to support data processing which has clear benefits for users and members of the public;(b) the effectiveness of measures to seek the consent of users to the collection and use of their personal data;(c) the risks and limitations of new technologies, ensuring that there is sufficient human oversight.(5) The code must also provide guidance on—(a) default privacy settings;(b) data minimisation standards;(c) presentation and language of terms and conditions;(d) transparency of paid for activity, such as product placement and marketing;(e) sharing and resale of data;(f) veracity and accuracy of information;(g) strategies used to encourage extended user engagement;(h) user reporting and resolution processes and systems;(i) responses to unintended consequences of technological advances in the processing of personal data; and(j) any other aspect of design that the Commissioner considers relevant.(6) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.(7) Before preparing the code of practice and prior to every revision, the Commissioner must consult the Secretary of State and relevant stakeholders.(8) The Secretary of State must bring the code of practice into force by regulations made by statutory instrument. (9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
Lord Stevenson of Balmacara
My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.
The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.
The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing were transparent, and that the purposes of data processing were communicated to data subjects.
Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.
I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.
Lord Clement-Jones (LD)
My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.
Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.
Lord Puttnam (Lab)
My Lords, I support this amendment and identify myself totally with the remarks of the noble Lord, Lord Clement-Jones. I am trying to be practical, and I am possibly even pushing at an open door here. I have a facsimile of the 1931 Highway Code. The introduction by the then Minister says:
“By Section 45 of the Road Traffic Act, 1930, the Minister of Transport is directed to prepare a code of directions for the guidance of road users … During the passage of the Act through Parliament, the opinion was expressed almost universally … that much more could be done to ensure safety by the instruction and education of all road users as to their duties and obligations to one another and to the community as a whole”.
Those last few words are very important. This must be, in a sense, a citizens’ charter for users—a constantly updated notion—of the digital environment to be sure of their rights and of their rights of appeal against misuse. This is exactly where the Government have a duty of care to protect people from things they do not know about as we move into a very difficult, almost unknown digital environment. That was the thinking behind the 1931 Highway Code, and we could do a lot worse than do something similar. That is probably enough for now, but I will undoubtedly return to this on Report.
Baroness O’Neill of Bengarve
My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.
Baroness Hamwee (LD)
My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.
Lord Ashton of Hyde
My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.
The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.
However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.
Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.
The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.
This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.
There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.
The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.
Lord Clement-Jones
My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?
Lord Ashton of Hyde
At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.
Lord Clement-Jones
So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?
Lord Ashton of Hyde
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
Lord Stevenson of Balmacara
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
Baroness Chisholm of Owlpen
My Lords, I shall speak briefly about the Government’s motives in tabling this group of amendments. There are 27 amendments in the group, but fear not: I shall avoid the temptation to talk through them all, instead focusing on only a few which may be of interest. Also, noble Lords received letters from my noble friend on 20 October and 14 November addressing the issues in the amendments.
I start with Amendments 163, 164 and 168. Clause 139 provides a criminal offence of failure to comply with an information notice. This is a hangover from the 1998 Act but, on reflection, the Government consider that it is no longer required, as the Information Commissioner will now have access to a much broader range of administrative penalties. Removing the criminal offence would also align the maximum penalty with that for failure to comply with an enforcement notice, ensuring that the commissioner is not disincentivised from serving an enforcement notice if she considers that that is the most appropriate course of action.
Amendments 165, 166 and 167 amend Schedule 16. Where the commissioner intends to give an administrative penalty, she must give a notice of intent, to which the data controller may make representations. The commissioner has six months from the point at which the notice of intent is given to issue a penalty notice. In some complex cases, the data controller may need more than six months to make their initial representations, or there may be a continuing technical dialogue between the parties. These amendments allow—but, importantly, do not compel—the commissioner and the controller to mutually agree to extend the six-month deadline to allow the process to reach its natural conclusion.
Finally among the many amendments in this group, Amendment 188A provides a list of consequential amendments. I mention it here for two reasons. First, as noble Lords will have noticed, it is a long list: references to the Data Protection Act appear in more than 50 other pieces of primary legislation. Secondly—this is a response to a point made by the noble Lord, Lord McNally, on a previous day in Committee—it is testament to the importance that the Government attach to having a regime that is fully operational in time for 25 May 2018. Such a tight turnaround means that there is no time to take through secondary legislation after Royal Assent, which is the Government’s usual approach to consequential amendments. Instead, we must put everything that we need for 25 May in the Bill. Amendment 188A is another step towards that goal.
On that note, my Lords, I beg to move.
Lord Griffiths of Burry Port (Lab)
My Lords, it is an extraordinary list of amendments that address things in great detail; they are all about tidying up and working things out as we go along. Since that is what we try to do as often as we can, it is nice to see the effort that has been made and hours that have been spent. Much of it is logical and needs no further discussion, but we have in respect of amendments in the range of Amendment 171, and so on, a bit of a worry about the notion that personal data is processed for special purposes—journalism, academic, artistic or literary purposes—and that there are exemptions in place so that the commissioner must first determine whether processing is for a special purpose before taking further enforcement action.
We have always understood that the provisions at this point are only asking in this Bill to replicate the conditions obtaining in such cases in the 1998 legislation. This particular detail makes it seem as if that might not be the case, because we have submissions from various people in the media to suggest that, while they understand the regulations, to step in before the material is put together to make this determination feels a bit threatening. Can the Minister guarantee that the provisions in this Bill are identical with those in the 1998 Act?
There is not an adequate mention, again, according to people in the field, of the relation of photography and photojournalism to written journalism. Could that be thought about, too? If everything is the same, we have no further questions but, if not, could the Minister tell us exactly what the differences are and whether she can write to us so that we may know what they are?
Baroness Chisholm of Owlpen
As the noble Lord said, this particular group of amendments is where personal data is processed for special purposes for journalism, academic, artistic or literary purposes. There are certain exemptions in place, so the commissioner must first determine whether processing is for special purposes before taking further enforcement action. A special purposes determination can be appealed to a court, not a tribunal; these amendments correct the Bill as only a court, not tribunals, are relevant. They also make technical corrections to ensure compatibility with Scots law. The definition of special purposes proceedings is also widened slightly so that special purposes can be asserted in a wider range of situations.
I think that I have inspiration coming from my right hand side. The noble Lord mentioned photojournalism, which is included in the data—I think that that is what he meant.
Lord Griffiths of Burry Port
I sympathise with the Minister, who sought inspiration from behind, because it is what I do all the time. Those who have expressed anxiety to us are worried that pressure will be put on them as programme makers and investigative journalists prior to publication and issuing their material in edited form, whereas currently they are subject to the regulation once that material has been put together. That is the area where anxieties have been expressed, and we need some reassurance on that point.
Baroness Chisholm of Owlpen
The best thing that I can do is to have a look and get back to the noble Lord on those points, if that is okay.
“( ) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).”
Baroness Hamwee
Baroness Hamwee
My Lords, I speak also to the other amendments in this group. All these amendments are suggested by the Bar Council and stand in my name and those of the noble Lord, Lord Arbuthnot of Edrom, and the noble Baroness, Lady Neville-Rolfe. All concern legal professional privilege, a subject which the Committee and the House have frequently debated. I know I do not need to stress its importance or remind noble Lords—but obviously, I am just about to—that the confidentiality and privilege are those of the client, not the lawyer.
The Bar Council comments that the powers of the commissioner to have access to the information and systems of data controllers should be limited where the data controller is a legal professional or anyone subject to the requirements of client confidentiality and legal professional privilege. It reminded us that there are exceptions in the 1998 Act which deal with this. Legal professional privilege cannot be waived by the lawyer but is subject to contractual or other legal restrictions. In the clauses in question, legal professional privilege seems to be overridden in circumstances where the commissioner considers that she needs to look at the data to perform her functions. Clause 128(1) refers to use or disclosure,
“only so far as necessary for carrying out those functions”—
that is, the commissioner’s functions. I suggest that this is inappropriate given the provisions elsewhere in the Bill which we now seek to amend.
Amendments 161A, 161B, 161C and 161D deal with confidential legal materials which it is proposed should be inserted and covered. These are defined in the last of these four amendments as “materials brought into being”, as distinct from documents which are communicated between an adviser and a client, and thus would be wider, and include materials brought into being,
“for the purpose of establishing, exercising or defending legal rights”,
which is wider than the Bill provides.
The Bill does not contain directions as to the purpose of the guidance on protection of privileged material. Amendment 161C would give a direction to the commissioner as to the purpose. Amendments 162A, 162B, 163ZA and 163ZB would again extend the protection. Clauses 138 and 141 are limited to documents that relate to data protection legislation. These amendments would widen the protection to all documents protected by legal professional privilege.
Clause 138(5) does not cover the right of self-incrimination of other persons, such as the client of a legal representative or a family member of a client, who would not be entitled to rely on privilege. Amendment 162C would widen the class of persons to others. Since the client may well be seeking advice or representation in relation to a matter which might incriminate him, the Bar Council asks us to point out that this is particularly important.
Amendment 163B reflects provisions in Clause 138, on information notices, and in Clause 141, on assessment notices, and extends the restrictions to enforcement notices. The clauses I have mentioned provide that a person is not required to give the commissioner privileged material—I beg your Lordships’ pardon; a bracket has been opened and I am seeking where it closes—in response to such a notice. As I say, this would extend that restriction to enforcement notices.
Finally, on Amendment 164B, professionals may be restricted in providing information to the commissioner in respect of their processing, because of privilege or an obligation of confidentiality, compliance with the Bar code of conduct, or rules or orders of the court. The Bar Council wishes the Committee to be aware that a barrister,
“may wish to disclose information in mitigation or explanation for a breach of the GDPR provisions, but be unable to do so because disclosure would place”,
counsel,
“in breach of professional conduct rules or other confidentiality obligations, or in breach of data protection obligations because it is not possible to obtain consent for”,
the processing.
Compliance with the profession’s rules might have the result of exposing a barrister to a higher penalty to be imposed by the commissioner as a result of that inability, which does not seem fair. The amendment would provide that circumstances of this kind may be taken into account by the commissioner when assessing the penalty by adding a paragraph to the mitigating circumstances in the list. As the Bar Council points out, none of these points would prevent the commissioner effectively carrying out her duties. Even if she were,
“prevented from seeing privileged and confidential material, this … would be a justified and necessary consequence of … proper weight being given to the citizen’s fundamental right to consult a lawyer and to maintain the confidentiality”.
However, if unamended, there could be a conflict between the legal regulators and the commissioner. I beg to move.
Lord Arbuthnot of Edrom (Con)
My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practice as a Chancery barrister long ago.
It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
Baroness Hamwee
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
“( ) Within the period of three months, beginning with the day on which this Act is passed, the Commissioner must specify in guidance the amounts that constitute a reasonable fee in relation to subsection (1).”
Lord Stevenson of Balmacara
My Lords, although the amendment’s wording is narrow, it is very much a probing amendment. I hope we will be able to range a bit further on the funding and the structure of the Information Commissioner’s Office, which depends on its ability to raise funding to survive. I will make various points on that.
In some senses the Information Commissioner’s Office is a rather strange regulator, in terms not of its functions, but of the way it has survived a number of possibilities for change and development that have been applied to other sectors of British industry, particularly those relating in some senses to data processing. If noble Lords compare Oftel, the IBM, to some extent the BBC and what has now emerged as Ofcom, they will see a change from the original structure of regulators, which were very largely bodies set up to make sure the previously public sector nature of an activity that had been privatised was done in a way that did not exclude the public interest. These regulators were largely economic in origin and have only gradually added social regulation to their parts.
In a sense the ICO’s journey is different. First, the way these other regulators have moved has not been followed, so the change from a one-off individual dealing with economic and a limited amount of social regulation to being partnerships or boards with a range of individuals appointed to take over various functions—Ofcom is perhaps the easiest example to use—has not been followed. We still have a single regulator which is independent and reports to Parliament, and I understand the structure to be that of a corporation sole, which is an issue that we might want to reflect on.
Lord Ashton of Hyde
My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.
On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.
On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.
Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.
The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.
Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.
I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.
Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.
I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.
Lord Paddick
My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?
Lord Ashton of Hyde
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
Lord Stevenson of Balmacara
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Kennedy of Southwark
“( ) Within three months of this Act coming into force, the Commissioner must specify in guidance what constitutes “other failures” under subsection (8).”
Lord Kennedy of Southwark
My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.
Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.
Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.
The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,
“as the Secretary of State considers necessary”.
We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.
Baroness Chisholm of Owlpen
My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.
As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.
However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.
As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.
I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.
As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.
Lord Kennedy of Southwark
My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.
Data Protection Bill [HL]
Wednesday 22nd November 2017
(7 years, 4 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Black of Brentwood
“( ) Prior to giving an enforcement notice under section 142(1) against an information society service in respect of material originating from a third party controller or processor processing personal data for one of the special purposes, the Commissioner must consult and take into account any representations made by the third party, save in circumstances where consulting the third party would result in substantial damage or substantial distress to an individual, in which case the Commissioner must take into account the special importance of the public interest in the freedom of expression and information.( ) The Commissioner must publish a summary of any enforcement notice issued against an information society service in respect of material processed by a third party controller or processor for any of the special purposes.”
Lord Black of Brentwood (Con)
My Lords, in moving Amendment 163A I shall speak also to Amendments 164A, 170B to 170D, 172A to 172C—a number of which the noble Viscount, Lord Colville of Culross, has added his name to—and to the Question whether Clause 165 should stand part. I fear that if noble Lords are still suffering from indigestion as a result of the alphabet soup of amendments we had in Committee last week on this subject, today we have an even more indigestible alphabet banquet.
The amendments relate to media freedoms. I declare my interest as the executive director of the Telegraph Media Group and draw attention to my other media interests. As with the previous group of amendments we discussed in Committee, the implications in this area go well beyond the press and impact on online and broadcast media, along with a wide range of literary and artistic interests. They are supported by the Media Lawyers Association, the News Media Association and the Society of Editors. In the past few days, noble Lords may also have received very important representation, specifically on Clause 164, from the BBC, ITV and other broadcasters.
I highlight two points in particular to give context to this group of amendments. First, Clause 164(3)(c) gives a statutory regulator—the Information Commissioner —powers to interfere with investigations and reporting, pre-publication. Secondly, unless the defences in the Bill are augmented, Clause 161 means that a reporter vindicated as acting lawfully in the eyes of the civil courts could be convicted on the same grounds in the criminal courts. That has widespread ramifications. The exemption for special purposes covers not only the journalism of the BBC, Channel 4, ITN and all newspapers, national and local, but the deadly serious journalistic work of NGOs and campaigning organisations such as Global Witness.
The GDPR demands freedom of expression protections for academic, literary and artistic purposes as well. That means that the playwright, producer, professor, provocative cartoonist, artist, author, diarist and publisher of any book whose work at any stage uses information about living individuals, falling within the broad application of the Bill, is as vulnerable to these parts as the media. That is why the provisions deserve the most careful scrutiny and attention. Given that these powers bite pre-publication, the mere assertion of a data protection breach will be a marvellously cheap and convenient way for individuals with something to hide to stop any work that may cast them in an unwelcome light in its tracks. Indeed, there is a double jeopardy in the Bill, as under Clause 165, the Information Commissioner is empowered to provide financial support to people wanting to bring action; her written determination would also lift any stay on legal action in respect of pre-publication processing.
Let me explain, as briefly as I can, how these amendments seek to tackle that mischief. The first two of them relate to penalties. Amendment 163A to Clause 143 is intended to prevent inconvenient truths being all too conveniently covered up. Currently, the original publisher of an article de-listed from Google or other search engines, following the complainant’s appeal to the Information Commissioner to have it taken down by the content aggregator, neither knows about this virtual disappearance nor has any opportunity to put the case on the accuracy or continued relevance of the article to the ICO. This amendment introduces the option of the ICO consulting with the originating publisher prior to making a determination and then publicising the determinations made.
Amendment 164A to Clause 148 addresses the overall proportionality of penalties for infringements of the Act. As noble Lords will know, a company in breach must pay the appropriate penalty as set out under the Act. However, there is again the risk of double jeopardy as far as the media are concerned, because the standard contractual terms of content aggregators such as Google require media organisations to indemnify them in respect of journalistic material that they then disseminate to their users. Due to their huge global turnovers, such aggregators could be liable for far greater fines under the GDPR, dwarfing those that any media organisation would be liable for on its own transgression. That could result in media organisations facing financial ruin because of the indemnity they are bound to give. This amendment simply proposes that, when any fine is imposed, consideration should be given to indemnities, compensation and other penalties for which organisations are liable, if a breach arises.
Earl Attlee (Con)
My Lords, it may be for the convenience of the Committee if I speak to my Amendments 170AA, 170AB and 170AC at this point. I am grateful to my noble friend for moving his amendment in the skilful way that he did. I hope that my noble friend the Minister has some good answers because my noble friend worried me somewhat.
I fear that I will have to detain the Committee for some time. I wish to make it clear that I have never been mistreated by the media and I do not think I know any celebrity who is not also a parliamentarian. My only complaint is that the general public have never heard of me. Quentin Letts once likened me to Lord Lucan, and when I accidentally appeared to cancel a mainline electrification programme from the Dispatch Box, I got three-quarters of an inch on page 2 of the Sun—at £1.6 billion it was quite an expensive way of getting some publicity.
During the passage of the Crime and Courts Act, I was in the Government with other responsibilities. I have little doubt that later, as a loyal Government Back-Bencher, I voted against the attempt made by the noble Baroness, Lady Hollins, to get Section 40 of the Crime and Courts Act commenced. Thanks to an intense media campaign, I realised that something was going badly wrong when the Government failed to commence Section 40 after the PRP was established and it had approved its first independent regulator.
At present any claims against newspaper publishers where the claimant is an ordinary member of the public is a David versus Goliath battle. The claimant is an individual with limited resources, whereas newspaper publishers are typically well resourced, with teams of lawyers. In effect, the claimant is required to mortgage their home—if they own it—to meet the costs of an action. This is unless they can get a CFA, which is not available for data protection claims—a point that I will come to later. This risk deters ordinary members of the public from ever bringing a claim. When it comes to libel, all they really want is a correction with due prominence. This principle applies to data protection claims as well. Subsequently, publishers have enjoyed impunity in relation to breaching the data rights of ordinary members of the public.
However, the reverse can also be true. Sometimes the claimant is exceptionally wealthy—such as a Russian oligarch—and even the newspapers can struggle to meet the costs of defending a claim. In such cases, censorship can occur where a litigant threatens legal action in order to prevent an article being published. What editor is going to risk hundreds of thousands of pounds in legal costs just to have a pop at a billionaire who desperately deserves it?
The Committee will recall that Lord Justice Leveson recommended a solution: newspapers join a recognised regulator which must offer arbitration, among other things. Arbitration is cheap for the defendant and the claimant, so the cost risks evaporate for both. The only losers in all this are the lawyers on both sides—which I am sure all Members of the Committee will approve of. Most newspapers, however, favour the ability to breach the rights of ordinary members of the public rather than having the free speech benefits of protection from claims by wealthy individuals. So Lord Justice Leveson recommended this ingenious cost-shifting provision.
Newspapers in a recognised regulator offering arbitration are immune from paying the claimant’s costs in cases brought against them, win or lose. Newspapers which have rejected joining a recognised regulator—and, as such, are not offering mandatory arbitration—must meet the costs of all claims brought against them, win or lose. Of course, there are the usual safeguards against frivolous and vexatious claims, even for those not signed up to an approved regulator. As well as protecting free expression and access to justice, this provision would incentivise the press to sign up to a recognised regulator, as Leveson recommended and as Parliament decided and provided for by means of the Crime and Courts Act 2013.
I recognise that in its current form the Bill cannot be used to force the commencement of Section 40 for libel and privacy claims and the like, however strong the case for doing so. However, it can apply Section 40 to data privacy claims relating to publication and commence it. That would give ordinary people whose privacy is invaded at least some protection and provide at least some incentive.
Section 40 of the Crime and Courts Act contains this provision for all media claims except data protection. This was a concession to the press at the time, when data privacy claims were rare because the 1998 Act was written in a way that would require there to be actual financial loss before bringing a claim. The Vidal-Hall v Google case in the Court of Appeal found that the 1998 Act was not compatible with the parent EU directive on this point and had to be interpreted as allowing “distress only” claims, as with other privacy claims.
Viscount Colville of Culross (CB)
My Lords, I declare an interest as a series producer at ITN Productions. I want to talk particularly about Amendments 172A to 172C and whether Clause 165 should stand part of the Bill—all of which relate to the powers of the ICO to investigate special processing. I, too, am very concerned that Clause 164 represents a considerable and troubling extension of the power of the Information Commissioner, which will have a damaging effect on free speech. It will damage not just journalism but academia, art and literature by unleashing a torrent of complaints prior to publication or launch of a work. These amendments will ensure that the powers of the ICO in these matters remain as they are—a situation which has worked well since we have had the Data Protection Act 1998.
In Clause 164(3), paragraphs (a) and (b) indeed make no change. They allow the ICO to investigate and give a written determination on whether the processing of data is for special purposes and publication, and therefore exempt. However, my concern is that paragraph (c) seems to be an important and worrying extension of the power of the ICO. It means that even if she thinks that the data processing is journalism, literature or art she can, in addition, investigate whether the means by which the data is being collected or processed is compliant with the Act. These powers can be used prior to publication, meaning that any complainants who want to stop a journalistic or academic investigation from continuing can now call for the ICO to make a written determination on the way in which the data is being collected. This will open the door to a far greater number of complaints to the ICO. At best, dealing with these will be very time-consuming and wasteful of resources. At worst, they will result in public interest journalism being delayed or thwarted altogether by a regulator with limited expertise of the media, and who may well lack the resources for such an endeavour.
The provision for such ICO inquiries to take place before publication goes against an important principle of our law, which allows for the information to be published and then for the courts or regulators, such as Ofcom, to decide whether there has been an infringement. Clause 164(3), as drafted, suggests that the commissioner is going to make her own judgment of these questions and not simply assess whether the judgment of the data controller—for instance, the editor of the newspaper or the author—is genuine and reasonable.
My concern is that, even if the ICO does not exercise her powers, the prospect of her doing so will have a chilling effect on editors’ decisions about whether to publish. I am already finding that, in the documentaries that I am making, stories which would have been published a few years ago are now not being published for fear—among media lawyers—that there will be a breach of the legislation. In one case, I was told by the media lawyer that I could broadcast a story only if it was already in the public domain—which to me, as a journalist, seems likely to negate the whole purpose of the exercise. I am advised by media lawyers at ITN, the BBC and a number of newspapers, whose views I very much respect, that these new powers of the ICO and other proposed amendments will affect journalists’ investigations in many different ways.
Amendment 172B is intended to ensure that the scope of the exemption continues to apply not merely to information that is due to be published but to information that will inform the final publication. The failure to maintain the existing provision would have the damaging effect that, for instance, a fraudulent businessman who is being investigated could submit a subject access request on the relevant data which had been gathered as part of the story. The result would be that the businessman would be able to find out where the investigation was going and take action to close down that investigation. He would also be able put pressure on the sources of the information that would be revealed by the access request.
I work in television, and a particular concern of mine is the future of secret filming for journalism, which could be threatened by this clause. It would allow the ICO to look into whether the use of recording, without consent, was appropriate or even necessary. It is not clear from the clause what precise test the ICO will apply, but it will involve the ICO making fine editorial judgments, including whether the investigation could or should have been advanced by using less intrusive means. I have carried out many secret filming assignments in my capacity as a producer at the BBC, and I know that the activity is already very tightly controlled to stop fishing expeditions and to ensure that it is aimed directly at and focused on the suspected parties. The BBC code requires clear evidence that the subject of the filming has been involved in wrongdoing. This evidence is rigorously questioned by the lawyers before permission is given to go ahead, and the results of the filming are carefully looked at to make sure that they relate directly to supporting the story.
Unless these amendments are adopted, once the person who is the target of secret filming is told that they are the subject of the story, they could issue a claim or subject access request on the secret filming and delay, or even successfully stop, the story being published. Lawyers at the BBC advise me that some of our important investigations in the public interest would be delayed and maybe in some cases stopped by these new powers. The stories that could have been affected include public interest investigations into wrongdoing, such as those into Winterbourne View and the Rochester young offenders unit or even last week’s BBC “Panorama” on student loan fraud, in which two men were secretly filmed giving advice to prospective students about how to get through a degree by cheating and how to fraudulently collect a student loan.
Perhaps even more problematic will be other people who are not the centre of the investigation but who might get caught up in secret filming or open filming without consent. They could include family members or employees of a company being investigated. These people would not be featured in the final publication or broadcast, but their ability to complain prior to publication would allow them to call on the ICO and deliberately delay or stop an investigation because their data had been collected during the filming. An example is the BBC investigation into the payday lender Wonga, which many noble Lords will know about, whose lending practices were questionable and caused bankruptcy and despair across the country. During the secret filming of the Wonga loan agents, the journalist also filmed the receptionist. She was never going to be featured in the final programme, but her data had been collected and she tried to use it to protect her employers and stop the programme going out. Under Clause 164 she would indeed be able to call in the ICO to give a written determination on the way her data had been collected, and the film would be stopped in its tracks. For the complainant, the time and cost would be minimal—meaning that there is a very low barrier to seeking the help of the ICO.
Other investigations could be thwarted based not just on the data that might be published but on the way the data might be held by the journalist for use in later articles as part of a continuing investigation. Noble Lords may remember the Sunday Times exposure of Lance Armstrong, a man who at the time was seen as the greatest cyclist in history. He was accused by the Sunday Times of taking performance-enhancing drugs. As a result, he took the paper to court for defamation, and it was forced to settle. Under this clause, Armstrong would then be able to bring a data protection complaint in relation to any data that the Sunday Times had collected to support the original allegation that he had taken performance-enhancing drugs. He could argue that the data was inaccurate and should therefore not be held. Following the court settlement it would be open to the ICO to decide whether continuing to hold the data would be in compliance with the legislation. The Information Commissioner could require the paper to dump the data, which she might deem to be inaccurate. In fact, the ability of the journalist on this story to hold on to Armstrong’s data was crucial in allowing the Sunday Times to continue its investigation into Armstrong’s conduct. The paper subsequently published a number of articles to that effect. Eventually, Mr Armstrong confessed that he had indeed taken performance-enhancing drugs and settled the Sunday Times claim that his libel case was fraudulent after all.
Baroness Hollins (CB)
My Lords, I start by adding my strong support to the elegant amendments of the noble Earl, Lord Attlee, and thank him for his perceptive evaluation of the media storm about Section 40 of the Crime and Courts Act.
My Amendments 170K, 170L, 170M, 171A, 172AA, 172E and 174AA would remove the existing pre-publication staying mechanism currently available to data controllers when they may be processing data for special purposes. The old Data Protection Act required that a determination had to be made by the Information Commissioner before any data protection claim could be brought in court where data might be processed for journalism. This determination, set out in a “determination notice”, would specify whether the data was indeed being processed for the special purpose of journalism.
Any claim which might involve the special purposes could be stayed in this way. This means that someone has no way of accessing the courts to establish if such publication of their personal data was legal—for example, because it was in the public interest—until after it happened. In contrast, people can do this with a privacy claim—and the sky has not fallen in, nor has investigative journalism been affected. Data privacy claims should be no different.
The new Bill currently replicates the process that was set out in the old Bill. Unlike other areas of law, and unlike processing for other purposes, before any member of the public can bring a data protection claim in the courts against a data controller prior to publication, Clauses 164 to 166 of the Bill require the ICO to make a determination as to whether the data was being processed for journalistic purposes. This means that when an individual’s data rights are unlawfully breached for publication, without any public interest justification, they can do nothing to prevent use and publication of that data until the determination process is complete, with appeal. That data could include, for example, private medical records or financial transactions that expose deeply personal information.
In practice, this means that ordinary people are denied the right to challenge in court the legality of the data being processed prior to publication. Moreover, determination is slow. When the Information Commissioner produces the determination notice, it is then subject to appeal by the publisher. Lord Justice Leveson argued that this whole mechanism is wrong in principle, and that it should be removed. This amendment would have that effect, by removing journalism from those purposes to which the stay could apply. Publishers and the public would still have access to court action, and the courts could determine whether the material has been unlawfully processed and, if it has, whether publication is protected in the public interest under the existing exemptions in the Bill.
Journalistic exemptions in the Bill would be entirely unaffected by the amendments. Where breaches are in the public interest and undertaken for publication, journalists remain exempt from all the exemptions listed elsewhere in the Bill. That is right, and it will be protected. However, the additional stay, which prevents victims of data protection breaches by newspapers trying to prevent the damage that would be done by publication before they can argue their case in court, would be removed. In summary, nothing in the amendments will interfere with investigative journalism—that is not my intention. Because this is a complicated area, with many amendments to these clauses, I certainly stand ready to discuss with colleagues the best way forward in this area before Report.
My Amendment 179A would require the Government to proceed with a public inquiry into allegations of data protection breaches by or on behalf of newspapers. Such an inquiry would be similar to the already-agreed second half of the Leveson inquiry. In 2005 it was reported, though only in the Guardian, that thousands of individuals had had their personal data, including private phone data, stolen by or on behalf of newspaper publishers. Noble Lords will recall that Operation Motorman was the scandal that allowed phone hacking to occur, but it was far more widespread than just phone hacking. It affected tabloids and other newspapers alike. Data was illegally harvested by private investigators in the pay of newspapers and used for stories or to hack phones, often without any public interest justification. A whole industry of illegal data theft propped up the front pages and exclusives of some of our most powerful and recognisable newspapers for a decade.
The Information Commissioner published two reports on Operation Motorman, first, about this practice and, secondly, on the findings of the police investigation. These included the revelations that 58 clients or journalists working for the Daily Mail had used private investigators, and that 1,482 transactions were identified between the investigators and Mirror Group titles such as the Daily Mirror and the Sunday People. Rarely was there any public interest justification. For example, the victims of crime were targeted and their partners, their colleagues and even their painters and decorators were targeted, too. Some newspapers even rehired private investigators who had been convicted of illegal data handling.
This is not ancient history. The judge in the Mirror hacking civil trial ruled that the Daily Mirror, the Sunday Mirror and the News of the World used an entirely different set of private investigators hundreds, if not thousands, of times to steal phone billing data and “reverse phone numbers”, and that this was a precursor to hacking their phones. In a new civil action against the Sun, it is alleged that that newspaper continued to use a series of private investigators for illegal activities on an industrial scale all the way up to 2011, if not beyond.
A public inquiry, the Leveson inquiry, was established to investigate these matters, and I gave evidence to part 1. However, part 2, established to investigate the extent of breaches of data privacy and other illegality, and to investigate the cover-up of it, has still not taken place. This requirements of the amendment would be satisfied by the Government proceeding with Leveson part 2.
I believe I am not alone in your Lordships’ House in finding the Government’s positioning and repositioning on Leveson part 2 shameful. In 2011, when the scandal of hacking broke, the inquiry was established in two parts, the first to deal with regulation and the second to deal with illegality and allegations of corruption and cover-up. The Government claimed they were committed to part 2 of the inquiry once relevant trials had concluded. Those of us affected by this conduct took the Government at their word.
A few years ago, though, the Government began to revise their position following heavy lobbying from the press. After this House voted overwhelmingly in support of one of my amendments to the Investigatory Powers Bill last year, the Government faced the prospect of a Commons defeat and announced a consultation on Leveson part 2 on the day of that vote. That consultation was judicially reviewed by a victim of press abuse who had been promised by the Government that part 2 would happen. The Government defended that judicial review by claiming that they had an open mind on the matter of Leveson part 2, but within three months their party manifesto for the 2017 general election pledged to scrap Leveson part 2 altogether.
Today, we are no further forward. The Government have still not published the outcome of last year’s consultation. The integrity of the consultation was questioned, and the Government’s intentions were rather exposed by the manifesto commitment to scrap Leveson part 2, although I gather that Conservative Members of neither this House nor the other place were consulted. Nor were victims consulted, despite previous prime ministerial promises to them on this matter.
I see no alternative but to return to legislation and the role of Parliament to see that the Government stand firm on these matters and do not cave in to the press lobby. I hope colleagues will support this amendment. I would not of course return with it on Report should the Government proceed with Leveson part 2 with the agreed terms of reference before then.
Lord McNally (LD)
My Lords, this debate is part of the unfinished business of Leveson in relation to both Section 40 and Leveson part 2. As the noble Baroness, Lady Hollins, explained, we are having to do this not because we are hijacking the Bill but because the Government have used various devices to avoid their commitments on those parts of Leveson. It is unfinished business because sections of the press, for which the noble Lord, Lord Black, is an eloquent spokesman in this House, have deliberately tried to frustrate the will of Parliament. The noble Baroness, with telling eloquence, has spoken for the people who were hurt and damaged by the excesses exposed by Leveson. They do not feel that they have received either closure or justice; nor is there much evidence of the press mending its ways.
I was one of the privy counsellors who signed the royal charter. The coalition Government went out of their way to defend the freedom of the press. Looking back, it is easy to forget just how much public horror, distaste and loathing there was for what was shown to be happening by the Leveson inquiry. Frankly, a Government of the day who had not been interested in the freedom of the press would have had a free hand to deal with it in the most draconian way. So I sometimes resent—not speeches in this House, of course, although they occasionally refer to this—articles in the Times and other papers that see any amendment as an immediate attack on the freedom of the press. We who are tabling these amendments want to strengthen the freedom of the press.
The Conservative Government, freed from the constraints of coalition, have gone back on their word to implement Section 40 and dragged their feet about Leveson 2. They added insult to injury by including the IPSO code in their list of approved codes but ignoring the Impress code, which had been approved by the Press Recognition Panel. The noble Earl, Lord Attlee, explained very well how the charter would have given a defence in the David v Goliath contest often faced by the ordinary citizen.
We are in Committee, so we will listen to the Government’s response to the amendments moved by the noble Baroness, Lady Hollins, the noble Earl, Lord Attlee, and the noble Lord, Lord Black. We will then make our decision on issues to vote on at Report. I listened very carefully to the noble Lord, Lord Black, and, as the noble Earl, Lord Attlee, said, he gave us food for thought, although he often sounds like the boy who murdered his parents and then asked for mercy because he was an orphan. However, there are issues there that need to be considered.
My approach, and the two amendments that I have signed, come from a person whom I know that the noble and learned Lord, Lord Keen, knows very well: the man on the Clapham omnibus. My concern, so very well expressed by the noble Lord, Lord Colville, is that it seems to me, as the man on the Clapham omnibus, that to ask investigative reporters to get prior permission is counterintuitive. Again, I would be very interested to hear the Government’s explanation, particularly of Clause 164(3)(c), which my amendment would delete, and how it would impact on investigative reporting.
Lord Low of Dalston (CB)
My Lords, I speak in support of the amendments tabled by the noble Baroness, Lady Hollins, those in the name of the noble Earl, Lord Attlee, and Amendments 185E and 185F, in the name of the noble Lord, Lord McNally, who has just spoken.
A range of amendments in this group relate to journalism and have different effects. It would be easy to characterise some of them as being in favour of greater press power and others in favour of reduced press power, but that would be wrong. The amendments that I am speaking to would implement and support the recommendations of the Leveson report. That report was a compromise—a split down the middle of the free speech concerns of some, and the concerns of others for the victims and wider public. Some of the other amendments in this group—not all of them—seek to undermine that compromise. When we have debates about Leveson, let us remember that they are not simply debates between the interests of the press and those of the public, but between those who have accepted the compromise and those who will not give an inch. Let us also remember that government inaction is what inspires the rejectionists to persevere.
Amendment 179A, in the name of the noble Baroness, Lady Hollins, would require the Government to proceed with a public inquiry into data protection breaches committed by or on behalf of newspaper publishers. This is long overdue. Such an inquiry is clearly merited after the scale of the abuses and breaches which were made clear in Operation Motorman and since. Court cases still being settled over the last year, with more expected, relate to this conduct. Of course, all parties agreed that such an inquiry was needed in 2011 and established the Leveson inquiry, but that part of the inquiry has still not proceeded. Instead, the Government have twisted and turned to satisfy the interests of the press, which calls for public inquiries into everything but its own scandals. I wonder why that might be. I hope that the Government will respond by beginning Leveson part 2.
The amendments of the noble Baroness, Lady Hollins, to Clauses 164 and 166 would prevent publishers accessing a staying mechanism which would in effect prevent pre-publication data protection claims ever being brought. This is anomalous, given that libel law allows such claims to be brought. There is no good reason for keeping the stay so long as the journalistic exemptions are protected. This amendment does not affect those exemptions and should be supported.
Amendments 170AA, 170AB and 170AC in the name of the noble Earl, Lord Attlee, replicate the terms of Section 40 of the Crime and Courts Act 2013, which this House voted for, as did the other place, but do so only for data protection claims. It remains a constitutional travesty that the Government have autocratically prevented Section 40 coming into force, using the executive power of non-commencement. Providing the costs protection and regulatory incentive of these amendments for data protection claims is a worthwhile objective in itself. If the relevant amendment also helps make the point to the Government that it is unacceptable to reverse a parliamentary vote in this way, then it will have served a second useful purpose. The amendments of the noble Earl, Lord Attlee, would also restore conditional fee agreements for data protection claims. Conditional fee agreements would ensure that the public are able to access justice even if Section 40 does not apply.
Amendments 185E and 185F, in the name of the noble Lord, Lord McNally, respond to five Select Committee reports, the Leveson report and multiple remarks, reports and representations from the Information Commissioner’s Office, allowing custodial penalties for the most egregious cases of data theft. It is not envisaged that many, if any, individuals would be sentenced in this way but, put simply, the mountain of evidence on the matter shows that a fine is not an adequate deterrent and is simply treated as no more than an overhead for the illegal trade in personal data. I therefore believe it important that the House should support the amendments of the noble Lord, Lord McNally.
Lord Puttnam (Lab)
It might surprise the noble Lord, Lord Black, to hear that I think his amendments are important and well worth discussing and crunching out. I listened to his speech very carefully. I will check Hansard tomorrow, but I think that he used the word “reasonable” about a dozen times. However, I ask him to consider that if he wants the sympathy of the House and of Parliament, he has to accept the fact that the reasonable expectations of reasonable people for the media to behave in a reasonable way is the way to go about this. Does he believe that the man on the Clapham omnibus would regard the current policy of apology and correction as remotely reasonable? If he is prepared to reconsider that and talk to the people with whom he works, perhaps there could be real movement here. IPSO does not necessarily have to become Impress but it can look at the obligations that have been placed on Impress and begin to behave accordingly.
Baroness Stowell of Beeston (Con)
My Lords, I rise in support of Amendment 172C, which refers to Clause 164(3)(c). I have no interest to declare but it might be helpful if I remind your Lordships that, prior to joining this House, I worked at the BBC for the best part of 10 years. For the majority of my time there, I worked in the area of governance and regulation, advising three successive chairmen.
I just want to make a couple of simple points. I have not been involved in this Bill so far but, when it was highlighted to me that it would introduce a clause that would, for the first time, bring into statutory regulation a facility for the pre-transmission involvement of regulators in broadcasting in this country, I was surprised—indeed, I was very worried. This is a very big change to our current set-up. Broadcasting is a very heavily regulated sector but it is regulated post hoc, not ex ante—I know that your Lordships like a bit of Latin.
When I worked at the BBC under the old governance regime, before Ofcom was set up and before the BBC became subject to Ofcom regulation, there was only one editor-in-chief at the BBC and he had the final say editorially. We have a former editor-in-chief sitting in his place here today. The governors, led by the chairman, were very clear that their responsibilities prevented them ever interfering in any programming pre-transmission, so even the governors did not involve themselves in programmes pre-transmission. When they had done so in the past, the result had been absolutely calamitous.
We should remember that we demand impartiality from broadcasters in this country. We set very clear and rigorous codes for them to follow and they take them very seriously. However, in order to ensure that there is impartial broadcasting in this country and to give our audiences confidence, in exchange we give broadcasters their independence. I worry that a very simple clause in the Bill, which may look quite innocuous, could put at risk something that is very important to us. I understand that the media can sometimes be arrogant and that they sometimes get things wrong, but we should make sure that we tackle them when they get things wrong rather than try to interfere and put at risk something which, as I said, is very precious to us in this country.
Lord Beith (LD)
My Lords, I simply want to speak about my noble friend’s Amendments 185E and 185F, which relate to custodial sentences. I apologise to the noble Lord, Lord Black. I missed the opening part of his speech as I was looking up the reference to which I now want to refer—the ninth report of Session 2010-12 produced by the House of Commons Justice Committee, of which I was then chairman. As noble Lords know, we took evidence from the Information Commissioner on a number of occasions. We said in the report that we shared,
“the Information Commissioner’s concern and dissatisfaction that no order has been brought before Parliament to implement section 77 of the Criminal Justice and Immigration Act 2008, which would have the effect of providing custodial sentences for breaches of section 55 of the Data Protection Act. Currently the only available penalty is a fine, which we feel is inadequate in cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, or where there is no deterrent because the financial gain resulting from the crime far exceeds the possible penalty”.
The point was made earlier that in some quarters—this is not particularly a media matter; it refers to many kinds of illicit information-gathering—meeting fines, should they be imposed, can be seen as a “trade expense”. So we said:
“We accept the Information Commissioner’s argument that the issue of custodial sentences for section 55 offences is not exclusively, or even primarily, an issue relating to the media and that the issue should be dealt with by Parliament without waiting for the outcome of Lord Justice Leveson’s inquiry”.
