House of Commons (26) - Commons Chamber (10) / Written Statements (8) / Westminster Hall (4) / Public Bill Committees (4)
House of Lords (17) - Lords Chamber (12) / Grand Committee (5)
(6 years, 8 months ago)
Public Bill CommitteesWe will now recommence line-by-line consideration of the Bill. There are the usual words about turning off your mobile phones. I can see at least one cup containing what is a banned substance as far as the House of Commons is concerned—
It is water! I do apologise. It was the Clerk who drew it to my attention. We have to obey the rules, but water is very acceptable. Thank you.
Clause 8
Extension and termination of tariff cap conditions
I beg to move amendment 2, in clause 8, page 5, line 36, at end insert—
“(3A) In the case that the tariff cap is extended to have effect for the year 2023, the Secretary of State must publish a statement before the end of that calendar year outlining whether the Secretary of State considers it appropriate to introduce further legislation to introduce a new tariff cap to have effect beyond the date outlined in this Act.”
This amendment would require, in the event that the tariff is extended until 2023, the Secretary of State to publish a statement outlining whether he or she considers it appropriate to bring forward further legislation to introduce a new tariff cap to have effect beyond 2023.
It is a pleasure to serve under your chairmanship, Sir Edward. At our last sitting I made a joke about being brief in my comments, but I will be super-brief this time.
The whole reason for the Bill is the admission that the retail energy market is not working in terms of providing effective competition for consumers and allowing them to access the best-priced tariffs. I recognise that the Government have made it clear that the proposed cap mechanism is temporary for that reason and is to allow the market to remedy itself. Because this is a temporary cap, clause 8 is the sunset clause, which in effect states that the cap must end by the end of 2023.
I have tabled my simple amendment because, as we know, the market is not working, but there is no guarantee that it will remedy itself in the time proposed, although we hope it will. There is a risk that there will still be no effective competition in 2023, so the amendment suggests that if we get to that final year of the temporary cap, the Government should make a statement outlining whether they believe it appropriate to introduce further legislation for a new tariff cap with effect beyond 2023.
The amendment is to ensure that the Government update Parliament about where matters are at, and imposes that duty on the Secretary of State. It is a very simple amendment, so my comments have been super-brief. I look forward to hearing what the Minister has to say.
Good morning, Sir Edward. It is a pleasure, as always, to serve under your august chairmanship, and I am impressed with your X-ray eyes seeing the coffee cup. It is, once again, a pleasure to welcome fellow travellers on our Committee.
I was of course interested in what the hon. Member for Kilmarnock and Loudoun said—in essence getting back to that long-term question that we have all been discussing as to what “good” looks like. In 2023 how will we know whether the cap can be removed? Interestingly, the hon. Gentleman is in a way seeking to bind the hands of a future Government with his amendment, by putting in place, when the cap is finally removed—I think we all agree with the sunset clause—the need to opine as to whether further legislation should be introduced.
My hope is to persuade the hon. Gentleman to withdraw the amendment, so I shall set out a couple of reasons why he should, although I think we all agree that we support the cap. We want the cap to be in place for the period it takes to restore effective competition in the market. We also agree that we do not want permanent caps to run in the market, because we want it to move towards a more competitive position. The Bill is an intelligent intervention to speed up that journey.
Frankly, the Government have no wish for a price cap to be a permanent feature of our energy market. We debated that point briefly last week. I think there is strong consensus in the Committee—if I have not misjudged it—that the cap should have a sunset clause. In order for a sunset clause to be effective, there should be an end date to the legislation. Of course, as we discussed last week, that does not simply mean we will pass the Bill quickly through both Houses—as I hope we will—and have the cap in place by the end of the year, as Ofgem has assured us is possible; we will also all be working alongside Ofgem to ensure that the conditions for effective competition are in place by the 2023 deadline. I think we would all want to see those conditions in place well before that date.
Ultimately, we want a fully working and competitive market that is transparent, innovative and adaptive, that promotes competition as the best driver of value and service to customers, and that has a regulator with the powers and appetite to regulate actively should a situation arise, as it has done, where we do not believe some groups of customers get that value and service.
We discussed last week the roll-out of smart meters—where we have seen good progress but we need to go further and faster—and moving to faster and more reliable switching. I am very interested in Ofgem’s midata proposals, which will make switching an almost seamless process. Indeed, my hon. Friend the Member for Weston-super-Mare (John Penrose), who was so instrumental in creating the Bill, told me about his latest app, Flipper, which enables someone’s supplies of various services to be transferred almost seamlessly, with their consent, to the best value tariff, based on what tariff they are looking for.
There are plenty of opportunities for consumers to benefit from that improved competition, but we have discussed the fact that, although some of us are active switchers and are aware of those opportunities, some of us are too time-poor to do that. Worryingly, there is a large group of customers who are on bad-value tariffs and either do not know it or are sufficiently disengaged from the market not to do anything about it. That is why we brought forward the Bill and why it is extremely important to test the initiatives that the Competition and Markets Authority proposed to improve engagement with so-called disengaged customers.
We have discussed incredibly exciting technological changes, such as the move to distributed energy, the increase in renewable energy and people’s ability almost to create their own energy network, which includes them, local businesses and other local energy consumers. New business models will also come into the sector. I was interested to hear the evidence of some of the more innovative new entrants about where they want to go with the market. They mentioned half-hourly settlement and payments to people who do not consume energy at certain times. There is an enormous range of adaptations, and of course smart metering will unlock even more.
We are all determined to have a fully competitive and fair energy market, but I think we are all of a mind that the cap should be a temporary measure. I pay tribute once again to my hon. Friend the Member for Stirling, who serves with great effect on the Business, Energy and Industrial Strategy Committee, to which we all owe a great debt of gratitude. The Committee said that there is a risk that if the price cap became a longer- term fixture it
“would put the Government unduly in charge of setting energy prices for the foreseeable future.”
I thank the right hon. Lady for giving way and congratulate her on receiving Privy Counsellor status—she joins a merry band of us. I accept the argument for a temporary price cap, but does she accept that we should look closely during this period at whether any other structural reform of the energy market is needed to ensure that there is even wider competition and hunger for customers, rather than complacency?
I could not agree more. I thank the right hon. Lady for her kind congratulations. I feel it is an undeserved honour, but it is amazing. She is absolutely right. One of the reasons we were minded to bring forward the Bill was that we have a competitive energy market, with more than 60 companies that would like to sell us energy—either combined heat and power or, in some cases, just power—but we gifted incumbency to a large number of companies when we took what I thought were sensible steps to privatise the energy system. That brought in more than £60 billion of new capital and caused prices to fall and power cuts to halve, but the companies that were gifted incumbency have not had to work for customers. It was interesting to hear from new entrants about how they are determined to shake up that complacency.
I think the right hon. Lady also alluded to practices further up the energy system—or further down; I am not sure whether it starts at the top or the bottom—and particularly profits in the distribution sector and overall network costs, which have come down but arguably could come down further. Work has been done in that area, but I am determined that the whole sector, from generation right to the customer’s meter, should be highly efficient, that efficiency and customer service should be rewarded, and that we ensure we have not created a shield of incumbency that allows companies to persist with bad customer practices. This is the start. We may not need legislation to get there, so we may not have the pleasure of—
I thank my right hon. Friend for giving way and wish her many congratulations from the Government side of the Committee, too. On incumbency and the investment that she mentioned, is it not extremely important that the price cap is set at a level that continues to encourage investment the whole way through the energy chain and into the new infrastructure we need? That is one of the reasons it is so important to signal that this is not a permanent cap; it is an incentive to increase competition and to ensure that the market continues to be dynamic and that infrastructure continues to be invested in.
My hon. Friend brings her great knowledge of these markets on a broader European scale to make a telling and vital point. The need to maintain investment in the industry, which we must have as we go through what is possibly the most exciting revolution in our energy markets for decades, is included in the Bill for exactly that reason. Clause 1(6)(d) speaks to exactly that point: we must ensure that we still have the financial investment in the industry that we so desperately need.
Having talked about the need to keep on improving efficiency, and having accepted the view of the Select Committee that the price cap should be only a temporary measure—reflecting a cross-party view that the Government should not be unduly involved in setting energy prices— I hope that I have persuaded the hon. Member for Kilmarnock and Loudoun that his amendment is unnecessary and provides an obligation on a future Secretary of State to impose another price cap. A future Government may decide to do that—who am I to suggest what legislation a future Government might introduce? However, I do not feel that the amendment is appropriate; it creates disincentives and uncertainty in a market where we have to have certainty to generate investment. On that basis, I hope he might be persuaded to withdraw his amendment.
The Minister finished as she started, by talking about binding future Governments. I suggest that most legislation, in one form or another, binds future Governments. It is for future Governments to make changes to the legislation if it does not suit their policy at the time. Binding future Governments is not a reason not to table an amendment or to withdraw an amendment.
Again, the amendment is not about making the cap permanent. It acknowledges that the cap is temporary, but if, for whatever reason, we get to 2023 and we still do not think that there is effective competition in the marketplace, it puts a duty on the Secretary of State to explain what the Government will do to address that, including possibly introducing new legislation.
On what “good” looks like in the future, if the Government had accepted an amendment setting out the criteria for what effective competition will look like—such as the Labour amendment that suggested a whole list of criteria that should be considered to determine and measure that—we would know what “good” looks like in the future. That might also help to generate the effective competition that we are discussing.
That said, to go back to my original point, I am not trying to say that the cap should not be temporary. Following my comments to the Minister, I do not see any point in pressing the amendment to a vote, so I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 11, in clause 8, page 5, line 36, at end insert—
“(3A) In the case that the tariff cap is extended to have effect for the year 2023, the Secretary of State must publish a report before the end of that calendar year on further measures that can be taken to ensure that conditions are in place for effective competition for domestic supply contracts.
(3B) The report under subsection (3A) must include, but is not limited to—
(a) the merits of establishing pooled trading arrangements which matches energy sellers and buyers on the day-ahead and near-term markets; and
(b) the potential impact of such an arrangement on competition for domestic supply contracts.”
It is a pleasure to serve under your chairmanship, Sir Edward. Before I proceed, I ought to say two things. First, I congratulate the right hon. Member for Devizes on her elevation to the Privy Council. In terms of nomenclature, I am not entirely clear whether I should refer to her as the Minister or the right hon. Minister in the future.
I think I will just continue with “the Minister”—or Claire, depending on the circumstances under which we meet.
Secondly, the hon. Member for Kilmarnock and Loudoun mentioned that he is a man of few words. I may well be a man of even fewer words today, because I am suffering somewhat, and my voice may not last for the whole proceedings. That could be a great boon for the Committee.
My hon. Friend is making an important point. To sum it up, the big six are both generators and retailers. The case is that they generate energy, sell it to themselves and then sell it on to us, without us really being clear about what the true price is. But does he agree that the advantage of a more transparent pool is for those independent generators to have a marketplace in which they can sell their energy, as well as those smaller retailers that would like to operate in a much more open and transparent way? I am glad to say that that was the policy when I was shadow Secretary of State for Energy and Climate Change. If, like other policy areas, it seems to be more popular these days, more strength to his elbow.
I thank my right hon. Friend for that encapsulation of how the pool works and for her important point that a pool system would allow independent generators to trade on exactly the same basis as those vertically integrated generators, and, equally importantly, independent retailers bidding into the market would be able to bid in transparently, on the basis that they would know what the price was at that particular point. There would be hands on the table and the price would be clear for everybody. The whole trading process would be thoroughly transparent, to the particular advantage of how the market works in its new incarnation as a large number of independent retailers and generators operating alongside the more integrated generators and those large inheritors of customers from, essentially, the days of the Central Electricity Generating Board.
I am not sure that I am that enthusiastic about this idea for further intervention, on two grounds. First, the big six are increasingly separating out their supply and generation businesses, because it makes commercial sense for them to do so, and I am therefore not sure that we are tackling a problem that will continue to exist. Secondly and more importantly, in one of the most successful green finance models that is coming through the cheapest cost of capital tends to be when generation is built with a contract directly to a supplier. I wonder if the hon. Gentleman has considered what impact this measure might have on that very cheapest cost of capital that seems to be available for quite significant amounts of generation capacity coming onstream.
I will make two points in response. I hope that the hon. Gentleman will be enthused by the merits of the pool when he looks into it—knowing, as I do, how deeply he does look into these matters on a regular basis. Although it is true that a number of companies are dividing themselves in different ways from the model that there used to be, it is by no means clear that in the complete vertical integration of those companies those divisions all face in one direction. In some instances, such as the recent merger of SSE and Innogy, retail has been put together in one company. In other instances, companies are breaking themselves up into what might be called a good company and a bad company, in terms of the different forms of generation, without distinguishing between vertical integration and generation. Indeed, there are further moves abroad. For example, E.ON in Germany has effectively taken over elements of Innogy, which may have effects back on SSE and Innogy in the UK. A variety of things are happening in the market, some of which point towards different forms of vertical integration and some of which, as the hon. Gentleman says, point in the direction of demerger.
That is not necessarily the central point about how a pool operates. Even if there are circumstances under which there is rather less vertical integration, the fact that the pool is bringing complete transparency on all trades to the table means that everybody in the market is absolutely on the same level as far as both those trades and the retail element, whereby people are bidding in, are concerned. As the hon. Gentleman knows, a number of newer companies will largely be bidding into the day-ahead market. They may be considerably disadvantaged in not knowing what has happened with trades down the curve when bidding into that market. Having that transparency right across the piece is, in principle, a very powerful lever to ensure that the market works well regarding retail trading.
Secondly, the pool system is not a fanciful notion that some people might think is a good idea but that has never worked in practice. Probably the most successful trading arrangement in Europe at the moment is Nord Pool, which does precisely this across the whole of Scandinavia. It does not have the negative effects that the hon. Member for Wells suggests it might in terms of cost of capital and investment, but stabilises that market across the whole of Scandinavia and produces transparency across borders.
In any event, a pool system is something that this we ought to look at for this country. What this amendment does is rather less than that. It asks whether the Minister thinks that, under circumstances in which it has not been possible to frank the market for returning to competitive purposes by 2023, other instruments should be introduced to get us beyond the end of the temporary pool and out of that temporary price cap, which is what we all want. That will be on the basis that we between us will have not just done a good job of running a cap but changed how the market works, so that the cap does not have to be in place subsequently and we do not need to return to the idea of one in the future.
That is what the amendment intends to do. I think it is a relatively modest ask of the Minister. I am sure that, if she is not promoted, she will be in her post in 2023—if there is a Conservative Government. At that point, she would simply have to produce a small report setting out how the pool system might work. Then we will look to see whether we can take that forward at that point as a key measure, to ensure that competition returns to the markets after the end of the temporary price cap.
I have listened with interest to the hon. Gentleman and done a bit of research.
The first part of the amendment asks that an additional report is published setting out additional measures for competition. We had a fruitful discussion of this issue on Tuesday, and talked about the fact that there will be a comprehensive report. There is a duty on the Secretary of State to make this transparent, so it will be obvious that the conditions for competition that have been recommended by Ofgem at that point are clear. We discussed at length whether we need to specify, and the will of the Committee was that that was not the case. So the first part of the amendment is not needed, because we will have a transparent report, we will be able to see what “good” looks like—a phrase many of us have used—and we should be able to satisfy ourselves of that.
The second part of the amendment relates to pooled trading. I understand that the hon. Gentleman is a bit of an expert on that, so I felt that I should go away and look at such things. His argument is that having pooled trading arrangements could be an option that should be included in the assessment of competition, and that the report should cover that. He will know that pooled trading arrangements were in place historically. Indeed, I believe it was the first Blair Government that removed those conditions.
The hon. Gentleman is going to correct me on that. Good—I like a bit of correction on history.
The Minister is absolutely right that there was a pooled system in place, but it was a one-way pool, not a two-way pool. Furthermore, there were only two generating companies at that time, so the circumstances were very different, and it was not a full pool in any event.
I accept that helpful piece of information. But when it was cancelled and replaced with alternative arrangements, the real issue was that prices did not fall as far as they should. The rocket and feathers effect was in full cry. I have not been able to find a pub called “The Rocket and Feathers” anywhere in the country, so we cannot go out and celebrate the successful passage of the Bill with a drink in an aptly named pub. However, the new arrangements were put in place back in 2001 and extended in 2005.
The CMA, in its very comprehensive review of market competition, compared the principle of bilateral trading relationships, which the hon. Gentleman has eloquently expounded, with a pool approach. Its view was that the evidence did not support a move to such a pooling system, primarily because there is sufficient liquidity in the market—Ofgem reviews the liquidity arrangements—and there is price transparency for all the pool participants already. The CMA’s conclusion was that if we all accept that we need to move to a more competitive market, the evidence does not suggest a move to bilateral pooled trading relationships.
I have set out that Ofgem has wide powers to say what “good” looks like, on the basis of which it will make its recommendation to the Secretary of State about whether the cap should be lifted. I think that covers the first part of the amendment. I am persuaded by the CMA’s report that, given that the arrangements are working, there is insufficient merit in examining the merits of the pooled market, and there would not be sufficient gain from introducing that system. It should not be a specific requirement, as detailed by the clause.
There may be other opportunities to debate this structural point. On the point made by the right hon. Member for Don Valley when discussing the previous amendment, I hope that there will be opportunities over the next few years to talk in depth about what other arrangements need to be made in the market to improve the efficiency of the entire supply chain. However, hopefully in this case the hon. Member for Southampton, Test will consider withdrawing his amendment, as it is not needed in the Bill at this time.
I am not persuaded that this notion is not needed in the Bill in the eventuality of the cap going to 2023. However, I am reasonably persuaded that it would not be a good idea to press the amendment to a Division this morning, because the purpose of the amendment was essentially to allow us to debate the question of the possibility of a pool. I have not persuaded the Minister this morning that it would be a good idea for future trading arrangements. However, given the assiduous work that she has already done in looking at how a pool might work, I hope that she will continue with her studies, and will perhaps be persuaded in the fullness of time that it is actually a rather good idea for the long term, and ought to be pursued—if not by this Government, then by the next. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 8 ordered to stand part of the Bill.
Clause 9
Consequential modification of standard supply licence conditions
Question proposed, That the clause stand part of the Bill.
I am not going to delay the Committee on non-controversial clauses, but I feel it is important to state briefly the purpose of each clause, so that we are all clear in supporting them. Clause 9 gives Ofgem the power to modify the standard supply licence conditions after the tariff cap ceases to have effect under clause 8. On the point made by hon. Member for Kilmarnock and Loudoun, we are giving the regulator powers, as it sees fit, beyond the extension of the price cap, to modify the licence as it has already. The effect is that Ofgem can continue to modify the standard supply licence conditions as it deems appropriate, following the removal of the tariff cap, but of course those modifications must be published and it must state their potential impacts.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
Clause 10
Amendments of the Utilities Act 2000
Question proposed, That the clause stand part of the Bill.
This is simply a clause containing a whole load of technical gubbins. I commend it to the Committee.
It is a pity we cannot have that sort of debate on every clause.
Question put and agreed to.
Clause 10 accordingly ordered to stand part of the Bill.
Clause 11
Interpretation
Question proposed, That the clause stand part of the Bill.
This clause is a lot of definitional gubbins. It is extremely important—I do not wish in any way to reduce the hard work of the Bill drafting committee—but it does not require a long speech.
Question put and agreed to.
Clause 11 accordingly ordered to stand part of the Bill.
Clause 12
Extent and commencement
Question proposed, That the clause stand part of the Bill.
This clause confirms the geographical extent of the Bill. It will come into force in England, Wales and Scotland, but not Northern Ireland. I am sure the Committee knows that there are separate arrangements for energy supply in Northern Ireland, including existing price controls on incumbent suppliers. We have made reference to that cap in our debates. The Act will come into force on the day it is passed, to make sure that we achieve the crucial momentum in the implementation period.
