House of Commons (40) - Commons Chamber (13) / Written Statements (12) / Westminster Hall (6) / General Committees (5) / Petitions (2) / Public Bill Committees (2)
House of Lords (20) - Lords Chamber (11) / Grand Committee (9)
(6 years, 8 months ago)
Public Bill CommitteesWe begin consideration of the Bill today with schedule 9, to which no amendments have been tabled.
Schedule 9 agreed to.
Schedule 10
Conditions for sensitive processing under Part 4
Amendment made: 117, in schedule 10, page 187, line 5, at end insert—
‘Safeguarding of children and of individuals at risk
3A (1) This condition is met if—
(a) the processing is necessary for the purposes of—
(i) protecting an individual from neglect or physical, mental or emotional harm, or
(ii) protecting the physical, mental or emotional well-being of an individual,
(b) the individual is—
(i) aged under 18, or
(ii) aged 18 or over and at risk,
(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d) the processing is necessary for reasons of substantial public interest.
(2) The reasons mentioned in sub-paragraph (1)(c) are—
(a) in the circumstances, consent to the processing cannot be given by the data subject;
(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a) has needs for care and support,
(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.’—(Victoria Atkins.)
Schedule 10 makes provision about the circumstances in which the processing of special categories of personal data is permitted. This amendment adds to that Schedule certain processing of personal data which is necessary for the protection of children or of adults at risk. See also Amendments 85 and 116.
Schedule 10, as amended, agreed to.
Clauses 87 to 93 ordered to stand part of the Bill.
Clause 94
Right of access
Amendments made: 35, in clause 94, page 55, line 8, leave out ‘day’ and insert ‘time’
This amendment is consequential on Amendment 71.
36, in clause 94, page 55, line 9, leave out ‘day’ and insert ‘time’
This amendment is consequential on Amendment 71.
37, in clause 94, page 55, line 10, leave out ‘days’
This amendment is consequential on Amendment 71.
38, in clause 94, page 55, line 11, leave out ‘the day on which’ and insert ‘when’
This amendment is consequential on Amendment 71.
39, in clause 94, page 55, line 12, leave out ‘the day on which’ and insert ‘when’
This amendment is consequential on Amendment 71.
40, in clause 94, page 55, line 13, leave out ‘the day on which’ and insert ‘when’ —(Victoria Atkins.)
This amendment is consequential on Amendment 71.
Clause 94, as amended, ordered to stand part of the Bill.
Clause 95 ordered to stand part of the Bill.
Clause 96
Right not to be subject to automated decision-making
Question proposed, That the clause stand part of the Bill.
We are rattling through the Bill this morning and will soon reach clause 109, to which we have tabled some amendments. Clause 96, within chapter 3 of part 4, on intelligence services processing, touches on the right not to be subject to automated decision making. I do not want to rehearse the debate that we shall have later, but I think that this is the appropriate point for an explanation from the Minister. Perhaps she will say something about the kind of administration that the clause covers, and its relationship, if any—there may not be one, but it is important to test that question—to automated data-gathering by our intelligence services abroad, and the processing and use of that data.
The specific instance that I want to take up concerns the fact that about 700 British citizens have gone to fight in foreign conflicts—for ISIS in particular. The battery of intelligence-gathering facilities that we have allows us to use remote data-sensing to detect, track and monitor them, and to assemble pictures of their patterns of life and behaviour. It is then possible for our intelligence services to do stuff with those data and patterns, such as transfer them to the military or to foreign militaries in coalitions of which we are a member. For the benefit of the Committee, will the Minister spell out whether the clause, and potentially clause 97, will bite on that kind of capability? If not, where are they aimed?
An intelligence services example under clause 96 would be a case where the intelligence services wanted to identify a subject of interest who might have travelled to Syria in a certain time window and where the initial selector was age, because there was reliable reporting that the person being sought was a certain age. The application of the age selector would produce a pool of results, and a decision may be taken to select that pool for further processing operations, including the application of other selectors. That processing would be the result of a decision taken solely on the basis of automated processing.
I do not think the clause actually says anything about age selection. How do we set boundaries around the clause? Let us say that minors—people under the age of 18—want to travel to Syria or some other war zone. Is the Minister basically saying that the clause will bite on that kind of information and lead to a decision chain that results in action to intervene? If that is the case, will she say a little more about the boundaries around the use of the clause?
The right hon. Gentleman asked me for an example and I provided one. Age is not in the clause because the Government do not seek in any way to create burdens for the security services when they are trying to use data to protect this country. Given his considerable experience in the Home Office, he knows that it would be very peculiar, frankly, for age to be listed specifically in the clause. The clause is drafted as it is, and I remind him that it complies with Council of Europe convention 108, which is an international agreement.
The point is that the clause does create a burden. It does not detract from a burden; it creates an obligation on intelligence services to ensure that there is not automatic decision making. We seek not to add burdens, but to question why the Minister is creating them.
The clause complies with Council of Europe convention 108. I do not know whether I can say any more.
I think we have come to a natural conclusion.
Question put and agreed to.
Clause 96 accordingly ordered to stand part of the Bill.
Clause 97
Right to intervene in automated decision-making
Amendments made: 41, in clause 97, page 56, line 34, leave out “21 days” and insert “1 month”.
Clause 97(4) provides that where a controller notifies a data subject under Clause 97(3) that the controller has taken a decision falling under Clause 97(1) (automated decisions required or authorised by law), the data subject has 21 days to request the controller to reconsider or take a new decision not based solely on automated processing. This amendment extends that period to one month.
Amendment 42, in clause 97, page 56, line 39, leave out “21 days” and insert “1 month”.—(Victoria Atkins.)
Clause 97(5) provides that where a data subject makes a request to a controller under Clause 97(4) to reconsider or retake a decision based solely on automated processing, the controller has 21 days to respond. This amendment extends that period to one month.
Clause 97, as amended, ordered to stand part of the Bill.
Clause 98
Right to information about decision-making
Question proposed, That the clause stand part of the Bill.
This is a vexed and difficult area. The subject of the clause is the right to information about decision making, which is very difficult when it comes to the intelligence services, and I have had experiences, as have others I am sure, of constituents who come along to an advice bureau and claim to have been subject either to intelligence services investigation or, in some cases, to intelligence services trying to recruit them. Sometimes—this is not unknown—an individual’s immigration status might be suspect. I had one of these cases about five or six years ago, where the allegation was that the intelligence services were conspiring with the UK Border Agency and what at that time was the Identity and Passport Service to withhold immigration documents to encourage the individual to become a source. The challenge for Members of Parliament trying to represent such individuals is that they will get a one-line response when they write to the relevant officials to say, “I am seeking to represent my constituent on this point.”
A right to information about decision-making will be created under clause 98. I ask the Minister, therefore, when dealing with very sensitive information, how is this right going to be exercised and who is going to be the judge of whether that right has been fulfilled satisfactorily? There is no point approving legislation that is superfluous because it will have no effect in the real world. The clause creates what looks like a powerful new right for individuals to request information about decisions taken by the intelligence agencies, which might have a bearing on all sorts of things in their lives. Will the Minister explain how, in practice, this right is to become a reality?
If I may give an example, where a terrorist suspect is arrested and believes he is the subject of MI5 surveillance, revealing to them whether they were under surveillance and the process by which the suspect was identified as a potential terrorist would clearly aid other terrorists in avoiding detection. The exercise of the right is subject to the operation of the national security exemption, which was debated at length last week. It might be that, in an individual case, the intelligence services need to operate the “neither confirm nor deny” principle, and that is why the clause is drafted as it is.
The clause is drafted in the opposite way. Subsection (1)(b) says that
“the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing.”
In other words, the data subject—in this case, the individual under surveillance—has the right to obtain from the controller, in the hon. Lady’s example of the intelligence agencies, knowledge of the reasoning underlying the way their data was processed.
Let us take, for example, a situation where CCTV footage was being captured at an airport or a border crossing and that footage was being run through facial recognition software, enabling special branch officers to intervene and intercept that individual before they crossed the border. That is an example of where information is captured and processed, and action then results in an individual, in this case, being prevented from coming into the country.
I have often had cases of constituents who have come back from Pakistan or who might have transitioned through the middle east, perhaps Dubai, and they have been stopped at Birmingham airport because special branch officers have said their name is on a watch list. Watch lists are imperfect—that is probably a fairly good description. They are not necessarily based on the most reliable and up-to-date information, but advances in technology allow a much broader and more wide-ranging kind of interception to take place at the border. If we are relying not on swiping someone’s passport and getting a red flag on a watch list but on processing data coming in through CCTV and running it through facial recognition software, that is a powerful new tool in the hands of the intelligence agencies. Subsection (1)(b) will give one of my constituents the right to file a request with the data controller—presumably, the security services—and say, “Look, I think your records are wrong here. You have stopped me on the basis of facial recognition software at Birmingham airport; I want to know the reasoning behind the processing of the data.”
If, as the Minister says, the response from the data controller is, “We can neither confirm nor deny what happened in this case,” then, frankly, the clause is pretty nugatory. Will the Minister give an example of how the right is going to be made a reality? What are the scenarios in which a constituent might be able to exercise this right? I am not interested in the conventions and international agreements this happy clause tends to agree with, but I would like to hear a case study of how a constituent could exercise this right successfully.
The right hon. Gentleman says he is not interested in conventions and so on, but I am afraid that is the legal framework within which Parliament and this country have to act. The clause confers—as do the other clauses in chapter 3—rights upon citizens, but those rights are subject, as they must be, to the national security exemption set out in chapter 6, clause 110.
I am slightly at a loss as to where the right hon. Gentleman wishes to go with this. I am not going to stand here and dream up scenarios that may apply. The rights and the national security exemption are set out in the Bill; that is the framework we are looking at, and that is the framework within which the security services must operate. Of course one has a duty to one’s constituents, but that is balanced with a duty to one’s country. This is precisely the section of the Bill that is about the balance between the rights of our citizens and the absolute necessity for our security services to protect us and act in our interests when they are required to do so.
I am not asking the Minister to dream up a scenario in Committee. All good Ministers understand every single dimension of a clause they are required to take through the House before they come anywhere near a Committee, because they are the Bill Minister.
We are not debating here whether the security services have sufficient power; we had that debate earlier. We are talking about a power and a right that are conferred on data subjects under subsection (1)(b). I am slightly concerned that the Minister, who is responsible for this Bill and this matter of policy, has not been able to give us a well-rehearsed scenario, which presumably she and her officials will have considered before the Bill came anywhere near to being drafted. How will this right actually be exercised by our constituents? It could be that the Committee decides, for example, that the rights we are conferring on the data subject are too sweeping. We might be concerned that there are insufficient safeguards in place for the intelligence agencies to do their jobs. This is a specific question about how data subjects, under the clause, are going to exercise their power in a way that allows the security services to do their job. That is not a complicated request; it is a basic question.
As I say, the framework is set out in the Bill, and the exemption exists in the Bill itself. I have already given an example about a terror suspect. With respect, I am not going to enter into this debate about the right hon. Gentleman’s constituent—what he or she might have requested, and so on. The framework is there; the right is there, balanced with the national security exemption. I am not sure there is much more I can add.
The Minister says she does not want to enter into a debate. I kindly remind her that she is in a debate. The debate is called—
On a point of order, Mr Hanson. I did not say that I do not want a debate. Will the right hon. Gentleman please use his language carefully, as I know he has long experience of doing? I said I was not sure how fruitful it would be to have examples, to and fro, about constituents. That is quite a different matter from a debate. I have debated with him; I have said the answer; it is for him—
Order. We have a point of order—which, in due course, the good offices of Hansard will resolve—as to what was said by the right hon. Gentleman and how the Minister interpreted it. At the moment, we are dealing with clause 98 and Mr Liam Byrne has the floor. As he wishes, he can give way or continue.
I am grateful, Mr Hanson, for that complete clarity. This is the debate that we are having today: how will clause 98(1)(b) become a reality? It creates quite powerful rights for a data subject to seek information from the intelligence agencies. I gave an example from my constituency experience of how the exercise of this right could run into problems.
All I ask of the Minister responsible for the Bill and this area of policy, who has thought through the Bill with her officials and is asking the Committee to agree the power she is seeking to confer on our constituents, and who will have to operate the policy in the real world after the Bill receives Royal Assent, is that she give us a scenario of how the rights she is conferring on a data subject will function in the real world.
However, Mr Hanson, I think we might have exhausted this debate. It is disappointing that the Minister has not been able to come up with a scenario. Perhaps she would like to intervene now to give me an example.
Part 4 sets out a number of rights of data subjects, clause 98 being just one of them. This part of the Bill reflects the provisions of draft modernised convention 108, which is an international agreement, and the Bill faithfully gives effect to those provisions. A data subject wishing to exercise the right under clause 98 may write to that effect to the Security Service, which will then either respond in accordance with clause 98 or exercise the national security exemption in clause 110. That is the framework.
That is probably about as much reassurance as the Committee is going to get this afternoon. It is not especially satisfactory or illuminating, but we will not stand in the way and we will leave the debate there, Mr Hanson.
This might seem like a long day, but it is still morning. On that note, we will proceed.
Question put and agreed to.
Clause 98 accordingly ordered to stand part of the Bill.
Clause 99
Right to object to processing
Amendments made: 43, in clause 99, page 57, line 28, leave out “day” and insert “time”.
This amendment is consequential on Amendment 71.
44, in clause 99, page 58, line 3, leave out “day” and insert “time”.
This amendment is consequential on Amendment 71.
45, in clause 99, page 58, line 5, leave out “the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
46, in clause 99, page 58, line 6, leave out “the day on which” and insert “when”.—(Victoria Atkins.)
This amendment is consequential on Amendment 71.
Clause 99, as amended, ordered to stand part of the Bill.
Clauses 100 to 108 ordered to stand part of the Bill.
Clause 109
Transfers of personal data outside the United Kingdom
I beg to move amendment 159, in clause 109, page 61, line 13, after “is” insert “provided by law and is”.
This amendment would place meaningful safeguards on the sharing of data by the intelligence agencies.
With this it will be convenient to discuss the following:
Amendment 160, in clause 109, page 61, line 18, at end insert—
‘(3) The transfer falls within this subsection if the transfer—
(a) is based on an adequacy decision (see section 74),
(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or
(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76 as amended by subsection (5)).
(4) A transfer falls within this subsection if—
(a) the intended recipient is a person based in a third country that has (in that country) functions comparable to those of the controller or an international organisation, and
(b) the transfer meets the following conditions—
(i) the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law or for the purposes set out in subsection (2),
(ii) the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer,
(iii) the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed, and
(iv) the transferring controller documents any transfer and informs the Commissioner about the transfer on request.
(5) The reference to law enforcement purposes in subsection (4) of section 76 is to be read as a reference to the purposes set out in subsection (2).”
New clause 14—Subsequent transfers—
‘(1) Where personal data is transferred in accordance with section 109, the transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller.
(2) A transferring controller may give an authorisation under subsection (1) only where the further transfer is necessary for the purposes in subsection (2).
(3) In deciding whether to give the authorisation, the transferring controller must take into account (among any other relevant factors)—
(a) the seriousness of the circumstances leading to the request for authorisation,
(b) the purpose for which the personal data was originally transferred, and
(c) the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.’
This new clause would place meaningful safeguards on the sharing of data by the intelligence agencies.
I rise to speak to amendments 159 and 160, which relate to two significant developments in defence policy that have unfolded over the past couple of years. Our intelligence agencies have acquired pretty substantial new capabilities through all kinds of technological advances, which allow them remotely to collect and process data in a completely new way.
It is now possible, through satellite technology and drones, to collect video footage of battle zones and run the information collected through facial recognition software, which allows us to track much more forensically and accurately the movement, habits, working lives and leisure of bad people in bad places. We are fighting against organisations such as Daesh, in a coalition with allies, but over the past year one of our allies has rather changed the rules of engagement, which allows it to take drone strikes with a different kind of flexibility from that under the Obama regime.
The change in the American rules of engagement means that, on the one hand, the American Administration has dramatically increased the number of drone strikes—in Yemen, we have had an increase of about 288% in the past year—and, on the other, as we see in other theatres of conflict such as the war against al-Shabaab in Africa, repeated strikes are allowed for. Therefore, even when the circumstances around particular individuals have changed—new intelligence may have come to light about them—the Trump Administration have basically removed the safeguards that President Obama had in place that require an individual to be a “continuing and imminent threat” before a strike is authorised. That safeguard has been lifted, so the target pool that American forces can take aim at and engage is now much larger, and operational commanders have a great deal more flexibility over when they can strike.
