The Committee consisted of the following Members:
Chairs: Mr Philip Hollobone, † Ian Paisley
Amesbury, Mike (Weaver Vale) (Lab)
† Bristow, Paul (Peterborough) (Con)
Clarke, Theo (Stafford) (Con)
† Collins, Damian (Folkestone and Hythe) (Con)
† Double, Steve (Lord Commissioner of His Majesty's Treasury)
† Eastwood, Mark (Dewsbury) (Con)
† Henry, Darren (Broxtowe) (Con)
Hunt, Jane (Loughborough) (Con)
Huq, Dr Rupa (Ealing Central and Acton) (Lab)
† Long Bailey, Rebecca (Salford and Eccles) (Lab)
† Monaghan, Carol (Glasgow North West) (SNP)
Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Peacock, Stephanie (Barnsley East) (Lab)
† Richards, Nicola (West Bromwich East) (Con)
† Simmonds, David (Ruislip, Northwood and Pinner) (Con)
† Wakeford, Christian (Bury South) (Lab)
† Whittingdale, Sir John (Minister for Data and Digital Infrastructure)
Huw Yardley, Bradley Albrow, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 23 May 2023
(Morning)
[Ian Paisley in the Chair]
Data Protection and Digital Information (No. 2) Bill
09:25
Stephanie Peacock Portrait Stephanie Peacock (Barnsley East) (Lab)
- Hansard - - - Excerpts

On a point of order, Mr Paisley. I would like to correct the record regarding my comments on clause 13, which appear in column 148 of the Committee proceedings in Hansard for Tuesday 16 May. I referred to the views of Lexology and included a quote, which I attributed to that organisation, when in fact the views and quote in question were those of an organisation named Prighter, which were simply published by Lexology.

None Portrait The Chair
- Hansard -

Thank you for that clarification.

Clause 78

The PEC Regulations

John Whittingdale Portrait The Minister for Data and Digital Infrastructure (Sir John Whittingdale)
- Hansard - - - Excerpts

I beg to move amendment 5, in clause 78, page 100, line 30, after “86” insert “and [Codes of conduct]”.

This amendment is consequential on NC2.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss Government new clause 1 and Government new clause 2.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship, Mr Paisley. Welcome to the Committee.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 place specific requirements on organisations in relation to use of personal data in electronic communications. They include, for example, rules on the use of emails, texts and phone calls for direct marketing purposes and the use of cookies and similar technologies.

Trade associations have told us that sometimes their members need guidance on complying with the legislation that is more bespoke than the general regulatory guidance from the Information Commissioner’s Office. New clause 2 will allow representative bodies to design codes of conduct on complying with the PEC regulations that reflect their specific processing operations. There are already similar provisions in articles 40 and 41 of the UK General Data Protection Regulation to help organisations in particular sectors to comply.

Importantly, codes of conduct prepared under these provisions can be contained in the same document as codes of conduct under the UK GDPR. That will be particularly beneficial to representative bodies that are developing codes for processing activities that are subject to the requirements of both the UK GDPR and the PEC regulations. New clause 2 envisages that representative bodies will draw up voluntary codes of conduct and then seek formal approval of them from the Information Commissioner. The Information Commissioner will approve a code only if it contains a mechanism for the representative body to monitor their members’ compliance with the code.

New clause 1 makes a related amendment to article 41 of the UK GDPR to clarify that bodies accredited to monitor compliance with codes of conduct under the GDPR are required to notify the Information Commissioner only if they suspend or exclude a person from a code. Government amendment 5 is a minor and technical amendment necessary as a consequence of new clause 2.

These provisions are being put into the Bill at the suggestion of business organisations. We hope that they will allow organisations to comply more easily with the requirements.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

It is a pleasure to serve under your chairship, Mr Paisley, and I too welcome you to the Committee.

As I have said more than once in our discussions, in many cases the burden of following regulations can be eased just as much by providing clarification, guidance and support as by removing regulation altogether. I advocated for codes of practice in more detail in the discussion of such codes in the public sector, under clause 19, and during our debates on clauses 29 and 30, when we were discussing ICO codes more generally. New clauses 1 and 2 seem to recognise the value of codes of practice too, and both seek to provide either clarification or the sharing of best practice in terms of following the PEC regulations. I have no problem with proceeding with the Bill with these inclusions.

Amendment 5 agreed to.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I beg to move amendment 48, in clause 78, page 100, line 30, after “86” insert “and [Pre-commencement consultation]”.

This amendment is consequential on NC7.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss Government new clause 7.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

New clause 7 clarifies that the consultation requirements imposed by the Bill in connection with or under the PEC regulations can be satisfied by consultation that takes place before the relevant provision of the Bill comes into force. That ensures that the consultation work that supports development of policy before the Bill is passed can continue and is not paused unnecessarily. A similar provision was included in section 182 of the Data Protection Act 2018. Government amendment 48 is a minor and technical amendment which is necessary as a consequence of new clause 7. I commend the new clause and amendment to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

The new clause and accompanying amendment seek to expedite work on consultation in relation to the measures in this part. It makes sense that consultation can begin before the Bill comes into force, to ensure that regulations can be acted on promptly after its passing. I have concerns about various clauses in this part, but no specific concerns about the overarching new clause, and am happy to move on to discussing the substance of the clauses to which it relates.

Amendment 48 agreed to.

Question proposed, That the clause, as amended, stand part of the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clause 78 introduces part 4 of the Bill, which amends the Privacy and Electronic Communications (EC Directive) Regulations 2003. Clauses 79 to 86 refer to them as “the PEC Regulations” for short. They sit alongside the Data Protection Act and the UK GDPR. We will debate some of the more detailed provisions in the next few clauses.

Question put and agreed to.

Clause 78, as amended, accordingly ordered to stand part of the Bill.

Clause 79

Storing information in the terminal equipment of a subscriber or user

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I beg to move amendment 116, in clause 79, page 101, line 15, leave out

“making improvements to the service”

and insert

“making changes to the service which are intended to improve the user’s experience”.

Cookies are small text files that are downloaded on to somebody’s computer or smartphone when they access a website; they allow the website to recognise the person’s device, and to store information about the user’s preferences or past actions. The current rules around using cookies, set out in regulation 6 of the PEC regulations, dictate that organisations must tell people that the cookies are there, explain what the cookies are doing and why, and finally get the person’s freely given, specific and informed consent to store cookies on their device. However, at the moment there is almost universal agreement that the system is not working as intended.

To comply with the legislation, most website have adopted what is known as a cookie banner—a notice that pops up when a user first visits the site, prompting them to indicate which cookies they are happy with. However, due to the sheer volume of those banners, in many cases people no longer feel they are giving consent because they are informed or because they freely wish to give it, but are doing so simply because the banners stop them using the website as they wish.

In their communications regarding the Bill, the Government have focused on reducing cookie fatigue, branding it one of the headline achievements of the legislation. Unfortunately, as I will argue throughout our debates on clause 79, I do not believe that the Bill will fix the problem in the way that users hope. The new exemptions to the consent requirement for purposes that present a low risk to privacy may reduce the number of circumstances in which permission might be required, but there will still be a wide-ranging list of circumstances where consent is still required.

If the aim is to reduce cookie fatigue for users, as the Government have framed the clause, the exemptions must centre on the experience of users. If they do not, the clause is not about reducing consent fatigue, but rather about legitimising large networks of online surveillance of internet users. With that in mind, amendment 116 would narrow the exemption for collecting statistical information with a view to improving a service so that it is clear that any such improvements are exclusively considered to be those from the user’s perspective. That would ensure that the term “improvements” cannot be interpreted as including sweeping changes for commercial benefit, but is instead focused only on benefits to users.

