(8 months ago)
Grand CommitteeI reject the characterisation of Clause 14 or any part of the Bill as loosening the safeguards. It focuses on the outcomes and by being less prescriptive and more adaptive, its goal is to heighten the levels of safety of AI, whether through privacy or anything else. That is the purpose.
On Secretary of State powers in relation to ADM, the reforms will enable the Government to further describe what is and is not to be taken as a significant effect on a data subject and what is and is not to be taken as meaningful human—
I may be tired or just not very smart, but I am not really sure that I understand how being less prescriptive and more adaptive can heighten safeguards. Can my noble friend the Minister elaborate a little more and perhaps give us an example of how that can be the case?
Certainly. Being prescriptive and applying one-size-fits-all measures for all processes covered by the Bill encourages organisations to follow a process, but focusing on outcomes encourages organisations to take better ownership of the outcomes and pursue the optimal privacy and safety mechanisms for those organisations. That is guidance that came out very strongly in the Data: A New Direction consultation. Indeed, in the debate on a later group we will discuss the use of senior responsible individuals rather than data protection officers, which is a good example of removing prescriptiveness to enhance adherence to the overall framework and enhance safety.
(8 months ago)
Grand CommitteeI agree with the noble Baroness, but with one rider. We will keep coming back to the need for children to have a higher level of data protection than adults, and this is but one of many examples we will debate. However, I agree with her underlying point. The reason why I support removing both these clauses is the hubris of believing that you will engage the electorate by bombarding them with things they did not ask to receive.
A fair number of points were made there. I will look at ages under 16 and see what further steps, in addition to being necessary and proportionate, we can think about to provide some reassurance. Guidance would need to be in effect before any of this is acted on by any of the political parties. I and my fellow Ministers will continue to work with the ICO—
I thank my noble friend Lady Harding for moving this important amendment. I also thank the cosignatories—the noble Lords, Lord Clement-Jones and Lord Black, and the noble Baroness, Lady Jones. As per my noble friend’s request, I acknowledge the importance of this measure and the difficulty of judging it quite right. It is a difficult balance and I will do my best to provide some reassurance, but I welcomed hearing the wise words of all those who spoke.
I turn first to the clarifying Amendments 27 and 32. I reassure my noble friend Lady Harding that, in my view, neither is necessary. Clause 11 amends the drafting of the list of cases when the exemption under Article 14(5) applies but the list closes with “or”, which makes it clear that you need to meet only one of the criteria listed in paragraph (5) to be exempt from the transparency requirements.
I turn now to Amendments 28 to 34, which collectively aim to expand the grounds of disproportionate effort to exempt controllers from providing certain information to individuals. The Government support the use of public data sources, such as the OER, which may be helpful for innovation and may have economic benefits. Sometimes, providing this information is simply not possible or is disproportionate. Existing exemptions apply when the data subject already has the information or in cases where personal data has been obtained from someone other than the data subject and it would be impossible to provide the information or disproportionate effort would be required to do so.
We must strike the right balance between supporting the use of these datasets and ensuring transparency for data subjects. We also want to be careful about protecting the integrity of the electoral register, open or closed, to ensure that it is used within the data subject’s reasonable expectations. The exemptions that apply when the data subject already has the information or when there would be a disproportionate effort in providing the information must be assessed on a case-by-case basis, particularly if personal data from public registers is to be combined with other sources of personal data to build a profile for direct marketing.
These amendments may infringe on transparency—a key principle in the data protection framework. The right to receive information about what is happening to your data is important for exercising other rights, such as the right to object. This could be seen as going beyond what individuals might expect to happen to their data.
The Government are not currently convinced that these amendments would be sufficient to prevent negative consequences to data subject rights and confidence in the open electoral register and other public registers, given the combination of data from various sources to build a profile—that was the subject of the tribunal case being referenced. Furthermore, the Government’s view is that there is no need to amend Article 14(6) explicitly to include the “reasonable expectation of the data subjects” as the drafting already includes reference to “appropriate safeguards”. This, in conjunction with the fairness principle, means that data controllers are already required to take this into account when applying the disproportionate effort exemption.
The above notwithstanding, the Government understand that the ICO may explore this question as part of its work on guidance in the future. That seems a better way of addressing this issue in the first instance, ensuring the right balance between the use of the open electoral register and the rights of data subjects. We will continue to work closely with the relevant stakeholders involved and monitor the situation.