We now see some of the consequences of that policy, with the most alarming statistics being on the number of civilians caught up in some of those strikes. That is true in Yemen and in the fight against al-Shabaab, and I suspect it is true in Syria, Afghanistan and, in some cases, Pakistan. We must ensure that the data sharing regime under which our intelligence agencies operate does not create a legal threat to them because of the way the rules of engagement of one of our allies have changed.
The Joint Committee on Human Rights has talked about that, and it has been the subject of debates elsewhere in Parliament. The JCHR concluded in its 2016 report that
“we owe it to all those involved in the chain of command for such uses of lethal force—intelligence personnel, armed services personnel, officials, Ministers and others—to provide them with absolute clarity about the circumstances in which they will have a defence against any possible future criminal prosecution, including those which might originate from outside the UK.”
We need to reflect on some of those legal risks to individuals who are serving their country. The amendment would ensure that—where there was a collection, processing and transfer of information by the UK intelligence services to one of our allies, principally America, and they ran that information against what is widely reported as a kill list and ordered drone strikes without some of the safeguards operated by previous Administrations—first, the decision taken by the intelligence agency here to share that information was legal and, secondly, it would be undertaken in a way that ensured that our serving personnel were not subject to legal threats or concerns about legal threats.
Does the right hon. Gentleman agree that the legal framework that we rightly expect to apply to our law enforcement offers and agencies does not necessarily apply directly to our intelligence and security services? That, however, would be the effect of the amendment.
I am not sure that that would be the effect of the amendment. While I agree with the thrust of the hon. Gentleman’s argument, I am cognisant of the fact that in 2013 the Court of the Appeal said that it was “certainly not clear” that UK personnel would be immune from criminal liability for their involvement in a programme that entailed the transfer of information to America and a drone strike ordered using that information, without the same kinds of safeguard that the Obama Administration had. The amendment would ensure a measure—nothing stronger than that—of judicial oversight where such decisions were taken and where information was transferred. We must ensure a level of judicial oversight so that inappropriate decisions are not taken. It is sad that we need such a measure, but it reflects two significant changes over the past year or two: first, the dramatic increase in our ability to capture and process information, and, secondly, the crucial change in the rules of engagement under the Trump Administration.
The right hon. Gentleman is being kind and generous with his time. He says that the amendments would not replicate the frameworks for law enforcement, yet amendment 160 would do exactly that by applying clauses 74, 75 and 76 to the test for data sharing for intelligence and security services. Those exact safeguards were designed for law enforcement, not for intelligence and security sharing.
The point for the Committee is that the thrust of the amendment is not unreasonable. Where there is a multiplication of the power of intelligence agencies to capture and process data, it is not unreasonable to ask for that greater power to bring with it greater scrutiny and safeguards. The case for this sensible and cautious amendment is sharpened because of the change in the rules of engagement operated by the United States. No member of the Committee wants a situation where information is transferred to an ally, and that ally takes a decision that dramatically affects the human rights of an individual—as in, it ends those rights by killing that person. That is not something that we necessarily want to facilitate.
As has been said, we are conscious of the difficulty and care with which our politicians have sometimes had to take such decisions. The former Prime Minister very sensibly came to the House to speak about his decision to authorise a drone strike to kill two British citizens whom he said were actively engaged in conspiring to commit mass murder in the United Kingdom. His judgment was that those individuals posed an imminent threat, but because they were not operating in a place where the rule of law was operational, there was no possibility to send in the cops, arrest them and bring them to trial.
The Prime Minister was therefore out of options, but the care that he took when taking that decision and the level of legal advice that he relied on were extremely high. I do not think any member of the Committee is confident that the care taken by David Cameron when he made that decision is replicated in President Trump’s White House.
We must genuinely be concerned and cautious about our intelligence agencies transferring information that is then misused and results in drone strikes that kill individuals, without the safeguards we would expect. The last thing anyone would want is a blowback, in either an American or a British court, on serving officers in our military or intelligence services because the requisite safeguards simply were not in place.
My appeal to the Committee is that this is a point of principle: enhanced power should bring with it enhanced oversight and surveillance, and the priority for that is the fact that the rules of engagement for the United States have changed. If there is a wiser way in which we can create the kinds of safeguard included in the amendment we will be all ears, but we in the House of Commons cannot allow the situation to go unchecked. It is too dangerous and too risky, and it poses too fundamental a challenge to the human rights that this place was set up to champion and protect.
I agree that these amendments ask a legitimate and important question about the level of safeguards on international data sharing by UK intelligence agencies. As it stands, clause 109 contains two fairly otiose sub-clauses to do with the sharing of personal data abroad by our intelligence agencies. In contrast, there is a whole chapter and a full seven clauses putting in place safeguards in relation to transfer to third countries by law enforcement agencies. These amendments borrow some of the safeguards placed on law enforcement agencies and there seems to be no good reason why that is not appropriate. I take the point that it does not necessarily follow that what is good for law enforcement agencies is definitely good for intelligence services. However, it is for the Government to tell us why those safeguards are not appropriate. If there are different ways for us to go about this, I am all ears, like the right hon. Gentleman. The right hon. Gentleman quite rightly raised the example of drones and US attacks based on information shared by personnel. At the moment, the lack of safeguards and of a very clear legal basis for the transfer of information can be lethal for billions and is dangerous for our personnel, as the Joint Committee on Human Rights has pointed out. We support the thrust of these amendments.
I declare my interests as set out in the Register of Members’ Interests.
Order. The hon. Gentleman declared his interests in previous Committees, but I have been advised that he needs to specify what the interests are, as well as declaring them.
Thank you, Mr Hanson. The two items on the register are, first, that I was a legal counsel at BT before my election as a Member of Parliament, where I was responsible for data protection law. Secondly, I had a relationship with a law firm called Kemp Little to maintain my practising certificate while I was a Member of Parliament.
My argument in support of amendment 160 is one that I have rehearsed in previous debates. In line with recommendations from the Joint Committee on Human Rights, today we benefit from an exemption under European treaties that say that national security is a member state competence and therefore not one with which the European Union can interfere. However, if the UK leaves the European Union, the European Commission reserves the right to review the entire data processing legislation, including that for intelligence services of a third country when seeking to make a decision on adequacy—as it has done with Canada. Where the amendment talks about adequacy, it would be helpful—
It does, but it has been reviewed by the European Commission. One of the concerns the Commission has had with Canada is its intelligence-sharing arrangements with the United States of America, which is why this amendment is so pertinent and why it is right to support the Government in seeking this adequacy decision. I make the point again that we will no longer benefit from the exemption if we leave the European Union and I hope that the Government keep that in mind.
Before I start, I want to clarify what the hon. Gentleman has just said about adequacy decisions. Canada does have an adequacy decision from the EU for transfers to commercial organisations that are subject to the Canadian Personal Information Protection and Electronic Documents Act. I am not sure that security services are covered in that adequacy decision, but it may be that we will get assistance elsewhere.
As the right hon. Member for Birmingham, Hodge Hill is aware, amendments 159, 160 and new clause 14 were proposed by a campaigning organisation called Reprieve in its recent briefing on the Bill. They relate to concerns about the sharing of personal data with the US and seek to apply the data sharing protections designed specifically for law enforcement data processing, provided for in part 3 of the Bill, to processing by the intelligence services, provided for in part 4. That is, they are seeking to transpose all the law enforcement measures into the security services. However, such safeguards are clearly not designed for, and do not provide, an appropriate or proportionate basis for the unique nature of intelligence services processing, which we are clear is outside the scope of EU law.
Before I get into the detail of these amendments, it is important to put on record that the international transfer of personal data is vital to the intelligence services’ ability to counter threats to national security. Provision of data to international partners bolsters their ability to counter threats to their security and that of the UK. In a globalised world, threats are not necessarily contained within one country, and the UK cannot work in isolation. As terrorists do not view national borders as a limit to their activities, the intelligence services must be in a position to operate across borders and share information quickly—for example, about the nature of the threat that an individual poses—to protect the UK.
In the vast majority of cases, intelligence sharing takes place with countries with which the intelligence services have long-standing and well-established relationships. In all cases, however, the intelligence services apply robust necessity and proportionality tests before sharing any information. The inherent risk of sharing information must be balanced against the risk to national security of not sharing such information.
Will the Minister tell us more about the oversight and scrutiny for the tests that she has just set out that the intelligence services operate? Perhaps she will come on to that.
I am coming on to that.
Any cross-border sharing of personal data must be consistent with our international obligations and be subject to appropriate safeguards. On the first point, the provisions in clause 109 are entirely consistent with the requirements of the draft modernised Council of Europe data protection convention—convention 108—on which the preventions of part 4 are based. It is pending international agreement.
The provisions in the convention are designed to provide the necessary protection for personal data in the context of national security. The Bill already provides that the intelligence services can make transfers outside the UK only when necessary and proportionate for the limited purposes of the services’ statutory functions, which include the protection of national security; for the purpose of preventing or detecting serious crime; or for the purpose of criminal proceedings.
In addition, on the point the right hon. Gentleman just raised, the intelligence services are already under statutory obligations in the Security Service Act 1989 and the Intelligence Services Act 1994 to ensure that no information is disclosed except so far as is necessary for those functions or purposes. All actions by the intelligence services, as with all other UK public authorities, must comply with international law.
Yes, but I am coming on to further safeguards, if that is the point the hon. Lady wants to raise.
Under those pieces of legislation, are the intelligence services subject to the Information Commissioner, and will they be subject to the commissioner under the Bill’s provisions?
I am about to come on to the safeguards that govern the intelligence services’ information acquisition and sharing under the Investigatory Powers Act 2016 and the Regulation of Investigatory Powers Act 2000. They ensure that any such processing is undertaken only when necessary, lawful and proportionate, and that any disclosure is limited to the minimum number of individuals, in accordance with arrangements detailed in those Acts.
Those Acts, and the provisions in the relevant codes of practice made under them, also provide rigorous safeguards governing the transfer of data. Those enactments already afford proportionate protection and safeguards when data is being shared overseas. Sections 54, 130, 151 and 192 of the 2016 Act provide for safeguards relating to disclosure of material overseas.
Those provisions are subject to oversight by the investigatory powers commissioner, and may be challenged in the investigatory powers tribunal. They are very powerful safeguards, over and above the powers afforded to the Information Commissioner, precisely because of the unique nature of the material with which the security services must act.
Is the point not that those who would seek to do us harm do not have the courtesy to recognise international borders, as recent events have shown? It is vital that our intelligence services can share information across those same borders.
It is absolutely vital. What is more, not only is there a framework in the Bill for overseeing the work of the intelligence services, but we have the added safeguards of the other legislation that I set out. The burden on the security services and the thresholds they have to meet are very clear, and they are set out not just in the Bill but in other statutes.
I hope that I have provided reassurance that international transfers of personal data by the intelligence services are appropriately regulated both by the Bill, which, as I said, is entirely consistent with draft modernised convention 108 of the Council of Europe—that is important, because it is the international agreement that will potentially underpin the Bill and agreements with our partners and sets out agreed international standards in this area—and by other legislation, including the 2016 Act. We and the intelligence services are absolutely clear that to attempt to impose, through these amendments, a regime that was specifically not designed to apply to processing by the intelligence services would be disproportionate and may critically damage national security.
I am sure that it is not the intention of the right hon. Member for Birmingham, Hodge Hill to place unnecessary and burdensome obstacles in the way of the intelligence services in performing their crucial function of safeguarding national security, but, sadly, that is what his amendments would do. I therefore invite him to withdraw them.
I am grateful to the Minister for that explanation and for setting out with such clarity the regime of oversight and scrutiny that is currently in place. However, I have a couple of challenges.
I was slightly surprised that the Minister said nothing about the additional risks created by the change in rules of engagement by the United States. She rested some of her argument on the Security Services Act 1989 and the Intelligence Services Act 1994, which, as she said, require that any transfers of information are lawful and proportionate. That creates a complicated set of ambiguities for serving frontline intelligence officers, who have to make fine judgments and, in drafting codes of practice, often look at debates such as this one and at the law. However, the law is what we are debating. Where the Bill changed the law to create a degree of flexibility, it would create a new risk, and that risk would be heightened by the change in the rules of engagement by one of our allies.
The Minister may therefore want to reflect on a couple of points. First, what debate has there been about codes of practice? Have they changed given the increased surveillance capacity that we have because of the development of our capabilities? How have they changed in the light of the new rules of engagement issued by President Trump?
The right hon. Gentleman is being generous in giving way. I am listening carefully to what he says. I am concerned that he seems to be inviting us to make law in this country based almost solely on the policies of the current US Administration. I do not understand why we would do that.
The reason we would do that is that there has been an exponential increase in drone strikes by President Trump’s Administration and, as a result, a significant increase in civilian deaths in Pakistan, Afghanistan, Syria and Iraq, Yemen and east Africa. It would be pretty odd for us not to ensure that a piece of legislation had appropriate safeguards, given what we now know about the ambition of one of our most important allies to create flexibility in rules of engagement.
I agree with the right hon. Gentleman on that point, but is not the more important point that our legislation cannot be contingent on that of any other country, however important an ally it is? Our legislation has to stand on its own two feet, and we should seek to ensure that it does. To change something, as he attempts to, purely on the basis of changes over the past couple of years would set a dangerous precedent rather than guard against a potential pitfall.
The hon. Gentleman makes a good point, and he is right to say that our legislation has to stand on its own two feet. It absolutely has to, and what is more, it has to be fit for the world in which we live today, which I am afraid has two significant changes afoot. One is a transformation in the power of our intelligence agencies to collect and process data, and in my view that significant advance is enough to require a change in the level of oversight, and potentially a judicial test for the way we share information. As it happens—I was careful to say this—the risk and necessity of that change is merely heightened by the fact that the rules of engagement with one of our most important allies have changed, and that has had real-world consequences. Those consequences create a heightened threat of legal challenge in foreign and indeed domestic courts to our serving personnel.
For some time, our defence philosophy has been—very wisely—that we cannot keep our country safe by defending from the goal line, and on occasion we have to intervene abroad. That is why in my view Prime Minister Cameron took the right decision to authorise lethal strikes against two British citizens. He was concerned first that there was an imminent threat, and secondly that there was no other means of stopping them. Those important tests and safeguards are not operated by our allies.
The change to the American rules of engagement, which allow a strike against someone who is no longer a “continuing and imminent threat”, means that one of our allies now operates under completely different rules of engagement to those set out before the House of Commons by Prime Minister David Cameron, which I think met with some degree of approval. If we are to continue to operate safely a policy of not defending from the goal line, if we are to protect our ability to work with allies and—where necessary and in accordance with international law—to take action abroad, and if we are to continue the vital business of safely sharing information with our allies in the Five Eyes network, a degree of extra reassurance should be built into legislation to ensure that it is fit for the future.
I am confused. Is the right hon. Gentleman suggesting that the actions by Americans, based on the data sharing, which we know is run with international safeguards, could have legal consequences for our personnel in the intelligence agencies serving here?
Yes, and it is not just me—the Court of Appeal is arguing that. The Court of Appeal’s summary in 2013 was that there was a risky legal ambiguity. Its conclusion that it is certainly not clear that UK personnel are immune from criminal liability for their involvement in these programmes is a concern for us all. The Joint Committee on Human Rights reflected on that in 2016, and it concluded pretty much the same thing:
“In our view, we owe it to all those involved in the chain of command for such uses of lethal force…to provide them with absolute clarity about the circumstances in which they will have a defence against any possible future criminal prosecution, including those which might originate from outside the UK.”
This is not a theoretical legal threat to our armed forces and intelligence agencies; this is something that the Court of Appeal and the Joint Committee on Human Rights have expressed worries about.
The new powers and capabilities of our intelligence agencies arguably create the need for greater levels of oversight. This is a pressing need because of the operational policy of one of our allies. We owe it to our armed forces and intelligence agencies to ensure a regime in which they can take clear, unambiguous judgments where possible, and where they are, beyond doubt, safe from future legal challenge. It is not clear to me that the safeguards that the Minister has set out meet those tests.
Perhaps the Minister will clarify one outstanding matter, about convention 108, on which she rested much of her argument. Convention 108 is important. It was written in 1981. The Minister told the Committee that it had been modernised, but also said that that was in draft. I should be grateful for clarification of whether the United Kingdom has signed and is therefore bound by a modernised convention that is currently draft.
I am happy to clarify that. Convention 108 is in the process of being modernised by international partners. I have made it clear, last week and this week, that the version in question is modernised, and is a draft version; but it is the one to which we are committed, not least because the Bill reflects its provisions. Convention 108 is an international agreement and sets the international standards, which is precisely why we are incorporating those standards into the Bill.