I will speak to proposed new regulation 6B when we debate later amendments, but I reiterate that I have absolute sympathy for the intention behind the clause and want as much as anyone to see an end to constant cookie banners where possible. However, we must place the consumer and user experience at the heart of any such changes. That is what we hope to ensure through the amendment, with respect to the list of exemptions.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I am grateful to the hon. Lady for making it clear that the Opposition share our general objective in the clause. As she points out, the intention of cookies has been undermined by their ubiquity when they are placed as banners right at the start. Clause 79 removes the requirement to seek consent for the placement of audience measurement cookies. That means, for example, that a business could place cookies to count the number of visitors to its website without seeking the consent of web users via a cookie pop-up notice. The intention is that the organisation could use the statistical information collected to understand how its service is being used, with a view to improving it. Amendment 116 would mean that “improvements to the service” would be narrowed in scope to mean improvements to the user’s experience of the service, but while that is certainly one desirable outcome of the new exception, we want it to enable organisations to make improvements for their own purposes, and these may not necessarily directly improve the user’s experience of the service.

Organisations have repeatedly told us how important the responsible use of data is for their growth. For example, a business may want to use information collected to improve navigation of its service to improve sales. It could use the information collected to make improvements to the back-end IT functionality of its website, which the user may not be aware of. Or it could even decide to withdraw parts of its service that had low numbers of users; those users could then find that their experience was impaired rather than improved, but the business could invest the savings gained to improve other parts of the service. We do not think that businesses should be prevented from improving services in this way, but the new exception provides safeguards to prevent them from sharing the collected data with anyone else, except for the same purpose of making improvements to the service. On that basis, I hope the hon. Lady will consider withdrawing her amendment.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I am grateful for the Minister’s answer. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I beg to move amendment 49, in clause 79, page 102, leave out lines 21 to 23.

Clause 79 amends regulation 6 of the PEC Regulations to create new exceptions from the prohibition on storing and accessing information in terminal equipment. New paragraph (2C) contains an exception for software updates that satisfy specified requirements. This amendment removes a requirement that the subscriber or user can object to the update and does not object.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss Government amendments 50 to 54.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clause 79 reforms regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which sets the rules on when an organisation can store information or gain access to information stored on a person’s device—for example, their computer, phone or tablet. This is commonly described as the cookies rule, but it includes similar technologies such as tracking pixels and device fingerprinting. Currently, organisations do not have to seek a user’s consent to place cookies that are strictly necessary to provide a service requested by the user—for example, to detect fraud or remember items in a user’s online shopping basket.

To reduce the number of cookie pop-up notices that can spoil web users’ enjoyment of the internet, clause 79 will remove the requirement for organisations to seek consent for several low privacy risk purposes, including the installation of software updates necessary for the security of the device. Government amendments 49 and 51 remove the user’s right to opt out of the software security update and the right to remove an update after it has taken effect. Government amendment 50 removes the right to disable an update before it takes effect.

Although these measures were initially included in the Bill to give web users a choice about whether security updates were installed, stakeholders have subsequently advised us that the failure to install certain updates could result in a high level of risk to the security of users’ devices and personal information. We have been reflecting on the provisions since the Bill was introduced, and have concluded that removing them is the right thing to do, in the interests of security of web users. Even if these provisions are omitted, organisations will still need to provide users with clear and comprehensive information about the purpose of software security updates. Web users will also still have the right to postpone an update for a limited time before it takes effect.

Government amendment 54 concerns the regulation-making powers under the new PEC regulations. One of the main aims is to ensure that web users are empowered to use automated technology such as browsers and apps to select their choices regarding which cookies they are willing to accept. The Secretary of State could use powers under these provisions to require consent management tools to meet certain standards or specifications. so that web users can make clear, meaningful choices once and have those choices respected throughout their use of the internet.

The Committee will note that new regulation 6B already requires the Secretary of State to consult the Information Commissioner and other interested parties before making any new regulations on consent management tools. Government amendment 54 adds the Competition and Markets Authority as a required consultee. That will help ensure that any competition impacts are properly considered when developing new regulations that set standards of design.

Finally, Government amendments 52 and 53 make minor and technical changes that will ensure that future regulations made under the reformed PEC regulations can include transitional, transitory or savings provisions. These will simply ensure there is a smooth transition to the new regime if the Secretary of State decides to make use of these new powers. I commend the amendments to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I understand that amendments 49 to 51 primarily remove the option for subscribers or users to object to or disable an update or software for security reasons. As techUK has highlighted, the PEC regulations already contain an exemption on cookie consent for things that are strictly necessary, and it was widely accepted that security purposes met this exemption. This is reflected by its inclusion in the list of things that meet the criteria in new paragraph (5).

However, in the Bill the Government also include security updates in the stand-alone exemption list. This section introduces additional conditions that are not present in the existing law, including the requirement to offer users an opt-out from the security update and the ability to disable or postpone it. The fact that this overlap has been clarified by removing the additional conditions seems sensible. Although user choice has value, it is important that we do not leave people vulnerable to known security flaws.

In principle, Government amendment 54 is a move in the right direction. I will speak to regulation 6B in more detail when we discuss amendment 117 and explain why we want to remove it. If the regulation is to remain, it is vital that the Competition and Markets Authority be consulted before regulations are made due to the impact they will likely have in entrenching power in the hands of browser owners. That the Government have recognised that it was an oversight not to involve the CMA in any consultations is really pleasing. I offer my full support to the amendment in that context, though I do not believe it goes far enough and will advocate the removal of regulation 6B entirely in due course.

Amendment 49 agreed to.

Amendments made: 50, in clause 79, page 102, line 25, leave out “disable or”.

Clause 79 amends regulation 6 of the PEC Regulations to create new exceptions from the prohibition on storing and accessing information in terminal equipment. New paragraph (2C) contains an exception for software updates that satisfy specified requirements. This amendment removes a requirement for subscribers and users to be able to disable, not just postpone, the update.

Amendment 51, in clause 79, page 102, leave out lines 27 to 29.

Clause 79 amends regulation 6 of the PEC Regulations to create new exceptions from the prohibition on storing and accessing information in terminal equipment. New paragraph (2C) contains an exception for software updates that satisfy specified requirements. This amendment removes a requirement that, where the update takes effect, the subscriber or user can remove or disable the software.

Amendment 52, in clause 79, page 104, line 20, leave out “or supplementary provision” and insert

“, supplementary, transitional, transitory or saving provision, including provision”.—(Sir John Whittingdale.)

This amendment provides that regulations under the new regulation 6A of the PEC Regulations, inserted by clause 79, can include transitional, transitory or saving provision.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I beg to move amendment 117, in clause 79, page 104, line 32, leave out from the beginning to end of line 38 on page 105.

I begin by re-emphasising my overarching support for exploring ways to reduce consent fatigue and cookie banners. However, because of the direction that new regulation 6B takes us in, it requires far more consultation before entering the statute book. My amendment seeks to remove it. Regulation 6B aims, at some point in the future, to enable users to express any consent they wish to give or objections they wish to make regarding cookies to an operator of a website—commonly a browser—so that this can be done automatically on visiting the website. The three main concerns I have with this must be addressed and consulted on before such a regulation becomes law.

I am concerned that it will pose concerns for competition if browsers, often owned by powerful global tech companies, are given centralised control and access to data surrounding cookies across the entire internet. That concern was echoed by the Advertising Association and the CEO of the Data and Marketing Association during an oral evidence session. When asked whether there was any concern that centralising cookies by browser will entrench power in the hands of the larger tech companies that own the browsers, Chris Combemale answered:

“It certainly would give even greater market control to those companies.”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 21, Q43.]

He said:

“If anything, we need more control in the hands of the people who invest in creating the content”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 21, Q42.]

online.