That illustrates just how long the matter has been going on and how unsatisfactory it is, to the point of disgraceful, that what Parliament has previously enacted remains not in force because of the lack of commencement.
Lord Stevenson of Balmacara (Lab)
My Lords, I apologise to the House because my voice is annoyingly masked. I urge noble Lords to put their hearing aids on because it might not last until I have said what I want to say.
Every now and then in this House, we have a debate of such importance and significance that the House behaves in a completely different manner from its normal routine. We have had that today. There is a sense of stillness, expectancy and interest that we do not always get, and it is important that we hold on to it because we are touching on some very important and deep issues. While we obviously need to deal with the narrow question of the amendments before us, I hope very much that the wider resonances of this debate might help unpick some of the difficulties that have been raised in our discussion and which are relevant in society today.
I am so taken by the debate we have had that I want first to mention to the House that our amendment in this group, which was laid as one of the first amendments, is an entirely “fake” amendment, if I may use that word. It is a probing amendment and does not mean anything. I can tell the House now that I will not be pressing it. I hope the Minister will do me the justice of not even bothering to respond to it because it has lost all relevance in the light of the issues that have been raised subsequently. My second point is a slightly cheeky one: since I am no longer involved with our amendment in this group and we do not have any names attached to any of the others, I will bring a completely new and independent view to the discussions. I hope that noble Lords will enjoy that.
I hope that the noble Lord, Lord Black, does not take this my final opening point the wrong way. I am not going to follow the line of the noble Lord, Lord McNally, and accuse him of crimes he is not going to commit, but this is so important that we need to come back to it in another place and at another time. I hope that he will understand that. I think that it probably needs a Bill of its own to get this right. We can discuss that later.
Okay. Trying to make sense of what we have in front of us—in this alphabet soup that we often have in complicated parts of Bills—I want to approach this in the following way. I said at Second Reading, and I repeated in the debate last week, that I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson. I do not think that anything said today should be withdrawn; it is really important stuff that needs to be resolved. But this is probably not the Bill to do that in and I will give some reasons for that.
The main worry that I have, and several noble Lords have mentioned this, is that we are talking about a package of measures that were the product of a particular time. For all the reasons that have been given, bits have succeeded and bits have not succeeded; bits have been implemented and bits have not been implemented, and I do not think that it is right for this Bill at this time to try to kick-start some of the bits that need to be looked at, particularly the amendments that relate to the Crime and Courts Act 2013. The speech of the noble Earl, Lord Attlee, was a very good introduction to those. He made a very good case for them. That case does need to be answered, but this is not the right place for that, so I do not support them.
I do not think that Amendment 179A works in the context that I am trying to sketch out. The case made by the noble Baroness, Lady Hollins, as always, was incredibly powerful and one’s heart reaches out to everything she says, which was also picked up by the noble Lord, Lord Low. We want to do something about this and we think that the way that the Government have treated Leveson 2 is a disgrace. It is a shameful way to behave, given the treatment of the victims. We must never forget that.
The third group of amendments here—the amendments of the noble Lord, Lord McNally—also makes very good sense. They are sensible amendments but, for the same reason, we should not continue with them today.
Lord McNally
The noble Lord is giving the Government a “get out of jail free” card, unless he has something else to say. There are areas in all these amendments that have massive implications for data and data protection. If they do not fit into the scope of a Data Protection Bill, where on earth will they fit?
Earl Attlee
My Lords, I would also like to have a little pop at the noble Lord. I understand his point that this is a Data Protection Bill and not something to amend the Crime and Courts Act. Of course, I experienced significant difficulties with the clerks trying to table an amendment to try to amend that Act. But if we had a suitable legislative opportunity—another criminal justice Bill—would the noble Lord’s party support an amendment to make Section 40 of the Crime and Courts Act commence forthwith?
Lord Stevenson of Balmacara
To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.
Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.
Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.
Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.
Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.
Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.
I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.
Lord Gordon of Strathblane (Lab)
Taking up the point made by the noble Baroness, Lady Stowell, does the Minister agree that we are introducing, for the first time, vetting of material before it is broadcast, a power that even Ofcom, the regulator set up by government for broadcasting, does not have? Ofcom regulates only after the event. Surely this is a dramatic new intervention.
Lord Keen of Elie
The noble Lord makes a perfectly good observation about this provision. It brings me to one of the questions posed independently and neutrally by the noble Lord, Lord Stevenson, on whether the provisions of the Bill as drafted simply implement the provisions of the 1998 Act or extend its provisions. The answer is that they do not change the regime found in the 1998 Act except in respect of Clause 164(3)(c). I acknowledge the significance of that provision and I am happy to look again at that issue in light of the expressions of concern I have heard from around the Committee about it.
Some noble Lords also questioned the need for the provision of assistance in special purposes proceedings. Under Clause 165, individuals who are a party, or a prospective party, to special purposes proceedings may apply to the commissioner for assistance in those proceedings. For the application to be accepted, the commissioner must be convinced that the matter is of substantial public importance. There is, as I have implied, an equivalent provision in the 1998 Act. I understand that it has only ever been used once. In my respectful submission, that in itself indicates the effectiveness of the provision. It is not necessary because people know it is there and can be relied on, but only if that very high test of substantial public importance is met. Therefore, we consider it appropriate to retain this as a safeguard for data subjects. It is, I respectfully suggest, an important contributor to maintaining the balance between privacy and freedom of expression that has to underlie all these provisions.
Amendment 179A, spoken to by the noble Baroness, Lady Hollins, would require the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. As I have mentioned, a consultation was launched to look at Section 40 of the Crime and Courts Act 2013, which also asked whether proceeding with part 2 of the inquiry was still appropriate, proportionate and in the public interest. As I stated previously, it is the Government’s intention to publish a response to that consultation by Christmas; therefore, we do not believe that this amendment is appropriate, given the decisions that are currently being taken on that matter.
Baroness Hollins
My Lords, the Minister stated that the response to the consultation will be published before Christmas. Can he further reassure the Committee that it will be published before Report so that noble Lords can reconsider their amendments?
Lord Keen of Elie
I am obliged to the noble Baroness. It is the Government’s intention that the consultation response should be published before Christmas. I cannot say that it will be published before Report but we will keep noble Lords advised of any decision with regard to a specific date for publication.
Baroness Hollins
If is not to be published before Report, would it be possible for me to meet the Minister to discuss these matters?
Lord Keen of Elie
I am certainly open to any meeting that the noble Baroness would wish to engage in to discuss these matters. In so far as I am able to inform her, and indeed the Committee, of developments, I will seek to do so.
Lord McNally
Just to be helpful to the Committee, if it was published after Report, does the Minister agree that it would be perfectly reasonable to have a Third Reading amendment to reflect whatever has come out of that response?
Lord Keen of Elie
With respect to the noble Lord, I am not the litmus test of reasonableness—at least, I have been told that in the past.
Lord Low of Dalston
Would the Minister perhaps agree that it would be highly advantageous to the Government—it would be in the Government’s interest—for the response to the consultation to be published before Report? If it is, its contents might well incline those of us who support these amendments to think again about them, whereas if we do not have the benefit of the Government’s response, we may be obliged to carry amendments that the Government would not wish to be carried.
Lord Keen of Elie
I quite understand the force of the noble Lord’s observations. Nevertheless, I am not in a position to say that the response will be available for publication before Report. I am afraid that we have to proceed on that basis. It may have consequences such as those set out by the noble Lord, and we will have to address those in due course. I am afraid that I cannot go further on this point.
Finally, I come to some of the observations of the noble Lord, Lord McNally, who spoke to his Amendments 185E and 185F. I begin by saying that I have no wish to disappoint either the gentleman on the Clapham omnibus or the noble Lord himself. Therefore, I will endeavour to address the questions that he raised as fully as I can. I take account of his commendable intention to peruse Hansard over breakfast and to come to a view as to whether or not I have fully responded to his points.
Amendments 185E and 185F seek to make the unlawful obtaining of personal data a criminal offence with a custodial sentence of up to two years under Clause 175. Of course we recognise the seriousness of any offence that is committed in this context. That is why it is important that proper thought is given to the introduction of any changes which would seek to put in place custodial penalties that could remove people’s liberty. Under the coalition Government, in March 2011, the noble Lord, Lord McNally, said that the Government would not commence prison sentences for Section 55 offences but would continue to keep the matter under review. At that time Ministers agreed to pursue non-custodial options, instead of a custodial option, including encouraging the use of the Proceeds of Crime Act 2002 and making the offences recordable. Indeed, it is this Government’s intention in this Bill that the offences should now be made recordable. That is addressed in Clause 178.
Again, this is one of those complex areas where we have to achieve a balance between competing rights and obligations. We believe that, for the reasons I sought to set out earlier, we are achieving the right balance with the provisions in the Bill. I hope that the noble Lord will feel open to not moving his amendment.
Lord McNally
My Lords, I will consider that point in a few moments, but I am much reassured that the noble and learned Lord has more respect for the man on the Clapham omnibus than he seems to have for BBC lawyers. That is a step forward.
Lord Keen of Elie
No inference can be drawn regarding the considerable respect in which I hold the legal advisers of the BBC.
Viscount Colville of Culross
If I may put the record straight, it was not a BBC lawyer who advised me.
Lord Keen of Elie
My respect for all lawyers remains undiminished.
As the noble Lord, Lord Stevenson, observed, some issues of fundamental importance underlie this; I refer not just to press freedom but to fundamental rights. I therefore have welcomed the contributions to this debate, but I hope that at this time the noble Lord, Lord Black, will feel it appropriate to withdraw his amendment.
Earl Attlee
Can the noble and learned Lord tell us of any precedent for a Government undertaking a consultation exercise before commencing a provision in a recent Act of Parliament?
Lord Keen of Elie
I am not immediately reminded of any precedents, but principle often caps precedent.
Lord Black of Brentwood
My Lords, I thank all those who have taken part in this thoughtful and important debate—despite the fact that it is the first time I have been likened to someone who has murdered his parents, thwarted the will of Parliament and, according to the noble Lord, Lord Puttnam, is the personification of all the sins of the media. I regret that, given the seriousness of the issues for the academic, literary and artistic worlds, we have yet again had a debate which has largely been dominated by press regulation. We have been round this course so many times that even Sir Mo Farah would have been exhausted by now.
I am inclined to agree with the noble Lord, Lord Stevenson, that this is not really the place to debate press regulation. We should wait to see what the consultation says. Like other noble Lords, I am grateful for confirmation from the noble and learned Lord that we will have a response by Christmas.
There were two very important speeches. The noble Baroness, Lady Stowell, talked about the profound change—I shall get my bit of Latin in again—from post hoc to ex ante. We cannot underestimate the scale of the impact of that across the media, and it is right that the noble and learned Lord should look at that. The noble Viscount, Lord Colville, also made some very powerful comments about the serious implications for investigative broadcast journalism. His point about how the Armstrong Sunday Times case would have been impacted by the Bill was a vivid example of the mischief that currently sits in it.
I am very grateful to the noble and learned Lord for saying that he will look at the issues raised, particularly by Amendments 163, 164A and 170B, and also at Clause 164(3)(c). It has caused concern around the Committee, and he confirmed that it is a change since the 1998 Act that will have profound implications. On that note, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
( ) has failed to comply with an information notice, an assessment notice or an enforcement notice,”
Lord Ashton of Hyde
(3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.”
Lord Ashton of Hyde
The Deputy Chairman of Committees (The Countess of Mar) (CB)
I cannot call Amendment 170, as it is an amendment to Amendment 169.
Lord Hunt of Wirral
Lord Hunt of Wirral (Con)
My Lords, I declare my interests as set out in the register, in particular as a partner in the global commercial law firm DAC Beachcroft LLP and as chair of the British Insurance Brokers’ Association.
In debates on the Financial Guidance and Claims Bill, yesterday and on previous days, noble Lords from all sides of the House expressed profound concern and distaste about the damage wreaked by the so-called compensation culture. What is now widely, perhaps universally, recognised is that the compensation culture is driven not by the legitimate claims of those who have been genuinely wronged and suffered damage or loss but by an utterly cynical industry that operates as a fast-moving profit-driven roadshow, exploiting every possible weakness in legislation and every loose judgment of the courts. The compensation system is like a roof that will always leak and this compensation roadshow, motivated purely by financial gain and entirely heedless of the damage it wreaks upon society, is like the relentless rain that will find every crack and gap—even the tiniest hole—and just pour in. Some years ago, I discussed this matter with a senior senator in the United States. I shall never forget his words to me: “The compensation culture is destroying the civility of civil society”.
Lord Lucas (Con)
My Lords, I entirely support my noble friend’s amendment. We have got ourselves into a complete mess in this country on insurance, and motor insurance is a pretty good example. Premiums in this country are about double what they should be. They are the highest in Europe, above even Italy, because of a level of fraud that we encourage by our legislation and by the lack of action from successive Governments to do anything about it. We can see the size of the problem that this clause will generate, if unamended, by what has happened in motor insurance. It leaves an open door to an enormous number of claims management companies, of which 500 or so were seriously active the last time I looked. It is a really big, profitable industry, and it will push into a hole like this with no difficulty at all.
We took a bit of action a while ago on whiplash injuries. Fine, whiplash injuries are down, but rocketing upwards now is, “Oh, I had this crash and now I get a buzzing in my ears”. It is wonderful—a disease which has suddenly appeared from nowhere because the claims management companies need an opportunity to push in here. We must realise what is happening. I hope we will get around to dealing with the general problem at some stage, but to open another door to these people is just foolish.
Lord Griffiths of Burry Port (Lab)
My Lords, I thank the noble Lord for his eloquent disquisition, which made me much more aware of the issues than I was before. I have no problem in aligning myself with the two points of view that have just been expressed. I had come to the conclusion partly myself, but to be told that the wording is not in the equivalent article in the European GDPR just adds to my simple conclusion that the words “other adverse effects” add precisely nothing but open a potential cave of dark possibilities. The rain of the noble Lord’s eloquence has found a crack in my roof, and I am very happy to align myself with his remarks.
Baroness Neville-Rolfe (Con)
I also share the concerns expressed by my noble friend Lord Hunt, based on my experience, both in government and in a number of different businesses. We have the experience not only of the motor sector, which has been talked about, but obviously of PPI, where there was compensation that needed to be paid, but the whole business took years and generated not only claims management companies but also nuisance calls and lots of other harms. This is an area that one has to be very careful about, and I support looking at the drafting carefully to see what can be done, and at my noble friend’s idea of trying to estimate the economic impact—the costs—in terms of those affected. That would help one to come to a sensible conclusion on what is appropriate in this important Bill.
Baroness Chisholm of Owlpen (Con)
My Lords, I thank my noble friend Lord Hunt for explaining Amendment 170A and other noble Lords who have spoken. The amendment seeks to clarify the definition of “damage” provided by Clause 159 and its relationship to the language used in article 82 of the GDPR. This is important because article 82 of the GDPR provides a right to compensation when a person has suffered damage as the result of an infringement of the rights during the processing of their personal data.
Currently, the type of damage that can be claimed is broader under article 82 than Section 13 of the 1998 Act, as article 82 expressly extends to “non-material” damage. As a result, in drafting the Bill, the Government considered that some definition of “damage” was necessary, including specifying that it extends to distress, to provide clarity and certainty for data subjects and others as to their rights under article 82.
I stress that Clause 159 does not seek to provide a wider definition of “damage” than is currently provided in the GDPR, and nor indeed could it. The intention is simply to clarify the GDPR’s meaning. My noble friend Lord Hunt asked what estimates have been made of the financial consequences of the increase in litigation, but as Clause 159 does not provide a wider definition of damage there will be no financial consequence.
The concept of “damage” included in the GDPR reflects developments in case law over a period of some years. As such, I cannot agree with my noble friend’s suggestion that the Bill or the GDPR will suddenly unleash a free-for-all of claims. However, I am happy to reflect on my noble friend’s point that the Bill’s use of the term “other adverse effects” may unintentionally provide uncertainty rather than clarity. With the reassurance that I will go away and look at that, I hope my noble friend feels able to withdraw his amendment.
Lord Hunt of Wirral
My Lords, I am very grateful to my noble friend Lord Lucas. Together we have been trying to ensure that real victims get justice but that we do not create a market for those who fasten on to discomfort and distress to make money themselves, often with no qualifications at all in the whole arena. That is why I believe my noble friend is so right when he says we have to scrutinise everything that we pass now to ensure that it does not open the door to further claims.
I thank the noble Lord, Lord Griffiths of Burry Port, for his very kind remarks, which I much appreciate—whether I have penetrated his roof, as he described it, I am not quite sure, but I certainly got through and I am grateful to him for acknowledging that. I also thank my noble friend Lady Neville-Rolfe, with her great experience in the private and commercial sector. It is right to remind ourselves of what has happened in the past and ensure that we do not create the same problems for ourselves in the future.
I am of course grateful to my noble friend the Minister; I believe my noble friend Lady Chisholm of Owlpen has given me all I was hoping for in the context of this debate in Committee. I would just like her to question those who drafted these words over whether they are right in saying, “All it does is clarify”. It does not. Why do we need to add words that are not there in the first place? I understand that we need to rectify Section 13 of the 1998 Act in light of the new legislation, but can we please find a better way to do so without at the same time opening the door to all these additional claims that might well arise unless we are vigilant and stop them before the legislation becomes part of an Act of Parliament? I am grateful to the Minister and beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.
Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.
The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.
Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,
“must set standards by which a data controller is required to anonymise personal data”.
There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.
The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.
At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.
The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.
There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.
Lord Clement-Jones (LD)
We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
Baroness Neville-Rolfe
I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.
The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.
The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.
I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.
I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.
Lord Lucas (Con)
I very much support what my noble friend has just said. The noble Lord, Lord Stevenson, has tried to give an exemption for researchers, but a lot of these things will happen in the course of other research. You are not spending your time solely trying to break some system; you are trying to understand what you can get from it, and suddenly you see someone you know, or you can see a single person there. It is something that you can discover as a result of using the data; you can get to the point where you understand that this is a single person, and you could find out more about them if you wanted to. If it is a criminal offence, of course, you will then tell nobody, which rather defeats the point. You ought to be going back to the data controller and saying that it is not quite right.
There are enormous uses in learning how to make a city work better by following people around with mobile phone data, for instance, but how do you anonymise it? Given greater computational power and more datasets becoming available, what can you show and use which does not have the danger of identifying people? This is ongoing technology—there will be new ways of breaking it and of maintaining privacy, and we have to have that as an active area of research and conversation. To my mind, this clause as it presently is just gets in the way.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.
Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.
As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.
It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.
I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.
Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.
Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.
Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.
Lord Clement-Jones
My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.
Lord Ashton of Hyde
If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.
Lord Clement-Jones
That may have been the original intention, but perhaps it was never put properly into effect.
Lord Ashton of Hyde
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
Lord Stevenson of Balmacara
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
Baroness Neville-Rolfe
My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.
Lord Ashton of Hyde
I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.
Lord Kennedy of Southwark
“( ) In this section, a request made by a data subject under subsection (1)(a) includes, but is not limited to, requests about reviews written by a third party about workers.”
Lord Kennedy of Southwark (Lab Co-op)
My Lords, Amendment 170J, which stands in my name and that of my noble friend Lord Stevenson of Balmacara, seeks to address an issue that I am not convinced is sufficiently covered in the Bill as it stands.
Freelance workers or self-employed people—whatever you want to call them—offering a range of services and seeking work through various platforms, have sprung up in recent years. In many cases, their customers are able to rate them and the work they have done. However, these individuals often find that they cannot take that rating information with them if they move on to another platform. The reviews are written by third parties, who rate the quality of the work, and understandably it is very valuable to the trades- persons if they can carry those reviews forward with them.
This is a very strange situation. Various companies often maintain that they do not have employees and that they are merely acting as a platform, a noticeboard or a portal where people can find tradespersons. However, those tradespersons then find that it is not very easy to take information about them with them when they move on. This is intended as an enabling amendment to put on the face of the Bill that data subjects have the right to take with them the information written about them by third parties when they move on to another platform.
At this stage, this is obviously a probing amendment but I am keen to hear what the noble Lord has to say about this issue. It is important for the people concerned—if you have done a good job, you want to take recognition of that with you. I look forward to the noble Lord’s response.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.
This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.
The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.
It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.
I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.
Lord Kennedy of Southwark
I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.
Lord Ashton of Hyde
If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.
Lord Kennedy of Southwark
I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
(a) proceedings under section 158 (including proceedings on an application under Article 79 of the GDPR), or(b) proceedings under Article 82 of the GDPR or section 160 .”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Clement-Jones
Lord Clement-Jones
My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,
“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.
The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.
Baroness Chisholm of Owlpen
It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.
This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.
There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.
Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.
It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I thank the Minister. She will not need to spend very long reading my contribution in Hansard, as she will appreciate, but I pledge to read what she had to say. The interplay with the Access to Medical Reports Act may be of some importance in this, but on both sides we may need to reflect a little further. The case being made is that, because the NHS is making more information available about the use of patient records, it may be appropriate to change the legislation, which, as the Minister said, may have been fit for purpose for a period of time but now, in the light of new circumstances, may need changing. Indeed, it may not be “hypothetical” any more, to use her word. I will reflect on what the Minister said, but if there is scope for further improvement of the clause, I hope that it might be considered at a future stage. In the meantime, I beg leave to withdraw the amendment.
“( ) In relation to the processing of personal data to which the GDPR applies, Article 80(2) of the GDPR (representation of data subjects) permits and this Act provides that a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate, under—(a) Article 77 (right to lodge a complaint with a supervisory body);(b) Article 78 (right to an effective judicial remedy against a supervisory authority); and(c) Article 79 (right to an effective judicial remedy against a controller or processor),of the GDPR if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.”
Lord Stevenson of Balmacara
My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,
“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.
I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.
Lord Stevenson of Balmacara
It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.
I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.
Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.
The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.
The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.
However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.
Lord Clement-Jones
My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.
I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.
The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.
I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.
Baroness Jones of Moulsecoomb (GP)
My Lords, I support Amendment 184. As the noble Lord, Lord Stevenson, said, the GDPR does allow not-for-profit organisations to lodge complaints about suspected breaches of data protection without needing the authorisation of the individuals concerned. I really do not understand why this has been taken out; it is such an important piece of legislation that gives teeth to data protection. Most people do not have the time or the inclination to lodge complaints against data controllers. So many organisations are now holding data about us that it is ridiculous to suggest that individuals can become data detectives responsible for finding out who holds data on them and trying to work out whether that data is being processed in accordance with data protection rules.
I went through the hassle of getting my own subject access request from the Met police. It took a lot of form filling and cost me £10, which was absolutely not money well spent because the file, when I got it, was so redacted. I did ask for my money back but was not given it. That shows me that most of us will not know that data about us is being held—so the amendment is extremely valid.
Despite my opposition to some provisions in the Bill, I accept that it is very important. However, it is equally important that we get it right and that we do not have all these derogations which mean that it has less authority and power. Personally, I think that the amendment strengthens the data protection regime without any hassle for consumers. I hope that the Government will include it in the next iteration of the Bill.
Baroness Kidron (CB)
I, too, support the amendment. One thing that we can all agree on is that data regulations is a complex and highly technical area of the law. As the Bill stands, it asks members of the public to become experts on the subject, which actually creates a significant barrier to its successful implementation. My particular and declared interest in the Bill is the rights of children. It is a pervasive myth in the digital environment that all users are equal. That is a category error, because if all users are equal, children are treated in the digital environment as adults and their long-established rights and privileges do not then apply. So it is on behalf of that demographic that I want to say specifically that this amendment is very important.
Without the amendment, a child would be expected to take on the very adult responsibility of being a named complainant in a regulatory or judicial complaint for a breach of data law. In the case of a child, such a complaint is very likely to be made against a multimillion or indeed multibillion dollar corporation. That cannot be, in anybody’s mind, a fair fight. While the noble Lord’s amendment and indeed the GDPR are designed to benefit all users, I point out that the amendment usefully aligns with the recommendation made by the Children’s Commissioner and the House of Lords Communications Committee that children urgently need champions in the digital environment.
We have seen special provision being made in the Bill for libraries, archivists, the insurance industry, security and intelligence, and possibly even for journalists this evening. Given that, I am waiting for the Government to concede that, like all these other special needs groups, children are data subjects with specific needs. One of those needs is to have an informed advocate if they have a complaint. So, although I do not think that the amendment would adequately fulfil that role, because I would like to see something more formal, it would at least go some way to providing support for children should they have a complaint.
Lord Lucas
My Lords, without these amendments, I do not see how the Bill can provide an adequate remedy when a large number of people suffer a small degree of damage.
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.
With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.
Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.
Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.
More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?
We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.
I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.
Lord Ashton of Hyde
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
Lord Stevenson of Balmacara
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
“Framework for Data Processing by GovernmentFramework for Data Processing by Government
(1) The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—(a) the Crown, a Minister of the Crown or a United Kingdom government department, and(b) a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.(2) The document may make provision relating to all of those functions or only to particular functions or persons.(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.(4) The Secretary of State may from time to time prepare amendments of the document or a replacement document.(5) Before preparing a document or amendments under this section, the Secretary of State must consult—(a) the Commissioner, and (b) any other person the Secretary of State considers it appropriate to consult.(6) Regulations under subsection (1)(b) are subject to the negative resolution procedure.(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”
Lord Ashton of Hyde
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.
Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.
All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.
The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.
Lord Kennedy of Southwark
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
Lord Clement-Jones
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
Lord Ashton of Hyde
My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.
Lord Ashton of Hyde
“Approval of the Framework
(1) Before issuing a document prepared under section (Framework for Data Processing by Government), the Secretary of State must lay it before Parliament.(2) If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.(3) If no such resolution is made within that period—(a) the Secretary of State must issue the document, and(b) the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.(4) Nothing in subsection (2) prevents another version of the document being laid before Parliament.(5) In this section, “the 40-day period” means—(a) if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or(b) if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.(6) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.(7) This section applies in relation to amendments prepared under section (Framework for Data Processing by Government) as it applies in relation to a document prepared under that section.”
“Publication and review of the Framework
(1) The Secretary of State must publish a document issued under section (Approval of the Framework)(3).(2) Where an amendment of a document is issued under section (Approval of the Framework)(3), the Secretary of State must publish— (a) the amendment, or(b) the document as amended by it.(3) The Secretary of State must keep under review the document issued under section (Approval of the Framework)(3) for the time being in force.(4) Where the Secretary of State becomes aware that the terms of such a document could result in a breach of an international obligation of the United Kingdom, the Secretary of State must exercise the power under section (Framework for Data Processing by Government)(4) with a view to remedying the situation.”
“Effect of the Framework
(1) When carrying out processing of personal data which is the subject of a document issued under section (Approval of the Framework)(3) which is for the time being in force, a person must have regard to the document.(2) A failure to act in accordance with a provision of such a document does not of itself make a person liable to legal proceedings in a court or tribunal.(3) A document issued under section (Approval of the Framework)(3), including an amendment or replacement document, is admissible in evidence in legal proceedings.(4) In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of any document issued under section (Approval of the Framework)(3) in determining a question arising in the proceedings if—(a) the question relates to a time when the provision was in force, and(b) the provision appears to the court or tribunal to be relevant to the question.(5) In determining a question arising in connection with the carrying out of any of the Commissioner’s functions, the Commissioner must take into account a provision of a document issued under section (Approval of the Framework)(3) if—(a) the question relates to a time when the provision was in force, and(b) the provision appears to the Commissioner to be relevant to the question.”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)
1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)
2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)
5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)
9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)
14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)
17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)
18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)
19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)
21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)
22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)
23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)
24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)
25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)
26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)
27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)
33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)
34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)
44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)
45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)
49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)
53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)
57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)
58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)
65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)
66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)
69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)
72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)
73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)
76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)
77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)
78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)
81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)
82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)
83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)
84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)
85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)
86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)
87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)
90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)
93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)
96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)
105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)
109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)
110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)
111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)
114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)
115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)
116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)
117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)
118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)
119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)
120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)
123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)
125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)
126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)
127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)
128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))
131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)
132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)
136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)
140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)
141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))
144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)
145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)
147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)
148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)
149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)
150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)
151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)
152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))
153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)
158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)
159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))
167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))
168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)
171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)
172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)
173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)
176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)
186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act
187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)
192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)
201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)
203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule
205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”
Lord Clement-Jones
My Lords, looking at the amendments and new Schedule 18 is rather like looking for a needle in a haystack, but I hope that the Minister received some notice of what I was going to raise. If not, as ever, I hope that he will helpfully write to me. In paragraph 42 of new Schedule 18, there is a reference to an amendment to Section 77 of the Freedom of Information Act. It deletes any reference to,
“section 7 of the Data Protection Act 1998”.
That is a deletion of a summary offence, which is rather baffling to many of us. It is about not keeping records. Many of us thought that, since there have been very few or no prosecutions under that section of the Freedom of Information Act, the answer would perhaps have been to ratchet up the penalty. At the moment, it is only a summary offence. Therefore, there is a six-month time limit, and it is difficult to get the information to hand in that period. If it was made a more serious offence, it would be rather more straightforward to prosecute in those circumstances. The Government, however, seem to have swept this off the statute book, buried in new Schedule 18. I hope that the Minister when he writes will elucidate clearly and perhaps say that in another part of the forest a criminal offence still lurks.
Lord Ashton of Hyde
My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.
Lord Ashton of Hyde
“( ) Where there is a power to extend a part of an Act by Order in Council to any of the Channel Islands, the Isle of Man or any of the British overseas territories, the power may be exercised in relation to an amendment or repeal of that part which is made by or under this Act.”
Lord Ashton of Hyde
Data Protection Bill [HL]
Monday 11th December 2017
(7 years, 3 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
15:52 - Division on Amendment 1 - Ayes: 172 / Noes: 139 - Amendment 1 agreed.
Lord Ashton of Hyde
“Protection of personal data
(1) The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—(a) requiring personal data to be processed lawfully, on the basis of the data subject’s consent or another specified basis,(b) conferring rights on the data subject to obtain information about the processing of personal data, and(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.(2) When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.”
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, it is with some degree of anticipation that I open the debate on the first day of Report on this Bill with amendments relating to the EU Charter of Fundamental Rights. While we have, in the great tradition of this House, managed to discuss and settle many of our differences over recent weeks while debating this legislation, it was this topic, concerning the charter, where we first found ourselves at odds, really since arguments at the other end of the Palace were sent here to tease us.
Since we last considered this matter, the European Union (Withdrawal) Bill has been making progress in the other place. On 21 November, there was an extensive debate on the future of the charter. My honourable friend the Minister of State for Justice and my honourable friend the Solicitor-General explained at length that the charter is not the original source of the rights contained within it; it was only intended to catalogue rights that already existed in EU law. Those rights, codified by the charter, came from a wide variety of sources, including the treaties, EU legislation and, indeed, case law, which recognised fundamental rights as general principles. All those substantive rights, of which the charter is a reflection not the source, will already be protected in domestic law by the European Union (Withdrawal) Bill. It is not necessary to retain the charter in order to protect such substantive rights.
Last week, on 5 December, the Government published a detailed memorandum setting out how each article of the charter will be reflected in UK law after we leave. That document explains in detail how the right to data protection is already reflected in our law. The Government are well aware of the economic benefit of ensuring that, once we have left the EU, we preserve the free flow of personal data with our main trading partners. Indeed, that is one of the guiding principles that underpins this legislation. On 7 August, when we published our statement of intent before we introduced this Bill, we set that out clearly, and we have repeated this time and again. Every amendment that noble Lords have proposed to this Bill has to be considered against that key test. Will it support or will it harm our arguments that we have wholly implemented the necessary data protection reforms to support the free flow of personal data?
There is no doubt in our minds that we have fully implemented the right to data protection in our law. No one has convincingly put forward any counter argument. None the less, our Amendment 1 is designed to provide additional reassurance on this point. Not only will it be clear in the substance of the legislation and all of the statements and announcements around the legislation; it will also be written into the Bill. This Bill exists to protect individuals with regard to the processing of personal data. Personal data must be processed lawfully. Individuals have rights, and the Information Commissioner will enforce those. The Bill does what it says on the tin.
Lord Stevenson of Balmacara (Lab)
My Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.
I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.
It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.
By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.
Baroness Ludford (LD)
My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.
Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,
“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.
Is the Minister able to elucidate what that caveat leaves out? What would not be possible?
In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,
“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,
including the,
“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.
So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.
As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.
On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.
Lord Pannick (CB)
My Lords, the Minister said that Amendment 1 is designed to provide reassurance that existing EU law rights are fully protected under the Bill. I, too, welcome the Minister’s assurance that further work will be done on this amendment prior to Third Reading. I will suggest four points that need to be considered and included in this amendment.
First, subsection (1)(a) of the proposed new clause refers to the need for data “to be processed lawfully”, but it does not refer to the obligation under Article 8.2 of the charter for data also to be processed fairly. That needs to be included.
Secondly, Amendment 1 does not refer, in subsection (1)(b), to the right to have personal data rectified. Again, that right is conferred by Article 8.2 of the charter.
Thirdly, the government amendment uses weak language in subsection (2), which says that,
“the Commissioner must have regard to”,
and uses “taking account of”. The Minister will know that Article 52 imposes a much tougher standard for limitations. It is a test of necessity, which is echoed in Amendment 2 in subsection (6).
Fourthly, government Amendment 1 makes no mention of the principal of proportionality. Again, that is an important element of Article 52.1 of the Charter, which, again, is mentioned in Amendment 2.
If the objective of the government amendment is to echo the rights that are currently enjoyed under the charter, these issues need to be further considered and, I hope, can be included in the redrafted Amendment 1 that the Government will bring forward at Third Reading.
Lord Faulks (Con)
My Lords, I do not wish in any way to spoil the degree of harmony that appears to have grown up over these issues in Amendments 1 and 2. When I looked at both amendments, I was not convinced of the need for either. If, as the Minister rightly says, Amendment 1 does not create any new rights, given that we have a Bill of 242 pages with a number of complex provisions, it seems surprising that we need to restate the principles. Of course, if we restate them, we run into the danger of attracting the attention of the noble Lord, Lord Pannick, who can say, “If you’re going to restate the principles, you may restate them rather better”. Surely it is much more desirable to specify precisely what the Bill is intended to do in those bespoke provisions rather than resort to generality, which inevitably has imprecision.
On Amendment 2, I am not a great fan of the European Charter of Fundamental Rights. The position of the party opposite when it was first advanced was entirely correct: it should not add rights to any protection that already exists in our law. On this so-called right to protection of personal data, if an amendment is to be introduced at this rather late stage of the proceedings, surely the first question is: does it add clarity to the Bill? It does not. Does it provide better protection, doing something that is otherwise not covered by the Bill but ought to be? If that is the case, let us by all means have an appropriate amendment. Why does it not provide clarity? These provisions must ultimately be interpreted by a court, as is recognised by proposed new subsection (7) in Amendment 2, which invites the court to,
“take into account any relevant judgment, decision, declaration or advisory opinion of the … Court of Justice of the European Union; and … European Court of Human Rights”.
Interestingly, the word “must” is used rather than “may”, which is the way that Section 2 of the Human Rights Act invites courts to have regard to the jurisprudence of the Strasbourg court. So a court is going to have to try to make sense of the relevant decision judgment of the Court of Justice of the European Union or the European Court of Human Rights. The ECHR does not have quite the same system of precedent that we have, and courts have often found it difficult to distil from the jurisprudence precisely what they should or should not be following. What if there were a difference between the interpretation of the Court of Justice of the European Union and the ECHR? That would provide further difficulties for a court.
Lord McNally (LD)
My Lords, I follow with some trepidation my successor at the Ministry of Justice, the noble Lord, Lord Faulks. I do so because, for the three years before he took up his office, I was the Minister of State at the Ministry of Justice who had responsibility for the negotiations around the GDPR in its early stages. It is interesting that this debate reflects very much the early gestation of the GDPR. At that point, there was a very clear division between what I would describe as the Anglo-Saxon approach—which the noble Lord, Lord Faulks, has expounded—and the continental approach. I suspect that is something that has bedevilled our approach to law-making in the EU over 40 years.
The truth of the Anglo-Saxon approach is this: of course we believe in these things, and if we look here, there and everywhere we will find that they are all covered; but hold that against points made by people who have only very recently experienced the power of the state and its abuse of the law by the Stasi and others. They want a much clearer definition that can be clearly observed. Thanks mainly to the hard work of my noble friend Lady Ludford in the European Parliament, we got a GDPR that was not overprescriptive in that direction but satisfied those very real concerns. We are at the same point again in this Bill.
Of course the noble Lord, Lord Faulks, is undoubtedly right about the various guarantees found in this and other legislation, but the politician in me says that if we are to get the adequacy we want in due course, we must not—to use a phrase of an old mentor of mine, Joe Gormley—build platforms for malcontents to stand on. We must not leave in everybody’s mind the question of why they did not want this in the Bill, when it is such a clear statement of their beliefs and our beliefs.
To revert to my old job as a political adviser, my advice to the Minister is this. In doing what he has been asked to do—to withdraw the amendment—he should work with the amendment tabled by the Opposition and bring through at Third Reading something that will cover our Anglo-Saxon desire to see these things in law but also reassure in a very political way those who have genuine concerns and want to see us carry out and stand by these responsibilities.
Lord Mackay of Clashfern (Con)
My Lords, I find this situation slightly difficult because it looks to me as though what is wanted is to say that there is something in the charter that is not already in the Bill; otherwise it does not seem very much to the point. If it is already in the Bill, the two proposed new clauses—which are not intended to be additional but optional—are unnecessary. If it is not in the Bill, surely we should put it in the Bill and not leave it. I do not know whether I am Anglo-Saxon, Celtic or what, but I do not distinguish between these various matters. As for being political, I am not sure that I want to be that either.
I want the Bill to be as precise as it can be in a difficult area. Both the government amendment and the opposition amendment strike me as vague. I will say a few words about the opposition amendment because the government amendment, as the Minister says, is not intended to confer any new rights. That is a clear situation. Proposed new subsection (5) of the opposition amendment states:
“Restrictions on the rights of a data subject and any limitation on the exercise of the right to the protection of personal data under this section must be provided for by legislation”.
I would like to see it stopping there. I do not see how you can start to judge the legislation that has already been passed by considering whether it respects the essence of that right. If it does not, it should not have been passed as legislation.
Proposed new subsection (6) has the same effect. It states:
“Subject to the principle of proportionality, the restrictions and limitations under subsection (5)”—
these are restrictions brought in by statute, according to subsection (5)—
“may be made only if they are necessary to support a democratic society”,
and so on. I think I know where that comes from. The point is that if that is right, it should not be in the legislation. This is a requirement about the nature of the legislation which, on the theory of proposed new subsection (5), has already been passed.
It is not appropriate for the Bill to try to control legislation which, according to this, does not seem to have been passed, unless it is already in this Bill, in which case we should accept it.
Lord Ashton of Hyde
My Lords, I turn first to the amendment of the noble Lord, Lord Stevenson. During the course of the Bill I met the noble Lord frequently, both formally and informally. When I met him two weeks ago he told me that he was working on his Amendment 2 and he had a look of foreboding about him. He said, “Wish me luck”. I had sympathy with his position—I almost felt sorry for him—because this is a legally and constitutionally complex area. Amendment 2 reads well—it sounds attractive and has seductive packaging—but when taken out of that packaging and slotted into this Bill it is not only ineffective but damaging. It is rather like pouring diesel into a petrol engine.
The amendment makes great play of creating a new and freestanding right. Unlike the government version it is not framed within the context of the Bill. It is a wider right. Indeed, it is far wider even than article 8 of the charter. It is not constrained to the context of EU law but applies to everything. It is attractive, perhaps, but it is seriously problematic.
How is the court to interpret this new right? If this was in the context of the Human Rights Act, there is a framework within which to operate, so if a court finds primary legislation to be incompatible with a convention right, it will make a declaration of incompatibility. The Human Rights Act sets out the effect of that finding on the validity, continuing operation and enforcement of the legislation. This simply would not exist if we were to agree Amendment 2, so the consequences of any finding would be unclear. That could create legal, regulatory and economic chaos.
How would data controllers operate if they could not tell whether the apparently incompatible legislation they were operating under was still effective or not and there was no mechanism to fill any gap? What if the courts found parts of the GDPR incompatible with this new super-right? Rather than enabling the free flow of data we could be crippling it. Further, how would the courts approach other legislation in light of this new right and how would they approach other rights? Could this new right be balanced against other rights, and if so, would it carry additional weight?
Apart from these legal problems, in our view Amendment 2 is simply unnecessary. The general principles of EU law will be retained when we leave the EU by the European Union (Withdrawal) Bill for the purposes of interpretation of retained EU law. The GDPR will be retained. Indeed, this Bill firmly entrenches it in our law. The right to protection of personal information is a general principle of EU law and has been recognised as such since the 1960s. The European Union (Withdrawal) Bill requires our courts to interpret the GDPR consistently with the general principle reflected in article 8, and with retained CJEU case law so far as it is possible to do so. In that context, the jurisprudence of the CJEU will continue to have influence in much the same way as the judgment of a court in Australia might have an influence on how common legal principles should be applied.
The amendment also refers to the status of judgments of the European Court of Human Rights. This is completely unnecessary and unwelcome. Section 2 of the Human Rights Act already requires our courts to take into account relevant judgments of the Strasbourg court. If we write this here, where else must we write it? We do not want to cast doubt on our absolute and total respect for human rights on any issue, not just data protection. The Government have reaffirmed and renewed our commitment to human rights law. It is reflected through UK national law as well as in a range of domestic legislation that implements our specific obligations under UN and other international treaties, from the convention against torture to the Convention on the Rights of the Child. Of course, the principal international treaty most relevant to the UK’s human rights laws is the European Convention on Human Rights. I am happy to repeat the commitment made by my fellow Ministers in recent months that the Government are committed to respecting and remaining a party to the ECHR. There will be no weakening of our human rights protections because we are leaving the EU.