I know that the Leader of Her Majesty’s Opposition appears to be stepping away from the international community, over the most recent matters to do with Russia, but the Bill and convention—[Interruption.] Well, he is. However, convention 108 is about stepping alongside our international partners, agreeing international standards and putting the thresholds into legislation. The right hon. Gentleman keeps talking about the need for legislation fit for the world we live in today; that is precisely what convention 108 is about.
Order. The right hon. Member for Birmingham, Hodge Hill indicates that this is an intervention. I thought he had sat down and wanted the Minister to respond. However, if it is an intervention, it is far too long.
I am grateful. Some of us in this House have been making the argument about the risk from Russia for months, and the permissive environment that has allowed the threats to multiply is, I am afraid, the product of much of the inattention of the past seven years.
On the specific point about convention 108, I am glad that the Minister has been able to clarify the fact that it is not operational.
I will give way to the Minister in a moment. The convention was written in 1981. Many people in the Government have argued in the past that we should withdraw not only from the European Union but from the European convention on human rights and therefore also the Council of Europe.
I did not say it was Government policy. I said that there are people within the Administration, including the Secretary of State for Environment, Food and Rural Affairs, who have made the argument for a British Bill of Rights that would remove Britain from the European convention on human rights and, therefore, the Council of Europe. I very much hope that that ambiguity has been settled and that the policy of the current Government will remain that of the Conservative party from now until kingdom come; but the key point for the Committee is that convention 108 is in draft. The modernisation is in draft and is not yet signed. We have heard an express commitment from the Minister to the signing of the thing when it is finalised. We hope that she will remain in her position, to ensure that that will continue to be Government policy; but the modernised version that has been drafted is not yet a convention.
Does my right hon. Friend recognise that the modernisation process started in 2009, with rapporteurs including one of our former colleagues, Lord Prescott? When a process has taken quite so many years and the document is still in draft, it raises the question of how modern the modernisation is.
Some members of the Committee—I am one of them—have been members of the Parliamentary Assembly of the Council of Europe for some time. We know how the Council of Europe works. It is not rapid: it likes to take its time deliberating on things. The Minister may correct me, but I do not think that there is a deadline for the finalisation of the draft convention. So, to ensure that the Government remain absolutely focused on the subject, we will put the amendment to a vote.
Question put, That the amendment be made.
Clause 113 is one of the broad Henry VIII powers that we are consistently opposing and voting against and will continue to oppose and vote against. In chapter 6 of part 4 of the Bill are set out various exemptions that would disapply a number of aspects of data protection if that were required for national security. In schedule 11 are set out further exemptions, including for prevention and detection of crime, parliamentary privilege, legal professional privilege and so on. Huge swathes of data protection principles and subjects’ rights disappear in those circumstances.
We have already had a number of good debates on whether we have struck the right balance between the rights of data subjects and the national interest, national security interests and so on. In our view, it rather undermines our role in scrutinising Government legislation and finding the right balance if we then hand over what is pretty much a carte blanche to change the balance that we have decided on, with the minimum of scrutiny, through broad Henry VIII powers. We therefore continue to oppose broad Henry VIII powers in the Bill and encourage hon. Members to support taking this clause out of the Bill.
I thank the hon. Gentleman for raising this point. Clause 113 is analogous to clause 16, which we have already debated, and provides for the Secretary of State, by regulations subject to the affirmative procedure, to add further exemptions from the provisions of part 4 or to omit exemptions added by regulations. This clause reflects amendments made in the House of Lords in response to the Delegated Powers and Regulatory Reform Committee’s concerns that the powers in the Bill as introduced, which provided for adding, varying or omitting further exemptions in relation to schedule 11, were inadequately justified and too widely drawn. However, maintaining the power to add further exemptions, or to omit exemptions that have been added, provides the flexibility required, if necessary, to extend exemptions in the light of changing public policy requirements.
I beg to move amendment 122, in schedule 13, page 194, line 36, leave out from beginning to end of line 4 on page 195.
This amendment is consequential on the omission of Clause 121 (see Amendment 47).
Amendment 122 and clause 121 deal with measures inserted into the Bill with the intention of protecting and valuing certain personal data held by the state—an issue championed by Lord Mitchell, to whom I am grateful for taking the time to come to see me to further explain his amendments, and for giving me the opportunity to explain how we plan to address the issues he raised.
Lord Mitchell’s amendments require the Information Commissioner to maintain a register of publicly controlled data of national significance and to prepare a code of practice that contains practical guidance in relation to personal data of national significance, which is defined as data that, in the Commissioner’s opinion,
“has the potential to further…economic, social or environmental well-being”
and
“financial benefit…from processing the data or the development of associated software.”
Lord Mitchell has made it clear that his primary concern relates to the sharing of health data by the NHS with third parties. He believes that some information sharing agreements have previously undervalued NHS patient data, and that the NHS, along with other public authorities, needs additional guidance on optimising the benefits derived from such sharing agreements.
We agree that the NHS is a prime state asset, and that its rich patient data records have great potential to further medical research. Its data could be used to train systems using artificial intelligence to diagnose patients’ conditions, to manage risk, to target services and to take pre-emptive and preventive action—all developments with huge potential. I have discussed this matter with ministerial colleagues; not only do we want to see these technological developments, but we want the NHS, if it is to make any such deals, to make fair deals. The benefits of such arrangements are often not exclusively monetary.
NHS patient data is only ever used within the strict parameters of codes of practice and the standards set out by the National Data Guardian and other regulatory bodies. We of course recognise that we must continue in our efforts to make the best use of publicly held data, and work is already being carried out to ensure that the value of NHS patient data is being fully recognised. NHS England and the Department of Health and Social Care have committed to working with representatives of the public and of industry to explore how to maximise the benefits of health and care data for patients and taxpayers.
Lord Mitchell’s provision in clause 121 proposes that the commissioner publish a code of practice. However, if there is a problem, a code would seem to be an unduly restrictive approach. Statutory codes are by necessity prescriptive, and this is an area where the public may benefit from a greater degree of flexibility than a code could provide in practice, especially to encourage innovation in how Government use data to the benefit of both patients and taxpayers.
The Government are releasing public data to become more transparent and to foster innovation. We have released more than 40,000 non-personal datasets. Making the data easily available means that it will be easier for people to make other uses of Government-collected data, including commercial exploitation or to better understand how government works and to hold the Government to account. The benefits of each data release are quite different, and sometimes they are unknown until later. Lord Mitchell’s primary concern is health data, but can guidance on how that is used be equally applicable to the vast array of data we release? Such guidance would need to be so general that it would be useless.
Even if we stay focused on NHS data and what might help to ensure that the value of it is properly exploited, Lord Mitchell’s proposal has some significant problems. First, by definition, data protection legislation deals with the protection of personal data, not general data policy. Companies who enter into data sharing agreements with the NHS are often purchasing access to anonymised patient data—that is to say, not personal data. Consequently, the code in clause 121 cannot bite. Secondly, maintaining a register of data of national significance is problematic. In addition to the obvious bureaucratic burden of identifying the data that would fall under the definition, generating a list of data controllers who hold data of national significance is likely to raise a number of security concerns. The NHS has been the victim of cyber- attacks, and we do not want to produce a road map to resist those who want to harm it.
Thirdly, we do not believe that the proposed role is a proper one for the Information Commissioner, and nor does she. It is not a question of legislative enforcement and, although she may offer valuable insight on the issues, such responsibilities do not comfortably fit with her role as regulator of data protection legislation. We have consulted the commissioner on the amendments and she agrees with our assessment. In her own terms, she considers herself not to be best placed to advise on value for money and securing financial benefits from the sharing of such personal data with third parties. Those matters are far removed from her core function of safeguarding information rights. She adds that others in Government or the wider public sector whose core function it is to drive value from national assets may be a more natural home for providing such best practice advice.
I have the great pleasure of representing a constituency with one of the best medical research facilities in the world. One of the greatest impediments for that facility is getting access to anonymised NHS data for its research. Is the Minister saying that her amendment, which would remove the Lords amendment, would make it easier or more difficult for third parties to access that anonymised data?
I am ill-qualified to answer the hon. Gentleman’s question. Hypothetically, it would probably make it more difficult, but that is not our purpose in objecting to clause 121, which we do not see as being consistent with the role of the Information Commissioner, for the reasons I set out. However, he raises an interesting question.
I agree with Lord Mitchell that the issues that surround data protection policy, particularly with regard to NHS patient data, deserve proper attention both by the Government and by the National Data Guardian for Health and Care, but we have not yet established that there is any evidence of a problem to which his provisions are the answer. We are not sitting on our laurels. As I have already said, NHS England and the Department of Health and Social Care are working to ensure that they understand the value of their data assets. Further work on the Government’s digital charter will also explore this issue. When my right hon. friend the Prime Minister launched the digital charter on 25 January, she made it clear that we will set out principles on the use of personal data.
Amendment 122 removes Lord Mitchell’s amendment from schedule 13. We do this because it is the wrong tool; however, we commit to doing everything we can to ensure that we further explore the issue and find the right tools if needed. [Interruption.] I have just received advice that the amendments will make no difference in relation to the hon. Gentleman’s question, because anonymised data is not personal data.
I commend amendment 122 and give notice that the Government will oppose the motion that clause 121 stand part of the Bill.
I am grateful that the Minister made time to meet my former noble Friend Lord Mitchell. These are important amendments and it is worth setting out the background to why Lord Mitchell moved them and why we give such priority to them.
In 2009-10, we began to have a debate in government about the right approach to those agencies which happen to sit on an enormous amount of important data. The Government operate about 200 to 250 agencies, and some are blessed with data assets that are more valuable than those of others—for example, the Land Registry or Companies House sit on vast quantities of incredibly valuable transactional data, whereas other agencies, such as the Meteorological Office, the Hydrographic Office and Ordnance Survey, sit on sometimes quite static data which is of value. Some of the most successful American companies are based on Government data—for example, The Weather Channel is one of the most valuable and is based on data issued from, I think, the US meteorological survey. A number of Government agencies are sitting on very valuable pots of data.
The debate that we began to rehearse nearly 10 years ago was whether the right strategy was to create public-private partnerships around those agencies, or whether more value would be created for the UK economy by simply releasing that data into the public domain. I had the great pleasure of being Chief Secretary to the Treasury and the Minister for public service reform. While the strong advice inside the Treasury was that it was better to create public-private partnerships because that would release an equity yield up front, which could be used for debt reduction, it was also quite clear to officials in the Cabinet Office and those interested in public service reform more generally that the release of free data would be much more valuable. That is the side of the argument on which we came down.
After the White Paper, “Smarter Government”, that I brought to the House, we began the release of very significant batches of data. We were guided by the arguments of Tim Berners-Lee and Professor Nigel Shadbolt, who were advising us at the time, that this was the right approach and it was very good to see the Government continue with that.
There are still huge data pots locked up in Government which could do with releasing, but the way in which we release them has to have an eye on the way we create value for taxpayers more generally. Beyond doubt, the area of public policy and public operations where we have data that is of the most value is health. The way in which, in the United States, Apple and other companies have now moved into personal health technology in a substantial way betrays the reality that this is going to be a hugely valuable and important market in years to come. If we look at the US venture industry we can see significant investment now going into health technology companies.
The Minister is very generous. From that vantage point in the City, I was able to watch the level of ingenuity, creativity and innovation that was unlocked simply by the Government telling the world, “Here are the assets that are in public hands.” All sorts of ideas were floated for using those assets in a way that was better for taxpayers and public service delivery.
To the best of my knowledge, we do not have a similar data catalogue today. What Lord Mitchell is asking is for Ministers to do some work and create one. They can outsource that task to the Information Commissioner. Perhaps the Information Commissioner is not the best guardian of that particular task, but I am frustrated and slightly disappointed that the Minister has not set out a better approach to achieving the sensible and wise proposals that Lord Mitchell has offered the Government.
The reason why it is so important in the context of the NHS is that the NHS is obviously a complicated place. It is an economy the size of Argentina’s. The last time I looked, if the NHS were a country, it would be the 13th biggest economy on earth. It is a pretty complicated place and there are many different decision makers. Indeed, there are so many decision makers now that it is impossible to get anything done within the NHS, as any constituency MP knows. So how do we ensure that, for example, in our neck of the woods, Queen Elizabeth Hospital Birmingham does not strike its own data sharing agreement with Google or DeepMind? How do we ensure that the NHS in Wales does not go in a particular direction? How do we ensure that the trust across the river does not go in a particular direction? We need to bring order to what is potentially an enormous missed opportunity over the years to come.
The starting point is for the Government, first, to ensure we have assembled a good catalogue of data assets. Secondly, they should take some decisions about whether the organisations responsible for those data assets are destined for some kind of public-private partnership, as they were debating in relation to Companies House and other agencies a couple of years ago, or whether—more wisely—we take the approach of creating a sovereign wealth fund to govern public data in this country, where we maximise the upside for taxpayers and the opportunities for good public service reform.
The example of Hinkley Point and the unfortunate example of the Google partnership with DeepMind, which ran into all kinds of problems, are not good precedents. In the absence of a better, more concrete, lower risk approach from the Government, we will have to defend Lord Mitchell’s wise clause in order to encourage the Government to come back with a better solution than the one set out for us this morning.
I enjoyed the right hon. Gentleman’s speech, as it went beyond some of the detail we are debating here today, but I was disappointed with the conclusion. I did not rest my argument on it being just too difficult to organise such a database as proposed by Lord Mitchell; there are various reasons, chief among them being that we are here to debate personal data. A lot of the databases the right hon. Gentleman referred to as being of great potential value do not contain personal data. Some do, some do not: the Land Registry does not, Companies House does, and so forth. Also, the Information Commissioner has advised that this is beyond her competence and her remit and that she is not resourced to do the job. Even the job of defining what constitutes data of public value is a matter for another organisation and not the Information Commissioner’s Office. That is my main argument, rather than it being too difficult.
Happily, what sits within the scope of a Bill is not a matter for Ministers to decide. First, we rely on the advice of parliamentary counsel, which, along with the Clerks, was clear that this amendment is well within the scope. Secondly, if the Information Commissioner is not the right individual to organise this task—heaven knows, she has her hands full this week—we would have been looking for a Government amendment proposing a better organisation, a better Ministry and a better Minister for the work.
I can only be the Minister I am. I will try to improve. I was not saying that Lord Mitchell’s amendment is not within the scope of the Bill; I was making the point that some of the databases and sources referred to by the right hon. Gentleman in his speech went into the realms of general rather than personal data. I therefore felt that was beyond the scope of the Information Commissioner’s remit.
I share the right hon. Gentleman’s appreciation of the value and the uniqueness of the NHS database. We do not see it just in terms of its monetary value; as the hon. Member for Edinburgh South made clear in his intervention, it has tremendous potential to improve the care and treatment of patients. That is the value we want to realise. I reassure the right hon. Gentleman and put it on record that it is not my place as a Minister in the Department for Digital, Culture, Media and Sport, or the place of the Bill, to safeguard the immensely valuable dataset that is the NHS’s property.
Before the Minister concludes, given that she has focused so much on NHS data, can she update the Committee on the Government’s progress on implementing Dame Fiona Caldicott’s recommendations about health and social care data?
I cannot give an immediate update on that, but I can say that Dame Fiona Caldicott’s role as Data Guardian is crucial. She is working all the time to advise NHS England and the Secretary of State for Health and Social Care on how best to protect data and how it can deliver gains in the appropriate manner. I do not feel that that is the place of the Bill or that it is my role, but I want to reassure the Committee that the Secretary of State for Health and Social Care, to whom I am referring Lord Mitchell, is alive to those issues and concerns. The NHS dataset is a matter for the Department of Health and Social Care.
Amendment 122 agreed to.
Schedule 13, as amended, agreed to.
Clauses 117 and 118 ordered to stand part of the Bill.
Schedule 14 agreed to.
Clauses 119 and 120 ordered to stand part of the Bill.
Clause 121
Code on personal data of national significance
We debated clause 121 with schedule 13. For those who are interested, the Minister proposed that the clause should not stand part of the Bill, but the question remains “That the clause stand part of the Bill.” For the avoidance of confusion—I have only been here 26 years—those who, like the Minister, do not want the clause to stand part of the Bill should vote no.
Question put, That the clause stand part of the Bill.
The debate rehearsed in the other place was whether we should acquiesce in a derogation that the Government have exercised to set the age of consent for personal data sharing at 13, as opposed to 16, which other countries have adopted. There was widespread concern that 13 was too young. Many members of the Committee will have experienced pressing the agree button when new terms and conditions are presented to us on our updates to software on phones, or privacy settings presented to us by Facebook; privacy settings, it is now alleged, are not worth the paper that they were not written on.
