(2 years, 6 months ago)
Lords Chamber
My Lords, Amendment 16 proposes a statutory defence for ethical hackers. I am grateful to the noble Lord, Lord Clement-Jones, and to the CyberUp campaign, for their help. Again, I declare my interests as chairman of the Information Assurance Advisory Council, chairman of the Thales UK advisory panel and chairman of Electricity Resilience Limited.
The Computer Misuse Act 1990 criminalised unauthorised access to computer systems. The methods used by cybercriminals and cybersecurity professionals are often identical, which is one of the things that makes the drafting of this amendment rather problematic. Usually, criminals do not have permission for what they do, and cybersecurity professionals do, but I am told by the CyberUp campaign that there are occasions on which that permission is difficult or impossible for a cybersecurity professional to get.
At Second Reading, I cited the case of Rob Dyke, who has been through a legal tussle with the Apperta Foundation, which has since been in touch with me to put its side of the story. It is clear that it feels strongly that it was right to pursue Mr Dyke until he gave undertakings that allowed it to drop its litigation. I do not know the rights and wrongs of that, but the Apperta Foundation supports the principles put forward by CyberUp for a legal defence for offences under the Computer Misuse Act.
In any event, the Government are carrying out a review into the 1990 Act. CyberUp’s submission to it sets out that many in the cybersecurity profession do not know whether what they are doing is legal. This is because legislation in 1990 came in before much of what now happens with computers had been thought of—so it inevitably created ambiguities. In the 1990 Act, no consideration was given—I remember because I was there—to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.
This is why there needs to be certainty for cybersecurity researchers; they need to be able to do things for the public good. We cannot rely on the National Cyber Security Centre for everything, because even the Government cannot keep up with the speed of technological development, as has been mentioned. The CyberUp campaign recognises that legislation also cannot keep up with the speed of change, so it has helped with drafting this amendment not with a view to seeing it enacted—my noble friend will resist it for a number of good reasons—but with a view to eliciting from the Government a statement about how they are getting on with this aspect of the review of the Computer Misuse Act.
One suggestion that the CyberUp campaign makes is that
“legislation to mandate the courts to ‘have regard to’ Home Office or Department for Digital, Culture, Media and Sport … guidance on applying a statutory defence that would, ideally, be based on the framework”
of principles. This includes, first, the prospective benefits of the Act outweighing the prospective harms; secondly, reasonable steps being undertaken to minimise the “risks of causing harm”; thirdly, the actor demonstrably acting “in good faith”; and fourthly, the actor being “able to demonstrate … competence”. Here we may come back to the standards/principle discussion that we had on the first group.
So I expect my noble friend to reject this amendment, but I should be grateful if he could say where the Government’s thinking on the matter is.
My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.
The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.
Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.
Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.
If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.
I am very grateful to my noble friend Lord Arbuthnot of Edrom for representing the other three signatories to this amendment. I was glad to meet him and the noble Lord, Lord Clement-Jones, to discuss this yesterday.
The role of security researchers in identifying and reporting vulnerabilities to manufacturers is vital for enhancing the security of connectable products. The good news is that many manufacturers already embrace this principle, but there are also some products on the market, often repackaged white label goods, where it is not always possible to identify the manufacturer or who has the wherewithal to fix a fault. The Bill will correct that.
As noble Lords have noted, there are legal complexities to navigate when conducting security research. The need to stop, pause and consider the law when doing research is no bad thing. The Government and industry agree that the cybersecurity profession needs to be better organised. We need professional standards to measure the competence and capabilities of security testers, as well as the other 15 cybersecurity specialisms. All of these specialists need to live by a code of professional ethics.
That is why we set up the UK Cyber Security Council last year as the new professional body for the sector. Now armed with a royal charter, the council is building the necessary professional framework and standards for the industry. Good cybersecurity research and security testing will operate in an environment where careful legal and regulatory considerations are built into the operating mode of the profession. We should be encouraging this rather than creating a route to allow people to sidestep these important issues.
As noble Lords have rightly noted, the issues here are complex, and any legislative changes to protect security researchers acting in good faith run the risk of preventing law enforcement agencies and prosecutors being able to take action against criminals and hostile state actors—the goodies and baddies as the noble Earl, Lord Erroll, referred to them. I know my noble friend’s amendment is to draw attention to this important issue. As drafted, it proposes not requiring persons to obtain consent to test systems where they believe that consent would be given. That conflicts with the provisions of the Computer Misuse Act, which requires authorisation to be given by the person entitled to control access. As the products that would be covered by this defence include products in use in people’s homes or offices, we believe that such authorisation is essential. The current provisions in the Computer Misuse Act make it clear that such access is illegal, and we should maintain that clarity to ensure that law enforcement agencies do not have to work with conflicting legislation.
The amendment would also limit the use of such a defence as testers would still be subject to the legal constraints that noble Lords have described when reporting any vulnerability that the Government have not banned through a security requirement. If a new attack vector was identified that was not catered for by the security requirements, the proposed defences would have no effect. The amendment would not protect those testing products outside the scope of this regime, from desktop computers to smart vehicles. If we consider there to be a case for action on this issue, the scope of that action should not be limited to the products that happen to be regulated through this Bill. None the less, the Government are listening to the concerns expressed by the CyberUp Campaign, which have been repeated and extended in this evening’s debate.
