(8 months, 3 weeks ago)
Grand CommitteeMy Lords, I thank the Minister for that explanation. I have to say that my recollection is that the issue is much wider than the exemption and ensuring that there is no tip-off to somebody who is about to be visited by immigration enforcement. Let me give an example that was borne out after the Act was passed: solicitors acting for data subjects were unable, as we had anticipated, to find out what the Home Office thought it knew—I put it that way deliberately —about their clients.
I have some general points to make; I will do so fairly quickly. It would be optimistic to think that the Home Office had taken from this saga that objections and criticisms—in the form of amendments, obviously—can be helpful because we could have avoided a lot of effort in rectification. My noble friend Lord Clement-Jones will go into some of the history; I must admit, I do not recall much detail except for being teased frequently by the noble Baroness, Lady Williams, when she was the Home Office Minister, because I brought up our objection to the immigration exemption so often.
I feel strongly that it should not have to be for non-governmental organisations that are no doubt strapped for cash to do so much in order to get things right. I appreciate that that is part of our democracy; I do not object at all to the fact that they can do so, of course, but they should not have to. An application, an appeal, another judicial review, another appeal—at what cost to those organisations and the taxpayer! I emphasise that there is an exclamation mark, not a question mark, at the end of that sentence.
This saga is one of those episodes that vindicates the role of the courts, often in language that I, for one, relish. We have spent a lot of time in the Chamber recently discussing the role of the courts in our constitution; to give one example of the language, I really liked the understated use of
“over-broad derogations from fundamental rights”.
As the Minister said, the litigants were consulted before the publication of the SI. The Secondary Legislation Scrutiny Committee reports that it made three points, of which one, on oversight, was rejected by the Home Office and one was regarded by the Home Office as not necessary. Can the Minister tell the Committee what these were and why they were not pursued?
On the detail of the instrument, I note that it will be a matter for the Secretary of State to balance the risks to the individual and the risks to the state. I happen to think that it is in the public interest to apply exemptions with a very light touch, but of course it is no secret that the Liberal Democrats have problems with the Home Office’s immigration policy, and I fear that the reputational ship is well on its way. Clearly, there is an imbalance of power. That is inevitable, but it is not easy for the individual data subject to exercise his rights, and we should be aware of that.
Can the Minister also tell us what the Home Office will do to ensure that there will be transparency of decisions so that it can appropriately be held to account? Mechanisms must be written into the procedures. New paragraph 4B of Schedule 2 provides for a record of decisions and reasons. How will that be published and what will happen to it?
Will the Minister also comment on the capacity of immigration enforcement—and whoever else needs to—to look at prospective decisions on a case-by-case basis for each disapplication? I recognise that that will not necessarily be a straightforward and easy exercise, but it certainly requires a great deal more than, “It’s okay; it’s immigration, so we can just rely on the exemption”. Case-by-case decision-making is very important.
Finally, I note that the Explanatory Memorandum tells us that there is no full impact assessment because the instrument
“does not substantively alter the safeguards and considerations for applying the Immigration Exemption”.
I have to say that I thought that was the point.
My Lords, this set of regulations is a step forward, but with all the caveats that my noble friend made, and I have some more.
As the Minister confirmed, these regulations are the result of the Open Rights Group case—the Court of Appeal judgment in the3million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor—which confirms the earlier High Court judgment in March 2023. In broad terms, the Court of Appeal found that the immigration exemption in Schedule 2 to the Data Protection Act 2018 conflicted with the safeguards in Article 23 of the UK GDPR, as the Minister said. This was because the immigration exemption was drafted too broadly and failed to incorporate the safeguards prescribed for exemptions under Article 23 of the UK GDPR. It was therefore held to be unlawful and was disapplied.
These regulations follow two previous attempts by the Home Office to craft an immigration exemption which contained sufficient safeguards to satisfy the requirements set out in Article 23 of the UK GDPR. This is the third shot at it. In order to make the immigration exemption compatible with the requirements of Article 23, as the Minister explained, the Government added a number of safeguards to the exemption which were not there before. These are set out in the regulations. They are worth stating because they are really important requirements, which were omitted previously.