Debates in the other place centred on what safeguards could be wrapped around children if that derogation were exercised and the age of consent left at 13. With Baroness Kidron, we were keen to enshrine in legislation a step towards putting into operation the objectives of the 5Rights movement. Those objectives, which Baroness Kidron has driven forward over the past few years, are important, but the rights therein are also important. They include not only rights that are enshrined in other parts of the Bill—the right to remove, for example—but important rights such as the right to know. That means that someone has the right to know whether they are being manipulated in some way, shape or form by social media technologies.
One of the most interesting aspects of the debate in the public domain in the past few months has been the revelation that many of the world’s leading social media entrepreneurs do not allow their children to use social media apps, because they know exactly how risky, dangerous and manipulative they can be. We have also heard revelations from software engineers who used to work for social media companies about the way they deliberately set out to exploit brain chemistry to create features of their apps that fostered a degree of addiction. The right to know is therefore very powerful, as is the right to digital literacy, which is another important part of the 5Rights movement.
It would be useful to hear from the Minister of State, who—let me put this beyond doubt—is an excellent Minister, what steps she plans to take to ensure that the age-appropriate design code is set out pretty quickly. We do not want the clause to be passed but then find ourselves in a situation akin to the one we are in with section 40 of the Crime and Courts Act 2013 where, five years down the line, a misguided Secretary of State decides that the world has changed completely and that this bit of legislation should not be commenced.
We would like the Minister to provide a hard timetable— she may want to write to me if she cannot do so today—setting out when we will see an age-appropriate design code. We would also like to hear what steps she will take to consult widely on the code, what work she will do with her colleagues in the Department for Education to ensure that the code includes some kind of ventilation and education in schools so that children actually know what their rights are and know about the aspects of the code that are relevant to them, and, crucially, what steps she plans to take to include children in her consultation when she draws up the code.
This is an important step forward, and we were happy to support it in the other place. We think the Government should be a little more ambitious, which is why we suggest that the rights set out by the 5Rights movement should become part of a much broader and more ambitious digital Bill of Rights for the 21st century, but a start is a start. We are pleased that the Government accepted our amendment, and we would all be grateful if the Minister told us a little more about how she plans to operationalise it.
I thank the right hon. Gentleman for his generous remarks. To recap, the idea that everyone should be empowered to take control of their data is at the heart of the Bill. That is especially important for groups such as children, who are likely to be less aware of the risks and consequences associated with data processing. Baroness Kidron raised the profile of this issue in the other place and won a great deal of support from peers on both sides of that House, and the Government then decided to introduce a new clause on age-appropriate design to strengthen children’s online rights and protections.
Clause 124 will require the Information Commissioner to develop a new statutory code that contains guidance on standards of age-appropriate design for online services that are likely to be accessed by children. The Secretary of State will work in close consultation with the commissioner to ensure that that code is robust, practical and meets children’s needs in relation to the gathering, sharing and storing of their data. The new code will ensure that websites and apps are designed to make clear what personal data of children is collected, how it is used and how both children and parents can stay in control of it. It will also include requirements for websites and app makers on privacy for children under 18.
The right hon. Gentleman cited examples of the consultation he hopes to see in preparation for the code. In developing the code, we expect the Information Commissioner to consult a wide range of stakeholders, including children, parents, persons who represent the interests of children, child development experts and trade associations. The right hon. Gentleman mentioned the Department for Education, and I see no reason why it should not be included in that group of likely consultees.
The commissioner must also pay close attention to the fact that children have different needs at different ages, as well as to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. The code interlocks with the existing data protection enforcement mechanism found in the Bill and the GDPR. The Information Commissioner considers many factors in every regulatory decision, and non-compliance with that code will weigh particularly heavily on any organisation that is non-compliant with the GDPR. Organisations that wish to minimise their risk will apply the code. The Government believe that clause 124 is an important and positive addition to the Bill.
Will the Minister say a word about the timetable? When can we expect the consultation and code of practice to be put into operation?
There should be no delay to the development of the code and the consultation that precedes it. If I get any additional detail on the timetable, I will write to the right hon. Gentleman.
Question put and agreed to.
Clause 124, as amended, ordered to stand part of the Bill.
Clause 125
Approval of data-sharing, direct marketing and age-appropriate design codes
Amendment made: 49, in clause 125, page 69, line 9, leave out “with the day on which” and insert “when” —(Margot James.)
This amendment is consequential on Amendment 71.
Clause 125, as amended, order to stand part of the Bill.
Clauses 126 to 130 ordered to stand part of the Bill.
Clause 131
Disclosure of information to the Commissioner
Question proposed, That the clause stand part of the Bill.
Clause 131 deals with disclosure of information to the Information Commissioner, and this is probably a good point at which to ask whether the Information Commissioner has the right level of power to access information that is pertinent to her investigations into the misuse of information. Thanks to The Guardian, The New York Times, and particularly the journalist Carole Cadwalladr, we have had the most extraordinary revelations about alleged misbehaviour at Cambridge Analytica over the past couple of years. Indeed, Channel 4 News gave us further insight into its alleged misdemeanours last night.
We have a situation in social media land that the Secretary of State has described as the “wild west”. Some have unfairly called the Matt Hancock app one of the features of that wild west, but I would not go that far, despite its slightly unusual privacy settings. None the less, there is now cross-party consensus that the regulatory environment that has grown up since the 2000 e-commerce directive is no longer fit for purpose. Yesterday, the Secretary of State helpfully confirmed that that directive will be modernised, and we will come on to discuss new clauses that suggest setting a deadline for that.
One deficiency of today’s regulatory environment is the inadequate power that the Information Commissioner currently has to access information that is important for her investigations. We have a wild west, we have hired a sheriff, but we have not given the sheriff the power to do her job of keeping the wild west in order. We now have the ridiculous situation that the Information Commissioner must declare that she is going to court to get a warrant to investigate the servers of Cambridge Analytica, and to see whether any offence has been committed.
Does my hon. Friend agree that this is also a question of access to the judiciary? Last night, the Information Commissioner had to wait until this morning to get a warrant because no judges or emergency judges were available. At the same time, we assume that Facebook was able to exercise its contractual right to enter the offices of Cambridge Analytica. Emergency judges are available for terrorism or deportation cases. Should there not be access to emergency judges in cases of data misuse for quick regulatory enforcement too?
If I wanted to hide something from a newspaper and I thought that the newspaper was going to print it inappropriately, I would apply for an emergency injunction to stop the newspaper running it. I do not understand why the Information Commissioner has had to broadcast her intentions to the world, because that has given Cambridge Analytica a crucial period of time in which to do anything it likes, frankly, to its data records. The quality of the Information Commissioner’s investigation must be seriously impaired by the time that it has taken to get what is tantamount to a digital search warrant.
Is the Minister satisfied in her own mind that clause 131 and its associated clauses are powerful enough? Will she say more about the Secretary of State’s declaration to the House last night that he would be introducing amendments to strengthen the Commissioner’s power in the way that she requested? When are we going to see those amendments? Are we going to see them before this Committee rises, or at Report stage? Will there be a consultation on them? Is the Information Commissioner going to share her arguments for these extra powers with us and with the Secretary of State? We want to see a strong sheriff patrolling this wild west, and right now we do not know what the Government’s plan of action looks like.
I just want to recap on what clause 131 is about. It is intended to make it clear that a person is not precluded by any other legislation from disclosing to the commissioner information that she needs in relation to her functions, under the Bill and other legislation. The only exception relates to disclosures prohibited by the Investigatory Powers Act 2016 on grounds of national security. It is therefore a permissive provision enabling people to disclose information to the commissioner.
However, the right hon. Member for Birmingham, Hodge Hill has taken the opportunity to question the powers that the Information Commissioner has at her disposal. As my right hon. Friend the Secretary of State said yesterday in the Chamber, we are not complacent. I want to correct something that the right hon. Member for Birmingham, Hodge Hill said. My right hon. Friend did not say that he would table amendments to the Bill on the matter in question. He did say that we were considering the position in relation to the powers of the Information Commissioner, and that we might table amendments, but we are in the process of considering things at the moment. I presume that that goes for the right hon. Gentleman as well; if not, he would surely have tabled his own amendments by now, but he has not.
The Minister will notice that I have tabled a number of new clauses that would, for example, bring election law into the 21st century. I think that the Secretary of State left the House with the impression yesterday that amendments to strengthen the power of the Information Commissioner would be pretty prompt. It is hard to see another legislative opportunity to put that ambition into effect, so perhaps the Minister will tell us whether we can expect amendments soon.
I can certainly reassure the right hon. Gentleman that we are looking at the matter seriously and, although I cannot commit to tabling amendments, I do not necessarily rule them out. I have to leave it at that for now.
On a more positive note, we should at least acknowledge that, although the Bill strengthens the powers of the Information Commissioner, her powers are already the gold standard internationally. Indeed, we must bear it in mind that the data privacy laws of this country are enabling American citizens to take Cambridge Analytica to court over data breaches.
I want to review some of the powers that the Bill gives the commissioner, but before I do so I will answer a point made by the right hon. Member for Birmingham, Hodge Hill. He said that the commissioner had had difficulties and had had to resort to warrants to pursue her investigation into a political party in the UK and both the leave campaigns in the referendum. She is doing all that under existing data protection law, which the Bill is strengthening. That is encouraging.
I did not want to intervene, but I have been struggling with the matter myself. There are allegations that a significant donor to Leave.EU was supported in that financial contribution by organisations abroad. As I spoke to the Financial Conduct Authority and tabled questions to the Treasury, it was revealed that there were no data sharing gateways between the Electoral Commission and the FCA.
I shall come back to the right hon. Gentleman on the relationship between the Information Commissioner and the FCA. I am sure that the information that he has already ascertained from the Treasury is correct, but there may be other ways in which the two organisations can co-operate, if required. The allegations are very serious and the Government are obviously very supportive of the Information Commissioner as she grapples with the current investigation, which has involved 18 information notices and looks as if it will be backed up by warrants as well. I remind the Committee that that is happening under existing data protection law, which the Bill will strengthen.
Question put and agreed to.
Clause 131 accordingly ordered to stand part of the Bill.
(6 years, 8 months ago)
Public Bill CommitteesOn a point of order, Mr Streeter. The Minister suggested this morning that the Secretary of State for Digital, Culture, Media and Sport had not committed to the House yesterday to introduce powers to strengthen the Information Commissioner. However, on checking Hansard over lunch, I noticed that the Secretary of State said that where there is non-compliance with an audit,
“there is a very serious fine, but the question is whether the criminal penalties that can be imposed in some cases should be further strengthened. That detail is rightly being looked at in the discussions on the Data Protection Bill.”—[Official Report, 19 March 2018; Vol. 638, c. 51.]
Most of us would assume that “further strengthened” meant that further powers would be suggested, but the Minister seemed to say this morning that that would not be the case. Could she clarify whether such amendments will be tabled?
It is up to the Minister to decide whether she wishes to respond to that point of order.
I hesitated, Mr Streeter, because I am not quite sure that I can clarify the matter. I cannot answer the right hon. Gentleman’s question. I reiterate that in answer to the important question about strengthening the Information Commissioner’s powers, my right hon. Friend the Secretary of State said yesterday:
“We are considering those new proposals, and I have no doubt that the House will consider that as the Bill passes through the House.”—[Official Report, 19 March 2018; Vol. 638, c. 49.]
In the context of the commissioner’s request for additional powers, he said:
“We are therefore considering the Information Commissioner’s request.”—[Official Report, 19 March 2018; Vol. 638, c. 52.]
The right hon. Gentleman’s point was recently made by the commissioner, so it is a point worth listening to. I can confirm that we are listening and reviewing, but beyond that, I cannot go.
As the Speaker himself might say, the right hon. Gentleman has been here a long time and will no doubt find other ways to pursue the matter. I am grateful for the point of order.
Clause 132 ordered to stand part of the Bill.
Clauses 133 to 139 ordered to stand part of the Bill.
Clause 140
Publication by the Commissioner
Question proposed, That the clause stand part of the Bill.
I was not planning to speak to this clause, but as it is relevant I will use the opportunity to give the right hon. Member for Birmingham, Hodge Hill further information. He asked about the code of conduct where the commissioner has a responsibility to publish the document about child-friendly regulation of websites. Clause 140 provides that the document can be published in a way the commissioner considers appropriate. Under clause 126, the Bill contains a duty to publish various codes of practice, including the age-appropriate design code. The Bill requires the commissioner to publish the age-appropriate design code within 18 months of Royal Assent, but as the matter is important and urgent, we will endeavour to do so sooner.
Question put and agreed to.
Clause 140 accordingly ordered to stand part of the Bill.
Clause 141 ordered to stand part of the Bill.
Clause 142
Inquiry into issues arising from data protection breaches committed by or on behalf of news publishers
I beg to move amendment 137, in clause 142, page 77, line 34, at end insert—
“(3) The Secretary of State must consult the Scottish Government and obtain its consent before establishing an inquiry under subsection (1).”
This amendment would ensure that before any inquiry was established, the UK Government must have consent from Scottish Government.
With this it will be convenient to discuss the following:
Clause stand part.
Clauses 168 and 169 stand part.
Government amendment 72.
Amendment 138, in clause 207, page 121, line 12, after “subsections” insert “(1A),”.
This amendment is a paving amendment for amendment 139.
Amendment 139, in clause 207, page 121, line 13, at end insert—
“(1A) Sections 168 and 169 extend to England and Wales only.”
This amendment would ensure that clauses 168 and 169 would only extend to England and Wales and not apply in Scotland.
Amendments 137, 138 and 139, which stand in my name and that of my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East, were tabled because we believe that the Bill is incompatible with the devolution settlement, trampling roughshod over areas of wholly devolved competence. Whether by accident or design, the Lords amendments on Leveson—in particular on section 40—that seek to impose a one-size-fits-all Truro to Thurso solution are wholly inappropriate, as they fail to recognise or take cognisance of the fact that in press regulation and criminal justice, to name just two fields, it is the Scottish Parliament, not this place, that has legislative competence. The three amendments draw that distinction and defend the devolution settlement, removing any lingering doubts as to where the hitherto clear legislative boundaries, which have existed since 1998, lie.
Amendment 137 relates to any future inquiry on press standards, styled as Leveson 2. The Scottish National party has been clear throughout that all individuals should be able to seek redress when they feel they have been the victim of press malpractice, and that it benefits each and every one of us to have media that are transparent and accountable. However, we have been equally clear that if there is to be a second part of the Leveson inquiry, the distinct legal context in Scotland must be taken into account. As press regulation and criminal justice are matters for the Scottish Parliament, it is that body that must be consulted about the scale and the scope of any future inquiry and how it will operate in Scotland. As long as the Scottish Government were consulted and the distinct Scottish legal system taken into account, we would be happy to support efforts to establish a second part of a Leveson inquiry because any reasonable person would agree that the terms of reference for that part of the inquiry have not yet been met.
It is unfortunate that we have had to table the amendments. It is not unreasonable to expect the House of Lords to know that press regulation and all the associated issues of the culture, practice and ethics of the press would fall under the devolved competence. A blanket UK-wide amendment would only negatively affect areas of devolved competence. We are disappointed that the amendments were necessary in the first place, but we sincerely hope that Members in all parts of the Committee support our attempts to respect the devolution settlement.
Amendment 139 would ensure that clauses 168 and 169 would extend only to England and Wales and would not apply in Scotland. Again, this is simply a case of our having to tidy up after the Lords. I want to put on record that there is no excuse for what we regard as lazy and entirely inappropriate amendments from the other place. By accident or design, those amendments take no cognisance whatsoever of which powers are devolved and which are reserved. For the future benefit of their lordships, let me say again what I have said on numerous occasions. Although data protection may well be an area of competence reserved to this place, press regulation and criminal justice are wholly devolved to the Scottish Parliament and have been for the past 20 years. If the Bill is not amended, the power of this Parliament will be extended into areas that are solely the preserve of the Scottish Parliament. I believe that will set a very dangerous precedent.
Not only does the Bill drive a coach and horses through the devolution settlement, but I would question why the House of Lords thought it in any way appropriate to apply section 40 of the Crime and Courts Act 2013 to the whole of the United Kingdom, because there is no such piece of legislation as the Crime and Courts Act in Scotland. It simply does not exist. Furthermore, the whole concept of exemplary damages, as I understand is being proposed, is not even recognised and has no equivalent in Scots law. If the Bill were passed unamended, it would force the Scottish Government to pass a legislative consent motion—something they have said they have no intention of doing because, as I said, press regulation and criminal justice are wholly devolved to the Scottish Parliament.