09:44
Secondly, browser-enabled models could confuse liability and damage website direct relationships with customers. Indeed, any system of this kind would inevitably require browsers to be able to interrupt a provider’s relationship with their customers by automatically overriding the consent directly expressed to them by their users. That would make confusing who is liable if data is processed in a way the data subject would like to dispute. The relationship is not only relevant when things go wrong. In general, media owners should be able to develop first-party relationships with their audiences and customers to better understand what they need without having browsers as gatekeepers of the information.
Many, including techUK, have questioned the techno-logical readiness of browser-based solutions. That was also highlighted in the responses to the Government’s “Data: a new direction” consultation. Although regulation 6B recognises this by allowing for browser-enabled models to be implemented in the future rather than immediately, given the previous concerns highlighted it seems reasonable to expect that proper parliamentary scrutiny will be required at the point where we actually know what the technology looks like. For those reasons, as a collective we must oppose the inclusion of regulation 6B. This is not to say that a similar model, with proper consultation and scrutiny, may not at some point come to fruition and work well, but at this point in time further review is needed before the option to enact browser-enabled models is on the statute book.
John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

As the hon. Lady sets out, amendment 117 would remove new regulation 6B from the Bill, but we see this as an important tool for reducing frequent cookie consent banners and pop-ups that can, as we have debated already, interfere with people’s use of the internet. Members will be aware, as has already been set out, that clause 79 removes the need for organisations to seek consent to place cookies for certain non-intrusive purposes. One way of further reducing the need for repeated cookie pop-up notices is by blocking them at source—in other words, allowing web users to select which cookies they are willing to accept and which they are not comfortable with by using browser-level settings or similar technologies. These technologies should allow users to set their online preferences once and be confident that those choices will be respected throughout their use of the internet.

We will continue to work with the industry and the Information Commissioner to improve take-up and effectiveness of browser-based and similar solutions. Retaining the regulation-making powers at 6B is important to this work because it will allow the Secretary of State to require relevant technologies to meet certain standards or specifications.

Without regulations, there could be an increased risk of companies developing technologies that did not give web users sufficient choice and control about the types of cookies they are willing to accept. We will consult widely before making any new regulations under 6B, and new regulations will be subject to the affirmative resolution procedure. We have listened to stakeholders and intend to amend 6B to provide an explicit requirement for the Secretary of State to consult the Competition and Markets Authority before making new regulations.

Damian Collins Portrait Damian Collins (Folkestone and Hythe) (Con)
- Hansard - - - Excerpts

Is this something the Department has considered? For example, Google Chrome has a 77% share of the web browser market on desktop computers, and over 60% for all devices including mobile devices. Although we want to improve the use of the internet for users and get rid of unwanted cookies, the consequence would be the consolidation of power in the hands of one or two companies with all that data.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I entirely agree with my hon. Friend. He accurately sums up the reason that the Government decided it was important that the Competition and Markets Authority would have an input into the development of any facility to allow browser users to set their preferences at the browser level. We will see whether, with the advent of other browsers, AI-generated search engines and so on, the dominance is maintained, but I think he is absolutely right that this will remain an issue that the Competition and Markets Authority needs to keep under review.

That is the purpose of Government amendment 54, which will ensure that any competition impacts are considered properly. For example, we want any review of regulations to be relevant and fair to both smaller publishers and big tech. On that basis, I hope that the hon. Member for Barnsley East will consider withdrawing her amendment.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I appreciate the Minister’s comments and the Government change involving the CMA, but we simply do not believe that that is worth putting into law. We just do not know the full implications, as echoed by the hon. Member for Folkestone and Hythe. I will therefore press my amendment to a Division.

Question put, That the amendment be made.

Division 26

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 8


Conservative: 8

Amendments made: 53, in clause 79, page 105, line 11, after “transitional” insert “, transitory”.
This amendment makes clear that regulations under the new regulation 6B of the PEC Regulations, inserted by clause 79, can include transitory provision.
Amendment 54, in clause 79, page 105, line 15, at end insert—
“(aa) the Competition and Markets Authority, and”.—(Sir John Whittingdale.)
This amendment requires the Secretary of State to consult the Competition and Markets Authority before making regulations under regulation 6B of the PEC Regulations.
Question proposed, That the clause stand part of the Bill.
John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I shall not repeat all that has been said about the purpose of the clause. To recap quickly, consent is required for any non-essential functions, such as audience measurement, design optimisation, presentation of adverts and tracking across websites but, clearly, the current system is not working well. Researchers found that people often click yes to cookies to make the banner go away and because they want to access the service quickly.

The clause will remove the requirement for organisations to seek consent to cookies placed for several low privacy risk purposes. As a result of the new exceptions we are introducing, web users should know that if they continue to see cookie pop-up messages it is because they relate to more intrusive uses of cookies. It is possible that we may identify additional types of non-intrusive cookies in the future, so the clause permits the Secretary of State to make regulations amending the exceptions to the consent requirement or introducing new exceptions.

The changes will not completely remove the existence of cookie pop-ups. However, we are committed to working with tech companies and consumer groups to promote technologies that help people to set their online preferences at browser level or by using apps. Such technology has the potential to reduce further the number of pop-ups that appear on websites. Alongside the Bill, we will take forward work to discuss what can be done further to develop and raise awareness of possible technological solutions. On that basis, I commend the clause to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I spoke in detail about my issues with the clause during our debates on amendments 116 and 117, but overall I commend the Government’s intention to explore ways to end cookie fatigue. Although I unfortunately do not believe that these changes will solve the issues, it is pleasing that the Government are looking at ways to reduce the need for consent where the risk for privacy is low. I will therefore not stand in the way of the clause, beyond voicing my opposition to regulation 6B.

Question put and agreed to.

Clause 79, as amended, accordingly ordered to stand part of the Bill.

Clause 80

Unreceived communications

Question proposed, That the clause stand part of the Bill.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss clauses 81 and 82 stand part.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clause 80 provides an additional power for the Information Commissioner when investigating unsolicited direct marketing through telephone calls, texts and emails—more commonly known as nuisance calls or nuisance communications.

Some unscrupulous direct marketing companies generate hundreds of thousands of calls to consumers who have not consented to be contacted. That can affect the most vulnerable in our society, some of whom may agree to buy products or services that they did not want or cannot afford. Successive Governments have taken a range of actions over the years—for example, by banning unsolicited calls from claims management firms and pensions providers—but the problem persists and further action is needed.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Information Commissioner can investigate and take enforcement action against rogue companies where there is evidence that unsolicited marketing communications have been received by the recipient. The changes we are making in clause 80 will enable the Information Commissioner to take action in relation to unsolicited marketing communications that have been generated, as well as those received or connected.

Not every call that is generated reaches its intended target. For example, an individual may be out or may simply not pick up the phone. However, the potential for harm should be a relevant factor in any enforcement action by the Information Commissioner’s Office. The application of the regulations, through the changes in clause 80, to communications generated will more accurately reflect the level of intent to cause disturbance.

Clause 81 is a minor and technical clause that should improve the readability of the PEC regulations. The definition of “direct marketing”, which the PEC regulations rely on, is currently found in the Data Protection Act 1998. To help the reader quickly locate the definition, the clause adds the definition to the PEC regulations themselves.

Under the current PEC regulations, businesses can already send direct marketing to existing customers, subject to certain safeguards. That is sometimes known as the soft opt-in rule. Clause 82 applies the same rule to non-commercial organisations, such as charities. The changes will mean that charitable, political and non-commercial organisations will be able to send direct marketing communications to persons who have previously expressed an interest in the organisation’s aims and ideals.

The current soft opt-in rules for business are subject to certain safeguards. We have applied the same safeguards to these new provisions for non-commercial organisations. We think these changes will help non-commercial organisations, including charities and political parties, to build ongoing relationships with their supporters. There is no good reason why the soft opt-in rule should apply to businesses but not to non-commercial organisations. I hope Members will see the benefit of these measures in ensuring the balance between protecting the most vulnerable in society and supporting organisations. I commend clauses 80 to 82 to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

As I have said many times during our discussion of the Bill, I believe that the Information Commissioner should be given proportionate powers to investigate and take action where that is needed to uphold our regulations. That is no less the case with clause 80, which introduces measures that allow the Information Commissioner to investigate organisations responsible for generating unsolicited direct marketing communications, even if they are not received by anyone.

Clause 81 simply lifts the definition of “direct marketing” from the Data Protection Act 1998 and places it into the PEC regulations to increase the readability of that legislation. I have no issues with that.

Clause 82 extends the soft opt-in rules to charities and non-commercial organisations. It is only right that the legislation is consistent in offering non-profits the opportunity to send electronic marketing communications in the same way as for-profit organisations. It might, however, be worth raising the public’s awareness of the rule and of the ability to opt out at any point. If they suddenly find themselves on the end of such communications, they will have a clear understanding of why that is the case and that consent may be withdrawn if they so wish.