The Home Secretary announced a review of the Computer Misuse Act last year. As my noble friend noted, the Act dates back to 1990. I do not want to stress too much its antiquity as I am conscious that he served on the Bill Committee for it in another place. His insight into the debates that went into the Bill at the time and the changes that have taken place are well heard. The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office. It is being actively worked on and the Home Office hopes to provide an update in the summer.
I hope, in that context, that noble Lords will agree that it would be inappropriate for us to pre-empt that work before the review is concluded and this complex issue is properly considered. With that, I hope my noble friend will be content to withdraw his amendment.
My Lords, I was six at the time. It has been a useful debate and I thank all those who have taken part. I am particularly grateful to my noble friend Lady Neville-Jones, who made it quite plain that we understand the problems in the way of the Government in legislating on this but we are getting impatient. With everything that is going on in the world, out-of-date cybersecurity legislation is becoming more dangerous day by day. That said, I beg leave to withdraw the amendment.
(2 years, 6 months ago)
Lords Chamber
My Lords, for a technical Bill, this has been a fascinating and most enjoyable debate. I am lucky to follow my noble friend Lady McIntosh, whose comments on the rural economy are always of genuine importance. The Bill addresses two important matters, both arising from market failures. The first is the security of the internet of things. That is what I want to concentrate on. The second, a highly polarised dispute between mobile providers and landowners, has been dealt with by noble Lords much more expert than me.
I will therefore concentrate on the internet of things, which opens up huge opportunities and huge vulnerabilities. I declare my interests as chairman of the Information Assurance Advisory Council, chair of the Thales UK advisory board and chairman of Electricity Resilience Ltd. I am also on the advisory panel of the Electric Infrastructure Security Council in the United States.
For a long time, I have hoped that we might be able to come up with a security solution driven by market forces. How wonderful it would be if the market required product manufacturers to make goods that were secure—actually, if the market required companies to have a secure and resilient infrastructure of governance. If anybody could come up with a business plan to achieve that, they would be able to name their price for it, but experience shows us that this is an area of market failure. A company that spends little money on secure products or secure practices is able to sell those products or services more cheaply than those that take security and resilience seriously. Therefore, this is a field in which the Government have to help so that every product manufacturer has to be put on a level basis and everyone can block a hole in our collective security that would otherwise invite attack from malign actors.
These vulnerabilities are indeed serious. A blogger named Jeff Jarmoc once said:
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
I am not sure whether internet-connected toasters exist and I cannot think why anybody would want one, but the point remains. The internet is fundamentally insecure because its security model is end-to-end. It was supposed to be a basic tube for a research network for a small group of trustworthy experts—a tube connecting smart devices—but it expanded too far and too fast, and many devices attached to the internet today are not smart at all. Even when they are smart, users can undo their security with unsmart passwords including the ones assigned at the factory and contained in the instruction booklets, which are available online.
There is a problem here. Mankind will do almost anything for convenience. In the Bill, which I very much welcome, we need to cater for those moments when multiple engineers will need to have access to an internet-connected system. They will need to know what to do when something goes wrong, and often they will need to be quick about it to avoid disaster. Without the Bill, often a default password would be the solution to that problem; with the Bill, organisations will have to come up with new ways of addressing it. We also need to cater for that large mass of the population who are neither expert nor in the slightest bit interested in security. Why would I buy a secure internet-connected toaster if I know nothing about security and can get a cheaper one that is not secure?
I note the Government’s intention that
“manufacturers and others should implement a security vulnerability disclosure policy to ensure that such weaknesses are monitored, identified, rectified and reported to stakeholders”,
but I am not sure this works. GDPR, another welcome bit of legislation, to which my noble friend Lord Hunt referred briefly, requires companies to tell you what their cookies are doing, but how many of your Lordships read the terms and conditions you sign up to regularly? I do not, and I bet that not even my noble friend Lord Vaizey reads them. We need the products themselves to be secure by design, in exactly the same way as cars nowadays make it easier for the driver to drive safely.
I make one final point, raised with me by the CyberUp Campaign, and touched on by my noble friends Lord Vaizey and Lord Holmes. The vulnerabilities that I have been talking about mean that cybersecurity researchers need to be encouraged to look for and disclose those vulnerabilities. The Government’s response to the consultation on these proposals mentions the importance of legal certainty for these security researchers. But the CyberUp Campaign suggests that, without a statutory defence in the Computer Misuse Act—and I remember taking part in Committee during the passage of that Act more than two decades ago, in another place—
Three—well, that is also more than two decades ago. Cybersecurity researchers can still face spurious legal action for reporting a vulnerability to a company. They cite as an example Rob Dyke and his civil legal battle with the Apperta Foundation. They suggest that the Government should go further to reform the Computer Misuse Act and put in law a basis from which cybersecurity researchers can defend themselves. I should be grateful if the Minister, who introduced this Bill with such eloquence, could, in winding up, say something about the Government’s thinking on this.
I welcome this Bill and look forward to its further progress in your Lordships’ House.