Question put and agreed to.
Clause 12 accordingly ordered to stand part of the Bill.
Clause 13 ordered to stand part of the Bill.
New Clause 2
Duty to consider the needs of customers in rural areas
“(1) When exercising its duties under section 1, the Authority must have regard to the need to protect customers in rural areas.
(2) When exercising their duties under sections 7 and 8, the Authority and the Secretary of State must have regard to—
(a) whether effective competition exists for customers in rural areas, and
(b) additional protection in place for customers in rural areas.”.—(Alan Brown.)
This new clause requires the Secretary of State and the Authority to have regard for customers in rural areas when exercising their powers in setting, reviewing and terminating the cap.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
We know that part of the problem with existing tariffs is that certain groups of people are more likely to be adversely affected. New clause 2 would make the duty to consider the needs of customers in rural areas absolutely explicit. To recap what I think we are all aware of, people who reside in rural areas are more likely to have lower incomes; they are more likely to be off the gas grid, which leads to overall higher energy costs; and, particularly in Scotland, they are more likely to have properties that are much more difficult to make energy-efficient, thereby increasing their ongoing energy costs.
Digital connectivity is an issue predominantly in rural issues, which means that is difficult to undertake regular switching. Rural areas also still suffer from notspots for mobile coverage, which is an impediment to getting a smart meter. If we really believe that smart meters will help revolutionise the market and help people get lower tariffs, we need to eliminate the notspots. The Scottish Government have just announced a £25 million fund to provide more coverage in rural areas, but that is perhaps not something they should need to step up to the plate on. Challenger companies are also less likely to tackle the rural issue, so the incumbents—the big six—often have almost a monopoly in some rural areas. That is another barrier to competition.
To cap it all in terms of the disadvantages for rural customers, people in the Scottish highlands and islands have to pay 4p a unit more for electricity usage. Rubbing salt into their wounds, anything generated in more rural areas has higher transmission charges placed on the generation companies, and customers in those areas pay a higher distribution levy. That is a real injustice for those in rural areas. And, of course, the Government have removed contract for difference auction capabilities for onshore wind in rural areas, which compounds the whole feeling of injustice.
The new clause would therefore require the Secretary of State and the regulator to have regard to customers in rural areas in exercising their powers when setting, reviewing and terminating the cap. The clause itself is self-explanatory. Again, I am interested to hear what the Minister has to say.
The new clause seeks to add a clause to the Bill to create duties on Ofgem and the Secretary of State to consider the needs of customers in rural areas and to consider additional protections for them.
The hon. Gentleman spoke about this on Second Reading, and many of us who represent very rural constituencies understand exactly what he is saying. I have been really pleased to learn that, in the north of Scotland, the Government have confirmed their commitment to the hydro benefit replacement scheme, which is worth an average of £41 annually per household in the region.
The hon. Gentleman will be aware that costs are in some cases the function of geography—there is this unfortunate thing that it costs more to get electricity down to certain parts of the country. In my own region, the south-west, the peninsular effect creates some unfortunate energy price increases for those living at the end of the grid, as it were. That is something we have long had to live with. I am not saying that that is acceptable, but to date it has been a function of the pricing of energy distribution.
The other issue for many of those representing rural areas, including mine, is that people rely on heating oil or liquefied petroleum gas deliveries, because we are off the grid. Not only can that be a costly proposition, given the spike in heating oil prices, but it is a problem in terms of carbon emissions. As the hon. Gentleman knows from the clean growth strategy, I am determined to phase out fossil fuel heating—not in a way that penalises existing customers—starting with new builds from 2025, and really trying to come up with cost-effective alternatives in future.
When we have the consultation on the energy company obligation, which will be happening shortly, I am minded to review how much we direct towards customers in rural areas. As the hon. Gentleman knows, and as I know only too well from my constituency, fuel poverty is not an urban phenomenon. Many of our constituents live in old homes, which are not suitable for more modern forms of energy efficiency—[Interruption.] My hon. Friend the Member for Hitchin and Harpenden is putting up his hand to say that his house is like that. These homes are a problem, particularly for those on low incomes; in my constituency the average income is well below the national average, and many of our homes are simply very old. That is why, what I would like to do with ECO, to be forthcoming, is to see how we can deliver more help to rural households and how we can focus that help more on innovation so that we can create more of a route to market for important new technologies that could help.
We have an open market in the supply of heating oil—it has been looked at, and the conclusion was that it is competitive and working. LPG customers have the LPG orders introduced by the CMA, which set a maximum contract length. Under the fuel poor network extension scheme, Ofgem sets a target for gas distribution companies to connect an additional 91,000 low-income homes to the gas grid by 2021. So there is work afoot to reduce some of the disbenefits of living in some of the most beautiful parts of the world, such as the constituency of the hon. Member for Kilmarnock and Loudoun.
I have mentioned additional help, but I suppose the question is whether we should specify in the Bill that more should be done. My argument is that the new clause is not necessary, because the Bill already explicitly requires Ofgem to protect all existing and future standard variable and default customers, including consumers in rural areas. Furthermore, Ofgem’s role as the regulator under the existing gas and electricity Acts confirms that it has a duty to protect the interests of all existing and future customers. It should specifically have regard to the interests of individuals living in rural areas, among other things.
There are already protections at various levels of the law and in the Ofgem regulations for those customers for whom the hon. Gentleman so rightly speaks. I therefore do not believe that the new clause is necessary, but I remain apprised of the issue he raised, which many of us face: how we help people who live in rural areas, who do not have the same options as those who live in urban areas, whether in terms of heating, lighting or broadband. I hope that he is content with that explanation and is minded to withdraw his new clause.
I welcome what the Minister said about ensuring that ECO is rolled out and that people who live in rural areas are prioritised. I realise that a cap in itself is not a means to an end in terms of ensuring effective competition and particularly helping people in rural areas, and that other Government policies are required to do that. Although, as the Minister said, the regulator needs to have due concern for all consumers, the new clause was intended to re-press the need for the Government and the regulator always to remember the disadvantages that people in rural areas face. It is clear that the Minister is well aware of those issues from her own constituency. For that reason, I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
New Clause 3
Assessment of extension of the tariff cap to small businesses
“(1) Within three months of the passing of this Act, the Secretary of State shall lay a report before each House of Parliament assessing the merits of extending the tariff cap to small business customers.”—(Dr Whitehead.)
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
This is a simple and brief new clause that would require the Secretary of State, immediately after the passage of the Bill, to lay a report before both Houses assessing the merits of extending the tariff cap to small business customers. I do not think I need to emphasise that the Bill’s title gives the game away about what the tariff cap will cover: the Domestic Gas and Electricity (Tariff Cap) Bill applies to domestic customers and to no one else. That rather gainsays the idea that, in many instances, small businesses have far more similarities with domestic customers than with large companies, which may have wholly different arrangements for dealing with their electricity supply—they may engage in private wires or bilateral long-term contracts, or have their own generating plant—from small businesses, which in effect hug pretty closely to the principles for domestic customers.
It seems a little invidious that the cut-off point for the price cap is the end of the domestic customer level. I am sure no hon. Member present is in this position, but it is quite possible for a very large house with multiple activities going on in it to consume a lot more electricity than a high street retailer or a small business. A number of small businesses will find that their electricity bills are not capped even though, to all intents and purposes, they are indistinguishable from domestic customers as far as their patterns of use, means of purchase and so on are concerned.
The new clause would require the Secretary of State, shortly after the Bill’s passage, to think about whether it might be appropriate to bring small businesses under the cap as it progresses, with a proper definition of which small businesses are in and which small businesses—those at the larger end—are out, so that the cap’s benefits can be extended to that particularly hard-pressed sector of the UK economy, and so that a proper relationship can be established between who is doing what so far as their energy purchases are concerned and who should benefit from a cap as a result of doing those things.
This is a simple, straightforward amendment, which I hope the Minister will consider carefully.
I am extremely interested in new clause 3. I will not delay the Committee too much, but the hon. Gentleman is absolutely right to have observed the issue faced by many small businesses. Indeed, it was observed by the last Conservative Government when they commissioned the CMA report. That report also looked at what was happening in the small business sector. It was a really important question.
As the hon. Gentleman mentioned, there is a huge variety of SMEs. They consume energy in entirely different ways and have different supply contracts. Many of them are on a domestic tariff. A question I have asked—I am not sure I know the answer—is what triggers the move from a domestic to a business tariff. If I do not have the answer by the end of this speech, I will happily write to the hon. Gentleman. It is an important question. [Interruption.] My civil servants are scribbling furiously. Of course, those businesses will be protected by the tariff.
As the hon. Gentleman mentioned, companies that are not supplied via a domestic tariff generally have fixed-term, fixed-price contracts that they negotiate through a broker, and those contracts are based on a range of different factors. In my constituency, I am aware—this has come up in the question around energy efficiency, which is a particular problem we need to try to crack with the small business sector—that many small businesses, particularly service companies, occupy premises where energy is just part of the price they pay. There are real disincentives for those landlords to shop around for a more competitive energy price, because it might reduce some of the benefit they get from selling those services as a bundle. It is an interesting question.
The CMA reviewed the small business market and found that a combination of features lead to a weak customer response. My argument on that—I have discussed this with small businesses—is that if someone is making payroll every month, looking to export to new markets and thinking about what they might have to do with the changes to our technical relationship with the EU, they do not necessarily always default to looking at energy costs, even though that might be economically rational, as electricity or power prices might be 5% of an overall cost base. According to the CMA, that weak customer response provides energy suppliers with unilateral market power over inactive customers—those words always make me feel very uncomfortable when we are talking about a supposedly competitive market.
The CMA has already recommended remedies, and those are being implemented. We have ended auto-rollover contracts with restrictions, including termination fees. That was implemented by the Energy Market Investigation (Microbusinesses) Order 2016. We are making prices more transparent, and we are having a price comparison website, which has already been implemented by the CMA through an order in June 2017. Early reports suggest that that has not been fully taken up by suppliers.
We are establishing a programme of prompts with information for consumers to engage, which is similar to the remedy for domestic customers in terms of the least engaged groups. That is ready for implementation, but no date has been set. In a similar way to what we are doing on domestic remedies, we are establishing a database of inactive customers that will be made available to rival suppliers and switching sites. Ofgem has not yet implemented that recommendation.
There has been some progress on transparency and auto-rollover contracts. The recent welcome action Ofgem announced to end back-billing beyond 12 months will also benefit small businesses and should help significantly with the cash-flow drain that a large backdated bill could cause.
Ofgem has a business consumer survey under way that we expect to get sight of this summer. It should give us more insight into the experience of business consumers. Ofgem plans to review consumer protections in the small business market.
While I invite the hon. Gentleman to withdraw the new clause on the basis that the Bill focuses on domestic customers, where we already have more information, I am extremely interested in the problem of how we might provide better customer service and pricing availability to small business customers. I am perfectly happy to commit to looking at the problem very seriously and to have a proper and open discussion, as the hon. Gentleman and I tend to do, about what more might be done. I would send a very strong signal that, if at some future point a price cap mechanism might help small businesses, that is not something I would turn away lightly.
The hon. Gentleman has re-identified an excellent problem, if you like, in the energy markets. As I said to the right hon. Member for Don Valley earlier, the Bill is part of the intention to make a competitive market work well for all consumers. I will continue to engage closely with this problem, and I hope the hon. Gentleman will be content to withdraw the new clause on that basis.
I thank the Minister for that positive response to the overall suggestion. I appreciate that the Bill sticks fairly closely to domestic tariffs, and that is perhaps how we should leave it for present purposes, but I hope that the principle that has been raised, about that almost imperceptible gap, on occasion, between where domestic tariffs finish—
I can inspire the entire Committee with the assiduousness with which my brilliant team is able to answer my questions. A company chooses the business rate. Those in commercial and retail premises have to choose a business tariff, but, of course, a home business, of which there are millions and millions, can be on a domestic tariff. In a way, there is a sort of self-selection mechanism, but if the business moves into commercial premises, it does have to default on to a business tariff. I hope that clarifies the confusion I raised.
I thank the Minister for that clarification, but it emphasises the fact that a small business may be in circumstances where it is renting part of a building or is part of a business park, the negotiation of the energy supply is out of its hands and it is paying a set amount for that electricity, but that is not done on domestic rates, even though the extent of the business means the electricity may be well within what is normally paid for by a domestic consumer.
The Minister is absolutely right to identify the issue for small businesses, and I hope that will underline the seriousness with which she will take the issue forward. She indicated that she does want to give it further thought and to look at circumstances where the point of departure may be less abrupt in the future. On that basis, with the trust that she will assiduously pursue this, I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
New Clause 4
Ongoing relative tariff differential
“(1) The Secretary of State shall, during the term of the tariff cap conditions being in place, develop, ready for implementation, a relative tariff differential.
(2) A relative tariff differential is a requirement on supply licence holders that the difference between the cheapest advertised rate and the most expensive standard variable or default rate shall be no more than a specified proportion of the cheapest advertised rate.
(3) The Authority will be responsible for setting the proportion referred to in subsection (2).
(4) The relative tariff differential shall take effect on the termination of the tariff cap conditions.”—(Dr Whitehead.)
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
This new clause is one that I feel particularly strongly about and that I hope the Minister can take on board, not necessarily with an immediate indication that the exact clause might be accepted but perhaps with an indication that she will look carefully at the principles it outlines and consider whether a similar amendment may be necessary and possible on Report. I say that partly because I appreciate that some of the wording is not what we would want to see in the final Bill. I particularly draw attention to the word “ongoing”. I am sorry that I have committed that word to paper, because it really should not exist as an English word; perhaps we can think of a better clause title. However, I want to talk briefly about what the new clause suggests.
It is worth exploring what might happen down the road when the temporary price cap ends. I am in favour of an absolute price cap rather than a relative price cap. I am listening very carefully to what my hon. Friend is saying and I have read the new clause, but may I say this to him in a friendly way? My concern is that there is a danger that what he is putting forward may inadvertently create a relative price cap and I am against that because a company could set its highest tariff very high so that, even if there were a 6% differential, it would be a differential between a high tariff and a really high tariff. I am totally at one with him on ensuring that another set of bad practices does not come in when the temporary price cap ends, but is there not a danger that that might be the unintended consequence of his new clause?
I thank my right hon. Friend for that important point about trying to look at the consequences of what may happen when the price cap ends. Indeed, the new clause considers precisely what circumstances will be in place at that point. In essence, its purpose is to require the Secretary of State to produce a report on what might happen to relative tariff differentials in the period after the price cap ends. I suggest that that may be one of the pillars of a return to reasonable market conditions when the cap ends. If that pillar and other matters relating to the market working well were in place, and had been franked by Ofgem as being in place, the relative tariff range limitation device might come into place at that point.
In those circumstances, it would make no sense for an energy company to start with a very high tariff, because it would simply lose a whole pile of customers. Indeed, in circumstances where companies have done that, for various reasons, they have bled a very large number of customers. We can see that in some of Centrica’s activities, for example. It seems to me that in circumstances where the market was otherwise working reasonably well, the market itself would determine whether companies could hoick their original offer tariff really high to take advantage of a restricted tariff level. That may simply not be a viable strategy for them to adopt under those circumstances. At the same time, however, companies that had offered a competitive tariff would not have the option of transferring customers to a non-competitive tariff if they did not switch.
That is particularly important given that all the evidence we have so far shows that, whatever we do and whatever remedies or new instruments are put in place, it is unlikely that we will ever have a market in which everyone actively switches. It is extremely likely that the system will continue to operate on the basis of a majority of people one way or another not switching and a minority of people switching, sometimes very actively. Yes, perhaps that switching would keep the market in order, but the market nevertheless would still carry a large number of people who did not switch.
In the past, people not switching has led to the maintenance of SVTs and default tariffs. Even when measures are applied, such as Ofgem’s experiments with getting people to switch on the terms of the CMA’s recommendations—a number of pilots have been carried out, including letters from energy companies or from Ofgem informing people about how they might switch —a good number of people do not switch. We have a reasonable responsibility—indeed, a duty—to consider what will happen to that body of people even after we apply all the other remedies to the market. It seems to me that this particular remedy for the period after the absolute price cap ends may actually address that issue of sticky customers continuing not to switch.
Let me give hon. Members an idea of what is happening in the market today. As we might expect, among the 60-plus companies making a tariff offer in the market, there is an upwards curve in basic tariffs. The annual cost of a dual fuel tariff ranges from about £800 to £1,200 for some of the green tariffs we discussed. If we look at those companies’ tariff ranges—I will not mention names—we see that one company that starts at the lower end with an initial tariff offer of a little over £800 has a tariff range of up to £1,150, another company that offers an initial tariff of just over £900 has a tariff range of up to £1,200, and a company that starts at just under £900 has a tariff range of up to £1,150. That indicates that, at the moment, the slope of a company’s initial tariff bears no relation to its tariff range. Indeed, some companies have very good tariff ranges—Members might be surprised to hear some of their names—whereas other companies, which Members might have a rather more benign view of, actually have huge tariff ranges. So the question of tariff range and how that may affect sticky customers is a question not just of there being bad companies doing this and good companies not doing it, but of it being reasonably endemic across the range of companies offering a relatively low initial tariff but having a very high tariff range structure in their arrangements.
I agree with the right hon. Member for Don Valley that it is absolutely right to think about what might happen when the cap goes off into the sunset, as we have done extensively. I am always interested to listen to the hon. Member for Southampton, Test but I slightly feel—unless I have misjudged this—that we are going over territory that we have covered extensively, in particular on Second Reading. We have heard many arguments about the absolute versus the relative tariff and, in effect, he is proposing a perpetual relative tariff—[Interruption.] Perpetual or ongoing, perhaps we are dancing on the head of a pin—
Okay, but there is a relative tariff or a relative cap that is ready to go. The hon. Gentleman said on Second Reading:
“It should be clear that we want this price cap to come in. We believe it should be an absolute and not a relative price cap”.—[Official Report, 6 March 2018; Vol. 637, c. 271.]
I agree with him, as does Ofgem and as does the Select Committee, which made it very clear that it felt that a relative cap would simply be gamed.
As the right hon. Member for Don Valley mentioned, there is also the problem that companies will simply lift up their skirts and raise their whole tariff. The hon. Member for Southampton, Test may say that companies would then lose their customers, but we come back to the question of whether people will actually move. Yes, companies may lose those hyper-price-sensitive switchers who are very engaged, but they may not lose the customers we are really here to help today—those who are more vulnerable and not as savvy.
The hon. Gentleman is right to say that Centrica lost more than 800,000 customers, but 650,000 of them were due to a collective switch—one big deal. So only 150,000 of a very substantial customer base, the majority of whom are still on SVTs, actually shifted, despite the price rise. The numbers are therefore not quite as unequivocal as he suggests.
He is also right to raise the issue of ongoing protection for vulnerable consumers. We will all be pleased that, regardless of the price cap, Ofgem has already introduced a safeguarding tariff for those on prepayment meters, an additional 1 million customers. Those customers have saved about £120 to date relative to what they would have paid. The tariffs that they are paying have come down relative to the uncapped SVTs on the market. That absolute cap mechanism, therefore, is working. Even when the safeguarding tariff put in place by the CMA or the price cap in the Bill comes to an end, Ofgem will continue to have the powers to take further steps to protect vulnerable customers as it sees fit.
We are all here because we want the market to be in a competitive place on the expiration of the tariff cap under the sunset clause. The hon. Member for Southampton, Test may say that that is a triumph of optimism over practicality but, in essence, if we believe the market will be more competitive and we do not believe that the relative price cap is the way to address any remaining issues of uncompetitiveness, I find it difficult to see why we should put his new clause into the Bill, running all the risks we talked about on Second Reading—which have been explained eloquently by others—of the variable tariff cap not being an effective way to establish competition. We will have had a temporary absolute cap in place. We will have sent the very clear signal. That will have operated. I can see a situation where a relative cap could undo some of that good work and we would suddenly see prices zooming upwards because there was the opportunity to do so.