It is simply unacceptable for the UK Parliament to decide what should happen in Scotland with regard to press regulation; that is a job for the Scottish Parliament. The Scottish Government have made it clear that, although they are not opposed to press regulation and are having ongoing discussions with the Scottish media about how best to implement an independent press regulation system, it is for Holyrood to decide on a course of action, not to have it decided for them by Westminster. I fully expect the Government to seek to remove clauses 168 and 169 and the Opposition to seek to restore them on Report. I hope that, when the Labour Opposition do that on Report, they will ensure that what they bring back to the Floor of the House of Commons is compatible with the devolution settlement and that the proposed new clause will exclude Scotland from the section 40 legislation.
It is not enough for the Government to say that they understand and sympathise. I urge the Minister to accept our amendments because they preserve and protect the devolution settlement, which has worked well for the past 20 years in terms of press regulation and criminal justice. I ask the Minister and in particular Conservative Members representing Scottish constituencies to respect the devolution settlement and accept that what came back from the House of Lords flies in the face of the long-established devolution settlement. I ask them to accept that it is wholly inappropriate and inconsistent with Scots law and, therefore, support our amendments.
I want to say a few words in defence of the clause and touch on the amendments the Government have proposed. The substance of the clause is an attempt to ensure that we activate the second half of the Leveson inquiry, to look into allegations of collusion between the police and members of the fourth estate.
It is worth reminding ourselves of the absolute horror with which we all looked at the revelations about News International’s malpractice. The idea that individuals from national newspapers could hack phones of pretty much anybody in the country, including most notoriously the phone of poor Milly Dowler, sell that information and turn it into front-page newspaper stories, absolutely shocked us. Serious questions were asked about the way the police investigation was conducted. That is why the House united not just to begin the Leveson inquiry, but to propose a second part to look into the question of police collusion. That element was not possible at the time because of the cases that were coming to court, both civil and criminal. The solution proposed by Mr Cameron, the then Prime Minister, which I believe was supported by the present Secretary of State for Digital, Culture, Media and Sport, was that there should be a second half of the Leveson inquiry. Mr Cameron said:
“One of the things that the victims have been most concerned about is that part 2 of the investigation should go ahead—because of the concerns about that first police investigation and about improper relationships between journalists and police officers. It is right that it should go ahead, and that is fully our intention.”—[Official Report, 29 November 2012; Vol. 554, c. 458.]
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare an interest: I was a journalist for many years—I am no longer practising—although not in the hard-copy newspaper industry. Given my background, I take a deep interest in these matters.
I have a great deal of sympathy for the reasons for the Scottish National party tabling amendments 137, 138 and 139, and I absolutely understand the need for the tidying up that needs to be done to the amendment that has come from the other place, which appears to be addled in relation to the legal situation with the Scottish Parliament’s devolved powers. I fully understand why the Scottish amendments have been tabled, and I have sympathy with the view that the Lords amendment needs tidying up. However, I cannot support the SNP amendments simply because I do not want the amendment from the other place, to which they would be attached, to be part of the Bill at all. I will go through some reasons to explain why, but I want to put on the record my sympathy for the reason for them being tabled.
The hon. Member for Argyll and Bute described the amendment from the other place as “lazy” because it does not take into account the Scottish devolved powers. That is one description of it. It is also, frankly, a bit mysterious. I find it a little hard to understand why we are discussing this issue at all in relation to the Bill. That amendment and the section 40 amendment, which we will discuss later, were attached to the Bill in the other place in much the same way as one attaches decorations to a Christmas tree. They are not part of what we should be discussing, although I am grateful that we have the opportunity so to do, because that allows the Government to put their case, as I am sure Ministers will do shortly, and as my right hon. Friend the Secretary of State did in the House earlier.
As I set out in my speech on Second Reading, I believe strongly that we should reject the amendments that have come to us from the other place—in particular, the amendment relating to Leveson 2. I heard everything the right hon. Member for Birmingham, Hodge Hill said about the need for Leveson 2 and about victims needing their day in court. I am not putting words into his mouth—I do not think he used exactly that phrase, and I do not disagree—and there is indeed a difficulty in that, of course, there are still examples of reporters working for a variety of news organisations who are undertaking practices that are either immoral or illegal, or in some cases both.
Like the hon. Gentleman, I wish that the entire media operated with the editorial standards of BBC Essex and the Swindon Advertiser. I was struck by a remarkable statement: that he believes that the mispractice or malpractice still goes on—I have written down carefully the words that he used. I cannot, therefore, understand why the conclusion he draws from the persistence of malpractice is to look the other way and to shut down an inquiry into whether it took place and who the guilty are. I would be grateful if he can correct me on my misunderstanding.
Order. First, let me correct a possible misunderstanding. The right hon. Member for Birmingham, Hodge Hill mentioned that clauses 168 and 169 will be debated later. In fact, we are debating them as part of this group, as I tried to make clear when I introduced amendment 137.
Thank you for that clarification, Mr Streeter.
There is nothing remarkable about what I said. Quite clearly, there is still malpractice going on in the journalism industry. Is the right hon. Gentleman honestly trying to say that that is a remarkable thing to say?
It is not remarkable at all. Of course it is going on, but establishing and carrying out Leveson 2 would do nothing to solve that problem and nothing to bring justice to the members of the public who have been done wrong by that small number of journalists who are acting in that way. I do not know why the right hon. Gentleman finds that a remarkable statement to make.
As for the statement that he made on Second Reading—that the Government’s position is to say, “Nothing to see here—absolutely nothing happening”—that is not what the Government are saying at all. The Government’s position is clear: Leveson 2 simply would not do what I think the right hon. Gentleman and probably everyone in this room would like it to do, which is to be some sort of cleansing disinfectant that solves all the problems. It simply will not do that.
As much as I respect the hon. Gentleman’s omniscience, how could he possibly know that?
It is a big gamble to spend potentially £50 million when we are not sure whether it will have the required outcome. That is the point. The Lords amendment would start the Leveson 2 process, which would cost at a very conservative estimate £50 million, potentially last for a huge amount of time and still not get to the answer that we want. There must be better solutions.
I had started to discuss the fact that the landscape has changed and that the very framework in which we work has changed markedly since the former Prime Minister made the commitment to go ahead with Leveson 2. There have been huge changes. Not only have we had the Leveson 1 inquiry, which in its own terms of reference touched on many of the issues that the proposed Leveson 2 inquiry would cover, but we have had any number of changes, improvements, and reforms in the way the police and indeed the media operate. We have had Operations Elveden, Tuleta and Weeting, which included Operation Golding, all of which have investigated a wide range of practices in the interaction between the police and members of the media and journalists. At a total cost, incidentally, of about £40 million for those operations, they have done good work and all of them have resulted in significant reform.
When I first joined the journalistic trade, way back in 1986, there was malpractice on a scale that we would not believe, and it was completely normal for journalists to pick up the phone to a friendly police contact and get whatever information they wanted to write their next report. That was absolutely normal. It is not normal now. I am sure it still happens, but it is now not the norm, which is good. That is why we do not want to turn the clock back and commit ourselves to a very long inquiry—a Leveson 2 inquiry—which would not do what we want it to do.
Where malpractice occurs in the media, where cases such as those raised by the right hon. Gentleman come to light, and where members of the public are treated in the most despicable way by journalists, I want people to be able to have the right to redress, to have their day in court, and to be able to say, “This is what has happened and it must change,” but Leveson 2 would not do that. It would not provide the means by which that happened. That is why the Secretary of State for Digital, Culture, Media and Sport was absolutely right to make the decision and to say that Leveson 2 is not on the Government’s agenda, and nor should it go ahead. It is perhaps worth pointing out also that this Government were elected only nine months ago on a manifesto that specifically said that Leveson 2 would not go ahead. That was a manifesto commitment.
Mr Streeter, may I just seek absolute clarification from you? From your earlier instruction, are we now also talking about section 40?
Yes. Clauses 168 and 169. Clause 168 refers to section 40 of the Crime and Courts Act 2013.
Yes it does. May I go on to address that briefly as well at this point, if that is in order?
Thank you very much indeed.
I do not really have much to say. To be clear, we are considering the amendment made in the other place. It seeks to enact section 40 of the Crime and Courts Act 2013, which this Government and the Secretary of State have said we will not do—indeed, they have said that we wish to repeal section 40.
It is very clear in my mind that we need to reject the amendment made in the other place. There is a very straightforward reason, which is that section 40 does one key thing: it seeks to persuade media organisations, specifically newspapers, that have not signed up to a recognised regulatory body to do so by providing a financial inducement of the most “blunt instrument” kind.
I have here a document from the House of Commons Library; for the record, I emphasise that the House of Commons Library is neutral. The document discusses why section 40 of the Crime and Courts Act 2013 was introduced. The Library says that it was intended to
“coerce or incentivise publishers to become members of a recognised regulator”.
That is language that we should be worried about. The reason we should be more worried about what section 40 will do—it is pretty straightforward—is that if a member of the public brings a defamation action against a newspaper, it goes to court and the newspaper wins the case, that media organisation is still financially liable to pay the costs of both sides.
Quite simply, that will encourage a lot of entirely superfluous and vexatious legal actions to be brought by people who just have some kind of beef against the media and pockets bulging with cash that allows them to do so. When, as will inevitably happen, the media wins the case, because it was built on sand, the media organisations concerned will be put out of business by the requirement to pay the legal costs on both sides.
The Minister is cheering on the hon. Member, but will he for complete clarity remind the Committee who proposed this architecture in the first place? From memory, it was his right hon. Friends the Members for West Dorset (Sir Oliver Letwin) and for Basingstoke (Mrs Miller).
I was not in Parliament at the time. I have only been here for two and a half years. We go back to the point that I made in relation to the previous clause. The ground has shifted. We now know what the effect will be. The other place debated this in some detail; the arguments were put extremely strongly, and by a narrow majority their lordships, as is their right, passed the amendment and asked us to consider it. It is perfectly right that they are asking us to consider it. It is perfectly right that we say: “Up with this we will not put.” Section 40 will have precisely the opposite effect to what probably anyone listening would hope it to have. It will be an extraordinarily damaging measure for the future of the freedom of the press in this country. It will have the effect of preventing publication of material which is in the public interest and which is true, legitimate, and fair, because newspaper proprietors will not be able to afford the risk of going to a court case which they win but still have to pay the costs. It will be an incredible impediment to the free press in this country. For that reason more than any other we must reject the amendments that come from the other place.
One or two colleagues have caught my eye because I was not clear enough in my introduction to this section. I invite Mr Liam Byrne to readdress the Committee in relation to these clauses.
I am grateful to you, Mr Streeter, for setting that out so clearly. I want to speak in defence of clauses 167 and 168.
I am clearly an innocent abroad in a world that is not innocent. I struggle to follow the argument made by the hon. Member for North Devon. On the one hand he was pretty insistent that malpractice continued, but then invited us to believe that somehow the world had changed comprehensively. Either the world has changed or it has not. I fear that the world has changed a bit, but not enough, so there is still a need for an effective means of offering justice to those who have been maligned by newspapers.
The architecture set up by the right honourable Members for West Dorset and for Basingstoke was complicated. We have a fine tradition of a free press, going back to the restoration. One of the reasons why the industrial and scientific revolutions flourished in this country was that we had a culture of free speech—something that Voltaire admired greatly when he spent time in London. However, the reality is that bad behaviour by the press has destroyed people’s reputations without any real chance of recovery. In a world of social media, when reputations are destroyed, the smears stick to people like tar. They do not go away; they stay with people and scar them for life.
I shall be mercifully brief. As a print journalist for 15 years, I start by saying that the entire industry was genuinely horrified to learn of the extent and the offences that had been committed by organisations that, in the main and over many centuries, worked genuinely in the public interest. We should not forget that journalists who work in the media today, and were doing so while that was going on, are in the main trying to do the kind of public service that we would all defend. We should not underestimate the horror with which the industry greeted the stories of what happened to the Dowler family and many others, be they celebrities or other victims. I hope we would agree across the House that the media in the main have fulfilled that remit. I should also say, as did my hon. Friend the Member for North Devon, that I have a great deal of sympathy with the amendments proposed by the Scottish National party. We should prize consistency above all else in this area.
The right hon. Member for Birmingham, Hodge Hill said that he was surprised to learn that the Government did not seek to proceed with the second part of the Leveson inquiry. It was in our manifesto, so his surprise is surprising. I can only conclude that he did not read the Conservative manifesto. Perhaps he read the Labour manifesto and was so horrified he could not face reading another one.
The Labour one? Quite right. We should bear in mind the two things used in favour of the position taken by the Conservative party and the Government in the manifesto. The first, as my hon. Friend the Member for North Devon said, is that the world has indisputably moved on. Even Sir Brian Leveson agrees that the world has moved on. The challenges that face our modern media are not the challenges that would have been subject to the Leveson inquiry. The more important point is that, where there are legitimate concerns about the media and how people are treated, the solution to that is effective and independent regulation, and that is what we have now more than ever.
The hon. Gentleman served on The Daily Telegraph long enough to know that the IPSO code today bears a striking resemblance to the old editors’ code. Perhaps he could give us the benefit of his experience and tell us whether he is satisfied that the IPSO code meets the tests set out by Sir Brian Leveson and agreed in all parts of the House.
I will say two things. I had a mercifully limited engagement with what was then the Press Complaints Commission, although we did have to deal with some complaints in my small bit of the paper. Although we took it seriously, it is in no way comparable with the seriousness that IPSO is now taken. That might be down to the fact that the scale of the apology that can be demanded by IPSO, and has to be given, is exponentially greater. That is a crucial deterrent when it comes to the work done by journalists in the newsroom, who sometimes regard their editors as figures of great fear as much as great role models.
The other side is that we have a crucial low-cost arbitration system that allows people who are not of the means that the right hon. Gentleman described to bring cases against the media and get the redress they deserve when people make mistakes. Those are the two crucial differences between the PCC and IPSO. The latter is a fundamentally more powerful, very different regulator, but it has the credibility and independence that IMPRESS will simply never have.
The hon. Gentleman was an experienced and respected journalist and has a track record on which to draw in his reflections. He did not quite answer the question whether he thought the code of conduct that IPSO regulates meets the tests set out by Sir Brian Leveson and agreed on both sides of the House. Will he reflect on whether the code of conduct is prone to changes driven through by newspaper editors? There is no guarantee that newspaper editors cannot influence that code, and its shape and bite, in the years to come.
The right hon. Gentleman is right that there is a continuous thread to the sensible key principles of press regulation, and for journalists to have a role in shaping those is not entirely illegitimate. None the less, we must bear in mind that those principles should serve the public before they serve the press. That is what is in the principles that Sir Brian Leveson sought to suggest. The right hon. Gentleman is right that we agree on those on both sides of the House, and that IPSO strikes the right balance. The sense that both the world and the regulator have changed should reassure both Opposition Members and members of the public who would like the Government to secure a free but sensibly regulated press that serves all of us.
Surely my hon. Friend shares my concern, and more to the point the public’s concern, that state interference smacks of all the wrong things the Government do and undermines the free press, on which we depend on a national and a local scale.
I agree, which is why IPSO rather than IMPRESS strikes the right balance between the two. The right hon. Member for Birmingham, Hodge Hill made great play of David Cameron promising IPSO, but I would make great play of Government delivering on the manifesto pledges they made when they fought an election in 2017. Not doing what he set out also delivers on a promise—the more recent promise should take precedence.
My hon. Friend the Member for North Devon powerfully made the case against section 40, which seeks to punish the victim. That would obviously have a clear chilling effect not only on our local newspapers, which are often on the brink of bankruptcy, but on the broader media. We can look at fantastic pieces of journalism even today, such as the one about Cambridge Analytica. The Guardian itself says, “Please, we would like your donations so we can keep our valuable journalism free”—the paper has had to fight off three pieces of legal action by Cambridge Analytica and one from Facebook. Those huge corporations seek to shut down legitimate investigation, and the right hon. Member for Birmingham, Hodge Hill suggests that if they were to bring and win cases, The Guardian should pay for them. That is an extraordinary position to take.
I am sure the right hon. Gentleman is about to assure me that he is not taking that position.
Let us be real about this. The idea that companies such as Facebook or Cambridge Analytica will desist from legal action to shut down stories that they do not like—the idea that that will not happen at any time in the future, even under the existing regimes—is for the birds. The argument that is better made by some of the hon. Gentleman’s colleagues is to do with the risk to local newspapers, most of which are now owned by Trinity Mirror, which makes tens of millions of pounds in profit, or the Johnston Press. The point is that vexatious claims can be shut down and thrown out at any one of three stages by the regulator or, before the case goes to arbitration, by the arbitrator or by a judge, so the incidence of costs arising will not be on the scale the hon. Gentleman anticipates. Equally, he must accept that, without a form of low-cost arbitration, justice is denied to people who are maligned by newspapers.