All of these issues interlink. Article 6 of the Treaty on European Union makes clear that due regard must be had to the explanations of the charter when interpreting and applying it. The explanations for article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection.
It is easy to conclude that we are spiralling in circles on this matter, and in a sense, we are. We believe that there is simply no problem here of any substance. The right to data protection is fully implemented in our law and it is fully enforceable. Government Amendment 1 makes it clear that this is the case. While Amendment 2 seeks to do the same it trips and falls, creating confusion rather than the clarity the noble Lord is after. So I hope that he will feel able to withdraw his amendment. I wish to press government Amendment 1. As the noble Lord, Lord Pannick, said, we are seeking to provide reassurance. I said at the beginning that we would remain open for discussions on this, and if we can provide any further reassurance, taking into account some of the four points made by the noble Lord, Lord Pannick, we will do so.
The noble Baroness, Lady Ludford, gave a long explanation of why adequacy is important and some of the extra issues that will be taken into account when we have to approach an adequacy decision from the EU, including for example areas of law which at the moment are not susceptible to EU jurisdiction, such as national security. I agree completely that that will be taken into account when we go for an adequacy arrangement. That is exactly why we have tried to apply the GDPR principles to all our laws, so that we have a complete and systematic data protection regime. On that basis, I accept the four questions asked by the noble Lord, Lord Pannick. We will consider those issues in the discussions.
Baroness Ludford
I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?
Lord Ashton of Hyde
I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.
The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.
Lord Pannick
Does the Minister also agree that a further answer to the points made by the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay of Clashfern, is that it is absolutely inevitable that the detailed provisions of the Bill will be, on occasion, the subject of dispute, uncertainty and litigation, and that it would be very helpful to have a statement of principle on what is intended at the commencement of the Bill? This would not be the first time that a Bill has done that. Everybody would then know what the principles were. Of course, the Minister still needs to consider before Third Reading what that statement should be, but that is the point, as I understand it, of government Amendment 1.
Lord McNally
Why does the Minister feel it so necessary to push ahead with his amendment when it is quite clear that the best and most constructive way forward would be for both amendments not to be pressed to allow constructive discussion and resolution at Third Reading?
Lord Ashton of Hyde
Government Amendment 1 provides a basis for the discussion that we will have before Third Reading. Of course, I accept that it could be amended at that stage.
As for the remarks of the noble Lord, Lord Pannick, I will have to read my noble friend Lord Faulks’s words. I was not entirely sure that he was as supportive as the noble Lord feels, but I may have misinterpreted him.
Lord Pannick
As I understand them, both the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay, doubt the need for any amendments of this sort. I am suggesting to the Minister that there is a real need for a statement of principle—that is all.
Lord Ashton of Hyde
I thank the noble Lord. As I said in Committee, we too saw no need for this. The Government have moved because they are always listening and we hope that we can make this more acceptable. I will read what was said by the noble Lords, Lord Pannick and Lord McNally, and my noble friend Lord Faulks, but I would like to press my amendment so that we might have it as a basis for further discussion before Third Reading.
Lord Stevenson of Balmacara
My Lords, the Minister has received quite a lot of comment from around the Chamber on this and I made it clear in my opening remarks that I though the best solution was to have neither amendment. If we are to have a genuine discussion, it does not seem helpful to have in the Bill the wording which the Minister has alighted on at this stage in his conversion. It would be much better to start with a blank sheet and try to work to a common solution. I beg him to reconsider his view and withdraw his amendment; I will not press mine. We could then move to Third Reading with a clean slate.
Lord Ashton of Hyde
My Lords, I understand what the noble Lord is saying. This amendment has been around the houses in government; it has had many people from many departments looking at it from top to bottom. The feeling of the Government at the moment is that it is better to have something on paper as a basis for discussion. I would like to press my amendment.
Baroness Chisholm of Owlpen (Con)
My Lords, I am pleased to be moving the Government’s technical amendments this evening, and, in particular, Amendments 3, 4 and 5 which respond to the concerns raised by the noble Baroness, Lady Royall, and others on behalf of the UK’s universities, schools and colleges. They were worried that the Bill would restrict their ability to process the data of alumni for fundraising purposes. As the noble Baroness explained in Committee, universities, schools and colleges were concerned that being badged as public authorities by Clause 6 would mean they could not rely on the legitimate interests processing condition in article 6(1)(f). This is because the final sentence of article 6(1) states:
“Point (f) … shall not apply to processing carried out by public authorities in the performance of their tasks”.
Universities also doubted whether, in the context of alumni relations, they could rely on article 6(1)(e) of the GDPR, which relates to processing necessary for the performance of a task carried out in the public interest. Although there is a good argument that any fundraising or similar activity which allows universities to improve facilities for students would be considered a “public interest” task, the Government can see why universities might doubt whether all their fundraising work would fall into that category. If universities could not rely on article 6(1)(e) or (f), they say they would be left without an obvious processing condition in situations where obtaining the data subject’s consent, at least in the GDPR sense of that term, was not a realistic option.
Government Amendments 3, 4 and 5 address these concerns by making it clear that public authorities will be treated as public authorities for data protection purposes only when they are carrying out their public tasks. To the extent that they carry out non-public tasks, they would not be defined as a public authority for the purposes of the GDPR and would not be prevented from relying on the legitimate interests processing condition.
We recognise that the amendment does not refer to universities, schools or colleges by name. This is deliberate, meaning that any public authority which is processing data for non-public functions will be able to rely on this provision. The education sector is not the only one to have these worries. I know, for example, that our museums and galleries would welcome the same degree of flexibility, and this amendment will ensure they have it. I am grateful to the noble Baroness for raising this matter and I hope these amendments will provide universities and other similar organisations with the reassurance they need.
I will not go through the remaining amendments in the group one by one, but instead pick out a few which I think may be of broader interest—for example, Amendments 145 and 146. In Committee, my noble friend Lord Hunt of Wirral was among those to express concerns about the inclusion of the term “other adverse effects” in the definition of damage in Clause 159. He asked whether this was broader than the definition in the GDPR. As I set out then, the Government’s intention in including a definition of damage in Clause 159 was to provide clarity, specifically in relation to the inclusion of distress. Clause 159 does not seek to provide a wider definition of damage than is currently provided in the GDPR; nor indeed could it.
None the less, in light of the concerns expressed by my noble friend, the Government have reconsidered this issue and decided to amend the definition to ensure that it is as clear as possible and to minimise the risk of any uncertainty such as that which concerned noble Lords. The amended definition now simply states that the reference to “non-material damage” in the GDPR includes distress. The definition of damage for the purposes of the law enforcement and intelligence services regimes is set out separately in Clause 160. Amendment 146 makes a similar change to that definition so that it is as clear as possible and no longer refers to “other adverse effects”. I beg to move.
Lord Patel (CB)
My Lords, I will comment on Amendments 3, 4 and 5. The Minister and the noble Baroness may well feel that I do not give up, and I agree: I do not. I of course understand clearly what the Government are trying to do with the amendment from the noble Baroness, Lady Royall of Blaisdon—that they have agreed to get that into the Bill. It is helpful to know that public bodies need to be defined as such when they are processing data for tasks that are not defined as tasks in the public interest. This opens up the possibility of their instead using legitimate interests as a legal basis under some circumstances: for example, as has already been mentioned, for universities contacting alumni for fundraising purposes.
My point is different: universities and their research activities and how that is recognised, which we discussed. Here, it is more pressing to be clear on what counts as a task in the public interest, since public bodies will need to determine which legal basis is appropriate to the processing they are undertaking in different circumstances. For example, is research conducted in universities a task in the public interest, in which case the university would be considered as a public body for the purposes of the Bill, or is it not? In the latter case the university is not a public body for research purposes, and the research is therefore conducted on the legal basis of legitimate interest.
These differences matter, particularly as the GDPR requires data controllers to be clear on the legal basis they are using. How are public bodies such as universities to make this determination? The clearest answer would be, as I indicated in Committee, that the ICO gives guidance. I understand that the Government cannot direct the ICO to give guidance, so a way needs to be found to clarify which tasks fall under the public interest basis, specifically using the example of university research to provide that clarity. I would be grateful if the Minister commented on that.
Lord Macdonald of River Glaven (LD)
As the Minister knows, I put my name to the amendments from the noble Baroness, Lady Royall, to which this amendment is a response. I am grateful to the Minister for meeting a group of us to discuss this issue, for bringing forward this amendment, and particularly for the clear way in which she has indicated one of its purposes, which is that when universities are not acting in the public interest in the exercise of their official functions they will be permitted and empowered to rely upon the legitimate-interest condition, which was our original concern. I believe this amendment meets that concern, and I am very grateful.
Lord Smith of Finsbury (Non-Afl)
My Lords, I remind the House of my interest as master of Pembroke College, Cambridge. I give a warm welcome to Amendments 3, 4 and 5, and I am grateful that Ministers have listened to the concerns of universities and colleges and very helpfully addressed them in these amendments. I know I speak also for the noble Baroness, Lady Royall, in this respect.
The two most important issues that have been of concern to universities and colleges have been, first, maintaining good relationships with alumni and the way in which that can lead to successful fundraising for universities and, secondly, the need constantly to improve what we do in outreach work to schools and the widening of participation from the broadest base of potential students to draw them into the best of our universities. In both these respects, relying on legitimate interests, as we do at the moment, is going to be extremely helpful. I very much hope that that is the Government’s understanding of the purpose and effect of the amendments.
Lord Clement-Jones (LD)
My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.
Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.
Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.
There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.
I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.
Baroness Chisholm of Owlpen
My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.
I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.
The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?
Baroness Chisholm of Owlpen
I think that gets more rather than less muddling, but I think I see where the noble Lord is coming from.
The amendment should relate to and rely either on article 6(1)(e) or (f). That should solve any possibility raised by the noble Lord.
“subject to subsections (1A) and (2).(1A) An authority or body that falls within subsection (1) is only a “public authority” or “public body” when performing a task carried out in the public interest or in the exercise of official authority vested in it.”
Baroness Chisholm of Owlpen
My Lords, as it is 4.25 pm and the Statement is due sometime after 4.30 pm, it would be unwise to start on another amendment now, particularly a very long amendment, so I need to adjourn the House during pleasure for four minutes until 4.30 pm.
Data Protection Bill [HL]
Monday 11th December 2017
(7 years, 3 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
“(a) amend Schedule 1 —(i) by adding or varying conditions or safeguards, and(ii) by omitting conditions or safeguards added by regulations under this section, and(b) consequentially amend this section.”
Baroness Chisholm of Owlpen (Con)
My Lords, before I launch myself into the detail of these many amendments, I will express our thanks and gratitude for the detailed report of the Delegated Powers and Regulatory Reform Committee. We are also grateful for the extensive and informative discussions in Committee, and we have reflected on the views expressed by all noble Lords during the debates. We have carefully and comprehensively considered each of the committee’s recommendations, and none of our decisions have been reached lightly. A theme that noble Lords have heard me express previously is the extraordinary pace of change in the digital and data economy. I am very conscious that the Bill needs to provide a framework for the constant evolutions and developments in how we use and apply data. It must support rather than stifle innovation and growth and, primarily for this reason, in some areas we have deviated from the committee’s full recommendations.
I will speak to the key points. In its report, the committee raised concerns about the Henry VIII powers in Clauses 9(6), 33(6) and 84(3), which enable the Government to make regulations to “add to, vary or omit” the processing conditions and safeguards for sensitive data set out in Schedules 1, 8 and 10 respectively. Amendments 9, 90, and 99 respond to these concerns and narrow the regulation-making powers in these clauses. Amendment 9 removes the Government’s power to omit processing conditions and safeguards in Schedule 1. Amendments 90 and 99 remove the Government’s ability to vary or omit processing conditions in Schedules 8 and 10 respectively. We reflected at length as to whether we could go further than this but, on balance, considered it necessary to maintain the powers to add new processing conditions and to vary those in Schedule 1.
Many of these powers are not new. The 1998 Act already provides a power to add to the conditions for sensitive processing. In addition, many of the provisions in Schedule 1 in respect of which these powers will apply are currently set out in secondary legislation. This means that they can currently be added to, varied or omitted through other secondary legislation. Our experience under the 1998 Act and, indeed, in Committee, has highlighted the frequency with which scenarios can arise which require new processing conditions for sensitive data. Accepting the Committee’s recommendations in full would leave the Government unable to accommodate developments in data processing and the changing requirements of certain sectors. This in turn could render the UK at a disadvantage internationally if, for example, we were unable to make appropriate future provision for sectors, including those such as insurance, where the UK is a world leader, to reflect advances and changes in their approach to data processing.
The committee also raised concerns about Clause 15 of the Bill, which enables the Government by regulation to add to, vary or repeal the exemptions from certain specified data protection principles and data subject rights set out in Schedules 2, 3 and 4. Clause 111 contains a similar power to add, vary or repeal the list of exemptions in Schedule 11. The Government listened carefully to the debate in Committee, where the noble Lords, Lord Stevenson and Lord McNally, recognised the challenge of future-proofing the legislation to take account of changing technology. The noble Lord, Lord Stevenson, further suggested that,
“the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation”.—[Official Report, 6/11/17; col. 1639.]
I am hopeful that our amendments will set the noble Lord’s mind at rest.
Government Amendments 67 and 68 will remove the Government’s power in Clause 15 to omit provisions in Schedules 2, 3, and 4. It also removes Clause 15(1)(d) in its entirety. Amendment 103 removes the corresponding power in Clause 111(2) to vary or omit the existing provisions in Schedule 11. I am aware that there are some who would like us to go further than this, but it would not be a good idea for a number of reasons. First, a number of the provisions in Schedules 2 to 4 have been added to the Bill to address specific requirements arising from the new regime and have not yet been tested in operation. Others have been carried over from secondary legislation, where they can at present be added to, varied or removed. The Government therefore consider it prudent to retain the ability to amend Schedules 2 to 4 if it proves necessary. There is also a technical issue here. Schedules 3 and 4 contain a large number of references to subordinate legislation. The power to make and amend the instruments referred to does not always include the power to make consequential amendments to primary legislation. This provides a further, technical reason to retain the power in Clause 15 to vary these provisions.
Government Amendment 71 provides that any regulations made under Clause 17 will now be subject to the affirmative rather than negative resolution procedure. In cases of urgency, there is provision for the “made affirmative” procedure to be used if accompanied by an urgency statement. There is precedent for such an approach; for example, in the Legal Aid, Sentencing and Punishment of Offenders Act 2012. Amendments 168, 169, 170 and 184 make consequential provision later in the Bill.
I turn now turn to Amendments 130, 133, 134 and 136, which respond to the Committee’s concerns that the powers in Clauses 142 and 148 were too broad and gave the Government unlimited powers to determine types of additional failure that could attract the Information Commissioner’s enforcement powers, including unlimited penalties. Clearly, this was never the Government’s intention, and these amendments make it clear that any additional failures must be failures to comply with data protection legislation. They clarify also that the regulations making provision about the penalty for an additional failure will provide for the penalty to be either the standard maximum amount or the higher maximum amount referred to in Clause 150.
Amendment 144 provides that the Information Commissioner’s guidance about regulatory action will be subject to the negative resolution procedure when first produced. Generally, the Government believe that guidance of this kind should not be subject to parliamentary procedure. However, exceptionally in this instance, and in recognition of the large and ever-growing number of organisations for which this guidance will be relevant, on reflection the Government agree with the Committee that the negative resolution procedure would be appropriate. Amendments 139, 140, 141, 142 and 143 make consequential provision to ensure that the relevant clause functions as intended.
Amendment 166 reflects the concerns raised by noble Lords in Committee that regulations made under the Bill should be subject to consultation, not only with the Information Commissioner but also with consumer organisations and others who represent data subjects. Accordingly, we are including a requirement in Clause 169 that when the Secretary of State makes regulations under the Bill, she must consult “such other persons” as she considers appropriate. This will apply to all regulations save for those listed in new subsection (2A). We have also tabled consequential Amendments 126, 131, 135 and 138 to remove the equivalent requirement from Clauses 133(1), 142(9), 148(6) and 152(3) to avoid unnecessary duplication in the light of the new general requirement in Clause 169.
Lord Clement-Jones (LD)
My Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.
I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.
The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.
The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.
I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.
I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:
“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.
That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:
“We regard this is an insufficient and unconvincing explanation for such an important power”.
I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.
I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.
In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.
As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.
Baroness Chisholm of Owlpen
I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.
On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.
Lord Clement-Jones
With the greatest respect, the point I was making was whether the right to vary was not omission by the backdoor. Perhaps I was not clear enough.
Baroness Chisholm of Owlpen
No, we do not believe it is omission by the backdoor.
Lord Ashton of Hyde
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, in Committee the noble Earl, Lord Kinnoull—I am very grateful to him for his help and that of the industry bodies that I have now met—told us that the language in the Bill enabling the processing of sensitive data relating to employment might be interpreted more narrowly than the similar wording in paragraph 2 of Schedule 3 to the Data Protection Act 1998. This was never the Government’s intention and I thank the noble Earl and the noble Lord, Lord Clement-Jones, for bringing the issue to the Government’s attention. Amendments 11 and 12 to address these concerns by reverting to the wording used in the 1998 Act, thereby removing any doubts as to their proper interpretation. I will sit down and wait for the noble Earl to propose his amendments and reply to them after. I beg to move.
The Earl of Kinnoull (CB)
My Lords, I am very grateful to the Minister for that news on those government amendments. It is very helpful and will prevent a lot of insurers having to redo their administrative systems. I shall speak to Amendments 25 and 26, which are another pair of insurance amendments. I declare my interests as set out in the register of the House, particular those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, who has been very helpful. He brings great clarity at all times of day to our discussions. Although he is the chairman of the Artificial Intelligence Select Committee, his intelligence is far from artificial and is most helpful. Also, I see the Bill team over there. They have been excellent. Given the amount of fire coming in they are very calm, collected and user-friendly. I thank them for everything they have done so far on the Bill.
The Lloyd’s Market Association, the British Insurance Brokers’ Association and the Association of British Insurers, among other insurance associations, have helped in the preparation of some of these remarks. The insurance industry is trying to deliver products in the public interest. Indeed, some major classes of insurance, such as motor insurance and employers’ liability insurance, are compulsory. There is a long list of other insurances that are quasi-compulsory. For instance, one cannot get a mortgage without buying household insurance. It is greatly to society’s benefit that a wide choice of good products is available at a reasonable price.
Lord Clement-Jones
My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.
Lord Kennedy of Southwark
My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.
Lord Ashton of Hyde
My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:
“Insurance and data concerning health of relatives of insured person”,
and:
“Third party data processing insurance policies and insurance on the life of another”,
with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.
The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.
As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.
Lord Ashton of Hyde
“ This condition is met if the processing is—(a) in the exercise of a function of either House of Parliament, and(b) necessary for reasons of substantial public interest.”
Lord Brown of Eaton-under-Heywood (CB)
My Lords, this group of amendments in my name, prompted by House officials, covers a number of issues concerning parliamentary privilege. The Bill in its present form contains some exemptions to its application to Parliament, but these are considered rather too narrow in scope. The group relates to four areas which have been raised by officials—that is, counsel and clerks of both Houses—as giving rise to concerns about how the Bill as drafted risks infringing parliamentary privilege. These concerns have been discussed extensively with the Bill team and the Leader’s office at official level, and drawn to the attention of the Senior Deputy Speaker, who is of course chairman of the Committee for Privileges and Conduct of this House. I say at once that these discussions have been most helpful and constructive. I pay tribute to the Bill team for its co-operation throughout.
Happily, the Bill team is now, as I understand it and as I expect the Minister shortly to confirm, satisfied that amendments to the Bill in all four areas of concern are appropriate, so that those will be forthcoming before Third Reading in the new year. I recognise and accept that those amendments may not follow the precise wording suggested in the present proposals but, provided they address the substance of these various specific concerns, we shall obviously be disposed to accept them.
In these circumstances, and given that we shall obviously not divide the House at this stage, it is unnecessary to outline the detailed nature of each of these proposed amendments. It is, I hope, sufficient to indicate that they include, for example, meeting concerns lest the Information Commissioner take enforcement action against Members or the corporate officers of either House—here, the Clerk of the Parliaments—in respect of the processing of personal data in parliamentary proceedings. Such action could lead to very substantial administrative penalties amounting to millions of pounds. There are concerns, too, about the liability of both corporate officers to prosecution for certain specified offences for things done on behalf of the two Houses of Parliament. I hope that that is sufficient, and at this stage I beg to move Amendment 16 and ask that the eight other amendments be accepted.
Baroness Hamwee (LD)
My Lords, from these Benches I support the noble and learned Lord, who is absolutely the right person to pursue this matter. If I might simply add to what he said, it is important that we bear in mind that in the same way as legal professional privilege is the privilege of the client, these provisions would be for the benefit of the public, the running of good democracy, good scrutiny and holding the Government to account. It is not a personal benefit that is proposed here and I hope—I trust, because this is very important—that the Government can find a way through this. I look forward to hearing from them, as the noble and learned Lord said, early in the new year.
Baroness Chisholm of Owlpen
My Lords, I am grateful to the noble and learned Lord, Lord Brown, for raising these amendments and for the words of the noble Baroness, Lady Hamwee. His amendments address concerns about the interaction of the Bill with parliamentary privilege. I agree wholeheartedly with him that parliamentary privilege should continue to be safeguarded and maintained for future generations, as it has been for centuries past. As I said in Committee, the Government’s view is that the Bill contains adequate protections to ensure that this is the case. However, we recognise the concerns that, in some areas, these protections could be enhanced and clarified, and we will bring forward amendments at Third Reading to address some of the points that the noble and learned Lord has raised in his amendments.
With that in mind, I will now turn briefly to the amendments themselves, starting with Amendments 16, 17 and 185. The Government recognise the concerns raised in these amendments about the way the conditions for processing sensitive personal data apply in respect of parliamentary proceedings, and liability under Clause 193(5). I am happy to reassure noble Lords that the Government intend to bring forward amendments to address these points at Third Reading.
Lord Stevenson of Balmacara (Lab)
Before the Minister sits down, I put it to her that, in the considerations that will take place between now and the return in January, one thing that changes between 1998 and today in terms of the Act is something we have not looked at specifically, although it comes up in the Bill. It is the need to ring-fence the Information Commissioner from any involvement with Parliament or the Government. She is answerable to Parliament, but she should not be in that sense exposed to considerations that might adversely affect her. I hope that might be taken into account as well.
Baroness Chisholm of Owlpen
I agree with the noble Lord, and we will take that into account.
Lord Brown of Eaton-under-Heywood
My Lords, I am most grateful for the reassurance given to us by the Minister. On the basis that all these matters will be brought back in some shape or form at Third Reading, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Baroness Neville-Jones
“Processing by patient support groups
(1) This condition is met if the processing—(a) is necessary for the purpose in accordance with the conditions listed in sub-paragraph (2), and(b) is necessary for reasons of substantial public interest.(2) The processing is carried out— (a) in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not for profit body with a patient support aim, and(b) on condition that—(i) the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and(ii) the personal data is not disclosed outside that body without the consent of the data subjects.”
Baroness Neville-Jones (Con)
My Lords, I introduced the same amendment in Committee and do not intend to repeat what I said then. I am glad to say that, since I put down that amendment, there has been a very helpful meeting between DCMS officials, the Genetic Alliance UK and Unique. I very much hope that that meeting will form the basis of a solution on which we can build for Third Reading. I thank my noble friend the Minister for his personal contribution to the progress that we have made.
My understanding is that at that meeting it was accepted that an amendment would have to be brought forward to ensure the legality of the work of patient support groups. My understanding also is that the Government would prefer to do this by their own amendment, and I am certainly very happy to accept that. I also hope that it will be possible to agree such an amendment before Third Reading.
My noble friend has said that he is concerned about defining the scope of the amendment. I certainly accept that that is a legitimate issue. The family of patient support groups is quite large, but I accept that it is right to prevent any amendment becoming a loophole for evasion of the Bill’s provisions. I am conscious of that issue. However, the purpose of the amendment is not controversial and I am happy to look to finding words and drafting that will both safeguard the points that we want to make and provide the right scope for the amendment. It would be highly desirable to be able to deal with this matter in our House.
I hope and trust that my noble friend will be able to confirm that he shares my understanding of the point that we have now reached and that he will be able to give me an assurance at least of best endeavours to present a government amendment at Third Reading. I might say that Genetic Alliance and other patient support groups stand ready to help in any way that they can to meet this deadline.
Lord Clement-Jones
My Lords, I will speak briefly to support the noble Baroness, Lady Neville-Jones, in her amendment. Clearly, this is of great importance to patient groups. I very much hope that the Minister will carry on the good work and come back at Third Reading with something substantive for the benefit of patient organisations that collect vital health information from their members, so that they will not be required to destroy or anonymise data. Without amendment, the Data Protection Bill has the potential to seriously damage the work of these patient support groups and hinder the work of certain public agencies, too, such as Public Health England and NICE—so I very much support the noble Baroness.
The Earl of Erroll (CB)
My Lords, I will say a couple of things on this in full support of the proposition made by the noble Baroness, Lady Neville-Jones. These issues are very complicated. We tend to try to brush them aside and hope that they will be dealt with by the person who is enforcing and regulating. But that can be dangerous, because they will find it very difficult as well, and sometimes, if you do not have the intention in the Bill, it may just not happen.
This is important because, although I fully support the intention and objectives of the GDPR in the Data Protection Bill in front of us, which is there for all the right reasons, we have to be careful not to throw out the baby with the bathwater. This is one of those instances where, in trying overzealously to introduce a rules-based system in a complex world and a complex society, you find unexpected consequences. Some of them cannot be defined terribly easily in regulation, but I think it would be wise to put this in an amendment.
We in this House tend to think in principle much more than another place. To try to deal with this in another place when it gets there may be unwise in case they run out of time. It would be good to put something in the Bill in this House at Third Reading, if the Minister were so minded, and I would wholeheartedly support that.
Lord Patel (CB)
My Lords, I have already spoken on this at length and I do not intend to repeat myself, but I support the amendment from the noble Baroness, Lady Neville-Jones. This is a very important database. It is not just national but international, and it is difficult to collect. That is why I am glad that an accommodation has been made to support the amendment.
Lord Stevenson of Balmacara
My Lords, I add my voice in support of the noble Baroness’s amendment and wish it well. I suspect she has run into the logjam that constitutes the waiting list to see the Bill team and the Ministers, who have been worked so hard in the last few months. But I hope it will be possible, given that there is a bit of time now before Third Reading, for this matter to be resolved quickly and expeditiously before then.
Lord Ashton of Hyde
My noble friend Lady Neville-Jones explained in Committee that Unique plays a hugely important role in providing advice and support to sufferers of rare chromosomal disorders and their carers. Some of these charities have large databases dating back many years, so we understand their desire to maintain these when the GDPR comes into force without necessarily obtaining fresh consent to GDPR standards for each data subject included on the database. When families are providing support to their loved ones, some of whom may need round-the-clock care, filling in a new consent form may not be high on their agenda.
However, they may still value the support and services that patient support groups provide and would be concerned if they were removed from the charities’ databases. If charities such as Unique had to stop processing or delete records because consent could not be obtained, they worry that this would impede the work they do to put patients and their families in touch with others suffering from rare genetic conditions, help clinicians to deliver diagnoses and facilitate research projects. We recognise that this could be particularly damaging when there is barely any knowledge of the condition other than what they may hold on their database.
Let me be clear: if there is a grey area in the Bill that puts this work at risk, the Government are fully prepared to amend it. Legislating in this area is not straightforward and I am keen that the policy and legal teams in the department are able to continue with the constructive discussions they have been having with Unique and the UK Genetic Alliance to ensure that the legislation adequately covers the specific processing activities they are concerned about, while providing adequate safeguards for data subjects. I assure noble Lords that we will use our best endeavours to work on this legislative solution as quickly as possible. If it is not ready by Third Reading, and I am afraid I cannot promise it will be, the Government will endeavour to introduce any necessary provisions at the next possible amending stage of the Bill. I will of course ensure that my noble friend gets the credit she deserves for her persistent efforts on this subject when that time comes.
Government Amendments 72 to 77 are the products of detailed discussion with the noble Lord, Lord Patel, the noble Baroness, Lady Manningham-Buller, and representatives of the Wellcome Trust. I thank them very much for those constructive and helpful discussions. In Committee we discussed the operation of the safeguards in Clause 18 and the potentially damaging impact they would have on pioneering medical research. As I explained at the time, it was never the Government’s intention to undermine such important work, so it is with great pleasure that I table these amendments today.
Noble Lords will recall that the greatest concern stemmed from the safeguard in what is currently Clause 18(2)(a). That paragraph was designed to prevent researchers using personal data to make measures and decisions in respect of particular data subjects but, as the noble Lord explained, there are certain types of medical research where this is inevitable. In the context of a clinical trial, for example, a data subject might willingly agree to participate, but in the course of the trial researchers might need to make decisions about whether the treatment should continue or stop, with respect to some or all data subjects. Government Amendment 77 addresses this concern by making it clear that the safeguard is automatically met where processing is necessary for the purposes of approved medical research. Approved medical research is defined in the new clause and includes, for example, research approved by an ethics committee established by the Health Research Authority or relevant NHS body. Importantly, the new clause also contains an order-making power so that the definition of approved research can be kept up to date.
Lord Patel
Before the Minister sits down, I thank him and his team immensely for taking on board the concerns that I and others expressed about the interventional medical research that the government amendments will now allow. It cannot be overstated: this will now allow important research, including clinical trials, to be undertaken that will advance medical research in the United Kingdom, making it an attractive place to do such research. I thank him immensely; I am most grateful.
Baroness Neville-Jones
My Lords, I am extraordinarily grateful to noble Lords who have spoken in support of my amendment, and for the comprehension that the Minister has shown for the work of the patient support groups. They will have greatly appreciated hearing how much the Government support what they do.
I very much hope that we can work on an amendment that will both meet the Government’s concerns and effectively cover the work of those organisations, which, as I think the Minister understands, work in difficult circumstances. They stand ready to participate with the Government in getting language that will both cover their concerns and ensure that we do not open the door to those for whom it is not intended. On that basis, I beg leave to withdraw the amendment.
Lord Kennedy of Southwark
Lord Kennedy of Southwark
My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.
I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.
Baroness Hamwee
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
Lord Ashton of Hyde
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
Lord Kennedy of Southwark
I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.
I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.
“( ) A member of the House of Lords is to be treated as an elected representative for the purposes of this paragraph and paragraph 20.”
Lord Brown of Eaton-under-Heywood
My Lords, this pair of amendments, like the earlier group that I proposed, promoted by House officials, concerns another aspect of parliamentary privilege. Unlike the earlier group, these amendments have failed thus far to attract the support of the Bill team and government. Also unlike the earlier group, they relate only to this House, and not the House of Commons. But I shall have to address the issue at a marginally greater length than previously.
As will readily be apparent from the text of the two amendments, they propose that, with regard to a particular aspect of the processing of sensitive personal data, a Member of this House should be treated in the same way as a Member of the other House—or, for that matter, as Members of every other elected body in the country down to the smallest local authorities. There are really compelling reasons why in this context we should be treated on the same basis as elected representatives.
I begin with two acknowledgements. First, I readily concede that, unlike all the other representatives in public life, Members of this House are not elected. I put aside the Minister’s observation in Committee that he speaks as an elected Member,
“albeit with a fairly small electorate”.—[Official Report, 13/11/17; col. 1818.]
Secondly, I recognise that the Bill as drafted would essentially continue the position that has existed for the past 15 years, established under the Data Protection Act 1998 by secondary legislation in a ministerial order which followed in 2002.
The benefit of the particular provisions in Schedule 1 to the Bill which we are now seeking to amend by our proposed inclusion of Members of this House is that it would better enable elected representatives by dispensing in certain limited circumstances with the need for the express consent of the data subject to campaign on behalf of individuals.
Baroness Hamwee
My Lords, I have put my name to this amendment. I stumbled on the omission of Members of this House during debate in Committee, when I asked what I thought was an innocent question. I was asked to appear on the BBC’s “Question Time” after the list of Peers of which I was one was announced but before I actually arrived here. It was a fairly difficult occasion, which I remembered when I was thinking about this issue at lunchtime today. When I referred, during the discussion, to Members of Parliament, Nicholas Ridley said, “You are a Member of Parliament”. We are all Members of Parliament. We happen to be Members of the House of Lords; those who are normally called MPs are Members of the House of Commons. I regard myself as being in a representative position, even though I am not elected.
I disagree with one comment of the noble and learned Lord, which was about the amount of casework that I do. I am so conscious of the problems of getting it wrong, particularly in the area of immigration, that I try not to do that work. However, it is notable how the number of requests to Peers to intervene in individual cases has grown over the last few years. I suppose that reflects the fact that MPs are taking on more and more of what a few years ago one might have called social work. There are not the same demarcation lines as perhaps there used to be.
The casework, among other things, informs our general response to policy issues and specific proposals put before us, so we cannot exclude ourselves from all this. Ten days or so ago, in response to a request to pursue a particular case, I made the point that the individual should approach her own MP. The answer came back, through an intermediary, “She’s an asylum seeker. She doesn’t have an MP. We’re looking for anyone who can help”.
In Committee, questions on this issue were asked round the House. I recall that the noble Lord, Lord Lucas, took up the point after I had asked a question. I am very grateful to the noble and learned Lord for pursuing this matter. I hope that the Minister will accept his suggestion that this should be considered further between now and Third Reading, and that it should be dealt with at this end. I hope that the Minister will this evening assure us that it will remain on the agenda and that we can return to it at the next stage of the Bill in this House.
Lord Stevenson of Balmacara
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
Baroness Chisholm of Owlpen
My Lords, Amendments 28 and 29 create a new processing condition for Members of this House. The Government’s view is that the provisions in paragraphs 19 and 21 of Schedule 1 are intended to reflect the unique and special nature of the relationship between an elected representative and their constituent.
Like the noble Baroness, Lady Hamwee, and the noble and learned Lord, Lord Brown, I am very aware of the important and valuable work that many noble Lords carry out on behalf of members of the public, advocating for their rights, taking up their cases with government departments and representing their interests in any number of scenarios. However, this relationship between a Peer and a member of the public is of a different nature and order from that conferred on an elected representative by their constituents. Elected representatives have particular rights and duties to act on behalf of the citizens they represent. The Government therefore consider it appropriate for them to be able to deal with urgent situations where they could not reasonably be expected to obtain consent; for example, in the case of an individual facing imminent deportation. There is no such need for Peers to be exempted from the provisions on consent. I stress again that nothing in the Bill or the GDPR prevents Peers undertaking casework if they first obtain the consent of the individual concerned.
I emphasise that these provisions are not new. The position under the 1998 Act is very similar and, in answer to the point made by the noble Lord, Lord Stevenson, it has not prevented Peers who are interested in undertaking casework doing so. Indeed, I have not found difficulty in this respect; I have just obtained consent first.
I hope I have reassured the noble and learned Lord that the Government understand the concerns raised, and that in this instance he will withdraw his amendment.
Lord Brown of Eaton-under-Heywood
I confess to being disappointed by the Minister’s response to this. I dealt with the fact that things have changed over the 15 years since the 2002 order. Of course there will continue to be circumstances in which it is possible to get, without inhibiting problems, the express consent of the person concerned. However, it will not always be possible, and to that extent it will inhibit the future ability of Members to discharge a function they have been discharging. Of course I will not divide the House at this stage; nevertheless, I urge the Government to reread the arguments and submissions that the noble Baroness and I have advanced today and see whether they cannot bring themselves to recognise that there is a substantial point here. Although there is a natural reluctance to treat us as elected Members, they should for this limited purpose do so; that is justified in the narrow circumstances in which this point arises.
Baroness Hamwee
Before the noble and learned Lord finishes, if the House permits me, I will raise something with the Minister. A number of individual cases are brought to us through other organisations, which may have the consent of the individuals. We would want to pursue a matter in the way the noble Lord, Lord Stevenson, just mentioned—I was not at Question Time today but I can imagine the kind of situation. It would add considerably to the difficulty of doing that if the consent obtained by the organisation was thought not to extend to a Peer taking up the matter. I do not know how we would deal with that. It would be a considerable barrier to our doing what I regard as our job.
Lord Brown of Eaton-under-Heywood
I am grateful to the noble Baroness, who puts forward a dimension to the problem that she is much more alive to than I am. However, there it is. I urge the Minister to reread these speeches and, in the meantime, I have no option but to beg leave to withdraw the amendment.
Lord Ashton of Hyde
Data Protection Bill [HL]
Wednesday 13th December 2017
(7 years, 3 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
16:31 - Division on Amendment 31 - Ayes: 229 / Noes: 232 - Amendment 31 disagreed.
18:02 - Division on Amendment 42 - Ayes: 92 / Noes: 222 - Amendment 42 disagreed.
Lord Moynihan
“( ) The references in sub-paragraph (1) to a body or association that is responsible for eliminating doping in sport are to be read as references to UK Anti-Doping (UKAD), its successor bodies or a body designated by the Secretary of State.( ) The Secretary of State must by regulations made by the affirmative resolution procedure specify—(a) the relationship between UKAD and other sporting bodies and associations, and (b) the powers and responsibilities of UKAD,under this paragraph.”
Lord Moynihan (Con)
My Lords, the objectives of Amendment 31, on doping in sport, are simple, and they build on considerable exchanges that have taken place at Second Reading and, more recently, in Committee. The first part of the amendment seeks to recognise the United Kingdom Anti-Doping agency—UKAD—and its successor bodies as the main body responsible for eliminating doping in sport in this country. The second part focuses on bodies which are not currently affiliated with or under the control and influence of UKAD and allows the Secretary of State to designate those bodies and to make regulations by the affirmative resolution procedure to outline the relationship between UKAD and other sporting bodies and the powers and responsibilities of UKAD.
I recently had the opportunity to discuss the amendment before the House with a range of individuals from the world of sport. At the most recent meeting, along with the noble Lord, Lord Stevenson, I had the opportunity to meet Emma Drake, a lead lawyer for sport on data protection; Tim Payton from the national governing bodies; Jonathan Taylor, the legal counsel to the United Kingdom Anti-Doping authority; and Alison Faiers from the ECB. They responded to us both a couple of days later by setting out possible changes to the current wording in the Bill and suggesting that UK Anti-Doping be named specifically in the Bill, while retaining flexibility in case of a successor body. Secondly, they said that included for the first time in primary legislation should be a reference to the role of the UK national anti-doping policy. This particularly emphasises the accountability of UKAD to Parliament and its responsibility for implementing and monitoring compliance with the policy. Thirdly, they suggested that we retain a clear reference to the fact that other sports governing bodies that are not subject to the UK national anti-doping policy should be able to rely on a condition in the clause itself, which is precisely what I sought to do before bringing this latest amendment to your Lordships’ House.
It is important to place on record the role of UKAD. It co-ordinates the UK intelligence-led, risk-based testing programme across more than 40 key sports in accordance with the international standard for testing and investigations. It is at the centre of our anti-doping programme in this country, and is very important in the management of highly sensitive personal data—this Bill is about the management of that personal data. When it comes to dealing with highly sensitive personal data, it should be recognised as the body responsible for anti-doping in this country. It already has a broad remit and can test any UK or non-UK athlete staying, training, residing, entering a competition or named as a member of a team participating in a competition at any level within the United Kingdom. Those athletes are eligible for testing as part of UKAD’s national anti-doping programme. UKAD is recognised by the Government and by the DCMS. It is paid for by us as taxpayers and undertakes a vital role in keeping sport clean in this country.
Meanwhile, the Bill is very important because of the context in which data falls as far as sports men and women. The data we are talking about is twofold for the success of an anti-doping policy. First is the whereabouts test. Every athlete who competes internationally and is part of the national register testing pool has to provide, every day, a 60-minute time slot to be tested without prior notice. That is a major request. Under employment law, you are entitled to go on holiday and your whereabouts not be known by your employer. In sport, the data required extends throughout every day of the year: wherever you are, you are duty-bound to notify your governing body or UKAD of your whereabouts. That seems to me a major issue of privacy. If we are asking athletes to give up that right, as we are in this Bill, to have an effective anti-doping policy—which I fully support—that should be taken very seriously indeed.
The second point is the principle of strict liability. All athletes are solely responsible for any banned substance, regardless of how it got there or whether or not it was the intention of an athlete to cheat. Under the anti-doping programme, you are effectively guilty until proven innocent. The fact that athletes have to adhere to those two requirements of data management makes it incumbent on this House to ensure that the situation under which someone could be tested, or under which UKAD can operate, is very clearly defined in the Bill. Regrettably, I do not believe that it is at the moment.
The issue is even more important because it is about the making and breaking of careers and reputations. Only today, in a different context internationally, we had news that the UCI is investigating Chris Froome’s case under its anti-doping rules. Here it was strict liability again. However, it was also a case where he did not break the rules in terms of performance enhancing substances. His highly sensitive records were made public; he was given a TUE—a therapeutic use exemption—for asthma, but the level at which he tested was above the level recognised by the UCI as acceptable. That is the test being applied. It is headline news. The fact that he is a part of that doping policy has meant that his career, his profile and potentially his future are under the microscope. That is because he signed up to that anti-doping policy. It is the same anti-doping policy that would occur here. Indeed, UKAD was heavily involved in another case earlier this year, as noble Lords will know, with regard to Bradley Wiggins and the famous jiffy bag in June 2011. It said it was hampered by a lack of accurate medical records being available for British cycling, yet his whole career and reputation is under the spotlight as a result of that incident.
