Data (Use and Access) Bill [HL]
Debate between Baroness Kidron and Lord Stevenson of BalmacaraTuesday 10th December 2024
(1 week, 6 days ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-II(a) Amendment for Grand Committee (Supplementary to the Second Marshalled List) - (9 Dec 2024)
Baroness Kidron (CB)
My Lords, I will speak to Amendments 59, 62, 63 and 65 in the name of my noble friend Lord Colville, and Amendment 64 in the name of the noble Lord, Lord Clement-Jones, to which I added my name. I am also very much in sympathy with the other amendments in this group more broadly.
My noble friend Lord Colville set out how he is seeking to understand what the Government intend by “scientific research” and to make sure that the Bill does not offer a loophole so big that any commercial company can avoid data protections of UK citizens in the name of science.
At Second Reading, I read out a dictionary definition of science:
“The systematic study of the structure and behaviour of the physical and natural world through observation, experimentation, and the testing of theories against the evidence obtained”—
i.e. everything. I also ask the Minister if the following scenarios could reasonably be considered scientific. Is updating or improving a new tracking app for fitness, or a bot for an airline, scientific? Is the behavioural science of testing children’s response to persuasive design strategies in order to extend the stickiness of commercial products scientific? These are practical scenarios, and I would be grateful for an answer in order to understand what is in and out of the scope of the Bill.
When I raised Clause 67 at a briefing meeting, it was said that it was, as my noble friend Lord Colville suggested, just housekeeping. The law firm Taylor Wessing suggests that what can
“‘reasonably be described as scientific’ is arguably very wide and fairly vague, so it will be interesting to see how this is interpreted, but the assumption is that it is intended to be a very broad definition”.
Each of the 14 law firm blogs and briefings that I read over the weekend described it variously as loosening, expanding or broadening. Not one suggested that it was a tightening and not one said that it was a no-change change. As we have heard, the European Data Protection Supervisor published an opinion stating that
“scientific research is understood to apply where … the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests”.
When the Minister responds, perhaps she could say whether the particular scenarios I have set out fall within the definition of scientific and why the Government have failed to reflect the critical clarification of the European Data Protection Supervisor in transferring the recital into the Bill.
I turn briefly to Amendment 64, which would limit the use of children’s personal data for the purposes of research and education by making it subject to a public interest requirement and opt-in from the child or a parent. I will speak in our debate on a later grouping to amendments that would enshrine children’s right to higher protection and propose a comprehensive code of practice on the use of children’s data in education, which is an issue of increasing scandal and concern. For now, it would be good to understand whether the Government agree that education is an area of research where a public interest requirement is necessary and appropriate and that children’s data should always be used to support their right to learn, rather than to commoditise them.
During debate on the DPDI Bill, a code of practice on children’s data and scientific research was proposed; the Minister added her name to it. It is by accident rather than by design that I have failed to lay it here, but I will listen carefully to the Minister’s reply to see whether children need additional protections from scientific research as the Government now define it.
Lord Stevenson of Balmacara (Lab)
My Lords, I have in subsequent groups a number of amendments that touch on many of the issues that are raised here, so I will not detain the Committee by going through them at this stage and repeating them later. However, I feel that, although the Government have had the best intentions in bringing forward a set of proposals in this area that were to update and to bring together rather conflicting and difficult pieces of legislation that have been left because of the Brexit arrangements, they have managed to open up a gap between where we want to be and where we will be if the Bill goes forward in its present form. I say that in relation to AI, which is a subject requiring a lot more attention and a lot more detail than we have before us. I doubt very much whether the Government will have the appetite for dealing with that in time for this Bill, but I hope that at the very least—it would be a minor concession at this stage—they will commit at the Dispatch Box to seeking to resolve these issues in the legislation within a very short period because, as we have heard from the arguments made today, it is desperately needed.
More importantly, if, by bringing together documentation that is thought to represent the current situation, either inadvertently or otherwise, the Government have managed to open up a loophole that will devalue the way in which we currently treat personal data—I will come on to this when I get to my groups in relation to the NHS in particular—that would be a grievous situation. I hope that, going forward, the points that have been made here can be accommodated in a statement that will resolve them, because they need to be resolved.
Data (Use and Access) Bill [HL]
Debate between Baroness Kidron and Lord Stevenson of BalmacaraTuesday 3rd December 2024
(2 weeks, 6 days ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-I(a) Amendments for Grand Committee (Supplementary to the Marshalled List) - (3 Dec 2024)
Baroness Kidron (CB)
My Lords, I support the amendments in the name of the noble Lord, Lord Clement-Jones. I perhaps did not say it at the beginning of my remarks on this section, but I fully support the Government’s efforts to create a trust framework. I think I started with criticism rather than with the fact that this is really important. Trust is in the name and if we cannot trust it, it is not going to be a trust framework. It is important to anticipate and address the likelihood that some will seek to abuse it. If there are not sufficient consequences for abusing it, I do not understand quite how we can have the level of trust needed for this to have wide adoption.