I wonder whether I heard my noble friend correctly. He said “may”, “could” and “not currently convinced” several times, but, for the companies concerned, there is a very real, near and present deadline. How is my noble friend the Minister suggesting that deadline should be considered?
On the first point, I used the words carefully because the Government cannot instruct the ICO specifically on how to act in any of these cases. The question about the May deadline is important. With the best will in the world, none of the provisions in the Bill are likely to be in effect by the time of that deadline in any case. That being the case, I would feel slightly uneasy about advising the ICO on how to act.
Yes. I repeat that I very much recognise the seriousness of the case. There is a balance to be drawn here. In my view, the best way to identify the most appropriate balancing point is to continue to work closely with the ICO, because I strongly suspect that, at least at this stage, it may be very difficult to draw a legislative dividing line that balances the conflicting needs. That said, I am happy to continue to engage with noble Lords on this really important issue between Committee and Report, and I commit to doing so.
On the question of whether Clause 11 should stand part of the Bill, Clause 11 extends the existing disproportionate effort exemption to cases where the controller collected the personal data directly from the data subject and intends to carry out further processing for research purposes, subject to the research safeguards outlined in Clause 26. This exemption is important to ensure that life-saving research can continue unimpeded.
Research holds a privileged position in the data protection framework because, by its nature, it is viewed as generally being in the public interest. The framework has various exemptions in place to facilitate and encourage research in the UK. During the consultation, we were informed of various longitudinal studies, such as those into degenerative neurological conditions, where it is impossible or nearly impossible to recontact data subjects. To ensure that this vital research can continue unimpeded, Clause 11 provides a limited exemption that applies only to researchers who are complying with the safeguards set out in Clause 26.
The noble Lord, Lord Clement-Jones, raised concerns that Clause 11 would allow unfair processing. I assure him that this is not the case, as any processing that uses the disproportionate effort exemption in Article 13 must comply with the overarching data protection principles, including lawfulness, fairness and transparency, so that even if data controllers rely on this exemption they should consider other ways to make the processing they undertake as fair and transparent as possible.
Finally, returning to EU data adequacy, the Government recognise its importance and, as I said earlier, are confident that the proposals in Clause 11 are complemented by robust safeguards, which reinforces our view that they are compatible with EU adequacy. For the reasons that I have set out, I am unable to accept these amendments, and I hope that noble Lords will not press them.
My Lords, I am not quite sure that I understand where my noble friend the Minister is on this issue. The noble Lord, Lord Clement-Jones, summed it up well in his recent intervention. I will try to take at face value my noble friend’s assurances that he is happy to continue to engage with us on these issues, but I worry that he sees this as two sides of an issue—I hear from him that there may be some issues and there could be some problems—whereas we on all sides of the Committee have set out a clear black and white problem. I do not think they are the same thing.
I appreciate that the wording might create some unintended consequences, but I have not really understood what my noble friend’s real concerns are, so we will need to come back to this on Report. If anything, this debate has made it even clearer to me that it is worth pushing for clarity on this. I look forward to ongoing discussions with a cross-section of noble Lords, my noble friend and the ICO to see if we can find a way through to resolve the very real issues that we have identified today. With that, and with thanks to all who have spoken in this debate, I beg leave to withdraw my amendment.
(8 months, 1 week ago)
Grand CommitteeCan I add to that question? Is my noble friend the Minister also saying that there is no risk of companies misinterpreting the Bill’s intentions and assuming that this might be some form of diminution of the protections for children?
In answer to both questions, what I am saying is that, first, any risk of misinterpreting the Bill with respect to children’s safety is diminished, rather than increased, by the Bill. Overall, it is the Government’s belief and intention that the Bill in no way diminishes the safety or privacy of children online. Needless to say, if over the course of our deliberations the Committee identifies areas of the Bill where that is not the case, we will absolutely be open to listening on that, but let me state this clearly: the intent is to at least maintain, if not enhance, the safety and privacy of children and their data.
(10 months ago)
Grand CommitteeBefore my noble friend answers that, can he shed some light on which stakeholders feel that this is unclear?