Baroness Billingham (Lab)
My Lords, I rise to express my support for the amendment of the noble Lord, Lord Moynihan, and the work that it encompasses. I regret that my contribution to this powerful legislation has been so limited. My defence is that a boring cocktail of illnesses has kept me from that task, only concluding with a total knee replacement that has in fact proved a triumph. I have followed your Lordships’ debate from afar. I appreciate fully how much work has gone into the amendments and how crucial the debates have been—but no more excuses for my backsliding.
This issue is not straightforward. The widely held public view is that sport must be seen to be clean and cheating must be eliminated. Bodies such as the UK Anti-Doping Agency should be powerful and expert enough not only to detect the use of performance-enhancing drugs but to prohibit them. The general public are frustrated and appalled when yet more cheating comes to light. Fair play in sport is one of its underlying qualities; it is a prime reason for a love of sport and the impetus for all of us—parents, teachers, coaches and administrators—to encourage people to participate. That is all the more reason to strengthen the powers of anti-doping organisations.
The athlete, himself or herself, must be totally responsible for what is in their body at all times. They are guilty before being proved innocent but there must be a balance regarding genuine errors, and they must meet the whereabouts test. We have the support of governing bodies, which lead the fight against doping. The challenge is that their technology must outpace the damaging technologies and pharmaceutical products that threaten clean sport. The work of the anti-doping agencies must encompass all sport in the UK and cover all levels, from amateur to elite. Doctors who facilitate cheating should be criminalised and held responsible. Clearly, UKAD should have overall authority to determine whether an event run by non-UK bodies when operating in the UK is up to UK standards. It cannot be right that international sports organisers can hold events that fail to meet the minimum standards in the fight against cheating.
Viscount Falkland (CB)
My Lords, this is the first time I have intervened on the Bill. I confess that I am one of those who has been lobbied, as suggested by the noble Lord, Lord Moynihan. I will speak about horseracing uniquely, which is different from the kind of doping to which the noble Lord addressed himself. Doping has of course gone on ever since the early 18th century, when horseracing as we know it started to grow into the complicated and well-run sport that it is today. We still have quality racing in Britain, but more importantly to this debate we have the reputation of having the best control by the bodies that deal with racing, particularly the horseracing association.
I have given the association’s concerns some thought over lunch. It said in a brief that was a little too complicated for me to present to your Lordships that it is afraid that if the regulations are brought into the legislation in the way suggested, the very detailed work that it does to prevent the spread and, indeed, to stop the existence of doping in horseracing faces a new hurdle. These days, as in the sports that the noble Lord addressed, all kinds of substances are developed genuinely for good purposes, but criminals are clever people. They get hold of the latest kind of substance that may make a horse go faster, or slower. It is quite easy to stop a horse going very quickly—you just give it a bucket of water—but to make it go faster is a more complicated business.
Maintaining the cleanness of the sport in terms of corruption—it is all about money and betting—is becoming even more complicated because the new technologies and the moving of betting online is complicating it enormously, away from the old days when people went round in slouch hats with a man they employed to administer a substance. The problem the governing body faces is the uncertainty. It is following leads and information all the time—racing is all about information, whichever way you look at it—which is essential for it to get a step ahead of the game as far as the criminals are concerned. I understand from the association’s brief that it fears that, admirable though this Bill may be—I have sat through a lot of it and think it is a good Bill overall—we are creating a hurdle which will make the bodies go by the book. Going by the book—if I may use that expression in this field—would be a slow business. The bodies would be prevented doing the things which they normally do in jumping straightaway into a position where they can prevent whatever doping they have been informed is about, and they would fear infringing what is in the Bill in terms of the duties of the Secretary of State. There would be a need to consult the Secretary of State and the bodies fear the time that that would take. It would be useful if the Minister could give me some idea of what procedures would relate to horseracing and how quickly the bodies could get a line to the Secretary of State to get permission to move more quickly and cut out some of the actions and investigations that they would have to undertake, so that the bird had not flown by the time one got to dealing with the problem at hand. That is the bodies’ main concern as I understood it through my quick lunch—they have a concern in relation to a later amendment which is more complicated, but this one is quite simple.
A lot of hard work goes into this and a lot of success is achieved through the controlling bodies of all sports. That is particularly true of the horseracing authority, because it is essential that one keeps criminals from being able to affect the results of horseraces through doping. I hope that the Minister can help me on that, and maybe they will ask me again.
Lord Maxton (Lab)
My Lords, I shall not follow the noble Viscount, Lord Falkland, down the road of horseracing because I have a confession to make, which is that I have never been in a betting shop in my life as far as I know—unless I was taken in as a very young child. I have three points to make. The first is the question of what sport is, because it is vital to the amendment—which I will be supporting. Darts and snooker are considered sports. They are therefore covered by any legislation relating to sport. You have only to watch “Strictly Come Dancing”, however, to know that a lot more physical activity is involved in dancing than in either darts or snooker, yet dancing is not covered by this legislation because it is not considered a sport.
Secondly, there are differences in the drugs taken by snooker players, for instance. A snooker player would be banned if he took a beta blocker, because a beta blocker slows the heart down, slows the pulse down and slows everything down, but if any other athlete took it, it might be for medical purposes—although it would not be to his benefit or advantage to do so.
Thirdly, I gather that under this country’s present doping laws recreational drugs are banned by all sporting bodies and the UK sports drugs authority. In some countries, however, it is legal to take, for instance, cannabis—to be honest, I am one of those who think it should be legal in this country as well; it should be part and parcel of the legal system that we allow people to take cannabis. But it would be banned. If it is illegal—this question may be one for the noble Lord, Lord Moynihan, directly—and an athlete comes to this country to take part in an international event, be it football or whatever, from a country where it is legal to take cannabis, and if he has taken cannabis in the last 24 hours and it shows up in a drugs test, will he be banned from taking part in that event? Some countries allow it. Why are recreational drugs part of that authority anyway? It is a police matter in this country, not a matter for sporting bodies, therefore we ought to take recreational drugs out of the equation altogether.
Lord Stevenson of Balmacara (Lab)
My Lords, the Government must be quaking in their shoes whenever a Back-Bencher offers to come to their help. I looked across at the Dispatch Box when I heard the noble Lord, Lord Moynihan, make that offer and I saw a definite quiver come over the Minister’s face. Clearly, we are in for something rather interesting. We were entertained by the noble Viscount, Lord Falkland, with his worries about the BHA, but he said he thought that it is really quite simple at the end of the day—we need to keep the money out and sort out the betting influences that are affecting all our sports. He is absolutely right. The public have come to the end of their tether and it is time that we got this sorted: we have to keep sport clean and eliminate cheating. The data is key to this, as the noble Lord, Lord Moynihan, said.
We expect a great deal of our athletes in terms of their whereabouts and their strict liability, so we have to make sure that the systems under which they operate are fair, properly organised and regulated. In short, we have such high stakes in this that we have to be sure that we up our game—I am sorry about the puns. We should be clearer than we are at the moment about who has responsibility for what and how it is operated, and that is what this amendment is about. DCMS needs a stronger NDPB, in the form of UKAD or a successor body, and there needs to be an authority exercised with care and consideration as to how the rules will apply and to whom they apply. All these definitional points, all the concern about where it goes, are tied up in that set of constructs, which is what this amendment deals with. I think it is very powerful.
If noble Lords look back at the way in which a state was able to influence the way that the drug-testing system operated in the winter Olympic Games in Russia, they will understand how this thing has got to a new level of concern. We must have appropriate safeguards and ways of operating in place to insulate those who are trying to do the right thing from the charge that they are involved too closely. The public will stand for no less. I recommend this amendment very strongly and we will support it should it be necessary to take it to a vote. I hope that that will not be necessary, because as the noble Lord, Lord Moynihan, said, this is an area of such importance that the right thing to do would surely be for the Government to accept this amendment today and bring it back at Third Reading with a proper wording and proper consideration that will reassure any who still doubt it. In the interim, we will support it if necessary.
Lord Clement-Jones (LD)
My Lords, as ever the noble Lord, Lord Moynihan, made his case extremely well. We on these Benches share his objectives and, indeed, most of the objectives of the noble Lord, Lord Stevenson, around clean sport, particularly putting UKAD on a statutory footing and having a proper framework around the powers in the Bill.
I know that the noble Lord, Lord Moynihan, feels that these need a proper definition and control. However, despite the noble Lord’s best efforts this amendment is not the finished article. Sadly, there are still discussions taking place. Noble Lords have had a great deal of material from governing bodies, including the England and Wales Cricket Board, the Rugby Football Union, the British Horseracing Authority and the Sport and Recreation Alliance, which by itself represents some 320 organisations.
Further discussions need to take place so that we get to an agreed position. I feel very uncomfortable at this point. All those governing bodies may be speaking with different voices, as the noble Lord, Lord Moynihan, suggests, and he has entered discussion with them in good faith, but other voices have come to us saying that they are not yet able to accept what he has put forward. There is still work to be done. I very much hope that the Minister will take on board the fact that many of us around the House, particularly on these Benches, want those conversations to continue and an agreed amendment to be brought forth at Third Reading.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am not quaking in my boots when addressing an amendment from my noble friend, first, because he is a helpful man and, secondly, because I am getting quite used to it, to be quite honest, particularly after the Digital Economy Bill.
As we heard, my noble friend’s amendment would restrict the provision in the Bill that allows anti-doping bodies to process sensitive personal data without consent to just UK Anti-Doping. It would permit other bodies to process sensitive data only if allowed by the Secretary of State. This House agrees, I think, how important sport is and that it can only continue to be successful if it is, and is seen to be, clean. It should therefore come as no surprise when I say that the Government remain fully committed to combating doping and protecting the integrity of sport. We are at one with the noble Baroness, Lady Billingham, on that.
At the moment, a large number of organisations, both domestic and international, work to prevent and eliminate doping in sport in this country in accordance with agreed international standards. UKAD, as the UK’s national anti-doping organisation, plays a vital role. But we must recognise that other bodies, some of which have been mentioned, also have important roles to play, including in particular sports’ national governing bodies. The amendment would see UKAD as the only body with automatic responsibility for processing sensitive data for the purposes of preventing doping in the UK. Other bodies would have a role only if named by the Secretary of State.
I am not convinced that this is a positive change for a number of reasons. First, it is not immediately clear to me why such an amendment is needed. UKAD’s role, and that of other sporting bodies, is set out in the national anti-doping policy, and this arrangement is largely seen to be effective, not just here in the UK but internationally. But we can never be complacent, and that is why my honourable friend the Minister for Sport, Tracey Crouch, has already commissioned a review of UKAD. That review is looking closely at UKAD’s functions, efficiency and effectiveness and has consulted widely. The findings of this review will be published early next year and will inform the revision of the UK national anti-doping policy, which will also take account of the recently published review of the criminalisation of doping. As part of this policy revision process, the Government will consult all relevant stakeholders, and will no doubt welcome discussions with my noble friend Lord Moynihan.
In addition, the arrangement outlined in my noble friend’s amendment would appear to present a number of risks. As he mentioned, the World Anti-Doping Code and the UNESCO convention set a clear framework that allows major events organisers and international federations to conduct their own anti-doping activities. Their ability to test cannot, without risking a breach of the convention, be contingent on them having obtained prior authorisation by a national Government.
Sports bodies change regularly as new sports are recognised and new bodies gain funding and manage competitions. A new round of designations would be required every time a new sporting body came into being or organised competitions or an old body changed its name. Under the system proposed by my noble friend, even a short delay in doing so could allow a drugs cheat to escape sanction by challenging the validity of the data processing undertaken by a sports body weeks, months or even years prior. That is not least because the Secretary of State’s decision to designate a body would itself be subject to judicial review. This could turn a relatively straightforward process of designation into a lengthy process of review, consultation and litigation. Similarly, if international bodies wanted to hold competitions in this country, they would, on the face of it, need to be officially designated by the Secretary of State. In a competitive marketplace, this could discourage organisers of major events from bringing their events to the UK.
To summarise, the Government believe that my noble friend’s amendment will put the UK’s status as a leading destination for clean sport at risk. It will create uncertainty in the sporting world and will be out of step with the recognised international framework that is already in place. It is widely understood that UKAD is the recognised body in the UK with responsibility for enforcing anti-doping rules. But the Bill must not be used as a tool to limit interventions by internationally recognised sporting bodies, such as the England and Wales Cricket Board, the Football Association and the Rugby Football Union. They, like UKAD, should be allowed to set and enforce anti-doping rules in sports. The fact that these bodies are not governed entirely by UKAD’s rules does not make their need to process data without consent for anti-doping purposes any less important. We are clear on that, the World Anti-Doping Code is clear on that, and the bodies themselves are clear on that.
Indeed, I have a statement from four of our leading sports bodies: the Football Association, the Rugby Football Union, the England and Wales Cricket Board, and the British Horseracing Authority. They are not speaking with different voices. This is a joint quote, which they have authorised me to announce. They say:
“We welcome further discussion with all parties on this issue but do not believe that this Amendment, that has not been discussed with or subject to any consultation with our organisations, is the right way to proceed today”.
In answer to the noble Viscount, Lord Falkland, who asked about the horseracing authority, I am afraid he should direct his question to my noble friend Lord Moynihan, because it is his amendment that would change the current system. Therefore, while I understand the desire of my noble friend to assist in the fight against doping, which we all support, I do not believe that the Bill is the proper vehicle to achieve it; nor do I believe that my noble friend’s amendment would in fact achieve it.
Let me be clear: if my noble friend or the noble Lord, Lord Stevenson, want to keep talking about anti-doping in general, I am very happy to do so, as is my honourable friend the Minister for Sport; I have already said that. But the Government have spent a great deal of time working with UKAD and sports bodies to design paragraph 23 of Schedule 1, and I have heard nothing in the debates in Committee and today that would suggest that we should alter our view before the review of UKAD is complete. On that basis, I urge my noble friend to withdraw his amendment.
Lord Moynihan
My Lords, I am grateful to all noble Lords who have contributed. I will respond to the Minister first. I was disappointed that he did not respond to the suggestion of the noble Lord, Lord Clement-Jones, which I also touched on, namely, that it was important, if at all possible, to take away this amendment and consider it in greater detail so that the Government could bring it back at Third Reading. The Government have decided not to do so, and in so doing they have argued the following points.
The first was that there has been inadequate consultation—for example, no discussion between the BHA and myself. If I may respond to the noble Viscount, Lord Falkland, I had a conference call with, I think, four BHA people last Friday to discuss in detail the consequences of the proposed amendment. It was a constructive and helpful discussion. It was very important to them that they did not come under the umbrella of UKAD, and they would not. Amendment 31 says very specifically that the references are,
“to be read as references to … UKAD … , its successor bodies or a body designated by the Secretary of State”.
They asked me whether that would be a cumbersome process, and I said, “Certainly not”. The Secretary of State could respond to a letter pretty much immediately by saying, “Continue the good work that you’re doing”. That would be absolutely fine under the amendments I have tabled to Schedule 1.
This would apply to any organising group that exercises authority in anti-doping in this country outside UKAD, which covers the wide majority. Indeed, UKAD can test any athlete in this country, if it so wishes, at any level of competition. But there are organisations which will operate outside UKAD, for example the international federations and the International Olympic Committee. The other organisations which the noble Lord mentioned operate within UKAD in any event. Organisations such as the Football Association and the Rugby Football Union have a relationship with it to continue its good work, not least because those are Olympic sports, so they are covered in any event by the phrase,
“a body designated by the Secretary of State”.
I want further to assist my noble friend the Minister by suggesting that, instead of simply leaving it at that, every single point that he made could be covered by the regulations that he is being asked to bring forward under the Bill. There would be no uncertainty; there would be complete clarity, and we would have the opportunity to address those points in detail prior to that secondary legislation coming forward.
Why was it important to amend a general catch-all clause on sport to deal with these issues? It was important so that the BHA knew its position and could continue the good work with minimum bureaucracy, simply by a letter recognising that it continues the good work. I have heard nobody—not from the Bill team, which I met, not the policy advisers from DCMS and not the BHA, which I had a long conference call with last Friday—mention that there is anybody who seeks to change the way in which the BHA does excellent work in this area. It would simply be recognised on the face of the secondary legislation and so it should be—
Lord Ashton of Hyde
Does my noble friend not accept, then, that if the situation is exactly the same as now, he is proposing a new process which will possibly be subject to litigation and achieve exactly the same status that we have today?
Lord Moynihan
First, there is no evidence whatever that it is subject to litigation. If the Secretary of State—
Lord Ashton of Hyde
I am sorry to interrupt again. Of course there has not been any litigation because the system that my noble friend proposes has not been put in place.
Lord Moynihan
But there are no grounds for litigation. If the BHA is doing good work in anti-doping then, in the context of this paragraph, all that is being done is for that to be recognised within the legislation and by the Secretary of State in designating the BHA to continue its good work. Who would wish to litigate on that? Nobody is changing any relationship between the BHA, and those who work within it, and the excellent anti-doping policy that it currently runs. I am sure the Government would not want to change that.
The reason why this should be on the face of the Bill and in the secondary legislation—the regulations—is that this is of serious importance. We are asking athletes to give up a lot of personal data, and we should protect them when giving up personal data. It is important and right for an anti-doping policy that they should do so, but its importance should be recognised and my noble friend the Minister did not even mention it in his response. It is about the data management.
I conclude by saying simply this, and I will happily give way to my noble friend the Minister. If he is prepared, as I hope he is, to follow the initiative of the noble Lord, Lord Clement-Jones, which I fully support, on improving the wording of the amendment, I stand absolutely ready to find consensus with all governing bodies, the Government, the Bill team and everybody else who is interested in the subject, including all Members of your Lordships’ House, in order to find an improved amendment. I think the amendment works perfectly satisfactorily, and I have just tried to explain that to my noble friend and the House, but I am sure it could be improved by further discussions. Is my noble friend the Minister willing to take it away and bring it back at Third Reading? If he is, I will happily give way.
Lord Ashton of Hyde
I have to be very clear about what we are doing, particularly as this is the first group on our first day on Report. To be absolutely clear, I am not content to return to this issue at Third Reading of the Data Protection Bill because we have heard nothing that would suggest to us that paragraph 23 would benefit from further consideration at this time. I have to repeat that the wording on the face of the Bill was drawn up—this is a quote from the governing bodies that I mentioned—
“in close consultation with the sports governing bodies and the Sport and Recreation Alliance and we support the original wording as the right way forward”.
Lord Moynihan
I hear what the Minister said. We have had many discussions with different members of governing bodies and others who have argued that this provision could be improved. Indeed, the noble Lord, Lord Stevenson, and I sat opposite UKAD and governing bodies last Monday, so what the right hand in some of these governing bodies is doing is clearly not what the left hand is doing. I think this amendment is a significant improvement that protects the rights of individual athletes. That is what we should be doing in this Bill because it is about data management. Regretfully, because I hoped that the Minister would take this away and come back with a consensus on something better, I wish to test the opinion of the House.
Lord Ashton of Hyde
“Safeguarding of children and vulnerable adults
32A(1) This condition is met if the processing— (a) is necessary for the exercise of a safeguarding activity,(b) is carried out without the consent of the data subject so as not to prejudice the exercise of that activity, and(c) is carried out in compliance with any guidance issued under statute by a Minister of the Crown or a Scottish Minister or Welsh Minister as the case may be.(2) In this paragraph, “safeguarding activity” means an activity designed to—(a) protect children and vulnerable or protected adults from maltreatment,(b) prevent the impairment of children’s, or vulnerable or protected adults’, health or development,(c) ensure that children grow up in circumstances consistent with the provision of safe and effective care, or(d) enable children and vulnerable or protected adults to have the best outcomes. (3) This paragraph applies to a safeguarding activity carried out whether as part of a statutory function or otherwise by any holder of a public office, institution, authority, church or religious congregation, company, organisation, body, or association, whether or not having corporate status.(4) This paragraph does not apply to the activities of individuals acting in a private capacity.(5) In this paragraph—“child” means a person who has not attained the age of 18;“vulnerable adult” has the same meaning as in paragraph 7 of Schedule 4 to the Safeguarding Vulnerable Groups Act 2006;“protected adult” has the same meaning as in the Protection of Vulnerable Groups (Scotland) Act 2007.”
Lord Stevenson of Balmacara
My Lords, I intend to be brief, but not because this is a minor matter—quite the reverse. This is one of the biggest concerns that we should have about how we engage through the public view on the issues that affect many of our citizens. I am talking particularly here about safeguarding, especially in relation to sport, although it also has wider concerns, wherever an adult has responsibility for a child.
The public concern has mostly focused on issues such as football and swimming in recent months and the last few years, but there are wider concerns that have been dealt with under various inquiries, and we await the results. The narrow issue relating to this Bill is that those individuals or bodies that have a protective function of safeguarding children or, indeed, vulnerable adults, and need to process sensitive data, even though they have no legal obligation to do it and have no statutory function may be an issue that the Government wish to return to. There is no doubt that UK Anti-Doping has the powers that are necessary in sports. But when members of the public and their children are not being sufficiently looked after, extra vigilance must be taken, and we must ensure that the Bill in no way affects that.
I have tabled this amendment, sent to us by a number of bodies involved in sport, but there are other groups outside the sporting area with interests here. The Government are currently discussing these issues and hoping to come to a conclusion shortly. On that basis, I hope that the Minister can give us some indication of the progress that has been made here and, if he can, some sense of the timescale in which the Government will act. I beg to move.
Lord Ashton of Hyde
My Lords, I will be brief. Amendment 33 seeks to introduce a condition permitting the processing of special categories of personal data where it is necessary for the purposes of safeguarding children or vulnerable adults. The Government take the issue of safeguarding extremely seriously and recognise the need for the Bill to provide certainty to organisations with safeguarding responsibilities, so I thank the noble Lord, Lord Stevenson, for raising this issue.
Organisations in all sectors wish to ensure that they have a lawful basis when they process special categories of data for safeguarding purposes. In many—maybe even all—circumstances, organisations will be able to rely on existing conditions under the Bill: for example, where processing is necessary for the purposes of preventing or detecting unlawful acts or where the processing is necessary for the exercise of functions under legislation or under a rule of law. However, I recognise that there is an argument for having a specific safeguarding condition to put the issue beyond doubt.
This is an issue which requires careful consideration and noble Lords may be assured that my department is actively working across government and with stakeholders in the voluntary and private sectors to consider the issue. We must be mindful, for example, of the broader implications of defining safeguarding and vulnerability within data protection law. Inclusion of such definitions within the Bill could have unforeseen consequences for other legislation which uses the same, or similar, terminology. As such, I can assure noble Lords that the Government are sympathetic to the objective of this amendment. However, given the importance of this issue and the potential impacts both within and beyond data protection law, we are sure that further consideration is required before any amendment can be brought forward. I can assure noble Lords that we will continue to examine this issue urgently. While it will not be possible to conclude our consideration in time for Third Reading, I am confident of doing so in time for Committee stage in the Commons. On the understanding that we will return to the issue of safeguarding in the Commons, I hope that the noble Lord feels able to withdraw his amendment this evening.
Lord Stevenson of Balmacara
I am grateful to the Minister for giving such a precise response to this, not only on the substance, recognising the issue and confirming that it needs to be put beyond doubt that the powers will exist, but giving us the assurance that this matter will be brought back in the Commons, which is wonderful. I beg leave to withdraw the amendment.
Lord Clement-Jones
Lord Clement-Jones
My Lords, I will speak also to a number of other amendments to Clause 13 in this group. I regret that the rules of drafting on Report mean that I was not able to produce a consolidated clause; it is rather bitty in the way it is presented in the amendments, but I very much hope that the Minister will be able to interpret the bits as eventually forming a perfectly-formed whole and a much preferable alternative Clause 13. In addition to those amendments I will speak to Amendment 41, which constitutes a new clause after Clause 13.
Clause 13 concerns the prohibition and exemptions around significant solely automated decisions. However, it can be confusing. There are three grounds on which such decisions are permitted under the GDPR: to enter or to perform a contract, to give explicit consent or to be authorised under UK law. Clause 13 concerns only the safeguards for the last category. Therefore, our amended version of Clause 13 has the following important four aims.
First, it clarifies that an individual’s ability to claim that a decision had a significant effect on them—a prerequisite for triggering any of the protections that the GDPR has to offer relating to automated decision-making—can be grounded in a significant effect on a protected group under the Equality Act 2010. The Equality Act is a strong piece of legislation, but it contains no information rights for individuals to investigate suspicions of machine bias or illegal discrimination. Given that the Information Commissioner will already be overloaded with work, given the changes accompanying the GDPR and the speed of technological development, this is a simple and crucial check and balance that will strengthen enforcement of not just data protection but many UK laws.
Secondly, the amendments further clarify that in order to claim that a decision was not solely automated—and therefore benefiting from none of this clause’s protections—there must be “meaningful human input”. The Minister argued in Committee that this is,
“precisely the meaning that that phrase already has”.—[Official Report, 13/11/17; col. 1869.]
Unfortunately, we have reason for concern because, in respect of identical wording in the 1995 data protection directive, German courts, for instance, have previously read “solely” in a restricted, narrow sense. Therefore, having such clarification in the Bill would ensure that the Minister’s understanding of the protection afforded to data subjects is the protection they will receive. This clarification is in line with the article 29 working party guidance—I recognise that the Minister corresponded with me on the subject of article 29 guidance—but it takes us closer to an adequacy agreement if one is sought upon leaving the EU.
Thirdly, the Explanatory Notes in paragraph 115 promise a safeguard that is not found in any of the articles of the GDPR, nor the safeguards laid out by the Government: a right to,
“an explanation of the decision reached after an assessment”.
The cause of this is that its position is in a non-binding recital, and there is a contradiction between the recitals and the main text. This is easily rectified for the decisions authorised by law, as the purpose of Clause 13 is to specify safeguards for these particularly impactful and largely public sector decisions.
It is included as well to indicate—in a very similar way to a recent French law on exactly the same issue—what such an explanation should provide to be useful. These explanations are possible even with black box algorithms. I have tabled an additional simple amendment to include this safeguard explicitly for automated decisions authorised by consent or contract, not just those authorised by law.
Baroness Jones of Moulsecoomb (GP)
My Lords, I support Amendment 34 and will speak to Amendments 35, 93, 100, 101 and 102. I retabled these amendments because I think I did not make myself clear in Committee and some of the Ministers’ replies seemed confused. It was pacifying to be soothed in that way but I still have a problem. The noble Lord, Lord Ashton, said:
“All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis”.—[Official Report, 13/11/17; col. 1871.]
My point was that there is confusion between the gathering of evidence, the processing and decision-making. My amendments do nothing to inhibit automated data processing or seek to move us back to handwritten records. Automated data processing is unaffected by my amendments, which focus on decisions based on data, however the data is processed. Data could be gathered, processed and analysed completely automatically with no human involvement—a computer could even generate a recommended decision—but where human rights are engaged, the final decision must be made by a human being.
There was similar confusion in the replies of the noble Baroness, Lady Williams, in regard to law enforcement and intelligence service decisions. She said that,
“the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act”.—[Official Report, 15/11/17; col. 2073.]
Again, there is confusion between the processing, gathering of data and making the decision where human rights are engaged.
I repeat that my amendments allow for data to be processed automatically: they do not allow for a computer to make a decision contrary to someone’s human rights. Decision-makers can be supported by automated processing but the ultimate decisions must be made by a human being. We have to have this vital safeguard for human rights. After all the automated processing has been carried out, a human has to decide whether or not it is a reasonable decision to proceed. In this way we know where the decision lay and where the responsibility lies. No one can ever say, “We messed up your human rights. We interfered with your human rights and it is the computer’s fault”.
I am grateful to Liberty for drafting the amendments I have tabled and I hope that I have explained them fully and rather better than in Committee. I look forward to the Ministers’ replies. I feel strongly about this issue. These words have to be in the Bill so that it is absolutely clear that human rights are protected.
Baroness Hamwee (LD)
My Lords, I support my noble friend’s amendments. The points that he made apply almost entirely to Amendments 91, 92 and 94, which relate to later parts of the Bill, including particularly the phraseology “solely” and in Amendment 94 “solely” or “partially”.
I am pleased that the noble Baroness, Lady Jones, decided to retable her amendments. What she said can be summed up as, “Human rights, so human decision”. Human beings will ensure transparency and accountability in a way that machines simply do not. The Minister smiled when the noble Baroness said that she was not sure whether she was clear on the last occasion. I rather wish that I could ask her to give us the reassurances and concessions that that smile might have indicated, but I do not know.
These issues are extremely important. I was thinking about them over the weekend and, although it sounds patronising, the Government are entirely correct to ensure that human rights are engaged in these subjects. Given how central human rights are, they cannot be thought of as an occasional peripheral, particularly not as regards law enforcement and security issues. I have come full circle to thinking that the protection of human rights should be spelled out at the start of the Bill, which would take us back to our debate on Monday about an introductory clause covering the protection of a subject where the right is not absolute because of the criteria of necessity and proportionality. I think that that should be made clear in the Bill and it would put what the noble Baroness is seeking to achieve in her amendments in the right context. I support her in this.
Lord Stevenson of Balmacara
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I start by thanking noble Lords for their amendments, which bring us back to the important issues around the use of automated processing in what is an increasingly digital world. I apologise if my smile was misleading, I was just very pleased to see the noble Baroness in her place; it did not indicate anything other than that.
The range in which automated processing is applied includes everything from suggested views on YouTube to quotes for home insurance and beyond. In considering these amendments it is important to bear in mind that automated decision-making can bring benefits to data subjects, so we should not view these provisions simply through the prism of threats to data subjects’ rights. The Government are conscious of the need to ensure that stringent provisions are in place to regulate appropriately decisions based solely on automated processing. We have included in the Bill the necessary safeguards such as the right to be informed of automated processing as soon as possible, along with the right to challenge an automated decision made by a data controller or processor. We have considered the amendments proposed by noble Lords and believe that Clauses 13, 43, 48, 94, 95, 111 and 189 provide sufficient safeguards to protect data subjects of all ages—adults as well as children.
Lord Clement-Jones
My Lords, I thank the Minister for that helpful unpacking of the amendments. I hope that the ICO will read her speech because, in essence, it has helpfully brought together a series of glosses on automated decision-making and the rights of the data subject. My amendments tried to bring together those rights specifically on the face of the Bill. The fact that the Minister had to unpack them from quite a number of articles and recitals demonstrates just how opaque is the GDPR for many of us, including those of us who have spent many weeks in the salt mines—it is no less opaque than when we started. Her response was extremely helpful. I hope that some sort of explanatory memorandum produced by the ICO might help because many of us around the House are trying to future-proof the Data Protection Bill so that we do not have to keep coming back and invoking Clause 15, Clause 9 and so on—whatever our differences may be about Henry VIII powers. We want to come to some conclusions while the Bill is going through and really understand what the rights of the data subject are in the face of increasing use of algorithms and so on.
There are just a couple of areas in which I should push, in particular the article 29 working group guidance on “meaningful”. None of us really knows what the status of the article 29 working group will be. Will we have a 29 March 2019 working group? Does everything change after that or not? If we are relying on that kind of interpretation, we need to have a pretty clear idea and a pretty good statement from the Government that it will continue after Brexit.
Where I am still unpersuaded and thought the argument was not really as good as it could have been was over my Amendment 41, on recital 71. Children are not adequately drawn into the legislation or protected from automated decision-making—that was the reason for proposing that additional clause.
I will withdraw my amendment, but I will read very carefully what the Minister has had to say. I am sure we will have many more happy hours corresponding in this area, because it will provide grist to the mill for quite a number of observers who are extremely interested in the consequences of artificial intelligence and the data it uses. I beg leave to withdraw the amendment.
“Use of private personal data accounts
(1) Within the period of 12 months beginning with the day on which this Act is passed, the Commissioner must carry out a public consultation on the use of private personal data accounts by data subjects.(2) The consultation must include, but is not limited to—(a) how the rights accorded to data subjects under the GDPR and this Act, including the rights to rectification and to be forgotten, may be affected by having a private personal data account;(b) the conditions under which a data subject may make their personal data available to data controllers via a private personal data account; and(c) the remuneration arrangements which may arise between a data subject and a data controller through the use of a private personal data account.(3) In this section, “private personal data account” means a single account through which a data subject can store and share their personal data with data controllers.”
Lord Stevenson of Balmacara
My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.
Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.
We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.
The Earl of Erroll (CB)
My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?
There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street— suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?
Baroness Kidron (CB)
I, too, support the amendment. I raised this issue at Second Reading and pointed to the work of the ethics committee of the IEEE, which has done a lot of work on this. This is not as blue sky as the noble Lord suggested; this is indeed the direction of travel.
Lord Clement-Jones
My Lords, I am inspired by the last two speeches to add some words here. This is a very imaginative amendment. There is a great debate about ownership or control of one’s personal data, and this may be an elegant solution to some of that in future, although I suspect that the noble Lord, Lord Stevenson, may be right in his prediction about the Government’s response at this stage. Again, it is a bit of future-proofing that we really should think about.
If the Government do not like this, how do they think portability will work? If portability is to be a substantive right that can be taken advantage of under the GDPR, this is a very good way to make sure that data can then be inserted into a vehicle as a result of it having been sought in a portable way. This could be a very imaginative way to give teeth to the right of portability. I shall be extremely interested to hear how, otherwise, the Government think it will take effect.
Baroness Chisholm of Owlpen (Con)
My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
Lord Stevenson of Balmacara
I thank all noble Lords who have spoken in this short debate, particularly the noble Earl, Lord Erroll, for the idea about agency, which is an important construct that we will need to keep an eye on. He is quite right about that. I thank the noble Baroness, Lady Kidron, for reminding me, correctly, that I had got a lot of information from the IEEE, whose work on this I have praised before. I reiterate that: it has done a great job in trying to think through some of the bigger issues involved in this area. I also take this opportunity to acknowledge the debt I owe an organisation called HATDeX, which has been working in this area and from which I got the original idea of a private personal data account.
I agree with the noble Lord, Lord Clement-Jones, that this is something that will come back to haunt us. Obviously, as long as the Minister is there with her beaming smile, we will be able to resist all blandishments to come at it, but I think it will come and bite us. It was not an arbitrary thought of mine that it might be something that the ICO would want to look at it. I know from talking to the ICO that it is interested in this as well. I think the Minister is saying that the proposal, as it is, stands outside the Bill framework, but that is because the Bill focuses on a particular area, and perhaps that is a pity. But if it is not the ICO, who is it? I hope it will be the data ethics commissioner that we hope to establish in the future. I beg leave to withdraw the amendment.
The Deputy Chairman of Committees (Viscount Simon) (Lab)
I must advise your Lordships that if Amendment 42 is agreed to, I cannot call Amendments 43 or 44 due to pre-emption.
Schedule 2: Exemptions etc from the GDPR
Amendment 42
Baroness Hamwee
Baroness Hamwee
My Lords, paragraph 4 of Schedule 2, which this amendment would delete, deals with the provisions of the GDPR—that is, protections—which do not apply to immigration control. Government Amendment 44 alters that by removing some of the protections from the list; in other words, the protections would continue to apply in relation to the rights to rectification and data portability.
So what protections will the data subject forgo? I suggest that they are almost all basic safeguards, including: that the processing of someone’s personal information must be lawful, fair and transparent; that data must be processed accurately and kept up to date; that it be held securely; that the person to whom the data relates is informed of the data being held, for how long it may be held and for what purpose it may be used; and that the person to whom the data relates may inspect it and request its erasure. I am not clear what use the right to rectification, which will be retained, would be without one being able to access the data being held so that one could identify the factual inaccuracies. The Information Commissioner’s Office says that this will mean that,
“the system lacks transparency and is fundamentally unfair”.
The list may appear innocuous because not every paragraph in the articles listed is in play, but what is left are things such as that this right,
“shall not adversely affect the rights and freedoms of others”;
the best part of each of the articles listed will no longer apply. This is not a limited or modest modification of the basic safeguards but a wholesale removal.
What is the purpose of this? The purpose is for,
“the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the … provisions would be likely to prejudice”,
these matters. In other words, this is very far-reaching indeed.
Lord Kennedy of Southwark
My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.
I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.
The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.
Lord Clement-Jones
Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?
Lord Kennedy of Southwark
I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.
Baroness Williams of Trafford
My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.
Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.
The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,
“important objectives of general public interest”.
The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.
The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.
Baroness Hamwee
My Lords, the Minister is reading from her brief, but I do not think I made any of the statements it anticipated I would make.
Baroness Williams of Trafford
I have been badly advised somewhere. Shall I just get on with what I was going to say?
I made clear in Committee that the exemption is not a blanket provision applying to a whole class of data subjects. It is important to note that Schedule 2 does not create a basis for processing personal data. The exemptions in that schedule operate as a shield allowing data controllers to resist the exercise or application of the data subjects’ rights as set out in chapter III of the GDPR. It is the assertion or application of those rights that triggers the exemptions in Schedule 2. Given this, it is simply not the case that the Home Office, or any other data controller, can invoke the immigration exemption or, for that matter, any other exemption as a default response to subject access requests by a group of persons. Instead, an individual decision must be taken as to whether to apply the exemption in circumstances where a data subject’s rights are engaged.
Moreover, before a right can be restricted, the controller must be satisfied that there would be a likelihood of prejudice to the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. Only if that test is satisfied will the controller be able to apply the restriction on the data subject’s rights. I should also stress that this restriction should be seen as a pause button and not something to be applied in perpetuity to the data subject. If circumstances change so that the test is no longer satisfied in a given case, then the restriction will have to be lifted.
Having said that, I recognise the concerns that were expressed in Committee about the breadth of the exemption, and government Amendments 43 and 44, as the noble Lord, Lord Kennedy, said, respond to those concerns. These amendments remove the right to rectification and the right to data portability from the list of data subjects’ rights that may be restricted. On further examination of the listed GDPR provisions in paragraph 1 of Schedule 2, we have concluded that the risk of any prejudicial impact on our ability to maintain effective immigration control that might arise from the exercise of the rights in articles 16 and 20 of the GDPR is likely to be low.
Having clarified both the purpose of this provision and the way it will operate, and having addressed the concerns about the extent of the exemption, I would ask the noble Baroness, Lady Hamwee, to withdraw her amendment and support the government amendments.
Baroness Hamwee
My Lords, I am obviously disappointed by both those speeches. I agree with the noble Lord, Lord Kennedy, that immigration control should be effective and fair, which is precisely what I was driving at. He referred to balance; I quoted article 23(1), which requires necessity and proportionality.
I thank the Minister for her answers and for her response to Liberty. She talked about taking this “case by case”, but is that not how we deal with all our immigration control? We do not apply wholesale visa bans; we are not Trump’s poodle. Data requests are made on a case-by-case, individual basis, but you need to know what data is held in order to make the request.
The Minister referred to a “pause button”. I am afraid that does not, to me, have the air of reality or really offer any assurance in the real world.
Amendment 44 does not respond to our concerns. As I commented, you cannot exercise the right of rectification unless you know what is said about you. I feel we are hardly even talking the same language, although it gives me no pleasure to say that. I think I must seek to test the opinion of the House.
Lord Ashton of Hyde
“(1A) The GDPR provisions referred to in sub-paragraph (1) are—(a) the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—(i) Article 13(1) to (3) (personal data collected from data subject: information to be provided);(ii) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);(iii) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);(iv) Article 17(1) and (2) (right to erasure);(v) Article 18(1) (restriction of processing);(vi) Article 21(1) (objections to processing);(vii) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (vi); and(b) the following provisions of the GDPR (the application of which may be adapted by virtue of Article 6(3) of the GDPR)—(i) Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;(ii) Article 5(1)(b) (purpose limitation).(That is, the listed GDPR provisions other than Article 16 (right to rectification) and Article 20(1) and (2) (right to data portability).)”
“( ) the Prison Ombudsman for Northern Ireland, or” |
Lord Pannick
“Confidential trust information
The listed GDPR provisions do not apply to personal data in respect of which the controller is (or acts as agent or confidential adviser to) a trustee or other officer of a private trust to the extent that the data consists of information—(a) which records any person’s deliberations about the manner of exercise of a power or discretion under that trust, (b) which discloses any person’s reasons for any particular exercise of such power or discretion, or(c) upon which such deliberations or reasons were or might have been based.”
Lord Pannick (CB)
Amendment 48 is in my name and the name of the noble and learned Lord, Lord Walker of Gestingthorpe. It concerns the law of trusts, and I should mention, as the noble and learned Lord is unlikely to do so, that for many years he was the leading trusts practitioner at the Bar. During his career on the Bench, including in the Appellate Committee of this House, in the Supreme Court and in the Judicial Committee of the Privy Council, he gave many of the leading judgments that define the modern law of trusts.
I declare a much more modest interest as a practising barrister. I am not a specialist in the law of trusts but, as I explained in Committee, I know that the law has long recognised that a trustee is not obliged to disclose to a beneficiary the trustee’s confidential reasons for exercising or not exercising a discretionary power. The law recognises that if the trustee were to have such a duty of disclosure it would impede the trustee’s ability to perform his or her function, the effective exercise of which depends on confidentiality. The public interest is protected because the court has an inherent jurisdiction to supervise and, where appropriate, to intervene in the administration of trusts.