They include requirements to: make decisions on the application of the exemption on a case-by-case basis; make separate decisions in respect of each of the relevant UK GDPR provisions which relates to the data subject; make fresh decisions on each occasion where there is consideration or restriction of any of the relevant UK GDPR provisions in relation to the data subject; take into account all the circumstances of the case, including the potential vulnerability of the data subject, and so on; and apply the exemption only if the application of the particular UK GDPR provision would give rise to a substantial risk of prejudice that outweighs the risk of prejudice to the interests of the data subject, ensuring that the application of the exemption is necessary and proportionate to the risks in the particular case.
You would think it rather extraordinary that those are excluded from the previous regulations. In addition, a record must be made of the decision to apply the exemption, together with the reasons for that decision. There is also a rebuttable presumption that the data subject will be informed of the use of the exemption.
The ICO welcomed them in its letter to the Home Office as, in its view, satisfying the requirements of the Open Rights Group case. In its view, the proposed changes will ensure that the exemption complies with Article 23(2) of the UK GDPR and ensure that there are appropriate safeguards to protect individuals. Since it took part in the case as an interested party, this is of considerable reassurance. I congratulate the Open Rights Group and the3million on not one but two notable successes in court cases which have forced the Home Office to amend the exemption twice.
(2 years, 9 months ago)
Lords ChamberMy Lords, it is disappointing that the procedures of your Lordships’ House effectively precluded us from voting on this SI. When we debated the draft in Grand Committee, we said that we would table a regret Motion but the Government were, of course, aware of the 31 January deadline for producing a measure in response to the Court of Appeal and apparently there was no time for a regret Motion and the usual channels arranged for this take-note Motion.
The Government are obviously proper in complying with the court order in the timing, if not the content, but Parliament should have seen the draft SI earlier, had an opportunity not only to scrutinise it but to debate what it took from that scrutiny and to vote on it. I have drawn this to the attention of the chair of the Secondary Legislation Scrutiny Committee, given that committee’s and the Delegated Powers and Regulatory Reform Committee’s focus at the moment on procedures.
We are all aware of the deficiencies when we deal with secondary legislation. We knew that we would not win a vote in the Chamber because the Labour spokesman in Grand Committee supported the regulations, although we were grateful that he agreed with much of what we said during that debate. We wanted again to put our opposition on record. I thank the Minister for her explanation of the SI during that debate and I will try not to repeat too much of what was said then but will focus on the Minister’s remarks.
The Court of Appeal required the Government to amend the Data Protection Act to remedy its incompatibility with retained EU law so that it satisfies requirements of Article 23(2) of the UK GDPR. The declaration was suspended until today to provide a reasonable time to do so. That judgment was, I think, in October so they have had plenty of time. Although this is an SI amending the Act, it does not achieve that objective. The Secretary of State must have regard under the SI to the “immigration exemption policy document” and a draft IEPD was published at the same time as the draft SI.
That policy document can be amended. It can be replaced. It is not primary legislation. It is not secondary legislation. It is not legislation at all. It is not even unamendable legislation—secondary legislation cannot be amended. It is not a “legislative measure” within the terms of Article 23(2) which the Court of Appeal described as “remarkably specific”. It is not “part and parcel” of the legislation. It is not even a code of practice or a codification of safeguards; it is simply a policy document. Parliament cannot carry out a scrutiny function in which the outcome may, in theory, be changed even if we know the realities of dealing with secondary legislation. Parliament can play no meaningful part.
In Grand Committee, I asked the Minister how the policy document builds on previous arrangements, as it appears simply to repeat existing safeguards, and also for details of the Government’s consultation with interested parties and how the issues raised in consultation have been dealt with. I am grateful to her for the letter I received this afternoon, by email, in response to this—she said she would let me have the detail if it was not data protected. I am glad to note that some points were taken on board—but not all, quite clearly, because those with whom she consulted were those who brought the case to court. She said that
“the Department published the IEPD in draft form alongside the draft Regulations on the 10th December … enabling stakeholders the opportunity to consider its contents and to comment accordingly.”
Given that this policy document is central to the arrangements, I am surprised that not publishing it could ever have been thought to be an option.
In response to my question in Grand Committee, as to how one should challenge the Home Office if one does not know what it knows, or thinks it knows, to rectify errors—how would you rectify errors if you do not know that there are errors?—the Minister said that the exemption did not restrict the right to seek rectification of inaccurate data. That does not answer the question; it merely makes that question even more important. She also said that the exemption could not be used to prevent a person establishing a legal claim—which also begs the question.
