(2 months, 1 week ago)
Lords ChamberI thank the noble Lord for his question. He is right that the SME sector is underrepresented, and there is a specific effort to increase its ability to engage and to raise awareness within it. We hope that will be a major part of the European networking programme as well.
My Lords, can the noble Lord give us an estimate of the damage done to our research and development programmes through our absence from the Horizon scheme over the past few years?
There is absolutely no doubt that quite significant damage was done. That the participation rate dropped so dramatically, from 16% of all grants coming to the UK in 2015 to 6.5% in 2022, shows the scale of the damage. At the moment, it is not possible to work that out in terms of patents or publications, partly because those indicators are so lagging, but we will look at that and I fully expect to see some change.
(7 months, 3 weeks ago)
Grand CommitteeI take the Minister’s point and I will settle for the appellation “investigatory powers nerd”; I am quite happy with that. Does the Minister agree with me, however, that the legal difficulty —we see this with the other bulk powers already in our law—is that Article 8 of the European convention locks in not when a human eye gets stuck into the detail, but as soon as a machine harvests the data in bulk? Most of that data relates to people in respect of whom there could be no possible suspicion. Satisfying the requirements of necessity and proportionality must be done even at that stage. I understand that that is awkward and I am sure a lot of people would prefer that it was otherwise, but that is, as I understand it, the law. That renders the distinction that the Minister seeks to draw between data gathering and surveillance perhaps slightly difficult to maintain.
If I may just answer that question from the noble Lord, Lord Anderson; I think it is important to take one question at a time.
I have every sympathy with what the noble Lord has said. As I mentioned on Monday, points could easily raised about that—I think it may have been the noble Baroness, Lady Kidron, who raised points about computers and their robustness. This is the very point that we agree with. It is incredibly important and we have started already to draw up a proper code of practice to work with the banks on how this will actually work. We need continued time to work these issues through. I also made the point on Monday that, at the end of the day, a human being will be there—must be there—to determine where we go from there.
Indeed, I was going to come on to that later in my remarks, particularly to address the points raised by the noble Baroness, Lady Sherlock. We need the necessary time to continue to develop this code of practice, and that is particularly important in respect of this measure. The answer is no, I cannot guarantee to have the code of practice ready by Report. Indeed, I am saying that it will be ready sometime in the summer. It is important to make that point but also a further one, which is that there are many instances, as the noble Lord will know, when a code of practice is finalised and brought forward after the primary legislation is brought through, and this is one of those cases. That is not abnormal but normal. The noble Lord may not like it but there is considerable precedent for that to happen.
I have a question. I am slightly puzzled about the difference between data collection and surveillance. Surely the collection and gathering of data would be to enable officials to survey someone’s bank account. If that is not the case, what is the purpose of collecting the data if not to interrogate the behaviour of an individual to understand how their money is being brought in and spent, so that the department can exercise some judgment over whether the individual is revealing the truth about their income and outgoings?
Indeed, I think we are going back to the debates that we had on Monday. However, this chimes with a question from the noble Lord, Lord Clement-Jones, so it might be helpful briefly to rehearse what we are doing here and to be clear about the limitations and the checks and balances on the power that we are bringing forward.
As per paragraph 1(2) of Schedule 11 to the draft legislation, the DWP can use this power only for the purposes of checking whether someone is eligible for the benefit that they are receiving. In practice, this means that the DWP will request information only on specific criteria, which I laid out on Monday, linked to benefit eligibility rules, which, if met may—I emphasise “may”—indicate fraud or error. If accounts do not match these criteria, no data will be shared with the DWP. The effect of paragraphs 1 and 2 of the draft legislation is that the DWP can ask for data only where there is this three-way relationship between the DWP, the third party and the recipient of the payment. In addition, the DWP can ask for data only from third parties designated in secondary legislation, subject to the affirmative procedure. There are debates to come as further reassurance to your Lordships.
As per paragraph 4(2) of Schedule 11 to the draft legislation, the power does not allow the DWP to share personal information with third parties, which means that the power can be used only with third parties who are able to identify benefit recipients independently. Just to add further to this, we are obliged, under Article 5(1)(c) of the UK GDPR, to ask only for the minimum of information to serve our purposes. In accordance with the DWP’s existing commitments on the use of automation, no automatic benefit decisions will be taken based on any information supplied by third parties to the DWP. As I said earlier and on Monday, a human will always be involved in decision-making. I hope that helps.
My Lords, I thank the Minister for his exposition. He explained the purposes of Clauses 138 to 141 and extolled their virtues, and helpfully explained what my amendments are trying to do—not that he has shot any foxes in the process.
The purpose of my amendments is much more fundamental, and that is to question the methodology of the Government in all of this. The purpose of NUAR is to prevent accidental strikes where building works damage underground infrastructure. However, the Government seem to have ignored the fact that an equivalent service—LinesearchbeforeUdig, or LSBUD—already achieves these aims, is much more widely used than NUAR and is much more cost effective. The existing system has been in place for more than 20 years and now includes data from more than 150 asset owners. It is used by 270,000 UK digging contractors and individuals—and more every day. The fact is that, without further consultation and greater alignment with current industry best practice, NUAR risks becoming a white elephant, undermining the safe working practices that have kept critical national infrastructure in the UK safe for more than two decades.
However, the essence of these amendments is not to cancel NUAR but to get NUAR and the Government to work much more closely with the services that already exist and those who wish to help. They are designed to ensure that proper consultation and democratic scrutiny is conducted before NUAR is implemented in statutory form. Essentially, the industry says that NUAR could be made much better and much quicker if it worked more closely with the private sector services that already exist. Those who are already involved with LinesearchbeforeUdig say, first of all, that NUAR will create uncertainty and reduce safety, failing in its key aims.
The Government have been developing the NUAR since 2018. Claiming that it would drive a reduction in unexpected underground assets being damaged in roadworks, the impact assessment incorrectly states:
“No businesses currently provide a service that is the same or similar to the service that NUAR would provide”.
In fact, as I said, LSBUD has been providing a safe digging service in the UK for 20 years and has grown significantly over that time. Without a plan to work more closely with LSBUD as the key industry representative, NUAR risks creating more accidental strikes of key network infrastructure, increasing risks to workers safety through electrical fires, gas leaks, pollution and so on. The public at home or at work would also suffer more service outages and disruption.
