My Lords, right from the outset, I had better declare that this is a probing amendment. I shudder to think of another chastisement from the noble Lord, Lord Ashton—that would be too terrible to contemplate. Chastisement from the noble Baroness? Even better.
The amendment is about whether we should put the Bill on all fours with the Data Protection Act 1998. Personal data is defined in Clause 2(2), and then Clause 2(4) goes on to talk about “processing” of data, in terms of requiring the personal data to be recorded in order that it can be subject to,
“an operation … performed on personal data”.
It follows that, if the information is not recorded, it is not capable of being processed under the Bill as it cannot be subject to an operation.
Where I am slightly confused is looking at article 5(1)(f) of the GDPR, which talks about personal data being,
“processed in a manner that ensures appropriate security”,
which means that security obligations apply to recorded information about an individual and perhaps not to unrecorded information, which may be, for instance, disclosed in a conversation. If a controller fails to control his staff and a staff member discloses information in an unrecorded form, is that controller in breach of the security principle?
It would have been crystal clear in the Data Protection Act 1998 because Section 1(2) of the DPA closes that kind of loophole. That is exactly the wording that has been adopted in the amendment. Perhaps the Minister can explain whether we are incapable of using that definition because it is the GDPR or simply because we have failed to incorporate and bring forward equivalent provisions from the 1998 Act. I beg to move.
My Lords, I support the amendment in the names of the noble Lords, Lord Clement-Jones and Lord McNally. I will speak also to Amendments 3 and 9 in this group. This is a wide-ranging, rather stretching group covering a lot of detail, and I am sure the noble Baroness the Minister, who is making her first appearance on this Bill, will be able to cope with it with ease and will not have to resort to having meetings outside or anything; it will be a straight answer. I mean no disrespect to the noble Lord the Minister who spoke earlier.
Amendment 3 is a probing amendment. I make that absolutely clear, like the noble Lord, Lord Clement-Jones, did. It is about the rather disputed issue, as I understand it, of the status that many of the big tech companies that operate in the United Kingdom have in relation to the Act. Are they, as I think I have heard in other meetings, data controllers in the sense that the Bill sets out to achieve; in other words, are they responsible for all the elements that will be raised in the Bill and in the GDPR in relation to that issue? I am looking for a clear and straightforward answer on that, because it seems to me that there has been too much evasion and difficulty in pinning down some of the definitional points that this issue raises.
Having established that they are data controllers and that the material and data that they go through are subject to the Bill in its entirety—and, by implication, the GDPR—in which territory will this power exist? Obviously, that has relevance both pre and post Brexit. For instance, I asked the representatives of a large company who came in to brief us about their concerns about the Bill the very same question and received the answer that they regarded themselves as being European data controllers, which was a strange combination of thinking, and that they had selected, because it seemed appropriate at the time—again, I would be interested in having more information on that if it is available—that the Irish Information Commissioner would be responsible for any activities that were regulated under the Act and they would look to that body. Irrespective of whether or not that is true, and I suspect it is, that leads to a question about the role the Information Commissioner in the United Kingdom has in relation to companies which choose a European domicile and have a responsible information commissioner who is not in this country and therefore not subject to any regulatory or statutory provisions provided by this Parliament. There is no particular reason why this should be wrong. I am not in any sense making accusations that would arise from that, but it is important that we have on the record a very clear narrative on this point because it will raise a lot of questions if we do not.
Amendment 9 has already been referred to in the debate on Amendment 1, in relation to where the recitals that accompany the GDPR are going to end up. Reflecting on what was said by the Minister in that debate, I found that very helpful in answering the questions that Amendment 4A raised. Therefore, it poses another question about why the Government decided—well, they have no choice—to have an arrangement under which the GDPR comes into play, as required, on 25 May 2018. However, at that point the recitals will not be brought into effect. I understand that the recitals do not have statutory power in the GDPR, but it is quite clear, from reading around on this subject and hearing of cases already raised in relation to data processing, that they are helpful to those who have side issues arising from the GDPR. The recitals help them to understand what the legislation actually means and, without them, there may well be a problem, at the least, in getting a consistency of approach across the EU. It is therefore important that we should know where the recitals are going to end up. If they are not being brought in, to what extent can they be relied on and, if so, by whom?