Question put and agreed to.

Clause 80 accordingly ordered to stand part of the Bill.

Clauses 81 and 82 ordered to stand part of the Bill.

Clause 83

Direct marketing for the purposes of democratic engagement

10:00
John Whittingdale Portrait Sir John Whittingdale (Maldon) (Con)
- Hansard - - - Excerpts

I beg to move amendment 55 in clause 83, page 107, line 41, leave out ‘or transitional’ and insert ‘, transitional, transitory or saving’.

This amendment provides that regulations under clause 83 can make transitory or saving provision.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Clauses 83 and 84 stand part.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Before I speak to the amendment, I will set out the provisions of clause 83, which gives the Secretary of State the power to make exceptions to the PEC regulations’ direct marketing provisions for communications sent for the purposes of democratic engagement. We do not intend to use the powers immediately because the Bill contains a range of other measures that will facilitate a responsible use of personal data for the purposes of political campaigning, including the extension of the soft opt-in rule that we have just debated. However, it is important we keep the changes we are making in the Bill under review to make sure that elected representatives and parties can continue to engage transparently with the electorate and are not unnecessarily constrained by data protection and privacy rules.

The Committee will note that if the Secretary of State decided to exercise the powers, there are a number of safeguards in the clause that will maintain a sensible balance between the need for healthy interaction with the electorate and any expectations that an individual might have with regard to privacy rights. Any new exceptions would be limited to communications sent by the individuals and organisations listed in clause 83, including elected representatives, registered political parties and permitted participants in referendum campaigns.

Before laying any regulations under the clause, the Secretary of State will need to consult the Information Commissioner and other interested parties, and have specific regard for the effect that further exceptions could have on the privacy of individuals. Regulations will require parliamentary approval via the affirmative resolution procedure. Committee members should also bear in mind that the powers will not affect an individual’s right under the UK GDPR to opt out of receiving communications.

We have also tabled two technical amendments to the clause to improve the way it is drafted. Government amendment 55 will make it clear that regulations made under this power can include transitory or savings provisions in addition to transitional provisions. Such provisions might be necessary if, for example, new exceptions were only to apply for a time-limited period. Clause 84 is also technical in nature and simply sets out the meaning of terms such as “candidate”, “elected representative” and “permitted participant” for the purposes of clause 83.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

The clauses mirror somewhat the involvement of democratic engagement purposes on the recognised legitimate interests list. However, here, rather than giving elected representatives and the like an exemption from completing a balancing test when processing under this purpose, the Bill paves the way for them to be exempt from certain direct marketing provisions in future.

The specific content of any future changes, however, should be properly scrutinised. As such, it is disappointing that the Government have not indicated how they intend to use such regulations in future. I appreciate that the Minister has just said that they do not intend to use them right now. Does he have in mind any examples of any exemptions that he might like to make from the direct marketing provisions for democratic engagement purposes? That is not to say that such exemptions will not be justified; just that their substance should be openly discussed and democratically scrutinised.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

As I have set out, the existing data protection provisions remain under the GDPR. In terms of specific exemptions, I have said that the list will be subject to future regulation making, which will be also subject to parliamentary scrutiny. We will be happy to supply a letter to the hon. Lady to set out specific examples of where that might be the case.

Amendment 55 agreed to.

Clause 83, as amended, ordered to stand part of the Bill.

Clause 84

Meaning of expressions in section 83

Amendment made: 31, in clause 84, page 110, line 31, leave out “fourth day after” and insert

“period of 30 days beginning with the day after”.—(Sir John Whittingdale.)

Clauses 83 and 84 enable regulations to make exceptions from direct marketing rules in the PEC Regulations, including for certain processing by elected representatives. This amendment increases the period for which former members of the Westminster Parliament and the devolved legislatures continue to be treated as "elected representatives" following an election. See also NC6 and Amendment 30.

Clause 84, as amended, ordered to stand part of the Bill.

Clause 85

Duty to notify the Commissioner of unlawful direct marketing

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I beg to move amendment 56, in clause 85, page 112, line 35, at end insert—

“(13A) Regulations under paragraph (13) may make transitional provision.

(13B) Before making regulations under paragraph (13), the Secretary of State must consult—

(a) the Commissioner, and

(b) such other persons as the Secretary of State considers appropriate.”

This amendment enables regulations changing the amount of a fixed penalty under regulation 26B of the PEC Regulations to include transitional provision. It also requires the Secretary of State to consult the Information Commissioner and such other persons as the Secretary of State considers appropriate before making such regulations.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Amendment 118, in clause 85, page 113, line 3, at end insert—

“(1A) Guidance under this section must—

(a) make clear that a provider of a public electronic communications service is not obligated to monitor the content of individual electronic communications in order to determine whether those communications contravene the direct marketing regulations; and

(b) include illustrative examples of the grounds on which a provider may reasonably suspect that a person is contravening or has contravened any of the direct marketing regulations.”

Government amendment 33.

Clause stand part.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Before I speak to Government amendment 56, it might be helpful to set out the provisions of clause 85. The clause will help to ensure that there is better co-operation between the industry and the regulator in tackling the problem of nuisance communications. It places a duty on public electronic communications service and network providers to notify the Information Commissioner within 28 days if they have “reasonable grounds” for suspecting that unlawful direct marketing communications are transiting their services or networks. Once notified, the ICO will investigate whether a breach of the PEC regulations has occurred and take appropriate action where necessary.

We cannot expect network and service providers to know for certain whether a customer has agreed to receive a marketing call, which is why the new requirement is predicated on the organisation having reasonable grounds for suspecting that something unlawful is occurring. For example, there might be cases where a communications network or service provider notices a large volume of calls being generated in quick succession, with only one digit in the telephone number changing each time. That might suggest that calls are being made indiscriminately, without regard to whether the customer has registered with the telephone preference service or previously advised the caller that they did not want to be contacted.

We do not envisage that the provision will place significant new burdens on the network and service providers. It does not require them to put new systems in place to monitor for suspicious activities. However, where they have that capability already and have reasonable grounds to believe that unlawful activity is going on, we would like them to share that information with the ICO. The clause also requires the ICO to produce and publish guidance for network and service providers to help them to understand what intelligence information could reasonably be shared.

I shall respond to amendment 118 after the hon. Member for Barnsley East has spoken to it, but it might be helpful for me briefly to explain Government amendment 56. The fixed penalty for failure to comply with the duty, which is currently set at £1,000, is being kept under review. Where appropriate, the Secretary of State can use regulations to change the fine amount. The amendment will ensure that those regulation-making powers are consistent with similar powers elsewhere in the Bill. The regulations could include transitional provisions, and the amendment will also require the Secretary of State to consult the Information Commissioner and other persons they consider appropriate before making such regulations.

Government amendment 33 is a minor and technical change designed to improve the readability of the legislation.

None Portrait The Chair
- Hansard -

The amount is fixed in the Bill at £1,000, Minister. That is stated at clause 85 in proposed new regulation 26B. The Bill states:

“The amount of a fixed monetary penalty under this regulation shall be £1,000.”

That does not indicate any flexibility. I draw that to the attention of the Committee.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

But, as I have set out, that is subject to review.

None Portrait The Chair
- Hansard -

Thank you.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

The ambition of the clause is broadly welcome, and we agree that there is a need to tackle unwanted calls, but the communications sector, including Vodafone and BT, as well as techUK, has shared concerns that the clause, which will place a new duty on telecoms providers to report to the commissioner whenever they have “reasonable grounds” for suspecting a breach of direct marketing regulations, might not be the best way to solve the issue.

I will focus my remarks on highlighting those concerns, and how amendment 118 would address some of them. First, though, let me say that the Government have already made it clear in their explanatory notes that it is not the intention of the Bill to require providers to monitor communications. However, that has not been included in the Bill, which has caused some confusion in the communications sector.