It is not in contention that this data is very significant. Lord Justice Warby said the exemption
“plays a significant role in practice as a brake on access to personal data”—
one’s own data. He referred to Home Office evidence that the exemption was relied on in 59% of responses during the period in question, and that the exemption was available in a wide range of cases. The Minister in Grand Committee made much of how limited its use is and that only the minimum is redacted—only small parts of documents that contain sensitive data that could affect operations. So, I have a request and suggestion that the Home Office, in the current version of the policy document, in paragraph nine, which is a checklist for users—that is, caseworkers—should add to the list that there should be the minimum redaction. That may be implied by other parts of the document, but what caseworkers consider is crucial, and paragraph nine is what they will go to. Can the point that she made, and on which she relied, about the minimum redaction not be spelled out clearly in the checklist? I support my noble friend.
My Lords, I want—briefly—to supplement the remarks of my noble friends. As I said in Grand Committee, I commend my noble friend Lady Hamwee for her consistent and determined opposition to this immigration exemption. During the passage of the Bill, we were not able to delete the original provisions, but we are quite clear on these benches that this new SI does not at all reflect the safeguards required by the GDPR and by the Court of Appeal’s decision. As I said in Committee, I can only wonder what kind of advice the Minister has had. How has she been able to convince herself that this SI will not meet the same fate as the previous provisions? My noble friends referred to what Lord Justice Warby had to say, and what needs to be done is extremely clear. I do not think there is any need to repeat what my noble friends have said.
It is utterly clear that the provisions being put in place do not comply with GDPR—particularly with Recital 41, and certainly not in the way Lord Justice Warby interpreted that recital. The Home Office, regardless of the law, is going forward with this new proposal with an IEPD which is simply not good enough in terms of its legislative status. As both my noble friends said, it adds nothing in the way of safeguards which were already there.
The Minister seemed to be saying in Grand Committee the Home Office had taken on board the points made by the Open Rights Group and the3million, but that she would ascertain what those points were. Sadly, I have not received a copy of the Minster’s letter, so I do not know what those points are. I hope the Minister will adumbrate those in her response this evening. It is clear that the Home Office is in great danger of having another successful judicial review against it on these regulations.
Despite our best efforts in Grand Committee, the Minister did not deal with the fundamental issue of the mechanism being used to introduce this form of exemption. We were reminded today in the Commons about what Margaret Thatcher said:
“The first duty of Government is to uphold the law. If it tries to bob and weave and duck around that duty when it’s inconvenient, if Government does that, then so will the governed and then nothing is safe—not home, not liberty, not life itself.”
Wise words. Bobbing and weaving and ducking—is that not precisely what the Government are doing on this issue?
(6 years, 11 months ago)
Lords ChamberMy Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?
At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
(6 years, 11 months ago)
Lords ChamberI may have to add later to what I have said, which I think the Minister will find totally unpalatable. I will try to move on.
The Minister also said:
“You are concerned that if consent is not a genuine option in these situations and there are no specific processing conditions in the Bill to cover this on grounds of substantial public interest. Processing in these circumstances would be unlawful. To make their consent GDPR compliant, an employer or school must provide a reasonable alternative that achieves the same ends, for example, offering ‘manual’ entry by way of a reception desk”.
Consent is rarely valid in an employment context. If an employer believes that certain premises require higher levels of security, and that biometric access controls are a necessary and proportionate solution, it cannot be optional with alternative mechanisms that are less secure, as that undermines the security reasons for needing the higher levels of security in the first place: for example, where an employer secures a specific office or where the staff are working on highly sensitive or confidential matters, or where the employer secures a specific room in an office, such as a server room, where only a small number of people can have access and the access needs to be more secure.
Biometrics are unique to each person. A pass card can easily be lost or passed to someone else. It is not feasible or practical to insist that organisations employ extra staff for each secure office or secure room to act as security guards to manually let people in.
The Minister further stated:
“You also queried whether researchers involved in improving the reliability or ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. Article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing that appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards of clause 18 of the Bill. For the purposes of GDPR, ‘scientific research’ has a broad meaning. When taken together with the obvious possibility of consent-based research, we are confident that the Bill allows for the general type of testing you have described”.
