(5 years, 7 months ago)
Lords ChamberMy Lords, with regard to disinformation connected with democracy and those essential questions, the White Paper deals with disinformation generally. With regard to electoral reform and how elections can be affected by the use of the internet, as I said, the Cabinet Office is bringing out a report soon to deal with that. It is right that constitutional affairs are dealt with there.
On disinformation, we have listed in the White Paper some of the areas we expect the regulator to include, such as:
“Promoting diverse news content … Improving the transparency of political advertising”—
noble Lords can read it themselves; there are other things. That is how we are trying to do it across government. As I said, there are other areas that we deliberately do not cover in the White Paper, but that should not be taken to mean that work is not going on. However, I accept the noble Lord’s suggestion that it is important and needs to be done soon. I take that on board.
As far as time is concerned, we are having a consultation, as the noble Lord said, which will end on 1 July. Obviously, it is not possible for me to say today when legislation will come before the House. That is a decision for the Government and the Leaders of both Houses. Judging by the discussions we have had today, and the feeling I get from across the House, all noble Lords think that this is an important issue. The Government think that this is an important issue. We are aware that we have taken time over the consultation. As far as the Home Office and DCMS are concerned, we want to get on with it.
We have just announced a review of advertising that will report in due course.
My Lords, I too welcome the White Paper. I thank the Minister and the Secretary of State for being open to discussions during the process, and for indicating that there will be more discussions. I feel that more discussions are required because it is a little lacking in detail, and I share others’ concerns about the definition of harms. I was particularly upset to not see a little more work done on the everyday harms: the gaming, the gambling and the addictive loops that drive such unhealthy behaviours online. There are a lot of questions in the paper and I look forward to us all getting together to answer them—I hope quickly and soon. I really welcome the Minister’s words about the anxiety of the Government and both Houses to bring a Bill forward, because that is the litmus test of this White Paper: how quickly we get something on the books.
I feel encouraged by the noble Lord, Lord Griffiths, to mention that on Monday next week we have the launch of the final stage of the age-appropriate design code, which takes a safety-by-design approach. That is what I most welcome in the White Paper, in the Government’s attitude and in the work that we have in front of us: what we want to do is drive good behaviour. We want to drive corporate responsibility. We want to drive shareholders to take responsibility for those massive profits and to make sure that we do not allow the tech sector its exceptionality. It is a business like any other and it must do no harm. In relation to that I mention Will Perrin and Lorna Woods, who brought it forth and did so much work.
Finally, I am really grateful for what the Minister said about the international community. It is worth saying that these problems are in all parts of the world —we are not alone—and they wait and look at what we are doing. I congratulate the Government on acting first.
Obviously, there are details that need to be ironed out, and that is partly what the consultation is about. I expect there to be a lot of detail, which we will go over when a Bill finally comes to this House. In the past we have dealt with things like the Data Protection Act and have shown that we can do that well. The list in the White Paper of legal harms and everyday harms, as the noble Baroness calls them, is indicative. I completely agree with her that the White Paper is attempting to drive good behaviour. The difference it will make is that companies cannot now say, “It’s not my problem”. If we incorporate this safety by design, they will have to do that, because they will have a duty of care right from the word go. They cannot say, “It’s not my responsibility”, because we have given them the responsibility, and if they do not exercise it there will be serious consequences.
(6 years, 6 months ago)
Lords ChamberMy Lords, the main amendments in this group relate to the representation of data subjects by not-for-profit bodies. Last time we discussed this matter, the question before us was whether those bodies should have to seek the mandate—that is, the consent—of data subjects before pursuing claims on their behalf.
As I said then,
“the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of”—
Clause 183—
“as it is currently drafted. The Government are fully prepared to look again at the issue”,
of representation without prior mandate in the context of that review.
“We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions”.—[Official Report, 10/1/18; col. 287.]
Commons Amendments 122 and 123 duly deliver on that promise, while Commons Amendment 121 allows the Secretary of State to make regulations to ensure that, where a not-for-profit seeks to represent a large number of data subjects in court proceedings, it can file one claim and not hundreds.