(7 years ago)
Lords Chamber
My Lords, I am glad to support Amendment 7 and the related amendments in the name of my noble friend Lady Kidron. Like others, I commend her for her perseverance and commitment in ensuring that we see children flourish as they grow from the early years of digital interaction to adulthood.
In 2010, the annual Ofcom media report made no mention of tablet computers. In 2017, 21% of three year-olds have their own tablet. This is the world in which our children are growing up. We use the global term “children” easily, which under the United Nations Convention on the Rights of the Child means a person under the age of 18. As those years encompass such diverse development, the Information Commissioner has a considerable challenge ahead to identify design suitable to cover all those needs. I for one wish her well.
As I have made clear on many occasions, I am for positive use of the internet by children, and for resources which help parents raise their children in the digital age. With that preface in mind, I would like to ask some questions about these amendments to clarify the intentions and the way forward.
First, during the debates we have had on Clause 8, we have talked about children aged between 13 and 16. Amendment 109 refers to a code being developed for sites,
“which are likely to be accessed by children”.
I hope that my noble friend and the Minister will clarify which age group we are referring to, since there is no definition of children in the Bill but the terms “child” and “children” are used in the headings of Clauses 8 and 191, where the relevant age of the child is 13 and 12 respectively. As Amendment 109 refers to the UNCRC, I assume that the intention is that the age-appropriate design code of practice will cover all children up to the age of 18. However, it would be very helpful for a definition of children to be included in the relevant clauses so that there is no uncertainty.
Secondly, I hope that there will be clarification of which sites will fall within the requirements of the code. Clearly, the expectation is that the code will go beyond sites which would require the consent of children, but will it apply only to sites whose primary intention is to reach children? For instance, in the last couple of weeks, Facebook has launched a chat app for children who are not old enough to be signed up to Facebook. The new app is aimed at six to 12 year-olds. Will the new code apply just to this app or to the version of Facebook that permits access by those aged 13 and above as well?
On 23 November, this House discussed online problem gambling. A number of interventions were made by noble Lords on online gambling sites that have games involving cartoon characters which look similar to characters in children’s TV, and most certainly appeal to children. When the Times reported on these games, the chief executive of the Remote Gambling Association said that companies were not deliberately targeting children but that some nostalgic games might inadvertently be attractive to them. I hope that the position of these sites under the code, which in theory should not be accessible to children but clearly are, will also be addressed.
Thirdly, how will sites complying with the age-appropriate design be obvious to parents, especially to parents who consent to their child’s use of any data? In this context, will the new code be incorporated into the next draft of the Internet Safety Strategy? Finally, how will the code be enforced? Without some good enforcement mechanism, it is likely that it will not have as wide-reaching an impact as this House hopes that it will.
These amendments have come at a late stage in our consideration of this Bill. I look forward to hearing what my noble friend and the Minister have to say in response to my questions. I hope that the other place will continue to reflect on the proposal before us today and refine it if necessary. I hope too that it will continue to ask questions about whether the digital age of consent of 13 is the most appropriate age, and that there will be satisfactory evidence that 13 is in the best interests of our young people.
The internet puts the world at the fingertips of our children. I commend my noble friend Lady Kidron for working to ensure that children are able to make the most of this amazing resource in a way that supports child development.
My Lords, I thank the noble Baroness, Lady Kidron, for moving these amendments with such incredible clarity that I was able to understand what they were saying. My question follows on from the point made by the noble Baroness, Lady Howe, about how these amendments would be enforced. As the noble Baroness, Lady Jay of Paddington, said in Committee, all these issues arise in an international context. How will the international dimension work with regard to these amendments? I would be concerned if we were to impose rules in this country which might create divergence from the GDPR and hence make it more difficult to achieve the eventual accommodations with the European Union that would allow us to continue to do business with it in the longer term. There is an international dimension to all this and I do not understand how it would work with regard to these amendments.
My Lords, not for the first time in her distinguished career in this House, the noble Baroness, Lady Howe, has asked some pertinent questions, the answers to which I look forward to. First, however, I pay tribute to the noble Baroness, Lady Kidron. It is quite often difficult for a parliamentarian to know whether they have made a difference; we all get swept up in the tide of things. However, I have looked at the Bill as it has moved through both the other place and here, and without her intervention, her perseverance and her articulate exposition of the case, we would not be where we are today. She should take great credit for that.
In some respects, there is a sense of déjà vu. I am glad to see the noble Lord, Lord Puttnam, in his place; I was on his committee 15 years ago which looked at the Communications Act and the implications of what were then new technologies. However, looking back, the truth is that we had only an inkling of the tsunami of technology that was about to hit us and how we would control it. There are some things that we might have done during the passage of that Bill to anticipate some problems that we did not do. However, it is always difficult to know the future. Indeed, of all the things I have had a bit to do with, the creation of Ofcom is one that I take great pride in. For all its problems, Ofcom has proved itself a most effective regulator, and these days it seems that it is asked to do more and more.
That brings us to what is being suggested with the ICO. It is extremely important that the ICO is given the resources, the teeth and the political support to carry out the robust tasks that we are now charging it with. That was not thought of for the ICO when it was first created. We are therefore creating new responsibilities, and we have to will the ends in that respect.