Secondly, NUAR will add costs and stifle competition. The Government claim that NUAR will deliver significant benefits to taxpayers, reduce disruption and prevent damage to underground assets, but the impact assessment ignores the fact that NUAR’s core functions are already provided through the current system—so its expected benefits are vastly overstated. While asset owners, many of whom have not been consulted, will face costs of more than £200 million over the first 10 years, the wholesale publication of asset owners’ entire networks creates commercially sensitive risks, damaging innovation and competition. Combined with the uncertainties about how quickly NUAR can gain a critical mass of users and data, this again calls into question why NUAR does not properly align with and build on the current system but instead smothers competition and harms a successful, growing UK business.
Thirdly, NUAR risks undermining control over sensitive CNI data. Underground assets are integral to critical national infrastructure; protecting them is vital to the UK’s economic and national security. LSBUD deliberately keeps data separate and ensures that data owners remain in full control over who can access their data via a secure exchange platform. NUAR, however, in aiming to provide a single view of all assets, removes providers’ control over their own data—an essential security fail-safe. It would also expand opportunities for malicious actors to target sectors in a variety of ways—for instance, the theft of copper wires from telecom networks.
NUAR shifts control over data access to a centralised government body, with no clear plan for how the data is to be protected from unauthorised access, leading to serious concerns about security and theft. Safe digging is paramount; mandating NUAR will lead to uncertainty, present more health and safety dangers to workers and the public and put critical national infrastructure at risk. These plans require further review. There needs to be, as I have said, greater alignment with industry best practice. Without further consultation, NUAR risks becoming a white elephant that undermines safe digging in the UK and increases risk to infrastructure workers and the public.
I will not go through the amendments individually as the Minister has mentioned what their effect would be, but I will dispel a few myths. The Government have claimed that NUAR has the overwhelming support of asset owners. In the view of those who briefed me, that is not an accurate reflection of the broadband and telecoms sector in particular; a number of concerns from ISPA members have been raised with the NUAR team around cost and security that have yet to be addressed. This is borne out by the fact that there are notable gaps in the major asset owners in the telecoms sector signed up to NUAR at this time.
Clearly, the noble Viscount is resisting changing the procedure by which these changes are made from negative to affirmative, but I hope I have gone some way to persuade the Committee of the importance of this change to how the NUAR system is put on a statutory footing. He talked about a “handful” of data; the comprehensive nature of the existing system is pretty impressive, and it is a free service, updated on a regular basis, which covers more than 150 asset owners and 98% of high-risk assets. NUAR currently covers only one-third of asset owners. The comparisons are already not to the advantage of NUAR.
I hope the Government will at least, even if they do not agree with these amendments, think twice before proceeding at the speed they seem to be and without the consent or taking on board the concerns of those who are already heavily engaged with Linesearch- beforeUdig who find it pretty satisfactory for their purposes.
My Lords, the Minister really did big up this section of the Bill. He said it would revolutionise this information service, that it would bring many benefits, has a green rating, would be the Formula 1 of data transfer in mapping and so on. We were led to expect quite a lot from this part of the legislation. It is an important part of the Bill, because it signifies some government progress towards the goal of creating a comprehensive national underground asset register, as he put it, or NUAR. We are happy to support this objective, but we have concerns about the progress being made and the time it is taking.
To digress a bit here, it took me back 50 years to when I was a labourer working by the side of a bypass. One of the guys I was working with was operating our post hole borer; it penetrated the Anglian Water system and sent a geyser some 20 metres up into the sky, completely destroying my midday retreat to the local pub between the arduous exercise of digging holes. Had he had one of the services on offer, I suspect that we would not have been so detained. It was quite an entertaining incident, but it clearly showed the dangers of not having good mapping.
As I understand it, and as was outlined by the noble Lord, Lord Clement-Jones, since 2018 the Government have been moving towards this notion of somewhere recording what lies below the surface in our communities. We have had street works legislation going back several decades, from at least 1991. In general, progress towards better co-ordination of utilities excavations has not been helped by poor and low levels of mapping and knowledge of what and which utilities are located underground. This is despite the various legislative attempts to make that happen, most of which have attempted to bring better co-ordination of services.
It did complete a pilot phase this year. As it operationalises, more and more will sign up. I do not know the actual number that have signed up today, but I will find out.
NUAR does not duplicate existing commercial services. It is a standardised, interactive digital map of buried infrastructure, which no existing service is able to provide. It will significantly enhance data sharing and access efficiency. Current services—
I am concerned. We get the principle behind NUAR, but is there an interface between NUAR and this other service—which, on the face of it, looks quite extensive—currently in place? Is there a dialogue between the two? That seems to be quite important, given that there is some doubt over NUAR’s current scope.
I am not sure that there is doubt over the current scope of NUAR; it is meant to address all buried infrastructure in the United Kingdom. LSBUD does make extensive representations, as indeed it has to parliamentarians of both Houses, and has spoken several times to the Geospatial Commission. I am very happy to commit to continuing to do so.
In addition to the situation that the noble Lord, Lord Bassam, described, I was braced for a really horrible situation, because these things very often lead to danger and death, and there is a very serious safety argument to providing this information reliably and rapidly, as NUAR will.
My Lords, it took them half a day to discover where the hole had gone and what the damage was. The water flooded several main roads and there were traffic delays and the rest. So these things are very serious. I was trying to make a serious point while being slightly frivolous about it.
No, indeed, it is a deeply serious point. I do not know the number off the top of my head but there are a number of deaths every year as a result of these things.
As I was saying, a thorough impact assessment was undertaken for the NUAR measures, which received a green rating from the Regulatory Policy Committee. Impacts on organisations that help facilitate the exchange of data related to assets in the street were included in the modelling. Although NUAR could impact existing utility—
My Lords, what a relief—we are at the final furlong.
The UK is a world leader in genomics, which is becoming an industry of strategic importance for future healthcare and prosperity, but, frankly, it must do more to protect the genomic sector from systemic competitors that wish to dominate this industry for either economic advantage or nefarious purposes. Genomic sequencing—the process of determining the entirety of an organism’s DNA—is playing an increasing role in our NHS, which has committed to being the first national healthcare system to offer whole-genome sequencing as part of routine care. However, like other advanced technologies, our sector is exposed to data privacy and national security risks. Its dual-use potential means that it can also be used to create targeted bioweapons or genetically enhanced military. We must ensure that a suitable data protection environment exists to maintain the UK’s world-leading status.
So, how are we currently mitigating against such threats and why is our existing approach so flawed? Although I welcome initiatives such as the Trusted Research campaign and the Research Collaboration Advice Team, these bodies focus specifically on research and academia. We expect foreign companies that hold sensitive genomics and DNA to follow GDPR. I am not a hawk about relations with other countries, but we need to provide the new Information Commissioner with much greater expertise and powers to tackle complex data security threats in sensitive industries. There must be no trade-off between scientific collaboration and data privacy; that is what this amendment is designed to prevent. I beg to move.