A recent Court of Appeal judgment, Dawson-Damer v Taylor Wessing, has prompted a concern of trust practitioners about the applicability of data protection law in this context. I have received powerful representations on this subject from the Trust Law Committee, which is a group of leading academics and practising lawyers. One of its concerns is that in other jurisdictions, such as Jersey, the data protection legislation contains express statutory restrictions on the right of a data subject to make a subject access request where that would intrude on the principle of confidentiality. Those who practise in this area are very concerned that offshore trusts, and offshore professionals providing trust services, are already actively encouraging the transfer of trusts business away from this jurisdiction because of data protection concerns. The irony in this is that data protection law may be driving trust business towards less transparent offshore jurisdictions.
The noble and learned Lord, Lord Walker, and I, accompanied by other trusts lawyers, had the benefit of a very helpful meeting with the Minister—the noble and learned Lord, Lord Keen—and members of the Bill team. I am extremely grateful to them for the very constructive discussions we had. I very much hope that the Minister, when he replies to this short debate—I hope it will be short—will be able to confirm three matters.
The first is that the Government understand and are sympathetic to the concerns raised by the Trust Law Committee, which I have just summarised. The second matter, which I hope the Minister can confirm, is that the Government’s view is that article 15(4) of the GDPR, which states that the right of access,
“shall not adversely affect the rights and freedoms of others”,
applies in this context to protect the confidentiality principle. The third matter, to which I hope the Minister will be able to respond, is that if that view is shown to be erroneous in future litigation—I anticipate the Government do not believe this will be the case, but if it were to occur—I hope the Government would consider using the delegated powers conferred by this Bill to enact a specific and express exemption. I recognise, of course, that the Minister will be unable to commit the Government to any future course of action. I hope that the Minister will be able to respond positively on those three matters. They would go a long way to alleviating the concerns of trusts lawyers. I beg to move.
Lord Walker of Gestingthorpe (CB)
I have added my name to the amendment proposed by my noble friend Lord Pannick, and I shall say a few words in support of it. I do not want to repeat any of the points my noble friend has made, but I shall say a little bit about the practicalities of the documents that are likely to be the subject of data access requests by a disappointed beneficiary who wants to circumvent by the use of these powers the traditional confidentiality of discussions between trustees, even if put down on paper, which has been established in English law for about 50 years or more.
Discretionary trusts are still very common—surprisingly, in a way, given the increasingly complex inheritance tax provisions that affect them. I am talking about trusts with English law as the proper law and trustees resident in this country, who pay all the income tax, capital gains and inheritance tax that is due from them from time to time. In my experience, trustees of long-term discretionary trusts are often not solicitors or accountants but friends or acquaintances—reliable people trusted by the settlor with important discretions. Solicitors and accountants are, of course, involved, but they get their fees for professional advice. The trustees themselves generally get no remuneration for taking on what are sometimes huge and increasingly worrying responsibilities.
Discretionary trusts commonly confer wide discretions over both the disposition of income and the eventual destination of capital—usually it is a trust over income and powers over capital, but I need not go into those technicalities. Often, there will be a large class of beneficiaries who can be the objects of the exercise of the trustees’ discretion, typically a settlor’s children and remoter issue, very often their spouses or some remoter relatives or friends—named, of course, rather than just left as “friend”—and named employees and retainers. All those beneficiaries are, in a sense, in competition with one another. They do not, of course, seek favours from the trustees, but the fact is that the trustees sometimes have to exercise very difficult decisions on how to spend resources.
It is the duty of the unremunerated trustees to keep themselves fully informed about the beneficiaries. They have to take account of births, deaths, marriages, separations and divorces; of success or failure in education, and in business or professional life; of disability or injury—and sometimes, sadly, of beneficiaries who have become addicted to drink, drugs or gambling. So let us imagine trustees of a discretionary trust who meet once or twice a year to consider how they will distribute income and whether they will distribute capital in the course of that year, or six months. In a sense, all the beneficiaries are in competition, and inevitably the confidential minutes of the trustees’ deliberations will record how the trustees approached those competing demands and how they measured up, as they have to in a sense, the claims of one beneficiary rather than another on the settlor’s bounty. It is a consideration by the trustees collectively of all the competing claims on the settlor’s bounty, yet the data subject, to use the phrase in the Bill, who will in this case typically be a disgruntled and disaffected beneficiary, is entitled to information about the data subject himself or herself alone. That is fundamental to how the provisions work, which is underlined by paragraph 14 in Part 3 of Schedule 2, which relieves the data controller, who in this case will be the solicitor or accountant who keeps the trust records,
“to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information”.
If one looks at the practicalities, the likelihood is that those confidential minutes would have to be so savagely redacted with the censor’s blue pencil as to be barely comprehensible—certainly, not giving any sort of true picture of how the trustees had operated. Redaction would be troublesome and oppressive to the trustees, but even more oppressive—and I come back to the central point made by the noble Lord, Lord Pannick—is the fact that the trustees, who are typically unremunerated and doing their best to do what is sometimes a very difficult job, would be compelled to disclose what was not redacted to the disaffected beneficiary: the data subject. For those reasons, which I have briefly given, and all the reasons given by the noble Lord, Lord Pannick, I support the amendment.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, I begin by thanking the noble Lord, Lord Pannick, and the noble and learned Lord, Lord Walker of Gestingthorpe, for taking the time to meet me and officials to explain in detail the concerns following the debate in Committee. The question about the interaction of the fundamental principles of trust law and the GDPR is a valid one that we understand, and which deserves a response.
In Committee, my noble friend the Minister conveyed that it is not our intention to compel trustees to disclose the kind of information described in the noble Lord’s amendment. The Government both understand and are sympathetic to the noble Lord’s concerns in this respect.
Article 15 of the GDPR confers a general right for a data subject to seek access to personal data held by a controller, but there are a number of exemptions, set out directly in both article 15 and in Schedule 2 to the Bill. The amendment of the noble Lord, Lord Pannick, seeks to add an additional exemption to Schedule 2 to preserve the confidentiality of trustees’ decision-making and to minimise the risk of disagreement between beneficiaries and trustees, to which the noble and learned Lord, Lord Walker, referred. The Government’s position remains that article 15(4) of the GDPR already prevents the disclosure of the material the noble Lord’s amendment is concerned with. This is because the Government consider that the,
“rights and freedoms of others”,
referred to in article 15(4) includes the rights of both trustees and other beneficiaries. Where disclosure under data protection law would reveal information about a trustee’s deliberations or reasons for their decisions that would otherwise be protected from disclosure under trust law, the Government’s view is that disclosure would adversely affect the rights and freedoms of trustees and beneficiaries in the trustees’ ability to make independent decisions in the best interests of the trust without fear of disagreement with beneficiaries.
While I appreciate the noble Lord’s concerns, rushing to codify what in trust law is generally referred to as the Londonderry principle would, we consider, be a disproportionate step. The wider potential risks and unintended consequences involved mean that pre-emptive action in this area, far from clarifying the position, might actually confuse it. Should the law be tested after Royal Assent and found wanting—which, I stress, the Government do not expect to happen—the delegated power in Clause 15(1) allows the Secretary of State to bring forward regulations to correct this. By that point it will be much clearer what deficiency, if any, has in fact been identified in the law and we would expect a Government to consider those powers in such circumstances. I hope that is a full and adequate response to the three points the noble Lord, Lord Pannick, made. In those circumstances, I invite him to withdraw the amendment.
Lord Pannick
I am very grateful to the Minister. He has responded positively to each of the points that I made. I know that the House is anxious to move on to reaffirming freedom of speech. Therefore, I will say no more other than to beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Keen of Elie
“(2) Sub-paragraph (2A) applies to the processing of personal data carried out for the special purposes if—(a) the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and(b) the controller reasonably believes that the publication of the material would be in the public interest.(2A) The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.”
Lord Keen of Elie
My Lords, exactly a month ago, we had an interesting debate concerning a range of amendments tabled by my noble friend Lord Black. It was a surprisingly consensual debate, and I am rather hoping for more of the same this evening. The noble Lord, Lord Stevenson, agreed that there were serious issues raised that needed to be addressed. The noble Lord, Lord McNally, agreed that the Bill needed amending to ensure that it did not undermine the work of investigative journalists. The Government have listened, as we have on so many issues raised by noble Lords, and we have tabled appropriate amendments.
Government Amendment 50 deals with the issue raised by my noble friend that the Bill applies the exemptions only where processing is for the special purposes. We heard the persuasive example of the media being penalised if, for example, the police sought the pre-broadcast disclosure of journalistic material in relation to an undercover investigation because they wanted to see whether the alleged wrongdoing uncovered by the broadcaster’s investigation merited further police investigation. We agree that it is unfair and our amendment puts this right.
Government Amendment 57 concerns the list of journalistic codes of practice that appears in paragraph 24 of Schedule 2, which is also the focus of a number of amendments tabled by noble Lords, from whom I am sure we will hear in due course. In Committee, the noble Lords, Lord Clement-Jones, Lord Stevenson and Lord Skidelsky, and the noble Baroness, Lady Hollins, all highlighted that the editors’ code is incorrectly described in the Bill as the IPSO editors’ code. Having looked at this further, we concede the point and the Government’s amendment removes the reference to IPSO. The legal effect of this is nil but we should use the correct label. We are grateful to noble Lords for bringing this fault to our attention.
Government Amendment 61 is a further concession to deal with further concerns raised by noble Lords. Article 36 of the GDPR would have required investigative journalists to consult with the ICO before instigating covert filming, such as when investigating allegations of abuse against vulnerable residents at a care home. Article 44 of the GDPR might disproportionately impact on collaborative investigative journalism, including the sharing of data across borders where appropriate, such as with, for example, the Panama papers. The government amendment allows journalists to be exempted from these restrictions where the public interest test is otherwise met.
Government Amendments 150, 156 and 161, as well as a number of consequential amendments, create journalistic defences to the offences in Clauses 161 and 162 in respect of unlawfully obtaining personal data or unlawfully reidentifying de-identified data. We accept the arguments of my noble friend Lord Black that what processing is permitted for the special purposes under Schedule 2 should not be criminalised later in the Bill. These amendments remove any doubt on this matter. We wish to ensure that we do not criminalise journalistic or whistleblowing activities that are believed to be in the public interest.
Government Amendment 162 removes paragraph (c) from Clause 164(3). This measure allowed the Information Commissioner to determine prepublication whether processing could be done without reliance on the special purpose provisions. Many noble Lords felt this was a power to allow the commissioner to overreach and interfere in journalistic decisions. I am grateful for the advice of the noble Viscount, Lord Colville of Culross, together with that of my noble friend Lady Stowell of Beeston, who took the time to come and see me about this provision and further explain its dangers. The noble Lord, Lord McNally, set out similarly powerful arguments in Committee. Following further discussions with stakeholders and the commissioner, the Government have concluded that giving the commissioner power to take such enforcement action in relation to data being processed for the special purposes before the journalist or author publishes their work goes beyond what we consider is the appropriate role of the commissioner as the regulator and enforcer of the data protection legislation. With Amendment 162, the circumstances in which enforcement action would be available to the commissioner in relation to the special purposes would be limited to that of the existing position under the 1998 Act.
I will respond in full on the other amendments in this group once noble Lords have explained their intent. I beg to move.
The Deputy Speaker (Baroness Garden of Frognal) (LD)
My Lords, I have to inform the House that if Amendments 50 or 50A are agreed to, I cannot call Amendments 51 or 52 by reason of pre-emption.
Baroness Hollins (CB)
My Lords, the government amendment is excellent and I support it. However, it does not go far enough. I have therefore introduced a manuscript amendment.
My Amendment 50A would simply add two further provisions—my Amendments 51 and 52—into government Amendment 50, and would do no more than what Lord Justice Leveson recommended: to rebalance data protection law and prevent speculative trawling for stories. Operation Motorman was a police investigation in 2003, which I have mentioned before in debate, and it found that private data was being stolen on behalf of newspapers. That information, taken from private, medical, police, local authority, bank and many other confidential records, was used for stories or to hack phones. Those findings were considered by Leveson, who also reviewed the submissions of media organisations, and he was able to cut through some of the rhetoric—the kind of rhetoric that we have seen splashed across several newspapers today. He found that data protection law was fundamentally imbalanced in favour of publications at the expense of the public. That is not right. Just as the Human Rights Act strikes a balance between Article 10 speech rights and Article 8 privacy rights, so the GDPR obliges us to strike the same balance on data protection. This is not just following our own precedent; it is the right thing to do and is a legal requirement.
This amendment would implement some of Leveson’s recommendations. First, it would change the test for the exemption to apply to ensuring that the data processing in breach of the individual’s rights was necessary for future or continuing publication rather than undertaken just with a view to publication, as in the DPA and currently in the Bill. This is Leveson recommendation 48A and would protect the public from fishing operations when journalists process data without any specific intention to publish. Let me be clear: the data itself would not have to be published but the processing would need to have been done with an intention to publish—that is all. Secondly, this amendment would ensure that the exemption should be available only where the likely interference with privacy resulting from the processing of the data is outweighed by the public interest in publication. This properly strikes the balance between privacy and freedom of expression—this is Leveson recommendation 48C—and this balance is specified in the GDPR.
These amendments are the product of representations from all sides at the Leveson inquiry which sought a compromise—a way to protect the free-expression rights of publishers and to ensure that the public are protected. I thank the noble Lords, Lord McNally and Lord Stevenson, who have supported this amendment, and I also acknowledge assistance from a number of sources including the victim-representative organisation Hacked Off. I hope the House will support these reforms to bring balance to data protection law.
Lord Brown of Eaton-under-Heywood (CB)
My Lords, in this group of amendments I support government Amendment 50 and oppose, therefore, the plainly incompatible manuscript amendment to which the noble Baroness, Lady Hollins, just spoke. Its incompatibility is surely obvious. First, and perhaps most critically, in proposed new sub-paragraph (2)(a) it would substitute the words,
“necessary for the future or continuing publication”,
for the Minister’s words,
“being carried out with a view to the publication”.
There would be two important consequences of that. First, as the noble Baroness said, it would involve establishing the necessity of processing, plainly a steeper and more exacting test to be satisfied than the test of processing “with a view to” publication. I respectfully suggest that necessity is too high a hurdle to demand with regard to processing data in these most important areas of our life—journalism, academe, art and literature. Linked to that, the proposed change would seriously inhibit prepublication preparatory work, most obviously and particularly work of investigation and research with a view to publication but which may in the end never result in publication.
As the noble Baroness also rightly told your Lordships, the second change from the Minister’s draft is the proposed addition by her of new sub-paragraph (2)(c), which again is designed to stand as a possible obstacle to the journalistic processing of data. Essentially, I am sure it will be accepted that Amendment 50A attempts to tip the balance rather against journalists and others who are seeking to invoke these exemptions. They tend to introduce a presumption in favour of privilege whereas I suggest it ought properly to be a presumption in favour of freedom of speech.
I would respectfully remind the House of Section 12 of the Human Rights Act 1998, which is headed “Freedom of expression”. It basically forbids any restraint on pretrial publication unless the court or tribunal,
“is satisfied that the applicant is likely to establish that publication should not be allowed”;
and it requires that particular regard be had to the importance of the convention right to freedom of expression and, so far as journalistic, literary or artistic material is concerned, regard also to the extent to which publication would be in the public interest.
I respectfully urge the Minister to stick with his draft, brought before us in the shape of Amendment 50.
Viscount Colville of Culross (CB)
My Lords, I declare an interest as a series producer at ITN Productions. I thank the Minister for responding so positively to the concerns expressed by myself and other noble Lords from across the House in Committee who were worried about the effect that Clause 164(3)(c) would have on free speech. I am therefore grateful to him for bringing forward government Amendment 162, and I also support government Amendment 50.
I have concerns about my noble friend’s Amendment 50A. It replaces the phrase,
“with a view to the publication”,
with the term “necessary”—which, I fear, would cause huge problems for journalists, authors and academics. The present wording in the Bill allows them to take the view that material can, and indeed should, be appropriately retained, even if it is not for publication. This could be necessary to respond to any possible legal or editorial complaints which might arise from the publication of a programme or article. Surely noble Lords would want these complaints or legal actions to be responded to as fully and accurately as possible. The ability to defend a publication surely supports the act of publication itself. This amendment would not allow data to be retained for those purposes.
I am also concerned that data collected which might not be used in the original publication could be crucial in supporting subsequent stories on the subject. In Committee I referred to the investigation by the Sunday Times of drugs cheating by the cyclist Lance Armstrong. Initially, Mr Armstrong sued the paper for defamation. But, despite settling, the newspaper persevered in its investigations, which ultimately led to Mr Armstrong confessing that he was indeed a drugs cheat.
Keeping hold of data in many investigations can be crucial, even if it is not necessarily obvious at the time whether it should be so. The Hillsborough inquiry and subsequent stories over 20 years relied heavily on unbroadcast BBC footage from the Hillsborough football stadium at the time of the tragedy. It provided vital information for subsequent inquiries and inquests. Surely noble Lords would not want that sort of material, which might seem unimportant at the time, to be deleted. I therefore ask the Minister to stick to his guns and reject Amendment 50A.
Lord Lester of Herne Hill (LD)
My Lords, we had rather strong debates in Committee and I am not going to repeat any part of those. I have thought about how I could best help the House at this stage, and I think it is by stating what I believe the law to be and why Amendment 50A, if carried, would put the Bill in breach of the Human Rights Act and the European Convention on Human Rights.
When the Bill was first introduced, the Minister certified, as is required under the Human Rights Act, that in his view it was compatible with the convention rights; those being the right to free speech, the right to personal privacy and the right to equal treatment without discrimination. The amendments that the noble and learned Lord, Lord Keen, has introduced in this group would pursue the convention rights and, if carried, as I hope they will be, make sure that the Bill continues to be compatible with the convention rights.
In the light of the speech by the noble and learned Lord, Lord Brown, it would be quite unnecessary and wrong for me to go through the relevant law in any detail. But perhaps I can help the House a bit by giving a very brief summary of why I consider the government amendment compatible, and the amendment put forward by the noble Baroness, Lady Hollins, or those supporting Hacked Off and all the rest, incompatible.
The position is this. Article 10 of the convention protects the right to free speech and freedom of the press, subject to necessary and appropriate exceptions. One exception is, of course, personal privacy, which is guaranteed by Article 8 of the convention. The test the convention uses, as interpreted by the European Court of Human Rights, is a pressing social need test. The starting point is free expression and any restriction or limitation on that right must be in accordance with legal certainty and must be proportionate. The Human Rights Act requires that all legislation, old and new, including this Bill, must be compatible with the convention rights. It also requires courts to read and give effect to the convention compatibly with those rights.
Together with the noble Lord, Lord Pannick, I edited a textbook, the third edition of which we published in 2009. It has a whole chapter on free speech and another on privacy. What I am trying to summarise now, we spelled out in that large textbook some years ago. I am trying to help the House by giving a legal opinion on what I consider the law to be. I very much hope that the noble and learned Lord, Lord Keen, will correct me if I have got it wrong in any respect, because the House needs to know that if it were to support Amendment 50A, it would, in my view and that of the noble and learned Lord, Lord Brown, put the Bill in breach of the convention and the Human Rights Act. The Minister could then no longer certify that it was compatible with the convention rights.
Lord Pannick
My Lords, I declare an interest as the co-author with the noble Lord, Lord Lester, of Human Rights Law and Practice, available in all good bookshops. I declare an interest also as a practising barrister. I have represented newspaper groups many times in relation to privacy and freedom of speech issues, but I have also represented individuals complaining about breaches of their privacy—individuals as diverse as Max Mosley and Her Majesty the Queen. Noble Lords may remember that the contents of Her Majesty the Queen’s breakfast tray were disclosed in the Daily Mirror by a footman who was, in truth, a foot-in-the-door man from that paper. I speak, therefore, from legal experience.
I agree entirely with what was said by the noble Lord, Lord Lester, my noble and learned friend Lord Brown of Eaton-under-Heywood and my noble friend Lord Colville. We should be very slow indeed to limit the scope of the exemptions for journalists and in relation to academic, artistic and literary material. Without these exemptions, as defined in government Amendment 50, journalists cannot do their job effectively: you cannot investigate child sex abuse in Rotherham, corruption in Tower Hamlets or any of the other examples that have been given if those you are investigating are entitled to see the data you are processing that relates to them. Such data may not be “necessary” but it may be material that needs to be retained and published. It is as serious as that.
These are not theoretical concerns. Earlier this year, Mr Justice Popplewell dismissed a claim by James Stunt, a businessman who was married to one of Bernie Ecclestone’s daughters. Mr Stunt complained about a number of articles in the Daily Mail and the Mail on Sunday, claiming rights under the Data Protection Act 1998. The judge dismissed the claim, stating in paragraph 56 of the judgment that journalism would be discouraged or impeded,
“if the subject had access to the detailed extent or direction of the investigation, of the information gathered or of the intended story”.
That is right. In my view, government Amendment 50 adopts the right approach with its focus on the reasonable belief—not any belief, but the reasonable belief—of the data controller that publication is in the public interest.
It gives me no pleasure to say that many of the amendments in this and the next group are not concerned with promoting the ability of journalists and others to carry out their essential functions under Article 10 in relation to freedom of speech and freedom of information. They pursue a different agenda: either to encourage newspaper groups to join Impress as their regulator or to punish the press for the wrongdoing of some of its members. I say to noble Lords that that should not be the concern of this Bill, which should focus on protecting freedom of information in relation to data.
I cannot agree with manuscript Amendment 50A. It would provide a field day for those seeking to impede academic work, artistic and literary expression, and journalism that they do not welcome. It would inevitably create a chilling effect on work in academia, the arts, literature and journalism. I simply do not understand how a necessity test would work. When the journalist, the academic or the artistic or literary individual is conducting the processing, they cannot know whether it is necessary for future publication—they may reasonably believe that it will be or that it may be, and that is enough. Manuscript Amendment 50A, if accepted, would seriously damage freedom of expression in this country. As the noble Lord, Lord Lester, said, it would be a blatant breach of Article 10 of the European Convention on Human Rights.
Lord Prescott (Lab)
My Lords, I cannot give this House a legal opinion but I can give an opinion based on experience. I declare an interest: I attended the Leveson inquiry because I was on the end of illegal tapping of my phone. Public interest was not defined there; it was defined by the editors of the papers. They said it was not illegal, but clearly it was.
I support what the noble Baroness has said tonight. She is absolutely right and I am glad that there is a lot of support for her amendment. However, I am concerned that it addresses only a small part of what Leveson recommended. He made recommendations about public interest—it is an important issue and I welcome the amendment—but even though we all voted unanimously for the royal charter and the proposals of Leveson, we keep hiding away from debating his main recommendations. He made 37 recommendations and only 12 have been implemented. We have taken a small step forward but to have a serious debate about public interest you have to cover all the things that Leveson recommended—and we do not do that. We have to ride on the back of a single piece of legislation, and the answer always comes that it is not realistic to put such a proposal in the legislation. I am glad that tonight there has at least been agreement—presumably by both sides, for whatever political reason—that we have to move to do something about the important issue of public interest.
I will not go on about that. I have a couple of questions for the Minister, which I hope he will answer. I wonder whether we are taking into account here the hacking actions that are going on at present in the courts. The Government have always said that they will wait until the courts have finished, but hacking actions are continuing. Statements have been made in court that hacking is still going on, involving and paid for by some members of the press.
The royal charter involves the monarchy in politics. It is where the divisions are and why I resigned as a privy counsellor. I thought it was designed to keep the monarchy out of it, but now it is right in the middle of it as we get more and more into whether we are for or against the Leveson proposals. Is it still the Government’s policy that they will wait until all the court trials have finished before they give their view of the many recommendations in Leveson? Is it the position that the Government do not want to accept Leveson’s recommendation for a second inquiry into the relationship between the police and the press, which is still at the heart of many of these problems at the present stage?
To show that I am intellectual, I read in the Times—which is not a paper I support—an editorial headed “Free Speech in Peril”, which covers the very things we are discussing at the moment. It states:
“A number of peers have seized on a chance to curb press freedom by meddling with new data protection legislation. They should desist”.
I hope that tonight we will not desist but will carry it through.
The charge levelled in the Times—that this is an attack on press freedom—is signed by 70 newspaper editors. In fact, that means it is signed by seven owners of different papers. Seven cabal owners decide to describe Leveson as a big attack on press freedom, so why is it that the same papers that object to interference, in regulatory form or by government, all sign up for press regulation in Ireland? Every one of the papers we are talking about, which tell us that we are threatening freedom, have now signed up recently. I do not know whether they are less democratic or whether their freedom is threatened in Ireland, but they are the same people. It is hypocrisy.
Have the Government looked at what they have done in Ireland? A Minister is in charge in Ireland, not an independent regulator as proposed by Leveson. In Ireland a government Minister—a direct political person—decides whether the press is acting in a responsible way and, presumably, in the public interest.
The amendment is a small step forward and there is a long way to go yet, without a doubt. I hope that we will give more consideration to those factors. Basically, there is a lot more to be done. I am thankful that the Government, as I have heard, are supporting the proposal of the noble Baroness, Lady Hollins. It is a small step but there is a lot more to be done. These threats to press freedom are not coming from the politicians but from the press—and it is about time we took account of that.
Lord Black of Brentwood (Con)
My Lords, as these amendments deal with the media, I declare my interest as executive director of the Telegraph Media Group and draw attention to my other media interests in the register.
I will say a brief word first about Amendment 50 and the other government amendments in this group. These amendments seek to deal with a number of the problems raised in Committee by noble Lords across the House, as my noble friend said. I have a number of times during the course of the Bill commended the Government for their commitment to consultation on all the issues impacting on media freedom and for their willingness to discuss them with interested parties. I am grateful to my noble friend the Minister for the way in which he has approached these issues and I strongly support the amendments.
Manuscript Amendment 50A, like Amendments 51 and 52—especially in combination with later amendments with which we will deal in due course—point, I fear, in absolutely the other direction. The issue surrounding them has been eloquently and cogently set out by the noble and learned Lord, Lord Brown of Eaton-under-Heywood, and the noble Lords, Lord Lester and Lord Pannick. I could not improve on what they have said in any way, shape or form. Those amendments would, in short, cripple investigative journalism for all the reasons the noble Lord, Lord Pannick, set out.
Above all, they would create a deeply repressive data protection regime for all those involved in journalistic, academic, literary and artistic activities. It is not only journalists on national newspapers, who are so clearly targeted by these amendments, who would be punished but the local press, broadcasters, academics, film producers, playwrights, book producers and many others. As they all use data regularly in the course of their activities, it would make their day-to-day work almost impossible. This House, which contains so many people drawn from academia, the arts and the world of literature—I see many around me here today—has always prided itself on championing the UK’s creative industries. How ironic that we should even be debating these repressive amendments, which would be a body blow to the entire sector. They would place all those who work in it—many tens of thousands of people—at a huge disadvantage compared with their colleagues and competitors in the rest of Europe and elsewhere in the world.
On the amendments concerning the designation of codes by which the media should reference the public interest in publication, Amendments 54 and 56 seek to downplay the role of the Ofcom code, BBC guidelines and the Editors’ Code of Practice, all of which the 1998 Act sought to safeguard, and Amendment 55 would sweep them out completely. Amendment 55 seeks to give a statutory regulator, the Information Commissioner, power to determine codes of practice and guidance for the purposes of operating the journalistic exemptions and applying the public interest criteria within the Bill. This, again, is a significant departure from the terms of the 1998 Act, which has worked so well.
The Information Commissioner could choose not to determine particular codes even though they are recognised by the courts and elsewhere in legislation. She could even draw up and determine her own codes and guidance, without any reference to the long-established regulators of the broadcasters and the press, which would then have legal status. Even to a non-lawyer such as me, codes and guidance with legal status determined, drawn-up and administered by a statutory regulator is a system of statutory press regulation in the making—to which the vast majority of Members of this House say they are opposed—and is therefore a dangerous step which we should not take.
Lord Low of Dalston (CB)
My Lords, in the absence of the noble Baroness, Lady O’Neill, I shall speak in support of Amendment 58, which is in the names of the noble Baroness, Lady O’Neill, the noble Lords, Lord Lipsey and Lord McNally, and myself.
The Bill contains an exemption for publication which is for journalistic, academic, artistic and literary purposes and is in the public interest. In determining whether publication is in the public interest, regard must be had to,
“any of the codes of practice or guidelines listed in sub-paragraph (5)”,
of paragraph 24, which is in Part 5 of Schedule 2. The codes of practice listed in sub-paragraph (5) are the,
“BBC Editorial Guidelines; … Ofcom Broadcasting Code; … IPSO Editors’ Code of Practice”.
The purpose of Amendment 58 is to add to that finite list a further, open-ended category of codes to cater for any other relevant code of practice approved by the Press Recognition Panel. The immediate effect of the amendment would be to add the Impress standards code to the list of journalism standards codes recognised in the Bill, because so far it is the only one which has been approved by the Press Recognition Panel.
The Bill rightly recognises that journalists may sometimes have occasion to process and publish people’s personal data. On the rare occasions when a journalist has occasion to breach someone’s data privacy, the Bill requires them to show a reasonable belief that doing so was in the public interest. The Bill itself does not include a public interest test. Instead, it refers to three codes which do: the BBC Editorial Guidelines, the Ofcom Broadcasting Code and the IPSO Editors’ Code of Practice. Our amendment would add a fourth code, or rather a class of codes, to the list:
“any code which is adopted by an approved regulator as defined by … the Crime and Courts Act 2013”.
This modest amendment would bring the Bill closer to the recommendations made by Sir Brian Leveson following his inquiry into press standards and press regulation. It would also reflect the changing nature of news publication in this digital age. An approved regulator as defined in the Crime and Courts Act 2013 is a regulator that is compliant with the Leveson recommendations as distilled in the royal charter on self-regulation of the press. The royal charter requires an approved regulator to have an independent board, to have effective powers and remedies, to provide a low-cost arbitration scheme for civil disputes and to take responsibility for a standards code. According to the charter, the standards code of an approved regulator,
“must take into account the importance of freedom of speech, the interests of the public … and the rights of individuals”.
In particular, it must include appropriate “respect for privacy” where there is no sufficient public interest justification for breach.
The charter also states that a regulator can be approved only if it provides,
“non-binding guidance on the interpretation of the public interest that justifies what would otherwise constitute a breach of the standards code”.
In other words, a regulator can be approved only if its code properly balances the interests of freedom of speech with appropriate respect for privacy and if it provides guidance on what this means in practice. In order to be listed, an approved regulator must not just be likely to have the right kind of code; it must be guaranteed to do so.
At present, the only approved press regulator is Impress, the Independent Monitor for the Press, which was recognised by the Press Regulation Panel in October 2016 after a nine-month application process. The decision of the Press Recognition Panel to approve Impress has recently been upheld by the High Court, which dismissed an application for judicial review brought by the News Media Association on all six counts. In due course, other regulators may be recognised.
The system we envisage is not exclusive and more than one regulator at a time may enjoy approved status. In this way, Amendment 58 allows for changes in the regulatory landscape. So long as a regulator has successfully completed the rigorous approval process, its standards code would be included; if a regulator withdraws from the recognition system or loses its approved status, its code would no longer be included.
Impress now regulates 78 news publications across the UK that reach almost 7 million readers every month. A further 36 publishers have applied to join. Without this amendment, these publications would not enjoy the same protections as members of IPSO, which does not meet the Leveson criteria and is not externally accountable. In these circumstances, for the Bill not to contain a framework that covers Impress and other Press Recognition Panel-approved publishers beyond the three codes currently listed would be perverse.
Lord Lester of Herne Hill
I am grateful to the noble Lord, Lord Low, for giving way. I rise to answer the question that he put to the noble Lord, Lord Pannick, on what he thought of the amendment. Speaking for myself, I cannot think of any objection to including the Impress code as well as the IPSO code. In my speech, I did not say anything about the IPSO code because I thought it was inappropriate in this debate. I have a detailed brief about that from Sir Alan Moses but I will not talk about it any more because this is not a competition between IPSO and Impress.
Lord Low of Dalston
I am grateful to the noble Lord for that intervention, which I think supports my contention that there is nothing in the inclusion of the Impress code that strikes at the heart of press freedom.
As I was saying in concluding my remarks, it would be perverse if the Bill did not include a code such as that of Impress but one of an organisation that is not approved by the Press Recognition Panel and does not meet Leveson criteria, such as IPSO. I hope that the Government and the Minister accept that, but at the very least I hope that the Minister will be prepared to assure the House that the Government are not opposed to the Impress standards code being listed in the Bill.
Viscount Hailsham (Con)
My Lords, I follow what the noble Lord, Lord Low, said, which is of considerable importance. In doing so, I address Amendment 55, which has not yet been spoken to by the noble Lord, Lord Stevenson. I have both an observation and suggestion to make and I would be very grateful if he could let me have his views on them.
I suggest to your Lordships that Amendment 55, as it stands, goes too far, in that it gives great power to the commissioner, who is in no way subject to parliamentary control. Given the nature of the powers to determine appropriate guidance and practice, that is undesirable, on the face of it. That said, I have considerable sympathy for the proposition that the commissioner should be involved in the formulation of policy and in identifying amendments to the list. One way to address that is as follows: under subsection (6) of the clause we are dealing with, the Secretary of State has a power to make regulations that amend the list, which is itself subject to affirmative procedure. If we were minded to do so, we could make it explicit that the power exercised by the Secretary of State under subsection (6) should be used after representations made to him or her by the commissioner, and furthermore that, in any event and at all times, the power to amend the regulation should be used after consultation with the commissioner. If we went down this road, it would enable the commissioner to play a proactive role in shaping a very important list; in any event, it would involve the commissioner in the policy-making process.
Lord Keen of Elie
It may have gone unnoticed in Committee, because we considered no fewer than 432 amendments, but I say this in the context of Amendment 55—to be spoken to by the noble Lord, Lord Stevenson—and in the light of observations made by the noble Viscount, Lord Hailsham: the then Amendment 181 amended Clause 169 to ensure that when regulations are made to amend the list of codes of practice, the Secretary of State must consult the Information Commissioner.
Viscount Hailsham
That is extremely helpful and I am grateful to hear it, but I do not think that it says that the commissioner can be proactive in the regulation. The point made by my noble and learned friend is that the Secretary of State must involve the commissioner in discussions but it does not make it explicit that the commissioner can be proactive by making suggestions to the amendment of the list. My suggestions are twofold and I would be grateful if the noble Lord, Lord Stevenson, would share his thoughts on the matter.
Baroness Cavendish of Little Venice (Non-Afl)
My Lords, I want to briefly bring us back to Amendment 50A of the noble Baroness, Lady Hollins. I declare an interest; I have been a journalist for about 15 years and have won several prizes for investigative journalism. One of my campaigns, which exposed miscarriages of justice, led to the Blair Government changing the law in 2009. Looking back on that case—and the Rochdale and Rotherham sexual harassment and grooming cases, which I was involved in as part of the investigative team at the Times—I feel that the use of “necessary”, which the noble Baroness is suggesting, is fraught with more difficulty than it may appear.
It is perhaps difficult to understand quite how difficult it is for journalists to do some of the deep, preparatory investigative work that results in some of these exposés. The vested interests arranged against the exposure of some of these cases are phenomenal; the legal remedies available are quite significant. Indeed, I think someone mentioned earlier that, only two years ago, the Sunday Times was faced with the threat of an injunction and civil proceedings for the publication of what turned out to be completely accurate information about doping among gold-medal athletes. That paper was protected under the Data Protection Act 1998, but the cases were brought under that Act. It is important to remember that journalists do not have the entirely free hand that we perhaps imagine.
I find myself standing in this Chamber, which has historically been a bastion of freedom, and looking at a series of largely well-meaning amendments that would amount to a shift towards presumption of privacy, which would protect precisely the kind of vested interests that I have spent part of my career challenging. I come back to the point about necessity: as the noble Lord, Lord Pannick, suggested earlier, it is extremely difficult to understand, as a journalist, how this would work in practice. The definition of what is necessary seems extremely difficult. I foresee that that would be a gift to those who have an interest in preventing the investigation and publication of their activities—some of whom would be perfectly innocent and some of whom would be precisely the kind of people that this House would want to expose, I hope—because it would enable them to debate the definition of necessity and to delay investigation, potentially stopping it altogether. Delay is an enormously powerful weapon—do not underestimate it—when people are up against newspapers; do not forget about local newspapers, which sometimes have extremely limited resources.
I am deeply worried about the wording of the amendment; I would prefer the House to support Amendment 50.
Lord McNally (LD)
We need to get to the Front Benches soon. I am sorry but I think the Times newspaper has had quite a good run tonight.
Lord McNally
We have heard from journalists, we have heard from lawyers—come on.
Before we hear from the Front Benches, I want to say that it would be perfectly good to have this debate and listen to all these distinguished speakers if we were looking at a few tweaks to the 1998 Act, which otherwise had run perfectly smoothly, and if in the 20 years since then we had seen nothing to perturb us about how the law was working. The truth is that we are operating against the background of Lord Leveson’s report. I have the greatest respect for the noble and learned Lord, Lord Brown, my noble friend Lord Lester and the noble Lord, Lord Pannick, as all three of them know, but I also have the greatest respect for Lord Leveson. I saw him week after week in one of the most public examinations of how the law was working that we have ever seen in this country. It revealed abuse on an industrial scale by many of the people who have spoken about their profession tonight.
Viscount Hailsham
Does the noble Lord accept that the amendment he supports will tilt the argument against free speech and chill the ability of the press to publish?
Lord McNally
No. The amendment I have put forward is exactly the finding of Leveson—that what was wrong in the 1998 Act was an imbalance the wrong way. That is what Leveson found and suggested that Parliament put right. There may be many other ways of putting it right, but to say that what Leveson did was somehow to be totally ignored ignores not only Leveson itself but the findings and support of both Houses of Parliament. Since Leveson and the setting up of the royal charter—I was the Minister involved with that—nobody could have tried more than that set of Ministers to find a solution that was as far away from state regulation as we could possibly find.
Lord Low of Dalston
The noble Lord said that Leveson found that the press had abused its position and looked to Parliament to put it right. Would the noble Lord not agree that Parliament has put it right with Section 40 of the Crime and Courts Act 2013, but that the Government have not given effect to that provision?
Lord McNally
I am grateful for that accurate intervention. The noble Lord, Lord Berkeley, asks from a sedentary position what the answer is. The noble Lord, Lord Low, is right: the Government have not gone ahead with Section 40. The Government have sat on their hands.
All I will say in conclusion is that the media can roll out all their lawyers and journalists, and they can write their editorials suggesting that we are attacking press freedom: they know it is rubbish and not true. Unless the Government deal with the real hurt, problem and exposed faults of the media, this will continue. A sensible, smart Government—one advised by the noble and learned Lord, Lord Keen—would deal with these problems now rather than let it drag on into 2018, as it will. We will vote for the amendment.
Lord Finkelstein
I hope the noble Lord, Lord McNally, will forgive me, but I feel his comments require response. I recall at a university meeting when we had to discuss rules for debate, one student started a speech with, “I’m a liberal, but I’m against free speech”. I notice we have a very large turnout of both small “l” and big “L” liberals in the House, which usually suggests we are about to ban something. I am very sorry to be on the other side from the noble Lord, Lord McNally, who has been my inspiration and mentor for many years, but I have to disagree with him on this.
First, the proponents of these various amendments argue that these changes are not an attack on free speech but, in practice, they are. They tilt the balance against investigative journalism, scrutiny of the powerful and legitimate inquiry. The high bar introduced of necessity would have a chilling effect for anyone who has worked on practical investigations. What will happen is not so much that the law will be used, but that it will never be used because investigations will not take place.
Secondly, the proponents say that this is not about state regulation of the media, but it is. It will be done in two ways. The Information Commissioner will end up with so much power that he or she will become a press regulator whether or not he or she wishes to. That would be the impact of Amendment 55. At the same time, newspapers will be pulled against their will into Impress, which has been the burden of several remarks in this debate. That is also an aim of Amendment 55. It is simply nonsense to say that all that is being sought is voluntary self-regulation when the failure to volunteer or regulate in a state-approved way and be licensed by a state body is backed up by repeated attempts to penalise and punish, as these amendments would do.
Thirdly, the proponents say that all we will be doing is controlling behaviour, not content. I am afraid that this is wilfully naive. Impress has been named as a regulator. That choice by the panel is instructive. The behaviour of the staff and board of Impress, the body the panel has approved, shows quite clearly the agenda being followed. Its chief executive has been sharing views such as:
“John Lewis is bringing its name into disrepute by advertising in a Neo-Fascist rag”,
and:
“I do like @StopFundingHate’s campaign to defund racist media”.
This means it cannot claim to be the independent regulator the noble Lord, Lord Low, talked about. This is apparently acceptable as charter-approved behaviour, yet some noble Lords are critical that national newspapers are suspicious of the charter and fear Impress.
My fourth point is very important because the noble Lord, Lord McNally, said this in Committee. I respected it and listened to it. He said that newspapers have “got away with it”. This is not the case. People went to jail, newspapers closed and the regulatory system changed utterly. Those of us working in the industry all know and agree that there has to be change. Anyone who thinks that there has not been has not read a newspaper or been in a newspaper office since the scandal broke. I respect and understand the pressure for change, but you have to take “yes” for an answer.