I enjoyed the right hon. Gentleman’s speech, but I disagree with him profoundly. I worked for a newspaper that had, by comparison with our local papers, an enormous budget. The threat of having to pay the legal bills of Facebook and Cambridge Analytica would have a profoundly chilling effect, even at the very highest level of journalism.
Is my hon. Friend as concerned as I am that The Times journalist who uncovered the Rotherham child abuse scandal said that it would have been inconceivable—that is the word he used—for the newspaper to have run that story on its front page had section 40 been in place? How would that have damaged the investigation?
Exactly—there are a number of such examples. Opposition Members might wish to imagine that the so-called Fleet Street media has money to burn and could not care less about paying all sorts of legal costs. However, we all know that these businesses have to mind every penny, whether they are profitable or not. It is legitimate for them to do that. If every single investigative journalist was constantly living under the threat of their piece of work costing their newspaper and their boss tens of thousands of pounds, they simply would not get hired, never mind allowed into print.
Finally and very briefly, the hon. Gentleman is making an eloquent argument. Why, then, was that proposed by the right hon. Members for West Dorset and for Basingstoke? How did they get it so profoundly wrong?
That is a fascinating philosophical question, but I can only tell the right hon. Gentleman that I would not have voted for it. I appreciate that he will say that it is easy for me to say that now, but the idea that people in this place would be convinced that it is the best possible model is simply not plausible after the statements that my hon. Friend the Member for North Devon and I have made today. Surely we need a set of press regulations that preserves the independence of the media, and their ability to invest in journalism at local and national level, which we all want if we are to hold the powerful to account. We also need regulations that allow hon. Members to say with a clear conscience that we have done nothing that puts those businesses in serious jeopardy.
It does not seem to me that a costly Leveson 2 is the best use of public money, or that the threat of section 40 will ever be the best use of private money, putting legitimate local and national media out of business. Those arguments seem to me like a powerful case for IPSO, and for a sensible look at the sustainability of the press, as the Prime Minister has set about doing. They do not under any circumstances seem to me like a good reason to vote for the amendments.
I will set out the Government’s position on clauses 142, 168, 169 and 205, before returning to the amendments in the name of the hon. Member for Argyll and Bute.
As we have heard, clause 142 requires the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. The Government set out our intention not to reopen the Leveson inquiry in our response to the consultation on the future of the inquiry on 1 March. I will not repeat the arguments in full, but I will say that the Government’s firm focus is on the problems faced by the media right now.
The Government recognise that there is a great deal of feeling on both sides of the debate. We have listened to all views, including those of victims, in reaching a decision. No one seeks to excuse the past behaviour of individual media organisations, nor to legitimise it. As the right hon. Member for Birmingham, Hodge Hill said, some of the stories we heard at the beginning of the Leveson inquiry were horrific. The Government have a duty, however, to make decisions that are proportionate and in the public interest. In the light of all the evidence available, it is apparent that part 2 of the inquiry is no longer appropriate or proportionate.
Part 1 of the inquiry lasted over a year, and heard evidence from more than 300 people, including journalists, editors and victims. Since then, the majority of the Leveson recommendations have been implemented. Three major police investigations examining a wide range of offences have been completed. More than 40 people were convicted, some of whom were sent to prison. There have also been extensive reforms to policing practices, and significant changes to press self-regulation.
As a result, the terms of reference for part 2 have largely been met, and the culture that allowed phone hacking to become the norm has changed. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and gaining revenue from online content. Free and vibrant media are vital to democratic discourse, and we need to tackle those challenges urgently. Holding a costly and time-consuming public inquiry looking predominantly backwards is not the right way to go.
The Government are committed to addressing these issues, and we are developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to keep people safe online and to ensure that personal information is used appropriately. As part of that, we are also undertaking work to ensure that there are sustainable business models for high-quality media online. The media landscape is different and the threats are different, too. Issues such as fake news mean there is a need to protect the reliability and objectivity of information.
Likewise, clauses 168 and 169 are similar to the provisions contained in sections 40 and 42 of the Crime and Courts Act 2013, but apply to breaches of data protection law only. The Government do not believe that introducing a provision similar to section 40 of the 2013 Act into the Bill is appropriate, but in relation to data protection only. That is particularly so given our decision earlier this month to repeal section 40 when there is a suitable legislative vehicle. In coming to that decision, we considered all the available evidence, including the views of respondents to the public consultation that we undertook last year. Many respondents cited concerns about the chilling effect that section 40 would have on the freedom of the press, which was so ably summed up by my hon. Friend the Member for Boston and Skegness.
Will the Minister tell the Committee why she supported it when it came to a vote last time?
The right hon. Gentleman has made great play of the former Prime Minister’s statement. I remind him that that statement was given six years ago. Much has changed since. My hon. Friend the Member for North Devon tried to make the point that, although we cannot rule out that egregious conduct is still going on in the press, as I imagine there is in virtually every other sector of society, we can agree that much has changed and improved. That is why the Government have changed their direction. I hope that satisfies the right hon. Gentleman.
It is a pleasure to serve under your chairmanship, Mr Streeter.
On that point, the Minister accepts that egregious activity could be taking place across the industry but does not think that the proposal is the appropriate vehicle for dealing with it. She believes that the digital charter is the appropriate vehicle, but what evidence is she using to ensure that that addresses the egregious activity?
I want to correct one thing that the hon. Gentleman said: I did not say that that activity was taking place across the industry; I said that it was still taking place. Indeed, we have heard the horrendous allegations made by John Ford, albeit referring to behaviour that predates 2011. He alleges that it is still going on. I am not denying that it probably is still carrying on in pockets, but I would not say that it is widespread.
Press self-regulation has changed significantly in recent years with the establishment of IPSO, which follows many of the principles set out in the Leveson report. As so few publishers have joined a regulator recognised under the royal charter, commencement of section 40 would have a chilling effect on investigative journalism, which is so important to a well-functioning democracy.
It is a pleasure to serve under your chairmanship, Mr Streeter. We keep hearing about the chilling effect—it is well rehearsed—but could the Minister confirm that it could be entirely avoided if newspapers sign up to an appropriate regulator, which does not have to be IMPRESS? It is not a difficult thing to do.
Currently, IMPRESS is the only regulator recognised under the royal charter. I cannot speak for the press. There was a heated debate when the legislation went through Parliament. The press decided as one not to join what they perceived as a state-backed regulator. IPSO now does the job, albeit the Financial Times and The Guardian alone among the broadsheets have not joined IPSO.
The media landscape has changed. As I noted earlier, high-quality journalism is under threat from the rise of clickbait and fake news, from difficulties in generating revenue online to replace the revenue that used to flow from printed sources, and from the dramatic, continued rise of largely unregulated social media. If implemented, section 40 could impose further financial burdens on publishers, particularly at local level—200 local papers have closed in the last decade.
On top of that, the amendments made in the other place undermine our Scotland and Northern Ireland devolution settlements—that point was ably made by the hon. Member for Argyll and Bute. The proposed new clauses seek to legislate on a UK-wide basis despite press regulation being a reserved matter for the devolved Administrations, which brings me to amendments 137, 138 and 139 in the name of the hon. Gentleman.
The Government are sympathetic to the hon. Gentleman’s arguments for reasons I have set out. We will nevertheless push instead for the removal of those clauses from the Bill in their entirety. Similarly, while we agree with the sentiment of amendment 137, which seeks to require the Government to obtain the Scottish Government’s consent before establishing an inquiry under clause 142, we note that there is already a consultation requirement to that effect in the Inquiries Act 2005. Such an amendment is therefore unnecessary.
To conclude, high-quality news provision is vital to our society and democracy. I know there is shared interest across the House in safeguarding its future, and the Government are passionate about and working to deliver it. We believe that the clauses would work against those aims and cut across the work we are doing to help strengthen the future of high-quality journalism, and will therefore oppose their continued inclusion in the Bill.
I take on board what the Government say and appreciate that they have accepted the principle of the amendment, but I still intend to push it to the vote. It is essential that the devolution settlement is protected in as broad and deep a way as possible. I understand that they would seek to remove the entire clause, but if the clause is passed and de-amended, it has serious consequences for the devolution settlement. For that reason we will be pushing it to the vote.
Question put, That the amendment be made.
I beg to move amendment 51, in clause 143, page 77, line 37, after “notice”)” insert “—
(a) ”.
See the explanatory statement for Amendment 52.
With this it will be convenient to discuss Government amendments 52, 54, 126 and 58.
The Information Commissioner has a breadth of corrective powers at her disposal to investigate breaches of data protection legislation. One such power is the ability to issue an information notice on a data controller requesting that they provide the commissioner with specified information. Article 2 of the general data protection regulation states that certain types of processing of personal data, including purely personal or household activities, are exempt from the provisions of the GDPR. That includes the list of all those hon. Members who deserve a Christmas card this year.
Although such processing is exempt, it is important that in certain situations the Information Commissioner is able to verify that the processing actually meets this test and does not fly under the radar of GDPR requirements unduly. Government amendments 51 and 52 will ensure that the Information Commissioner is able to issue an information notice, in order to determine whether the process is genuinely being undertaken in the course of a purely personal or household activity.
Government amendment 54 is a consequential amendment. It ensures that the reference to processing of personal data in the subsection added by Government amendment 52 means any type of processing, pulling on the definitions provided in subsections (2) and (4) of clause 3, rather than those under parts 2, 3 or 4, none of which apply to processing in the course of purely personal or household activities.
Government amendments 58 and 126 make further consequential changes to clause 159 and paragraph 9 of schedule 16. The amendments ensure that certain safeguards for controllers and processors in the context of enforcement action extend to all persons, since their exact status may in fact be the source of dispute.
All in all, this is a common sense set of changes that enjoy the full support of the Information Commissioner’s Office.
Amendment 51 agreed to.
Amendments made: 52, in clause 143, page 77, line 40, at end insert “, or
(b) require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.”
This amendment and Amendments 51 and 54 enable the Information Commissioner to obtain information in order to work out whether processing is carried out in the course of purely personal or household activities. Such processing is not subject to the GDPR or the applied GDPR (see Article 2(2)(c) of the GDPR and Clause 21(3)).
Amendment 53, in clause 143, page 78, line 23, leave out
“with the day on which”
and insert “when”.
This amendment is consequential on Amendment 71.
Amendment 54, in clause 143, page 78, line 30, at end insert—
“(10) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (1)(b).”—(Margot James.)
This amendment secures that the reference to “processing” in the new paragraph (b) inserted by Amendment 52 includes all types of processing of personal data. It disapplies Clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.
Question proposed, That the clause, as amended, stand part of the Bill.
In this of all weeks, it is particularly relevant that we debate this clause, which relates to information notices, and the powers and enforcement sanctions available to the Information Commissioner, given the horrendous breaches of our data regulation that have been exposed by Channel 4 and The Guardian.
The Secretary of State for Digital, Culture, Media and Sport told the House yesterday that the Information Commissioner was seeking further powers to compel compliance with information notices, testimony from other individuals in complex investigations, such as that into Cambridge Analytica, and criminal sanctions for breaches of information notices.
Under the current data protection legislation, breach of information notice is a criminal offence that carries a custodial sentence. The maximum sentence under this Bill is only a fine. That is a significant weakening of the data protection regime and its sanctions. Indeed, in her own evidence, the Information Commissioner said:
“The new approach in the Bill of failure to comply with an”
information notice
“no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent, as data controllers with deep pockets might be inclined to pay the fine, rather than disclose the information being requested.”
I would be grateful if the Minister could set out exactly why the Government have decided to weaken the powers given to the Information Commissioner and the sanctions available to her.
Crucially, the Information Commissioner has requested the power to compel compliance with information notices. As things stand, it is an offence not to deliver information, but the Information Commissioner does not have the power to demand compliance with information notices. She has said that that puts us out of step with our closest EU member state neighbour, Ireland, which has a much stronger data protection regime, with much tougher sanctions and, indeed, powers to compel compliance with an information notice.
That gap in the Information Commissioner’s enforcement powers has not caused significant problems up to now, because formal action has largely centred on security breaches or contraventions of the privacy and electronic communications regulations. In such cases, the commissioner rarely needs to use her information notice powers, because the evidence of a contravention is usually clear and in the public domain.
Where the Information Commissioner has used her enforcement powers against a data controller for contraventions of the data protection principles under the Data Protection Act, she has generally found data controllers to be co-operative because, under the current framework, financial penalties are reserved only for the most serious contraventions of the law. However, as investigations become more complex—and as we are seeing this week—the Commissioner will be unable to obtain the information she needs.
The Minister has said that the Government are considering potential amendments to the Bill, as laid out by the Secretary of State yesterday. It is baffling, however, that those amendments have not already been tabled, given that the Information Commissioner suggested them in her written evidence earlier in the process. The provisions represent a serious weakening of the existing regime and a failure of the Government to step up to the plate on the matter of the complex investigations conducted by the Information Commissioner.
I do not accept that this Bill represents a reduction in the powers of the Information Commissioner, and I do not think that that is her view either. Obviously, I accept what she said in response to questioning from Select Committee on Digital, Culture, Media and Sport. As I have already said, my right hon. Friend the Secretary of State is considering her request, and we are working on the areas where she feels there is a shortfall.
I reassure the Committee that the Bill strengthens ICO’s overall powers. The hon. Member for Sheffield, Heeley has mentioned fines. There are fines of up to 4% of global turnover, or £17 million, both for malpractice itself and for blocking investigations and inquiries mounted by the ICO.
One way in which the Government could row in behind a frustrated Information Commission would be to deny Government contracts to companies that are behaving badly. I understand that Cambridge Analytica has Government contracts with both the Foreign Office and the Ministry of Defence. Are they under review?
I cannot speak for either of those Departments. We are debating the powers of the ICO rather than contractual matters between private companies and Government Departments. I accept that that is a moot point, but it is not the purpose of this Bill Committee to go into those details.
To return to the points raised by the hon. Member for Sheffield, Heeley, we are strengthening the powers of the Commissioner. We are extending her current power to serve assessment notices on data controllers in public sector bodies to all data controllers across the private sector as well. Those assessment notices will require them to provide evidence of their compliance with the law, and there is now the power to enforce assessment notices by obtaining a warrant to exercise search and seizure powers on behalf of the ICO. The Bill also creates a criminal offence for obstructing a warrant, which is subject to both fines and a criminal record. We are strengthening in those areas and also increasing fines substantially.
I understand that the Minister cannot answer the detailed question about Government contracts with, for example, Cambridge Analytica, but does she think, philosophically, that a Government would and should reconsider contracts with companies that are not complying with a reasonable request made by the Information Commissioner?
The right hon. Gentleman makes an entirely reasonable point. As I said earlier, I cannot go into it in a debate on this particular Bill, other than to say that he makes a reasonable point.
Clause 143 provides the commissioner with the power to issue an information notice. This is a type of notice that requires a controller or processor to provide the commissioner with specified information within a certain time period.
Question put and agreed to.
Clause 143, as amended, accordingly ordered to stand part of the Bill.
Clause 144 ordered to stand part of the Bill.
Clause 145
False statements made in response to an information notice
Question proposed, That the clause stand part of the Bill.
The operation of clause 145 is a matter of great public concern this week, because of the revelations that an app that sat on Facebook collected data for a particular purpose, but they were then re-used by Cambridge Analytica for an entirely different purpose, to bend the outcome of particular elections and, quite possibly, referendums too. Facebook had made a statement that the matter had been resolved a couple of years ago and that the relevant data in question had been deleted. The story has developed over the past 24 hours and former Facebook employees are now alleging that it was not simply 50 million records that were collected for one purpose and re-used for another; there may have been hundreds of millions of records collected for one purpose and used for another.
How will clause 145 bite on a company such as Facebook that may be responding to an information notice issued by the Information Commissioner? The company may have told the Information Commissioner that it was all fine, the data was all deleted and everyone was perfectly satisfied, but a couple of years later it transpires that that is not the case. What would then happen to a company such as Facebook? Is the Minister satisfied that the proposed sanctions and penalties are strong enough? It is not clear to me, given what we now know, that these sanctions are strong enough at all.
We are debating a suite of powers as part of the overall powers with which the Bill reinforces the Information Commissioner’s Office. It is not just about clause 145. If a company discloses information unlawfully, there is also a separate offence in clause 170. We are not relying on one clause alone.