One of the good things about the amendments in the name of the noble Baroness, Lady Kidron, is that this is beginning slightly to impinge on the tech companies—they cannot exist in a kind of Wild West, where anything goes. I think I said at an earlier stage that when I hear people say, “Oh well, the internet is beyond political control and the rule of law”, every fibre of my being as a parliamentarian says, “Oh no it’s not, and we’ll show you that it’s not”. This is a step towards making it clear to the tech companies that they have to step up to the plate and start developing a sense of corporate social responsibility, particularly in the area of the care of children.
(7 years, 1 month ago)
Lords Chamber
My Lords, I speak also to the other amendments in this group. All these amendments are suggested by the Bar Council and stand in my name and those of the noble Lord, Lord Arbuthnot of Edrom, and the noble Baroness, Lady Neville-Rolfe. All concern legal professional privilege, a subject which the Committee and the House have frequently debated. I know I do not need to stress its importance or remind noble Lords—but obviously, I am just about to—that the confidentiality and privilege are those of the client, not the lawyer.
The Bar Council comments that the powers of the commissioner to have access to the information and systems of data controllers should be limited where the data controller is a legal professional or anyone subject to the requirements of client confidentiality and legal professional privilege. It reminded us that there are exceptions in the 1998 Act which deal with this. Legal professional privilege cannot be waived by the lawyer but is subject to contractual or other legal restrictions. In the clauses in question, legal professional privilege seems to be overridden in circumstances where the commissioner considers that she needs to look at the data to perform her functions. Clause 128(1) refers to use or disclosure,
“only so far as necessary for carrying out those functions”—
that is, the commissioner’s functions. I suggest that this is inappropriate given the provisions elsewhere in the Bill which we now seek to amend.
Amendments 161A, 161B, 161C and 161D deal with confidential legal materials which it is proposed should be inserted and covered. These are defined in the last of these four amendments as “materials brought into being”, as distinct from documents which are communicated between an adviser and a client, and thus would be wider, and include materials brought into being,
“for the purpose of establishing, exercising or defending legal rights”,
which is wider than the Bill provides.
The Bill does not contain directions as to the purpose of the guidance on protection of privileged material. Amendment 161C would give a direction to the commissioner as to the purpose. Amendments 162A, 162B, 163ZA and 163ZB would again extend the protection. Clauses 138 and 141 are limited to documents that relate to data protection legislation. These amendments would widen the protection to all documents protected by legal professional privilege.
Clause 138(5) does not cover the right of self-incrimination of other persons, such as the client of a legal representative or a family member of a client, who would not be entitled to rely on privilege. Amendment 162C would widen the class of persons to others. Since the client may well be seeking advice or representation in relation to a matter which might incriminate him, the Bar Council asks us to point out that this is particularly important.
Amendment 163B reflects provisions in Clause 138, on information notices, and in Clause 141, on assessment notices, and extends the restrictions to enforcement notices. The clauses I have mentioned provide that a person is not required to give the commissioner privileged material—I beg your Lordships’ pardon; a bracket has been opened and I am seeking where it closes—in response to such a notice. As I say, this would extend that restriction to enforcement notices.
Finally, on Amendment 164B, professionals may be restricted in providing information to the commissioner in respect of their processing, because of privilege or an obligation of confidentiality, compliance with the Bar code of conduct, or rules or orders of the court. The Bar Council wishes the Committee to be aware that a barrister,
“may wish to disclose information in mitigation or explanation for a breach of the GDPR provisions, but be unable to do so because disclosure would place”,
counsel,
“in breach of professional conduct rules or other confidentiality obligations, or in breach of data protection obligations because it is not possible to obtain consent for”,
the processing.
Compliance with the profession’s rules might have the result of exposing a barrister to a higher penalty to be imposed by the commissioner as a result of that inability, which does not seem fair. The amendment would provide that circumstances of this kind may be taken into account by the commissioner when assessing the penalty by adding a paragraph to the mitigating circumstances in the list. As the Bar Council points out, none of these points would prevent the commissioner effectively carrying out her duties. Even if she were,
“prevented from seeing privileged and confidential material, this … would be a justified and necessary consequence of … proper weight being given to the citizen’s fundamental right to consult a lawyer and to maintain the confidentiality”.
However, if unamended, there could be a conflict between the legal regulators and the commissioner. I beg to move.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practise as a Chancery barrister long ago.
It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.
(7 years, 1 month ago)
Lords Chamber
My Lords, like the noble Baroness, Lady Jones, I understand the issues of fast-changing technology and the fact that it is very hard for primary legislation to keep up. My noble friend Lady Neville-Rolfe has asked me to express her sadness that she is unable to be here today due to a family funeral. I shall speak to the amendments in our name which, like Amendment 24, propose the super-affirmative resolution procedure.
The report by the Delegated Powers Committee speaks eloquently for itself. The arguments have been made already by the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, and I shall not repeat them. Our amendments would do two extra things: they would put the super-affirmative resolution process in the Bill, which would make it a bit clearer—that seems more helpful—and would add a requirement for an updated impact assessment for industry, charities and public authorities. The reason for that is that the Executive could make changes under these powers, including adding a whole new technology to the data protection regime—so an impact assessment, according to my suggestion, would be essential. My noble friend Lady Neville-Rolfe and I would support any call for discussions with the Minister so that we can identify where the super-affirmative procedure should apply.