Finally, there is a suggestion that the public are crying out for further regulation and more inquiries. People who advance this argument must have been in different constituencies from me. The attempt to hijack Bills to bully the press into compliance is a diversion from the public interest and there is no public pressure for it. Of course, it is right to insist on high standards of behaviour, but to introduce amendments designed to help powerful people keep secrets and to make free publication harder is an odd position for liberals. All I ask is that we do not remove protections in Britain enjoyed by Europeans. Normally, this rallying cry is very effective in this House. Let us hope that it is today.
Lord Stevenson of Balmacara
My Lords, I had better deal with Amendment 55, which is in my name and that of my noble friend Lord Kennedy. I am loath to do so at any length, so I simply say that it will be answered by the Minister when he responds. He has partially given me the answer and it would be wrong for me to anticipate the rest of it. I reassure him that I do not intend to press that amendment.
This debate is not about free speech; it is the latest exchange in a long-running debate on how in a democratic society we enshrine the press’s freedom to publish as it sees fit, root out the culture of abuse, illegality and criminality which has for too long involved all the newspapers at some point or other, and make sure that victims can get effective redress when such abuse happens. We should not lose sight of those cardinal aims.
If the House believes that everything in the garden is rosy, as the previous speaker tried to persuade us, we can of course do nothing and simply allow the Data Protection Bill to go forward as amended. I agree that the Minister has moved a long way and agree with the noble Lord, Lord Black, that we could now rely on the processes and procedures that have worked so well since 1998—for nearly 20 years. They could be allowed to continue, because they are tried and trusted and seem to do most of what we require.
But it is not like that. One could not listen to my noble friend Lord Prescott and the noble Lord, Lord McNally, for any length of time without feeling that there is still a canker. Something needs to be cut out of what we currently do and we are failing as a House if we do not do what we must to get this right. We have a lot of problems. We had a cross-party agreement; that has gone. We have let down the victims grievously time and again. We are unable to discuss this without accusations of a ridiculous nature being thrown at us about our intentions and processes. We need to do this properly; we need to do it coolly and with some consideration. We need evidence of the changes that are affecting the press. Is it true that the traditional press as we know it is going down the tube? Is it true that fake news, other news sources and the other things that our children are reading and reporting to us will destroy our understanding in a democratic society of what it is to be informed about the way things are done? Will we lose the extremely good points made by the noble Baroness, Lady Cavendish, who said that she was an investigative journalist and proud of her record, which is exemplary? We want that to continue, but we do not want people such as the noble Baroness, Lady Hollins, to suffer as a result of it. We have to be mature about this; we have to get it right.
I have an amendment, Amendment 165, to be taken on Wednesday 10 January—buy your tickets now—which will rehash a lot of our discussion today. It is focused on running a proper inquiry into what needs to happen now to deal maturely with the issues which the press does not wish to be regulated. It tries to find a way forward, to investigate the illegality of the past and learn lessons from it. Above all, it seeks to get a handle on this whole issue and come forward with a proper set of recommendations that we can implement. I hope that the House will look at that carefully when we come to it. In the interim, my advice to the noble Baroness, Lady Hollins, whom I admire for the fantastic work she is doing and I want to be with her on it, is to withdraw her amendment now and live to fight another day on 10 January.
Lord Keen of Elie
My Lords, the noble Baroness, Lady Hollins, has reminded us a number of times in this House of the need for suitable press regulation, and she has some interesting arguments. I am grateful for the time she took earlier this week to meet me and explain her perspective and concerns. However, the position remains that the Government cannot accept her Amendment 50A. The Government support objective, high-quality journalism and a free press. We are committed to ensuring there is a sustainable, effective business model for high-quality media. Of course, we also need a fair system and this Bill is designed to strike a fair balance between individual privacy rights and the right to freedom of expression. The noble Lords, Lord Lester and Lord Pannick, and the noble and learned Lord, Lord Brown of Eaton-under-Heywood, have just alluded to the requirement in law for us to maintain that balance. I do not seek to repeat that, but I gladly adopt the observations they made about the need for balance in the context of convention rights with regard to privacy and freedom of expression.
Lord Elton (Con)
The noble Lord, Lord Low, in an intervention on the noble Lord, Lord McNally, referred to a provision, the name of which I do not recall. They both agreed that that, if implemented by the Government, would resolve the problem. Can the Minister say what the position is on that?
Lord Keen of Elie
It would not necessarily resolve any problem. As noble Lords may be aware, we have consulted on the question of Section 40 and the second part of the Leveson inquiry and there will in due course be a report upon that consultation. I notice that the noble Lord, Lord Stevenson, has assisted my lip-reading by saying “soon”. He may be aware that a letter was recently sent by the Secretary of State to the Committee with regard to the timing of that report. If not, I can bring that news to him. Sir Brian Leveson himself has indicated that he would like the opportunity to consider the responses to the consultation and that will take a little time—of course, that has to be accommodated.
Lord Puttnam (Lab)
Will the Minister do the House an enormous favour and make it clear that this not a debate between people who favour press freedom and people who are opposed to press freedom? There is nobody in your Lordships’ House who is opposed to press freedom. It is very important for all our sakes that this is made absolutely clear.
Lord Keen of Elie
I hope that I indicated that in my earlier comments but I make it clear that we are all concerned with maintaining the very delicate balance between the right to privacy and press freedom.
Baroness Hollins
“(2) Sub-paragraph (2A) applies to the processing of personal data carried out for the special purposes if—(a) the processing of the personal data is necessary for the future or continuing publication by a person of journalistic, academic, artistic or literary material,(b) the controller reasonably believes that the publication of the material would be in the public interest,(c) the likely interference with privacy resulting from the processing of the data is outweighed by the public interest in publication.(2A) The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.”
Baroness Hollins
My Lords, I want to take a moment to respond to some points made by noble Lords who do not support my amendment. I suggest that they protest too much. Some noble Lords have suggested that the necessary test is too high, but I stress that the amendment simply requires an intention to publish, not a requirement to publish. I also understand that in 1998 the noble Lord, Lord Lester, argued that the provision “undertaken with a view” was too speculative. He did not support it at that time, so it is surprising that he opposes my amendment today.
My advice from eminent lawyers is that these amendments do not in any way breach human rights law. Instead, they reinstate an equal balance between freedom of speech and personal privacy. Nor is there any reason why, for example, this amendment would require footage from Hillsborough to be destroyed. It would stop newspapers hanging on to data illegally for any unspecified period. That is just one of the good things this amendment would do. The amendments would not allow debate on necessity from the subject of a planned story. The subject would not know about it, and many journalists have commended the importance of these amendments.
I have thought about these amendments. I think there has been some wilful misrepresentation of the role of the Press Recognition Panel. None of the amendments in this or the later group would favour Impress over any other recognised independent regulator. The noble Lord, Lord Black, implied in Committee that he believed that IPSO would meet the Leveson criteria if it applied to the Press Recognition Panel for approval. It could move towards recognition, so to say that this is about trying to favour Impress is nonsense.
I remind the House that my family was subject to data-fishing trips with no genuine public interest. Have the media changed their behaviour? I suggest not and I give a couple of quick examples. IPSO is not the game changer that has been suggested. It is still not a very clean game. I remind noble Lords of a couple of front page code breaches followed by tiny footnotes for a correction with no equivalent prominence. “1 in 5 Brit Muslims’ sympathy for jihadis”.
“Queen backs Brexit”. These reflect some of the most important topics being debated in the country today, yet they are not corrected adequately. Or the Mirror front page: “Ebola terror as passenger dies at Gatwick”.
In fact, nobody had Ebola, there was no terror because nobody knew about it and it was not at Gatwick. The Mirror printed a tiny apology and IPSO did nothing about it. Or the lady who lost a huge amount of weight and agreed to a feature in a local magazine which described her successful weight loss. She said she had had to shower before she lost weight because she could not fit in the bath. The Daily Star picked up the story: “Too fat to wash! Grubby gran who weighed 27 stone didn’t bath for 20 years”. This was not true, was not the story and IPSO did nothing.
I have listened to the Government’s arguments. All that Amendment 50A does is to raise the bar for processing data to be “necessary” for an intended future publication. I am an academic myself. I argue that the ethical standard of the processing of personal data being necessary is a standard that is already in place in our universities. These are Lord Justice Leveson’s recommendations. He considered that the Data Protection Act was not in balance. I think that it is right that the public’s privacy rights and publishers’ free expression rights are properly balanced to protect the best of both. We will not make progress in achieving this balance by some of the hyperbole we have seen in the press and in the House today about these amendments. We will make progress by listening to all sides, considering the arguments and coming to a reasoned conclusion. That is what Sir Brian Leveson was appointed to do.
I have heard the suggestion of noble Lords that it is not the right moment to vote on this amendment and that there is going to be an opportunity to debate these issues further in the new year, by which time, perhaps, we will have the result of the consultation that was begun as an urgent 10-week consultation a year ago, on the day that a previous amendment in a similar vein was to be voted on in the other place. We have still not got the report from that consultation. I think I want to wait to see what is going to emerge from the consultation and I hope that it will be forthcoming before we reach Third Reading.
Data Protection Bill [HL]
Wednesday 13th December 2017
(7 years, 3 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
The Deputy Speaker (Lord Geddes) (Con)
My Lords, Amendment 50 having been agreed, I cannot call Amendments 51 and 52 due to pre-emption.
Amendment 53
Baroness Hollins
Baroness Hollins (CB)
My Lords, I thank the noble Lords, Lord McNally and Lord Blencathra, for supporting this group of amendments, which flow directly from three fundamental principles with which I believe the majority in your Lordships’ House will agree. First, we are entitled to the same rights over our personal private data as we are to our personal privacy and family life; secondly, a healthy democracy requires that journalists are free to expose corruption, incompetence or wrongdoing in high places; and thirdly, it is imperative that we protect citizens from those who might seek to abuse those protections and in doing so cause great personal distress.
Perhaps it would be helpful to offer some context here. Last week, several of the many foot soldiers who have assisted newspapers to obtain information illegally came into Parliament to describe the sheer scale of that abuse at a meeting for a group of parliamentarians. Two of them have written to noble Lords supporting these amendments. Their revelations were extraordinary, going far beyond what is in the public domain, and not just confined to tabloid newspapers. We heard how individuals of interest to the press were remorselessly targeted in the quest for stories—ordinary people, whose personal and private data was harvested and exploited, not to advance the democratic ideal of public interest journalism but to sell more newspapers. I do not know whether these practices have stopped, but new titles are still being implicated. Even if they have stopped, the competitive pressure on newspapers makes it possible that they will start again. We heard how hard it was for these whistleblowers to speak up and how others employed to engage in similar illegal practices have been silenced with money. I publicly applaud their courage and note the extraordinary stress and fear that they live under because of their positions. They were being employed to do illegal acts at the behest of newspaper proprietors and editors. It was not about freedom of speech—it was an abuse of power. The main perpetrators were not the foot soldiers, yet they are the most likely to be held to account. That is why we need adequate protection for the public, and for journalists, who may be prevented by the editors from speaking up.
The Bill quite properly imposes constraints on how businesses, institutions and even charities can use our private data, but it will allow the rules to be broken under certain circumstances. It is our responsibility to scrutinise the Bill to ensure that those who are permitted to break those laws—to breach the data privacy rights by which everyone else is bound—are in fact acting in the best interests of democracy and not simply on a journalistic whim: to put it crudely, a fishing trip, or something purely for personal or corporate gain.
In that spirit, this group of amendments would achieve a number of things: to address the current imbalance in the Bill whereby the newspaper’s right to publish overrides a citizen’s right to a private life; to enhance the protections in the Bill for public interest investigative journalism; to implement recommendations in the Leveson report in respect of data protection law; to protect the public from data misuse; and, finally, to provide an incentive for newspapers to sign up to an independent regulator so that the public can have faith that their interests are being safeguarded.
This group of amendments, working together, follows the recommendations of Sir Brian Leveson’s report in respect of data protection legislation, specifically the special purposes exemption and his recommendations to reform the Data Protection Act 1998 in line with public interest. When these recommendations were put to the Government in 2012, their response was to ask us to wait for the right legislation to be debated in Parliament. This is the right Bill.
Amendment 53 removes the existing clause in the Bill that gives the right to free expression precedence over the right to privacy. In Committee, the noble and learned Lord, Lord Keen, argued that removing the clause that elevates free expression above privacy would be incompatible with the GDPR. However, my advisers suggest that article 85 of the GDPR allows for exemptions only where they are necessary to reconcile the protection of personal data with the freedom of expression. There is no special importance for free expression; the rights must be balanced. Our default position must surely be compliance with the GDPR.
Amendments 54 and 56 are designed to ensure that when public interest is being considered for the purpose of the journalistic exemption, the codes assist journalists whether or not their publication is governed by one of the designated codes. The present wording would mean that, for example, a Guardian journalist—whose publication is not governed by any of the codes mentioned—would not have to consider any of them. Changing two of the words in the Bill—“must” to “may” and “relevant” to “appropriate”—provides more flexibility.
I move on to Amendments 59 and 64. Leveson said that, to protect investigative journalism and sources, all publishers should continue to enjoy several important exemptions. However, after hearing evidence from lawyers, newspapers and victims, Lord Justice Leveson concluded that a number of exemptions in the 1998 Act were superfluous to the purposes of investigative journalism and should be removed to protect the public from abuse, and could be done so at no risk whatever to genuine public interest journalism. These amendments offer a compromise.
Where Leveson recommended that certain exemptions be entirely removed—recommendation 49(a) to (f)—my amendments would retain them for newspapers that have demonstrated their commitment to accountability by joining an independent press self-regulator. Furthermore, having listened to the noble Lord, Lord Black, in Committee, I have tried to reflect his wishes by including some new exemptions in Amendments 60, 62 and 63 for such newspapers. Belonging to a self-regulator that has been recognised under the Leveson system is the mark of a publication that understands the need for independent, effective and transparent accountability. Such publishers should be entitled to the full list of exemptions, because the public can have faith in their commitment to public interest journalism.
However, neither we nor the public can have faith in publishers that continue to insist on marking their own homework. These amendments would allow those publishers to keep the exemptions necessary for genuine investigative journalism in the public interest and to protect their sources. But they would lose access to those exemptions that Leveson deemed to be superfluous and open to abuse.
Publishers committed to genuine investigative journalism have nothing to fear from these amendments. If they wish to enjoy access to the longer list, they need only join a recognised independent self-regulator or bring their own self-regulator up to the minimum standards of effective, independent scrutiny and redress that the public have a right to demand. I will not go through each of the exemptions to which publishers would lose access should they reject independent regulation as it would detain your Lordships’ House for too long—they are listed in the amendment itself. Moreover, they are listed in the Leveson report, and cover such basic requirements as for data to be kept accurately.
Amendment 217 would ensure that these provisions would be passed into law on Royal Assent, so that the Government could not use the same tactics of executive non-commencement as they have done previously, going back on commitments on press reform.
Lord Black of Brentwood (Con)
My Lords, in speaking to Amendments 59 and 64 I remind the House of the declaration of interests that I made on the previous group of amendments.
It will not surprise noble Lords or the noble Baroness that I am wholly opposed to these amendments, which are pernicious in their effect. This is because they fly in the face of the GDPR, which under article 85, as I understand it, mandates us to ensure that there are exemptions for journalistic activities. The amendments set their face against a successful domestic legal regime established by the 1998 Act which, thanks to the work of Gareth Williams and his colleagues on the Labour Front Bench at the time, has worked so effectively for two decades to balance rights to privacy and free expression. They single out legitimate journalism for special punishment in breach of the Human Rights Act. Above all they are simply a crude form of bullying—that is the best word I can use—to force the press into a state-sponsored system of regulation.
It is not only the national press that would be affected by the noble Baroness’s amendments but the whole of the local press, from the Maidenhead Advertiser—a great newspaper—to the Barnsley Chronicle, and many thousands of magazines such as Reader’s Digest, Country Life and Angling Times. It would also stifle international media, including the Wall Street Journal and Huffington Post. What these many thousands of publications have in common is not that they have been intruding on individual privacy, harassing people or anything of that kind, but simply that they do not want to be part of a system of regulation established by the state and changeable by politicians. They want to be part of a system of self-regulation which has existed in this country for 300 years.
That judgment has not been entered into lightly; it is a matter of deep-seated belief. Even Sir Brian Leveson, whose name has been bandied around a great deal in these debates, expressly acknowledged it as principled. It is also a choice which is entirely lawful. If these amendments were passed they would wholly undermine a fundamental tenet of public law—that it is unlawful to punish someone who has done nothing wrong. Given that the choice of publishers to be part of the Independent Press Standards Organisation and not of Max Mosley’s regulator is both principled and lawful, it is impossible to see how singling them out for special treatment could ever be compatible with the ECHR and the EU Charter of Fundamental Rights. I do not believe this House would want to put itself in such a position.
Nor should this House—the defender of our democratic values—want to introduce a legal regime which would undermine legitimate investigative journalism, and that is what these amendments would do. As we heard with the last group of amendments, journalistic exemptions are absolutely vital to enable investigation to take place and to develop. The Telegraph’s exposure of MPs’ expenses, for example, would have been impossible without these protections because it relied on handling of data. Is the noble Baroness really saying that she wants to put on the statute book laws that would make it impossible to subject this House to such scrutiny? I do not expect so.
These are contentious issues which arouse great passion, as we saw with the last group of amendments, which is one reason among many why they should not be played out in a highly technical Bill about data protection and one which is rightly constrained both by the terms of the GDPR and the Human Rights Act. The Bill as amended in Committee—building on the successful operation of the 1998 Act and making it fit for purpose in a digital age—is carefully crafted and balances rights to privacy with the equally fundamental right of free expression. It protects both individuals and free speech. The House will interfere with that balance, which is the foundation stone of our democracy, at its peril.
Lord Pannick (CB)
My Lords, I repeat my declaration of interest as a barrister acting in privacy cases including, I should mention in relation to this group, acting for the NMA in its unsuccessful attempt to challenge the recognition of Impress, a case which continues.
I shall speak first to Amendment 53. It seeks to remove paragraph 24(3) of the schedule which recognises,
“the special importance of the public interest in freedom of expression and information”.
I am surprised that the noble Baroness is seeking to remove that provision because it has been the law of this country for centuries. Because it has been the law of this country for centuries, a provision to almost identical effect appears in the Human Rights Act 1998 at Section 12(4). It is also the approach taken by the European Court of Human Rights in relation to Article 10. The idea that our law should no longer recognise the special public interest in freedom of expression is therefore a surprising one and would lead this country’s law into conflict with our international obligations under Article 10.
I shall speak also to Amendments 59 and 64 and express my agreement with what has just been said by the noble Lord, Lord Black. If enacted, these amendments would deprive journalists throughout the national and local media of all the exemptions under the Bill unless their employers choose to register with a regulator approved under the royal charter. The question for noble Lords is: why should a journalist on the Financial Times, or indeed on the Borehamwood Times, lose exemptions under this legislation and be hindered from doing his or her job effectively because the newspaper by which they are employed decides that it sincerely does not wish to be regulated by a royal charter regulator?
The fact of the matter, which is quite clear, is that Amendments 59 and 64 seek to use this Bill for what is a wholly extraneous purpose, seeking to compel newspaper groups into submitting to regulation under the royal charter or, as the noble Lord, Lord Black, put it, bullying newspapers in that respect. This Bill is simply not an appropriate vehicle for such an exercise.
Lord Berkeley of Knighton (CB)
My Lords, I have listened to the debate for several hours and I am growing increasingly worried about one or two things. In a sense I am going to act as a devil’s advocate. I believe passionately in a free and inquisitive press. For many years, I was one of its number both in the written and the spoken word. I believe that the press is absolutely vital to holding us all to account. But I have begun to feel that, in castrating Leveson’s work to such an extent, the public are going to lose confidence in public inquiries. Let us hope that that does not happen with Grenfell, although the residents of that tower, who live two roads away from me, are already beginning to think so.
Last year I attended a meeting in a committee room where Gerry McCann, PC Jacqui Hames and Hugh Grant spoke of their quite awful experiences. It is important that we remember the victims and recite these woes. I have not heard any expression of acceptance on this side of the House, or concern about some of these matters. I would go with noble Lords much more about not loosening things if I heard some kind of admittance that there are problems.
Lord Pannick
The answer to the noble Lord was given by the noble Lord, Lord Finkelstein, in the previous debate. The fact is that many of these individuals have justifiably brought civil claims against the newspaper groups concerned. They have recovered and are continuing to recover very large sums in damages, and no doubt rightly so. The News of the World closed down because of its conduct and individuals went to prison in circumstances where they broke the criminal law. That is the answer. No one is suggesting that terrible things were not done, but there are existing legal remedies and they have been applied.
Lord Berkeley of Knighton
I am grateful to the noble Lord, who obviously knows a great deal about the matter—more than I do. I still think that we should question the ability for this to happen in the future. Surely the whole point of the Leveson inquiry was to tighten things up so that this would not happen so much. When I listen to people talking about what happened to them and how they felt that they had very little recourse—although they took civil action and some of them won—I accept that newspapers shut down, but my goodness, perhaps they should have done. These things are right.
In listening to the debate, I was very impressed by the speech of the noble Lord, Lord McNally. It is not that I do not believe in the press—believe me, I think that the press does a wonderful job, by and large—but even those of us who are involved in doing wonderful jobs do so because we can look at ourselves and say, “We got this wrong”. That is what I have not heard enough of. My noble friend Lady Hollins is having a rather tricky time; she is up against some big guns.
What do the future victims have if they do not have recourse to law—if they believe that Leveson was the answer and we gradually remove most of his recommendations, which is what we seem to be doing? Perhaps noble Lords are right; perhaps in law we should be getting rid of them, but I am worried that the public will begin to think, “What are these inquiries? Why does the status quo always remain exactly the same?”. That is why I wanted to speak up for my noble friend Lady Hollins. We must think a bit more about people whose lives are sometimes ruined just by innuendo. As we have heard, they might get a tiny apology at the bottom of the page, but the damage is done—and it can be terrible.
Lord Puttnam (Lab)
My Lords, I first congratulate the noble Baroness, Lady Hollins, on withdrawing her amendment, which I thought was extremely wise and thoughtful. She does us a great favour by constantly bringing us back to these issues.
I try to take the long view. I declare an interest: I am the extremely proud son of a journalist. My father was not any old journalist; he was one of only two people who were evacuated from Dunkirk twice, because he was sent back to report it twice. I am very proud of my father; he was a remarkable journalist and a very fine man. That is why I am passionate about this subject. I apologise to the noble and learned Lord, Lord Keen, if I intervened inappropriately at the end of the last debate. I was trying to make it clear that this House does not contain people who oppose freedom of the press; if we could just agree on that, it would be something of a triumph.
The noble Lord, Lord Pannick, for whom I have enormous regard, and the noble Lord, Lord Black, both used an interesting word: “bully”. The idea of using the word “bully” in the context of a debate such as this, as if it excludes the notion of press bullies, is obviously farcical. I ask the noble Lord, Lord Pannick: when a headline appears that accuses three High Court judges of being traitors, is that fair comment? Is that damaging? Does that provide for the type of democracy he would like to see this country moving towards, or does it irrevocably drive it backwards? As a remainer, I am sick to death of being accused of being somehow undemocratic and apparently opposing the will of the people. That is as much rubbish as is the notion that I might be opposed to freedom of the press.
The noble Lord, Lord Berkeley, is exactly right. We must be more sensible about this. There is fault on both sides. We are not where we would wish to be. The 1998 Act—I was here when it was passed—was a very good act, but it is not sufficient for our present circumstances. It has been ignored by some highly unscrupulous editors. The present regime of apology is ludicrous; the other day, I put that to the noble Lord, Lord Black. I am not sure if he agrees, but it is a joke. We must be more sensible about moving forward on this issue, so I applaud the noble Baroness, Lady Hollins, for taking a long view. We must do the same, but we must also adopt a very determined, clear and moral view to get this right.
Earl Attlee (Con)
My Lords, as I made clear in Committee, I wish to see the recommendations of the Leveson report, which strikes the right balance between the interests of the public and free expression rights of the press, be enacted in law. I say to my noble friend Lord Black that there is certainly no intention to punish anyone.
We already have the architecture in place: the royal charter and the Press Recognition Panel, which applies tests suggested by Leveson and made under the royal charter. There is already one approved regulator in place. The only role left for the state and the Government is for Section 40 of the Crime and Courts Act to be commenced and to deal with some of the detailed data protection issues. We do not need to do much more and we certainly do not need to start again.
These Leveson changes are the only way to achieve a thriving, free and independent press that is immunised against a very rich target for investigation, as well as to provide appropriate protection for the public from abuse. I therefore have no hesitation in strongly supporting the amendments in the name of the noble Baroness, Lady Hollins. I remind the House that I have never been mistreated by the media and I do not know any celebrities, except those who are or have been parliamentarians.
In Committee I also made it clear that one of the factors that stung me into action was the copious misinformation and wrongful propaganda published about press regulation and Leveson’s recommendations by elements of the press. This tactic of publicising falsities about the recommendation in the Leveson report also motivated the DCMS committee in another place to criticise press misreporting about Section 40 and other matters in its submission to the government consultation on press regulation earlier this year.
Probably one of the most palpably false media claims is that the implementation of Leveson is unnecessary. Many noble Lords have already touched on that. The media says that the regulator it has established and controls, IPSO—which fails the Leveson and royal charter tests for independence and effectiveness—is already sufficiently robust. Many noble Lords clearly do not believe that. IPSO helpfully mailed a fact sheet last week to some noble Lords. I was pleased to see that it has already been subject to a rebuttal by a further mailing from Professor Brian Cathcart.
I was alarmed to see some particularly erroneous details in IPSO’s mailing. They cannot be left unchallenged. For instance, IPSO claims that it had ordered 17 front- page references. The truth is that not once in three years of work has IPSO required a national newspaper to publish a recognisable correction on its front page, no matter how profound the original breach. I have to confess that I do not regularly read a certain broadsheet newspaper that many noble Lords would expect me to read. I do not find it to be a reliable source of information, very sadly. So I subscribe to the Economist, but even that august newspaper last week disappointed by publishing a correction about a forgivable error in the previous week’s report on transgender rights that was in small print and at the bottom of a completely unrelated article about Labour Party polling.
Moreover, IPSO argues that its complaints process puts great emphasis on complaints between publication and the complainant being resolved with, it says, more than 600 resolutions in its three years of operation. But what does “resolution” mean? The reality is that in many cases, as with the failed PCC, complainants become so worn down by the process that they give up or accept weak and inadequate remedy. Furthermore, when cases are supposedly “resolved” there is no recording of a code breach, which means that essentially nothing is kept on record by IPSO to show that the newspaper has failed to meet the appropriate standards.
As for IPSO’s claim to offer Leveson-style arbitration, Leveson said that it is critical that arbitration is compulsory for news publishers, yet IPSO’s scheme allows the publishers to choose whether to accept an arbitration claim. In other words, the whole system is optional. This means that those with the strongest cases but with limited means can be refused arbitration, forcing them to go to court—if they can afford it—whereas a multi-billionaire can threaten very expensive legal proceedings against the newspaper. That is exactly what Leveson feared and it renders IPSO’s whole scheme redundant. This is not access to justice for all; it just protects the ultra-rich and elites but leaves ordinary aggrieved citizens with no protection. It is no wonder that, after 18 months, IPSO’s trial arbitration scheme has had no takers.
Lord Blencathra (Con)
My Lords, I am very pleased to support the cross-party amendments in this group, spoken to so ably by the noble Baroness, Lady Hollins, to remedy imbalances in the Data Protection Bill and provide new incentives for the press to join a properly independent system of self-regulation, which is what Leveson recommended and both Houses of Parliament agreed.
Let us remember what led to the establishment of the Leveson inquiry: we had revelations of data breaches on a massive scale. I have never met Hugh Grant—I have not even seen any of his films—but I suppose that one can say that film stars and politicians, as we are public people, are perhaps considered fair game by the media. I do not believe that, but it is an understandable point of view. However, we saw ordinary members of the public and anyone vaguely of press interest being targeted. That meant victims of crime, the bereaved and other totally innocent, private people. Medical records were stolen, mobile phones were hacked and bins were sifted through. Often, there was no public interest or even a suspected story. It was speculative—or “fishing”, as it is known.
Before we get bogged down in legal arguments that this is not the right Bill for these amendments, let us go back to basics and remember the one glaring example that started all this off. A little girl called Milly Dowler disappeared and the media hacked into her voicemails even before her murdered body was found. Despicable as that was, the police did nothing about it, because it was accepted that it was par for the course and that journalists did that sort of thing. That was the view I had as a Member of Parliament in the other place; we took it for granted that that would happen. It was part of the police/media mutual back scratching. Police tipped off friends in the media about arresting the actress Gillian Taylforth performing what was called “a sex act” on her boyfriend in a Range Rover and the media returned the favour by giving some crime story greater coverage in order to help the police.
All parties at the time recognised the need for reform and the Leveson inquiry was established. The inquiry was established to make recommendations to protect freedom of expression and take the matter of press regulation out of the hands of government and give it to an independent body. That is the proper way to reform regulation of the press: a public inquiry the recommendations of which all sides sign up to. Governments of left and right are always vulnerable to pressure from the press, whether it is from Murdoch, Dacre or other individuals, to sway policy in their direction, often at the expense of the public. Let us be honest that no Government have been immune from those pressures. All Governments run scared of doing anything on press regulation when the press might criticise it and not back the party at the next election. That is no way to settle policy, least of all when it overrides the will of both Houses of the British Parliament.
These are not new points; they are a summary of Sir John Major’s evidence to Leveson. I am supporting these amendments today in order to bring those reforms into effect, as Leveson recommended and as Parliament intended and voted for. As noble and noble and learned Lords have said, it is vital that newspapers have access to the exemptions necessary for investigative journalism—Leveson recommended that. We are all defenders of free speech. Newspapers that wish to continue to enjoy the broadest range of exemptions need only sign up to an independent regulator, whereupon they will enjoy not only all of the exemptions already in the Bill, but three new exemptions added by these amendments.
Let us be clear that we mean an independent regulator, not the in-house, fey, bogus, patsy system that the media have created for their own benefit and which is no better than the discredited Press Complaints Commission. We have heard enough examples from noble Lords tonight to show that they have failed to do their duty. We have a cross-party, judge-recommended way forward on these matters. We should take it and take press regulation policy out of the hands of government and into Leveson’s independent system. It is probably just as well that the noble Lord, Lord Prescott, is not here for this debate. In my 40 years in Parliament I have never agreed with anything he has said except every word tonight. I assure noble Lords that it would be as terrible a shock to the noble Lord to hear it as it is to me to say it, but he is absolutely right—we have implemented only a trivial amount of Leveson.
Noble and noble and learned Lords have said, “This is not the right Bill”. There never is a right Bill, unless the Government bring in a press regulation Bill, which I can understand that no Government would want to do. So we are forced to try to implement Leveson by tacking a bit on to this Bill, hoping that there will be another criminal justice Bill next year so we can tack another bit on and gradually, bit by bit, getting Leveson implemented. Of course, the Government could easily implement Section 40, which would give us 90% of what Leveson wanted. These amendments, or implementing Section 40, are the only ways to protect the public while ensuring freedom of the press. I hope that noble Lords from all sides of the House will support these amendments tonight—or, if not tonight if we do not have a vote, in the new year.
Lord Brown of Eaton-under-Heywood (CB)
My Lords, I shall make very few remarks and confine them to Amendment 53—which I oppose, I should say at once. In my arguments addressed to an earlier group, I referred to Section 12(4) of the Human Rights Act, to which the noble Lord, Lord Pannick, referred again this evening. He is plainly right: if you look at the text of that, the amendment and paragraph 24(3) of the schedule—which the amendment would excise—you see that the amendment makes no sense. It would leave out precisely what is already there, which mirrors what is already in Section 12 of the Human Rights Act. If ever there were such a thing as a constitutional Act, that is. It has a considerable place in our overall constitution.
I have been searching the Leveson inquiry report, not least the paragraphs devoted specifically to the press and data protection. I certainly hope to be corrected if I am wrong, but I cannot find any suggestion by Lord Justice Leveson—Sir Brian Leveson, not Lord Leveson—that Section 12 of the Human Rights Act should be repealed. In effect, however, Amendment 53 is, if not repealing it, at least producing a position that would be inconsistent with it.
I do not seek to address Section 40. Manifestly, this is not the right Bill, but my objection is deeper still. It would be wrong and unwise, all these years on from the enactment of the 2013 Act, to bring into force Section 40. I set out all the reasons why I take that view in the full debate that we had in this Chamber on 20 December—just before Christmas—a year ago. I do not want to weary your Lordships by repeating it all, although, if I did so, I fear that what I would say would be in plain conflict with a good deal of what was just said by the noble Lord, Lord Blencathra. Surely the right course now on Section 40 is to wait to see the Government’s final response to their admittedly prolonged consultation process. We will not get there tonight, so I leave it at that. I oppose the amendments.
Baroness Wheatcroft (Con)
My Lords, it is late, so I will be brief, but I cannot avoid speaking against Amendment 53. I declare my interest as someone who spent most of her career in journalism and now chairs the Financial Times complaints commission, which is, I assure your Lordships, a very serious commission. The FT aims to put things right.
I absolutely accept that the public were justifiably incensed by the hacking scandal. It was atrocious and, as has been pointed out, illegal. The fact that it was not dealt with as it should have been at first instance through the criminal process was absolutely wrong. In the end, as we heard from noble Lords such as the noble Lord, Lord Pannick, people were punished and newspapers folded. That was right, because hacking was illegal and should never have happened, and the public were right to be angry about it. But I do not believe that the British public wish to see all media tarred with that scandal. Neither do I believe that the British public, who are an inherently fair group of people, wish to see all media straitjacketed into joining an inappropriate regulator. I cannot resist echoing my noble friend Lord Black in his use of the word “bullying”; that is exactly how it feels. On the whole, I do not think that the British public would go along with bullying on that scale.
I declare another interest as somebody who, as a supporter of remain, has found myself very much on the sharp end of what newspapers can do. The Brexit media have been quite unpleasant, putting aside the fact that at some stages I have worked for the newspapers in question. That did not stop them. Nevertheless, do I want to see them subject to punitive damages in the circumstances that Leveson imagined? No, I do not, because, as everybody in this House has expressed, I too am a believer in free speech. If we believe in free speech, we need to think very carefully about there being punitive damages for not joining an inappropriate regulator. I do not believe the public want that and I do not believe we should support the amendment.
Lord Paddick (LD)
My Lords, I did not intend to speak on these amendments, although we support them from these Benches, but I have to take issue with what the noble Lord, Lord Pannick, said—I think, quoting the noble Lord, Lord Black, from the previous debate—about how we do not need any of this stuff because people can sue the newspapers and achieve redress through those means.
When I was a commander in the Metropolitan Police Service, I was subjected to a kiss and tell story on the front page and eight inside pages of a tabloid newspaper. The story was a mixture of lies and intimate details of my private life and my relationship with somebody I loved and lived with for three and a half years. We broke up in acrimonious circumstances and subsequently he was paid £100,000 by the tabloid newspaper to tell these lies and intimate details of my private life. Thankfully, a group of solicitors and barristers agreed to a conditional fee agreement to pursue the newspaper. However, half way through the preliminaries leading up to the court case, it became apparent that I was unable to secure insurance against losing. Therefore, I was faced with a situation where if I pulled out of the action I would have to pay both sides’ costs—the newspaper’s costs and my own side’s costs because the conditional fee agreement would happen only if the case went to court and I lost—and could have lost my home.
The point is that there are many ordinary people, less high-profile than even I was at that time, who cannot get conditional fee agreements. They do not have the means to sue newspapers. Certainly, I would not recommend anybody going through the stress that I was put through by that newspaper and its lawyers, who tried every trick in the book to try to get us to fold before the court case happened. As it happens, two weeks before the case was due to be heard, they agreed to settle, although they claimed that it was not on the grounds of a breach of privacy but because everything that had been printed in the newspaper was untrue.
For noble Lords to say that there are sufficient safeguards at the moment for ordinary people to take the newspapers to court is, in my respectful submission, completely untrue.
Lord Pannick
I am very sorry to hear about the noble Lord’s personal experience and of course I accept everything he says. But will he accept that hundreds of people have brought legal proceedings against national newspaper groups for their wrongful, unlawful action in accessing personal data—for example, by listening to their mobile telephone calls—and publishing articles in consequence of that, and they have recovered very substantial damages, and rightly so, against those newspapers?
Lord Paddick
I completely accept what the noble Lord says but there are many hundreds, if not thousands, of other ordinary people who have not been able to claim redress for the wrongs that have been meted out to them by the press.
Lord Berkeley of Knighton
This is not simply about money; it is what it does to your reputation. That is much more important than money.
Lord Paddick
I am grateful for the noble Lord’s intervention. Obviously, despite the fact that we won the court case in the end and that there was a small apology in the said newspaper—I think it was on page 6—I was not able to recover the serious damage done to my reputation. I am grateful to be standing here in the House today to address noble Lords on this issue, but there are many people whose reputations have not recovered.
Lord Blencathra
Perhaps I may give the noble Lord some information which he may not have been aware of, as he may have left the Met by then. The reason that maybe up to 100 people were able to sue on the hacking was because their names appeared in the Mulcaire diaries, and the Met team kindly went and told every single person who had possibly been hacked, “They’re after you. You’re in Mulcaire’s diaries and you may care to contact some lawyers. Here are some lawyers who are doing a group action. If you join that, there is no great risk to yourself—you will be in there with a lot of others. The lawyers will be there on a no-win no-fee basis and you’re perfectly safe to do it”. That is why most of those people were able to go together in a joint action, but the thousands of individuals do not have a hope.
Lord Stevenson of Balmacara (Lab)
My Lords, I have been trying to search for words to explain what is going on at the moment. It seems to me that we are living in two parallel universes. My first thought was that we were back in World War I territory—the noble Lord, Lord Black, will get the reference—and that we were engaging in sniping over long pieces of dead ground over issues that nobody could understand, fought by people who did not want to be there and led by people even more stupid than that. But I have decided that this is the rerun of an acrimonious family dinner that we had before the break. We are now reflecting on that and trying to nerve ourselves up to talk again to each other and restore relationships, because relationships must go on.
Again, we have had these passionate stories, anecdotes and recollections of times when things have gone disastrously wrong. No amount of legal redress can undo that suffering. From others, we have heard a perfectly robust and understandable account of why things are perfectly all right at the moment and, given time, will be sorted out. I begin to think that Leveson, for all the great work he did and the excellence of his report—and the longevity of its recommendations—is a bit of a McGuffin here. This is about us and society; it is about Parliament. I tried to address some of that at the end of the last debate. We have to get serious about this and work out how to make progress. We have to restore the rightful balance between Parliament, which must be sovereign, and those who work within an environment in which Parliament seems at the moment to have been discounted.
If we do not get this sorted, we will continue to be like this for the rest of time. It is insufficient and ineffective. It will not be the way we want to live our lives and we will all be much the losers as a result. We must give credit to the noble Baroness, Lady Hollins, and her proposals. Yes, they come from Leveson—but underneath that there is the greater truth that things are not working as they could be. They should be working better.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, while we have already debated amendments that are challenging to a free press, I fear that this group of amendments would be potentially hostile to the concept of a free press. Where there are abuses the answer is to enforce the law, not to shut down the media. I adopt the observations of the noble Lord, Lord Pannick, and my noble friend Lady Wheatcroft in that regard.
Amendment 53 would remove the requirement to give special weighting to the public interest in freedom of expression and information. This is something that we consider an essential way of ensuring that information that is in the public interest is not buried due to the data protection regime that is put in place. In this context, giving special weight to the public interest in freedom of expression and information is an important way of ensuring that we provide constitutional protection of freedom of speech, as required pursuant to Article 10 of the European Convention and the Human Rights Act.
Amendments 54 and 56 relate to the codes of practice to guide journalists in conducting the essential public interest balancing test that has to be carried out. We have already debated this in the previous group, before the dinner break. Amendment 54 intends to take away the absolute requirement to have regard to the listed codes of practice when determining whether publication would pass the public interest test. This requirement is a way of strengthening the obligations on journalists. In line with the enhanced protection of the GDPR, we are making sure that those journalists who are covered by one of the listed codes must have regard to their relevant code.
In a related amendment, Amendment 56, the noble Baroness, Lady Hollins, has suggested that we alter the language of the condition on the special purposes exemption at paragraph 24 of Schedule 2 to the Bill by changing “relevant” to “appropriate”. This amendment makes it unclear which code should be consulted in a given case. We want to ensure that the code which pertains to a particular set of journalists is the code to which they have regard when carrying out the public interest test.
We are not being unreasonable in resisting Amendments 54 and 56. They may look innocuous, just slightly changing the language of the Bill, but if we are to be true to the GDPR, we must ensure that in our law we have resolved the article 85 requirement to set where the public interest lies in managing the balance between privacy and freedom of expression. If we make the use of these codes discretionary and their application vague, we will simply undermine that balance.
Finally, I turn to the amendments from the noble Baroness that aim to create a special group of exemptions only for those journalists who are members of an approved regulator. As drafted, the Bill is designed to protect journalists who should be able legitimately to rely on these exemptions when undertaking journalism in the public interest, regardless of which regulator they belong to or whether they belong to any at all. The reality of the press landscape today is that the vast majority of publishers are not members of an approved regulator. As such, limiting certain exemptions to only those who are members of an approved regulator would limit the ability of most journalists in this country to undertake investigative journalism in the public interest. Whatever the motive or the intention behind these amendments, they are, I am afraid, either wrecking amendments or amendments designed to force publishers to sign up to a regulator to which they object—and that is not acceptable.