Earlier, we debated the requirement for law enforcement agencies to conduct data protection impact assessments ahead of developing or using any new filing system, and we debated several examples of what those filing systems or methods of data collection could be, including automated facial recognition software, automatic number plate recognition and the use of algorithms to determine decisions made in the criminal justice system.
In relation to the clause, the Information Commissioner has requested that she be given the power to impose corrective measures where necessary, when a data protection impact assessment has revealed that the processing of that personal data is of high risk to individuals and where there are no measures to mitigate that risk in relation to law enforcement processing, as she has for other processing. She maintains that a different approach to law enforcement is not justified and might lead to adverse consequences in an important area affecting individuals. That is important because it gives weight to the important aspects raised earlier that require law enforcement agencies to conduct that DPIA. There is little point asking organisations and data controllers to conduct impact assessments and then, even when they are falling short dramatically, to let them carry on conducting assessments and collecting data in that way.
In evidence, the Information Commissioner has said that part 3 of the Bill
“requires these types of assessment to be undertaken”
and provides
“for requirements to consult the Commissioner where such a high risk is present but measures cannot be put in place to mitigate these. They also provide requirements for the Commissioner to use her corrective powers in relation to GDPR but the way the Bill is drafted these corrective powers will not be available in relation to concerns arising from a DIPA involving law enforcement processing. Nor are there any powers available to ensure that the Information Commissioner can take action if a DIPA for law enforcement processing is not carried out when required.”
Not only are there no enforcement powers if the DPIA is conducted and falls short, but the Information Commissioner is not provided with any powers under this legislation to compel a DPIA to take place. Given, as we discussed earlier, the serious threats not just to data rights, but to prevention with respect to an individual’s rights to liberty and freedom, it is very serious indeed if law enforcement agencies will be able to carry out impact assessments without any adherence to the provisions in the Bill.
The Information Commissioner says:
“Having the ability to issue corrective measures based upon the DPIA or indeed requiring a DPIA to be undertaken when it should have been, is an important measure which is missing in relation to law enforcement processing”.
The commissioner has raised her concerns with the Government and suggested drafting solutions. Will the Minister clarify why those were not introduced in Committee?
The clause gives the commissioner the power to issue an enforcement notice, which requires a person to take steps or refrain from taking steps specified in the notice. For example, the commissioner can use an enforcement notice to compel a data controller to give effect to a data subject if they have otherwise failed to do so. Section 40 of the Data Protection Act 1998 made similar provision. In respect of the hon. Lady’s questions concerning the law enforcement aspects of the clause and the need for impact assessments, and the powers that the ICO might need to ensure that those impact assessments are done and are appropriate, I will have to write to her on the details of those latter points.
Question put and agreed to.
Clause 148 accordingly ordered to stand part of the Bill.
Clause 149
Enforcement notices: supplementary
Amendment made: 56, in clause 149, page 83, line 36, leave out “with the day on which” and insert “when”.—(Margot James.)
This amendment is consequential on Amendment 71.
Clause 149, as amended, ordered to stand part of the Bill.
Clause 150
Enforcement notices: rectification and erasure of personal data etc
Question proposed, That the clause stand part of the Bill.
The clause bites on the question of individuals’ rights to the erasure of personal data and rectification. I want to give the Minister an opportunity to update the Committee on her conversations with media, culture and other organisations about how she is going to balance the implementation of clause 150 with the ambitions of those organisations to protect archives—not just archives of very large sets of artefacts, such as the Natural History Museum, but those that are run by News UK or Trinity Mirror or the BBC.
The risk that is obviously posed by those organisations is that they often rely on very good, detailed and often quite old archives of news information. The scenario that was put to us last night by lawyers representing a number of those organisations that wanted to give us their views about clauses 168 and 169 was that successful journalism—whether The Daily Telegraph or the Swindon Advertiser—will often rely on excellent archives.
If rich individuals are seeking to create a different truth and a different history, and to exercise their rights under the clause, a risk will be created for those media organisations. I am more worried about the media organisations’ rights than I am about the Natural History Museum and the BBC, because I think the Minister’s Department will do a good job of working out where to put that grey line round what should be protected and what is up for grabs. The example put to us last night was of rich individuals seeking to create a different kind of history—a different kind of past—to bend deliberately the future of reporting by eradicating a record that might be true. The risk that was put to us is that, very often, newspaper legal directors—the poor things often have to advise on this decision—will sometimes conclude that the game is just not worth it and therefore give in to the rich individual to avoid damaging and expensive legal action and delete the records from their archives.
This is a difficult area, where balances have to be struck, but it is a form of litigation that will doubtless continue into the future. We might have just decided to deny access to ordinary people to correct media malpractice, but rich individuals will continue to bring their cases. Will the Minister tell us how the balance will play out in practice? How do we protect the rights of news organisations to run good archives for the benefit of public interest journalism in the future?
The clause makes additional provision for enforcement notices where the subject matter of the notice relates to the controller or processor’s failure to comply with the data protection principle of ensuring accuracy. The clause may also apply where a controller or processor has failed to comply with the data subject’s rights on rectification, erasure or restriction of processing under articles 16 to 18 of the general data protection regulation.
We touched on the issue of archives in one of the Committee sittings last week. I explained to the Committee that there is protection for archives under the GDPR, whether they be those of news organisations or of academic sources. We are aware of the concerns expressed by organisations representing archives, and I agree with the right hon. Gentleman that quality journalism often depends on the use of such archives. However, I assure him that my Department will defend the rights of journalists and the press as tenaciously as we would defend the rights of archivists in the great museums of our country against the distortions that he gave as examples of people perhaps wanting to use the right to be forgotten in an excessive manner and in a bid to rewrite history. We are aware of such individuals, and we are comfortable that the GDPR prevents those abuses.
Question put and agreed to.
Clause 150 accordingly ordered to stand part of the Bill.
Clauses 151 and 152 ordered to stand part of the Bill.
Clause 153
Powers of entry and inspection
Question proposed, That the clause stand part of the Bill.
Again, on this point, we would benefit from some clarification from the Minister. The story that broke this morning was that the Information Commissioner had, in effect, to go to court to get her warrant to investigate what Cambridge Analytica was up to. There was some speculation as to why Facebook was able to exercise some contractual rights and turn up at the offices of Cambridge Analytica to conduct an inspection. The reports are that, as the situation played out, the Information Commissioner had to tell Facebook legal officers to stand down and to stop what they were doing. As it happened, Facebook wisely decided to follow the Information Commissioner’s orders.
A matter of great concern is that the Information Commissioner has to go through what sounds like a laborious process to get the warrant needed to conduct an investigation that is obviously in the public interest. When we secure, for example, emergency injunctions to stop the publication of material that people do not want published, or when magistrates issue search warrants, most of us with experience of this at a local level would observe that such warrants are often issued in a much faster and less high-profile way than the process the Information Commissioner appears to have to go through.
In effect, Cambridge Analytica has had 48 hours’ notice of the Information Commissioner’s concerns—[Interruption.] I am sorry, but I do not know whether the Minister wants to intervene on that—
I am sorry, Mr Hanson. I was not sure whether the Home Office Minister wanted to clarify that point. We know that warrants have to be sought and judicial oversight is important, but the process appears slightly cumbersome. I wonder whether the Minister can tell us whether she is satisfied that the process and the powers that we will equip the Information Commissioner with are as smooth and slick as the new enforcement environment requires.
I remind the right hon. Gentleman that, in this case, the Information Commissioner is acting under the existing powers in the Data Protection Act 1998, but she is pursuing warrants where she has to get them to continue her investigation. She has issued 12 information notices—I might have said this earlier—pertaining to Cambridge Analytica, and she plans to issue another six this week. One of those notices has been challenged, but she is now issuing a demand for access and she is getting where she needs to get. She was very surprised to read that Facebook had decided to plough into the offices of Cambridge Analytica when it was itself under investigation. She must have thought that an extraordinary course of action, but as soon as she intervened, Facebook desisted and removed itself from the offices of Cambridge Analytica to enable her to undertake her inquiries.
That is of course all happening under the existing legislation. The Bill will provide new powers, including the ability to serve assessment notices, backed up by warrants if they are not complied with.
Question put and agreed to.
Clause 153 accordingly ordered to stand part of the Bill.
Schedule 15 agreed to.
Clause 154
Penalty notices
I beg to move amendment 179, in clause 154, page 85, line 39, leave out from the beginning to “when” and insert “Subject to subsection (3A),”.
This amendment and amendment 180 provide that the requirement in clause 154(2) and (3) for the Commissioner to have regard to listed matters when deciding whether to give a penalty notice, and determining the amount of a penalty, applies not only in the case of failures described in clause 148(2), (3) or (4) but also in the case of failures to comply with an information notice, an assessment notice or an enforcement notice.
As part of the Information Commissioner’s suite of corrective powers, she can issue penalty notices to data controllers requiring them to pay a fine. Fines can be issued where a controller has failed to comply with a previous notice or where significant breaches of data protection legislation have taken place. Members will be aware from our debate this afternoon that the maximum such penalty will increase from £0.5 million to £17 million, or 4% of global turnover, for the most serious breaches.
When imposing a penalty for breaches of the GDPR, the commissioner must follow the procedures set out in article 83 of the GDPR, which include acting on a case-by-case basis; ensuring that the fine is effective, proportionate and dissuasive; and taking into account various factors. Because law enforcement and intelligence services processing falls outside the scope of the GDPR, the clause makes parallel provision in respect of breaches of those parts of the Bill, including by listing matters that the commissioner must take into account when deciding whether to issue a fine for that type of processing and when determining the magnitude of that fine.
Government amendments 179 and 180 make it clear that, when considering a person’s failure to comply with notices—an information notice, for example—the commissioner is to have regard to the matters listed in article 83(2) of the GDPR and, in relation to law enforcement processing and intelligence processing, to clause 154(3) and (4) of the Bill. Clause 154 prescribes such requirements only for decisions regarding the issuing of a monetary penalty notice in relation to certain failings. The commissioner has powers to prepare guidance on how she uses her enforcement powers, so she could decide, as a matter of policy, to have regard to those matters in relation to other failings. However, the Government’s view is that there should be a requirement for her to do so in the Bill.
Government amendment 57 makes an addition to clause 154(3)(c) to ensure that the Information Commissioner takes into account any actions the controller has taken to mitigate not only damages, but distress suffered by the data subject. The amendment will bring the clause into line with other similar clauses in the Bill, where the Information Commissioner must take into account damage or distress caused. They include clause 149 regarding enforcement notices, where the Information Commissioner must take into account the magnitude of the damage or distress caused by the controller. I am sure right hon. and hon. Members will agree that providing consistency across the Bill is important; the amendment is a step to ensure that that is provided.
Amendment 179 agreed to.
Amendments made: 57, in clause 154, page 86, line 10, at end insert “or distress”.
This amendment is for consistency with Clause 149(2). It requires the Commissioner, when deciding whether to give a penalty notice to a person in respect of a failure to which the GDPR does not apply and when determining the amount of the penalty, to have regard to any action taken by the controller or processor to mitigate the distress suffered by data subjects as a result of the failure.
Amendment 180, in clause 154, page 86, line 28, at end insert—
“(3A) Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 148(5).” —(Margot James.)
See the explanatory statement for amendment 179.
Question proposed, That the clause, as amended, stand part of the Bill.
I am sorry to labour the point; it is pertinent to the clause but also relates to the debate that we just had on information notices. The Minister has failed to set out why the Government have removed the custodial sentence as an enforcement power of the Information Commissioner when data controllers or processors breach information notices. The Minister said earlier that she does not accept that it is the Information Commissioner’s view that that weakens the existing data protection regime, but the commissioner explicitly set that out in her written evidence to the Committee:
“The new approach in the Bill of failure to comply with an IN no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent”.
We very much welcome the increased penalty as a sanction by the Information Commissioner, but the Minister has so far failed to set out why she has removed that custodial sentence, which, as the Information Commissioner has laid out, is a serious deterrent. That could weaken her abilities to investigate complex situations and, as I mentioned earlier, it is in direct contrast to the Irish Government’s approach, which carries a fine but also a custodial sentence of up to five years’ imprisonment if the data controller fails to comply with an information notice.
In written evidence, again, the Information Commission suggests that the Government’s approach pales in comparison to that taken by Ireland. Will the Minister take this opportunity to explain why she has so significantly weakened the Information Commissioner’s important powers?
The clause replicates section 55(a) of the 1998 Act, which gives the commissioner a power to serve a monetary penalty, requiring the data controller to pay the commissioner an amount determined by the commissioner. The maximum penalty is specified in clause 156. Before the commissioner can issue a penalty notice, she must be satisfied that a person has failed to comply with certain provisions of the GDPR or the Bill, or has failed to comply with an information notice, assessment notice or enforcement notice.
Clearly, it is up to the commissioner to decide whether a penalty notice is appropriate. She has stated:
“It’s about putting the…citizen first. We can’t lose sight of that…It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us.”
For reasons that are entirely understandable, my constituents in Cambridge take a particularly close interest in some of the things that have been happening with Cambridge Analytica this week. They will be astonished that the Minister does not seem to be answering the question raised by my hon. Friend the Member for Sheffield, Heeley. Financial penalties, yes, but criminal proceedings surely should be uppermost when we have seen these dreadful things that have been going on.
I was coming on to answer the hon. Member for Sheffield, Heeley, but as the hon. Member for Cambridge has raised her question again, I will jump to it. We are not removing all criminal powers under this new legislation. Under paragraph 2 of schedule 15, the commissioner may enforce assessment notices. That power includes the new offence of obstructing a warrant, which is a criminal offence, so criminal offences do remain. As I said, we are looking at the commissioner’s desire for stronger powers in certain areas, but under the current law there is a criminal sanction only for non-compliance with a notice, and that offence is not used. A civil penalty is a better way forward and is provided as the appropriate sanction by the GDPR itself.
The Minister has just confirmed that under the existing arrangements a custodial sentence is the maximum penalty if an individual fails to comply with an information notice. She has not given a coherent reason why she is removing that through the Bill. Is she really arguing that criminal sanctions are less of a deterrent than civil? That is a direct contradiction of the Information Commissioner’s evidence.
I have just been advised that the existing law is non-custodial criminal sanctions. I have referred to the criminal sanctions with respect to assessment notices, and I will get back to the hon. Lady on the question of the sanctions on the information notices that she has asked about. I am told what I am told; the existing law is non-custodial.
Question put and agreed to.
Clause 154, as amended, accordingly ordered to stand part of the Bill.
Schedule 16
PENALTIES
Amendments made: 123, page 203, line 26, leave out “with the day after” and insert “when”.
This amendment is consequential on Amendment 71.
124, page 204, line 10, leave out “with the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
125, page 205, line 5, leave out “with the day after the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
126, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”.—(Margot James.)
This amendment is consequential on Amendment 52.
Schedule 16, as amended, agreed to.
Clause 155 ordered to stand part of the Bill.
Clause 156
Maximum amount of penalty
Question proposed, That the clause stand part of the Bill.
I think we could all do with a bit of clarity, which did not quite emerge in the last debate. My hon. Friend the Member for Sheffield, Heeley, makes an important point: in light of this week’s news, there is real concern that the maximum possible sentences should be on the books to punish people who try to get in the way of investigations by the Information Commissioner. Can the Minister say whether the Information Commissioner is currently able to prosecute people for getting in her way, and whether they could go to jail? That would be clarification No. 1. Clarification No. 2 would be whether, under the Bill the Minister is asking us to agree, that custodial sentence would still remain.
I understand that under the current law there are no custodial sentencing provisions, so therefore I cannot argue that they will remain. That does not seem logical at all. The existing DPA offences are for fines only, according to section 60 of the Data Protection Act 1998.
Question put and agreed to.
Clause 156 accordingly ordered to stand part of the Bill.
Clause 157
Fixed penalties for non-compliance with charges regulations
Question proposed, That the clause stand part of the Bill.
Given the clarity that the Minister has now furnished for the Committee, and given the scale of wrongdoing that is alleged about Cambridge Analytica and potentially Facebook this week, the question on clause 157 is whether she is satisfied that financial penalties are going to do the job in the years to come. Otherwise, is this a clause on which we need to reflect on Report if not now so that if custodial sentences are not currently available, we might consider introducing them for people who appear determined to move heaven and earth to get in the way and obstruct an Information Commissioner inquiry? Could we perhaps come back to that on Report, rather than simply rely on sanctions such as fixed penalty notices?
I have mentioned before to the right hon. Gentleman that there are criminal offences set out in the Bill, such as an offence of obstructing a warrant, which would enable the ICO to go in and exercise search and seizure powers. Although obstruction carries potential fines and a criminal record, I do not believe that it carries the threat of a custodial sentence, which is no change from the current situation.