Amendment 118 would put that confusion to rest by providing for the explicit inclusion of the clarification in the clause itself. That would provide assurances to customers who would be sure their calls and texts would not be monitored, and to telecoms companies, which would be certain that such monitoring of content was absolutely not required of them.

Secondly, the intent of the clause is indeed not to have companies monitoring communications, but many relevant companies have raised concerns around the technological feasibility of identifying instances of unlawful and unsolicited direct marketing. Indeed, the new duty will require telecommunications providers to be able to identify whether a person receiving a direct marketing call has or has not given consent to receive the call from the company making it. However, providers have said they cannot reliably know that, and have warned that there is no existing technology to conduct that kind of monitoring accurately and at scale. In the absence of communication monitoring and examples of how unsolicited direct marketing is to be identified, it is therefore unclear how companies will fulfil their duties under the clause.

That is not to say the industry is not prepared to commit significant resources to tackling unwanted calls. BT, for example, has set up a range of successful tools to help customers. That includes BT Call Protect, which is used by 4.4 million BT customers and now averages 2.35 million calls diverted per week. However, new measures must be feasible, and our amendment 118 would therefore require that guidance around the implementation of the clause include illustrative examples of the grounds on which a provider may reasonably suspect that a person is contravening, or has contravened, any of the direct marketing regulations.

If the Minister does not intend to support the amendment, I would like to hear such examples from him today, so that the communications sector was absolutely clear about how to fulfil its new duties, given the technology available.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

As the hon. Lady has said, amendment 118 would require the commissioner to state clearly in the guidance that the new duty does not oblige providers to intercept or monitor the content of electronic communications in order to determine whether there has been a contravention of the rules. It would also require the guidance to include illustrative examples of the types of activity that may cause a provider reasonably to suspect that there had been a contravention of the requirements.

I recognise that the amendment echoes concerns that have been raised by communications service providers, and that there has been some apprehension about exactly what companies will have to do to comply with the duty. In response, I would emphasise that “reasonable grounds” does mean reasonable in all circumstances.

The hon. Lady has asked for an example of the kind of activity that might give reasonable grounds for suspicion. I direct her to the remarks I made in moving the amendment and the example of a very large number of calls being generated in rapid succession in which, in each case, the telephone number is simply one digit away from the number before. The speed at which that takes place does provide reasonable grounds to suspect that the requirement to, for instance, check with the TPS is not being fulfilled.

There are simple examples of that kind, but I draw the attention of the hon. Lady and the Committee to the consultation requirements that will apply to the ICO’s guidance. In addition to consulting providers of public electronic communications networks and services on the development of the guidance, the ICO will be required to consult the Secretary of State, Ofcom and other relevant stakeholders to ensure that the guidance is as practical and useful to organisations as possible.

10:15
Damian Collins Portrait Damian Collins
- Hansard - - - Excerpts

Does my right hon. Friend agree that, if amendment 118 were made, it could be used as a general get-out-of-jail-free card by companies? Let us consider, for example, a situation where a company could easily and obviously have spotted a likely breach of the regulations and should have intervened. When the commissioner discovered that the company had failed in its duty to do so, the company could turn around and say, “Well, yes, we missed that, but we were not under any obligation to monitor.” It is therefore important that there is a requirement for companies to use their best endeavours to monitor where possible.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I completely agree; my hon. Friend is right to make that distinction. Companies should use their best endeavours, but it is worth repeating that the guidance does not expect service and network providers to monitor the content of individual calls and messages to comply with the duty. There is more interest in patterns of activity on networks, such as where a rogue direct marketing firm behaves in the manner that I set out. On that basis, I ask the hon. Lady not to press her amendment to a vote.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

I appreciate the Minister’s comments and those of the hon. Member for Folkestone and Hythe. We have no issue with the monitoring of patterns; we wanted clarification on the content. I am not sure that the Minister addressed the concerns about the fact that, although the Government have provided a partial clarification in the explanatory notes, this is not in the Bill. For that reason, I will press my amendment to a vote.

Amendment 56 agreed to.

Amendment proposed: 118, in clause 85, page 113, line 3, at end insert—

“(1A) Guidance under this section must—

(a) make clear that a provider of a public electronic communications service is not obligated to monitor the content of individual electronic communications in order to determine whether those communications contravene the direct marketing regulations; and

(b) include illustrative examples of the grounds on which a provider may reasonably suspect that a person is contravening or has contravened any of the direct marketing regulations.”—(Stephanie Peacock.)

Question put, That the amendment be made.

Division 27

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 8


Conservative: 8

Amendment made: 33, in clause 85, page 113, line 28, at end insert—
“(4) After regulation 18 insert—
‘Direct marketing
(1) Regulations 19 to 26C make provision about direct marketing.
(2) See also section 83 of the Data Protection and Digital Information Act 2023 (which provides for regulations to make exceptions to regulations 19 to 24).’”—(Sir John Whittingdale.)
This amendment inserts into the PEC Regulations provision introducing the regulations dealing with direct marketing (including regulations amended or inserted by the Bill) and cross-referring to the regulation-making power in clause 83 of the Bill.
Clause 85, as amended, ordered to stand part of the Bill.
Clause 86
Duty to notify the Commissioner of unlawful direct marketing
John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I beg to move amendment 57, in clause 86, page 113, line 38, at end insert—

“(13A) Regulations under paragraph (13) may make transitional provision.

(13B) Before making regulations under paragraph (13), the Secretary of State must consult—

(a) the Information Commissioner, and

(b) such other persons as the Secretary of State considers appropriate.”

This amendment enables regulations changing the amount of a fixed penalty under regulation 5C of the PEC Regulations to include transitional provision. It also requires the Secretary of State to consult the Information Commissioner and such other persons as the Secretary of State considers appropriate before making such regulations.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Clause stand part.

Government amendments 32 and 58.

That schedule 10 be the Tenth schedule to the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Before turning specifically to the provisions of the amendment, I will set out the provisions of clause 86 and schedule 10. Clause 86 updates the ICO’s powers in respect of enforcing the PEC regulations. Currently, the ICO has to rely mainly on outdated powers in the Data Protection Act 1998 to enforce breaches of the PEC regulations. The powers were not updated when the UK GDPR and the Data Protection Act came into force in 2018. That means that some relatively serious breaches of the PEC regulations, such as nuisance calls being generated on an industrial scale, cannot be investigated as effectively or punished as severely as breaches under the data protection legislation.

The clause will therefore give the ICO the same investigatory and enforcement powers in relation to breaches of the PEC regulations as currently apply to breaches of the UK GDPR and the 2018 Act. That will result in a legal framework that is more consistent and predictable for organisations, particularly for those with processing activities that engage both the PEC regulations and the UK GDPR.

Clause 86 and schedule 10 add a new schedule to the PEC regulations, which sets out how the investigatory and enforcement powers in the 2018 Act will be applied to the PEC regulations. Among other things, that includes the power for the Information Commissioner to impose information notices, assessment notices, interview notices and enforcement and penalty notices. The maximum penalty that the Information Commissioner can impose for the most serious breaches of the PEC regulations will be increased to the same levels that can be imposed under the UK GDPR and the Data Protection Act. That is up to 4% of a company’s annual turnover or £17.5 million, whichever is higher.

Relevant criminal offences under the Data Protection Act, such as the offence of deliberately frustrating an investigation by the Information Commissioner by destroying or falsifying information, are also applied to the PEC regulations. The updated enforcement provisions in new schedule 1 to the PEC regulations will retain some pre-existing powers that are unique to the previous regulations.

Clause 86 also updates regulation 5C of the PEC regulations, which sets out the fixed penalty amount for a failure to report a personal data breach under regulation 5. Currently, the fine level is set at £1,000. The clause introduces a regulation-making power, which will be subject to the affirmative procedure, for the Secretary of State to increase the fine level. We have tabled Government amendment 57 to provide an explicit requirement for the Secretary of State to consult the Information Commissioner and any other persons the Secretary of State considers appropriate before making new regulations. The amendment also confirms that regulations made under the power can include transitional provisions.