My Lords, I have two sets of amendments in this group. The first ones are actually amendments to that of the noble Lord, Lord Arbuthnot, because, like him, I think it would be useful, given the range of delegated powers within the Bill, if we wrote the super-affirmative resolution into the Bill. If we do not succeed in greatly reducing the amount of delegated legislation that is permitted under the Bill—although I hope my noble friend Lord Stevenson and others do—we need to treat that delegated legislation when it is brought forward in a way that is more intensive, consultative and engaging than our normal simple affirmative resolutions.
So I support the principle of the amendment of the noble Lord, Lord Arbuthnot, and the noble Baroness, Lady Neville-Rolfe. My Amendments 182A to 182C would simply add an additional dimension. As I read the amendment at the moment, it is emphatic on getting the Government to identify the impact on industry, charities and public bodies. The main point that we are all concerned about is actually the impact on individuals, the data subjects, yet they are not explicitly referred to in the draft of the amendment before us. My three amendments would therefore effectively do two things: first, they would require the Minister to consult data subjects or organisations representing them, such as consumer organisations, as well as those stipulated in the amendment as it stands; and, secondly, they would ensure that the impact assessments related to the impact on individuals as well as on organisations. I hope that the noble Lord would agree to my amendments at whatever point he and the noble Baroness propose to put this to the vote, in which case I could fully support their amendment.
My Amendment 22A is a specific example of the themes that my noble friend Lord Stevenson and the noble Baroness, Lady Jones, have already spelled out. I will not repeat everything they said but it is a particularly egregious form in that it allows the Minister—the noble Baroness, Lady Jones, has already referred to this—to add, vary or omit any safeguard that is in Schedule 1. I particularly object to “omit”. That does not simply mean modifying or tinkering in order to keep up with the technology; rather, it means omitting a serious safeguard that has been put in the Bill during its passage through Parliament.
Since Schedule 1 is pretty wide ranging, this could include issues that related to legal proceedings, crime, taxation, insurance, banking, immigration, public health or indeed any aspect of the public interest. That is a huge range of potential removal of safeguards that would not be subject to the approval of this House through primary legislation. If the safeguards persist and are maintained through the Bill when it eventually emerges, the ability of Ministers to vary them so drastically should be curtailed. I understand that my amendment would be pre-empted if my noble friend Lord Stevenson’s amendments were carried—but if they are not we definitely need to alter that clause.
This is a complex Bill because of the technology and because of the juxtaposition between European legislation and the position we are currently in with regard to it. The Bill is also an exemplar of what we are going to go through in Brexit-related legislation in a much wider sense. We must get right how we deal with delegated legislation post Brexit, and we need to ensure that the Bill is an example and does not concede powers to Henry VIII or indeed to the Minister that we might regret when his successors make use of them later.
(7 years, 1 month ago)
Lords Chamber
My Lords, one of my many character defects is party loyalty. That has led me in the past even to vote against my own amendment, which I will never do again. Today, I have the misfortune to disagree with my party. I will explain briefly why I cannot possibly support the original amendment, which is constitutionally illiterate, or the attempt to rescue it in the manuscript amendment.
The Minister has rightly put on the front page of the Bill his opinion that the Bill is compatible with the convention rights. Those rights include the right to free speech in Article 10 and the right to respect for privacy in Article 8. The Minister could certify in that way because the Bill rightly carries forward from the previous Act journalists’ rights—for example, to protect their sources—which you can find buried away in Schedule 2(5). The Minister was able to do that because we have the Human Rights Act, which requires him to do so, and the European convention, which strikes a balance between free speech and privacy.
I do not understand what on earth the charter has to do with that. As the noble Lord, Lord Faulks, rightly explained in the better part of his speech—the first part—the charter is there as a shield against the abuse of power by EU institutions. Maybe he did not say that, but he would like to have done, I am sure. It is not intended to be a source of rights in parallel with the European convention. The amendment in its original form, and its amended form, seeks to give legal force to one bit of the charter. It squints. It looks at Article 8 of the charter on privacy and data protection, but it does not look at the other bit of the charter that deals with free speech. Then, because it is obvious that the original version was constitutionally illiterate, the manuscript amendment seeks to repair that by saying that it is subject to the exceptions and derogations in the Bill. That is not good enough because it then seeks to give fundamental importance to the right of data protection, as though it were in the Human Rights Act and the European convention, and then it completely fails to explain how on earth any court is meant to reconcile the amendment, if it became law, or the amended amendment, if that became law, with what we already have in the European convention.
I agree with every word of my noble friend Lord Pannick’s speech, and I agree with the first part of the speech by the noble Lord, Lord Faulks. I am afraid I cannot possibly support this amendment. I very much hope that it will be a probe and nothing more at this stage. We are at the beginning of Committee stage. We need to think about some of these issues carefully. If we were now to divide the House and vote to incorporate either version, we would be doing an injustice to the arguments and intelligence of the House.