I appreciate the hon. Gentleman thinking hard, as always, about what “good” will look like, and I share his desire to continue to work together on ensuring that this cap delivers, but I hope he will withdraw the new clause on the basis that it is not necessary and could have bad unintended consequences.
I simply do not accept what the Minister says about bad unintended consequences. I do not think that is realistic. Conversely, having something like this in place would be a positive driver of a return to not only good market conditions but proper protections for those operating tariff arrangements under those otherwise good market conditions. It is important that, in the ending of the absolute cap, we get both sides right. It is not just a question of the market working well. It is a question of people in that market who have disadvantageous circumstances being protected properly as it goes forward.
Would the hon. Gentleman accept that those arguments could be made today about whether we are introducing an absolute or relative cap? We have all agreed quite strongly that an absolute cap provides those protections. If he were proposing that Ofgem has an absolute cap ready to go, we could raise some of the questions we discussed earlier about future uncertainty in the market. I felt that until today we had all considered carefully, but rejected, the structure of a relative cap as a hypothesis—as opposed to an actual absolute cap, which we have—that would not deliver the results we want: vital protections for vulnerable customers.
Yes, indeed. That is why I have been pains to say that this is not a relative cap. It was not a relative cap when it was proposed, although it was branded as one, but can actually be a pillar of an instrument for market return. I do not want to pursue the new clause today; but, for reasons that the Minister and I perhaps need to talk about, it would be a good idea to bring something like it back on Report. I think we probably will. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
Question proposed, That the Chair do report the Bill to the House.
May I thank you for your wise chairmanship, Sir Edward? I also thank Ms McDonagh, who chaired the Committee on Tuesday; the Clerks of the Committee, who have kept us assiduously on the straight and the narrow; and the House staff and Hansard reporters, who always do such an amazing job.
I extend fervent thanks to all members of the Committee. We have had an extremely constructive and helpful debate and have probed many aspects of the Bill. I also thank the witnesses who gave evidence and from whose wisdom we have benefited. I think that covers it, apart from thanking my excellent civil servants for their help in drafting the Bill and their excellent answers to questions. We will continue to draw deeply from that well, but at this stage I thank everybody for taking the Bill—hopefully successfully—through Committee.
Like the Minister, I thank everyone who has taken part in this stage of the Bill’s passage. We have had a genuinely constructive debate, in which we have all been facing in the right direction. I particularly thank the Clerks for their assiduous work and for their help with tabling Opposition amendments; unfortunately we do not have an entire civil service on our side, so we must seek other help, but we have not been failed.
I hope that the Bill will now progress to its remaining stages with consensus that the tariff will be an absolute cap, and with good support from all sides of the House for the result that we all want.
Without going on for too long, may I, too, thank the Clerks and the Chair? I thank the Minister for listening—I hope—and congratulate her on her appointment to the Privy Council. Like the hon. Member for Southampton, Test, I look forward to seeing the tariff cap in place, competition in the marketplace and consumers being saved money.
On behalf of us all, I congratulate the Minister on her great honour; we are all absolutely delighted. On my own behalf and my fellow Chair’s, I thank all hon. Members who have taken part, particularly Dr Whitehead and the Minister. For an unreconstructed Thatcherite libertarian marketeer like me, it has certainly been a useful re-education camp on the benefits of intervention in the marketplace.
Question put and agreed to.
Bill accordingly to be reported, without amendment.
(6 years, 8 months ago)
Public Bill CommitteesI beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—
“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.
2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.
Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.
I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.
I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.
Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake
“a periodic review, at least every four years”
to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.
As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek
“mechanisms to facilitate the effective enforcement of legislation”.
This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must
“have regard to”
various things that happen at European Union level, including
“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.
The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.
This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?
I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.
This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.
The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would
“incorporate, with any modifications which he or she”—
that is the Information Commissioner—
“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.
There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.
I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.
Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.
However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.
Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.
We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.
It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?
I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.
I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.
From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.
The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.
The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.
My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.
The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.
Could the Bill not also put the Information Commissioner in an extraordinarily difficult position? Decisions that she may make in the future could have huge political consequences. I would be surprised if she wanted to take that on.
I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.
That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.
I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.
Question put, That the amendment be made.
I beg to move amendment 115, in schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—
“(b) in paragraph 2, for ‘Member States’ substitute ‘The Secretary of State’;
(c) after that paragraph insert—
‘3 The power under paragraph 2 may only be exercised by making regulations under section (Duty to review provision for representation of data subjects) of the 2018 Act.’”
This amendment is consequential on NC2.
With this it will be convenient to discuss the following:
Government amendments 63 to 68.
Amendment 154, in clause 183, page 106, line 24, at end insert—
“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—
(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),
(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),
(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).
(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—
(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,
(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,
(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,
(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and
(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.
(4C) Subsections (4A) and (4B)—
(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,
(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and
(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Amendment 155, in clause 205, page 120, line 38, at end insert—
“(ca) section 183 (4A) to (4C);”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Government amendments 73 and 74.
Government new clause 1—Representation of data subjects with their authority: collective proceedings.
Government new clause 2—Duty to review provision for representation of data subjects.
These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.
New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).
New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.
Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.
I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.
We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.
The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.
What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.
To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.
Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter.
I support amendment 154. We strongly recommend that if the Government are, as they claim to be, serious about providing the best possible data protection regime to achieve the gold standard that they often talk about for UK citizens, they should look again at the issue of collective redress and make provision for suitably qualified non-profit organisations to pursue data protection infringements and breaches of their own accord, as provided for by the GDPR.
The right hon. Member for Birmingham, Hodge Hill rightly said that the amendments would allow representative bodies to bring such cases, but would also allow individuals to opt out. Currently there is not a level playing field. If the Bill is not amended, the already uneven playing field will become impossibly uneven for individuals whose rights are breached or infringed—probably by a tech giant.
Collective redress was one of the most controversial and hotly debated issues when the Bill was in the House of Lords. The Government resisted all attempts to change it there. There have been slight amendments since then, and an understanding has been reached, but I feel that what the Government propose does not go nearly far enough to address the concerns expressed by Scottish National party and Labour Members.
Anna Fielder, a former chair of Privacy International, wrote:
“Weak enforcement provisions were one of the widely acknowledged reasons why the current data protection laws, in the UK and elsewhere in Europe, were no longer fit for purpose in the big data age. As a result, it has been more convenient for organisations collecting and processing personal information to break the law and pay up if found out, than to observe the law — as profits made from people’s personal information vastly outweighed even the most punitive of fines.”
That is the situation we are in, and it is incumbent on legislators to level the playing field—not to make it even more uneven. However, as the Bill currently stands, it only enables individuals to request that such suitably qualified non-profit organisations take up cases on their behalf, rather than allowing the organisations themselves to highlight where they believe a breach of data protection law has occurred.
All too often, as has been pointed out on numerous occasions, individuals are the last people to know that their data has been unlawfully and in many cases illegally used. They depend on suitably qualified non-profit organisations, which are there to conduct independent research and investigations, to inform them that that is the case. Indeed, there was a very striking example recently in Germany, where the consumer federation took one of the tech giants to court over a number of platform breaches of current German data protection law, and it won. However, there are numerous examples across the world of organisations and groups highlighting bad or illegal practices that would hitherto probably have gone unnoticed here.
Privacy International recently published a report on the use and possible abuse of personal data connected to the rental car market. Which? has carried out research on online toys that are widely available in this country, which could pose serious child safety risks. The Norwegian consumer council has done similar work on toys, as well as exposing unlawful practices by health and dating apps.
Across the world, there are groups that do collective redress work very successfully in Belgium, Italy, Portugal, Spain, Sweden, Canada and Australia. I urge the Government to reconsider the matter and to see the great consumer benefits and protections that would come from accepting amendment 154. It would give not-for-profit organisations the right to launch complaints with a supervisory authority, as well as seeking judicial remedy, when it considered that the rights of a data subject under the GDPR had been breached.
I repeat that at the moment we have an uneven playing field. If the Bill goes through unamended it will become an impossible playing field for consumers, so I urge the Government to accept the amendment.
I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses was correct between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.
It is a pleasure to serve under your chairmanship, Mr Streeter. We have had three excellent speeches already in support of amendments 154 and 155, so I will not try to replicate them. As the right hon. Member for Birmingham, Hodge Hill said, this is one of the pivotal debates on the Bill. I would like to be positive, but all I can bring myself to say about the Government’s new clause and amendments is that they are marginally better than nothing. However, they do not go far enough and they will leave the UK significantly behind other EU countries in terms of collective redress and the pursuit of the gold standard of data protection. They will leave the Bill falling short of what the Government themselves promised on effective redress.
Only amendments 154 and 155 will provide a comprehensive opt-out regime and enable adults and children who are victims of data breaches properly to vindicate their rights to proper protection of their personal data. The amendments will provide a mechanism whereby serious breaches of data protection, which can affect the most vulnerable in society, are seriously addressed and result in real change that will benefit thousands if not millions of consumers across the UK.
The Bill provides a hugely significant opportunity to legislate for a cost-effective and efficient mechanism for redress in cases of mass data breaches, which we all know are increasingly common and which the Information Commissioner’s Office has limited resources to deal with. The measure is essential to make the Bill fit for purpose and I wholeheartedly support both amendments.
Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.
I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.
Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.
Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?
The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—
It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?
If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.
There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.
As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.
There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.
Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.
Does the Minister not accept, as I said earlier, that individuals are often the last people to know that their data has been breached and their rights have been infringed? For collective rights in hugely complicated areas, there must be a presumption that those rights are protected, and the Bill does not do that. I do not believe it reflects the principle that individuals are often the last people to know, and that they are the ones who need protecting.
The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.
The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.
I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.
If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.
The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.
As I said, we will deal with the Opposition amendments later in our proceedings.
Amendment 115 agreed to.
Schedule 6, as amended, agreed to.
Clauses 23 and 24 ordered to stand part of the Bill.
Clause 25
Manual unstructured data used in longstanding historical research
Amendment made: 17, in clause 25, page 15, line 40, leave out “individual” and insert “data subject”.—(Margot James.)
Clause 25 makes provision about the processing of manual unstructured data used in longstanding historical research. This amendment aligns Clause 25(1)(b)(i) with similar provision in Clause 19(2).
Clause 25, as amended, ordered to stand part of the Bill.
Clause 26
National security and defence exemption
Question proposed, that the clause stand part of the Bill.
It is a pleasure to serve under your chairmanship once again, Mr Streeter. I think it was about 18 months ago that we were in this very room, debating the Bill that became the Digital Economy Act 2017. We discussed at length the trade-off between the rights of data subjects, privacy, transparency and the need for Government access to data. In that context we were debating the rights of viewers of online pornography, rather than matters of national security. I note that the Government have had to delay the introduction of the regulations, because they failed to get to grips with the issues that we raised in Committee. I do not envy the new Minister, or, indeed, my right hon. Friend the shadow Minister, their task of attempting to get things right. It was one of the low points of my political career when I had to negotiate with the present Secretary of State for Digital, Culture, Media and Sport on what sexual acts would be blocked. I wish them both luck in taking the matter forward, and am glad I am dealing only with national security issues in the Bill that we are considering today.
As we come to crucial clauses that give Ministers and the security services a great deal more latitude, it is important for the Opposition to lay out key principles on national security certificates. Of course we support the legitimate interests of the intelligence services, as dictated by their statutory functions, including the safeguarding of national security. Of course we recognise that protecting citizens from harm often means striking a difficult balance between operational requirements and the rights of individuals who may fall within the scope of the investigations. We know that the security services take that seriously.
It is the Opposition’s duty, however, to scrutinise the Government’s approach, to ensure that any powers that explicitly allow the setting aside of citizens’ data rights under the Bill are proportionate and necessary, and that they will be overseen through appropriate safeguards. Clauses 26 and 27 provide for a national security certification regime allowing restriction of and exemption from a wide range of rights under the GDPR and the Bill on the basis of national security, and for defence purposes.
The Government state that national security falls outside the scope of EU law and, therefore, the GDPR, and that therefore any processing of personal data relating to national security will be governed by the applied GDPR. Article 4(2) of the treaty on the European Union provides that national security remains the sole responsibility of each member state. Despite that, EU data protection legislation provides for derogations for national security. If national security were entirely outside the scope of the EU treaty, such derogations would be unnecessary, so, as the Joint Committee on Human Rights argued, the provisions imply the retention of some level of EU scrutiny over derogations from EU data protection rights on the grounds of national security. It is thus not at all clear that the Government’s assertions about blanket national security exemptions are correct.
Furthermore, there is no clear definition of which entities will be covered by the extremely broad exemptions under subsection 1, which refers to “national security” and “defence purposes”. I am concerned that a measure allowing broad exemptions to the rights of citizens does not stipulate which entities will be entitled to jettison those rights. As was debated at length in the other place, there are no clear definitions of national security, or of the extended exemption for defence purposes, which goes beyond the Data Protection Act 1998, in the Bill or the explanatory notes. As the right hon. and learned Member for Rushcliffe (Mr Clarke) remarked during the passage of the Investigatory Powers Act 2016,
“National security can easily be conflated with the policy of the Government of the day.”—[Official Report, 15 March 2016; Vol. 607, c. 850.]
As the Joint Committee on Human Rights concluded,
“it is unclear why the authorities require such a breadth of exemptions from their obligations under the data protection regime.”
Before we move on to discuss our amendments to clause 26, I should be grateful if the Minister could assure us about the definitions of “national security” and “defence purposes” and in particular which entities they apply to.
It is a pleasure to serve under your chairmanship, Mr Streeter. Clause 26 creates an exemption for certain provisions in the Bill only if that exemption is required for the purpose of safeguarding national security or for defence purposes. Where processing does not meet these tests, the exemption cannot apply. It is possible to exempt from most but not all the data protection principles the rights of data subjects, certain obligations on data controllers and processors, and various enforcement provisions, where required to safeguard national security or for defence purposes. In relation to national security, the exemption mirrors the existing national security exemption provided for in section 28 of the 1998 Act. The statutory framework has long recognised that the proportionate exemptions from the data protection principles and the rights of data subjects are necessary to protect national security. The Bill does not alter that position.
The exemption for defence purposes is intended to ensure the continued protection, security and capability of our armed forces and of the civilian staff who support them—not just their combat effectiveness, to use the outdated language of the 1998 Act. In drafting this legislation, we concluded that this existing exemption was too narrow and no longer adequately captured the wide range of vital activities that are undertaken by the Ministry of Defence and its partners. We have seen that all too obviously in the last two weeks.
If the right hon. Gentleman is going to disagree with me that combat effectiveness would be a very narrow term to describe the events in Salisbury, of course I will give way.
I actually wanted to ask about interpreters who support our armed forces. There is cross-party consensus that sometimes it is important to ensure that we grant leave to remain in this country to those very brave civilians who have supported our armed forces abroad as interpreters. Sometimes, those claims have been contested by the Ministry of Defence. Is the Minister confident and satisfied that the Ministry of Defence would not be able to rely on this exemption to keep information back from civilian staff employed as interpreters in support of our armed forces abroad when they seek leave to remain in this country?
I cannot possibly be drawn on individual applications for asylum. It would be wholly improper for me to make a sweeping generalisation on cases that are taken on a case-by-case basis. I refer back to the narrow definition that was in the 1998 Act and suggest that our enlarging the narrow definition of combat effectiveness would mean including the civilian staff who support our brave troops.
The term “defence purposes” is intended to be limited in both application and scope, and will not encompass all processing activities conducted by the Ministry of Defence. Only where a specific right or obligation is found to incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. The Ministry of Defence will continue to process personal information relating to both military and civilian personnel in a secure and appropriate way, employing relevant safeguards and security in accordance with the principles of the applied GDPR. It is anticipated that standard human resources processing functions such as the recording of leave and the management of pay and pension information will not be covered by the exemption.
I am sorry to press the Minister on this point, and she may want to write to me as a follow-up, but I think Members on both sides of the House have a genuine interest in ensuring that interpreters who have supported our troops abroad are able to access important information, such as the terms of their service and the record of their employment, when making legitimate applications for leave to remain in this country—not asylum—or sometimes discretionary leave.
I am very happy to write to the right hon. Gentleman about that. The exemption does not cover all processing of personal data by the Ministry of Defence, but I am happy to write to him on that subject.
It may assist the Committee if I give a few examples of processing activities that might be considered to fall into the definition of defence purposes requiring the protection of the exemption. Such processing could include the collation of personal data to assist in assessing the capability and effectiveness of armed forces personnel, including the performance of troops; the collection and storage of information, including biometric data necessary to maintain the security of defence sites, supplies and services; and the sharing of data with coalition partners to support them in maintaining their security capability and the effectiveness of their armed forces. That is not an exhaustive list. The application of the exemption should be considered only in specific cases where the fulfilment of a specific data protection right or obligation is found to put at risk the security capability or effectiveness of UK defence activities.
The hon. Member for Sheffield, Heeley asked for a definition of national security. It has been the policy of successive Governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies’ ability to protect the UK from new and emerging threats. For example, only a few years ago it would have been very difficult to predict the nature or scale of the threat to our national security from cyber-attacks.
Clause 26 does not provide for a blanket exemption. It can be applied only when it is required to safeguard national security or for defence purposes.
What weight does the Minister give to the written evidence that the Committee received from the Information Commissioner’s Office? It is obviously expert on this issue, and it addresses some of the points she made. It concludes that there is no threshold for when “defence purposes” are to be used, and that there is no guidance
“for when it is appropriate to rely on the exemption.”
What weight does the Minister give to that, and what is her response to the concern raised by the Information Commissioner’s Office?
Again, surely it is for the Executive—elected officials—to take responsibility for decisions that are made by data controllers in the Ministry of Defence. Obviously, the Department has considered the Information Commissioner’s representations, but this is not a blanket exemption. The high threshold can be met only in very specific circumstances.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27
National security: certificate
I beg to move amendment 161, in clause 27, page 17, line 2, leave out subsection (1) and insert—
“A Minister of the Crown must apply to a Judicial Commissioner for a certificate, if exemptions are sought from specified provisions in relation to any personal data for the purpose of safeguarding national security.”
This amendment would introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a National Security Certificate.
With this it will be convenient to discuss the following:
Amendment 162, in clause 27, page 17, line 5, at end insert—
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what it sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing”
and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(a) Chapter II of the applied GDPR (principles)—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.
With our amendments we seek to provide some oversight of and protections against the very broad definitions in this part of the Bill. I am afraid we are not content with the Minister’s assertions in her response on the previous clause.
As they currently stand, national security certificates give Ministers broad powers to remove individuals’ rights with absolutely no oversight. If this is a matter for the Executive, as the Minister has just said, they must be subject to oversight and accountability when making such decisions, and as it stands there is absolutely none at all. The rights at risk from the exemption are the right to be informed when personal data is collected from individuals, which is in article 13 of the GDPR; the right to find out whether personal data against them is being processed, in article 15; and the right to object to automated decision making, in articles 21 and 22. Furthermore, the Information Commissioner’s inspection, authorisation and advisory powers are set aside, which is why she and her office raised concerns, as my hon. Friend the Member for Cambridge set out.
It is not difficult to envisage examples of why those exemptions may be necessary. The Minister has laid some of them out: for instance, during the course of an ongoing national security investigation, the right of an individual to be informed that their data is being processed would not be appropriate. With these exemptions, there will inevitably be a need for appropriate safeguards to protect the rights of citizens. We are not yet convinced that the Bill contains them. That is what these amendments seek to tackle.