Finally, we have tabled two further minor amendments to schedule 10. Government amendment 58 makes a minor correction by inserting a missing schedule number. Government amendment 32 adjusts the provision that applies section 155(3)(c) of the Data Protection Act for the purposes of the PEC regulations. That is necessary as that section is being amended by schedule 4. Without making those corrective amendments, the provisions will not achieve the intended effect.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

Clause 86 and schedule 10 insert and clarify the commissioner’s enforcement powers with regards to privacy and electronic communications regulation. Particularly of note within the proposals is the move to increase fines for nuisance calls and messages to a higher maximum penalty of £17.5 million or 4% of the undertaking’s total annual worldwide turnover, whichever is higher. That is one of the Government’s headline commitments in the Bill and should create tougher punishments for those who are unlawfully pestering people through their phones.

We are in complete agreement that more must be done to stop unwanted communications. However, to solve the problem as a whole, we must take stronger action on scam calling as well as on instances of unsolicited direct marketing. Labour has committed to going further than Ofcom’s new controls on overseas scam calls and has proposed the following to close loopholes: first, no phone call made from overseas using a UK telephone number should have that number displayed when it appears on a UK mobile phone or digital landline; and secondly, all mobile calls from overseas using a UK number should be blocked unless the network provider confirms that the known bill payer for the number is currently roaming. To mitigate the fact that some legitimate industries rely on overseas call centres that handle genuine customer service requests, we will also require Ofcom to register those legitimate companies and their numbers as exceptions to the blocking.

As the clause and schedule seek to take strong action against unwanted communications, I would be pleased to hear from the Minister whether the Government would consider going further and matching our commitments on overseas scam calling, too.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I say to the hon. Lady that the provisions deal specifically with nuisance calls, not necessarily scam calls. As she will know, the Government have a comprehensive set of policies designed to address fraud committed through malicious or scam calls, and those are being processed through the fraud prevention strategy. I accept that more needs to be done and say to her that it is already taking place.

Amendment 57 agreed to.

Clause 86, as amended, ordered to stand part of the Bill.

Schedule 10

Privacy and electronic communications: Commissioner’s enforcement powers

Amendments made: 32, in schedule 10, page 180, line 25, leave out “for “data subjects”” and insert

“for the words from “data subjects” to the end”.

This amendment adjusts provision applying section 155(3)(c) of the Data Protection Act 2018 (penalty notices) for the purposes of the PEC Regulations to take account of the amendment of section 155(3)(c) by Schedule 4 to the Bill.

Amendment 58, in schedule 10, page 183, line 5, at end insert “15”.—(John Whittingdale.)

This amendment inserts a missing Schedule number, so that the provision refers to Schedule 15 to the Data Protection Act 2018.

Schedule 10, as amended, agreed to.

Clause 87

The eIDAS Regulation

Question proposed, That the clause stand part of the Bill.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss clauses 88 to 91 stand part.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clauses 87 to 91 make changes to the UK’s eIDAS regulation to support the effective functioning of the UK’s trust services market into the future. Clause 87 states that when clauses 88 to 91 talk about the eIDAS regulation, this refers to regulation 910/2014, on electronic identification and trust services for electronic transactions in the internal market, which was adopted by the European Parliament and the European Council on 23 July 2014.

There is potential for confusion between the UK eIDAS regulation and the EU eIDAS regulation from which it stems and which shares the same title. I can confirm that all references to the eIDAS regulation in clauses 88 to 91 refer to the regulation as it was retained and modified on EU exit to apply within the UK.

Clause 88 amends the UK eIDAS regulation so that conformity assessment reports issued by an accredited EU conformity assessment body can be recognised and used to grant a trust service provider qualified status under the regulation. UK-qualified trust services are no longer legally recognised within the EU, which has meant that qualified trust service providers who wish to operate within both the UK and the EU need to meet two sets of auditing requirements. That is not cost effective and creates regulatory barriers in the nascent UK trust services market. Unilateral recognition of EU conformity assessment bodies will remove an unnecessary regulatory barrier for qualified trust service providers wishing to operate within both the UK and EU markets.

Clause 89 provides the Secretary of State with a power to revoke articles 24A and 24B of the UK eIDAS regulation in the future, should the continued unilateral recognition of EU-qualified trust services, and the recognition of conformity assessment reports issued by EU conformity assessment bodies, no longer meet the needs of the UK market. Clause 89 also provides a power to amend article 24A in order to wind down the recognition of EU-qualified trust services, by removing the recognition of certain elements of EU-qualified trust service standards only.

For example, it will be possible to continue to recognise EU-qualified electronic time stamps and delivery services while ending the recognition of EU-qualified electronic signatures and seals, which will give the UK eIDAS regulation flexibility to adapt to future changes. The clause provides that any regulations made under this power will be subject to the negative resolution procedure.

10:30
Clause 90 inserts articles 45A, 45B and 45C into the UK eIDAS regulation, providing the Secretary of State with powers to make regulations to recognise and give legal effect to trust service products provided by entities established outside the UK, on the basis of equivalent reliability to comparable UK trust service products. The legal effect of overseas trust service products, which are specified within regulations made under article 45A, will be equivalent to the legal effect of qualified trust service products provided by a qualified trust service provider established in the United Kingdom.
Two conditions apply when making regulations under article 45A. First, the Secretary of State must be satisfied that the reliability of an overseas trust service product is at least equivalent to the reliability of its qualified counterpart under the eIDAS regulation. Secondly, he must have regard to the relevant overseas law concerning the type of trust service product to be recognised.
The clause provides that the Secretary of State must consult the Information Commissioner, as the UK supervisory body for trust services, before making regulations, and that any regulations made under article 45A or 45B will be subject to the negative resolution procedure. We believe that the measure will help ensure that the UK is well placed to agree mutual recognition of trust service products with other countries to boost the growth in cross-border electronic transactions.
Clause 91 provides a power for the Secretary of State within regulations to designate overseas trust service regulatory authorities, which the Information Commissioner, as the supervisory body for UK trust services, may give information and assistance to and co-operate with in the interests of effective regulation of trust services. That measure will help to future-proof the UK trust services framework, so it can better support the growing demand for secure and trusted electronic transactions across the global digital economy. It provides that the Secretary of State must consult the Information Commissioner before making regulations under this power. It also provides that any regulations made under this power will be subject to the negative resolution procedure.
I hope that Members will recognise the merits of that approach. As the digital economy grows and the demand for UK-based qualified trust service providers is rising, these clauses will ensure that the UK’s trust services framework is future-proofed and able to support the growing demand for trusted digital transactions globally.
Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

“Trust services” refers to services including those relating to electronic signatures, electronic seals, timestamps, electronic delivery services and website authentication. As has been mentioned, trust services are required to meet certain standards and technical specifications for operation across the UK economy, which are outlined under eIDAS regulations. These clauses seek to make logistical adjustments to that legal framework for trust service products and services within in the UK.

Although we understand that the changes are intended to enable flexibility in case EU regulations should no longer be adequate, and absolutely agree that we must future-proof regulations to ensure that standards are always kept high, we must also ensure that any changes made are necessary, to ensure that standards remain high, rather than being made simply for their own sake. It is vital that any alterations made are genuinely intended to improve current practices and have been thoroughly considered to ensure that they are making positive and meaningful change.

Question put and agreed to.

Clause 87 accordingly ordered to stand part of the Bill.

Clauses 88 to 91 ordered to stand part of the Bill.

Clause 92

Disclosure of information to improve public service delivery to undertakings

Question proposed, That the clause stand part of the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

The clause will amend the Digital Economy Act 2017 to extend the powers under section 35 to include businesses. Existing powers enable public authorities to share data to support better services to individuals and households. The Government believe that businesses too can benefit from responsive, joined-up public services across the digital economy. The clause introduces new data sharing powers allowing specified public authorities to share data with other specified public authorities for the purposes of fulfilling their functions.

The sharing of data will also provide benefits for the public in a number of ways. It will pave the way for businesses to access Government services more conveniently, efficiently and securely—by using digital verification services, accessing support when trying to start up new businesses, completing import and export processes or applying for Government grants such as rural grants, for example. Any data sharing will of course be carried out in accordance with the requirements of the Data Protection Act and the UK GDPR.