When I first joined the House, I remember Lord Alexander of Weedon saying to me, “Anthony, you must remember that the House of Lords is not a Court of Appeal; it is essentially a jury”. He was right about that. Most noble Lords, including me, will have understood only half of what was said in some of the original speeches. What is surely clear is that we would be failing in our duty today if we were to amend the very beginning of the Bill at this stage, rather than consider it properly and come back to it at Report.
My Lords, it is a daunting thing to have to follow such an enjoyable speech. I simply say that, as I read Amendment 4 alongside Amendment 4A, it appears that the original opposition amendment had the unintended consequence that it destroyed all the exemptions already contained in the Bill. So Amendment 4A must be an improvement, but I am unclear precisely what is the purpose of Amendment 4A, because it expressly adds the principle of its being subject to all the general provisions of the Bill, so it adds nothing. I hope that we will not be pressed to a Division.
The amendment raises an important question of principle, and one which this House will have to consider further when we scrutinise the European Union (Withdrawal) Bill. One reason why the charter was brought into being was to give visibility to rights which existed elsewhere. As at least some noble Lords will know, I speak with some experience, having spent a number of months involved in the negotiation and conclusion of the European Charter of Fundamental Rights. It was a key aim behind the decision of the European Council at Tampere and Cologne to bring together a group of people to set out in the charter the rights which would affect them, largely in their relations with the EU institutions.
I emphasise the word “visibility”, because the point just made by the noble Lord, Lord Lester, about laypeople not understanding what lawyers say is all too familiar to those of us who are lawyers. It is a very good reason why we should attempt, when we are saying things which are important, to say them in a way which is clear and comprehensible. Both amendments—I shall come to the difference between them as I see it—start by saying that we all have the right to protection of personal data concerning ourselves. That is a very important principle, and one which is very reassuring, whatever the exceptions, derogations and limitations on it may be. That is what the charter sought to do: to make these things clear to everybody.
What are the objections to the amendments? The first is that they do not allow for the exceptions and reservations which apply. The noble Lord, Lord Pannick, referred to the provisions of the charter, which state that all of the rights in the charter, with almost no exception—although there are one or two—can be subject to exceptions and limitations. I agree with the noble Lord about that; that is the position taken in the charter, and rightly so. There is a balance between different rights of different people and of different rights between the citizen and the state.
That is what I understand that Amendment 4A is intended to correct, by making it clear that the general statement of principle, which I still believe is important, is none the less subject to certain exceptions and derogations set out in the Bill. The Bill in Clause 13 and the regulation-making power under Clause 14 provide for the ability to make exceptions, reservations and derogations. I sympathise with the noble Lord, Lord Pannick, when he says that he is not sure, in the time available, whether this will achieve the objective of turning something which he was concerned appeared to be too absolute into something which works. There are ways to deal with that and ensure that further time is available or—this is not for me to say—if my noble friend Lord Stevenson moves the amendment and it is passed, it can be corrected afterwards. But that is a point of timing, albeit an important detail. With respect, it appears to me that what matters is for us to give a clear statement that this principle of data protection applies to all of us.
It is then asked, “Well, what about other provisions in the charter?”. No doubt that is a debate that we will have when we come to the withdrawal Bill. Will those other provisions also be allowed to stand? That will be a matter for this House and the other place when the Government bring forward that Bill. However, there is a need for visibility and for reassurance to all that there will still be a principle of data protection that we will uphold. For that reason, while it is apparent from what I have said that my preference is for Amendment 4A as opposed to Amendment 4, I think that that amendment ought to receive the support of this House.
(7 years, 1 month ago)
Lords Chamber
I am grateful for the noble Baroness’s comments. Something certainly can be done to think more about turnover than the number of employees, otherwise there would be a big loophole, particularly around marketing and being able to set up a company to harvest data, for which the Act would not apply. It could then sell the data on. It would not need very many people at all to pursue that opportunity.
The other thing these amendments allow us to do is ask the Minister to enlighten us a little on his thinking about how the Information Commissioner’s role will develop. In particular, if it is to pursue the sorts of education activities set out in these amendments, how will it be resourced to do so? I know there are some career-limiting aspects for Ministers who promise resources from the Dispatch Box, but the more he can set out how that might work, the more welcome that would be.
My Lords, I declare my interests as a chairman of a charity and of a not-for-profit organisation, and as a director of some small businesses. Having said that, I agree with every word that my noble friend Lady Neville-Rolfe said.
The Association of Accounting Technicians has said that the notion that the GDPR will lead to a €2.3 billion cost saving for the European Union is absurd. I agree. The Federation of Small Businesses has said how a sole trader might have to pay £1,500 for the work needed, and someone with 25 employees might have to pay £20,000. In the Second Reading debate my noble friend Lord Marlesford talked about his parish council rather poignantly. It might be impossible to exempt organisations such as those from European Union regulations. But if that is so, I hope that my noble friend the Minister will say, first, why it is impossible; and, secondly, what we can do to get round and to ameliorate the various different issues raised.
On the duty to advise Parliament of the consequences of the Bill, I said at Second Reading that the regulator cannot issue guidance until the European Data Protection Board issues its guidance. That may not be until spring next year. This leaves businesses, charities and parish councils very little time, first, to make representations to Parliament; secondly, to bring in new procedures; and thirdly, to train the staff they will need. In that short time, organisations will all be competing for very skilled staff. That must push the price of those skilled staff up at a time when these small businesses will find it very difficult to pay.