I particularly want to say that good systems cannot rely on good people. We know that and we see it. We are going to discuss it later in Committee, but good systems need checks and balances. In relation to this set of amendments, we need a disincentive for bad actors to mislead or give false information to government or the public. I am not going to rehearse each amendment that the noble Lord, Lord Clement-Jones, explained so brilliantly. The briefing on the trust framework is a very important one for us all. The amount of support there is for the idea, and the number of questions about what it means and how it will work, mean that we will come back to this if we do not have a full enough explanation of the disincentives for a bad actor.
Lord Stevenson of Balmacara (Lab)
My Lords, I support these amendments and applaud the noble Lord, Lord Clement-Jones, for his temerity and for offering a variety of choices, making it even more difficult for my noble friend to resist it.
It has puzzled me for some time why the Government do not wish to see a firm line being taken about digital theft. Identity theft in any form must be the most heinous of crimes, particularly in today’s world. This question came up yesterday in an informal meeting about a Private Member’s Bill due up next Friday on the vexed question of the sharing of intimate images and how the Government are going to respond to it. We were sad to discover that there was no support among the Ministry of Justice officials who discussed the Bill with its promoter for seeing it progress any further.
At the heart of that Bill is the same question about what happens when one’s identity is taken and one’s whole career and personality are destroyed by those who take one’s private information and distort it in such a way that those who see it regard it as being a different person or in some way involved in activities that the original person would never have been involved in. Yet we hear that the whole basis on which this digital network has been built up is a voluntary one, and the logic of that is that it would not be necessary to have the sort of amendments that are before us now.
I urge the Government to think very hard about this. There must be a break point here. Maybe the meeting that has been promised will help us, but there is a fundamental point about whether in the digital world we can rely on the same protections that we have in the real world—and, if not, why not?
Data (Use and Access) Bill [HL]
Debate between Baroness Kidron and Lord Stevenson of BalmacaraTuesday 19th November 2024
(1 month ago)
Lords ChamberRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts
Lord Stevenson of Balmacara (Lab)
With respect, it is the narrow question that a number of us have raised. Training the new AI systems is entirely dependent on them being fed vast amounts of material which they can absorb, process and reshape in order to answer questions that are asked of them. That information is to all intents and purposes somebody else’s property. What will happen to resolve the barrier? At the moment, they are not paying for it but just taking it—scraping it.
Baroness Kidron (CB)
Perhaps I may come in too. Specifically, how does the data protection framework change it? We have had the ICO suggesting that the current framework works perfectly well and that it is the responsibility of the scrapers to let the IP holders know, while the IP holders have not a clue that it is being scraped. It is already scraped and there is no mechanism. I think we are a little confused about what the plan is.
Online Safety Bill
Debate between Baroness Kidron and Lord Stevenson of BalmacaraThursday 27th April 2023
(1 year, 7 months ago)
Lords ChamberRead Full debate Online Safety Act 2023 View all Online Safety Act 2023 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 87(Rev)-IV Fourth marshalled list for Committee - (27 Apr 2023)
Lord Stevenson of Balmacara (Lab)
My Lords, this group of amendments concerns terms of service. All the amendments either have the phrase “terms of service” in them or imply that we wish to see more use of the phrase in the Bill, and seek to try to tidy up some of the other bits around that which have crept into the Bill.
Why are we doing that? Rather late in the day, terms of service has suddenly become a key fulcrum, under which much of the operations of the activity relating to people’s usage of social media and service functions on the internet will be expressed in relation to how they view the material coming to them. With the loss of the adult “legal but harmful” provisions, we also lost quite a considerable amount of what would have been primary legislation, which no doubt would have been backed up by codes of practice. The situation we are left with, and which we need to look at very closely, is the triple shield at the heart of the new obligations on companies, and, in particular, on their terms of service. That is set out primarily in Clauses 64, 65, 66 and 67, and is a subject to which my amendments largely refer.
Users of the services would be more confident that the Government have got their focus on terms of service right, if they actually said what should be said on the tin, as the expression goes. If it is the case that something in a terms of service was so written and implemented so that material which should be taken down was indeed taken down, these would become reliable methods of judging whether or not the service is the one people want to have, and the free market would be seen to be working to empower people to make their own decisions about what level of risk they can assume by using a service. That is a major change from the way the Bill was originally envisaged. Because this was done late, we have one or two of the matters to which I have referred already, which means that the amendments focus on changing what is currently in the Bill.