It may come as no surprise that I rise to speak in support of amendments 161 to 169. They are intended to challenge the Government’s plan to introduce a national security certification regime that will allow the restriction of and exemptions from a wide range of fundamental rights on the basis of national security and defence. Although it is absolutely right that, as a country, the UK has the ability to act in its own national security interest, I and many others are worried that the scale and scope of what is proposed in the Bill goes much further than the 1998 Act by widening the national security definition to include a further and, I would suggest, undefined range of defence purposes.
The Minister gave three or four examples earlier, but stressed that it was not an exhaustive list. Given the broad and indefinite nature of those national security exemptions, we are concerned that they do not meet the test of being both necessary and proportionate. How much confidence can we have that an individual’s fundamental rights will be best protected when the exemptions will be signed off by a Government Minister with little or no judicial oversight? It is also concerning that there appears to have been little or no attention to the harmful impact of exempting vast amounts of information from data protection safeguards by relying upon national security certificates.
As we heard earlier, the list of rights that are exempted, set out in clause 26, includes the right to be informed when data is being collected, the right to find out when personal data is being processed and the right to object to automated decision making. Those exemptions are to be exercised by a certificate, which, as I say, will be signed by a Minister, who will certify that an exemption from those rights and obligations is necessary for the purpose of safeguarding national security.
That means that, as the Bill is currently drafted, people’s rights could be removed by a politician without any form of judicial oversight. That cannot be right. We would argue most strongly that there has to be judicial oversight of any such decision, to prevent the removal of individual data protection rights from being permitted purely at the say-so of a Government Minister. I ask the Minister, how do the Government define national security and defence purposes in the context of the Bill? I certainly was not satisfied with the explanation we heard earlier on. I believe that these undefined terms are unnecessarily open-ended and broad, and open to vague interpretation. They could very well result in the removal of an individual’s rights unnecessarily. The lack of a clear definition of national security and defence purposes also means that people will be unable to foresee or understand when their rights will be overridden by the application of these exemptions. Surely that is incompatible with an individual citizen’s fundamental rights.
These exemptions, on the surface, are not limited to the UK’s intelligence and security services. As we heard when debating part 2 of the Bill, which deals with general processing, they broadly permit public authorities, and even private corporations on occasion, to invoke national security and defence as a reason to cast aside privacy rights. Can the Minister explain if, how, and under what circumstances a public authority or private company could invoke national security and defence as a reason to cast aside privacy rights?
That brings me to necessity and proportionality, which are fundamental principles when looking at exemptions from data protection, and which will be examined extremely closely by the European Commission and its legal team when it decides on the UK’s suitability for adequacy after Brexit. The principles of necessity and proportionality are enshrined in the European convention on human rights. A Minister must take them into account when they consider restricting or limiting an individual’s rights, such as those under article 8, the right to privacy.
As the Bill stands, no conditions or tests are imposed on a Minister’s decision to withdraw an individual’s personal data protection rights by issuing a national security certificate. There is no limitation on how a national security certificate should run or how long it should operate for. There is no obligation to review the ongoing necessity of having a live certificate. In effect, a certificate is open-ended and indefinite. My concern is that that may allow the state to use a certificate for activities for which it was not considered relevant or appropriate by the Minister when it was first issued or signed.
That loophole cannot be considered proportionate or necessary. The certificates have to be time-limited. That does not mean that once a certificate has expired it cannot be re-certified, but it would ensure that certificates that are no longer necessary or that have been used beyond their original remit do not continue indefinitely. Perhaps the Minister could explain why she thinks such a system could not work, and why it would not be in the best interest of the state and of protecting an individual’s rights.
As with everything we do, including everything we have done in this area in the past couple of years, the Bill has to be seen against the backdrop of Brexit. Not only do we have to comply with the GDPR, but we have to do so in a way that means the United Kingdom will achieve the vital, much sought after adequacy decision from the European Commission. We also have to keep our laws consistent with EU law to maintain that adequacy status. I fear that the widespread use of exemptions and, perhaps more worryingly, the undefined range of defence purposes could deal a severe blow to the UK achieving an adequacy decision from the European Commission.
Can the Minister tell me whether the Government have been given cast-iron guarantees that the new and undefined range of defence purposes will be consistent with EU law, to allow us not just to achieve adequacy but to maintain adequacy post Brexit?
I will call the Minister to respond, but before she responds to that point, she wishes to correct the record in relation to a previous point, which I am happy to permit.
On reflection, I would not wish the hon. Member for Cambridge to understand my earlier answer to mean that a Minister makes a decision on defence purposes. I apologise to him if that was not clear. It is the data controller at the Ministry of Defence who makes that decision. The data controller is accountable to Ministers and in due course to domestic courts. I hope that clarifies that.
It is up to the Committee what time we adjourn for lunch, of course, and the Minister may wish to speak quite rapidly.
Much as I would like the Minister to speak rapidly, I will move the Adjournment.
Ordered, That the debate be now adjourned.—(Nigel Adams.)
(6 years, 8 months ago)
Public Bill CommitteesI beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—
“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.
2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.
Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.
I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.
I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.
Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake
“a periodic review, at least every four years”
to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.
As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek
“mechanisms to facilitate the effective enforcement of legislation”.
This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must
“have regard to”
various things that happen at European Union level, including
“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.
The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.
This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?
I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.
This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.
The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would
“incorporate, with any modifications which he or she”—
that is the Information Commissioner—
“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.
There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.
I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.
Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.
However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.
Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.
We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.
It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?
I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.
I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.
From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.
The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.
The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.
My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.
The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.
Could the Bill not also put the Information Commissioner in an extraordinarily difficult position? Decisions that she may make in the future could have huge political consequences. I would be surprised if she wanted to take that on.
I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.
That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.
I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.
Question put, That the amendment be made.
I beg to move amendment 115, in schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—
“(b) in paragraph 2, for ‘Member States’ substitute ‘The Secretary of State’;
(c) after that paragraph insert—
‘3 The power under paragraph 2 may only be exercised by making regulations under section (Duty to review provision for representation of data subjects) of the 2018 Act.’”
This amendment is consequential on NC2.
With this it will be convenient to discuss the following:
Government amendments 63 to 68.
Amendment 154, in clause 183, page 106, line 24, at end insert—
“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—
(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),
(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),
(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).
(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—
(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,
(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,
(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,
(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and
(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.
(4C) Subsections (4A) and (4B)—
(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,
(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and
(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Amendment 155, in clause 205, page 120, line 38, at end insert—
“(ca) section 183 (4A) to (4C);”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Government amendments 73 and 74.
Government new clause 1—Representation of data subjects with their authority: collective proceedings.
Government new clause 2—Duty to review provision for representation of data subjects.
These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.
New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).
New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.
Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.
I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.
We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.
The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.
What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.
To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.
Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter.
I support amendment 154. We strongly recommend that if the Government are, as they claim to be, serious about providing the best possible data protection regime to achieve the gold standard that they often talk about for UK citizens, they should look again at the issue of collective redress and make provision for suitably qualified non-profit organisations to pursue data protection infringements and breaches of their own accord, as provided for by the GDPR.
The right hon. Member for Birmingham, Hodge Hill rightly said that the amendments would allow representative bodies to bring such cases, but would also allow individuals to opt out. Currently there is not a level playing field. If the Bill is not amended, the already uneven playing field will become impossibly uneven for individuals whose rights are breached or infringed—probably by a tech giant.
Collective redress was one of the most controversial and hotly debated issues when the Bill was in the House of Lords. The Government resisted all attempts to change it there. There have been slight amendments since then, and an understanding has been reached, but I feel that what the Government propose does not go nearly far enough to address the concerns expressed by Scottish National party and Labour Members.
Anna Fielder, a former chair of Privacy International, wrote:
“Weak enforcement provisions were one of the widely acknowledged reasons why the current data protection laws, in the UK and elsewhere in Europe, were no longer fit for purpose in the big data age. As a result, it has been more convenient for organisations collecting and processing personal information to break the law and pay up if found out, than to observe the law — as profits made from people’s personal information vastly outweighed even the most punitive of fines.”
That is the situation we are in, and it is incumbent on legislators to level the playing field—not to make it even more uneven. However, as the Bill currently stands, it only enables individuals to request that such suitably qualified non-profit organisations take up cases on their behalf, rather than allowing the organisations themselves to highlight where they believe a breach of data protection law has occurred.
All too often, as has been pointed out on numerous occasions, individuals are the last people to know that their data has been unlawfully and in many cases illegally used. They depend on suitably qualified non-profit organisations, which are there to conduct independent research and investigations, to inform them that that is the case. Indeed, there was a very striking example recently in Germany, where the consumer federation took one of the tech giants to court over a number of platform breaches of current German data protection law, and it won. However, there are numerous examples across the world of organisations and groups highlighting bad or illegal practices that would hitherto probably have gone unnoticed here.
Privacy International recently published a report on the use and possible abuse of personal data connected to the rental car market. Which? has carried out research on online toys that are widely available in this country, which could pose serious child safety risks. The Norwegian consumer council has done similar work on toys, as well as exposing unlawful practices by health and dating apps.
Across the world, there are groups that do collective redress work very successfully in Belgium, Italy, Portugal, Spain, Sweden, Canada and Australia. I urge the Government to reconsider the matter and to see the great consumer benefits and protections that would come from accepting amendment 154. It would give not-for-profit organisations the right to launch complaints with a supervisory authority, as well as seeking judicial remedy, when it considered that the rights of a data subject under the GDPR had been breached.
I repeat that at the moment we have an uneven playing field. If the Bill goes through unamended it will become an impossible playing field for consumers, so I urge the Government to accept the amendment.
I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.
It is a pleasure to serve under your chairmanship, Mr Streeter. We have had three excellent speeches already in support of amendments 154 and 155, so I will not try to replicate them. As the right hon. Member for Birmingham, Hodge Hill said, this is one of the pivotal debates on the Bill. I would like to be positive, but all I can bring myself to say about the Government’s new clause and amendments is that they are marginally better than nothing. However, they do not go far enough and they will leave the UK significantly behind other EU countries in terms of collective redress and the pursuit of the gold standard of data protection. They will leave the Bill falling short of what the Government themselves promised on effective redress.
Only amendments 154 and 155 will provide a comprehensive opt-out regime and enable adults and children who are victims of data breaches properly to vindicate their rights to proper protection of their personal data. The amendments will provide a mechanism whereby serious breaches of data protection, which can affect the most vulnerable in society, are seriously addressed and result in real change that will benefit thousands if not millions of consumers across the UK.
The Bill provides a hugely significant opportunity to legislate for a cost-effective and efficient mechanism for redress in cases of mass data breaches, which we all know are increasingly common and which the Information Commissioner’s Office has limited resources to deal with. The measure is essential to make the Bill fit for purpose and I wholeheartedly support both amendments.
Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.
I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.
Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.
Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?
The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—
It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?
If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.
There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.
As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.
There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.
Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.
Does the Minister not accept, as I said earlier, that individuals are often the last people to know that their data has been breached and their rights have been infringed? For collective rights in hugely complicated areas, there must be a presumption that those rights are protected, and the Bill does not do that. I do not believe it reflects the principle that individuals are often the last people to know, and that they are the ones who need protecting.
The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.
The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.
I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.
If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.
The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.
As I said, we will deal with the Opposition amendments later in our proceedings.
Amendment 115 agreed to.
Schedule 6, as amended, agreed to.
Clauses 23 and 24 ordered to stand part of the Bill.
Clause 25
Manual unstructured data used in longstanding historical research
Amendment made: 17, in clause 25, page 15, line 40, leave out “individual” and insert “data subject”.—(Margot James.)
Clause 25 makes provision about the processing of manual unstructured data used in longstanding historical research. This amendment aligns Clause 25(1)(b)(i) with similar provision in Clause 19(2).
Clause 25, as amended, ordered to stand part of the Bill.
Clause 26
National security and defence exemption
Question proposed, that the clause stand part of the Bill.
It is a pleasure to serve under your chairmanship once again, Mr Streeter. I think it was about 18 months ago that we were in this very room, debating the Bill that became the Digital Economy Act 2017. We discussed at length the trade-off between the rights of data subjects, privacy, transparency and the need for Government access to data. In that context we were debating the rights of viewers of online pornography, rather than matters of national security. I note that the Government have had to delay the introduction of the regulations, because they failed to get to grips with the issues that we raised in Committee. I do not envy the new Minister, or, indeed, my right hon. Friend the shadow Minister, their task of attempting to get things right. It was one of the low points of my political career when I had to negotiate with the present Secretary of State for Digital, Culture, Media and Sport on what sexual acts would be blocked. I wish them both luck in taking the matter forward, and am glad I am dealing only with national security issues in the Bill that we are considering today.
As we come to crucial clauses that give Ministers and the security services a great deal more latitude, it is important for the Opposition to lay out key principles on national security certificates. Of course we support the legitimate interests of the intelligence services, as dictated by their statutory functions, including the safeguarding of national security. Of course we recognise that protecting citizens from harm often means striking a difficult balance between operational requirements and the rights of individuals who may fall within the scope of the investigations. We know that the security services take that seriously.
It is the Opposition’s duty, however, to scrutinise the Government’s approach, to ensure that any powers that explicitly allow the setting aside of citizens’ data rights under the Bill are proportionate and necessary, and that they will be overseen through appropriate safeguards. Clauses 26 and 27 provide for a national security certification regime allowing restriction of and exemption from a wide range of rights under the GDPR and the Bill on the basis of national security, and for defence purposes.
The Government state that national security falls outside the scope of EU law and, therefore, the GDPR, and that therefore any processing of personal data relating to national security will be governed by the applied GDPR. Article 4(2) of the treaty on the European Union provides that national security remains the sole responsibility of each member state. Despite that, EU data protection legislation provides for derogations for national security. If national security were entirely outside the scope of the EU treaty, such derogations would be unnecessary, so, as the Joint Committee on Human Rights argued, the provisions imply the retention of some level of EU scrutiny over derogations from EU data protection rights on the grounds of national security. It is thus not at all clear that the Government’s assertions about blanket national security exemptions are correct.
Furthermore, there is no clear definition of which entities will be covered by the extremely broad exemptions under subsection 1, which refers to “national security” and “defence purposes”. I am concerned that a measure allowing broad exemptions to the rights of citizens does not stipulate which entities will be entitled to jettison those rights. As was debated at length in the other place, there are no clear definitions of national security, or of the extended exemption for defence purposes, which goes beyond the Data Protection Act 1998, in the Bill or the explanatory notes. As the right hon. and learned Member for Rushcliffe (Mr Clarke) remarked during the passage of the Investigatory Powers Act 2016,
“National security can easily be conflated with the policy of the Government of the day.”—[Official Report, 15 March 2016; Vol. 607, c. 850.]
As the Joint Committee on Human Rights concluded,
“it is unclear why the authorities require such a breadth of exemptions from their obligations under the data protection regime.”
Before we move on to discuss our amendments to clause 26, I should be grateful if the Minister could assure us about the definitions of “national security” and “defence purposes” and in particular which entities they apply to.
It is a pleasure to serve under your chairmanship, Mr Streeter. Clause 26 creates an exemption for certain provisions in the Bill only if that exemption is required for the purpose of safeguarding national security or for defence purposes. Where processing does not meet these tests, the exemption cannot apply. It is possible to exempt from most but not all the data protection principles the rights of data subjects, certain obligations on data controllers and processors, and various enforcement provisions, where required to safeguard national security or for defence purposes. In relation to national security, the exemption mirrors the existing national security exemption provided for in section 28 of the 1998 Act. The statutory framework has long recognised that the proportionate exemptions from the data protection principles and the rights of data subjects are necessary to protect national security. The Bill does not alter that position.
The exemption for defence purposes is intended to ensure the continued protection, security and capability of our armed forces and of the civilian staff who support them—not just their combat effectiveness, to use the outdated language of the 1998 Act. In drafting this legislation, we concluded that this existing exemption was too narrow and no longer adequately captured the wide range of vital activities that are undertaken by the Ministry of Defence and its partners. We have seen that all too obviously in the last two weeks.
If the right hon. Gentleman is going to disagree with me that combat effectiveness would be a very narrow term to describe the events in Salisbury, of course I will give way.
I actually wanted to ask about interpreters who support our armed forces. There is cross-party consensus that sometimes it is important to ensure that we grant leave to remain in this country to those very brave civilians who have supported our armed forces abroad as interpreters. Sometimes, those claims have been contested by the Ministry of Defence. Is the Minister confident and satisfied that the Ministry of Defence would not be able to rely on this exemption to keep information back from civilian staff employed as interpreters in support of our armed forces abroad when they seek leave to remain in this country?
I cannot possibly be drawn on individual applications for asylum. It would be wholly improper for me to make a sweeping generalisation on cases that are taken on a case-by-case basis. I refer back to the narrow definition that was in the 1998 Act and suggest that our enlarging the narrow definition of combat effectiveness would mean including the civilian staff who support our brave troops.
The term “defence purposes” is intended to be limited in both application and scope, and will not encompass all processing activities conducted by the Ministry of Defence. Only where a specific right or obligation is found to incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. The Ministry of Defence will continue to process personal information relating to both military and civilian personnel in a secure and appropriate way, employing relevant safeguards and security in accordance with the principles of the applied GDPR. It is anticipated that standard human resources processing functions such as the recording of leave and the management of pay and pension information will not be covered by the exemption.
I am sorry to press the Minister on this point, and she may want to write to me as a follow-up, but I think Members on both sides of the House have a genuine interest in ensuring that interpreters who have supported our troops abroad are able to access important information, such as the terms of their service and the record of their employment, when making legitimate applications for leave to remain in this country—not asylum—or sometimes discretionary leave.
I am very happy to write to the right hon. Gentleman about that. The exemption does not cover all processing of personal data by the Ministry of Defence, but I am happy to write to him on that subject.
It may assist the Committee if I give a few examples of processing activities that might be considered to fall into the definition of defence purposes requiring the protection of the exemption. Such processing could include the collation of personal data to assist in assessing the capability and effectiveness of armed forces personnel, including the performance of troops; the collection and storage of information, including biometric data necessary to maintain the security of defence sites, supplies and services; and the sharing of data with coalition partners to support them in maintaining their security capability and the effectiveness of their armed forces. That is not an exhaustive list. The application of the exemption should be considered only in specific cases where the fulfilment of a specific data protection right or obligation is found to put at risk the security capability or effectiveness of UK defence activities.
The hon. Member for Sheffield, Heeley asked for a definition of national security. It has been the policy of successive Governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies’ ability to protect the UK from new and emerging threats. For example, only a few years ago it would have been very difficult to predict the nature or scale of the threat to our national security from cyber-attacks.
Clause 26 does not provide for a blanket exemption. It can be applied only when it is required to safeguard national security or for defence purposes.
What weight does the Minister give to the written evidence that the Committee received from the Information Commissioner’s Office? It is obviously expert on this issue, and it addresses some of the points she made. It concludes that there is no threshold for when “defence purposes” are to be used, and that there is no guidance
“for when it is appropriate to rely on the exemption.”
What weight does the Minister give to that, and what is her response to the concern raised by the Information Commissioner’s Office?
Again, surely it is for the Executive—elected officials—to take responsibility for decisions that are made by data controllers in the Ministry of Defence. Obviously, the Department has considered the Information Commissioner’s representations, but this is not a blanket exemption. The high threshold can be met only in very specific circumstances.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27
National security: certificate
I beg to move amendment 161, in clause 27, page 17, line 2, leave out subsection (1) and insert—
“A Minister of the Crown must apply to a Judicial Commissioner for a certificate, if exemptions are sought from specified provisions in relation to any personal data for the purpose of safeguarding national security.”