I look forward with interest to hearing what my noble friend says, and I hope that he will be able to agree to the meeting that my noble friend asked for.
My Lords, I declare an interest as the editor of the Good Schools Guide. We have three employees and we certainly should come under this Act in terms of the data on people and schools that we have in our charge. It is very difficult to find any measure that describes the importance of data that a business holds other than, “How important is the data that you hold?”. Therefore, I look to my noble friend to explain how the Information Commissioner will not take sledgehammers to crack nuts and how they will genuinely look at how important the data you have under your control is and, given that, what efforts you ought to have made. That seems the right criterion to get a system that operates in a human way, where there is a wide element of giving people time to get up to speed and being human in the way you approach people, rather than immediately reaching for the fine.
However, this is important. This is our data. Just because I am dealing with someone small, I do not want them to be free from this. I want to be secure in the thought that if I am dealing with a small company my data is just as safe as if I had been dealing with someone big. I want to encourage small businesses to grow and to be able to reassure their customers that they are every bit as good. They would have terrible trouble having contracts with the NHS and others if they are not up to speed on this.
I do not think that is the way, but I do think we have to understand that this will be very difficult for small businesses. We have to look at how we might construct a set of resources that small businesses can use not only to get up to speed but to stay up to speed, because this is a constant issue. I draw your Lordships’ attention again to what is going on in Plymouth, where both universities, the FE colleges, the schools and the local authority, and a lot of the big businesses, have got together to construct apprenticeships in cybersecurity tailored to small businesses. Expert cybersecurity advice has been made available to small businesses in small chunks, while young people are trained in how to take the right path in cybersecurity rather than wandering off to the point where they get arrested if they visit the United States. There is scope for extending that in areas such as social marketing but also in data protection, where expertise tends to be concentrated in large organisations and a structure is needed that enables small businesses to have ready access to it. We could greatly enhance the employment prospects of a lot of young people, and improve life for our small businesses, if we talked to BEIS and the DfE about tweaking the requirements for apprenticeships to make it rather easier to run them in small businesses.
(7 years, 1 month ago)
Lords Chamber
My Lords, I shall speak only to Amendment 188, and I do so because, as so often, I am confused. In Scotland, a person aged 12 is presumed to have capacity to exercise rights under the Data Protection Act 1998, and that position is perpetuated in the Bill. How does that mesh with the general data protection regulations, which provide that consent to process personal data is lawful below the age of 13 only if given by a parent? I think that is the position and that is why I have tabled my probing amendment. Perhaps my noble friend could explain why Scottish children are so much more mature than English children.
I was persuaded by the view expressed by the noble Baroness, Lady Lane-Fox, at Second Reading when she said that we do not want to bring in lots of new and different laws for 13 year-olds and we need to recognise the reality that children will wish to do what their peers are doing. We do not want to incentivise them to tell lies online. So I am perfectly happy with the Government’s position on the age of 13 and just a bit bewildered about Scotland.
As a Scot I can hardly complain, and I am always bewildered, too—not only about this but about many other things. Our Amendment 17 in this group is also one of bewilderment. Clause 8 is headed:
“Child’s consent in relation to information society services”,
and refers to “preventive or counselling services” not being included. This goes back to an earlier amendment, when we established that these references are actually recitals and not part of the substantive GDPR, so we are back in what is not normative language and issues that we cannot possibly talk about in relation to the wider context because we are talking about the law that will apply.
There are three points that need to be made and I would be grateful if the noble Lord would either respond today or write to me about them. The first is to be clear that the reference to “information society services”, which is defined, has nothing in it that would suggest that it is a problem in relation to the lack of inclusion of preventive or counselling services. The answer is probably a straightforward yes. Secondly, what are the preventive or counselling services that we are talking about? I think the context is that these are meant to exclude any data processing relating to a data subject if the data subject concerned—with parental consent if the subject is younger than 13 and on their own if they are older than 13—who is taking a form of counselling that may be related to health or sexual issues would not be allowed to be included. Is my understanding of that right? I am sure that it is.
Thirdly, could we have a better definition of preventive or counselling services because those are very wide-ranging terms? Yes, they come from a recital and perhaps in that sense they can be tracked back to earlier discussions around the formation of the GDPR, but they have to be applied in this country to situations in real life. I am not sure what a preventive service is and I should like to have it explained. Counselling services I probably do get, but do they include face-to-face counselling or is this about only online counselling services? Is it the same if the child is being accompanied by a parent or guardian? There are other issues that come into this and there is a need for clarity on the point.
While I am on my feet I should like to respond to the amendment moved by the noble Baroness, Lady Howe, who has campaigned long and hard on these issues. We would be bereft if she did not enter into this Bill with all its implications for children, given the wisdom and experience that she brings to the table. The point she makes is one of simple clarity. There is a need to be very careful about the evidence gathering on this issue and it is probably not appropriate for it to be left to Ministers in regulations. There needs to be a wider discussion and debate on the matter, perhaps involving the Children’s Commissioner and other persons with expertise. She has made her point very well and I should like to support it.