Being able to share data about businesses will bring many benefits. For example, by improving productivity while keeping employment high we can earn more, raising living standards, providing funds to support our public services and improving the quality of life for all citizens. Now that we have left the EU, businesses that take action to improve their productivity will increase their resilience to changing market conditions and be more globally competitive. The Minister will be able to make regulations to add new public authorities to those already listed in schedule 4 to the Digital Economy Act. However, any regulations would be made by the affirmative procedure, requiring the approval of both Houses. I commend the clause to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

The clause amends section 35 of the Digital Economy Act to enable specified public authorities to share information to improve the delivery of public services to businesses with other specified persons. That echoes the existing legal gateway that allows for the sharing of information on improving the delivery of public services to individuals and households.

I believe that the clause is a sensible extension, but would have preferred the Minister and his Department to have considered public service delivery more broadly when drafting the Bill. While attention has rightly been paid throughout the Bill to making data protection regulation work in the interests of businesses, far less attention has gone towards how we can harness data for the public good and use it to the benefit of our public services. That is a real missed opportunity, which Labour would certainly have taken.

Question put and agreed to.

Clause 92 accordingly ordered to stand part of the Bill.

Clause 93

Implementation of law enforcement information-sharing agreements

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I beg to move amendment 8, in clause 93, page 119, line 18, leave out first “Secretary of State” and insert “appropriate national authority”.

This amendment, Amendment 10 and NC5 enable the regulation-making power conferred by clause 93 to be exercised concurrently by the Secretary of State and, in relation to devolved matters, by Scottish Ministers and Welsh Ministers.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Government amendments 9 to 16.

Government new clause 5—Meaning of “appropriate national authority”.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clause 93 creates a delegated power for the Secretary of State, and a concurrent power for Welsh and Scottish Ministers, to make regulations to implement international agreements relating to the sharing of information for law enforcement purposes. The concurrent power for Welsh and Scottish Ministers has been included in an amendment to the clause. While international relations are a reserved matter, the domestic implementation of the provisions likely to be contained in future international agreements may be devolved, given that law enforcement is a devolved matter to various extents in each devolved Administration.

In the light of introducing a concurrent power for Welsh and Scottish Ministers, amendments to clauses 93 and 108 have been tabled, as has new clause 5. Together they specifically detail the appropriate national authority that will have the power to make regulations in respect of clause 93. The Government amendments make it clear that the appropriate national authority may make the regulations. New clause 5 then defines who is an appropriate national authority for those purposes. I therefore commend new clause 5 and the related Government amendments to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

It is right that the powers conferred by clause 93 can be exercised by devolved Ministers where appropriate. I therefore have no objections to the amendments or the new clause.

Amendment 8 agreed to.

Amendments made: 9, in clause 93, page 119, line 18, leave out second “Secretary of State” and insert “authority”.

This amendment is consequential on Amendment 8.

Amendment 10, in clause 93, page 119, line 36, at end insert—

‘“appropriate national authority” has the meaning given in section (Meaning of “appropriate national authority”);’.(Sir John Whittingdale.)

See the explanatory statement for Amendment 8.

Question proposed, That the clause, as amended, stand part of the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

As I have already set out, clause 93 creates a delegated power for the Secretary of State, along with a concurrent power for Welsh and Scottish Ministers, to make regulations to implement international agreements relating to the sharing of information for law enforcement purposes. The legislation will provide powers to implement technical aspects of such international agreements via secondary legislation once the agreements have been negotiated.

Clause 93 stipulates that regulations can be made in connection with implementing an international agreement only in so far as it relates to the sharing of information for law enforcement purposes, and that any data sharing must comply with data protection legislation. These measures will enable the implementation of new international agreements designed to help keep the public safe from the threat posed by international criminality and cross-border crime, as well as helping to protect vulnerable people.

None Portrait The Chair
- Hansard -

I am assuming that Northern Ireland is covered by reserved matters.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I believe the position is that at the present time, Northern Ireland does not have a functioning Assembly, so it is not possible, but that may change in due course.

None Portrait The Chair
- Hansard -

Hmm. Okay.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

The clause allows the Secretary of State to make regulations to enact an international agreement for the sharing of information for law enforcement purposes. The substance of any such agreement will likely therefore come through secondary legislation and, as such, it will be appropriate at that point to scrutinise their contents. If the Minister and his Department have identified any targets for such agreements at this stage, I am sure that the Committee would be grateful to hear of them. If not, however, I expect that he would update the House of that through the usual channels.

Question put and agreed to.

Clause 93, as amended, accordingly ordered to stand part of the Bill.

Clause 94

Form in which registers of births and deaths are to be kept

Question proposed, That the clause stand part of the Bill.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Clauses 95 to 98 stand part.

That schedule 11 be the Eleventh schedule to the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Clauses 94 to 98 amend the Registration Service Act 1953 and the Births and Deaths Registration Act 1953—which I will refer to as the Act —and introduce schedule 11, which contains minor and consequential amendments. Currently, under the Act, the Registrar General for England and Wales provides the local registration service with paper live birth, stillbirth and death registers and with paper forms for making certified copies of the register entries—for example, birth and death certificates. Since 2009, registrars in England and Wales also record birth and death registration information electronically, in parallel with the paper-based systems. That is a duplication of effort for registrars.

Clause 94(2) amends the Act and substitutes section 25 with a new section 25. The new section will allow the Registrar General to determine in which form registers of live births, stillbirths and deaths are to be kept, and contains additional provision appropriate for the keeping of registers in an electronic form only. New section 25(2) of the Act allows the Registrar General to require that registrars keep information in a form that will allow the Registrar General and the superintendent registrar to have immediate access to all live birth and death entries as soon as the registrar has entered the details in the register. In the case of stillbirths, new section 25(2)(b) allows the Registrar General to have immediate access to the entries in the register.

New section 25(3) provides that where a register is kept in such form as determined under new section 25(2) —for example, an electronic form—any information in that register made available to the Registrar General or superintendent registrar is deemed to be held by that person, as well as the registrar, when carrying out that person’s functions—for example, the issue of certified copies.

Clause 94(3)(a) and (b) omit sections 26 and 27 of the Act, which set out the requirements for the quarterly returns made by a registrar and superintendent registrar. These returns will no longer be needed, as the superintendent registrar and the Registrar General will have immediate access to the records as provided for by new section 25 of the Act.

Clause 94(3)(c) omits section 28 of the Act, which sets out how paper registers must be stored by registrars, superintendent registrars and the Registrar General. With the introduction of new section 25, that provision is no longer necessary as it would not be relevant to an electronic register.

Proposed new section 25(4) of the Act provides that anything that is required for the purposes of creating and maintaining the registers—for example, providing registrars with the electronic system—is the responsibility of the Registrar General. Proposed new section 25(5) of the Act places a responsibility on the Registrar General to provide the required forms that the local registration service will need to produce certified copies of entries—for example, birth and death certificates.

