Computer Systems: Independent Testing
Lord Arbuthnot of Edrom Excerpts(4 months, 3 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Sharpe of Epsom (Con)
My Lords, I am not quite sure where the bells and whistles come from. As I said, we are just considering all the potential implications. However, part of the Criminal Justice Bill introduces a new power for law enforcement and other investigative agencies to suspend IP addresses and domain names where they are being used to facilitate serious crime. So the answer is partially yes, but the other situation that the noble Lord described is very complicated.
Lord Arbuthnot of Edrom (Con)
My Lords, the prosecutorial guidance referred to just now by my noble friend leaves computer professionals in a position of uncertainty. Do they not need certainty as to the shape of the law?
Lord Sharpe of Epsom (Con)
Well, yes, and as I said, the working group that was set up to look into this, which included the cybersecurity industry, law enforcement, prosecutors and others, could not reach consensus on this subject. Certain cybersecurity professionals are in favour of defences but other industry experts are not—so we have to continue to consider these responses.
Cybersecurity
Lord Arbuthnot of Edrom Excerpts(1 year ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Sharpe of Epsom (Con)
My Lords, I agree that there is an enormous necessity to get this right, but that is part of the problem of why things are perhaps not happening as fast as the noble Lord would like—progress is far from glacial. These issues are incredibly complicated because, as the noble Lord noted, the proposals would potentially allow a defence for the unauthorised access by a person to another’s property, and in this case their computer systems and data, without their knowledge and consent. We therefore need to define what constitutes legitimate cybersecurity activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum. We also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. In short, these are complex matters, and it is entirely right to try to seek a consensus among the agencies I mentioned earlier.
Lord Arbuthnot of Edrom (Con)
My Lords, I declare my interests as set out on the register. Does my noble friend accept that it is very difficult for Governments to keep up with the speed of change of technology in their legislation? The Computer Misuse Act is now 33 years old. If progress is not glacial, please could we have an injection of urgency into the changes to it that we need?
National Security
Lord Arbuthnot of Edrom Excerpts(1 year, 8 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Sharpe of Epsom (Con)
My Lords, I cannot answer that specifically. I have seen that report and have read a variety of newspaper reports with mounting alarm, as I am sure the noble Lord has. I think the task force will address a good deal of the noble Lord’s concerns, and I look forward to hearing what it has to say.
Lord Arbuthnot of Edrom (Con)
My Lords, I echo the question asked by the noble Lord, Lord Browne, but in relation to the report of this House’s risk committee, in which we found that there were real, critical vulnerabilities in our critical national infrastructure. The urgency of the Government producing the resilience report cannot be overstated. It is surely time for the Government to recognise that the front lines of battles that we face now are no longer in other countries but in our computers, our water systems and our electricity systems. They need to be taken really seriously.
Lord Sharpe of Epsom (Con)
I thank my noble friend for that question. I am afraid I will again answer at some length, because the subject of cyber resilience is at the heart of what he, and indeed the noble Lord, Lord Browne, asked me. The current state of UK resilience to cyberattack is an interesting subject, and we are making significant progress in bolstering the UK’s resilience. We stop hundreds of thousands of attacks up stream while bolstering preparedness and helping UK institutions and organisations better understand the nature of cyber threats, risks and vulnerabilities down stream.
Despite this, there remain serious gaps in the nation’s defences, as both noble Lords have pointed out, and the collective resilience-building effort must continue apace. Poor organisational practices, processes and systems, and a lack of awareness of risks and mitigations, all contribute to attacks getting through. Taking some practical and cost-effective steps, such as improving the use of account authentication, could have prevented a lot of damage. I could go on, but at this point I reiterate my praise for the work of the security services. I have seen some of their work in this area, and it is incredible.
Data Protection Bill [HL]
Lord Arbuthnot of Edrom ExcerptsWednesday 15th November 2017
(6 years, 7 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Lord Stevenson of Balmacara
I thank your Lordships.
Amendment 108B would prevent regulations under this section being used to amend, repeal or revoke the GDPR after Brexit. This may seem a rather tough charge to lay at the Government’s door. However, concerns about adequacy after Brexit will be so important that it may be in the Government’s best interest to ensure that the Bill contains no hint that the GDPR after Brexit, which will be the responsibility of this Parliament and this Parliament alone, could be amended simply by secondary legislation. If the Government follow this argument they will see that it has a symmetry behind it that encourages the approach taken here, in that when we are a third party and need to rely on an adequacy agreement the GDPR will be seen to be especially ring-fenced.