Section 40 of the Crime and Courts Act 2013 was mentioned. As we have previously discussed, the Government are currently considering Section 40 with regard to part 2 of the Leveson inquiry. We do not believe that using data protection legislation is an appropriate means of trying to incentivise compliance with, for example, Section 40.
The noble Lord, Lord Stevenson, observed just three weeks ago, and earlier this evening, that this is not perhaps the place for this debate. He commented:
“I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson”.—[Official Report, 22/11/17; col. 195.]
I concur with that observation, which he just reinforced with his observations about the need for us perhaps to look more clearly at what the real issue is rather than being distracted by trying to act as tail-end Charlies to a particular piece of legislation on data protection.
There will be a response to the consultation on Section 40 and Leveson 2, but I shall make one comment with regard to the suggestion about delay in that consultation process. Noble Lords may recollect that the Secretary of State was the subject of a judicial review application which made it impossible for her to proceed with the consultation because the terms of the consultation were the subject of legal challenge. Thereafter, when the consultation proceeded, there were more than 174,000 responses. They had to be analysed and considered, but the fact that there was that number of responses perhaps gives weight to the observation of the noble Lord, Lord Stevenson, about there being an issue that needs to be addressed, and therefore we must look forward to the response to the consultation. I invite the noble Baroness to withdraw the amendment.
Baroness Hollins
Before the Minister sits down, will he confirm that he will reflect on this debate, which has been very important, and in the light of the promised consultation report allow the debate to continue in the new year?
Lord Keen of Elie
I cannot guarantee the continuation of this debate, although the noble Lord, Lord Stevenson, appears determined to see it continue in the new year, under reference to his Amendment 165, and I look to engaging with him in a further interesting discussion on the topic at that stage. Beyond that, I say to the noble Baroness that the Government and Ministers are listening and considering these issues.
Earl Attlee
My Lords, does the fact that the Government have not responded to the consultation indicate that there must be some uncertainty about the issue?
Lord Keen of Elie
The position with regard to the consultation and the response to the consultation is as I indicated before the break. Sir Brian Leveson has, very properly, asked to see material pertaining to the consultation and the responses to it because he is a necessary party in this context. Until he has had a reasonable opportunity to do that, it would not be appropriate for us to respond.
Baroness Hollins
My Lords, I would like just to make one or two corrections for the record. The noble and learned Lord suggested that the amendment, which would reserve some exemptions for newspapers signed up to a recognised regulator, would actually prevent the majority of journalists from engaging in investigative journalism. That is not the case. The exemptions required for investigative journalism remain intact for all journalists, regardless of their regulator.
There are one or two other corrections. The noble Lord, Lord Black, continues to misrepresent the establishment of the Press Recognition Panel, for example by saying that it is subject to interference by the Secretary of State. That is just not the case. It is so patently untrue that I can only assume that the noble Lord has not researched the facts, because it is a point that he has made before.
With respect to my noble friend Lord Pannick’s faith in the legal profession being able to sort out any illegal acts by newspapers, I will just say that affording the money to pay a lawyer and the time to mount a legal claim is not usually possible or a priority for victims of press abuse, particularly when they are in the midst of personal trauma. It is just not a priority. I personally would prefer that newspapers behaved themselves and did not fill lawyers’ pockets with money.
I take exception to being described as a bully. I have heard no compassion or concern for the victims of press abuse. Do noble Lords have any idea what it is like to be bullied by newspapers day after day after day? Any idea at all? To call my amendments bullying is unforgivable. Imagine the effect on the lady I spoke about before, who had lost weight and was described as a “grubby gran”. Imagine what that did to her mental state. I wonder whether she has been able to retain her weight loss.
This is the right Bill for these amendments. They are amendments to data protection legislation, and the victims of press abuse have waited a considerable length of time for an opportunity to take them forward. They are not hastily drawn-up, but the result of an extensive and impartial inquiry, and are as relevant today as they were in 2012. Sir Brian Leveson’s recommendations relate to the processing of data, not to the medium of publication, so it is irrelevant that the media landscape is changing.
I am grateful for the contributions of noble Lords who have spoken, in part because they demonstrate just how much there appears to be two parallel worlds. I assure your Lordships that I will return to this matter, but I beg leave to withdraw my amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
“( ) in Chapter IV of the GDPR (controller and processor), Article 36 (requirement for controller to consult Commissioner prior to high risk processing);( ) in Chapter V of the GDPR (transfers of data to third countries etc), Article 44 (general principles for transfers);”
Lord Ashton of Hyde
Lord Ashton of Hyde
(a) amend Schedules 2 to 4 —(i) by adding or varying provisions, and(ii) by omitting provisions added by regulations under this section, and(b) consequentially amend section 14.”
Lord Ashton of Hyde
Lord Ashton of Hyde
“(3) Regulations under this section—(a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;(b) are otherwise subject to the affirmative resolution procedure.(4) For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”
Lord Ashton of Hyde
“(3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.(4) In this section—“approved medical research” means medical research carried out by a person who has approval to carry out that research from—(a) a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or(b) a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—(i) the Secretary of State, the Scottish Ministers, the Welsh Ministers, or a Northern Ireland department;(ii) a relevant NHS body;(iii) United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;(iv) an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);“relevant NHS body” means—(a) an NHS trust or NHS foundation trust in England,(b) an NHS trust or Local Health Board in Wales, (c) a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,(d) the Common Services Agency for the Scottish Health Service, or(e) any of the health and social care bodies in Northern Ireland falling within paragraphs (a) to (d) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).(5) The Secretary of State may by regulations change the meaning of “approved medical research” for the purposes of this section, including by amending subsection (4).(6) Regulations under subsection (5) are subject to the affirmative resolution procedure.”
Lord Ashton of Hyde
“Minor definitionMeaning of “court”
Section 4(1) (terms used in this Chapter to have the same meaning as in the GDPR) does not apply to references in this Chapter to a court and, accordingly, such references do not include a tribunal.”
Lord Kennedy of Southwark
“Duty to notify of data protection breaches due to ransomware attacks
(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.(2) In this section,“ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and“police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”
Lord Kennedy of Southwark
My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.
Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.
I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.
We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.
The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.
Lord Kennedy of Southwark
I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.
Lord Ashton of Hyde
Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.
Lord Kennedy of Southwark
It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.
Lord Ashton of Hyde
Lord Stevenson of Balmacara
My Lords, I am grateful to my noble friend Lord Kennedy for supporting me and to the noble Lord, Lord Clement-Jones, for adding his name to this amendment, which is one in search of an easy resolution—and I hope it can be done very quickly. The Minister and his colleagues have from time to time had to animadvert the recitals of the GDPR as evidence and support for claims that they make. I have no concerns with them doing that because I am quite happy with the recitals—I like them, understand them and think they are rather useful things to have around. What I do not understand is how that will happen when we go to the applied GDPR, when the only issue that will be able to be tested in court, as I understand it, is the GDPR itself. Therefore, I went to the Public Bill Office. Normally, its staff are difficult friends for an Opposition seeking to amend a Bill. They throw unforeseen, difficult and complicated legal issues in our way and make it very difficult for us to get to where we want. However, on this occasion, they said, “Leave it with us. We know exactly what you want. We will put an amendment together that will satisfy every concern you have”. It is there in front of us as Amendment 81, which I beg to move.
Lord Clement-Jones (LD)
My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?
At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.
Baroness Hamwee (LD)
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
Lord Ashton of Hyde
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
Lord Ashton of Hyde
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
Lord Stevenson of Balmacara
That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Wednesday 10th January 2018
(7 years, 2 months ago)
Lords ChamberData Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
16:36 - Division on Amendment 107B - Ayes: 235 / Noes: 204 - Amendment 107B agreed.
18:50 - Division on Amendment 127A - Ayes: 238 / Noes: 209 - Amendment 127A agreed.
19:10 - Division on Amendment 147 - Ayes: 217 / Noes: 200 - Amendment 147 agreed.
The Lord Speaker (Lord Fowler)
We are making great progress on this Bill.
Clause 25: National security: certificate
Lord Ashton of Hyde
(a) by adding conditions; (b) by omitting conditions added by regulations under paragraph (a).”
Lord Ashton of Hyde
“( ) Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (5) has effect as if it included a reference to that Part.”
Lord Ashton of Hyde
(a) by adding conditions;(b) by omitting conditions added by regulations under paragraph (a).”
Lord Ashton of Hyde
“(1) The Secretary of State may by regulations amend Schedule 11 —(a) by adding exemptions from any provision of this Part;(b) by omitting exemptions added by regulations under paragraph (a).”
Lord Puttnam
Lord Puttnam (Lab)
My Lords, the last time I cleared a room like this, it was a very bad film indeed.
Amendment 103A is connected to Amendments 103B, 103C, 124A, 124B and 125A, and I move it with the support of my noble friend Lord Stevenson and the noble Lords, Lord Clement-Jones and Lord Holmes. In a well-run world, this group of amendments should not really need to be moved or pressed. They are designed purely to ensure that we have the data commissioner—and the office of that commissioner—that we need. Frankly, they are the natural consequence of all the debates that have occurred during the passage of the data protection legislation.
There can be no more important role over the next few years than that of the Data Commissioner. The organisation she is being asked to regulate is the largest in the world. A quite extraordinary statistic is that the four largest companies—Google, Amazon, Facebook and Apple—have between them a larger market capitalisation than the FTSE 100. That is the scale of the businesses we are asking the Data Commissioner to regulate. At the same time, under the Bill at present the resources available to her are wholly inadequate to that task. We went through a similar operation 15 years ago with Ofcom, and out of that, and through the collective wisdom of this House, we were able to ensure that Ofcom had the resources to become what is genuinely the gold standard of any media and telecoms industry regulator in the world. That is an achievement of this House of which we should be very proud. The purpose of these amendments is to achieve exactly the same for our ICO—something we can be proud of and that can do the job given to it.
During the passage of the Bill, we have loaded the ICO with significant new and additional responsibilities. The idea that we might have an underfunded and underresourced regulator that is not adequate to the task we are giving it is unthinkable. The purpose of these amendments is to prevent that. I could go on at some length, but I think the mood of the House is that it wishes to move on, so I shall listen to the Minister’s response. I beg to move.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, it might be for the convenience of the House if I speak now as I have some information which may help the noble Lord, Lord Puttnam, and other noble Lords who have put their names to these amendments.
As I have repeatedly said during the debates on the Bill, the Government are committed to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in this Bill, so I agree with pretty well everything the noble Lord said. That is why we legislated for a new, GDPR-compliant charging regime in the Digital Economy Act, which we will turn to in the next group, but it is also why the commissioner needs to be able to recruit and retain expert staff.
I am therefore very pleased to announce that the Government have today granted the Information Commissioner’s Office pay flexibility up to 2020-21 so that it can review its pay and grading structure. The commissioner will have the independence to determine the levels of pay necessary for the ICO to maintain the expertise it needs to fulfil its new and revised functions as a supervisory authority, subject to the standard public spending principles. I am also pleased to say that the Information Commissioner has agreed these arrangements. She said:
“I welcome the positive response to my business case for pay flexibility at the ICO. I am confident that this will allow me to prepare the ICO for its critical role under the new data protection regime ensuring that the UK has a strong and expert regulator in an area recognised for its importance to the digital economy and society as a whole”.
This flexibility underscores the UK’s commitment to an independent and effective data protection regulator, and I think goes a long way in responding to the points raised by the noble Lord’s amendments. We all want an efficient, well-resourced ICO, so I am very pleased that this agreement has been reached. I should have said at the outset that I am very grateful to the noble Lord for coming to talk to me about it. I am glad to say he was pushing at an open door.
Lord Puttnam
I thank the noble Lord, who has been extraordinarily generous with his time. He and his officials could not have been more helpful in reaching what I regard as a perfectly satisfactory conclusion. My only wish is that we have a regulator that can do the job required of it and tackle the abuses along the way confidently and competently. I am extraordinarily grateful for this outcome. I am very happy to withdraw the amendment.
Lord Ashton of Hyde
“(and see also the Commissioner’s duty under section (Protection of personal data))”
Lord Ashton of Hyde
Baroness Neville-Rolfe
“Duty to support small organisations
(1) The Commissioner is to provide additional support to—(a) small businesses,(b) small charities, and(c) parish councils,in meeting their obligations under the GDPR and this Act.(2) The additional support in subsection (1) may include, but is not limited to—(a) advice on how to comply with the provisions of the GDPR and this Act;(b) access to pro formas to demonstrate compliance with the GDPR and this Act; and(c) in relation to fees to be paid to the Commissioner, discounted charges or no charges.(3) In this Act, “small businesses” has the same meaning as in section 2 of the Enterprise Act 2016.”
Baroness Neville-Rolfe (Con)
My Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.
I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.
Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.
On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.
Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.
The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.
I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.
Lord Clement-Jones (LD)
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
The Earl of Erroll (CB)
I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.
Lord Carlile of Berriew (CB)
My Lords, I have been involved from time to time in the creation of very small charities of a local nature, or have been involved in advising such organisations. I strongly support Amendment 106 moved by the noble Baroness. There is a real danger that, unless the ICO produces clear and simple pro formas that can be filled in quickly and easily by such organisations, they will be put off forming such charities, and local communities will thereby be deprived of great advantages that would be created by local citizens, which is something I understand the Government wish to encourage.
Lord Marlesford (Con)
My Lords, I rise to support strongly my noble friend Lady Neville-Rolfe in these amendments, particularly Amendment 106. It was a glaring bureaucratic nonsense when it appeared in the Bill, and I referred to it at Second Reading. The Government must recognise that they have to be practical in the imposition of burdens on small bodies that are trying to serve the community. I declare my interest as the chairman of a parish council that would be very adversely affected if this were unchanged.
I do not necessarily expect bureaucrats in Whitehall to take on board the realities of grass-roots democracy in parish councils, but I would hope that Ministers, particularly those who are Members in another place—who have constituencies and whose job it is to be in touch with the real world—would never let this through. It is quite unacceptable as it stands, and I strongly support my noble friend. I hope the Minister will explain how he will deal with it.
Lord Deben (Con)
My Lords, to add to what my noble friend Lord Marlesford said, in small villages, a small number of people do everything. That is increasingly true as many villages become, sadly, of one class and one age group. The person who is helping to run the parish council is also on the parochial church council and running the small local charity. These people are already worn down by the burdens that we lay on them. I speak from the countryside. We must ensure that we do not drive the few remaining people who will bear the burdens of the community away from those institutions because we ask them to do things that are, first, heavy and, secondly, inimical. If the Minister says, “It will not be like that”, then we have got it wrong because we have given the perception that it will, and we must destroy that perception rapidly if we are happy that the Bill does not need the amendment. My view is that it does. I hope my noble friend will reassure me on that, but it is not me who must be reassured, it is the hundreds of people around the country who do these jobs for nothing, and yet for the good of all.
Lord Stevenson of Balmacara (Lab)
My Lords, the noble Lord, Lord Deben, said that a small number of people do everything in small communities. It sometimes feels like that here. I do not think that we need to say much more; all the issues have been raised and I am sure that when he responds, the Minister will answer some, if not all, of the questions. The underlying theme is that we do not want to spoil what is a very good Bill with desirable aims by failing to pick up all the areas that it needs to address, because there will be benefits from it, as we have heard. I think that the Government understand that, but they must not be in the position of willing the ends of policy without also willing the means.
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.
Lord Storey (LD)
While the Minister is responding on this issue—I was not allowed to move Amendment 87A because somebody shouted out “not moved” when it was in fact not moved by myself—could he include schools in his comments?
Lord Ashton of Hyde
We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.
I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.
I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.
Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.
Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.
Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.
Lord Clement-Jones
My Lords, can the Minister explain what the trigger is for the payment of the fees?
Lord Ashton of Hyde
A charge will need to be paid if you are the data controller.
Lord Clement-Jones
That is not what I meant. That is not a trigger; it is notification by the data controller.
Lord Ashton of Hyde
If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.
Lord Ashton of Hyde
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
Baroness Neville-Rolfe
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
Lord Ashton of Hyde
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
Baroness Neville-Rolfe
On that basis, I am happy to beg leave to withdraw my amendment.
Lord Mitchell
“(j) maintain a register of publicly controlled personal data of national significance;(k) prepare a code of practice which contains practical guidance in relation to personal data of national significance.(2) For the purposes of sub-sub-paragraphs (j) and (k) of paragraph (1), personal data controlled by public bodies is data of national significance if, in the opinion of the Commissioner, —(a) the data furthers collective economic, social or environmental well-being,(b) the data has the potential to further collective economic, social or environmental well-being in future, and(c) financial benefit may be derived from processing the data or the development of associated software.”
Lord Mitchell (CB)
My Lords, I will also speak to Amendment 108. The points I am addressing were glossed over in Committee, and I now wish to expand on this important issue.
Data is the new oil. This has been said many times in your Lordships’ House, but as each day passes it becomes more true. Without stretching the analogy too far, in our country big data is about to become the 21st-century equivalent of North Sea oil. Because big data has such value, it will come as no surprise to see big tech companies swarming all over it. They have to because it is their lifeline. Many of our public bodies, particularly the NHS, are custodians of massive amounts of data, which big tech is eager to get its hands on. But we as legislators who act for the public good also have a responsibility to ensure that the public are protected and that, simply put, our treasure is not taken from us without clear authority or appropriate recompense. The data the public bodies hold belongs to us all. It is ours—our communal property—and we must tread carefully.
I will make one point as strongly as I can. I am a product of the data revolution; I have been professionally involved in the digital industry for over 50 years. For 40 of those I was an IT serial entrepreneur. This industry has been good to me; I fully understand that the tech sector needs light regulation. I know that at its best the digital revolution is a force for good but, equally, I know the dangers it poses, so I am trying to be cautious in what I propose. We stand at a crossroads. Computing power has reached astronomical capabilities, software is increasingly complex and artificial intelligence is now making dramatic inroads. Plus, we see the exponential availability of digital data. All these have contributed to the creation and brilliance of algorithms. The one thing we know for certain is that these exciting developments will keep on growing at exponential rates. In medicine, for example, new tools are being developed that are already enhancing diagnostic and treatment capabilities that could benefit all manner of healthcare, in particular our ageing population.
I welcome these developments, as I am sure we all do, many of which have come from our own private sector, and we should rejoice at this example of British expertise. However, at the same time we need to strike a balance between the ambitions of 21st century businesses and the responsibility of government to steward assets and resources of national significance so that the proceeds of technological developments benefit us all. My two amendments seek to codify how valuable, publicly controlled personal data is shared with big tech companies, and to ensure that financial returns, combined with wider social, economic and environmental benefits, are optimised.
I can best demonstrate the scale of this issue if I refer to the NHS. Ever since its formation in 1948—maybe they were kept even before that—the NHS has kept records of tens of millions of patients, literally from cradle to grave. These records are either in written form, or increasingly in digital format, but the magnitude of the collected data is huge. Very few countries can match the length and depth of the health records that the NHS is trusted to retain on behalf of the general public. Such data is called longitudinal data and, when it is bundled together, has great commercial value.
At Second Reading I gave the example of a company called DeepMind, which is a British subsidiary of Google. I visited DeepMind, which is an impressive organisation based here in London. It has purchased access to millions of anonymised data records from institutions such as the Royal Free and Moorfields Eye Hospital. It does not buy this data outright—it does not have to. It simply buys access. Such access enables it and companies like it to use very powerful computers and very sophisticated software to process millions of records with the help of artificial intelligence and machine learning.
This synthesising of data using AI capabilities is designed to produce algorithms, and it is these algorithms that become the product that companies such as DeepMind are able to monetise. They do this by selling the algorithms and their consulting services to the likes of pharmaceutical companies and healthcare providers and even back to the NHS itself. It is a global business and very profitable. At the Royal Free, these algorithms are being used to detect the early onset of kidney disease. At Moorfields Eye Hospital, also here in London, spectacular advances have occurred in similarly detecting potential optical problems.
This is data processing used for the benefit and enhancement of all mankind and we should welcome it. However, I am concerned that this precious and unique data is being offered to big tech companies by our public bodies in the absence of clear and consistent guidelines and without asking how best to obtain value for money in the broadest sense of the term.
Having dealt with big tech companies for most of my life, I know that they are staffed with exceptionally clever people and are no slouches at driving hard bargains. Unlike our NHS, they are not consumed with the day-to-day preoccupation of trying to balance their current budgets; with hundreds of billions of dollars in the bank, they can afford to play the long game, and it is easy to see who holds the aces in any negotiation. Put simply, I wish to protect our public bodies and ensure that we do not give away our inheritance. That is why we need to codify how we will obtain value for money from the sharing of data of national significance with the private sector.
My proposal is not just for the NHS and it is not just for now. All public bodies need protection and guidelines today and well into the future. That is why I have introduced my amendments. In Amendment 107B I seek, first, to require the Information Commissioner to maintain a register of publicly controlled personal data of national significance and, secondly, to prepare a code of practice containing practical guidance in relation to personal data of national significance. These are defined in subsection (2). In Amendment 108 I have set out the requirements of the code on personal data of national significance.
Lord Clement-Jones
My Lords, I want briefly to express sympathy with the noble Lord, Lord Mitchell. I share many of his concerns but essentially I think that we should look on the most optimistic side. I hope that he is also really describing the opportunities that can be made available with this kind of data, provided that it is accessible in the way described. I know that the noble Lord takes considerable inspiration from Future Care Capital’s report on intelligence-sharing unleashing the potential of health and care data in the UK to transform outcomes. I thought that it was very good and well considered.
The noble Lord has put down a very important marker today but my one caveat is that I am not sure that there is yet a settled view about how to deal with this kind of data. In Committee we talked about data trusts. In her AI review, Dame Wendy Hall also talked about data trusts. I know that we need to head in a direction that gives us much more assurance about the use of the data in the way that the noble Lord, Lord Mitchell, has described, but I am not sure we have quite reached a consensus around these things to come to the decision that this is the best possible model.
Lord Stevenson of Balmacara
My Lords, in earlier amendments I have tried to interest the Government in the idea of establishing what I loosely call a copyright of one’s personal data. Another possibility put forward in a different amendment is that one could think of data provided by individuals as matters that would be controlled by them through the role of a data controller. I am not trying to be in any sense critical of the Government’s response to this but I think I was ahead of my time—a nice place to be if you can—and I do not think the idea is quite ready to be turned into legislative form. I suspect that the solution lies in a data ethics commission, an idea that we will come to later in the agenda. Such a commission may be established by statute, either today or through some future legislative process, so that we can begin to think through these important issues. I was interested in a lot of what the noble Lord, Lord Mitchell, said in his introduction of the amendment because it has bearing on these issues.
I agree with the noble Lord, Lord Clement-Jones, that we are not quite there yet. However, worrying issues have been raised that need to be addressed, particularly in relation to data that is acquired, used and commercially exploited without necessarily being certain that we are getting value for money from it. The amendments are relatively mild in their exhortations to the Government, but they certainly point the way to further work that should be done and I support them.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
Lord Mitchell
My Lords, I thank all noble Lords for their contributions to this short debate. I also thank the Minister for agreeing to see me prior to the Recess and for his comments today. However, this is an issue of precision—and we need precision on the statute book. All that has been suggested to me, which is that it can be found elsewhere or will be looked at in the future, does not give the definitive answer we require. That is why I would like to test the opinion of the House.
Lord Mitchell
“Code on personal data of national significance
The Commissioner must prepare a code of practice which contains—(a) best practice guidance in relation to information sharing agreements between publicly funded data controllers and third parties;(b) guidance in relation to the calculation of value for money where publicly funded data controllers enter into information sharing agreements with third parties;(c) guidance about securing financial benefits from the sharing of such personal data with third parties for the purposes of processing or developing associated software, and(d) such other guidance as the Commissioner considers appropriate to promote best practice in the sharing and processing of personal data of national significance.”
Baroness Kidron
“Age-appropriate design code
(1) The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.(2) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.(3) Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such other persons as the Commissioner considers appropriate, including—(a) children,(b) parents,(c) persons who appear to the Commissioner to represent the interests of children,(d) child development experts, and(e) trade associations.(4) In preparing a code or amendments under this section, the Commissioner must have regard—(a) to the fact that children have different needs at different ages, and(b) to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.(5) A code under this section may include transitional provision or savings.(6) Any transitional provision included in the first code under this section must cease to have effect before the end of the period of 12 months beginning with the day on which the code comes into force.(7) In this section—“age-appropriate design” means the design of services so that they are appropriate for use by, and meet the development needs of, children; “information society services” has the same meaning as in the GDPR, but does not include preventive or counselling services;“relevant information society services” means information society services which involve the processing of personal data to which the GDPR applies;“standards of age-appropriate design of relevant information society services” means such standards of age-appropriate design of such services as appear to the Commissioner to be desirable having regard to the best interests of children;“trade association” includes a body representing controllers or processors;“the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.”
Lord Ashton of Hyde
“(1A) In relation to the first code under section (Age-appropriate design code)—(a) the Commissioner must prepare the code as soon as reasonably practicable and must submit it to the Secretary of State before the end of the period of 18 months beginning with the day on which this Act is passed, and(b) the Secretary of State must lay it before Parliament as soon as reasonably practicable.”
Lord Ashton of Hyde
“Records of national security certificatesRecords of national security certificates
(1) A Minister of the Crown who issues a certificate under section 25, 77 or 109 must send a copy of the certificate to the Commissioner.(2) If the Commissioner receives a copy of a certificate under subsection (1), the Commissioner must publish a record of the certificate.(3) The record must contain—(a) the name of the Minister who issued the certificate,(b) the date on which the certificate was issued, and(c) subject to subsection (4), the text of the certificate.(4) The Commissioner must not publish the text, or a part of the text, of the certificate if—(a) the Minister determines that publishing the text or that part of the text—(i) would be against the interests of national security,(ii) would be contrary to the public interest, or(iii) might jeopardise the safety of any person, and(b) the Minister has notified the Commissioner of that determination.(5) The Commissioner must keep the record of the certificate available to the public while the certificate is in force.(6) If a Minister of the Crown revokes a certificate issued under section 25, 77 or 109, the Minister must notify the Commissioner.”
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, government Amendment 118 responds to an amendment tabled in Committee by the noble Baroness, Lady Hamwee. I said then that I recognised the concern that had been expressed about the lack of transparency as regards national security certificates and that I would consider what more could be done to address this.
Having reflected carefully on that debate, and on representations from the Information Commissioner, I am pleased to move Amendment 118 to address this issue. It inserts a new clause into Part 5 of the Bill which requires a Minister of the Crown who issues a certificate under Clauses 25, 77 or 109 to send a copy of the certificate to the Information Commissioner, who must publish a record of the certificate. We would normally expect the published record to be a copy of the certificate itself. As I indicated in Committee, a number of the existing certificates are already available online.
As an important safeguard under the new clause, the commissioner must not publish the text or part of the text of the certificate if the Minister determines, and has so advised the commissioner, that to do so would be against the interests of national security or contrary to the public interest, or might jeopardise the safety of any person. Where it was necessary to redact information in a particular certificate, there would still be a public record of the certificate as set out in subsection (3) of the new clause. While in practice we expect that most certificates will continue to be published in full with no need for such restrictions, as is currently the case, this provides an important safeguard where it is necessary for a certificate to include operationally sensitive information. The commissioner must keep the record of the certificate available to the public while the certificate is in force, and if a Minister of the Crown revokes a certificate the Minister must notify the commissioner.
In the Information Commissioner’s briefing to this House on the Bill, she stated that there should be a presumption in favour of placing national security certificates in the public domain where to do so would not damage national security. She also noted that adopting a provision requiring her to be notified when a certificate was issued would provide a further safeguard to help inspire public confidence in regulatory oversight. I agree with her.
We have listened to concerns, and trust that this amendment will be widely welcomed. Indeed, it is worth recording that the ICO’s latest briefing on the Bill said that the amendment was,
“very welcome as it should improve regulatory scrutiny and foster greater public trust and confidence in the use of national security certificate process”.
I beg to move.
Amendment 118A (to Amendment 118)
Lord Paddick
Lord Paddick (LD)
My Lords, we are very grateful to the Government for introducing Amendment 118. We still believe that they could and should have gone further. Taking the example of the Investigatory Powers Act 2016—the fact that Ministers are unable to authorise interception without oversight by an independent judicial commissioner of that decision—we wonder why that sort of oversight could not be applied to these certificates as well. Clearly, we are grateful to the Government for going as far as they have done. We are just disappointed that they did not go as far as we wanted.
Lord Stevenson of Balmacara
My Lords, my noble friend Lord Kennedy is not available at the moment. He is occupied with a personal matter and has asked me to say that he supports the words of the Minister. She has listened to concerns. It is very welcome that she has done so and we agree with the amendment.
Lord Ashton of Hyde
“(2) But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016. (3) Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.”
Lord Ashton of Hyde
Lord Ashton of Hyde
Baroness Hollins
“Inquiry into issues arising from data protection breaches committed by or on behalf of news publishers
(1) The Secretary of State must, within the period of three months beginning on the day on which this Act is passed, establish an inquiry under the Inquiries Act 2005 into allegations of data protection breaches committed by, or on behalf of, news publishers.(2) The inquiry’s terms of reference must include, but are not limited to,— (a) to inquire, in respect of personal data processing, into the extent of unlawful or improper conduct within news publishers and, as appropriate, other organisations within the media, and by those responsible for holding personal data;(b) to inquire, in respect of personal data processing, into the extent of corporate governance and management failures at news publishers;(c) in the light of these inquiries, to consider the implications for personal data protection in relation to freedom of speech; and(d) to make recommendations on what action, if any, should be taken in the public interest.”
Baroness Hollins (CB)
My Lords, some in this Chamber have taken the view that the Leveson agreement, which united all parties across both Houses just four years ago, has been overtaken by events and that yet another inquiry into press regulation is now needed. That is precisely the pattern of events that has followed virtually every single inquiry into press misconduct over the last 70 years, when Governments of both left and right have first prevaricated and then surrendered to concerted press lobbying, with missed opportunity after missed opportunity. Let us be clear where we are: Parliament has already legislated, with the help of a cross-party consensus, for much of the Leveson frame- work. We have a royal charter and a Press Recognition Panel, both following the Leveson recommendations. We have the establishment of a recognised press self-regulator, which meets the Leveson criteria. So a failure to fulfil the whole cross-party agreement does not represent a failure of the Leveson inquiry, or of the recommendations that followed, but rather of political courage to complete the jigsaw.
This amendment, tabled by me and supported by the noble Lords, Lord Stevenson, Lord McNally and Lord Lipsey, would require the Government to proceed with a public inquiry into data protection breaches at national newspapers. I am grateful for their support and for the encouragement I continue to receive from so many Members across your Lordships’ House. But a brand new inquiry is unnecessary, as the spirit of this amendment would be fully satisfied by the completion of the second part of the Leveson inquiry. That is my amendment’s intention, which is why the terms of reference specified in the amendment so closely resemble those of part 2 of the Leveson inquiry, within the scope of the Bill with respect to data protection.
There are three reasons why part 2, or a very similar inquiry, should go ahead. First, there is the sheer scale of unlawful conduct and the lack of any accountability. Secondly, there are the traumatic consequences for the many ordinary people who are victims. Thirdly, there are the ongoing implications for the conduct of powerful press organisations today. I shall deal with each in turn briefly.
Part 2 of the Leveson inquiry was designed to delve into the extent of criminality, its cover up, and the collusion between press and police, how it was able to persist, and who was ultimately responsible. We know, for example, that private data belonging to thousands of individuals was illegally accessed on a more far-reaching scale, and in many ways more consequential, than in phone hacking. This type of data theft was rarely in the public interest and was therefore unlawful. We know that these activities were not restricted to the News of the World—far from it: they took place at the Mirror, the Sunday People and the Sun, while evidence has emerged that they took place at the Daily Mail, the Express and the Times as well.
A six-week civil trial of the Sun for four claimants, with 50 more following, is starting imminently, alleging widespread data theft from 1998 through to this decade and an illegal cover-up. There has still been no inquiry into this widespread illegal conduct, and the only senior newspaper executive held to account is Andy Coulson at the News of the World. If corporate misbehaviour on this scale had occurred in any other industry, our newspapers would quite rightly have been calling for heads to roll and for government to intervene.
It is perhaps unusual to mention this, but I have some special guests today who have been personally affected by the misuse of their personal data. I have not spoken personally before, and it is not easy to do so, but it seems that some people do not understand what goes on in our media. Members of your Lordships’ House may be familiar with some of the abuses and intrusions that my family suffered and know that I gave evidence to part 1 of the Leveson inquiry, but they may not be aware that our data rights were repeatedly breached by newspapers. One consequence of having your personal data stolen, and not knowing how, is what it does to your own behaviour. I actually withheld information about my daughter’s progress from close family and friends after her life-threatening spinal injury because I began to suspect people I knew of speaking to the media. I stopped trusting people, even people in my own family, my neighbours and my best friends. I did not trust them. I did not know about hacking and blagging. I actually used to joke about how I thought perhaps the journalists who sent flowers to the hospital every day had put a chip in them so that they could capture our conversations in the waiting room when my daughter was fighting for her life in intensive care. That is what I thought. My daughter’s story was primarily a good news story, the triumph of hope over adversity, a story of recovery, not tragedy, but we had to cope with frequent door-stepping and long-range lenses being used to steal pictures, and the intrusion went on for months and months.
At the time of my daughter’s injury, I was a university professor and the head of a prestigious academic professional college. I was amazed by the prevalence of plagiarism in the press. Plagiarism in academia is a dismissible matter. I had no idea, until my family was the subject of intense media scrutiny over many months, just how commonplace plagiarism is. Typically, one paper’s so-called news on Wednesday would simply be downloaded and reprinted, virtually word for word, in a second unrelated paper on Thursday and in another on Friday, and if the second and third papers added a couple of new words, they might even call it an exclusive. When I, as an academic, publish findings, they have to be accurate. One newspaper article had 28 supposedly objective facts, of which only two were correct. The noble Lord, Lord Black, will be pleased to know that the Daily Telegraph was the most restrained newspaper, but your Lordships’ House may be surprised to know that the only serious and accurate article about the implications of a high-level spinal injury for a pregnant woman was in Hello magazine. It was a good article.
Data theft—often disingenuously referred to as leaks—also affects public bodies. I asked to see the Secretary of State in the Department of Health after a story about my learning-disabled son appeared in the Daily Mail. The account was uncannily similar to some evidence he had given in confidence to a government taskforce. The Secretary of State apologised and said it was the fourth data leak that month, but could not or would not tell me how this intensely private information came to be published in a national newspaper. I spoke about that to the Leveson inquiry. The response was that the information was already in the public domain. It was not, and my son was a vulnerable adult, and printing his photograph put him at risk.
Some people experienced much worse than this, and their names are etched in all our memories. Remember the heartache of the Dowler and the McCann families? Alongside other media assaults, these families had personal data stolen and processed by the media. There are countless other private individuals whose lives have been irrevocably changed by hostile and misleading reporting, often following data breaches through the theft of medical records, bank account details, phone numbers or other private data.
Before today’s debate, I met with Edward Bowles, whose 12 year-old son Sebastian lost his life in a bus crash in Switzerland. At a time of such trauma, his and his family’s suffering was made worse by the conduct of national newspapers which, in addition to repeated other intrusions, stole images of the family and published them without consent. These included images of Mr Bowles and his nine year-old daughter grieving after Sebastian’s death, and family photographs taken from Edward’s private Facebook account. Sebastian’s last personal messages to his family from the school’s website were obtained and published without even asking the family.
These data breaches were committed by newspapers with no public interest whatever and occurred in the middle of part 1 of the inquiry, when the press were supposedly on their best behaviour. This is why we still need to understand how such gross and widespread abuse was allowed to happen in the first place and to ensure that ordinary people are protected from those who steal private data to further their own corporate interests. We do not know how much improper and unlawful use of our data was going on, or may still be going on, because of a widespread cover-up. Corporate governance structures remain unreformed and many of the same newspaper executives remain in place.
I chaired a meeting for journalist whistleblowers before the Recess and we heard evidence of the kinds of data theft that they were commissioned to carry out by their editors in pursuit of stories with no public interest whatever. They were confident that these practices persist today, despite assurances from editors and proprietors that those days are gone. Their stories deserve a wider audience. Part 2 of the Leveson inquiry would allow them to be told and allow us to understand from the past how we can better protect the public interests of both private individuals and journalists in the future. The Government have been consulting on whether to complete the Leveson inquiry since November 2016—over a year ago. It should never even have been a matter of consultation but simply a matter of good faith that an inquiry promised to victims of crime should be completed. The failure to go ahead brings public inquiries into disrepute.
It is time to stop prevaricating and act decisively. I hope the noble and learned Lord the Minister will be in a position to assure your Lordships’ House that he has a firm commitment to commence part 2 of the Leveson inquiry. Without such a promise, I intend to divide the House, and I hope the House will support both my amendments and the important amendments of the noble Earl, Lord Attlee, Amendments 147, 148 and 216, which are tabled as a package. I hope we will make serious and genuine progress towards independent press regulation today. I beg to move.
Earl Attlee (Con)
My Lords, I have Amendment 147 and the consequential Amendments 148 and 216 in this group. It may be convenient if I suggest to the House the choreography of how this group might work. The noble Baroness, Lady Hollins, has moved her amendment, which is what we are debating now and will decide on. I will speak to my amendments only once now, and other noble Lords can contribute to all the amendments being debated. I expect that the Minister will reply, the noble Baroness, Lady Hollins, will respond, and we will then deal with her amendment. After the formalities with other amendments, I will formally move my Amendment 147 and deal with any points arising from this debate in respect of it. I believe it is in order for noble Lords to make a substantive contribution after I move my amendment, at that time, but it may be more convenient for the House for noble Lords to do so now, during this current debate.
It goes without saying that I fully support the noble Baroness, Lady Hollins, in her Amendment 127A. We must get to the bottom of what has been going on. My amendments would incentivise media operators to sign up to an independent press regulator in respect of data protection claims. This is achieved in the same way as the yet-to-be-commenced Section 40 of the Crime and Courts Act 2013. My consequential Amendment 216 ensures that Amendments 147 and 148 come into effect on Royal Assent, and deny Ministers the discretion not to implement what Parliament might agree to, as has been done with Section 40.
Viscount Hailsham (Con)
Before my noble friend moves on, would he care to tell your Lordships why he is making a serious distinction in law between IPSO and Impress, because to the minds of many of us, IPSO is a perfectly well regulated and constituted regulator?
Earl Attlee
My noble friend makes an excellent point, which I shall come to in a moment.
The third claim is that the Leveson system is unnecessary, as the new IPSO is much better than the previous Press Complaints Commission. I dealt with this in Committee by identifying some, but not all, of IPSO’s deficiencies. These are, first, that IPSO is not obliged to consider discrimination complaints from a group—for instance, a religious or ethnic group. It has also not yet dealt with a matter so serious as to merit levying even a £10 fine. Finally, in three years of operation, IPSO has not arbitrated a single case. In Committee, I was not challenged on any of those assertions, and I am not surprised, because they were checked very carefully.
I hope that noble Lords will support me in the Division Lobby in order that the House of Commons is given the opportunity to provide the vital costs-shifting protection that the public need and deserve in respect of data protection claims. Of course, this would also send a clear message to the Government that they should bring into force the rest of Section 40 immediately, as Parliament agreed to and voted for in 2013.
Lord Lester of Herne Hill (LD)
Is the noble Earl aware that there are some, including myself, who believe that Section 40 is unlawful and contrary to the European Convention on Human Rights, since it imposes a burden on a newspaper to pay the costs of proceedings even if it is successful, and is discriminatory and arbitrary?
Earl Attlee
There is a simple answer to that—the noble Lord should test that in the courts and test it in Europe.
Lord Pannick (CB)
My Lords, I am very grateful to the noble Earl for mentioning one of the many cases over the years in press law that I have lost. I mention to noble Lords another of those cases, in the Court of Appeal in 2015, when I represented entirely unsuccessfully Mirror Group Newspapers, which sought to overturn the very substantial damages that had been awarded to individuals, some of them famous and some of them not, whose mobile phones had been hacked by journalists and whose data had been used to write articles breaching their privacy. A woman who had had a relationship with an England footballer was awarded damages of £72,500. An actress who appeared in “EastEnders” was awarded £157,000 in damages—and so on.
The reason why the courts awarded damages of that extraordinary magnitude, far more than you would get if someone deliberately ran you down and severely damaged your health, was precisely because of the factors that the noble Baroness, Lady Hollins, mentioned in opening this debate. It is about the personal nature of the intrusion and the suspicions that are engendered as to how the press obtained this information. Was it from friends or relatives who had betrayed you? It is about the very real impact that this has on your personal behaviour; it inhibits, inevitably, the communication that you have with friends and relatives. The claimants in these cases were represented by expert solicitors and by a counsel acting on a conditional fee basis, which meant that, when they won the case, MGN had to pay substantially increased costs, as well as insurance premiums. The costs—because the case related to dozens of claimants—were in the millions of pounds. Similar claims have been brought against other newspaper groups, and the noble Baroness, Lady Hollins, mentioned in her opening remarks that further proceedings are imminent.
I mention all this to emphasise that, when newspapers breach data protection laws, as they have, they have paid for it, and rightly so. Nobody who knows anything about what used to be called Fleet Street could seriously doubt that journalists and editors now take data protection seriously. They would be mad not to do so. In the past few years, editors and journalists have gone to prison for criminal offences related to breaches of data protection. Editors and journalists have lost their jobs in relation to such matters. A prominent newspaper, the News of the World, was closed down. Newspaper groups have paid tens of millions of pounds—perhaps more—in damages and costs. This Bill will create a powerful new administrative machinery to enforce data protection law. All that is rightly so, and I complain about none of it; it is absolutely right that the rule of law applies.