It is also true that the changes were not consulted upon; I do not recall there being any document from government about whether this was a good way forward. The changes were certainly not considered by the Joint Committee, of which several of those present were members—we did not discuss it in the Joint Committee and made no recommendation on it. The level of scrutiny we have enjoyed on the Bill has been absent in this area. The right reverend Prelate the Bishop of Oxford will speak shortly to amendments about terms of service, and we will be able to come back to it. I think it would have been appropriate had the earlier amendment in the name of the noble Lord, Lord Pickles, been in this group because the issue was the terms of service, even though it had many other elements that were important and that we did discuss.
The main focus of my speech is that the Government have not managed to link this new idea of terms of service and the responsibilities that will flow from that to the rest of the Bill. It does not seem to fit into the overall architecture. For example, it is not a design feature, and does not seem to work through in that way. This is a largely self-contained series of clauses. We are trying to ask some of the world’s largest companies, on behalf of the people who use them, to do things on an almost contractual basis. Terms of service are not a contract that you sign up to, but you certainly click something—or occasionally click it, if you remember to—by which you consent to the company operating in a particular set of ways. In a sense, that is a contract, but is it really a contract? At the heart of that contract between companies and users is whether the terms of service are well captured in the way the Bill is organised. I think there are gaps.
The Bill does have something that we welcome and want to hold on to, which is that the process under which the risks are assessed and decisions taken about how companies operate and how Ofcom relates to those decisions is about the design and operation of the service—both the design and the operation, something that the noble Baroness, Lady Kidron, is very keen to emphasise at all times. It all starts and ends with design, and the operation is a consequence of design choices. Other noble Baronesses have mentioned in the debate that small companies get it right and so, when they grow, can be confident that what they are doing is something that is worth doing. Design, and operating that design to make a service, is really important. Are terms of service part of that or are they different, and does it matter? It seems to me that they are downstream from the design: something can be designed and then have terms of service that were not really part of the original process. What is happening here?
My Amendments 16, 21, 66DA, 75 and 197 would ensure that the terms of service are included within the list of matters that constitute “design and operation” of the service at each point that it occurs. I have had to go right through the Bill to add it in certain areas—in a rather irritating way, I am sure, for the Bill team—because sometimes we find that what I think should be a term of service is actually described as something else, such as a “a publicly available statement”, whatever that is. It would be an advantage if we went through it again and defined terms of service and made sure that that was what we were talking about.
Amendments 70 to 72, 79 to 81 and 174 seek to help the Government and their officials with tidying up the drafting, which probably has not been scrutinised enough to pick up these issues. It may not matter, at the end of the day, but what is in the Bill is going to be law and we may as well try to get it right as best we can. I am sure the Minister will say we really do not need to worry about this because it is all about risks and outcomes, and if a company does not protect children or has illegal content, or the user-empowerment duties—the toggling—do not work, Ofcom will find a way of driving the company to sort it out. What does that mean in practice? Does it mean that Ofcom has a role in defining what terms of service are? It is not in the Bill and may not reach the Bill, but it is something that will be a bit of problem if we do not resolve what we mean by it, even if it is not by changing the legislation.
If the Minister were to disagree with my approach, it would be quite nice to have it said at the Dispatch Box so that we can look at that. The key question is: are terms of service an integral part of the design and operation of a service and, if so, can we extend the term to make sure that all aspects of the services people consume are covered by adequate and effective terms of service? There is probably going to be division in the way we approach this because, clearly, whether they are terms of service or have another name, the actual enforcement of illegal and children’s duties will be effected by Ofcom, irrespective of the wording of the Bill—I do not want to question that. However, there is obviously an overlap into questions about adults and others who are affected by the terms of service. If you cannot identify what the terms of service say in relation to something you might not wish to receive because the terms of service are imprecise, how on earth are you going to operate the services, the toggles and things, around it? If you look at that and accept there will be pressure within the market to get these terms of service right, there will be a lot of dialogue with Ofcom. I accept that all that will happen, but it would be good if the position of the terms of service was clarified in the Bill before it becomes law and that Ofcom’s powers in relation to those are clarified—do they or do they not have the chance to review terms of service if they turn out to be ineffective in practice? If that is the case, how are we going to see this work out in practice in terms of what people will be able to do about it, either through redress or by taking the issue to court? I beg to move.
Baroness Kidron (CB)
I support these amendments, which were set out wonderfully by the noble Lord, Lord Stevenson. I want to raise a point made on Tuesday when the noble Baroness, Lady Merron, said that only 3% of people read terms of service and I said that 98% of people do not read them, so one of us is wrong, but I think the direction of travel is clear. She also used a very interesting phrase about prominence, and I want to use this opportunity to ask the Minister whether there is some lever whereby Ofcom can insist on prominence for certain sorts of material—a hierarchy of information, if you like—because these are really important pieces of information, buried in the wrong place so that even 2% or 3% of people may not find them.
Data Protection Bill [HL]
Debate between Baroness Kidron and Lord Stevenson of BalmacaraWednesday 10th January 2018
(6 years, 11 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Lord Stevenson of Balmacara
My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
Baroness Kidron (CB)
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.