The Committee will be relieved to know that I will be brief. I do not have much to say because, in general terms, this seems an eminently sensible amendment.
We should congratulate the noble Lord, Lord Clement-Jones, on his drafting ingenuity. He has managed to compose an amendment that brings together the need for scrutiny of emerging national security and data privacy risks relating to advanced technology, aims to inform regulatory developments and guidance that might be required to mitigate risks, and would protect the privacy of people’s genomics data. It also picks up along the way the issue of the security services scrutinising malign entities and guiding researchers, businesses, consumers and public bodies. Bringing all those things together at the end of a long and rather messy Bill is quite a feat—congratulations to the noble Lord.
I am rather hoping that the Minister will tell the Committee either that the Government will accept this wisely crafted amendment or that everything it contains is already covered. If the latter is the case, can he point noble Lords to where those things are covered in the Bill? Can he also reassure the Committee that the safety and security issues raised by the noble Lord, Lord Clement-Jones, are covered? Having said all that, we support the general direction of travel that the amendment takes.
(8 months ago)
Grand CommitteeMy Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for tabling these amendments to Clauses 44 and 45, which would reform the framework for data protection complaints to the Information Commissioner.
The noble Lord, Lord Clement-Jones, has given notice of his intention to oppose Clause 44 standing part of the Bill. That would remove new provisions from the Bill that have been carefully designed to provide a more direct route to resolution for data subjects’ complaints. I should stress that these measures do not limit rights for data subjects to bring complaints forward, but instead provide a more direct route to resolution with the relevant data controller. The measures formalise current best practice, requiring the complainant to approach the relevant data controller, where appropriate, to attempt to resolve the issue prior to regulatory involvement.
The Bill creates a requirement for data controllers to facilitate the making of complaints and look into what may have gone wrong. This should, in most cases, result in a much quicker resolution of data protection-related complaints. The provisions will also have the impact of enabling the Information Commissioner to redeploy resources away from handling premature complaints where such complaints may be dealt with more effectively, in the first instance, by controllers and towards value-added regulatory activity, supporting businesses to use data lawfully and in innovative ways.
The noble Lord’s Amendment 153 seeks, in effect, to expand the scope of the Information Commissioner’s duty to investigate complaints under Section 165 of the Data Protection Act. However, that Section of the Act already provides robust redress routes, requiring the commissioner to take appropriate steps to respond to complaints and offer an outcome or conclude an investigation within a specified period.
The noble Lord raised the enforcement of the UK’s data protection framework. I can provide more context on the ICO’s approach, although noble Lords will be aware that it is enforced independently of government by the ICO; it would of course be inappropriate for me to comment on how the ICO exercises its enforcement powers. The ICO aims to be fair, proportionate and effective, focusing on areas with the highest risk and most harm, but this does not mean that it will enforce every case that crosses its books.
The Government have introduced a new requirement on the ICO—Clause 43—to publish an annual report on how it has exercised its enforcement powers, the number and nature of investigations, the enforcement powers used, how long investigations took and the outcome of the investigations that ended in that period. This will provide greater transparency and accountability in the ICO’s exercise of its enforcement powers. For these reasons, I am not able to accept these amendments.
I also thank the noble Baroness and the noble Lord for their Amendments 154 and 287 concerning Section 190 of the Data Protection Act. These amendments would require the Secretary of State to legislate to give effect to Article 80(2) of the UK GDPR to enable relevant non-profit organisations to make claims against data controllers for alleged data breaches on behalf of data subjects, without those data subjects having requested or agreeing to the claim being brought. Currently, such non-profit organisations can already pursue such actions on behalf of individuals who have granted them specific authorisation, as outlined in Article 80(1).
In 2021, following consultation, the Government concluded that there was insufficient evidence to justify implementing Article 80(2) to allow non-profit organisations to bring data protection claims without the authorisation of the people affected. The Government’s response to the consultation noted that the regulator can and does investigate complaints raised by civil society groups, even when they are not made on behalf of named individuals. The ICO’s investigations into the use of live facial recognition technology at King’s Cross station and in some supermarkets in southern England are examples of this.
I also thank the noble Baroness, Lady Kidron, for raising her concerns about the protection of children throughout the debate—indeed, throughout all the days in Committee. The existing regime already allows civil society groups to make complaints to the ICO about data-processing activities that affect children and vulnerable people. The ICO has a range of powers to investigate systemic data breaches under the current framework and is already capable of forcing data controllers to take decisive action to address non-compliance. We are strengthening its powers in this Bill. I note that only a few member states of the EU have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR.
I turn now to Amendments 154A, 154B—
Before the noble Lord gets there and we move too far from Amendment 154, where does the Government’s thinking leave us regarding a group of class actions? Trade unions take up causes on behalf of their membership at large. I guess, in the issue of the Post Office and Mr Bates, not every sub-postmaster or sub-postmistress would have signed up to that class action, even though they may have ended up being beneficiaries of its effects. So where does it leave people with regard to data protection and the way that the data protection scheme operates where there might be a class action?
Perhaps the Minister could in due course say what evidence would help to persuade the Government to adopt the article.
I want to help the Minister. Perhaps he could give us some more detail on the nature of that consultation and the number of responses and what people said in it. It strikes me as rather important.
Fair enough. Maybe for the time being, it will satisfy the Committee if I share a copy of that consultation and what evidence was considered, if that would work.
I will turn now to Amendments 154A to 155 and Amendment 175, which propose sweeping modifications to the jurisdiction of the court and tribunal for proceedings under the Data Protection Act 2018. These amendments would have the effect of making the First-tier Tribunal and Upper Tribunal responsible for all data protection cases, transferring both ongoing and future cases out of the court system and to the relevant tribunals.
The Government of course want to ensure that proceedings for enforcement of data protection rules, including redress routes available to data subjects, are appropriate for the nature of the complaint. As the Committee will be well aware, at present there is a mixture of jurisdiction for tribunals and courts under data protection legislation, depending on the precise nature of the proceedings in question. Tribunals are indeed the appropriate venue for some data protection proceedings, and the legislation already recognises that—for example, for application by data subjects for an order requiring the ICO to progress their complaint. However, courts are generally the more appropriate venue for cases involving claims for compensation and successful parties can usually recover their costs. Courts also apply stricter rules of procedure and evidence than tribunals. That is because some cases are appropriate to fall under the jurisdiction of the tribunal, while others are more appropriate for court jurisdiction. For example, claims by individuals against organisations for breaches of legal requirements can result in awards of compensatory damages for the individuals and financial and reputational damage for the organisations. It is appropriate that such cases are handled by a court in accordance with its strict procedural and evidential rules, where the data subject may recover their costs if successful.