It is good to hear that the Government interpret the research provisions as being broad enough to accommodate the research and development described. However, for organisations to use these provisions with confidence, they need to know whether the ICO and courts will take the same broad view.
There are other amendments which would broaden the understanding of the research definition, which no doubt the Minister will speak to and which the Government could support to leave no room for doubt for organisations. However, it is inaccurate to assume that all R&D will be consent based; in fact, very little of it will be. Given the need for consent to be a genuine choice to be valid, organisations can rarely rely on this as they need a minimum amount of reliable data for R&D that presents a representative sample for whatever they are doing. That is undermined by allowing individuals to opt in and out whenever they choose. In particular, for machine learning and AI, there is a danger of discrimination and bias if R&D has incomplete datasets and data that does not accurately represent the population. There have already been cases of poor facial recognition programmes in other parts of the world that do not recognise certain races because the input data did not contain sufficient samples of that particular ethnicity with which to train the model.
This is even more the case where the biometric data for research and development is for the purpose of improving systems to improve security. Those employing security and fraud prevention measures have constantly to evaluate and improve their systems to stay one step ahead of those with malicious intent. The data required for this needs to be guaranteed and not left to chance by allowing individuals to choose. The research and development to improve the system is an integral aspect of providing the system in the first place.
I hope that the Minister recognises some of those statements that he made in his letter and will be able, at least to some degree, to respond to the points that I have made. There has been some toing and froing, so I think that he is pretty well aware of the points being raised. Even if he cannot accept these amendments, I hope that he can at least indicate that biometrics is the subject of live attention within his department and that work will be ongoing to find a solution to some of the issues that I have raised. I beg to move.
My Lords, I wonder whether I might use this opportunity to ask a very short question regarding the definition of biometric data and, in doing so, support my noble friend. The definition in Clause 188 is the same as in the GDPR and includes reference to “behavioural characteristics”. It states that,
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data”.
Well:
“There’s no art
To find the mind’s construction in the face”.
How do behavioural characteristics work in this context? The Minister may not want to reply to that now, but I would be grateful for an answer at some point.
(7 years ago)
Lords ChamberI will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.
Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.
Recital 80 of the GDPR explains the role of the representative:
“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?
My Lords, I am glad that the noble Lord, Lord Stevenson, has raised the question of the meaning of “broadly equivalent”. It encapsulates a difficulty I have found throughout the Bill: the language of the GDPR and of the law enforcement directive is more narrative and descriptive than language to which we are accustomed in UK legislation. Though one might say we should just apply a bit of common sense, that is not always the first thing to apply in interpreting UK legislation.
In this clause, there is another issue apart from the fact that “broadly equivalent” gives a lot of scope for variation. Although Clause 3 is an introduction to the part, if there are problems of interpretation later in Part 2, one might be tempted to go back to Clause 3 to find out what the part is about and be further misled or confused.
(7 years, 9 months ago)
Lords ChamberMy Lords, I will just pick up the noble Baroness’s last point about who is an official. There are examples, in other legislation, of references to “senior officials” and “designated officials”, which might be somewhere between the junior official she has in mind and the Permanent Secretary, but she is right to draw the issue to the Committee’s attention.
On an earlier group, the noble and learned Lord indicated that he was going to speak at greater length—I assume that may be on this group—on the reason for using the term “personal information” rather than “data”. Perhaps I may use my noble friend’s Amendment 213 to ensure that we get to share more of Government’s thinking. I understand the point about corporations, since in the one case, they come within the group covered, and in the other they do not. But I am still puzzled as to why such efforts have had to be made to deal with personal information and then to add in references to the Data Protection Act, rather than starting from the DPA—with any necessary exclusions—which would have taken us straight to the involvement of the Information Commissioner, the data protection principles and so on.
I wondered during the Statement whether to have a go at some alternative drafting for Report, but thought I had better wait for this discussion. But perhaps part of it boils down to a question on Clause 33(8), which says, in wording replicated elsewhere, that,
“nothing in section 30, 31 or 32 authorises … a disclosure which … contravenes the Data Protection Act”.
To look at it from the other end of that telescope, is there any personal information which is the subject of the Bill that would not fall within the DPA and therefore not be protected by that clause?