10:45
Clause 95 inserts a new section 11A in the Registration Service Act 1953. That Act sets out the requirements for the appointment of registration officers by local authorities. Proposed new section 11A sets out that the council of every non-metropolitan county and metropolitan district, subject to the provisions of local scheme arrangements, must provide and maintain equipment or facilities that the Registrar General considers necessary for a superintendent registrar or registrar to carry out their functions—for example, the IT equipment needed to host an electronic register. It should be noted that IT equipment is already in place in register offices as births and deaths are currently recorded electronically in parallel with paper registers.
Currently, numerous sections of the Births and Deaths Registration Act 1953 require the paper registers to be signed by an informant when attending the register office to register a birth or death. The Act places a duty on the informant to provide the particulars required to be registered to a registrar and, in the presence of the registrar, to sign the register. Clause 96 makes provision for the signing, by the informant, of registers that are not kept in paper form, as we move towards digital methods of registering births and deaths and the introduction of an electronic register.
Clause 96(2) inserts a new section 38B—titled “Requirements to sign register”—into the Act 1953. That proposed new section empowers the Minister to make regulations regarding registers not kept in paper form. Proposed new section 38B(1)(a) provides that a duty to sign the register
“at any time is to have effect as a duty to comply with specified requirements”,
while proposed new section 38B(3) clarifies that, in the section, “specified” means
“specified in regulations under this section”.
Clause 96(3) states that regulations made by the Minister under proposed new section 38B are subject to the affirmative procedure. I reassure my hon. Friends that that will ensure full parliamentary oversight of the content of the regulations.
Clause 97 covers the treatment of the existing registers of births, stillbirths, deaths, and records. Clause 97(1)(a) specifies that the repeal of section 28 of the 1953 Act does not affect the existing requirement under section 28(2) for every superintendent registrar to continue to keep with the records of the office any registers of live births, or deaths, in their custody immediately before the repeal comes into force.
Clause 97(1)(b) specifies that the repeal of section 28 of the Act does not affect the existing requirement under section 28(4) for the Registrar General to continue to keep any certified copies that he has received under section 27 in the possession of the Registrar General and any registers of stillbirths forwarded to the Registrar General before the repeal coming into force.
Since 1 July 2009, birth and death records are held both in paper registers and in an electronic format. The Bill removes the requirement for birth and death entries to be held in paper format, removing the duplication in process. Clause 97(5) specifies how copies of birth and death records that have been held in a format other than hard copy paper form, such as electronically, are to be treated on and after the day on which clause 94 of the Bill comes into force. Clause 97(6) outlines the period mentioned in clause 97(5) as beginning on 1 July 2009 and ending immediately before the day clause 94 comes into force.
Clause 98 introduces schedule 11, which contains minor and consequential amendments to primary legislation as a consequence of clauses 94 to 97. Part 1 of schedule 11 makes a number of amendments to the Births and Deaths Registration Act, and part 2 makes minor and consequential amendments to other primary legislation as a result of the changes brought about by the Bill.
Before sitting down, I pay tribute to my hon. Friend the Member for Solihull (Julian Knight), who attempted to introduce a number of these provisions via a private Member’s Bill, which unfortunately did not make it through. His intention is now to be put into law as a result of the measures in this Bill.
Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

Clauses 94 to 98 amend the Births and Deaths Registration Act, with the overall effect of removing the provision for birth and death records to be kept on paper, and allowing them to be held in an online database. This is a positive move, with the potential to bring many benefits. First, it will improve the functioning of the registration system—for example, it will allow the Registrar General and the superintendent registrar to have immediate access to all birth and death entries as soon as they have been entered into the system. The changes will undoubtedly be important to families who are experiencing joy or loss, because they make registrations easier and more likely to be correct in the first instance, minimising unnecessary clarifications at what can often be a very difficult time. Indeed, one of the recommendations of the 2022 UK Commission on Bereavement’s landmark report, which looked at the key challenges facing bereaved people in this country, was that it should be possible to register deaths online.

It is great that the Government have chosen to pursue this change. However, despite it being the recommendation listed right next to online death registration, the Government have not used this opportunity to explore the potential of extending the Tell Us Once service, which is disappointing. Indeed, the existing Tell Us Once service has proved very helpful to bereaved people in reducing the administrative burden they face, by enabling them to inform a large number of Government and public sector bodies in one process, rather than forcing them to go through the same process time and again. However, private organisations are not included, and loved ones are still tasked with contacting organisations such as employers, energy and electricity companies, banks, telephone and internet providers, and more. At a time of emotional struggle, this is a huge administrative burden to place on the bereaved and leaves them vulnerable to other unsettling variables, such as communication barriers and potentially insensitive customer service.

The commission found that 61% of adult respondents reported experiencing practical challenges when notifying the organisations that need to be made aware of the death of a loved one. We are therefore disappointed that the Government have not explored whether the Bill could extend the policy to the private sector in order to further reduce the burden on grieving friends and families, and make the inevitably difficult process a little easier. Overall, however, the clauses will mark a positive change for families up and down the country, and we are pleased to see them implemented.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I merely say to the hon. Lady that, having used the Tell Us Once service myself in relation to the death of my mother not that long ago, I absolutely hear what she says about the importance of making the process as easy as possible. We will certainly consider what she says.

Question put and agreed to.

Clause 94 accordingly ordered to stand part of the Bill.

None Portrait The Chair
- Hansard -

Congratulations to the hon. Member for Solihull.

Clauses 95 to 98 ordered to stand part of the Bill.

Schedule 11 agreed to.

Clause 99

Information standards for health and adult social care in England

Question proposed, That the clause stand part of the Bill

None Portrait The Chair
- Hansard -

With this it will be convenient to discussing the following:

That schedule 12 be the Twelfth schedule to the Bill.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

Schedule 12 makes it clear that information standards published under section 250 of the Health and Social Care Act 2012, as amended by the Health and Care Act 2022, can include standards relating to information technology or IT services that are used or intended to be used in connection with the processing of information. The schedule extends the potential application of information standards to the providers of IT products and services to the health and adult social care sector for England. It also introduces mechanisms for monitoring and enforcing compliance by IT providers with information standards, and allows for the establishment of an accreditation scheme for IT products and services.

It is absolutely right that health and care information can flow in a standardised way between different IT systems and across organisational boundaries in the health and adult social care system in England, for the benefit of individuals and their healthcare outcomes. Information standards are vital to enabling that, alongside joint working between everyone involved in the processing of heath and care information.

These changes will support the efficient and effective operation of the health and adult social care system by making it easier for people delivering care to access accurate and complete information when they need it, improve clinical decision making and, ultimately, improve clinical outcomes for patients. The clause is a crucial enabler for the creation of a modern health and care service with systems that are integrated and responsive to the needs of patients and users. I therefore commend it to the Committee.

Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

Information standards govern how data can be shared and compared across a sector. They are important in every sector in which they operate, but particularly in health, where they are critical to enabling the information sharing and interoperability necessary for good patient outcomes across health and social care services. For many reasons, however, we do not have a standard national approach to health data; as such, patients receive a far from seamless experience between different healthcare services. The Bill’s technical amendments and clarifications of existing rules on information standards in health, and how they interact with IT and IT services, are small but good steps in the journey towards trying resolve that.

Tom Schumacher of Medtronic told us in oral evidence that one of the problems faced by his organisation and NHS trusts is

“variability in technical and IT security standards.”

He suggested that harmonising those standards would be a “real opportunity,” since it would mean that

“each trust does not have to decide for itself which international standard to use and which local standard to use.”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 42, Q90.]

However, it is unclear how much headway these IT-related changes will make in providing that harmonisation, let alone the seamless service that patients so often call for.

I have one query that I hope the Minister can help with. MedConfidential has shared with us a concern that new section 251ZE of the Health and Social Care Act 2012 on accreditation of information technology, which is introduced by schedule 12, seems to imply that the Department of Health and Social Care and NHS England will have the power to set data standards in social care. MedConfidential says that would be a major policy shift, and that it seems unusual to implement such a shift through an otherwise unrelated Bill. Will the Minister write to me to clarify whether it is the Government’s intention to have DHSC and NHS England take over the information infrastructure of social care—and, if so, why they have come to that decision?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I am grateful to the hon. Lady for her support in general. I hear the concern that she expressed on behalf of the firm that has been in contact with her. We will certainly look into that, and I will be happy to let her have a written response in due course.

Mr Paisley, might I beg the Committee’s indulgence to correct the record? I incorrectly credited the hon. Member for Solihull for the private Member’s Bill, but it was in fact my hon. Friend the Member for Meriden (Saqib Bhatti). I apologise to him for getting his constituency wrong—

None Portrait The Chair
- Hansard -

So we will take the congratulations away from Solihull and pass them elsewhere.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I am afraid that congratulations have been removed from Solihull and transferred to Meriden.

None Portrait The Chair
- Hansard -

Better luck next time, Solihull! Thank you, Minister, for the correction.

Question put and agreed to.

Clause 99 accordingly ordered to stand part of the Bill.

Schedule 12 agreed to.

Ordered, That further consideration be now adjourned. —(Steve Double.)

10:59
Adjourned till this day at Two o’clock.