As such, the Government are confident that the current system is balanced and proportionate and provides clear and effective administrative and judicial redress routes for data subjects seeking to exercise their rights.
I will go away and look at those; I look forward to learning more about them. There are obvious implications in what the noble Lord said as to the most effective ways of distributing cases between courts and other channels.
For these reasons, I hope that the noble Lord will withdraw his amendment.
I am intrigued by the balance between what goes to a tribunal and what goes to the courts. I took the spirit behind the stand-part notice in the name of the noble Lord, Lord Clement-Jones, as being about finding the right place for the right case and ensuring that the wheels of justice are much more accessible. I am not entirely persuaded by what the Minister has said. It would probably help the Committee if we had a better understanding of where the cases go, how they are distributed and on what basis.
I thank the noble Lord; that is an important point. The question is: how does the Sorting Hat operate to distribute cases between the various tribunals and the court system? We believe that the courts have an important role to play in this but it is about how, in the early stages of a complaint, the case is allocated to a tribunal or a court. I can see that more detail is needed there; I would be happy to write to noble Lords.
My Lords, I have looked at the government amendments in this group and have listened very carefully to what the Minister has said—that it is largely about interpretation. There are no amendments that I wish to comment on, save to say that they seem to be about consistency of language and bringing in part EU positions into UK law. They seem also to be about consistency of meaning, and for the most part the intention seems to be to ensure that nothing in EU retained law undoes the pre-existing legal framework.
However, I would appreciate the Minister giving us a bit more detail on the operation of Amendment 164. Amendment 297 seems to deal with a duplication issue, so perhaps he can confirm for the Committee that this is the case. We have had swathes of government amendments of a minor and technical nature, largely about chasing out gremlins from the drafting process. Can he confirm that this is the case and assure the Committee that we will not be left with any nasty surprises in the drafting that need correction at a later date?
The amendments tabled in the name of the noble Lord, Lord Clement-Jones, are of course of a different order altogether. The first two—Amendments 165 and 166—would restore the relationship between the UK GDPR and the 2018 Act and the relevant provisions of the Retained EU Law (Revocation and Reform) Act 2023. Amendment 168 would ensure that assimilated case law referring to the European Charter of Fundamental Rights would still be relevant in interpreting the UK GDPR. It would give greater certainty in how the UK’s data protection framework is interpreted. Amendment 169 would ensure that the interpretation is carried over from the UK GDPR and 2018 legislation in accordance with the general principle of the protection of personal data.
The noble Lord’s Amendments 170 to 174B would bring back into law protections that existed previously when UK law was more closely aligned with EU law and regulation. There is also an extension of the EU data protection of personal data to the assimilated standard that existed by virtue of Section 4 of the European Union (Withdrawal) Act 2018. I can well understand the noble Lord’s desire to take the UK back to a position where we are broadly in the same place in terms of protections as our former EU partners. First, having—broadly speaking—protections that are common across multiple jurisdictions makes it easier and simpler for companies operating in those markets. Secondly, from the perspective of data subjects, it is much easier to comprehend common standards of data protection and to seek redress when required. The Government, for their part, will no doubt argue that there is some sort of big Brexit benefit in this, although I think that advisers and experts are divided on the degree of that benefit, and indeed who benefits.
Later, we will get to discuss data adequacy standards. Concern exists in some quarters as to whether we have this right and what this legislative opportunity might be missing to ensure that the UK meets those international standards that the EU requires. That is a debate for later, but we are broadly sympathetic to the desire of the noble Lord, Lord Clement-Jones, to find the highest level of protection for UK citizens. That is the primary motivation for many of the amendments and debates that we have had today. We do not want to weaken what were previously carefully crafted and aligned protections. I do not entirely buy the argument that the Minister made earlier about this group of amendments causing legal uncertainty. I believe it is the reverse of that: the noble Lord, Lord Clement-Jones, is trying to provide greater certainty and a degree of jurisdictional uniformity.
I hope that I have understood what the noble Lord is trying to achieve here. For those reasons, we will listen to the Minister’s concluding comments—and read Hansard—very carefully.
I thank the noble Lords, Lord Clement-Jones and Lord Bassam, for their comments. As the noble Lord, Lord Clement-Jones, points out, it is a pretty complex and demanding area, but that in no way diminishes the importance of getting it right. I hope that in my remarks I can continue that work, but of course I am happy to discuss this: it is a very technical area and, as all speakers have pointed out, it is crucial for our purposes that it be executed correctly.
While the UK remains committed to strong protections for personal data through the UK GDPR and Data Protection Act, it is important that it is able to diverge from the EU legislation where this is appropriate for the UK. We have carefully assessed the effects of EU withdrawal legislation and the REUL Act and are making adjustments to ensure that the right effect is achieved. The government amendments are designed to ensure legal certainty and protect the coherence of the data protection framework following commencement of the REUL Act—for example, by maintaining the pre-REUL Act relationship in certain ways between key elements of the UK data protection legislation and other existing legislation.
The purpose of the REUL Act is to ensure that the UK has control over its laws. Resurrecting the principle of EU law supremacy in its entirety or continuing to apply case law principles is not consistent with the UK’s departure from the EU and taking back control over our own laws. These amendments make it clear that changes made to the application of the principle of EU law supremacy and new rules relating to the interpretation of direct assimilated legislation under the REUL Act do not have any impact on existing provisions that involve the processing of personal data.
The noble Lord, Lord Bassam, asked for more detail about Amendment 164. It relates to changes brought about by the REUL Act and sets out that the provisions detailed in Amendments 159, 162 and 163 are to be treated as having come into force on 1 January 2024—in other words, at the same time as commencement of the relevant provisions of the REUL Act. The retrospective effect of this provision addresses the gap between the commencement of the REUL Act 2023 and the Data Protection and Digital Information Bill.
On the immigration exemption case, I note that it was confined to the immigration exemption and did not rule on the other exemptions. The Government will continue to keep the exemptions under review and, should it be required, the Government have the power to amend the other exemptions using an existing power in the DPA 2018. Before doing so, of course the Government would want to ensure that due consideration is given to how the particular exemptions are used. Meanwhile, I thank noble Lords for what has been a fascinating, if demanding, debate.
This is a slightly disparate group of amendments. I have added my name in support of Amendment 296, tabled by the noble Baroness, Lady Jones of Whitchurch, which once again probes the question of whether this Bill risks causing the loss of the data adequacy ruling from the EU. This was an issue raised by many, if not most, noble Lords during Second Reading, and it is an area in which the Government’s position feels a little complacent.