I cannot give a full account of the individual stakeholders right now; I am happy to ask the department to clarify further in that area. My contention is that the effect of the two sentences are the same, with the new one being clearer than the old one. I am very happy to continue to look at that and listen to the arguments of noble Lords, but that is the position. Personally, when I look at the two sentences, I find it very difficult to discern any difference in meaning between them. As I say, I am very happy to receive further arguments on that.
With respect to the participative arrangements by which a decision is reached around, for example, a conduct requirement, during the period of conduct requirement design, and during the decision-making period, it is, as my noble friend Lord Lansley has stated, highly to be expected that firms will make representations about the consumer benefits of their product. During a breach investigation, on the other hand, later on in the process, a consumer benefits exemption can be used as a safeguard or defence against a finding of breach.
Sorry, but there were so many questions that I have completely lost track. Perhaps the noble Baroness, Lady Kidron, will restate her question.
(10 months, 1 week ago)
Grand CommitteeMy Lords, as we start this phase of the Bill, I declare my interests, in particular my husband’s close involvement with the Bill in the other place as the Member of Parliament for Weston-super-Mare. We rarely get involved in the same issues at the same time, but in this case we are.
Like other noble Lords, I am keen to see this Bill reach the statute book, but also keen to ensure that we minimise the degree of legal ambiguity. I thank the many companies that have given us briefings in advance of Committee, but note how many of them have felt incredibly uncomfortable in doing so and have sworn us all to secrecy about having even been talking to us in private, for fear that their commercial relationships will be prejudiced. We must recognise the enormous commercial power that the companies that this Bill aims to regulate already exert. Making sure that the Bill is clear, and that we are not inadvertently creating legal loopholes, is probably the most important thing that we will do in this House as we give it the degree of scrutiny that we like to give here.
Loopholes do not need to be permanent. If you have already got large market power, loopholes just need to slow the process down. When I ran a challenger business competing against a very large incumbent in telecoms, BT, we used to say all the time that BT’s regulatory strategy was to walk backwards slowly—I think that was even said in public, about 20 years ago. That was its strategy.
This is exactly what the big technology companies are doing worldwide. They know that regulation is coming to this sector but are walking backwards as slowly as they can. We see this very clearly with the EU’s Digital Markets Act where, so far, every potential SMS-equivalent firm has challenged its designation through every stage of the courts that it can. We should go into this Committee with our eyes wide open that that is exactly what will happen with this legislation as well. Giving clarity wherever possible will therefore be essential.
With that in mind, I support Amendments 1, 3, 4, 5 and 6 in their endeavour to give clarity on two important issues: first, whether the CMA can use work that it has already done; and, secondly, that it is impossible to have clarity about what will happen in technology markets over the next five years. Does my noble friend the Minister agree that it is important that the Bill gives clarity on those two issues? If the amendments as currently drafted do not achieve that, what can we do to ensure that we do not look with horror in a few years’ time when each SMS designation is in a JR, with technology companies challenging the CMA’s ability to use historic work or its lack of crystal ball-gazing, which will inevitably have come about?
I also have considerable sympathy with Amendment 7 from the noble Viscount, Lord Colville. We will come to the question of the Secretary of State’s powers in a number of parts of this Bill. In this case, I can see why we should be worried about the ability of individual companies—this is only from the media—with regulatory lobbying budgets of at least $1 billion to influence a single person because, however moral and upstanding they are, it is likely to be quite great. I have some sympathy with the amendment, but the requirement for a Secretary of State decision via the affirmative process is the strongest parliamentary scrutiny available to us. Does my noble friend acknowledge that this is a potential risk? If it is, what additional safeguards would he suggest if he does not like the removal of this power? I recognise that it is possible that we have not captured all the reasons why you might not want to designate a firm as having strategic market status.
We will come back to these issues again and again in our many days together in this Room, because this is really about giving clarity of intent. Will my noble friend confirm that he shares the intent of these amendments?
My Lords, I am pleased to speak on this first day of Committee and thank all noble Lords for their continued and valued engagement on the DMCC Bill, which, as many noble Lords have observed, will drive innovation, grow the economy and deliver better outcomes for consumers. I am grateful for noble Lords’ continued scrutiny and am confident that we will enjoy a productive debate.
I start by briefly speaking to government Amendments 11 and 12, which I hope noble Lords will support. They make the strategic market status notice provisions consistent by obliging the Competition and Markets Authority to provide reasons for its decision not to designate a firm following an initial SMS investigation.