I will also speak to the other amendments in this group, two of which come from recommendations on delegated legislation made by your Lordships’ House. Amendment 110B is about replacing the current requirement for a negative procedure with a requirement for an affirmative one. In order to explain that, it is probably best if I quote from the report itself. The DPRRC took the view that the framework for the transfer of personal data to third countries should be provided on a test greater than just simply the negative procedure. This is a major issue. One possible example is if the Government were to use the argument that it was in the public interest to transfer bulk personal data held by a UK government department to the agencies of a foreign power—a remote possibility, I know. That would be of interest to the House and probably would need to be debated. The recommendation is that a change should be made from a negative to an affirmative procedure, and that is what this amendment seeks to do.
In a similar vein, the proposal to delete Clause 21 comes from the DPRRC report. The report says that the committee was,
“puzzled by the inclusion of … a suite of delegated powers … to provide by regulations for various exemptions and derogations from the obligations and rights contained in the GDPR which, as noted above, may … be exercised in respect of ‘the applied GDPR’. The memorandum fails to explain why those powers are considered inadequate, or why the Government might need to have recourse to the distinct powers in section 2(2) of the 1972 Act—which allows Ministers to make regulations”,
around EU obligations. The point is that there will be a period after Royal Assent to the Bill and when the country leaves—if it does—the EU in which it is possible that the Government will wish to make regulations. The committee assumes that this clause has been included just in case the Government decide that these powers are required. But the committee goes on to say:
“We consider it unsatisfactory that the Government should seek to take this widely drafted power without explaining properly what it might be used for”.
I therefore call on the Government to do so if it is appropriate at this time.
The final two amendments in the group, Amendments 180A and 180B, play to the same issue: that the powers, however they are finally settled, will still be wide ranging and grant the Government of the day a considerable amount of power to introduce rules by secondary legislation. In a sense, that is inevitable given the way that things are going, and we are not attacking the main principle. The question is around what safeguards would be appropriate. On these powers we think it would be appropriate for the Government to consult not only the commissioner, for which there is a provision, but the data subjects affected by the regulations. This is not a power that is currently there and we recommend that the Government consider it. I beg to move.
Lord Arbuthnot of Edrom (Con)
My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,
“amend, repeal or revoke the GDPR”.
I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.
I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.
I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.
Lord Paddick (LD)
My Lords, I will briefly comment on Amendment 108B. Taking up the position of the noble Lord, Lord Arbuthnot of Edrom, is it not the case that if we leave the European Union, the GDPR will then become, by means of the repeal Bill, part of UK law and therefore could be changed, which is why the amendment makes sense?
However, while I agree with the argument of the noble Lord, Lord Stevenson of Balmacara, that if parts of the GDPR were amended, repealed or revoked after we have left the EU, this may affect the adequacy decision of the European Union. Presumably, if the European Union makes changes to the GDPR it would be advantageous for the Government to be able to respond quickly by means of secondary legislation to those changes to ensure that we can continue to have adequacy—that is, when the change is on the EU side rather than on the UK side. Perhaps the Minister will clarify that.
Criminal Law
Lord Arbuthnot of Edrom Excerpts(9 years, 7 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Mrs May
I will make a little progress before I take more interventions.
The assistance of Eurojust has proved instrumental in the prosecution of animal rights extremists in the UK. Through its facilitation of meetings between the relevant European jurisdictions, evidence was obtained of the existence of an international conspiracy to blackmail the suppliers and customers of Huntingdon Life Sciences which was used in the UK trial.
Mr James Arbuthnot (North East Hampshire) (Con)
I ought to declare an interest because my wife is a judge who deals with European arrest warrants on a regular basis. The suggestion that there is no judicial oversight of European arrest warrants in this country is nonsense. Please will my right hon. Friend stick to her guns, because I do not want this country to become a haven for foreign criminals?
Mrs May
I am grateful to my right hon. Friend for his comments. I assure him that I will refer to a number of measures that will ensure that there is judicial oversight of the European arrest warrant and proper consideration of such cases in the United Kingdom. He is absolutely right about another thing. The Government have negotiated this package and are bringing it to the House because we believe that these measures are necessary to ensure that we can continue the job of keeping people safe and bringing criminals to justice.
I will outline some of the other vital measures in the package of 35 measures. However, I said earlier that I would say a little about the timing of today’s debate, which I think is relevant to the consideration that Members have given to the motion. Now that the final reservation has been lifted on our deal, which, as I said, happened on Friday, we must allow for discussion at a Council in Brussels before the month is out. Very few appropriate options remain. We must add items to the agenda of a Council 16 days in advance to guarantee their inclusion. That means that we do not have long to complete our domestic processes. To avoid an operational gap for our police and law enforcement agencies, we must complete the entire process before 1 December. That involves formally notifying Brussels about the measures that we wish to remain part of.