The data adequacy ruling from the EU is extremely important, as the impact assessment that accompanies the Bill makes clear. It says:
“Cross-border data transfers are a key facilitator of international trade, particularly for digitised services. Transfers underpin business transactions and financial flows. They also help streamline supply chain management and allow business to scale and trade globally”.
The impact assessment then goes on to estimate the costs of losing data adequacy, and indicates a net present value cost range of between £1.6 billion and £3.4 billion over the next 10 years. As an aside, I note that that is a pretty wide range, which perhaps indicates the extent to which the costs are really understood.
The impact assessment notes that these numbers are the impact on direct trade only and that the impact may be larger still when considering supply chain impacts, but it does not make any attempt to calculate that effect. There are big potential costs, however we look at it. It therefore seems extraordinary that the impact assessment, despite running to 240 pages, makes no attempt at all to quantify the probability that the EU might decide—and it is a unilateral EU decision—to withdraw the data adequacy ruling, which it can do at any time, even before the current ruling comes to an end in July 2025. I find it extraordinary that no attempt has been made to estimate the probability of that happening. You would think that, if the Government were as confident as they say they are, they should have some evidence as to the probability of it happening.
Noble Lords should be aware that this means that the potential cost of the loss of data adequacy is not included in the NPV analysis for the Bill. If that loss did occur, the net present value of the Bill would be largely wiped out, and if the lower end of the IA range is taken, the Bill’s overall financial impact becomes a net present cost to the tune of £2.1 billion. The retention of the EU data adequacy ruling is therefore key to retaining any real benefit from this Bill at all.
On Monday, the Minister said:
“We believe they are compatible with maintaining our data adequacy decisions from the EU. We have maintained a positive, ongoing dialogue with the EU to make sure that our reforms are understood. We will continue to engage with the European Commission at official and ministerial levels with a view to ensuring that our respective arrangements for the free flow of personal data can remain in place, which is in the best interests of both the UK and the EU”.—[Official Report, 15/4/24; col. GC 261.]
By “they”, he means the measures in the Bill. So far, so good. But your Lordships will remember that, at the time of Brexit, there was actually considerable doubt as to whether we would be granted a data adequacy ruling at that time, when our rules were almost entirely convergent. This Bill increases divergence, so the approach at the moment seems complacent at best.
I do not think it is any surprise at all that our European Affairs Committee recently launched an inquiry into this very subject. While the Minister has said how confident he is, noises being made in the EU are less encouraging. For example, the chair of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee wrote in February to the European Commissioner for Justice outlining his concerns about this Bill and questioning whether it will meet the requirements of “essential equivalence”, which is the test that we have to meet. He highlighted, in particular, the lack of independence of the Information Commissioner’s Office, and the elimination of the Biometrics and Surveillance Camera Commissioner, something we will come on to a little later.
It does not seem to be a given that data adequacy will be retained, despite the frankly rather woolly assurances from the Minister about his confidence. Given the enormous importance of the data adequacy ruling, and the fact that the impact assessment makes no attempt at all to assess the probability of retaining or losing it—something one would think to be really fundamental when deciding the extent of divergence we wish to follow—it must make sense to introduce the assessment proposed in Amendment 296. In the absence of something much stronger than the assurances the Minister has given so far, I urge the noble Baroness, Lady Jones, to return to this matter on Report: it is really fundamental.
My Lords, this group has three amendments within it and, as the noble Lord, Lord Vaux, said, it is a disparate group. The first two seem wholly benign and entirely laudable, in that they seek to ensure that concerns about the environmental impacts related to data connected to business are shared and provided. The noble Baroness, Lady Bennett, said hers was a small and modest amendment: I agree entirely with that, but it is valuable nevertheless.
If I had to choose which amendment I prefer, it would be the second, in the name of my noble friend Lady Young, simply because it is more comprehensive and seems to be of practical value in pursuing policy objectives related to climate change mitigation. I cannot see why the disclosure of an impact analysis of current and future announcements, including legislation, changes in targets and large contracts, on UK climate change mitigation targets would be a problem. I thought my noble friend was very persuasive and her arguments about impact assessment were sound. The example of offshore petroleum legislation effectively not having an environmental impact assessment when its impacts are pretty clear was a very good one indeed. I am one of those who believes that environmental good practice should be written all the way through, a bit like a stick of Brighton rock, and I think that about legislation. It is important that we take on board that climate change is the most pressing issue that we face for the future.
The third amendment, in the name of my noble friend Lady Jones, is of a rather different nature, but is no less important, as it relates to the UK’s data adequacy and the EU’s decisions on it. We are grateful to the noble Lords, Lord Vaux of Harrowden and Lord Clement-Jones, for their support. Put simply, it would oblige the Secretary of State to complete an assessment, within six months of the Bill’s passing,
“of the likely impact of the Act on the EU’s data adequacy decisions relating to the UK”.
It would oblige the Secretary of State to lay a report on the assessment’s findings, and the report must cover data risk assessments and the impact on SMEs. It must also include an estimate of the legislation’s financial impact. The noble Lord, Lord Vaux, usefully underlined the importance of this, with its critical 2025 date. The amendment also probes
“whether the Government anticipate the provisions of the Bill conflicting with the requirements that need to be made by the UK to maintain a data adequacy decision by the EU”.
There is widespread and considerable concern about data adequacy and whether the UK legislative framework diverges too far from the standards that apply under the EU GDPR. The risk that the UK runs in attempting to reduce compliance costs for the free flow of personal data is that safeguards are removed to the point where businesses and trade become excessively concerned. In summary, many sectors including manufacturing, retail, health, information technology and particularly financial services are concerned that the free flow of data between us and the EU, with minimal disruption, will simply not be able to continue.
As the noble Lord, Lord Vaux, underlined, it is important that we in the UK have a relationship of trust with the European Commission on this, although ultimately data adequacy could be tested in the Court of Justice of the European Union. Data subjects in the EU can rely on the general principle of the protection of personal data to invalidate EU secondary and domestic law conflicting with that principle. Data subjects can also rely on the Charter of Fundamental Rights to bring challenges. Both these routes were closed off when the UK left the EU and the provisions were not saved in UK law, so it can be argued that data protection rights are already at a lower standard than across the European Union.
It is worth acknowledging that adequacy does not necessarily require equivalence. We can have different, and potentially lower, standards than the EU but, as long as those protections are deemed to meet whatever criteria the Commission chooses to apply, it is all to the good.