This amendment would introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a National Security Certificate.
With this it will be convenient to discuss the following:
Amendment 162, in clause 27, page 17, line 5, at end insert—
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what it sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing”
and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(a) Chapter II of the applied GDPR (principles)—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.
With our amendments we seek to provide some oversight of and protections against the very broad definitions in this part of the Bill. I am afraid we are not content with the Minister’s assertions in her response on the previous clause.
As they currently stand, national security certificates give Ministers broad powers to remove individuals’ rights with absolutely no oversight. If this is a matter for the Executive, as the Minister has just said, they must be subject to oversight and accountability when making such decisions, and as it stands there is absolutely none at all. The rights at risk from the exemption are the right to be informed when personal data is collected from individuals, which is in article 13 of the GDPR; the right to find out whether personal data against them is being processed, in article 15; and the right to object to automated decision making, in articles 21 and 22. Furthermore, the Information Commissioner’s inspection, authorisation and advisory powers are set aside, which is why she and her office raised concerns, as my hon. Friend the Member for Cambridge set out.
It is not difficult to envisage examples of why those exemptions may be necessary. The Minister has laid some of them out: for instance, during the course of an ongoing national security investigation, the right of an individual to be informed that their data is being processed would not be appropriate. With these exemptions, there will inevitably be a need for appropriate safeguards to protect the rights of citizens. We are not yet convinced that the Bill contains them. That is what these amendments seek to tackle.
It may come as no surprise that I rise to speak in support of amendments 161 to 169. They are intended to challenge the Government’s plan to introduce a national security certification regime that will allow the restriction of and exemptions from a wide range of fundamental rights on the basis of national security and defence. Although it is absolutely right that, as a country, the UK has the ability to act in its own national security interest, I and many others are worried that the scale and scope of what is proposed in the Bill goes much further than the 1998 Act by widening the national security definition to include a further and, I would suggest, undefined range of defence purposes.
The Minister gave three or four examples earlier, but stressed that it was not an exhaustive list. Given the broad and indefinite nature of those national security exemptions, we are concerned that they do not meet the test of being both necessary and proportionate. How much confidence can we have that an individual’s fundamental rights will be best protected when the exemptions will be signed off by a Government Minister with little or no judicial oversight? It is also concerning that there appears to have been little or no attention to the harmful impact of exempting vast amounts of information from data protection safeguards by relying upon national security certificates.
As we heard earlier, the list of rights that are exempted, set out in clause 26, includes the right to be informed when data is being collected, the right to find out when personal data is being processed and the right to object to automated decision making. Those exemptions are to be exercised by a certificate, which, as I say, will be signed by a Minister, who will certify that an exemption from those rights and obligations is necessary for the purpose of safeguarding national security.
That means that, as the Bill is currently drafted, people’s rights could be removed by a politician without any form of judicial oversight. That cannot be right. We would argue most strongly that there has to be judicial oversight of any such decision, to prevent the removal of individual data protection rights from being permitted purely at the say-so of a Government Minister. I ask the Minister, how do the Government define national security and defence purposes in the context of the Bill? I certainly was not satisfied with the explanation we heard earlier on. I believe that these undefined terms are unnecessarily open-ended and broad, and open to vague interpretation. They could very well result in the removal of an individual’s rights unnecessarily. The lack of a clear definition of national security and defence purposes also means that people will be unable to foresee or understand when their rights will be overridden by the application of these exemptions. Surely that is incompatible with an individual citizen’s fundamental rights.
These exemptions, on the surface, are not limited to the UK’s intelligence and security services. As we heard when debating part 2 of the Bill, which deals with general processing, they broadly permit public authorities, and even private corporations on occasion, to invoke national security and defence as a reason to cast aside privacy rights. Can the Minister explain if, how, and under what circumstances a public authority or private company could invoke national security and defence as a reason to cast aside privacy rights?
That brings me to necessity and proportionality, which are fundamental principles when looking at exemptions from data protection, and which will be examined extremely closely by the European Commission and its legal team when it decides on the UK’s suitability for adequacy after Brexit. The principles of necessity and proportionality are enshrined in the European convention on human rights. A Minister must take them into account when they consider restricting or limiting an individual’s rights, such as those under article 8, the right to privacy.
As the Bill stands, no conditions or tests are imposed on a Minister’s decision to withdraw an individual’s personal data protection rights by issuing a national security certificate. There is no limitation on how a national security certificate should run or how long it should operate for. There is no obligation to review the ongoing necessity of having a live certificate. In effect, a certificate is open-ended and indefinite. My concern is that that may allow the state to use a certificate for activities for which it was not considered relevant or appropriate by the Minister when it was first issued or signed.
That loophole cannot be considered proportionate or necessary. The certificates have to be time-limited. That does not mean that once a certificate has expired it cannot be re-certified, but it would ensure that certificates that are no longer necessary or that have been used beyond their original remit do not continue indefinitely. Perhaps the Minister could explain why she thinks such a system could not work, and why it would not be in the best interest of the state and of protecting an individual’s rights.
As with everything we do, including everything we have done in this area in the past couple of years, the Bill has to be seen against the backdrop of Brexit. Not only do we have to comply with the GDPR, but we have to do so in a way that means the United Kingdom will achieve the vital, much sought after adequacy decision from the European Commission. We also have to keep our laws consistent with EU law to maintain that adequacy status. I fear that the widespread use of exemptions and, perhaps more worryingly, the undefined range of defence purposes could deal a severe blow to the UK achieving an adequacy decision from the European Commission.
Can the Minister tell me whether the Government have been given cast-iron guarantees that the new and undefined range of defence purposes will be consistent with EU law, to allow us not just to achieve adequacy but to maintain adequacy post Brexit?
I will call the Minister to respond, but before she responds to that point, she wishes to correct the record in relation to a previous point, which I am happy to permit.
On reflection, I would not wish the hon. Member for Cambridge to understand my earlier answer to mean that a Minister makes a decision on defence purposes. I apologise to him if that was not clear. It is the data controller at the Ministry of Defence who makes that decision. The data controller is accountable to Ministers and in due course to domestic courts. I hope that clarifies that.
It is up to the Committee what time we adjourn for lunch, of course, and the Minister may wish to speak quite rapidly.
Much as I would like the Minister to speak rapidly, I will move the Adjournment.
Ordered, That the debate be now adjourned.—(Nigel Adams.)
(6 years, 8 months ago)
Public Bill CommitteesBy the miracle of assistance from the Clerks, I am aware that we have had a debate this morning and that the Minister is now to respond to that debate, which I did not hear, but which I am sure was a full one.
Clause 27
National security: certificate
Amendment proposed (this day): 161, in clause 27, page 17, line 2, leave out subsection (1) and insert—
“A Minister of the Crown must apply to a Judicial Commissioner for a certificate, if exemptions are sought from specified provisions in relation to any personal data for the purpose of safeguarding national security.”.—(Louise Haigh.)
This amendment would introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a National Security Certificate.
Question again proposed, That the amendment be made.
I remind the Committee that with this we are discussing the following:
Amendment 162, in clause 27, page 17, line 5, at end insert—
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what it sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”.
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”.
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”.
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”.
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing”
and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(a) Chapter II of the applied GDPR (principles)—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”.
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.
Thank you, Mr Hanson. It is a pleasure to serve under your chairmanship again.
I will first provide some context for this part of the Bill. The provisions in the Bill relating to national security exemptions and certificates are wholly in line with the provisions in the Data Protection Act 1998 and its predecessor, the Data Protection Act 1984. What we are doing in the Bill is preserving an arrangement that has been on the statute book for more than 30 years and has been operated by successive Governments.
The national security exemption is no different in principle from the other exemptions provided for in the Bill. If it is right that certain provisions of data protection legislation can be disapplied for reasons of, for example, crime prevention or taxation purposes, or in pursuit of various regulatory functions, without external approval, surely it is difficult to take issue with the need for an exemption on the grounds of national security on the same basis.
The Minister is absolutely right that the provisions mirror those in the DPA. That is exactly why we take issue with them. They mirror unacceptable preventions of rights in the tribunal appeal process, but do not mirror the rights in the Investigatory Powers Act 2016. Why were safeguards put in place in that Act, but will not apply in this Bill?
If I understand the hon. Lady’s argument correctly, she has presented the judicial commissioners as permitting, for example, warrant to be granted. Having sat through the Joint Committee on the Draft Investigatory Powers Bill and then the Public Bill Committee, I can tell her that I am afraid that is not how that Act works. What happens is that the Secretary of State grants the warrant and then that decision is overseen by the judicial commissioner. I will come on to the difference between the Investigatory Powers Act and this Bill in due course, because the terminology used draws on that in the Investigatory Powers Act, but that Act is very different from this Bill, which is about the processing of data, in its engagement with people and their rights.
Will the Minister give way on that point?
If I may, I will make some progress. Along with existing provisions in section 28 of the 1998 Act, clause 27 provides for a certificate signed by a Minister of the Crown certifying that exemption from specified data protection requirements is required for the purposes of safeguarding national security. There are equivalent provisions in parts 3 and 4 of the Bill. Such a certificate is conclusive evidence of that fact, for example in any legal proceedings. That is the point about the certificates—they only come into play if the exemption or restriction is actually applied.
The certificate provides evidence that the exemption or restriction is required for the purpose of safeguarding national security. It therefore has relevance only in the event that, first, the exemption or restriction is applied to the data in question and, secondly, there is a need to rely on the certificate as conclusive evidence in proceedings to establish that the exemption or restriction is required for the statutory purpose.
But what the national security certificate does not require is a statement of what data is being processed or the exemptions under which the Ministry of Defence or the intelligence services require it. That is what our amendments seek to introduce. If the Bill proceeds unamended, national security certificates would require only very broad details and no information on what data was being processed. It would therefore not be very likely that a tribunal would be able to oppose the decision on the basis of a judicial review.
I have a copy of a live certificate granted by the then Secretary of State, David Blunkett, on 10 December 2001. In the certificate, he sets out in summary the reasons why the certificate has been granted, including:
“The work of the security and intelligence agencies of the Crown requires secrecy.”
I assume hon. Members do not disagree with that. Another reason is:
“The general principle of neither confirming nor denying whether the Security Service processes data about an individual, or whether others are processing personal data for, on behalf of with a view to assist or in relation to the functions of the Security Service, is an essential part of that secrecy.”
Again, I assume that hon. Members do not disagree with that. As I said, this is a live certificate that has been given to the Information Commissioner, and is in the public domain for people to see and to check should they so wish. Those reasons are given in that certificate.
That is wonderful, but the Bill does not require that. It is great that my noble Friend Lord Blunkett put that on his national security application, but the Bill does not require that in law, so I am afraid that it is not a sufficient argument against the amendments that we have tabled.
What we are doing is transposing the requirements of the Data Protection Act 1998 into the Bill. It is difficult to see a situation in which a national security certificate will be granted on the basis that the work of the security and intelligence agencies of the Crown does not require secrecy.
Is there not a bigger, more general overall point here, which is that we should not be considering doing anything in Committee that risks making it more difficult for the security services to protect us? This week of all weeks, surely that should be uppermost in our minds.
Very much so—indeed, this debate ran through the passage of the Investigatory Powers Act 2016, which was one of the most scrutinised pieces of legislation. Senior parliamentarians who served on the Committee on that Act during long careers in this House, including the then Minister, my right hon. Friend the Member for South Holland and The Deepings (Mr Hayes), said that it was an incredibly well scrutinised Bill. There was constant debate about the battle, or tension, between ensuring the national security of our country in the most transparent way possible, and the fact that by definition there has to be some secrecy and confidentiality about the ways in which the security agencies work.
What was important in the debates on that Act, as it is in those on the current Bill, was making it clear that the idea that rogue civil servants or security agents can run around with people’s information with no checks is very wrong. We are replicating in the Bill the system that has been used for the past 30 years, because we consider that that system has the appropriate and necessary safeguards in the often very fast-moving context of a national security situation.
I will make a little progress, then I will take more interventions.
To be absolutely clear, a national security exemption is applied not by a Minister but by a data controller. Data controllers—be they the intelligence services, the Ministry of Defence or any other body—are well placed to make the determination, given that they will have a detailed understanding of the operational context and the extent to which departure from the requirement of the general data protection regulation—or parts 3 or 4 of the Bill as the case may be—is necessary to safeguard national security. In short, a data controller decides whether the national security exemption should be applied in a particular case, and the certificate is the evidence of the need for such an exemption in the event that someone challenges it.
I will give an example first, because I think it is so important. I fear that a bit of misunderstanding has crept in. Let us take the example of a subject access request. Mr Smith asks an intelligence service whether it is processing personal data concerning him and, if so, for information about that data under clause 94. The intelligence service considers whether it is processing personal data, which it will have obtained under its other statutory powers, such as the Regulation of Investigatory Powers Act 2000 or the Investigatory Powers Act 2016.
If the agency determines that it is processing personal data relating to Mr Smith, it then considers whether it is able to disclose the data, or whether a relevant exemption is engaged. For the agency, the key consideration will be whether disclosing the data would damage national security, for example by disclosing sensitive capabilities or alerting Mr Smith to the fact that he is a subject of investigation. If disclosure does not undermine national security and no other exemption is relevant, the intelligence service must disclose the information. However, if national security would be undermined by disclosure, the agency will need to use the national security exemption in relation to processing any personal data relating to Mr Smith.
If the intelligence service does not process any personal data relating to Mr Smith, it will again have to consider whether disclosing that fact would undermine national security, for example by revealing a lack of capability, which could be exploited by subjects of investigation. That is why, on occasion, when such requests are made, a “neither confirm nor deny” response may be necessary, because either confirming or denying may in itself have ramifications, not only in relation to Mr Smith but in relation to other aspects of national security.
Mr Smith may complain to the Information Commissioner about the response to his request for information. The intelligence service may then be required to demonstrate to the commissioner that the processing of personal data complies with the requirements of part four of the Bill, as set out in clause 102, and that it has responded to the request for information appropriately.
If, in legal proceedings, Mr Smith sought to argue that the national security exemption had been improperly relied upon, a national security certificate could be used as conclusive evidence that the national security exemption was required to safeguard national security. Any person who believed they were directly affected by the certificate could of course appeal against it to the upper tribunal, as set out in clause 111.
The Minister is setting out the mechanics of the system with admirable clarity. The point in dispute, though, is not the mechanics of the process but whether the data controller is able—unilaterally, unchecked and unfettered—to seek a national security exemption. Anyone who has worked with the intelligence agencies, either as a Minister or not, knows that they take parliamentary oversight and the defence of parliamentary supremacy extremely seriously.
What we are seeking with this amendment is to ensure that a data controller does not issue a national security certificate unchecked, and that instead there is an element of judicial oversight. The rule of law is important. It should be defended, protected and enhanced, especially when the data collection powers of the intelligence services are so much greater than they were 30 years ago when data protection legislation was first written.
The Government fully accept that national security certificates should be capable of being subject to judicial oversight. Indeed, the current scheme—both under the 1998 Act and this Bill—provides for just that. However, the amendments would radically change the national security certificate regime, because they would replace the existing scheme with one that required a Minister of the Crown to apply to a judicial commissioner for a certificate if an exemption was sought for the purposes of safeguarding national security, and for a decision to issue a certificate to be approved by a judicial commissioner.
This, again, is the debate that we had when we were considering the Investigatory Powers Act 2016. There were some who would have preferred a judicial commissioner to make the decision about warrantry before the Secretary of State. However, Parliament decided that it was not comfortable with that, because it would have meant a great change. For a member of the judiciary to certify on national security issues, rather than a member of the Executive—namely the Prime Minister or a Secretary of State—would have great constitutional implications.
There were great debates about the issue and the House decided, in its wisdom, that it would maintain the constitutional tradition, which is that a member of the Executive has the ultimate responsibility for national security, with, of course, judicial oversight by judicial commissioners and by the various tribunals that all these powers are subject to. The House decided that the decision itself must be a matter for a Minister of the Crown, because in the event—God forbid—that there is a national security incident, the House will rightly and properly demand answers from the Government of the day. With the greatest respect, a judicial commissioner cannot come to the Dispatch Box to explain how the Government and those assisting them in national security matters have responded to that situation. That is why we have this fine constitutional balance, and why we have adopted in the Bill the regime that has been in place for 30 years.
Does the Minister accept that in response to the case of Watson and others against the Government, the Government conceded that additional safeguards, including a far more robust system of independent oversight, were necessary? That test of judicial review is simply not sufficient as oversight. It cannot contest the merits of the case and applies only to the very limited, narrow appeal right of judicial review. It is just not sufficient.
I will come on, if I may, to the judicial review test. I have quite a lot about that.
I am grateful to have more time for my officials to scribble a response.
I am happy to help the Minister. She keeps referring to the framework that has been in place for the last 30 years. That has been a time when we have been a member of the European Union. In reviewing this situation, the House of Lords European Union Committee made the point that under the treaty on the functioning of the European Union, there is absolute jurisdiction for national member states to take decisions on national security. That is not an EU area of jurisdiction. The treaty says that we are protected as a member of the EU, but if we leave the European Union we are not protected by that exemption under the treaty. That is why, for third countries, the European Commission looks at the whole legislative framework. Do we not risk the adequacy decision by taking this approach? In the future, we will not have the answer of saying that it is an issue of exemption from the European Commission.
National security must always be a matter for any member state in the EU, but also once we leave the EU. Sorry, I may have misunderstood the hon. Gentleman, but how we deal with national security is, of course, a matter for the state.
I am happy to clarify for the Minister. The status quo is that the European Union will not look at areas of national security because they are the jurisdiction of member states. When we leave the European Union, the Commission will look at the entirety of legislation around data protection and privacy rights, because there are no exemptions that it needs to take into account. The noble Lords made the point that our
“data protection standards would be assessed without the benefit of the protection afforded by the national security exemption”
under the treaty. Do we not risk our adequacy by taking these exemptions?
No, because those who have drafted the Bill have sought, at all times, to comply with the law enforcement directive and with the modernised, draft Council of Europe convention 108. The Bill very much meets those standards, not just on law enforcement but across parts 3 and 4.
I have spoken to the outgoing Council of Europe information commissioner about the issue, and he has put on the record his grave reservations about the regime that we have in place, because we simply do not have the right kind of judicial oversight of the information gathering powers that are now available to our intelligence services. Our intelligence services are very good, and they need to be allowed to do their job, but they will be allowed to do that job more effectively—and without additional risks to our adequacy—if there is some kind of judicial oversight in the right timeframe of the decisions that are taken.
That is where the distinction between obtaining information and processing it is so important. The gathering that the right hon. Gentleman refers to falls under the Investigatory Powers Act 2016. Retaining it and processing it in the ways that the Bill seeks to provide for is the data protection element. The 2016 Act has all the extra judicial oversights that have been passed by the House.
Quite helpfully, we are coming to the nub of the question. It is now incumbent on the Minister to lay out for the Committee why the oversight regime for obtaining information should be so remarkably different from the regime for processing it.
The obtaining of information is potentially intrusive and often extremely time-sensitive. For the processing of information, particularly in the case of a subject access request, once we have met the criteria for obtaining it, separate judicial oversight through the upper tribunal is set out in the Bill, as well as ministerial oversight. They are two separate regimes.
There is extra oversight in the 2016 Act because obtaining information can be so intrusive. The right hon. Gentleman will appreciate that I cannot go into the methodology—I am not sure I am security-cleared enough to know, to be honest—but obtaining information has the potential to be particularly intrusive, in a way that processing information gathered by security service officials may not be.
I reassure the Minister that I went through the methodologies during my time at the Home Office. The justification that she still needs to lay out for the Committee—she is perhaps struggling to do so—is why there should be one set of judicial oversight arrangements for obtaining information and another for processing it. Why are they not the same?