My Lords, I am grateful to the noble Lords, Lord Clement-Jones and Lord McNally, for the opportunity to explain the meaning of data processing. As the noble Lord, Lord Clement-Jones, has explained, Amendment 2 would import words in relation to this term from Section 1(2) of the Data Protection Act. It might be helpful if I explain that the definition in Clause 2(4) of the Bill is taken directly from article 4(2) of the GDPR. Importantly—the noble Lord, Lord Clement-Jones, was right to mention this—the extent to which we can redefine or reinterpret it is therefore limited.
Having said that, the current definition of data processing already refers to,
“any operation or set of operations which is performed on personal data, or on sets of personal data”.
That is a very broad term. If somebody obtained, recorded, used or disclosed all or any part of the data relating to individuals, I have no doubt and am confident that it would be covered by the existing definition.
I go on to the amendments in the name of the noble Lord, Lord Stevenson, who I thank for his kind words about us being together at the Dispatch Box. I greatly look forward to it, too. As he explained, Amendment 3 aims to clarify that the processing of data includes processing undertaken by information society services, such as commercial websites. Article 4 of the GDPR and Clause 2 make it quite clear that the term processing applies to any automated and certain non-automated processing. There is no doubt that this would include information society services.
I am sorry to interrupt so aggressively and early in the Minister’s response, but a word was used that I did not understand and I therefore need to come back. In films, we often find that if you talk to an American film executive about whether a film is successful, compared with what happens if you talk to a British executive in a similar situation, they will use “quite” in completely different senses. Britain uses “quite” to mean, “That’s okay”. But if Americans say, “That film was quite successful”, it means, “Blimey—you really have hit the box office”. In which sense was the Minister using it?
I am using it in the English sense. The noble Lord interrupted me, but I wanted to go on to say that, because of this, we can see no reason to distinguish information society services from any other type of data controller or processor.
Additionally, the definition of controller in the GDPR requires a case-by-case analysis to determine who the controller is, but it is likely that social media companies are controllers. Although the person posting personal data online is a controller, social media companies control personal data: in the context of activities which involve collecting such data; in retrieving, recording and organising it for indexing purposes; in storing it on their services; and in disclosing and making it available to users in the form of lists of search results. The Information Commissioner has also published guidance on this matter suggesting that, if a social media site’s operator has a moderating role over the site’s contents, then it is likely to be a controller.
In respect of Amendment 9, the recitals to the GDPR do not have normative effect—they are more akin to Explanatory Notes—and there is no requirement for the UK to enshrine them in legislation. In some places in the Bill we have adopted some language in the recitals to aid with clarity. For example, in Clause 8 we borrow from the recitals to make it clear that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child. We will return to this later in Amendment 17 in another group. It is important to say that recitals do not contain substantive law, nor can they override the express language of a regulation. I hope my clarification on this issue is sufficient, and I urge the noble Lord to withdraw his amendment.
My Lords, I was hesitating as I thought perhaps the noble Lord, Lord Stevenson, might want to come back. I must admit that that was one of the most interesting answers in the light of what the noble Lord, Lord Ashton, said in the previous debate. He prayed in aid two recitals to the GDPR and yet they do not have “normative effect”, which is extremely interesting. I feel another amendment coming on in due course—at the appropriate time, of course. The noble Lord, Lord Ashton, was not in his place when I said I feared another chastisement from him, but that is why I emphasised that my amendment is purely a probing amendment.
Returning to what the Minister said about that, I think she is really saying that the GDPR is wide enough in article 4 to cover conversations, casual disclosure of information and so on and that the information does not have to be structured or in recorded form. That is a very useful explanation that people will rely on when they come to look at the Act in future years. I beg leave to withdraw the amendment.