I turn to Amendment 1, tabled by the noble Baroness, Lady Jones of Whitchurch. The amendment seeks to ensure that the CMA will be able to use, in its SMS investigations, previous analysis undertaken in related contexts. I agree entirely that the CMA should not have to repeat work that it has already done and should be able to draw on insights from previous analysis when carrying out an SMS investigation, when it is appropriate and lawful to do so.
I offer some reassurance to the noble Baroness that the Bill as drafted permits the CMA to rely on evidence that it has gathered in the past, so long as it is appropriate and lawful to do so. As she highlighted, a strength of the regime is the flexibility for the CMA to consider different harms in digital markets. I suspect that this is a theme that we will return to often in our deliberations, but being prescriptive about what information the CMA can rely on risks constraining the broad discretion that we have built into the legislation.
Amendments 3, 4, 5 and 6, tabled by the noble Lord, Lord Clement-Jones, would make it explicit that the CMA must consider currently available evidence of expected or foreseeable developments when assessing whether a firm holds substantial and entrenched market power in a digital activity. Amendment 3 would remove the duty for the CMA to consider such developments over a five-year period. The regime will apply regulation to firms for a five-year period; it is therefore appropriate that the CMA takes a forward look over that period to assess whether a firm’s market power is substantial and entrenched, taking account of expected or foreseeable developments that might naturally reduce the firm’s market power, if it were not designated.
Without an appropriate forward look, there is a risk that designation results in firms facing disproportionate or unnecessary regulation that harms innovation and consumers. However, the CMA will not be required to prove that a firm will definitely have substantial and entrenched market powers for the next five years—indeed, that would be impossible. The CMA will have to give reasons for its decisions to designate firms and support any determination with evidence. As a public body, it will also be subject to public law principles, which require it to act reasonably and take into account relevant considerations. Therefore, in our view, these amendments are not necessary.
Amendment 7, tabled by the noble Viscount, Lord Colville of Culross, seeks to remove the power for the Secretary of State to amend by regulations subject to the affirmative procedure the conditions to be met for the CMA to establish a position of strategic significance. I recognise, first, that Henry VIII powers should be used in legislation only when necessary. To the point raised by my noble friend Lady Harding, I also recognise the importance of limiting the scope for too much disputation around this and for too many appeals. In this case, however, the power helps to ensure that the regime can adapt to digital markets that evolve quickly and unpredictably.
Changes in digital markets can result from developments in technology, business models, or a combination of both. The rapid pace of evolution in digital markets, to which many have referred, means that the CMA’s current understanding of power in these markets has changed over the past decade. The concept of strategic significance may therefore also need to evolve in future, and the conditions to be updated quickly, so that the regime remains effective in addressing harms to competition and consumers effectively. The affirmative resolution procedure will give Parliament the opportunity to scrutinise potential changes. It will provide a parliamentary safeguard to ensure that the criteria are not watered down, and should address the noble Lord’s concerns regarding lobbying. For these reasons, I believe that it is important to retain this power.
I thank noble Lords for raising those points. My response to them both is that the key is that we are trying to set a balance between the workloads—the work that has to be performed by the regulator—and the benefit of that work for competition. We can certainly come up with examples. I shared the example of how many app developers there are and how many of them would have to exchange information with the regulator, but perhaps it would be more helpful to the Committee if I committed to giving a slightly deeper analysis of what the CMA estimates would be the time consumed on such activities and why we are concerned that it would have the potential to detract from the core basis of its mission.
The challenger app developers are, in essence, the customers here, so I am quite worried that I think I am hearing that the regulator cannot cope with customer feedback, whereas that is probably the most important feedback in its process. We are looking for a way of enshrining that in the legislation that does not create some overwhelming burden. To say that customers will overwhelm the regulator with feedback is back to front: they are the people that the competition regulator should most want to hear from.
In that example, I would cast the app developers as participants in the ecosystem and the customers as the users of the app, but that is perhaps an ontological problem. Perhaps the most straightforward thing, to satisfy the Committee’s concerns that we are not idly throwing out the possibility of an overworked regulator, would be to provide the Committee with a greater analysis of why we believe we have to be careful with what information we ask them to exchange with interested parties to avoid the situation in which the paperwork exceeds the value work.