There might be many reasons why we process information. The end result of processing might be for national security reasons or law enforcement reasons—my officials are scribbling away furiously, so I do not want to take away their glory when they provide me with the answer.
I have an answer on the Watson case, raised by the hon. Member for Sheffield, Heeley, which dealt with the retention of communications by communications service providers. Again, that is an entirely different scenario from the one we are talking about, where the material is held by the security services.
Amendment 161 goes further than the 2016 Act, because it places the decision to issue a certificate with the judicial commissioner. As I have said, national security certificates come into play only to serve in legal proceedings as conclusive evidence that an exemption from specified data protection requirements is necessary to protect national security—for example, to prevent disclosure of personal data to an individual under investigation, when such disclosure would damage national security. The certificate does not authorise the required use of the national security exemption, which is properly a matter for the data controller to determine.
Amendments 163 and 164 relate to the form of a national security certificate. Amendment 163 would require a detailed rather than general description of the data identified on a national security certificate, but we believe this change to be unnecessary and unhelpful, given that much data can be adequately described in a general way. Amendment 164, which would prevent a certificate from having prospective effect, appears to be dependent on the prior judicial authorisation scheme proposed in amendments 161 and 162, and again contrasts with the prospective nature of certificates currently under the Data Protection Act 1998.
Prospective certificates of the type issued under the 1998 Act are the best way of ensuring that the use of the national security exemption by the intelligence services and others is both sufficiently foreseeable for the purposes of article 8 of the European convention on human rights, and accountable. The accountability is ensured by the power to challenge certificates when they are issued, and that is something that has real teeth. The accountability is strengthened by the provision in clause 130 for the publication of certificates. The documents we are discussing will therefore be in the public domain—indeed, many of them are already. But it will now be set out in statute that they should be in the public domain.
Amendments 166 to 168 relate to the appeals process. Amendment 166 would broaden the scope for appealing a national security certificate from a person “directly affected” by it to someone who
“believes they are directly or indirectly affected”
by it. I wonder whether the Opposition did any work on the scope of the provision when drafting it, because the words “indirectly affected” have the potential to cause an extraordinary number of claims. How on earth could that phrase be defined in a way that does not swamp the security services with applications from people who consider that they might be indirectly affected by a decision relating to a national security matter? I do not see how that can be considered practicable.
As I have already said, the issue is that the judicial review process for appeal is incredibly narrow and limited. Under section 28 of the DPA, where an individual requests to access his or her data that is subject to a certificate, they will merely be informed that they have been given all the information that is required under the Act. They would not be informed that their data is being withheld on the grounds of a national security certificate. That means that it is impossible for them to know whether they even have the right to appeal under a judicial review, and they do not have the information available to allow them to take that judicial review case forward. That is why the amendment is drafted in this way. If the Minister would like, she can suggest some alternative wording that would solve the problem.
We get to the nub of the problem. Is the hon. Lady seriously suggesting that the security services should notify someone who puts in an access request that they are the subject of an investigation? That is the tension facing the security services. That is why we have internationally met standards, with regard to article 108 of the convention, which the Bill complies with. That is why we have to build in all these safeguards, to try to ensure that those people who intend ill will to this country do not benefit from our natural wish to be as transparent as possible when dealing with people’s personal data.
I have already explained that there would of course be an exemption for not informing individuals if they were under surveillance or being processed, but there are not sufficient oversights, safeguards or appeals. In the absence of any of those three, the Minister has to accept that there are absolutely no checks and balances on the exemptions listed under the clause.
There most certainly are: they have the right to appeal to the upper tribunal.
Yes. The upper tribunal reviews the material and applies the judicial review test. Again, we had this debate in relation to the Investigatory Powers Act 2016, which Parliament passed, in relation to the test that applied in the later appeal stages, following the grant of a warrant. This Bill has been drafted to comply with the modernised convention 108 of the Council of Europe. This is why it is in this way. It reflects the past 30 years’-worth of practice but meets international standards as they exist at the moment, which I hope reassures the hon. Member for Bristol North West.
On the specific narrow point, is it not the case that clause 130 already provides for the publication of certificates, so the amendment is simply not necessary? On the wider point—at the risk of repeating my earlier one—I fear that we are at risk of stumbling into a law of unintended consequences where we will make it more difficult for our security services to do the job that we want them to do. While we have been sitting here, I saw on my phone that the international community has recognised that what happened in Salisbury is the first recorded attack using a nerve agent on a European country since 1945. Let us remember that.
That is a particularly sobering development. I know that we all feel the gravity of our responsibilities when considering the Bill in the context of national security today. I am grateful to my hon. Friend.
The Minister and I served on the Draft Investigatory Powers Bill Joint Committee and we had many debates on this subject. It struck me that the House was at its best when we passed the Investigatory Powers Bill on Third Reading, with the support of the Labour party, having had these debates. It is frustrating that today of all days, as my hon. Friend says, we should go over that ground again having already reached a useful consensus.
On the judicial review point, the test was debated at length in the Joint Committee, in the Public Bill Committee and on the Floor of the House. The House passed that Act with cross-party consensus, as my hon. Friend has said, so I do not understand why we are having the same debate.
Anyone who has spent time working with our intelligence agencies knows that they see their mission as the defence of parliamentary democracy. They believe in scrutiny and oversight, which is what we are trying to insert in the Bill. The reason the Investigatory Powers Bill was passed in that way was because we were successful in ensuring that there were stronger safeguards. The Minister has been unable to explain today why the safeguarding regime should be different for the processing of data as opposed to the obtaining of data. We have heard no convincing arguments on that front today. All that we are seeking to do is protect the ability of the intelligence agencies to do their job by ensuring that a guard against the misuse of their much broader powers is subject to effective judicial oversight, and not in public but in a court.
For the security services to have obtained data under the Investigatory Powers Act, they will have passed through the various safeguards that Parliament set out in that Act. Once that data is obtained, it follows that the permission that the judicial commissioner will have reviewed will still flow through to the processing of that information. Our concern here is certain requirements of the data protection regime. The decision to disseminate information under that regime must rest with the intelligence agencies, with oversight. The Bill provides for those decisions to be appealed. That is as it should be. It should not be for a judicial commissioner to take over the decision of the data controller, who is processing applications and information in real time, often in situations that require them to act quickly. Likewise, whether to grant a certificate, which will be in the public domain, must be a decision for a member of the Executive, not the judiciary.
I assume that no work has been done to measure the scope of amendment 166, but allowing the clause to cover people indirectly affected could have enormous consequences for the security services, which already face great pressures and responsibilities.
Amendments 167 and 168 would remove the application of judicial review principles by the upper tribunal when considering an appeal against a certificate. They would replace the “reasonable grounds for issuing” test with a requirement to consider whether issuing a certificate was necessary and proportionate. Again, that would be an unnecessary departure from the existing scheme, which applies the judicial review test and has worked very well for the past 30 years.
In applying judicial review principles, the upper tribunal can consider a range of issues, including necessity, proportionality and lawfulness. As we set out in our response to the report of the House of Lords Constitution Committee, that enables the upper tribunal to consider matters such as whether the decision to issue the certificate was reasonable, having regard to the impact on the rights of the data subject and the need to safeguard national security. The Bill makes it clear that the upper tribunal has the power to quash the certificate if it concludes that the decision to issue it was unreasonable.
I hope that I have answered the concerns of the right hon. Member for Birmingham, Hodge Hill about how certificates are granted and about the review process when a subject access request is made and the certificate is applied. We must recognise that the Bill does not weaken a data subject’s rights or the requirements that must be met if an exemption is to be relied on; it reflects the past 30 years of law. Perhaps I missed it, but I do not think that any hon. Member has argued that the Data Protection Act 1998 has significant failings.
As the Minister well knows, the debate internationally is a result of the radical transformation of intelligence agencies’ ability to collect and process data. There is an argument, which has been well recognised in the Council of Europe and elsewhere, that where powers are greater, oversight should be stronger.
Yes, and that is precisely why Parliament passed the Investigatory Powers Act 2016.
The safeguards that apply once the information has been obtained—
Order. I realise that the right hon. Gentleman feels strongly about the issue, but if he wishes to intervene, he must stand. If not, he must remain quiet and take it on the chin.
The Government have listened to the concerns of the House of Lords. We added clause 130 in the Lords to provide for the publication of national security certificates by the Information Commissioner, so that they would be easily accessible to anyone who wished to mount a subject access request, and could be tested accordingly. In her briefing to noble Lords about the Bill, the Information Commissioner said that the clause was
“very welcome as it should improve regulatory scrutiny and foster greater public trust and confidence in the use of national security certificate process.”
It will also ensure that any person who believes that they are directly affected by a certificate will be better placed to exercise their appeal rights.
The Bill’s approach to national security certificates is tried and tested. We rely on those 30 years of experience of the regime being in place. In her written submission to the Committee, the Information Commission has not raised any issues in respect of the provisions in clause 27.
I hope that I have reassured the hon. Member for Sheffield, Heeley. I suspect from the interventions that she may well press the amendment to a vote, but I invite her to withdraw it. We have scrutinised this matter, and the Government are clear that the Bill reflects the past 30 years of the regime. It has worked and the Information Commissioner has not raised any concerns about clause 27.
I am afraid that the Minister is correct; she has not reassured Opposition Members. The amendment is not about putting obstacles in the way of our intelligence agencies going about their operational capabilities—that is the last thing we want to do—but the Minister has been unable to give us a clear argument as to why there should be stronger safeguards on the collection of data than on processing. That the Home Office would like to have the data is not a sufficient argument.
Please do not trivialise the matter. It is not the case that the Home Office would like the data; this is national security. This is the regime that our security services use at the moment. It is the regime they need. That is why the Government are pressing the issue. Again, I would have thought that this week of all weeks is the week to back our security services, not to put more barriers in their way.
The intelligence agencies, as my right hon. Friend the Member for Birmingham, Hodge Hill has said, take parliamentary oversight and scrutiny seriously. The safeguards and oversights are not built into the Bill in the way they were in the Investigatory Powers Act 2016. There is no clear argument why those safeguards should be in place for collection, but not for processing. The Minister has constantly relayed that that decision is based on 30 years’-worth of data but, as has already been said, the scope for the collection and processing of data is so far transformed, even from when the Data Protection Act was written in 1998, that the oversights and safeguards need to be transformed as well. That is why we are proposing these amendments.
The Joint Committee on Human Rights has suggested that the exemptions put forward in the Bill are not legal and introduce arbitrary interferences into people’s privacy rights. It is this Committee’s responsibility to ensure that the amendments pass. That is not trivialising the issue, but ensuring that there is a proper debate about security and the individual’s data subject rights. That is why we will press the amendment to a vote.
Question put, That the amendment be made.
Members will note that there are a number of clauses on the selection list to which no amendments have been tabled. I propose to start grouping such clauses together in order to speed progress. However, Members still have the right to tell me that they wish to speak to, or vote on, an individual clause.
Clauses 28 and 29 ordered to stand part of the Bill.
Clause 30
Meaning of “competent authority”
Amendments made: 18, in clause 30, page 19, line 4, after “specified” insert “or described”.
This amendment changes a reference to persons specified in Schedule 7 into a reference to persons specified or described there.
Amendment 19, in clause 30, page 19, line 10, leave out from “add” to end of line and insert
“or remove a person or description of person”.—(Margot James.)
This amendment makes clear that regulations under Clause 30 may identify a person by describing a type of person, as well as by specifying a person.
Clause 30, as amended, ordered to stand part of the Bill.
Schedule 7 agreed to.
Clauses 31 to 34 ordered to stand part of the Bill.
Clause 35
The first data protection principle
Question proposed, That the clause stand part of the Bill.
Very briefly, subsection (1) includes the phrase
“must be lawful and fair”.
Could the Minister say a little more about the word “fair”? What definition is she resting on, and who is the judge of it?
“Lawful” means any processing necessary to carry out a particular task, where that task is authorised either by statute or under common law. It would cover, for example, the taking and retention of DNA and fingerprints under the Police and Criminal Evidence Act 1984, or the police’s common law powers to disclose information required for the operation of the domestic violence disclosure scheme.
The Government recognise the importance of safeguarding sensitive personal information about individuals. Subsections (3) to (5) therefore restrict the processing of sensitive data, the definition of which includes information about an individual’s race or ethnic origin, and biometric data such as their DNA profile and fingerprints.
Further safeguards for the protection of sensitive personal data are set out in clause 42. The processing of sensitive personal data is permitted under two circumstances. The first is where the data subject has given his or her consent. The second is where the processing is strictly necessary for a law enforcement purpose and one or more of the conditions in schedule 8 to the Bill has been met. Those conditions include, for example, that the processing is necessary to protect the individual concerned or another person, or is necessary for the administration of justice. In both cases, the controller is required to have an appropriate policy document in place. We will come on to the content of such policy documents when we debate clause 42.
I am grateful for the Minister’s extensive definition, given in response to a question I did not ask. I did not ask for the definition of “lawful” but for the definition of “fair”.
I am so sorry; I thought it was apparent from my answer. “Fair” is initially a matter for the data controller, but ultimately the Information Commissioner has oversight of these provisions and the commissioner will cover that in her guidance.
Question put and agreed to.
Clause 35 accordingly ordered to stand part of the Bill.
Schedule 8
Conditions for sensitive processing under Part 3
Amendment made: 116, in schedule 8, page 184, line 32, at end insert—
“Safeguarding of children and of individuals at risk
3A (1) This condition is met if—
(a) the processing is necessary for the purposes of—
(i) protecting an individual from neglect or physical, mental or emotional harm, or
(ii) protecting the physical, mental or emotional well-being of an individual,
(b) the individual is—
(i) aged under 18, or
(ii) aged 18 or over and at risk,
(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d) the processing is necessary for reasons of substantial public interest.
(2) The reasons mentioned in sub-paragraph (1)(c) are—
(a) in the circumstances, consent to the processing cannot be given by the data subject;
(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a) has needs for care and support,
(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”—(Victoria Atkins.)
Schedule 8 makes provision about the circumstances in which the processing of special categories of personal data is permitted. This amendment adds to that Schedule certain processing of personal data which is necessary for the protection of children or of adults at risk. See also Amendments 85 and 117.
Schedule 8, as amended, agreed to.
Clauses 36 to 40 ordered to stand part of the Bill.
Clause 41
Safeguards: archiving
Amendment made: 20, in clause 41, page 23, line 34, leave out “an individual” and insert “a data subject”.—(Victoria Atkins.)
Clause 41 makes provision about the processing of personal data for archiving purposes, for scientific or historical research purposes or for statistical purposes. This amendment aligns Clause 41(2)(b) with similar provision in Clause 19(2).
Question proposed, That the clause, as amended, stand part of the Bill.
We had a good debate on what I think was a shared objective across the Committee: to ensure that those running our big national archives—whether they are large or small organisations—should not be jeopardised by frivolous claims or, indeed, a multiplicity of claims from individuals who might seek to change the records held there in one way or another. I mentioned to the Minister in an earlier debate that we were anxious, despite the reassurances she sought to give the Committee, that a number of organisations, including the BBC, were deeply concerned about the Bill’s impact on their work. They were not satisfied that the exemptions and safeguards in the Bill would quite do the job.
My only reason for speaking at this stage is to suggest to Ministers that if they were to have discussions with some of those organisations about possible Government amendments on Report to refine the language, and provide some of the reassurance people want, that would attract our support. We would want to have such conversations, but it would be better if the Government could find a way to come forward with refinements of their own on Report.
I am happy to explore that. The reason for the clause is to enable processing to be done to create an archive for scientific or historical research, or for statistical purposes. The reason law enforcement is mentioned is that it may be necessary where a law enforcement agency needs to review historic offences, such as allegations of child sexual exploitation. I would of course be happy to discuss that with the right hon. Gentleman to see whether there are further avenues down which we should proceed.
I am grateful to the Minister for that response. I am happy to write to her with the representations that we have received, and perhaps she could reflect on those and write back.
Question put and agreed to.
Clause 41, as amended, accordingly ordered to stand part of the Bill.
Clause 42
Safeguards: sensitive processing
Amendment made: 21, in clause 42, page 24, line 29, leave out “with the day” and insert “when”.—(Victoria Atkins.)
This amendment is consequential on Amendment 71.
Clause 42, as amended, ordered to stand part of the Bill.
Clauses 43 to 46 ordered to stand part of the Bill.
Clause 47
Right to erasure or restriction of processing
I beg to move amendment 22, in clause 47, page 28, line 20, leave out second “data”.
This amendment changes a reference to a “data controller” into a reference to a “controller” (as defined in Clauses 3 and 32).
I can be brief, because this drafting amendment simply ensures that clause 47, as with the rest of the Bill, refers to a “controller” rather than a “data controller”. For the purposes of part 3, a controller is defined in clause 32(1) so it is not necessary to refer elsewhere to a “data controller”.
Amendment 22 agreed to.
Clause 47, as amended, ordered to stand part of the Bill.
Clause 48 ordered to stand part of the Bill.
Clause 49
Right not to be subject to automated decision-making
Question proposed, That the clause stand part of the Bill.
We had a good debate on possible amendments to the powers of automatic decision making earlier and this is an important clause in that it creates a right not to be subject to automated decision making. Clause 49(1) states:
“A controller may not take a significant decision based solely on automated processing unless that decision is required or authorised by law.”
I hope Ministers recognise that
“required or authorised by law”
is an incredibly broad set of questions. I would like to provoke the Minister into saying a little more about what safeguards she believes will come into place to ensure that decisions are not taken that jeopardise somebody’s human rights and their right to appeal and justice based on those human rights. It could be that the Minister decides to answer those questions in the debate on clause 50, but it would be useful for her to say a little more about her understanding of the phrase “significant decision” and a little more about what kind of safeguards will be needed to ensure that decisions that are cast in such a broad way do not impact on people in a negative way.
Clause 49 establishes the right for individuals not to be subject to a decision based exclusively on automated processing, where that decision has an adverse impact on the individual. It is important to protect that right to enhance confidence in law enforcement processing and safeguard individuals against the risk that a potentially damaging decision is taken without human intervention. The right hon. Gentleman asked about the definition of a significant decision. It is set out in the Bill.
We are not aware of any examples of the police solely using automated decision-making methods, but there may be examples in other competent authorities. The law enforcement directive includes that requirement, so we want to transpose it faithfully into statute, and we believe we have captured the spirit of the requirement.
There is the example of Durham police force—an excellent police force in many regards—using automated decision making to decide who does and does not remain in custody, and when people receive their charge. A human is involved in that decision-making process at the moment, but the Bill would enable that to be taken away and allow it to be done purely on an automated basis. I am sure the Minister understands our concerns about removing humans from that decision-making process.
I have to say that I am not familiar with that example. I look to my officials—
Order. The hon. Lady has on a number of occasions referred to her officials. She should remember at all times that, as far as the Committee is concerned, there are no officials in this room, even though self-evidently there are.
I wonder whether that is captured in the spirit of the Bill. Forgive me, Mr Hanson. This is my first Bill Committee as a Minister and I was not aware of that. Many apologies.
I am not familiar with that example. It would be a very interesting exercise under the PACE custody arrangements. I will look into it in due course. These protections transpose the law enforcement directive, and we are confident that they meet those requirements.
Question put and agreed to.
Clause 49 accordingly ordered to stand part of the Bill.
Clause 50
Automated decision-making authorised by law: safeguards
Amendments made: 23, in clause 50, page 30, line 11, leave out “21 days” and insert “1 month”.
Clause 50(2)(b) provides that where a controller notifies a data subject under Clause 50(2)(a) that the controller has taken a “qualifying significant decision” in relation to the data subject based solely on automated processing, the data subject has 21 days to request the controller to reconsider or take a new decision not based solely on automated processing. This amendment extends that period to one month.