However, while divergence is possible, the concern that we and others have is that the Bill continues chipping away at standards in too many different ways. This chipping away is also taking place in statutory instruments, changes to guidance and so on. If His Majesty’s Government are satisfied that the overall picture remains that UK regulation is adequate, that is welcome, but it would be useful to know what mechanism DSIT and the Government generally intend using to measure where the tipping point might be achieved and how close these reforms take us to it.
The Committee will need considerable reassurance on the question of data adequacy, not least because of its impact on businesses and financial services in the longer term. At various times, the Minister has made the argument that a Brexit benefit is contained within this legislation. If he is ultimately confident of that case, what would be the impact on UK businesses if that assessment is wrong in relation to data adequacy decisions taken within the EU?
We are going to need more than warm words and a recitation that “We think it’s right and that we’re in the right place on data adequacy”. We are going to need some convincing. Whatever the Minister says today, we will have to return to this issue on Report. It is that important for businesses in this country and for the protection of data subjects.
My Lords, these amendments have been spoken to so well that I do not need to spend a huge amount of time repeating those great arguments. Both Amendment 195A, put forward by the noble Baroness, Lady Bennett, and Amendment 218 have considerable merit. I do not think that they conflict; they are complementary, in many respects.
Awareness raising is important to this, especially in relation to Amendment 218. For instance, if regulators are going to have a growth duty, which looks like it is going to happen, why not have countervailing duties relating to climate change, as the noble Baroness, Lady Young, put forward so cogently as part of Amendment 218? Amendment 195A also has considerable merit in raising awareness in the private sector, in traders and so on. Both have considerable merit.
My Lords, I thank the noble Baronesses, Lady Bennett, Lady Young of Old Scone and Lady Jones, for their proposed amendments on extending the definition of business data in smart data schemes, the disclosure of climate and nature information to improve public service delivery and the publication of an EU adequacy risk assessment.
On Amendment 195A, we consider that information about the carbon and energy intensity of goods, services or digital content already falls within the scope of “business data” as information about goods, services and digital content supplied or provided by a trader. Development of smart data schemes will, where relevant, be informed by—among other things—the Government’s Environmental Principles Policy Statement, under the Environment Act 2021.
With regard to Amendment 218, I thank the noble Baroness, Lady Young of Old Scone, for her sympathies; they are gratefully received. I will do my best in what she correctly pointed out is quite a new area for me. The powers to share information under Part 5 of the Digital Economy Act 2017—the DEA—are supplemented by statutory codes of practice. These require impact assessments to be carried out, particularly for significant changes or proposals that could have wide-ranging effects on various sectors or stakeholders. These impact assessments are crucial for understanding the implications of the Digital Economy Act and ensuring that it achieves its intended objectives, while minimising any negative consequences for individuals, businesses and society as a whole. As these assessments already cover economic, social and environmental impact, significant changes in approach are already likely to be accounted for. This is in addition to the duty placed on Ministers by the Environment Act 2021 to have due regard to the Environmental Principles Policy Statement.
Lastly, turning to Amendment 296, the Government are committed to maintaining their data adequacy decisions from the EU, which we absolutely recognise play a pivotal role in enabling trade and fighting crime. As noble Lords alluded to, we maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood.
The EU adequacy assessment of the UK is, of course, a unilateral, autonomous process for the EU to undertake. However, we remain confident that our reforms deliver against UK interests and are compatible with maintaining EU adequacy. As the European Commission itself has made clear, a third country—the noble Lord, Lord Clement-Jones, alluded to this point—is not required to have the same rules as the EU to be considered adequate. Indeed, 15 countries have EU adequacy, including Japan, Israel and the Republic of Korea. All these nations pursue independent and, often, more divergent approaches to data protection.
The Government will provide both written and oral evidence to the House of Lords European Affairs Committee inquiry on UK-EU data adequacy and respond to its final report, which is expected to be published in the summer. Many expert witnesses already provided evidence to the committee and have stated that they believe that the Bill is compatible with maintaining adequacy.
As noble Lords have noted, the Government have published a full impact assessment alongside the Bill, which sets out in more detail what both the costs and financial benefits of the Bill would be—including in the unlikely scenario of the EU revoking the UK’s adequacy decision. I also note that UK adequacy is good for the EU too: every EU company, from multinationals to start-ups, with customers, suppliers or operations in the UK relies on EU-UK data transfers. Leading European businesses and organisations have consistently emphasised the importance of maintaining these free flows of data to the UK.
For these reasons, I hope that the noble Baronesses will agree to withdraw or not move these amendments.
The Minister made the point at the end there that it is in the EU’s interest to agree to our data adequacy. That is an important point but is that what the Government are relying on—the fact that it is in the EU’s interest as much as ours to continue to agree to our data adequacy provisions? If so, what the Minister has said does not make me feel more reassured. If the Government are relying on just that, it is not a particularly strong argument.
I do not know what I could possibly have said to create the impression that the Government are flying blind on this matter. We continue to engage extensively with the EU at junior official, senior official and ministerial level in order to ensure that our proposed reforms are fully understood and that there are no surprises. We engage with multiple expert stakeholders from both the EU side and the UK side. Indeed, as I mentioned earlier, a number of experts have submitted evidence to the House’s inquiry on EU-UK data adequacy and have made clear their views that the DPDI reforms set out in this Bill are compatible with EU adequacy. We continue to engage with the EU throughout. I do not want to be glib or blithe about the risks; we recognise the risks but it is vital—
Could we have a list of the people the noble Lord is talking about?
Yes. I would be happy to provide a list of the people we have spoken to about adequacy; it may be a long one. That concludes the remarks I wanted to make, I think.
I hope that the noble Baroness does not get too carried away on that one.
I am sure that we will revisit this at some point in future. Perhaps the noble Lord will like the fact that I am saying that it is certain that we will revisit it from a different place.
These are all really serious amendments. This is a long Committee stage but, in the whole issue of data, having regard to data adequacy is absolutely crucial, as the degree of intervention on the Minister indicated. The Green Party’s position is that we want to be rejoin-ready: we want to remain as close as possible to EU standards so that we can rejoin the EU as soon as possible.
Even without taking that approach, this is a crucial issue as so many businesses are reliant on this adequacy ruling. I was taken by a comment from the Minister, who said that the UK is committed to data adequacy. The issue here is not what the UK is saying but convincing the EU, which is not in our hands or under our control, as numerous noble Lords said.
I have no doubt that we will return to data adequacy and I hope that we will return to the innovative and creative intervention from the noble Baroness, Lady Young of Old Scone. In the meantime, I beg leave to withdraw Amendment 195A.