(7 years, 2 months ago)
Lords Chamber
My Lords, it is a pleasure to follow the noble Lord and listen to his important comments on health data and particularly consent. I thought how brave he was with his data machine. I would worry that my pearls of wisdom would disappear somewhere into the ether, but luckily that did not happen to him.
This is a welcome and necessary Bill. It is not perfect, but I leap to its defence in at least one respect, namely, the absence of the GDPR regulations themselves from the Bill. On the Government’s website, there is a truly helpful document, the Keeling schedule, which sets out how the GDPR intersects with the text of this Bill. After noble Lords have read it a few times, it comes close to being comprehensible.
I will touch on one or two of the imperfections of the Bill that have been drawn to noble Lords’ attention by bodies such as ISACA, techUK, Citibank, Imperial College and others, and I am grateful to them for doing that. I declare my interest as chairman of the Information Assurance Advisory Council and my other interests as in the register. While the Bill has its flaws, I am sure that in Committee and on Report we shall be able to see whether improvements might be made.
The Commission says that the aim of the new rules is to,
“give citizens back control over their personal data, and to simplify the regulatory environment for business”.
The Commission has estimated that this would lead to savings of around €2.3 billion a year for businesses. But while the rules might make things simpler for businesses in that respect, it is possible that they will also make it easier for citizens to demand to know what information is held on them in paper form as well as in digital form. In fact, that is one of the main purposes of the Bill. So we might find that businesses have more rather than less to do. I wonder whether that has been costed. It is a good thing that citizens should find out what information people hold on them, but we should not pretend that the exercise will be free of cost to businesses. The Federation of Small Businesses estimates an additional cost of £75,000 per year for small businesses, and obviously much more for larger ones.
The Bill contains a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes. The aim of this, which is laudable, is to,
“ensure that there is a single domestic and trans-national regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector”,
but what is the law enforcement sector? To what extent do banks, for example, fall into the law enforcement sector? They have obligations under the anti-money laundering rules to pull suspicions together and to share those across borders—not just across European borders but globally. How are those obligations tied in with the GDPR obligations in the Bill? Businesses, especially banks, will need to understand the interplay between the GDPR regulations, the anti-money laundering regulations and all of the others. The Government would not, I know, want to create the smallest risk that by obeying one set of laws you disobey another.
That sort of legal understanding and pulling things together will take time. It will take money and training for all organisations. There is a real concern that too many organisations are simply hoping for the best and thinking that they will muddle through if they behave sensibly. But that is not behaving sensibly. They need to start now if they have not started already. The Federation of Small Businesses says that:
“For almost all smaller firms, the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do”.
Yet it goes on to say that,
“full guidance for businesses will not be available until next year, potentially as late as spring. The regulator cannot issue their guidance until the European Data Protection Board issue theirs”,
so there is a lot of work to be done.
I shall touch on three other issues at this stage of the Bill. The first is Clause 15, which would allow the alteration of the application of the GDPR by regulations subject to affirmative resolution and that could include the amendment or repeal of any of the derogations contained in the Bill. I share the concern expressed by the noble Baroness, Lady Ludford, on that and we will need to look at it.
Secondly, there are various issues around consent. The only one that I will mention is that the Bill provides that the age of consent for children using information society services should be 13. The right reverend Prelate the Bishop of Chelmsford mentioned the YouGov survey about that. I actually believe that the Government have this right. It recognises the reality of today’s social media and the opportunities that the digital world brings, and the Bill also protects young people to some extent by the right to have information deleted at the age of 18. TechUK agrees and so does the Information Commissioner. But if the public do not—and from the sounds of the YouGov survey they do not—there is a lot of work to be done in explaining to people why the age of 13 is the right one.
There is a technical issue that I simply do not understand. The GDPR rules state that the minimum age a Government can set for such consent is 13, and in this Bill, as we know, the Government have gone for the minimum, except in Scotland. Scotland is dealt with in Clause 187 of the Bill and there it seems that the minimum age is 12, unless I have this completely wrong. How do the Government square that with the GDPR minimum of 13?
My final point echoes one raised by the noble Lord, Lord McNally, relating to the issue of the re-identification of personal data which has been de-identified, as set out in Clause 162. The clause makes it a crime to work out to whom the data is referring. The very fact that this clause exists tells us something: namely, that whatever you do online creates some sort of risk. If you think that your data has been anonymised, according to the computational privacy group at Imperial College, you will be wrong. It says:
“We have currently no reason to believe that an efficient enough, yet general, anonymization method will ever exist for high-dimensional data, as all the evidence so far points to the contrary”.
If that is right, and I believe it is, then de-identification does not really exist. And if that is right, what is it in terms of re-identification that we are criminalising under this clause? In a sense, it is an oxymoron which I think needs very careful consideration. The group at Imperial College goes on to suggest that making re-identification a criminal offence would make things worse because those working to anonymise data will feel that they do not have to do a particularly good job. After all, re-identifying it would be a criminal offence, so no one will do it. Unfortunately, in my experience that is not entirely the way the world works.
We can come back to all of these issues in Committee and consider them further, and I look forward to the opportunity of doing so. This is not just a worthwhile Bill; it is an essential and timely one, and I wish it well.