I am grateful to the noble Baroness, Lady Kidron, for her continued engagement on this subject. She and I are in total agreement that children merit specific protection in relation to their personal data, and that the review should look accordingly at the specific barriers young people face in exercising their rights. Therefore, Commons Amendment 122 makes provision for that in subsections (4), (5) and (6) of the proposed new clause. Of course, as some noble Lords have mentioned previously, such provision is not to the exclusion of other vulnerable groups in our society, and the Government fully expect that review to consider their position, too.
Commons Amendment 126 would allow Her Majesty’s Revenue & Customs to share contact detail information with the Ministry of Defence to ensure that the Ministry of Defence is better able to locate and contact members of the ex-regular reserve. The amendment does not alter the liability for ex-regular reserves, nor does it affect the rules regarding the call-out or recall of ex-regular reserves; it is simply about being better able to contact them. The security of the United Kingdom is the primary responsibility of government. Commons Amendment 126 offers us the opportunity to strengthen that security.
Finally, Commons Amendment 282 would insert a schedule making transitional, transitory and saving provision in connection with the coming into force of the Bill, including provision about subject access requests, the Information Commissioner’s enforcement powers and national security certificates. This comprehensive new schedule, running to some 19 pages, is designed to ensure a seamless shift between the 1998 Act and the new data protection law we are scrutinising today. I beg to move.
I thank the Government for listening, the Bill team, the Secretary of State and the Minister, Margot James. The point is that rights are only as good as one’s ability to enact them, so I really welcome the review and I thank all concerned for the very great care and detail with which they have laid it out in the Bill.
(6 years, 10 months ago)
Lords ChamberMy Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, I am very grateful to noble Lords for their comments. Although I have to say at the outset that we have some reservations about these amendments, I think we might be able to find a way forward this evening. I have listened to the noble Lords, Lord Stevenson and Lord Clement-Jones, and taken their remarks on board, but I have especially listened to the noble Baroness, Lady Kidron, who spoke about children. We have some experience of her input in this Bill. I obviously take a lot of notice of what the noble Lords, Lord Stevenson and Lord Clement-Jones, say but, as you know, familiarity and all that, so I have certainly listened especially to the noble Baroness, Lady Kidron.
The Government are sympathetic to the idea of facilitating greater private enforcement, but we continue to believe that the Bill as drafted provides significant and sufficient recourse for data subjects. In our view, there is no need to invoke article 80(2) of the GDPR, with all the risks and potential pitfalls that that entails. To recap, the GDPR provides for, and the Bill allows, data subjects to mandate a suitable non-profit organisation to represent their interests following a purported infringement. The power will, in other words, be in their hands. They will have control over which organisation is best placed to represent their interests, what action to take and what remedy to seek. The GDPR also places robust obligations on the data controller to notify the data subject if there has been a breach which is likely to result in a high risk to the data subject’s rights and freedoms. This is almost unprecedented and quite different from, say, consumer law where compulsory notification of customers is rarely proportionate or achievable.
These are very significant developments from the 1998 Act and augment a rapidly growing list of enforcement options available to data subjects. That list already includes existing provisions for collective redress, such as group litigation orders, which were used so effectively in the recent Morrisons data breach case, and the ability for individuals and organisations to independently complain to the Information Commissioner where they have concerns about how personal data is being processed.
What these initiatives have in common is that they, like the GDPR as a whole, seek to empower data subjects and ensure they receive the information they need to enforce their own data rights. By comparison, Amendments 175 and 175A would go much further. I stress that, as I have already said, we are not against greater private enforcement, and I have borne in mind the points the noble Baroness made about children. We also have reservations about the drafting and purpose of these amendments, all of which I could of course go through at length, if the House wishes, but in view of what I am about to say, I hope that will not be necessary.
Since Committee, the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of Clause 173 as it is currently drafted. The Government are fully prepared to look again at the issue of article 80(2) in the context of that review. We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions.
In view of that, I would be very grateful if the noble Lord will withdraw his amendment this evening and other noble Lords do not press theirs.
Before the Minister sits down, can I get absolute reassurance from him that this is not pushing it into the future, where it will languish? Will the Government be looking to this review to actually solve the problem that we have put forward on behalf of children?
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.
(7 years ago)
Lords ChamberI do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.
I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.
There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.
We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.
It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.
First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.
Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.
Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.
Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.
Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.
I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.
Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.
In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.
There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.