Amendment 24, in clause 50, page 30, line 17, leave out “21 days” and insert “1 month”.—(Victoria Atkins.)
Clause 50(3) provides that where a data subject makes a request to a controller under Clause 50(2)(b) to reconsider or retake a decision based solely on automated processing, the controller has 21 days to respond. This amendment extends that period to one month.
Question proposed, That the clause, as amended, stand part of the Bill.
I remain concerned that the safeguards the Government have proposed to ensure people’s human rights are not jeopardised by the use of automated decision making are, frankly, not worth the paper they are written on. We know that prospective employers and their agents use algorithms and automated systems to analyse very large sets of data and, through the use of artificial intelligence and machine learning, make inferences about whether people are appropriate to be considered to be hired or retained by a particular company. We have had a pretty lively debate in this country about the definition of a worker, and we are all very grateful to Matthew Taylor for his work on that question. Some differences emerged, and the Business, Energy and Industrial Strategy Committee has put its views on the record.
The challenge is that our current labour laws, which were often drafted decades ago, such as the Sex Discrimination Act 1975 and the Race Relations Act 1965, are no longer adequate to protect people in this new world, in which employers are able to use such large and powerful tools for gathering and analysing data, and making decisions.
We know that there are problems. We already know that recruiters use Facebook to seek candidates in a way that routinely discriminates against older workers by targeting job advertisements. That is not a trivial issue; it is being litigated in the United States. In the United Kingdom, research by Slater and Gordon, a group of employment lawyers, found that one in five bosses admits to unlawful discrimination when advertising jobs online. Women and people over 50 are most likely to be stopped from seeing an advert. Around 32% of company executives admitted to discriminating among those over 50; 23% discriminated against women; and 62% of executives who had access to profiling tools admitted to using them to actively seek out people based on criteria such as age, gender and race. Female Uber drivers earn 7% less than men when pay is determined by algorithms. A number of practices in the labour market are disturbing and worrying, and they should trouble all of us.
The challenge is that clause 50 needs to include a much more comprehensive set of rights and safeguards. It should clarify that the Equality Act 2010 and protection from discrimination applies to all new forms of decision making that engage core labour rights around recruitment, terms of work or dismissal. There should be new rights about algorithmic fairness at work to ensure equal treatment where an algorithm or automated system takes a decision that impinges on someone’s rights. There should be a right to explanation where significant decisions are taken based on an algorithm or an automated decision. There is also a strong case to create a duty on employers, if they are a large organisation, to undertake impact assessments to check whether they are, often unwittingly, discriminating against people in a way that we think is wrong.
Over the last couple of weeks, we have seen real progress in the debate about gender inequalities in pay. Many of us will have looked in horror at some of the news that emerged from the BBC and at some of the evidence that emerged from ITV and The Guardian. We have to contend with the reality that automated decision-making processes are under way in the labour market that could make inequality worse rather than better. The safeguards that we have in clause 50 do not seem up to the job.
I hope the Minister will say a bit more about the problems that she sees with future algorithmic decision making. I am slightly troubled that she is unaware of some live examples in the Home Office space in one of our most successful police forces, and there are other examples that we know about. Perhaps the Minister might say more about how she intends to improve the Bill with regard to that issue between now and Report.
I will pick up on the comments by the right hon. Gentleman, if I may.
In the Durham example given by the hon. Member for Sheffield, Heeley, I do not understand how a custody sergeant could sign a custody record without there being any human interaction in that decision-making process. A custody sergeant has to sign a custody record and to review the health of the detainee and whether they have had their PACE rights. I did not go into any details about it, because I was surprised that such a situation could emerge. I do not see how a custody sergeant could be discharging their duties under the Police and Criminal Evidence Act 1984 if their decision as to custody was based solely on algorithms, because a custody record has to be entered.
I thank the Minister for allowing me to clarify. I did not say that it was solely an algorithmic decision already. Durham is using an algorithm known as the harm assessment risk tool. A human makes a decision based on the algorithm’s recommendations. The point I was making was that law enforcement is using algorithms to make very important decisions that limit an individual’s right to freedom, let alone the right to privacy or anything else, but the Bill will enable law enforcement to take that further. I appreciate what the Minister is saying about PACE and the need for a custody sergeant, but the Bill will enable law enforcement to take that further and to remove the human right—
This has been a moment of genuine misunderstanding. Given how the hon. Lady presented that, to me it sounded as if she was saying that the custody record and the custody arrangements of a suspect—detaining people against their will in a police cell—was being done completely by a computer. That was how it sounded. There was obviously an area of genuine misunderstanding, so I am grateful that she clarified it. She intervened on me when I said that we were not aware of any examples of the police solely using automated decision making—that is when she intervened, but that is not what she has described. A human being, a custody sergeant, still has to sign the record and review the risk assessment to which the hon. Lady referred. The police are using many such examples nowadays, but the fact is that a human being is still involved in the decision-making process, even in the issuing of penalties for speeding. Speeding penalties may be automated processes, but there is a meaningful element of human review and decision making, just as there is with the custody record example she gave.
There was a genuine misunderstanding there, but I am relieved, frankly, given that the right hon. Member for Birmingham, Hodge Hill was making points about my being unaware of what is going on in the Home Office. I am entirely aware of that, but I misunderstood what the hon. Lady meant and I thought she was presenting the custody record as something that is produced by a machine with no human interaction.
Line-by-line scrutiny, but I was acting in good faith on an intervention that the hon. Member for Sheffield, Heeley made when I was talking about any examples of the police solely using automated decision making.
May I ask for your guidance on this question? We are in a Bill Committee that is tasked with scrutinising the Bill line by line. Is it customary for Ministers to refuse to give way on a matter of detail?
Ultimately, whether the Minister gives way is a matter for the Minister—that is true for any Member who has the Floor—but it is normal practice to debate aspects of legislation thoroughly. Ultimately, however, it remains the choice of the Minister or any other Member with the Floor whether to give way.
I think it is fair to say that I have given way on interventions, but the right hon. Gentleman seemed to be seeking to argue with me as to my understanding of what his colleague, the hon. Member for Sheffield, Heeley, had said. Frankly, that is a matter for me to understand.
Order. We are debating clause 50 of the Bill, so may I suggest that in all parts of the Committee we focus our minds on the clause?
I have lost track of which point the right hon. Gentleman wants me to give way on.
Let me remind the Minister. What we are concerned about on the question of law enforcement is whether safeguards that are in place will be removed under the Bill. That is part and parcel of a broader debate that we are having about whether the safeguards that are in the Bill will be adequate. So let me return to the point I made earlier to the Minister, which is that we would like her reflections on what additional safeguards can be drafted into clauses 50 and 51 before Report stage.
Clause 49 is clear that individuals should not be subject to a decision based solely on automated processing if that decision significantly or adversely has an impact on them, legally or otherwise, unless required by law. If that decision is required by law, clause 50 specifies the safeguards that controllers should apply to ensure that the impact on the individual is minimised. Critically, that includes informing the data subject that a decision has been taken and giving that individual 21 days in which to ask the controller to reconsider the decision, or to retake the decision with human intervention.
A point was made about the difference between automated processing and automated decision making. Automated processing is when an operation is carried out on personal data using predetermined fixed parameters that allow for no discretion by the system and do not involve further human intervention in the operation to produce a result or output. Such processing is used regularly in law enforcement to filter large datasets down to manageable amounts for a human operator to use. Automated decision making is a form of automated processing that allows the system to use discretion, potentially based on algorithms, and requires the final decision to be made without human interference. The Bill seeks to clarify that, and the safeguards are set out in clause 50.
Question put and agreed to.
Clause 50, as amended, accordingly ordered to stand part of the Bill.
Clause 51
Exercise of rights through the Commissioner
I beg to move amendment 25, in clause 51, page 31, line 2, leave out from first “the” to end of line 3 and insert
“restriction imposed by the controller was lawful;”.
This amendment changes the nature of the request that a data subject may make to the Commissioner in cases where rights to information are restricted under Clause 44(4) or 45(4). The effect is that a data subject will be able to request the Commissioner to check that the restriction was lawful.
These technical amendments are required to ensure that the provisions in clause 51 do not inadvertently undermine criminal investigations by the police or other competent authorities. Under the Bill, where a person makes a subject access request, it may be necessary for the police or other competent authority to give a “neither confirm nor deny” response, for example in order to avoid tipping someone off that they are under investigation for a criminal offence. In such a case, the data subject may exercise their rights under clause 51 to ask the Information Commissioner to check that the processing of their personal data complies with the provisions in part 3. It would clearly undermine a “neither confirm nor deny” response to a subject access request if a data subject could use the provisions in part 3 to secure confirmation that the police were indeed processing their information.
It is appropriate that the clause focuses on the restriction of a data subject’s rights, not on the underlying processing. The amendments therefore change the nature of the request that a data subject may make to the commissioner in cases where rights to information are restricted under clause 44(4) or clause 45(4). The effect of the amendments is that a data subject will be able to ask the commissioner to check that the restriction was lawful. The commissioner will then be able to respond to the data subject in a way that does not undermine the original “neither confirm nor deny” response.
This is a significant amendment—I understand the ambition behind the clause—so it is worth dwelling on it for a moment. I would like to check my understanding of what the Minister said. In a sense, if an investigation is under way and the individual under investigation makes a subject access request to the police and gets a “neither confirm nor deny” response, the data subject will be able to ask the Information Commissioner to investigate. Will the Minister say a little more about what message will go from the police to the Information Commissioner and the content of the message that will go from the Information Commissioner to the data subject? I have worked on such cases in my constituency. Often, there is an extraordinary spiral of inquiries and the case ultimately ends up in a judicial review in court. Will the Minister confirm that I have understood the mechanics accurately and say a little more about the content of the messages from the police to the Information Commissioner and from the Information Commissioner to the person who files the request?
I can help the right hon. Gentleman in one respect: he has understood the mechanics. I am afraid that I cannot give him examples, because it will depend on the type of criminal offence or the type of investigation that may be under way. I cannot possibly give him examples of the information that may be sent by the police to the Information Commissioner, because that will depend entirely on the case that the police are investigating.
Perhaps I can pose the question in a sharper way. I do not think that is entirely the case. It must be possible for the Minister to be a little more specific, and perhaps a little more knowledgeable, about the content of the message that will go from the Information Commissioner to the data subject. Will that be a standard message? Will it be in any way detailed? Will it reflect in any way on the information that the police provide? Or will it simply be a blank message such as “I, the Information Commissioner, am satisfied that your information has been processed lawfully”? I do not think the Information Commissioner is likely to ask for too much detail about the nature of the offence, but she will obviously ask whether data has been processed lawfully. She will want to make checks in that way. Unless the Information Commissioner is able to provide some kind of satisfactory response to the person who has made the original request, we will end up with an awful administrative muddle that will take of lot of the courts’ time. Perhaps the Minister could put our minds at rest on that.
The Information Commissioner will get the information but, by definition, she does not give that information to the subject, because law enforcement will have decided that it meets the criteria for giving a “neither confirm nor deny” response from their perspective. The commissioner then looks at the lawfulness of that; if she considers it to be lawful, she will give the same response—that the processing meets part 3 obligations.
Amendment 25 agreed to.
Amendment made: 26, in clause 51, page 31, line 11, leave out from first “the” to end of line 12 and insert “restriction imposed by the controller was lawful;” —(Victoria Atkins.)
This amendment is consequential on Amendment 25.
Clause 51, as amended, ordered to stand part of the Bill.
Clause 52 ordered to stand part of the Bill.
Clause 53
Manifestly unfounded or excessive requests by the data subject
Amendments made: 27, in clause 53, page 31, line 39, leave out “or 47” and insert “,47 or 50”.
Clause 53(1) provides that where a request from a data subject under Clause 45, 46 or 47 is manifestly unfounded or excessive, the controller may charge a reasonable fee for dealing with the request or refuse to act on the request. This amendment applies Clause 53(1) to requests under Clause 50 (automated decision making). See also Amendment 28.
Amendment 28, in clause 53, page 32, line 4, leave out “or 47” and insert “,47 or 50”.—(Victoria Atkins.)
Clause 53(3) provides that where there is an issue as to whether a request under Clause 45, 46 or 47 is manifestly unfounded or excessive, it is for the controller to show that it is. This amendment applies Clause 53(3) to requests under Clause 50 (automated decision making). See also Amendment 27.
Question proposed, That the clause, as amended, stand part of the Bill.
We have just agreed a set of amendments that, on the face of it, look nice and reasonable. We can all recognise the sin that the Government are taking aim at, and that the workload of the Information Commissioner’s Office and of others has to be kept under control, so we all want to deter tons of frivolous and meaningless requests. None the less, a lot of us have noticed that, for example, the introduction of fees for industrial tribunals makes it a lot harder for our constituents to secure justice.
I wonder, having now moved the amendment successfully, whether the Minister might tell us a little more about what will constitute a reasonable fee and what will happen to those fees. Does she see any relationship between the fees being delivered to her Majesty’s Government and the budget that is made available for the Information Commissioner? Many of us are frankly worried, given the new obligations of the Information Commissioner, about the budget she has to operate with and the resources at her disposal. Could she say a little more, to put our minds at rest, and reassure us that these fees will not be extortionate? Where sensible fees are levied, is there some kind of relationship with the budget that the Information Commissioner might enjoy?
Clause 35 establishes the principle that subject access requests should be provided free of charge in most cases. That will be the default position in most cases. In terms of the fees, that will not be a matter to place in statute; certainly, I can write to the right hon. Gentleman with my thoughts on how that may develop. The intention is that in the majority of cases, there will be no charge.
Question put and agreed to.
Clause 53, as amended, accordingly ordered to stand part of the Bill.
Clause 54
Meaning of “applicable time period”
Amendments made: 29, in clause 54, page 32, line 14, leave out “day” and insert “time”.
This amendment is consequential on Amendment 71.
Amendment 30, in clause 54, page 32, line 15, leave out “day” and insert “time”.—(Victoria Atkins.)
This amendment is consequential on Amendment 71.
Clause 54, as amended, ordered to stand part of the Bill.
Clauses 55 to 63 ordered to stand part of the Bill.
Clause 64
Data protection impact assessment
I beg to move amendment 142, in clause 64, page 37, line 2, leave out “is likely to” and insert “may”.
With this it will be convenient to discuss the following:
Amendment 143, in clause 64, page 37, line 2, leave out “high”.
Amendment 144, in clause 64, page 37, line 15, leave out “is likely to” and insert “may”.
Amendment 145, in clause 64, page 37, line 15, leave out “high”.
Amendment 146, in clause 65, page 37, line 19, leave out subsection (1) and insert—
“(1) This section applies where a controller intends to—
(a) create a filing system and process personal data forming part of it, or
(b) use new technical or organisational measures to acquire, store or otherwise process personal data.”
Amendment 147, in clause 65, page 37, line 23, leave out “would” and insert “could”.
Amendment 148, in clause 65, page 37, line 23, leave out “high”.
Amendment 149, in clause 65, page 37, line 44, at end insert—
“(8) If the Commissioner is not satisfied that the controller or processor (where the controller is using a processor) has taken sufficient steps to remedy the failing in respect of which the Commissioner gave advice under subsection (4), the Commissioner may exercise powers of enforcement available to the Commissioner under Part 6 of this Act.”
New clause 3—Data protection impact assessment: intelligence services processing—
“(1) Where a type of processing proposed under section 103(1) may result in a risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.
(2) A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.
(3) A data protection impact assessment must include the following—
(a) a general description of the envisaged processing operations;
(b) an assessment of the risks to the rights and freedoms of data subjects;
(c) the measures envisaged to address those risks;
(d) safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
(4) In deciding whether a type of processing could result in a risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.”
New clause 4—Prior consultation with the Commissioner: intelligence services processing—
“(1) This section applies where a controller proposes that a particular type of processing of personal data be carried out under section 103(1).
(2) The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section [Data protection impact assessment: intelligence services processing] indicates that the processing of the data could result in a risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).
(3) Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—
(a) the data protection impact assessment prepared under section [Data protection impact assessment: intelligence services processing], and
(b) any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.
(4) Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.
(5) The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.
(6) The Commissioner may extend the period of 6 weeks by a further period of one month, taking into account the complexity of the intended processing.
(7) If the Commissioner extends the period of 6 weeks, the Commissioner must—
(a) inform the controller and, where applicable, the processor of any such extension before the end of the period of one month beginning with receipt of the request for consultation, and
(b) provide reasons for the delay.
(8) If the Commissioner is not satisfied that the controller or processor (where the controller is using a processor) has taken sufficient steps to remedy the failing in respect of which the Commissioner gave advice under subsection (4), the Commissioner may exercise powers of enforcement available to the Commissioner under Part 6 of this Act.”
The amendments in my name, and in the names of my right hon. and hon. Friends, are all designed to strengthen the requirement to conduct impact assessments, and to require permission from the Information Commissioner for the purposes of data processing for law enforcement agencies. Impact assessments are a critical feature of the landscape of data protection, particularly where new technology has evolved. It is vital that we have in place enabling legislation and protective legislation to cover new technologies and new methods of data collection and processing.
Since the introduction of the Data Protection Act 1998, the advance of technology has considerably increased the ability of organisations to collect data, as we have discussed. The impact assessment as envisaged allows for an assessment to be conducted where there are systematic and extensive processing activities, including profiling, and where decisions have legal effects, or similarly significant effects, on individuals. In addition, an assessment can be conducted where there is large-scale processing of special categories of data, or personal data in relation to criminal convictions or offences, and where there is a high risk to rights and freedoms—for example, based on the sensitivity of the processing activity.
Given the breadth and reach of new technology, it is right that impact assessments are conducted where the new technology may present a risk, rather than a “high risk”, as envisaged in the Bill. That is what we seek to achieve with the amendments. New technology in law enforcement presents a unique challenge to the data protection and processing environment. The trialling of technology, including facial recognition and risk assessment algorithms, as already discussed, has not been adequately considered by Parliament to date, nor does it sit easily within the current legal framework. I do not doubt that such technologies have a significant role to play in making law enforcement more effective and efficient, but they have to be properly considered by Parliament, and they need to have adequate oversight to manage their appropriate use.
Facial recognition surveillance was mentioned in Committee on Tuesday. The Minister was right to say that it is being trialled by the Metropolitan police, but it has been trialled for three years running. I suggest that it is no longer a trial. It is also being used by South Wales police and other police forces across the country, particularly when policing large events. The Metropolitan police use it in particular for Notting Hill carnival.
In September last year, the Policing Minister made it clear in response to a written question that there is no legislation regulating the use of CCTV cameras with facial recognition. The Protection of Freedoms Act 2012 introduced the regulation of overt public space surveillance cameras. As a result, the surveillance camera code of practice was issued by the Secretary of State in 2013. However, there is no reference to facial recognition in the Act, even though it provides the statutory basis for public space surveillance cameras.
Neither House of Parliament has ever considered or scrutinised automated facial recognition technology. To do so after its deployment—after three years of so-called trialling by the Metropolitan police—is unacceptable, particularly given the technology’s significant and unique impact on rights. The surveillance camera commissioner has noted that “clarity regarding regulatory responsibility” for such facial recognition software is “an emerging issue”. We urgently need clarity on whether the biometric commissioner, the Information Commissioner or the surveillance camera commissioner has responsibility for this use of technology. Our amendments suggest that the Information Commissioner should have scrutiny powers over this, but if the Minister wants to tell me that it should be any of the others, we will be happy to support that.