(8 months ago)
Grand CommitteeMy Lords, we have heard some fine words from the noble Lord, Lord Clement-Jones, in putting the case for his Amendments 135A, 135B, 135C and 135D, which are grouped with the clause stand part debates. As he explained, they seek to test and probe why the Government have sought to extend the ability of the security and intelligence services to disapply basic data protection principles.
The new Government-drafted clause essentially, as well as disapplying current provisions, disapplies the rights of data subjects and the obligations placed on competent authorities and processors. The Explanatory Notes say that this is to create a regime that
“ensures that there is consistency in approach”.
Section 29 is designed to facilitate joint processing by the various agencies with a common regime. Like the noble Lord, Lord Anderson, I well understand why they might want to do that. The noble Lord, Lord Clement-Jones, has done the Committee a service in tabling these amendments because, as he said, during the passage of the 2018 Act assurances were given that law enforcement would always abide by basic data protection principles. On the face of it, that assurance no longer applies. Is this because it is inconvenient for the security and intelligence services? What are the Government seeking to do here?
Can the Minister explain from the Government’s perspective what has changed since 2018 that has led Ministers to conclude that those critical principles should be compromised? The amendments also seek to assert the importance of proportionality considerations when deciding whether national security exemptions apply. This principle is again raised in relation to the issuing of a national security certificate.
The noble Lord, Lord Clement-Jones, with Amendment 135E effectively poses the question of where the balance of oversight should rest. Should it be with the Secretary of State or the commissioner? All that new Clause 29 does is oblige the Secretary of State to consult the commissioner with the expectation that the commissioner then makes public a record of designation orders. However, it strips out quite a lot of the commissioner’s current roles and responsibilities. We should surely have something more convincing than that to guarantee transparency in the process. We on these Benches will take some convincing that the Government have got the right balance in regard to the interests of national security and the security services. Why, for instance, is Parliament being sidelined in the exercise of the Secretary of State’s powers? Did Ministers give any consideration to reporting duties and obligations so far as Parliament is concerned? If not, why not?
Labour does not want to see national security compromised in any way, nor do we want to undermine the essential and vital work that our intelligence services have to perform to protect us all. However, we must also ensure that we build confidence in our security and intelligence services by making them properly accountable, as the noble Lord, Lord Clement-Jones, argued, and that the checks and balances are sufficient and the right ones.
The noble Lord, Lord Anderson, got it right in questioning the change of language, and I want to better understand from the Minister what that really means. But why extend the range of exemptions? We could do with some specific reasons as to why that is being changed and why that is the case. Why has the Information Commissioner’s role been so fundamentally changed with regard to these clauses and the exemptions?
We will, as always, listen carefully to the Minister’s reply before we give further thought to this framework on Report, but we are very unhappy with the changes that are taking away some of the fundamental protections that were in place before, and we will need quite a lot of convincing on these government changes.
My Lords, I thank the noble Lord, Lord Clement-Jones, for his amendments and thank the other noble Lords who spoke in this short debate. These amendments seek to remove Clauses 28, 29 and 30 in their entirety, or, as an alternative, to make amendments to Clauses 28 and 29. I will first speak to Clause 28, and if I fail to answer any questions I will of course guarantee to write.
Clause 28 replaces the current provision under the law enforcement regime for the protection of national security data, with a revised version that mirrors the existing exemptions available to organisations operating under the UK GDPR and intelligence services regimes. It is also similar to what was available to law enforcement agencies under the 1998 Data Protection Act. It is essential that law enforcement agencies can properly protect data where required for national security reasons, and they should certainly be able to apply the same protections that are available to other organisations.
The noble Lord, Lord Clement-Jones, asked whether the exemption was in breach of a person’s Article 8 rights, but the national security exemption will permit law enforcement agencies to apply an exemption to the need to comply with certain parts of the law enforcement data protection regime, such as the data protection principles or the rights of the data subject. It is not a blanket exemption and it will be able to be applied only where this is required for the purposes of safeguarding national security—for instance, in order to prevent the tipping-off of a terror suspect. It can be applied only on a case-by-case basis. We do not, therefore, believe that the exemption breaches the right to privacy.
In terms of the Government taking away the right to lodge a complaint with the commissioner, that is not the case—the Government are not removing that right. Those rights are being consolidated under Clause 44 of this DPDI Bill. We are omitting Article 77 as Clause 44 will introduce provisions that allow a data subject to lodge a complaint with a controller.
In terms of how the subject themselves will know how to complain to the Information Commissioner, all organisations, including law enforcement agencies, are required to provide certain information to individuals, including their right to make a complaint to the Information Commissioner and, where applicable, the contact details of the organisation’s data protection officer or, in line with other amendments under the Bill, the organisation’s senior responsible individual, if they suspect that their personal information is being process unlawfully.
Amendments 135A and 135D seek to introduce a proportionality test in relation to the application of the national security exemption and the issuing of a ministerial certificate for law enforcement agencies operating under Part 3 of the Data Protection Act. The approach we propose is consistent with the similar exemptions for the UK GDPR and intelligence services, which all require a controller to evaluate on a case-by-case basis whether an exemption from a provision is required for the purpose of safeguarding national security.
Amendment 135B will remove the ability for law enforcement agencies to apply the national security exemption to data protection principles, whereas the approach we propose is consistent with the other data protection regimes and will provide for exemption from the data protection principles in Chapter 2—where required and on a case-by-case basis—but not from the requirement for processing to be lawful and the safeguards which apply to sensitive data.
The ability to disapply certain principles laid out in Chapter 2 is crucial for the efficacy of the national security exemption. This is evident in the UK GDPR and Part 4 exemption which disapplies similar principles. To remove the ability to apply the national security exemption to any of the data protection principles for law enforcement agencies only would undermine their ability to offer the same protections as those processing under the other data protection regimes.
Not all the principles laid out in Chapter 2 can be exempted from; for example, law enforcement agencies are still required to ensure that all processing is lawful and cannot exempt from the safeguards that apply to sensitive data. There are safeguards in place to ensure that the exemption is used correctly by law enforcement agencies. Where a data subject feels that the national security exemption has not been applied correctly, the legislation allows them to complain to the Information Commissioner and, ultimately, to the courts. Additionally, the reforms require law enforcement agencies to appoint a senior responsible individual whose tasks include monitoring compliance with the legislation.
Amendment 135C would make it a mandatory requirement for a certificate to be sought from and approved by a judicial commissioner whenever the national security exemption is to be invoked by law enforcement agencies only. This bureaucratic process does not apply to organisations processing under the other data protection regimes; forcing law enforcement agencies to apply for a certificate every time they need to apply the exemption would be unworkable as it would remove their ability to act quickly in relation to matters of national security. For these reasons, I hope that the noble Lord, Lord Clement-Jones, will not press his amendments.