My Lords, I thought I would intervene to see if it might help the Minister. The code of practice does not make things any clearer. With reference to my noble friend’s very apt point about information versus data, paragraph 4 of the code says:
“The definitions of ‘personal information’ contained in the Bill are intended to ensure that the information shared through these powers is handled carefully”.
That does not sound like a particularly good legal answer to the question. It goes on:
“Though the definition of ‘personal information’ for the purposes of the Bill may differ from the definition of ‘personal data’ in the DPA, all information shared and used under the public service delivery, debt and fraud provisions must be handled in accordance with the framework of rules set out in the DPA”.
Where is that explicitly set out? It would be very helpful if the Minister, in answering, could advert to that as well.
(13 years, 5 months ago)
Lords ChamberMy Lords, this is a device to elicit from the Government their motives for introducing a barrage of new provisions relating to temporary event notices. We seem to be building up a parallel system through the TENs system. It has worked extremely well. The notices are used extensively by community groups. They are not intended for commercial purposes, but are used for community events, village fetes, charity fundraising events and so on. It would be extremely interesting to hear from the Government why they feel that it is necessary to introduce so many new elements into the TENs system.
It was always designed as a form of flexible licensing for community groups. What is now happening under the various clauses relating to temporary event notices is that we are adding environmental health to the scrutiny process and are adding cost to the regime for local government as well. I do not know whether it is because the Government feel that TENs are being used by commercial operators, but the evidence given to me—I think, in particular, that increased hours during the new year celebrations was cited by the Government in their response to their consultation—has not painted that picture about how they are used. Ironically, it is likely that in any event there will be greater reliance if premises are caught by the late-night levy. There will be a greater use of TENs by commercial premises in those circumstances.
What is the justification for all these changes? What seems particularly odd is this extension: the change from a duration of 96 hours to one of 168 hours under Clause 116 and the increase in the number days from 15 to 21. If anything, one is making them more available for commercial purposes. We are changing from a temporary type of licensing to something much more permanent as far as I can see, so we have a self-fulfilling prophecy. Now we will have more conditions, and if there are going to be conditions, they should be standard conditions, so I have some sympathy with the amendments that follow in this group. I look forward to hearing from the Minister why we have to have more objectives, more bureaucracy and an extension of TENs as a concept in these circumstances. I beg to move.
My Lords, I do not think my noble friend is moving that the clause stands part of the Bill. I have Amendments 240C, 240E, 240F, 240G, 240H, 240J and 240K in this group. My noble friend mentioned parallel provisions. I think the noble Lord, Lord Hunt, and I have managed a degree of parallelism which probably adds to the confusion, but I think we are heading in the same direction.
In response to my noble friend, I say first that when we get to some amendments later on the subject of New Year’s Eve, I have a lot of sympathy for them. As I understand it, temporary event notices or TENs—I have always known that word in a completely different context—have grown in number far more than was anticipated. Almost 125,000 were used in the financial year to March 2010. They were introduced as a means of minimising the regulatory burden on small, ad hoc events, as my noble friend said, but they have grown somewhat. The Bill proposes that only following a representation from the police or environmental health will licensing authorities be able to insist that relevant conditions from the licence also apply for the duration of the temporary event notice and that regulations will stipulate the process, format and timescales for notifying applicants of the conditions.
I was glad to hear my noble friend’s comment about standard conditions. We know the view of the Local Government Association on this matter. It has briefed noble Lords that a more transparent and less burdensome approach would be for all existing premises licence conditions to apply automatically, apart from those that will be altered by a temporary event notice, such as hours. Licensing authorities should be given the ability to add appropriate conditions to a temporary event notice. Currently, there is no mechanism for adding controls in unlicensed premises. During the Commons stages, the Government responded that TENs would increase bureaucracy. Bureaucracy is not always a bad thing. Some bureaucracy is necessary. Giving authorities an effective tool would give them greater, but not disproportionate, control. Standard conditions would actually reduce bureaucracy.
Secondly, on the time allowance for temporary event notices, I share the LGA’s concern about the extension of the duration to seven days from the current four. Seven days seems to me to be qualitatively different from four. The Bill does not introduce a mechanism whereby unlicensed premises can be conditioned when using a temporary event notice, and the LGA is concerned about the scenario of periods of up to seven days with no conditions on things like closing times, door staff and so on. There would be a qualitative difference, and I think this extension would go too far.