I rise briefly to support my hon. Friend’s excellent speech. The ambition of Opposition Members on the Committee is to ensure that the Government have in place a strong and stable framework for data protection over the coming years. Each of us, at different times in our constituencies, have had the frustration of working with either local police or their partners and bumping into bits of regulation or various procedures that we think inhibit them from doing their job. We know that at the moment there is a rapid transformation of policing methods. We know that the police have been forced into that position, because of the pressure on their resources. We know that there are police forces around the world beginning to trial what is sometimes called predictive policing or predictive public services, whereby, through analysis of significant data patterns, they can proactively deploy police in a particular way and at a particular time. All these things have a good chance of making our country safer, bringing down the rate of crime and increasing the level of justice in our country.
The risk is that if the police lack a good, clear legal framework that is simple and easy to use, very often sensible police, and in particular nervous and cautious police and crime commissioners, will err on the side of caution and actually prohibit a particular kind of operational innovation, because they think the law is too muddy, complex and prone to a risk of challenge. My hon. Friend has given a number of really good examples. The automatic number plate recognition database is another good example of mass data collection and storage in a way that is not especially legal, and where we have waited an awfully long time for even something as simple as a code of practice that might actually put the process and the practice on a more sustainable footing. Unless the Government take on board my hon. Friend’s proposed amendments, we will be shackling the police, stopping them from embarking on many of the operational innovations that they need to start getting into if they are to do their job in keeping us safe.
I will speak briefly in support of amendments 142 to 149, as well as new clauses 3 and 4. As it stands, clause 64 requires law enforcement data controllers to undertake a data protection impact assessment if
“a type of processing is likely to result in a high risk to the rights and freedoms of individuals”.
That assessment would look at the impact of the envisaged processing operations on the protection of personal data and at the degree of risk, measures to address those risks and possible safeguards. If the impact assessment showed a high risk, the controller would have to consult the commissioner under clause 65.
It is important to be clear that the assessment relates to a type of processing. Nobody is asking anyone to undertake an impact assessment every time the processing occurs. With that in mind, the lower threshold for undertaking an assessment suggested in the amendments seems appropriate. We should be guarding not just against probable or high risks, but against any real risk. The worry is that if we do not put these tests in place, new forms of processing are not going to be appropriately scrutinised. We have had the example of facial recognition technology, which is an appropriate one.
New clauses 3 and 4 do a similar job for the intelligence services in part 4, so they also have our support.
I rise to support the amendments in the name of my hon. Friend the Member for Sheffield, Heeley. I had the pleasure of cross-examining Baroness Williams of Trafford, who is the Minister responsible for some of these issues, on the Select Committee on Science and Technology in our inquiry on the biometric strategy and why there has been such a delay in the Government publishing that document. We had grave concerns about the delay in the strategy, but also about the way in which IT systems and servers in different forces act in different ways, which make things potentially very difficult.
The amendments would add safeguards to legitimate purposes—to prevent them from going too far. They should be welcomed by the Government and included in the Bill. There are a number of situations where, in this developing area of technology, which could be very useful to us as a country, as my hon. Friends have said, we need to ensure that the appropriate safeguards are in place. On facial recognition, we know from information received by the Science and Technology Committee that there is too high a number of facial records on the police national database and other law enforcement databases, when there is no legitimate reason for them to be there. We understand that it is difficult to delete them, but that is, with respect, not a good enough answer.
The Select Committee also heard—I think I mentioned this in an earlier sitting—that we have to be careful about the data that the Government hold. The majority of the adult population already has their facial data on Government databases, in the form of passport and driving licence imagery. When we start talking about the exemptions to being able to share data between different Government functions and law enforcement functions, and the exemptions on top of that for the ability to use those things, we just need to be careful that it does not get ahead of us. I know it is difficult to legislate perfectly for the future, but these safeguards would help to make it a safer place.
I will mention briefly the IMSI-catchers, because that covers my constituency of Bristol North West. It was the Bristol Cable, a local media co-operative of which I am a proud member—I pay £1 a month, so I declare an interest—that uncovered some of the issues around IMSI-catchers with bulk collection of information. It is really important that when we are having debates, as we have had with algorithms and artificial intelligence, we recognise that human intervention and the understanding of some of these systems is sometimes difficult. There are very few people who understand how algorithms actually work or how the systems actually work. As they become more advanced and learn and make decisions by themselves, the idea of human intervention or a human understanding of that is increasingly difficult.
In a situation where human resource is extremely stretched, such as in the police service, the tendency will understandably be to rely on the decisions of the systems within the frameworks that are provided, because there is not time to do full human intervention properly. That is why the safeguards are so important—to prevent things getting ahead of us. I hope the Government support the amendments, which I think are perfectly sensible.
I have just a small correction. The hon. Member for Sheffield, Heeley said in error that the Home Office were holding on to the photographs. It is not the Home Office. It is individual police forces that hold that.
No, it is on the police national computer. That falls under the responsibility of the Home Office, not individual forces.
That is run by the police. I do not want the misapprehension to be established that there is an office in the Home Office in Marsham Street where these photographs are held on a computer. It is on the police national computer, which is a secure system that people have to have security clearance to get into. It is not completely accurate to say that the Home Office has possession of it.
I would be grateful if the Minister can confirm that all the examples we raised today will fall under the “high risk” category in the Bill.
I will deal with the definition of high risk in a moment. Clause 64 separates out the processing most likely significantly to affect an individual’s rights and freedom, which requires an additional level of assessment to reflect the higher risk. The amendments would water down the importance of those assessments. That is not to say that consideration of the impact on rights and freedoms can be overlooked. It will, of course, remain necessary for the controller to carry out that initial assessment to determine whether a full impact assessment is required. Good data protection is not achieved by putting barriers in the way of processing. It is about considering the risk intelligently and applying appropriate assessments accordingly.
On the question of high risk, officers or data controllers will go through that process when considering whether a data protection impact assessment is correct. I will write to the hon. Lady to clarify whether the bodies and lists she mentioned will be defined as high risk. The fact is that they are none the less regulated by various organisations.
The crucial point—I do not think the Opposition disagree with it—is that, although some things contain an element of risk, there are also huge benefits. Surely nobody wishes to do anything that prevents law enforcement from using hugely advantageous new technology, which will allow it to divert its resources to even more valuable areas.
Indeed. A pertinent example of that is the development of artificial intelligence to help the police categorise images of child sexual exploitation online. That tool will help given the volume of offences now being carried out across the world. It will also help the officers involved in those cases, because having to sit at a computer screen and categorise some of these images is soul-breaking, frankly. If we can use modern technology and artificial intelligence to help categorise those images, that must surely be a good thing.
There is absolutely no argument over that. As a former special constable myself, I have no wish to put obstacles in the way of law enforcement. There is a particular need to develop technology to help digital investigations, and I think the Government have been delaying that. Human failures in those investigations have led to the collapse of several trials over the past couple of months.
The Minister says that the surveillance camera commissioner has a role. The commissioner has said that there needs to be further clarity on regulatory responsibility. It is not clear whether it is the surveillance camera commissioner, the biometrics commissioner or the Information Commissioner who has responsibility for facial recognition software. Does she accept that the Government urgently need to provide clarity, as well as guidance to the National Police Chiefs Council and police forces, about the use of this potentially invasive software?
Specifically on clause 64, which is about the data protection impact assessment, the judgment as to whether the proposed processing is high risk must be a matter for the controller. On the face of it, many of the systems that the hon. Lady described in her speech will involve high risk, but with respect the decision is not for me to make as a Minister on my feet in Committee. We must allow data controllers the freedom and responsibility to make those assessments. They are the ones that make the decisions and what flows from that in terms of processing.
If the hon. Lady will write to me on the more general, wider point about oversight of the surveillance camera commissioner and so on, I would be happy to take that up outside of Committee.
The issue about whether it is high risk is of course a matter for the data controller, but we are scrutinising this Bill, and the Minister is asking us to support a test of high risk. I am sure the whole Committee would agree that all the cases that have been suggested today involve an incredibly high risk. They involve deprivation of liberty and invasion of privacy. The idea that we would accept a definition of high risk that does not cover those examples is too much for the Opposition to support. That is why the amendment exists. We need to test exactly what the Government envisage in the definition of high risk.
May I just clarify whether the hon. Lady intends to amend her amendment to list the various categories she listed in her speech? I have been very clear that high risk is defined as including processing where there is a particular likelihood of prejudice to the rights and freedoms of data subjects. I would be very cautious about listing examples in the Bill through an amendment, because as we have all acknowledged, criminality and other things develop over time. It would be very bold to put those categories in the Bill.
No one is suggesting that such examples should go in the Bill. I appreciate this is the Minister’s first Bill Committee, but the job of the Opposition is to test the definitions in the Bill and ensure that it is fit for purpose. My concern is that the definition of high risk is set too high to cover law enforcement agencies and will allow egregious breaches of individuals’ data rights, privacy rights and right to liberty. It is our job as the Opposition—there is nothing wrong with us exercising this role—to ensure that the Bill is fit for purpose. That is what we are seeking to do.
I am extremely grateful to the hon. Lady for clarifying her role. My answer is exactly as I said before. High risk includes processing where there is a particular likelihood of prejudice to the rights and freedoms of data subjects. That must be a matter for the data controller to assess. We cannot assess it here in Committee for the very good reason put forward by members of the Committee: we cannot foresee every eventuality. Time will move on, as will technology. That is why the Bill is worded as it is, to try to future-proof it but also, importantly, because the wording complies with our obligations under the law enforcement directive and under the modernised draft Council of Europe convention 108.
Does the Minister not have some sympathy with the poor individuals who end up being data controllers for our police forces around the country, given the extraordinary task that they have to do? She is asking those individuals to come up with their own frameworks of internal guidance for what is high, medium and low risk. The bureaucracy-manufacturing potential of the process she is proposing will be difficult for police forces. We are trying to help the police to do their job, and she is not making it much easier.
Clause 65(2) states:
“The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk”.
There are many complicated cases that the police and others have to deal with. That is why we have guidance rather than putting it in statute—precisely to give those on the frontline the flexibility of understanding, “This situation has arisen, and we need to calibrate the meaning of high risk and take that into account when we look at the prejudices caused to a person or a group of people.” That is precisely what we are trying to encompass. Presumably, that is what the Council of Europe and those involved in drafting the law enforcement directive thought as well.
Of course, there will be guidance from the Information Commissioner to help data controllers on those assessments, to enable us to get a consistent approach across the country. That guidance will be the place to address these concerns, not on the face of the Bill.
Can the Minister confirm that the Metropolitan police consulted the Information Commissioner before trialling facial recognition software? I appreciate that she might not be able to do so on her feet, so I will of course accept it if she wishes to write to me.
I am afraid that I will have to write to the hon. Lady on that.
The intention behind this part of the Bill is not to place unnecessary barriers in the way of legitimate processing. Nor, we all agree, should we place additional burdens on the commissioner without there being a clear benefit. These provisions are in the Bill to address the need for an intelligent application of the data protection safeguards, rather than assuming that a one-size-fits-all approach results in better data protection.
Amendment 149 would insert a new subsection (8) to clause 65, which would permit the commissioner to exercise powers of enforcement if she was not satisfied that the controller or processor had taken sufficient steps to act on her opinion that intended processing would infringe the provisions in part 3. It is worth noting that the purpose of clause 65 is to ensure consultation with the commissioner prior to processing taking place. It is therefore not clear what enforcement the commissioner would be expected to undertake in this instance, as the processing would not have taken place. If, however, the controller sought to process the data contrary to the commissioner’s opinion, it would be open to her to take enforcement action in line with her powers already outlined in part 6.
I do not know, Mr Hanson, whether we have dealt with new clauses 3 and 4.
New clauses 3 and 4 are being considered as part of this group, but would not be voted on until after the consideration of the clauses of the Bill have been completed. If you wish to respond to them, Minister, you can do so now.
I am grateful; I will deal with them now. New clauses 3 and 4 would place additional obligations on the intelligence services. New clause 3 would require the intelligence services to undertake a data protection impact assessment in cases where there is
“a risk to the rights and freedoms of individuals”,
whereas new clause 4 would require the intelligence services to have prior consultation with the Information Commissioner when proposing processing. Neither new clause reflects the unique form of processing undertaken by the intelligence services, its sensitive nature and the safeguards that already exist.
I should stress that the “data protection by design” requirements of clause 103 are wholly consistent with draft modernised Council of Europe convention 108, which was designed to apply to the processing of personal data in the national security context, and which therefore imposes proportionate requirements and safeguards. Under clause 103, in advance of proposing particular types of processing, the intelligence services will be obliged to consider the impact of such processing on the rights and freedoms of data subjects. That requirement will be integrated into the design and approval stages of the delivery of IT systems that process personal data, which is the most effective and appropriate way to address the broad aim. Furthermore, clause 102 requires the controller to be able to demonstrate, particularly to the Information Commissioner, that the requirements of chapter 4 of part 4 of the Bill are complied with, including the requirement in clause 103 to consider the impact of processing.
I remain concerned that the Bill leaves gaps that will enable law enforcement agencies and the police to go ahead and use technology that has not been tested and has no legal basis. As my right hon. Friend the Member for Birmingham, Hodge Hill said, that leaves the police open to having to develop their own guidance at force level, with all the inconsistencies that would entail across England and Wales.
The Minister agreed to write to me on a couple of issues. I do not believe that the Metropolitan police consulted the Information Commissioner before trialling the use of photo recognition software, and I do not believe that other police forces consulted the Information Commissioner before rolling out mobile fingerprint scanning. If that is the case and the legislation continues with the existing arrangements, that is not sufficient. I hope that before Report the Minister and I can correspond so as potentially to strengthen the measures. With that in mind, and with that agreement from the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 64 ordered to stand part of the Bill.
Clauses 65 and 66 ordered to stand part of the Bill.
Clause 67
Notification of a personal data breach to the Commissioner
Question proposed, That the clause stand part of the Bill.
The Committee is looking for some guidance and for tons of reassurance from the Minister about how the clause will bite on data processors who do not happen to base their operations here in the United Kingdom. This morning we debated the several hundred well-known data breaches around the world and highlighted some of the more recent examples, such as Yahoo!—that was probably the biggest—and AOL. More recently, organisations such as Uber have operated their systems with such inadequacy that huge data leaks have occurred, directly infringing the data protection rights of citizens in this country. The Minister will correct me if I am wrong, but I am unaware of any compensation arrangements that Uber has made with its drivers in this country whose data was leaked.
Even one of the companies closest to the Government—Equifax, which signed a joint venture agreement with the Government not too long ago—has had a huge data breach. It took at least two goes to get a full account from Equifax of exactly what had happened, despite the fact that Her Majesty’s Government were its corporate partner and had employed it through the Department for Work and Pensions. All sorts of information sharing happened that never really came to light. I am not sure whether any compensation for Equifax data breaches has been paid to British citizens either.
My point is that most citizens of this country have a large amount of data banked with companies that operate from America under the protection of the first amendment. There is a growing risk that in the years to come, more of the data and information service providers based in the UK will go somewhere safer, such as Ireland, because they are worried about the future of our adequacy agreement with the European Commission. We really need to understand in detail how the Information Commissioner, who is based here, will take action on behalf of British citizens against companies in the event of data breaches. For example, how will she ensure notification within 72 hours? How will she ensure the enforcement of clause 67(4), which sets out the information that customers and citizens must be told about the problem?
This morning we debated the Government’s ludicrous proposals for class action regimes, which are hopelessly inadequate and will not work in practice. We will not have many strong players in the UK who are able to take action in the courts, so we will be wholly reliant on the Information Commissioner to take action. I would therefore be grateful if the Minister reassured the Committee how the commissioner will ensure that clause 67 is enforced if the processor of the data is not on our shores.
The right hon. Gentleman refers to companies not on these shores, about which we had a good deal of discussion this morning. Clause 67 belongs to part 3 of the Bill, which is entitled “Law enforcement processing”, so I am not sure that the companies that he gives as examples would necessarily be considered under it. I suppose a part 3 controller could have a processor overseas, but that would be governed by clause 59. Enforcement action would, of course, be taken by the controller under part 3, but I am not sure that the right hon. Gentleman’s examples are relevant to clause 67.
I am grateful to the Minister for that helpful clarification. Let me phrase the question differently, with different examples. The Home Office and many police forces are outsourcing many of their activities, some of which are bound to involve data collected by global organisations such as G4S. Is she reassuring us that any and all data collected and processed for law enforcement activities will be held within the boundaries of the United Kingdom and therefore subject to easy implementation of clause 67?
The controller will be a law enforcement agency, to which part 3 will apply. I note that clause 200 provides details of the Bill’s territorial application should a processor be located overseas, but under part 3 it will be law enforcement agencies that are involved.
Where G4S, for example, is employed to help with deportations, the Minister is therefore reassuring us that the data controller would never be G4S. However, if there were an activity that was clearly a law enforcement activity, such as voluntary removal, would the data controller always be in Britain and therefore subject to clause 67, even where private sector partners are used? The Minister may outsource the contract, but we want to ensure that she does not outsource the role of data controller so that a law enforcement activity here can have a data controller abroad.
I appreciate the sentiment behind the amendment. If the Home Office outsources processing to an overseas company, any enforcement action would be taken against the Home Office as the controller. The right hon. Gentleman has raised the example of G4S in the immigration context, so I will reflect on that overnight and write to him to ensure that the answer I have provided also covers that situation.
Question put and agreed to.
Clause 67 accordingly ordered to stand part of the Bill.
Clause 68 to 71 ordered to stand part of the Bill.
Clause 72
Overview and interpretation
Question proposed, That the clause stand part of the Bill.
I want to flag up an issue that we will stumble across in a couple of stand part debates: the safeguards that will be necessary for data sharing between this country and elsewhere. We will come on to the safeguards that will be necessary for the transfer of data between our intelligence agencies and foreign intelligence agencies. Within the context of this clause, which touches on the broad principle of data sharing from here and abroad, I want to rehearse one or two arguments on which Ministers should be well briefed and alert.
Our intelligence agencies do an extraordinary job in keeping this country safe, which sometimes involves the acquisition and use of data that results in the loss of life. All Committee members will be familiar with the drone strike that killed Reyaad Khan and Ruhul Amin, and many of us will have heard the Prime Minister’s assurances in the Liaison Committee about the robust legal process that was gone through to ensure that the strike was both proportionate and legal.
The challenge—the public policy issue that arises under chapter 5 of the Bill—is that there is a number of new risks. First, there is the legal risk flagged up by the Court of Appeal in 2013, when justices said that it was not clear that UK personnel will be immune from criminal liability for their involvement in a programme that involves the transfer of intelligence from an intelligence service here to an American partner and where that American partner uses that information to conduct drone strikes that involve the loss of life. Confidence levels differ, but we in the Committee are pretty confident about the legal safeguards around those kinds of operations in this country. We can be less sure about the safeguards that some of our partners around the world have in place. The Court of Appeal has expressed its view, which was reinforced in 2016 by the Joint Committee on Human Rights. The Committee echoed the finding that
“front-line personnel…should be entitled to more legal certainty”
than they have today.
This section of the Bill gives us the opportunity to ensure that our intelligence services are equipped with a much more robust framework than they have today, to ensure that they are not subject to the risks flagged by the Court of Appeal or by the Joint Committee on Human Rights.
We are still on part 3, which deals with law enforcement processing. It does not relate to processing by security services. We will come to that when we debate amendment 159 to clause 109, so I reserve the right to respond to those observations on that amendment in due course.
There is no amendment before the Committee. We are on clause 72. The right hon. Member for Birmingham, Hodge Hill made some comments, which I did not rule out of order. The Minister has indicated that she will respond to the wider issue of concerns about drones and national security at a later date. That is a matter for her. If the right hon. Gentleman is happy with that, and if the Minister is content, I will put the question that the clause stand part of the Bill.
Question put and agreed to.
Clause 72 accordingly ordered to stand part of the Bill.
Clauses 73 to 86 ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned.—(Nigel Adams.)