The question is whether we really need a public inquiry on this subject, which will take years to report and cost a fortune to the public purse, occupying the time of busy people who can productively be engaged on other matters. I say to the House that we do not need an inquiry to establish what happened in the past—any number of trials, criminal and civil, have examined the facts, sordid as they are—and we do not need a public inquiry to ensure higher standards of conduct in the future. An inquiry in the terms set out in the amendment of the noble Baroness, Lady Hollins, would be so broad in nature that it would impede the ability of editors and journalists to get on with the vital work of holding government and powerful private individuals and companies to account.
Baroness Kennedy of The Shaws (Lab)
My Lords, it is such a relief to hear the noble Lord, Lord Pannick, admit to the House, as he did at the beginning of his speech, that he sometimes loses a case. In fact, even as a meagre lawyer, I enjoyed success over him on an occasion in the European Court of Justice. However, it is disingenuous of the noble Lord to say that we should wait to hear whether the Government intend to do anything about Leveson part 2. We know that that is not the intention of government. The dragging of feet on all this has made it very clear that the Government do not want to fall out with their friends in the press or to lose the editorial support they get from sections of the press. We should be very clear that it is not likely to happen with the current Government.
I have great sympathy for the noble Baroness, Lady Hollins, and what she is saying, because I share the concern that not all these lessons have been learned. There are ways in which we already see reluctance by those who are now seen as having authority to hold the press to account to take action. Therefore, I do not share the concern that this amendment is unlawful. I do not believe that premise is true and I think that it will be tested in the courts. The noble Lord, Lord Pannick, who often represents the press, may end up representing newspapers as opposed to individuals who have suffered transgressions. I support the amendment of the noble Baroness, Lady Hollins, as I have seen too much of this bad behaviour going on.
Unlike the noble Lord, Lord Pannick, I am a criminal lawyer and I have seen the ways in which the police have leaked information. I am afraid that I have also seen bad behaviour on the part of police officers in divulging information to the press. Concerns have often been raised that there may be what used to be called “a drink in it” for subverting the proper processes by which high standards are maintained. Therefore, I do not share the confidence of the noble Lord, Lord Pannick, that everything will be fine as the measure runs through. I still feel that the press has lessons to learn. I hope that we listened to what the noble Baroness, Lady Hollins, had to say.
Lord Paddick
My Lords, I declare an interest. When I was a commander in the Metropolitan Police service, my personal details—this was in breach of data protection—were secured by Mulcaire, the private detective employed by a newspaper. This was discovered by the Metropolitan Police in 2002, but I was not told about it until 2010, when the Guardian alerted my lawyers to the fact that this had taken place. However, in the course of what subsequently transpired, I was shown an internal memorandum of the Metropolitan Police service, which showed that in 2002 it was aware that my phone and that of the then Deputy Prime Minister had been hacked into, and it never informed me of that. Therefore, noble Lords will understand that I should declare that personal interest.
However, I want to tell the following story to the House. I went with the family of Milly Dowler to see the then Prime Minister, the then Deputy Prime Minister and the then Leader of the Opposition to talk about the family’s experience. Noble Lords will recall that Milly Dowler went missing, was kidnapped and murdered, and that her family kept trying to call her mobile telephone. However, the phone relayed the message that the voicemail box for that number was full. Therefore, the family was losing hope that she might still be alive. Then they tried to phone again and found that some of the messages had been listened to. That gave them hope that she might still be alive. However, it transpired that there was room in that mailbox because journalists had hacked into her voicemail and had listened to some of the messages.
On the evening before the first of those meetings with the then Deputy Prime Minister, Nick Clegg, Milly Dowler’s father was telephoned by Surrey Police to tell him and the family that Surrey Police knew in 2002 that journalists had hacked into Milly Dowler’s voicemail, thereby allowing further messages to be left, as the journalists involved had called the police incident room to tell them that they had illegally hacked into the voicemail. However, it was not until nine years later and the imminent meeting with the then Prime Minister, the then Deputy Prime Minister and the then Leader of the Opposition, that the police felt obliged to tell the Dowler family that they knew from the outset that her phone had been hacked into. They did not offer any explanation for not having taken any action in relation to that illegal hacking into that phone.
These are the sorts of issues involved. This is not just about the conduct of the media. The aim of part 2 of Leveson is to examine the relationship between the police and the media and between politicians and the media, not simply the conduct of the media themselves. That is why we need part 2 of Leveson, and that is why I support Amendment 127A.
Viscount Hailsham
My Lords, I will speak briefly, both to the proposed new clause in the amendment moved by the noble Baroness and the proposed new clause moved by my noble friend.
I am against the suggestion that we should have an inquiry. I share the view of the noble Lord, Lord Pannick, that we know enough already. The facts have been canvassed time and time again, in inquiry, in criminal cases and in civil cases, and the time has now come for policy. We do not need new facts—we need a policy decision, and that is essentially a matter for government and Parliament. If we call for a further inquiry, the policy decisions will be postponed. A further point is that, if the proposed new clause is carried, the pressure will be on a judge-led inquiry. In the generality, I am against judge-led inquiries when they address matters of major general policy. Judges are good at identifying facts and deficiencies in existing legislation, but they are not well placed to address general policy issues.
Lord Cunningham of Felling (Lab)
The noble Viscount said a few moments ago that we do not need an inquiry because we have all the evidence and all the facts we need. What are the Government hesitating for, then? If we have all the facts and the evidence we need, the Government must have them too. However, they are not proceeding. That is the dilemma that the House faces, and that is why I strongly support the amendment in the name of the noble Baroness, Lady Hollins.
Viscount Hailsham
But the irony is that if we have a new inquiry, we will postpone the moment when the Government come forward with a policy. The only way you will get a policy decision is to press the Government to make their policy decision, not by holding a further inquiry.
The second point I want to deal with is my noble friend’s Amendment 147. I am not in support of it. First, I am against making a distinction in law between an approved and an unapproved regulator. I am bound to say that when I look at IPSO, I do not find it lacking; it seems to be a perfectly constituted and responsible regulator. I certainly do not want to make a distinction in law between Impress and IPSO. I very much hope that IPSO, which is backed by the industry, will get much greater support than it has hitherto received.
Secondly, on the issue of costs under my noble friend’s amendment, I believe that an award for costs should be within the discretion of the trial judge. The consequence of this proposed new clause is to make an award against a successful defendant when the institution and carriage of the litigation was conducted by the unsuccessful plaintiff or complainant. That seems to me to fly in the face of every notion of justice I have ever encountered. I suspect that the noble Lord, Lord Lester of Herne Hill, would agree with that proposition. Therefore, I very much hope that your Lordships will not agree to this proposed new clause. I accept that my noble friend has referred to the provisos, which enables the unapproved regulator to gain the costs. However, if my noble friend will forgive me, the second of the provisos is drawn in such general and loose terms as to be unintelligible, even to the cleverest of judges.
Earl Attlee
Of course, my amendments are entirely modelled on Section 40 of the Crime and Courts Act, which Parliament passed.
Viscount Hailsham
That may be so, but Parliament makes errors, and this House is in the business of looking again at what we have done in the past. We have to ask ourselves: what is just and equitable in the context of this case? I therefore very much hope that we will not approve a new inquiry and that the proposed new clause so eloquently moved by my mentor will fail.
Lord Lipsey (Non-Afl)
My Lords, I am one of those who backed the amendment of the noble Baroness, Lady Hollins, and I want to intervene briefly to make a point about the beast with which we are dealing. I refer noble Lords to the piece in today’s Times—a newspaper at which, incidentally, 25 years ago I was deputy to the editor. The headline reads:
“Peers hijack data bill to attack free press through back door”.
In today’s Times, evidently, the facts are free but comment is sacred.
Lord Black of Brentwood (Con)
My Lords, I hope that for the last time on this Bill I declare my interest as executive director of the Telegraph Media Group, and I draw attention to my other media interests in the register.
Amendment 127A, which I shall speak to first, is, as we have heard, an attempt to bring in by statute part 2 of the Leveson inquiry, but of course it is not quite Leveson 2 because this time there is no inconvenient mention of the role in the events of the past of some politicians and the police, who are noticeably absent from the scope of this amendment. So the target is four-square the press, and I believe that those who back the amendment are happy cynically to sweep everything else under the carpet.
I have four points to make. First, another inquiry is completely unnecessary because there genuinely is nothing left to unearth which has not been gone into in microscopic and comprehensive detail and been covered during the years of inquiries and investigations, as my noble friend Lord Hailsham said. Yes, bad things went on in a small number of places, but the full force of the criminal and civil law leading to prosecutions and often eye-watering amounts of compensation, as the noble Lord, Lord Pannick, said, along with rigorous judicial and parliamentary inquiry, has been brought to bear on them.
We had Leveson part 1, which cost taxpayers £5.4 million at the height of austerity and cost the core participants many tens of millions of pounds in legal costs. We should remember that Leveson had judicial powers of inquiry greater than those given even to Chilcot, who was investigating an illegal war in which hundreds of thousands of people died. We have had three exhaustive police investigations, with more people working on them than investigated the bombing at Lockerbie, in which over 200 souls died, costing the same taxpayer another £43 million. We have had three parliamentary inquiries by Select Committees in another place, one into press regulation by our own Communications Committee and one by a Joint Committee. There was a forensic investigation by the United States Department of Justice into voicemail interceptions and payments by public officials, after which it declined to prosecute. There has also been an investigation here into corporate liability in relation to data offences. After detailed consideration of that, the DPP said that no action was to be taken.
I cannot think of a comparable situation where so much has been done to get to the truth. So it is little wonder that Sir Brian Leveson himself, in concluding a ruling in the course of part 1 on 1 May 2012, questioned its value, saying that it would,
“involve yet more enormous cost (both to the public purse and the participants); it will trawl over material then more years out of date and is likely to take longer”,
to complete. I agree with that.
It was said in Committee, and has been hinted at here, that one of the issues that needed to be looked at again was Operation Motorman, despite the fact that Leveson took evidence on it and made recommendations. However—this goes to the heart of the matter—that concerned journalistic activity prior to 2003, 15 years ago. Does anyone believe that going over all that material again will be in any way fruitful, especially when many of the people involved will have left the industry? Some of them have died, and at least some will have forgotten the circumstances around actions that took place at the turn of the century.
My second point is that since the events that were at the centre of Leveson 1 took place, there genuinely has been a sea change in the regulatory framework surrounding journalism and publishing, which makes an inquiry unnecessary. In the past five years, the Press Complaints Commission, of which I was once director, has been closed and IPSO put in its place. I do not think that this is the time for a debate about IPSO, but it is an organisation with real powers based in civil law, which means that it is a regulator able to extract real penalties, far removed from the conciliation service that the PCC offered. Perhaps not visible to the naked eye, IPSO has also brought about, as I know from personal experience, a huge transformation of the internal complaints handling and governance procedures of newspapers.
My noble friend Lord Attlee mentioned the arbitration scheme. He should know from checking his facts that IPSO does now offer a low-cost arbitration scheme. The claimant fee for an initial ruling is just £50—I do not think you can get much more low-cost than that—and a maximum of £100 if the full process is used.
Lord Black of Brentwood
The scheme has only just come in following a pilot, so we need to give it a bit of time to see whether it will take effect.
Building on the issue of public interest, my third point is that I do not believe the industry can afford the distraction of such a huge inquiry at a time when many parts of it are struggling for survival. On one level, there is the sheer cost. Leveson 1 cost the industry many tens of millions of pounds in legal fees and management time. Any follow-up inquiry of this sort would, as Sir Brian himself intimated, be even longer, even more complex in view of the time that has elapsed and even more expensive. Under the terms of the amendment, it would impact on every part of the media, including the local press and the magazine sector, which were completely cleared in Leveson 1. The amendment puts those proved innocent back in the dock. Indeed, its terms are so wide that it would even draw in the international media, such as Buzzfeed, Reuters and the Huffington Post, as well as broadcasters including the BBC. Quite apart from the cost, there is the profound distraction that it would entail for those who are seeking with great speed to change their business so that they can survive in the digital age.
The spectre of yet another inquiry is a toxic threat to a free and independent press. I have lost count of the number of times during the passage of this Bill I have heard from those who said it was appalling to suggest—which I never have—that they do not believe in press freedom; that they were champions of press freedom through and through. Maybe, but I say to them: if you will the ends, you have to will the means. Setting up this inquiry is absolutely not willing the means for the survival of the free media in this country.
The issue of tumultuous change leads me to my fourth point. This amendment points very much to the past, one long hauled over. I know that bad things went on but we should be desperately trying to point to the future. One problem with the first part of the Leveson inquiry was that it ignored the reality of the new media environment and global competition in news. The world that this amendment seeks to investigate has gone. We should be looking now at how we can support free media by working out how best to regulate the currently completely unregulated online platforms of Google and Facebook, rather than heaping yet more burdens on a part of the media that is more heavily regulated than anywhere in the western world, constantly scrutinised and buckling under serious commercial pressure. It is time to draw a halt to this and look to the challenges of the future.
I turn briefly to Amendments 147 and 148 in the name of my noble friend Lord Attlee, which attempt to bring in a version of Section 40 of the Crime and Courts Act 2013. These are deeply pernicious amendments and would, I say to my noble friend, have a destructive impact on our free press, not just national newspapers but the local press, the magazine and periodical business, and the international media. The so-called process of cost shifting, which lies at the heart of this, means that all newspapers and magazines not signed up to a state-approved regulator would be liable to pay for the other side’s costs in an action for a breach of data protection, whether they win or lose the case. Because data touches on virtually every aspect of the news operation—from the genesis of a report to its ultimate archiving—a legal action relating to almost any journalistic activity could be dressed-up in a way that would take advantage of this malignant law. It would open the floodgates to hundreds of baseless claims that would put the very existence of many newspapers, particularly the local press, in grave jeopardy.
The aim of this is to use the law to blackmail—I use the term advisedly—publishers into a system of state-approved regulation. Punishing newspapers for telling the truth as a ruse to impose such controls is wholly inimical to press freedom and alien to democracy. In the current situation, the problem is even worse because the faux regulator “approved” by the Press Recognition Panel is bankrolled by the anti-press campaigner Max Mosley. My noble friend Lord Attlee asked about state control. As he knows—he and I have talked about it—the Enterprise and Regulatory Reform Act 2013 gives this House the power to change the charter by a two-thirds majority. However, in many ways even that is a red herring, because Parliament can vote at any time to overturn that and change the terms of the royal charter in a way that would extend state control of the press.
Given that the publishing sector has made it clear that it will never join an approved regulator, this amendment would have the most profound impact across all journalism, but particularly on investigative reporting. It would give anyone who wanted to suppress a journalist’s inquiries a blank cheque to bring a legal action, knowing that they would not have to pick up the cost. Very few publications would ever let a case get to court because of the crippling costs involved, and would either have to stop investigating the moment that a legal action was threatened or be forced to apologise for printing something that was true. This would be particularly pertinent in investigations where there could be multiple legal actions. For instance, had this provision been in place, it would have been impossible for the Telegraph to conduct its investigation into MPs’ expenses—perhaps some Members of this House would be entirely happy about that.
For all publishers, there would be serious commercial consequences at a time when the vast majority of the industry is struggling. It is inevitable that some newspapers would go out of business as a result of just a handful of cases brought under my noble friend Lord Attlee’s amendment, with disastrous consequences for the plurality of the media. I wonder whether he really wants “Attlee’s Law”—as I have no doubt it would become known—to be responsible for closing newspapers, journalists losing their jobs and investigations being stopped in their tracks?
Lord Black of Brentwood
I hear noble Lords disagreeing, but I have to tell them that it is true. If you are a struggling local newspaper making barely any profit, one or two actions brought under this provision would bankrupt you.
Many other serious legal issues arise from this amendment relating to the European Convention on Human Rights, which the noble Lord, Lord Pannick, has already dealt with. It is for this reason, and all the reasons I have outlined, that Section 40 has been roundly condemned as an assault on free speech by virtually every international press freedom organisation, including Index on Censorship, the Committee to Protect Journalists, the World Association of Newspapers and the International Press Institute. It is why, rightly, the Government undertook a comprehensive consultation on whether to introduce it last year.
In closing, whatever that consultation says—and I agree that it would be quite wrong to support this amendment in the absence of the Government’s response—Section 40 remains pernicious in principle and would be disastrous in practice for the free and independent media that I believe we all want to see flourish in this country. I hope my noble friend will not press his amendment.
Lord Brown of Eaton-under-Heywood (CB)
My Lords, I too oppose the amendments in this group. I want to focus particularly on Amendment 147, which would, in effect, introduce a Section 40-type penal costs provision into the present legislation. But I seek first to dispel a basic misapprehension on this issue.
Section 40 is said simply to be implementing Leveson. I suggest that it goes very substantially further than that. The relevant Leveson recommendation is recommendation 26, under the heading “Encouraging membership”. The amendment deals, as does Section 40, with both the carrot and the stick, in both instances in more extreme terms than the recommendation. I shall forgo any question of the carrot—it is not necessary to discuss that; it is wrong, but it is not necessary to discuss it—but turn to the second part, the penal cost provision of recommendation 26. It reads as follows:
“On the issue of costs, it should equally be open to a claimant to rely on failure by a newspaper to subscribe to the regulator thereby depriving him or her of access to a fair, fast and inexpensive arbitration service. Where that is the case, in the exercise of its discretion, the court could take the view that, even where the defendant is successful, absent unreasonable or vexatious conduct on the part of the claimant, it would be inappropriate for the claimant to be expected to pay the costs incurred in defending the action”.
Given that recommendation, the suggestion is that the court could take the view that even where the newspaper wins, it would be inappropriate for the claimant to be ordered to pay the newspaper’s costs. Critically, there is nothing there about the newspaper, even when it wins, being made to pay the unsuccessful claimant’s costs.
In the provision as it is sought to be introduced, whether you look at it as Section 40 or as Amendment 147 —which is perhaps more convenient because it is in identical terms to Section 40 except in two wholly immaterial respects—subsection (3) goes way beyond that recommendation. In that instance, the court must—note the word “must” towards the end of the paragraph—award costs against the newspaper to the unsuccessful claimant unless, under this highly abstract concept in paragraph (b),
“it is just and equitable in all the circumstances of the case to make a different award or make no award of costs”.
The plain intent of that provision is to drive newspapers which will not sign up to a recognised regulator to do so by threatening that they will pay the costs, come what may, except only in a vexatious case.
Anyone who is besotted with that mismatch should look also at two other passages in the report. I shall not weary your Lordships with them now but just note that they are at paragraph 5.6 of the report, at page 1770, and paragraph 6.8, at page 1514.
I shall make one final observation on this issue. Not only did Leveson’s recommendations plainly not go as far as Section 40—now the proposed Amendment 147 —but they did not win the total support of all his six assessors. Notably, the noble Baroness, Lady Chakrabarti, now the shadow Attorney-General, who was the director of Liberty at the time and one of the assessors, made plain her deep reservations about Leveson’s recommended regulatory scheme and, in particular, once it came to be established under the rubric of the royal charter.
My second and briefer point is that IPSO—the noble Lord, Lord Black, made this plain a moment ago—now has in place an arbitration scheme that is fully Leveson-compliant. As we have seen, the essential justification suggested for not awarding successful newspapers their costs in these cases but rather requiring them to pay the losing claimants is that, unlike a newspaper signing up to Impress, the claimant has not got the opportunity of a low-cost arbitration. That is now categorically no longer the case. IPSO offers just such an arbitration scheme—including, incidentally, explicitly for data protection claims. This scheme was finally introduced in November after being trialled for a year. However, it was trialled on less beneficial terms than it is now introduced on. There used to be a scheme which cost £300. Now, as the noble Lord, Lord Black, made plain, you pay £50 down and the most you can be required to pay beyond that is another £50—£100 in all. This scheme is overseen by specialist barristers and managed by CEDR, which is Europe’s largest independent provider of alternative dispute resolution. There is less cause now for even the recommended possible sanction by Leveson than there used to be.
My next point is perhaps of reduced significance because of the availability of the arbitration scheme now introduced, but the Bill makes specific provision to assist a claimant in a data protection proceeding against newspapers to apply to the Information Commissioner to fund the claim. Clause 165(6)(a) makes plain that the commissioner’s assistance may include,
“paying costs in connection with the proceedings”.
Not only is this manifestly not the right Bill to introduce by a side-wind legislation that was originally designed for other cases under Section 40; it is the least possibly appropriate Bill in which to do so.
I am tempted to raise a number of other points but I shall not succumb to the temptation because many have been made by other noble Lords. However, with the best will in the world, this is an ill-judged group of amendments and it will do this House no credit to pass them.
Lord Lester of Herne Hill
I wonder whether I will win the sympathy of the House by saying that I am not going to make a speech. All I want to say is that I have given notice to my Chief Whip, as a cuckoo in the nest, that I cannot support these amendments and that if there is a Division I shall vote against them.
The only other point I wish to make was made by the noble Lord, Lord Black, in passing, at the conclusion of his speech, when he referred to the wider world. The rest of the free world that believes in free speech looks with amazement at these debates and thinks how on earth can we be wasting time debating this kind of thing when the press has done what it has done. With Alan Moses, a really independent Court of Appeal judge as the chair and Anne Lapping, a very independent non-lawyer, as the deputy chair of IPSO, having set up a scheme, why on earth are we wasting time in going over past history instead of letting them get on with it.
Lord Falconer of Thoroton (Lab)
My Lords, I came intending to support the amendment of the noble Baroness, Lady Hollins, asking in effect for Leveson 2, and the amendment of the noble Earl, Lord Attlee, in effect introducing Section 40 for data protection. The more I have listened to the debate, the more I am absolutely convinced that both those amendments are correct.
I have found it appalling to listen to the smug reassurances of the apologists for the media that everything is now fine as far as data protection is concerned. The noble Baroness, Lady Hollins, drew our attention to the experience of the Bowles family when their son was killed in an accident. While Leveson 1 was going on—the latest moment at which it was alleged that the media had reformed—they were breaking the Bowles family’s data protection rights, to publish whatever they liked.
I do not know the extent to which the media were tricking or are continuing to trick people into giving out medical records, banking information and private photographs, or taking photographs from sources they should not, or going to the police and getting information from them. I am pretty sure that it is still going on, but I do not know the extent of it. The thing that will reveal the extent of it and the extent to which media owners are involved would be Leveson 2. That is what we as politicians promised at the time. The assertion, made in particular by the noble Lords, Lord Pannick and Lord Black, and the noble Viscount, Lord Hailsham, that we should just stop now because everything in the garden is rosy flies absolutely in the face of the evidence. We would look like politicians who are continuing to collude with the media.
Viscount Hailsham
The point is not that everything is right. We accept that it is not, but the facts are already known. What now needs to happen is that the policy needs to be formulated and brought to Parliament. An inquiry would postpone the day when that could happen.
Lord Falconer of Thoroton
I disagree with what the noble Viscount, Lord Hailsham, says—namely, that the facts are already known—because the apologists are saying that everything is okay now; I do not include him as an apologist because he has a slightly different position. I point to the case of the Bowles family, which indicates that things were not okay when the first Leveson inquiry was going on. The basis on which it has been asserted by the noble Lords, Lord Pannick and Lord Black, along with others, that we should not go ahead is because everything is okay. Well, it is not.
Lord Lester of Herne Hill
I just to make something quite clear. I hope that the noble and learned Lord is not suggesting that I am saying that everything is fine.
Lord Falconer of Thoroton
This is the crux of the position. Now that it seems to be accepted that things are not okay, if that is the case, what is required is an inquiry. As I understand what is being asserted, a change is proposed in the form of Section 40 and there are those who say that we should not make a change. I think that it is important not to be taken in by the siren song that everything is okay.
It is important that there should be a second inquiry. We promised it and we should not break that promise. I also think it would be wrong to suggest that Sir Brian Leveson is against a second inquiry. I do not know what his position is, but we should not assume that he is either in favour or against it; his views need to be canvassed. I strongly support the amendment tabled by the noble Baroness, Lady Hollins.
Lord Pannick
I am not suggesting that breaches do not occur; I am not an apologist. My position is that if and when errors are made and wrongful acts occur, the law has ample means of dealing with them. We do not set up a massive public inquiry in areas of the law or practice whenever there is a risk that wrongful acts are going to take place. My position is that we have inquired sufficiently into these matters, and to the extent that there are still wrongful things going on, the law provides perfectly adequate remedies, and indeed under this Act there will be perfectly adequate administrative procedures.
Lord Falconer of Thoroton
I have two comments to make in response. First, the Leveson 2 inquiry was promised. As I understand the position of the noble Lord, Lord Pannick, now, he is saying that maybe wrongdoing is going on and it is the same as was expected before, but promising Leveson 2 was a mistake. Secondly and separately, Sir Brian Leveson found in his report that the remedies of the law, the remedies to which he referred, were open only to the wealthy. That is what he found as a provision. Therefore, the suggestion that the law provides an adequate remedy before the recommendations made by Sir Brian Leveson is, in my view, wrong. I pray in aid of that the conclusions that Sir Brian Leveson made after a full inquiry.
I turn now to the amendments tabled by the noble Earl, Lord Attlee. I strongly support them and I think that they are entirely appropriate for this Data Protection Bill because they deal with those who abuse data protection. Why should people not have protection in relation to this? I strongly disagree with the suggestion of the noble and learned Lord, Lord Brown, that this goes further than Leveson. It does not, because what Leveson said was that if a newspaper can join a body which could provide a cheap way of dealing with it and it does not, it should be liable to pay the costs unless there is good reason not to. That is precisely what the amendment does, and I say that with some added experience in relation to this. I was involved at the time when Section 40 was being drafted. It was in effect an agreed draft between the Government and their lawyers, with Mr Oliver Letwin representing the Government along with the full majesty of the Treasury Solicitor advising him. We were trying to agree an amendment that gave effect to Section 40. It was passed almost unanimously by the House of Commons and it was passed in this House as well. The suggestion that it goes further than what Leveson proposed is wrong, so I strongly support it.
Having had the benefit of all of those lawyers from the Government at the time, I also strongly disagree with the assertion by the noble Lords, Lord Pannick and Lord Lester, that this would be in breach of the Human Rights Act. It most certainly would not, and I am encouraged in that by what was said by my noble friend Lady Kennedy of The Shaws. Please do not listen to the siren song of the media. Give people the protection that everyone thought they were entitled to. It does not infringe on a free press; it simply makes sure that people like the parents of the victims of the Soham murderer do not have their data mined when there could not be any possible justification for it.
Baroness Butler-Sloss (CB)
My Lords, I was not going to speak, but I feel impelled to do so. I have no time for the media. I have been libelled and I disliked the experience a great deal. But what we are being asked to provide is a remedy. They are saying that the current remedies will not do and that the remedy is an inquiry. As a judge, I have chaired a number of inquiries, and there are other former judges in this House who have done so. They are inevitably long-winded. This one would go on for a very long time, so I would ask this question: what sort of remedy would there be at the end if the inquiry is mired in a huge number of lawyers making a great deal of money out of defending all sorts of groups of people? At the end of the day we would get—what?—a report.
Lord Finkelstein (Con)
My Lords, I first declare my interest as a Times columnist. Perhaps I may also start by thanking the noble Baroness, Lady Hollins, for the opportunity to listen to what she had to say, which it was impossible to do without regarding it as moving and passionate and a cause for reflection. It would be an insult to free debate if I did not say to the noble Baroness that listening to her has made a deep impression on me. I thank her for what she had to say.
I am afraid that I do not agree with the remedy being proposed by the noble Baroness. Perhaps I could propose a minor procedural innovation, which is that before people go through the Division Lobbies and vote for a further inquiry, they might be required to provide evidence that they have read all of the previous one. It ran to 2,000 pages, with 115 pages on data protection, which people may not have come across because they started on page 997. The noble Lord, Lord Paddick, suggested that a second inquiry which delved into the relationship between politicians among others and the press was a good idea. That inquiry was also conducted by Leveson. I know that because I was in it. It was set out in the third volume, and not many people who were not working in the legal departments of newspapers mentioned it to me.
I understand the comment from the noble Lord, Lord Lipsey, about the Times’ comments this morning. It is the normal habit of columnists to say, “I didn’t write the headline”, but in this case I am happy to stand behind it. Of course I understand that nothing would occur less to noble friends and noble Lords than to attack free speech—nobody thinks that that is what they are doing, and de jure they can claim that it is not what they are doing—but please do not have the impression that, de facto, it makes no difference to the free publication of criticism and newspapers if we have yet another inquiry. I know that it is not what the motivation is, but it is effectively harassment to continue to ask the same questions and have inquiries into the same issues. We have heard many moving examples that are covered by two things. They were either raised by the Leveson inquiry or they are capable of being dealt with by criminal, political or arbitration solutions. The idea of having another inquiry therefore justifies how the Times put it this morning.
Lord McNally (LD)
My Lords, I am not a lawyer or journalist. If I was to describe myself as anything it is a jobbing politician. But each and every one of us in this House has to make their decision as a jobbing politician. Quite frankly, and with the utmost possible respect—I know that is what you always say when you are about to be rude—having listened to the lawyers, my head spins. That is why, in the end, we have to make a political judgment.
The truth is, we are where we are because the press that the noble Lord, Lord Black, speaks for—I make no criticism of that—decided that they would not co-operate. We could have had a working system backed by a royal charter from the beginning. Those of good will on all sides could have made that effective. It was the decision of the noble Lord and his friends not to make it work. Everything we have had since then flows from that determination that they would not make the legislation, which passed through both Houses with massive majorities, work. That is why we are in the position we are in now.
We then have to add to that the fact that, sadly, the Conservatives decided to go back on the pledge that the Prime Minister of the day made to the victims that they would have the full second inquiry. They put it into their manifesto, which, noble Lords may have noticed, did not get the approval that they would then claim as a strength in this House.
The position we have now is that the consultation is in the works. Lord Leveson, who must be a glutton for punishment, has said that he wants to look at not only the conclusions, but the submissions and will make positions of his own. What worries me is that, unless we do something tonight to send this matter forward to the other place, it will be taken out of the hands of Parliament. It is a rough old way of doing it, but by passing this amendment it will go to the Commons at a time when the Commons will be cognisant of the amendment as an opinion of the House of Lords, the outcome of the consultation and the opinions of Lord Leveson. That strengthens the position of Matt Hancock, the new Secretary of State—an appointment I very much welcome—but we all know how it works: Ministers in the department may be very willing to give assurances that we will have an inquiry somewhere down the line, but then they will get a call from No. 10 saying, “You can’t: you won’t do this”. We have to strengthen the hand of Ministers who want to carry this through to a proper and honourable conclusion.
We have again heard all the usual arguments. There is no threat of state control of the press. I say to the noble Lord, Finkelstein, to look again at that headline and see whether he is still proud of it. Another Lord Attlee once said he only read one newspaper, the Times, and that was for the cricket scores. I am not sure he would trust the cricket scores these days.
One pertinent item of briefing noble Lords will have had, and to which a number of Members have alluded, was in the rather shrill briefing paper from the News Media Association, which says that,
“the industry faces acute challenge from global digital platforms which reap commercial rewards from the news industry’s investments, yet invest nothing in news content themselves and are treated as mere conduits, with freedom from the responsibilities and liabilities of publishers”.
As the noble and learned Lord said, that is the real challenge to the press. The noble Lord is diverting and losing friends by this obstinate refusal to build the strength that would come from royal charter-approved press regulation. I know that he worked with the PCC, but this is not a 10-year problem. For the last 30 years, we have had this problem that press regulation by itself has never carried credibility. It did not carry it in his day, which is why they got rid of it. If I can remember rightly, they got rid of the one before that in the midst of a scandal. They will probably get rid of IPSO when the next scandal comes along, because it will not work.
I suggest that we strengthen the hands of Ministers by passing these amendments to make sure that, when it goes to the Commons, there is an opportunity in the light of all the facts to make a fully informed decision. I was one of the Ministers who signed the royal charter. I can assure the House that for both Conservative and Liberal Democrat Ministers—we were in full consultation with the Opposition at that time—the one thing we wanted to avoid was any sniff or smell of state regulation. The real intention was to protect the press, not just the press owners. My belief is that, if they had followed through on the royal charter and had a proper regulator, it would protect individual journalists. I always remember during another scandal a very senior member of the Times had just rewritten their regulations yet again. I said, “What if the Daily Mail scooped you on something that you decided was prevented by your new charter?” He said, “Rupert would fire me”. It is that that we want to protect individual journalists and their integrity from.
This would be a step forward. It would keep the political debate going in the place where it needs to be made—the House of Commons. We should make sure that we vote as politicians, thinking about the reality of it. All my life in politics I have made judgments on things by looking around and seeing who was smiling. If noble Lords defeat these amendments, those who will be smiling are those who have done most damage to the press by what they did while in charge of the press. Those who will be in despair are those individual citizens who have not seen their privacy or civil liberties protected. The House would feel ashamed of itself.
Lord Stevenson of Balmacara
My Lords, I sense that the House wishes to move on, to hear from the Minister and move to the inevitable vote, which I think would be a good thing for all of us. Therefore I will not speak at length. We have had a really important debate today, ranging from the deeply personal to the high realms of public policy, and it is very hard to find a balancing point at which we might, as the noble Lord, Lord McNally, has just said, actually find a reason for dividing on the various issues. It is complicated and multilayered. It is also time-sensitive and there are very inconvenient issues in the way. However, one can dig down a little and start with the fact that the Bill, as I have always said and will continue to say, is not the right Bill to solve all the problems in relation to press regulation in the future. It is a Bill about data protection and although it has elements that obviously bear on everything we have been saying today and in the previous debates around the need to balance the rights to privacy against those of freedom of expression, it is not a complete picture and we should not think it is.
It is important that we learn our lessons and move forward. We have an existing framework, set out in the Data Processing Act 1998. It has worked well; it has been said that it will work well in future, and the Bill establishes that again as the basic understanding on which we operate. I welcome that, but we are uncertain about how the issues that were raised between 2010 and 2013, the period that led to Leveson 1, are going to be resolved in the Bill—maybe they cannot be. They include the need to ensure that, for all time, there is an effective redress mechanism for those affected by illegality and bad culture in the press, and that we should understand and learn the lessons of what has happened in the past. We certainly have a lot of information but I do not think we have a full understanding of it all.
As has been said by a number of noble Lords, we must anticipate changes that are in train for the new media, the media sources of information and news and the changes in consumption. We have to explore—this is really important—how we sustain our huge tradition of quality journalism without which this democracy would be a shadow of its current self. My noble and learned friend Lord Falconer, in a very powerful speech, said we need to go back and rethink what we were thinking at the time Leveson was set up, the promises that were made and the impact it will have on the country if we do not deliver on those promises. We promised the completion of the Leveson inquiry. Whether it is Leveson 2 or another inquiry is a lesser point than the need to honour that promise. Too many people are relying on it, too many people will be upset if it does not happen and we will all be the losers.
The noble Viscount, Lord Hailsham, said that this is really a policy issue, not an issue around data processing: noble Lords will have understood from what I said earlier that I agree with him. The problem is that we do not control policy—we are unable to put any pressure on that. The victims do not control policy. The Cross-Benchers and Liberal Democrats do not. The Government control policy but successive Governments have seemed unable to move forward. I happen to think, from private conversations, that a lot more unites us on this issue than divides us across this Dispatch Box.
I would welcome some words from the Minister explaining precisely what will be the way forward. However, I do not think he will be able to do that, for all the reasons that have been given about the inconvenience of timing, the difficulty about cutting across other measures that are in place and the need to think through some implications. I am sympathetic, but the problem is that we need action; we need to move this forward, and the only power we have is to put an inconvenient roadblock in the current thinking. That is why I support the amendment in the name of the noble Baroness, Lady Hollins, and I will support—although I think that they are probably not the whole story—the amendments in the name of the noble Earl, Lord Attlee. It is important that the Government own up to the fact that this is a problem of their own making, show that they understand the issues and take action.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, the Government recognise that there is great deal of passion and genuine concern on all sides of the debate and on all sides of the House on these matters. I am obliged to the noble Baroness, Lady Hollins, for the passionate way in which she advanced her argument on these amendments, and also to the noble Earl, Lord Attlee. Casting my mind back to my limited experience in government—and limited it is—I am slightly perplexed. Usually, Government are accused of seeking to avoid issues or hard decisions and of kicking matters into the long grass by proposing an inquiry. For me, it is a novelty that the matter should be reversed in this fashion. Indeed, I note that a number of noble Lords have made the same observation in various ways in the course of this debate. For us, it is a matter of concern that we should move forward and look at how we can maintain a suitable, appropriate and respectable media for this country, but also the freedom of that media, which underpins our democracy.
It is appropriate to notice that the media landscape has changed significantly since the Leveson inquiry was set up. We have witnessed the completion of three detailed police investigations, extensive reforms to policing practice and significant changes to press self-regulation, which have moved on even further in the recent past, with the changes to IPSO. Of course, we have seen that civil remedies, civil proceedings, provide an effective route for parties, particularly in the context of litigation where conditional fee agreements are available. The Government published a consultation in November 2016 to look at whether part 2 of the Leveson inquiry was still appropriate and, indeed, proportionate and in the public interest.
I note that date, November 2016, because one noble Lord referred to the delay. I just make the point, which I have made before, that progress on that consultation was delayed because the Secretary of State was subject to an application for judicial review with respect to the consultation process. It was not a case of the Government trying to delay that process; we were really quite anxious to bring it forward. Once we were able to proceed with that consultation process, we received more than 174,000 responses. That in itself demonstrates the depth and strength of public feeling on this issue.
We are currently consulting with Sir Brian Leveson as the chair of the inquiry. Sir Brian has asked to see the results of the consultation, along with individual responses to the consultation that were submitted by core participants in the Leveson inquiry. I notice that the noble and learned Lord, Lord Falconer, observed that Sir Brian’s views need to be canvassed. I entirely agree: that is what we are in the process of doing at the present time. It is not only right that his views should be canvassed in this context, it is actually necessary. The Leveson inquiry has not been terminated; it proceeds under the Inquiries Act 2005 and it cannot be brought to an end until the Government have formally consulted Sir Brian and considered his comments with an open mind on how to proceed further. That consultation is in train. When Sir Brian has shared his formal views with us, we will look to publish the Government’s response to the consultation. It would be our intention, subject to Sir Brian’s views, to publish his response at that time as well, in order that that can be in the public domain.
Amendment 127A in the name of the noble Baroness, Lady Hollins, assumes that the existing inquiry will be brought to an end, but, as I say, that decision has not—indeed cannot—be taken at this stage. If, for example, Sir Brian produces compelling reasons for proceeding with part 2 of the inquiry in some shape or form, the Government would have to give reasonable consideration to those representations and will do so. However, we clearly do not need two public inquiries going on at the same time into the same issues: that is where we would end up, on one view of this process. We have to take events in their proper order and this amendment is plainly not in its proper order; it is plainly premature and cuts across the present statutory process that is being carried on pursuant to the Inquiries Act 2005.
However, I emphasise that the Government are determined to address the challenges of the new media landscape in which we all live—not just the obvious printed media but the digital media and the issues that turn on that. We are in the process of developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to help keep people safe online and ensure that personal information is used appropriately. We are also working to deliver on a commitment to ensure a sustainable business model for high-quality media online. Again, that underpins freedom of expression and our democratic way of life.
These are matters of active consideration for the Government. It is in these circumstances that I emphasise that the noble Baroness’s amendment is not appropriate at the present time and would simply lead to confusion in this already difficult landscape. Let us move on: let us complete the process in which we are currently engaged; let us receive Sir Brian’s representations with regard to the consultation process; let the Government make a decision by way of their response to that consultation; let us look at it—the idea that it would not be examined in this House is almost mythical, to be perfectly candid. Of course it will come under scrutiny in this House. I would be amazed if it were simply to pass unnoticed in the night. There can be no question at all of that happening.
Turning briefly to Amendments 147 and 148, again, I recognise that these are modelled on Section 40 of the Crime and Courts Act 2013 and I recognise that Section 40, and press regulation more generally, is a matter that people have incredibly strong—and diverse and conflicting—opinions about. I understand and appreciate the work that the noble Baroness, Lady Hollins, has done in this area and I appreciate her own personal exposure to the difficulties that have emerged in the past with regard to the abuse and misuse of personal data. Again, I reassure noble Lords that the Government are firmly committed to ensuring that the sort of behaviour that led to the Leveson inquiry never happens again. We are determined to address that.
However, we cannot ignore the various concerns that have been raised regarding Section 40. I am not going to go into the issue of convention compliance or any technical issues about that; nor will I elaborate upon the point that Section 40 does, albeit by agreement between various parties, go further than the actual recommendations in Lord Justice Leveson’s original report. Again, that is why the Government have issued their consultation, which will look, among other things, at Section 40 of the 2013 Act. That matter will be addressed. As I say, the Government will publish their response to the consultation shortly. When I use a term such as “shortly” I see some rolling of eyes but let me be clear: the response to the consultation will await the opportunity for Sir Brian to make his own submissions. We will then give due consideration to those, as we will to the 174,000 responses to the consultation.
We understand the serious nature of the matter before us and it will be fully addressed but we do not believe that at this time it is appropriate to advance a provision similar to Section 40 but only in relation to data protection. There is a much wider issue at stake here and that is the issue that needs to be prope