As I have said before, and as my right hon. Friend the Secretary of State said yesterday, we are reviewing the enforcement powers of the ICO, and we are working with the commissioner to ensure that we get the whole suite absolutely right. I cannot say any more than I already have on that point.
Question put and agreed to.
Clause 157 accordingly ordered to stand part of the Bill.
Clause 158 ordered to stand part of the Bill.
Clause 159
Guidance about regulatory action
Amendment made: 58, in clause 159, page 89, line 37, leave out from “a” to end of line 38 and insert
“person to make oral representations about the Commissioner’s intention to give the person a penalty notice;”—(Margot James.)
This amendment is consequential on Amendment 52.
Clause 159, as amended, ordered to stand part of the Bill.
Clauses 160 to 163 ordered to stand part of the Bill.
Clause 164
Orders to progress complaints
Amendment made: 59, in clause 164, page 93, line 4, leave out “with the day on which” and insert “when”
This amendment is consequential on Amendment 71.—(Margot James.)
Clause 164, as amended, ordered to stand part of the Bill.
Clauses 165 to 167 ordered to stand part of the Bill.
Clause 168
Publishers of news-related material: damages and costs
Question put, That the clause stand part of the Bill.
I beg to move amendment 157, in clause 170, page 96, line 25, at end insert—
“or
(d) was done in the process of making a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996 (SI 1996/1919 (NI 16)).”.
This amendment seeks to ensure that the offences listed in the offences of the Bill do not infringe on a worker’s ability to raise public interest concerns about wrongdoing, risk or malpractice.
With this it will be convenient to discuss amendment 158, in clause 171, page 97, line 28, at end insert—
“or
(d) was done in the process of making a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996 (SI 1996/1919 (NI 16)).”.
This amendment seeks to ensure that the offences listed in the offences of the Bill do not infringe on a worker’s ability to raise public interest concerns about wrongdoing, risk or malpractice.
I am grateful to my hon. Friend the Member for Edinburgh South for keeping me warm and enthused.
The amendment is important. None of us wants to damage the right and power of whistleblowers to bring important information into the public domain, sometimes to the attention of regulators, sometimes to the attention of organisations, such as the Health and Safety Executive, and sometimes to the attention of Members. Over the years, we have put in place a good regime in order to ensure that whistleblowers are afforded protections that allow them to come forward with information that is in the public interest.
The reason we have to consider that now is that data protection legislation is being strengthened by the incorporation of GDPR into British law. However, the risk is that the ambiguities that frame the protection of whistleblowers in the Bill are such that many are concerned that whistleblowers will not be given the right protection against data protection legislation.
The Government recognise that it is important to protect whistleblowers. There is a protection in clause 170 for whistleblowers bringing forward information that is
“justified as being in the public interest.”
The argument put to us by Public Concern at Work and others is that that approach is unlikely to be effective. We are told that there will be a new test in law, which will therefore require guidance from the courts. Until that time, the precise meaning will obviously be a bit moot, and the scope of the situations that the Government seek to protect will remain a little uncertain. That uncertainty and ambiguity will jeopardise an individual who might have something important to bring to the attention of the outside world.
Exceptions to violations in personal data confidentiality were recently considered by the Government in section 58 of the Digital Economy Act 2017, which provided a far more comprehensive list of exceptions. Where there is overlap between the Bill and the Digital Economy Act, it appears that the Act deals much more satisfactorily with whistleblowers.
I remind the Committee that section 58 of the Act says that the offence does not apply to a disclosure
“which is a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996”.
We therefore have a pretty well established and grounded definition of exceptions. Indeed, it was so well defined and grounded that the Government decided to use that definition in the 2017 Act. It is not clear why the Bill seeks to create alternative definitions and therefore the need for alternative tests and guidance in the courts when we have a definition we can rely on.
The Opposition amendment would return us to what we think was sensible drafting in the Digital Economy Act. That Act is not ancient history—it was only 12 months ago. Otherwise, the risk is that the Government, employers, courts and trade unions will get into an awful muddle as they try to understand which legislation protects whistleblowers in new circumstances. None of us wants to create a situation of uncertainty and ambiguity that stops whistleblowers from coming forward with important information.
I therefore hope we can have a useful debate about why the Government have chosen to introduce new definitions when it is not clear that they are improvements on well-established employment law that dates back to the Employment Rights Act 1996. Let us hear what the Minister has to say, but I hope the Government reflect on the arguments we rehearse this afternoon and introduce further enhancements and perfections on Report.
The right hon. Gentleman is correct: it is essential that we do not create an offence in the clause that will snare whistleblowers. I am sure the Committee shares that goal. Indeed, if we created such an offence, whistleblowers would no longer be whistleblowers—a qualifying disclosure would no longer be a qualifying disclosure if it were an offence under different legislation, including the Bill.
We will listen carefully to what the Minister says, but, to come at it from a slightly different angle, as I understand it, the Employment Rights Act currently requires a “reasonable belief” by the worker making the whistleblowing disclosure that it is in the public interest to disclose that information. That seems a slightly easier test than the one contained in a defence in subsection (2) of the clause, which requires not a “reasonable belief”—those words do not appear—but proof that disclosure was justified in the public interest. There is also a contrast with subsection (3), where a reasonable belief test is applied to a defence but only in circumstances of publication of either journalistic, artistic or literary material.
It is not clear to me why there is a reasonable belief test in subsection (3) but not in subsection (2). I am interested to hear what the Minister has to say about that distinction.
The amendments concern offences relating to personal data provided for by part 6 of the Bill. Hon. Members will be aware that the offence of unlawful obtaining of personal data has been carried over and updated from the 1998 Act to include the unlawful retention of personal data without the controller’s consent. By contrast, the offence of re-identification of de-identified personal data is new to data protection legislation, underlining our intention to bring data protection laws up to date with the digital age.
Amendment 157 would add an additional defence to clause 170 where the conduct is in the process of a disclosure by an employee raising public interest concerns about wrongdoing or malpractice to the extent that such disclosures would be protected by the Employment Rights Act 1996 and equivalent legislation for Northern Ireland. Amendment 158 adds the same defence to clause 171.
I share the sentiment of the amendments, but believe they are unnecessary. Clauses 170 and 171 provide defences in cases where the processing is necessary for the prevention or detection of crime or can be justified as being in the public interest. We believe that the crime prevention defence would cover a disclosure by an employee who suspected that an offence had been committed, and that the flexible public interest defence would encapsulate the other non-criminal activities envisaged by the amendments. In particular, as set out in section 43B of the Employment Rights Act 1996 and article 67B of the Employment Rights (Northern Ireland) Order 1996, a disclosure is protected in the first place only if the disclosing worker reasonably believes the disclosure to be in the public interest.
This is a narrow question that I raised in my speech. There is a “reasonable belief” test in the 1996 Act. It is easier for someone to prove that they had a reasonable belief that a disclosure was in the public interest than to prove that it was in the public interest. That slight difference in wording may be significant. There are in fact two different tests in the clause, so I wonder whether the Minister might look at that again.
I referred to the public interest defence as a flexible defence that would encapsulate non-criminal activities. I do not know whether that satisfies the hon. Gentleman, but a flexible public interest defence is indeed required.
For those reasons, I reassure hon. Members that a further defence providing for whistleblowing is unnecessary. It is telling that there is no such defence in section 55 of the 1998 Act, and we are not aware of any problems with its operation. Hon. Members mentioned section 58 of the Digital Economy Act 2017. That is a difficult comparison. Unlike clauses 170 and 171, section 58 does not contain a straightforward public interest defence, so, unlike the offences in the Bill, there may be no alternative protection for such disclosures. I hope I have given hon. Members sufficient reassurance that they feel confident withdrawing their amendments.
I am grateful to the Minister for that reply. She says that she wants to try to update the legislation. I understand what she is trying to do and why she does not accept that there is a complete parallel with the Digital Economy Act. None the less, the new definition will need to be tested in court, new guidance will need to be issued and new ambiguity will therefore be created, which brings with it the risk that important whistleblowers will be dissuaded from bringing forward information that is in our interest and letting it see the light of day.
I hope the Minister reflects on that further. She seeks to create an extension in law to ensure that there is a public interest definition in the round—I can see the enlargement that she is trying to make—but I hope she reflects before Report stage on the challenge that new definitions will have to be tested in court, which will create ambiguity and risk. I do not think she wants to create that risk, but the strategy she sets out does not completely delete it and it remains a concern. I will happily withdraw the amendment, but I ask the Minister to reflect on that point before Report.
I am happy to reflect on what the right hon. Gentleman proposes. The last thing we want is to have any chilling effect on would-be whistleblowers.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 170 ordered to stand part of the Bill.
Clause 171
Re-identification of de-identified personal data
Question proposed, That the clause stand part of the Bill.
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter. I want to pursue the debate on the re-identification of de-identified personal data because, as the Minister pointed out, under the general data protection regulation, the idea of pseudonymised data comes into the law for the first time. For example, if my name, as my personal data, is turned into #365, it has been pseudonymised, and the question is whether #365 can be unlocked to identify the name “Darren Jones”. Pseudonymising is distinct from anonymising, which cannot be unlocked.
The question has come up a lot in the Select Committee on Science and Technology, in various contexts. I had a conversation with the Minister and her officials in the Select Committee about one scenario—the use of genetic data in the health service, where lots of data from individuals is pooled together for the purpose of learning about trends. It may be re-applied to the individual in the delivery of care. Another example might involve Facebook clients being able to upload customer lists on to the Facebook advertising profile. Each name would be hashed—pseudonymised—but ultimately targeted advertising could be pushed through to the individual’s profile.
Both those scenarios raise a policy question about the end of the process, when it comes back to the individual—the information has been personally identifiable, then is pseudonymised in a pooled way, and is then re-identified. Will those issues give rise to an offence under the part of the Bill that we are considering, and should consent be different, with the potential for pseudonymised data to be re-identified made clear to the end user? The reason I have not tabled any amendments to deal with the point is that I do not know the answer, but I should welcome the Minister’s views, and perhaps a commitment to have a conversation either with the Information Commissioner or the new data and artificial intelligence ethics unit about different types of consent where data is pseudonymised and then re-identified, either for health purposes or targeted advertising.
I am sure you did, Mr Streeter.
Clause 171 creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller who de-identified the data. It is a response to concerns about the security of de-identified data held in online files. For example, recommendations in the review of data security, consent and opt-outs by the National Data Guardian for Health and Care call for the Government to introduce stronger sanctions to protect de-identified patient data, to which I think the hon. Member for Bristol North West was referring.
Subsection (3) provides the defendant with a defence if he or she can prove that re-identification was necessary for the purposes of preventing crime or complying with a legal obligation, or that it was justified in the public interest. Subsection (4) provides further defences where the defendant can prove they reasonably believed that they had or would have had the consent of the data subjects to whom the information relates or of the data controller responsible for de-identifying the information, or that they acted for the special purposes, with a view to publication, and the re-identification was reasonably believed to be justified in the public interest, or if the effectiveness testing conditions in clause 172 were met.
I have perhaps strayed rather far into the matter of defences in answering the hon. Gentleman, and may not have entirely satisfied him as to his question. If he is agreeable I will write to him, and get from my officials the latest as to the oversight of the important questions he raises.
My hon. Friend the Member for Bristol North West has raised important questions about social media providers. Before I entered this place, I worked in the insurance industry. Will the Minister confirm whether insurers would be covered by the clause if they re-identified individuals from datasets to inform the pricing of risk? That is potentially serious when considering the implications of loyalty card, bank or shopping information for health insurance.
I will have to write to the hon. Lady on that. I do not think it would provide cover for insurance companies in those circumstances, but I would like to double-check before I give a definitive answer to her question.
Question put and agreed to.
Clause 171 accordingly ordered to stand part of the Bill.
Clauses 172 to 176 ordered to stand part of the Bill.
Clause 177
Jurisdiction
I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—
“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.
For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.
I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.
I would like to say a word in support of this important amendment. We had a rich and unsatisfactory debate on the incorporation of article 8 of the European charter of fundamental rights into British law. We think that that would have helped the Government considerably in ensuring that there is no divergence between the European data protection regime and our own. If the Government are successful, they will operate on different constitutional bases, and there is therefore a real risk of divergence over the years to come. I think that everyone on the Committee is now pretty well versed in the damage that that would do to British exports, many of which are digitally enabled. This is a really helpful amendment. It tries to tighten to lockstep that we have to maintain with European data protection regimes, which will be good for exports, services and the British economy, and the Government should accept it.
When we leave the European Union, the direct jurisdiction of the Court of Justice of the European Union in the UK will come to an end. Clause 6 of the European Union (Withdrawal) Bill gives effect to that and takes a clear and logical approach to how our domestic courts should approach the case law of the CJEU as a result. In short, where a judgment precedes our exit, it is binding on courts below the Supreme Court. Where a judgment post-dates our exit, our courts may have regard to it if they consider it appropriate, but EU law and the decisions of the ECJ will continue to affect us. The ECJ determines whether agreements that the EU has struck are legal under the EU’s own law. If, as part of our future partnership, Parliament passes an identical law to an EU law, it may make sense for our courts to look at the appropriate ECJ judgments so that we interpret those laws consistently, but our Parliament would ultimately remain sovereign.
The Prime Minister said in her Mansion House speech earlier this month that as a country we may have to stay under the jurisdiction of the ECJ for the purposes of organisations such as Euratom and other EU-wide organisations that the UK may wish to remain part of. Is the Minister saying that that is a possibility with regard to data protection laws in this legislation?
The future of our membership of the European Data Protection Board will be subject to negotiations. I cannot prejudge how those negotiations will develop and finalise in respect of our membership of that important body.
Am I right in saying that the Minister is not ruling it out as part of the legislation?
I would not rule it out, but the negotiations are between two parties, so however much we may wish to maintain our membership of the European data protection board, that might not be something that the EU will grant us. As I say, it is a matter for negotiation and I am sure things will become clearer over the next 12 months. To take an approach now that would require our courts to follow future case law of the CJEU, even if only in some areas, would place limitations on the discretion and independence of our courts.
The Minister is trying to protect a discretion that sounds like the defence of a right to depart from EU case law to such an extent that we might jeopardise an adequacy agreement. Surely the point of this amendment is to keep us in lockstep, to de-risk that adequacy agreement for the years to come. That surely must be an object of her Government’s policy.
The Government are absolutely committed to getting an adequacy agreement. The Prime Minister has said she wishes to go beyond adequacy in the negotiations. I would like to reassure the right hon. Gentleman that the very opposite is the case. Our courts can have regard to, and that is good enough. There is no reason for this to be different in the area of data protection from what it might be in any other area.
The provision has been discussed at length and agreed to by the House. Hon. Members will be aware that the other place is now scrutinising the EU (Withdrawal) Bill and has focused on this very matter. There is broad agreement that we need to consider how best to ensure that the Bill achieves the policy aim with sufficient clarity. We want to reach agreement on a proposition that commands the greatest possible support. We should, however, be wary of seeking to provide for something that alters the underlying policy in a way that binds or steers our courts towards a particular outcome, for example, by saying that they must have regard in only certain areas of law.
I do not quite follow the Minister’s argument. On the one hand, she says that it is the object of Government policy to secure an adequacy agreement and presumably keep that adequacy agreement, if not, indeed, go beyond it. She is now seeking to defend a flexibility that would allow some kind of departure from European norms. I cannot understand how she can quite want her cake and eat it.
Courts will be allowed to follow the jurisprudence of the ECJ in this area of data protection. Nothing I am saying is prompting a departure from that position. We see the amendment as going further than we would like to go. By contrast, the Government’s proposed approach to CJEU oversight respects the referendum result and is clear, consistent and achievable.
The Minister gave a full answer, largely in agreement with the points I made.
I agree. I would therefore invite the Government to reconsider their position and support the amendment, because it reflects what is in the EU (Withdrawal) Bill, it talks about having regard to ECJ jurisprudence in future and, as the Minister pointed out, Government policy and the Government’s intention are that we are going to end up in that position anyway. By putting that in the Bill, we would put it into law and give a very clear signal to our colleagues in the European Union that that is our intention and we will stand by it.
The Minister’s arguments do not seem to stack up. If I were saying in the amendment that we must apply ECJ case law directly and that the UK courts had no power to disregard EU jurisprudence I would probably agree, but that is not what it seeks to do. I am not convinced it goes beyond the Government’s policy position nor what is said in the EU (Withdrawal) Bill. I merely seek to help the Government by making this simple amendment to the Bill. With your permission, Mr Streeter, I will push it to a vote.
Question put, That the amendment be made.