On Clauses 29 and 30 of the Bill, currently, only the intelligence services can operate under Part 4 of the Data Protection Act. This means that, even when working together, the intelligence services and law enforcement cannot work on a single shared dataset but must instead transfer data back and forth, applying the provisions of their applicable data protection regimes, which creates significant friction. Removing barriers to joint working was flagged as a recommendation following the Manchester Arena inquiry, as was noted by the noble Lord, Lord Anderson, and following Fishmongers’ Hall, which also recommended closer working.
Clauses 29 and 30 enable qualifying competent authorities and an intelligence service jointly to process data under a single data protection regime in authorised, specific circumstances to safeguard national security. In order to jointly process data in this manner, the Secretary of State must issue a designation notice to authorise it. A notice can be granted only if the Secretary of State is satisfied that the processing is required for the purpose of safeguarding national security and following consultation with the ICO.
Amendment 135E would make the ICO the final arbiter of whether a designation notice is granted by requiring it to—
May I just intrude on the Minister’s flow? As I understand it, there is a possibility that relatives of the families affected by the Manchester Arena bombing will take to court matters relating to the operation of the security services, including relating to intelligence that it is felt they may have had prior to the bombing. How will this new regime, as set out in the Bill, affect the rights of those who may seek to hold the security services to account in the courts? Will their legal advisers ever be able to discover materials that might otherwise be exempt from public view?
That is a very good question but the noble Lord will understand that I am somewhat reluctant to pontificate about a potential forthcoming court case. I cannot really answer the question, I am afraid.
But understanding the impact on people’s rights is important in the context of this legislation.
As I say, it is a good question but I cannot comment further on that one. I will see whether there is anything that we can commit to in writing and have a further chat about this subject but I will leave it for now, if I may.
Amendment 135E would make the ICO the final arbiter of whether a designation notice is granted by requiring it to judge whether the notice is required for the purposes of the safeguarding of national security. It would be wholly inappropriate for the ICO to act as a judge of national security; that is not a function of the ICO in its capacity as regulator and should be reserved to the Secretary of State. As is generally the case with decisions by public bodies, the decision of the Secretary of State to grant a designation notice can be challenged legally; this is expressly provided for under new Section 82E, as is proposed to be included in the DPA by Clause 29.
On the subject of how a data subject is supposed to exercise their rights if they do not know that their data is being processed under a notice subject to Part 4, the ICO will publish designation notices as soon as is reasonably practical. Privacy information notices will also be updated if necessary to enable data subjects to identify a single point of contact should they wish to exercise their rights in relation to data that might be processed under a designation notice. This single point of contact will ease the process of exercising their data rights.
The noble Lord, Lord Anderson, asked which law enforcement agencies this will apply to. That will be set out separately in the subsequent affirmative SI. I cannot be more precise than that at the moment.
For these reasons, I hope that the noble Lord, Lord Clement-Jones, will be prepared to withdraw his amendment.
I thank the noble Lord for that. It is a lawyerly question and, as he knows, I am not a lawyer. With respect, I will endeavour to write and clarify on that point, as well as on his other good point about the sorts of authorities that we are talking about.
Perhaps the same correspondence could cover the point I raised as well.
My Lords, I am immensely grateful to the noble Lords, Lord Anderson and Lord Bassam, for their interventions. In particular, given his background, if the noble Lord, Lord Anderson, has concerns about these clauses, we all ought to have concerns. I am grateful to the Minister for the extent of his unpacking—or attempted unpacking—of these clauses but I feel that we are on a slippery slope here. I feel some considerable unease about the widening of the disapplication of principles that we were assured were immutable only six years ago. I am worried about that.
We have had some reassurance about the right to transparency, perhaps when it is convenient that data subjects find out about what is happening. The right to challenge was also mentioned by the Minister but he has not really answered the question about whether the Home Office has looked seriously at the implications as far as the human rights convention is concerned, which is the reason for the stand part notice. The Minister did not address that matter at all; I do not know why. I am assuming that the Home Office has looked at the clauses in the light of the convention but, again, he did not talk about that.
The only assurance the Minister has really given is that it is all on a case-by-case basis. I do not think that that is much of a reassurance. On the proportionality point made by the noble Lord, Lord Anderson, I think that we are going to be agog in waiting for the Minister’s correspondence on that, but it is such a basic issue. There were two amendments specifically on proportionality but we have not really had a reply on that issue at all, in terms of why it should have been eliminated by the legislation. So a feeling of unease prevails. I do not even feel that the Minister has unpacked fully the issue of joint working; I think that the noble Lord, Lord Anderson, did that more. We need to know more about how that will operate.
The final point that the Minister made gave even greater concern—to think that there will be an SI setting out the bodies that will have the powers. We are probably slightly wiser than when we started out with this group of amendments, but only slightly and we are considerably more concerned. In the meantime, I beg leave to withdraw the amendment.
My Lords, the noble Baroness, Lady Morgan, has done us a service by raising this issue. My question is about whether the advice given to date about redaction is accurate. I have not seen the Home Office’s guidance or counsel’s analysis. I have taken advice on the Police Federation’s case—I received an email and I was very interested in what it had to say, because we all want to make sure that the bureaucracy involved in charging and dealing with the CPS is as minimal as possible within the bounds of data protection law.
Section 35(2)(b) of the Data Protection Act simply requires the police to ensure that their processing is necessary for the performance of their tasks. You would have thought that sending an investigation file to the CPS to decide whether to charge a suspect seems necessary for the performance of that task. Some of that personal data may end up not being relevant to the charge or any trial, but that is a judgment for the CPS and the prosecutor. It does not mean, in the view of those I have consulted, that the file has to be redacted at vast taxpayer cost before the CPS or prosecutor have had a chance to see the investigation’s file. When you look at sensitive data, the test is “strictly necessary”, which is a higher test, but surely the answer to that must be that officers should collect this information only where they consider it relevant to the case. So this can be dealt with through protocols about data protection, which ensure that officers do not collect more sensitive data than is necessary for the purposes of the investigation.
Similarly, under Section 37, the question that the personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed should not be interpreted in such a way that this redaction exercise is required. If an officer thinks they need to collect the relevant information for the purpose of the investigation, that seems to me—and to those advising me—in broad terms to be sufficient to comply with the principle. Conversely, if officers are collecting too much data, the answer is that they should be trained to avoid doing this. If officers really are collecting more information than they should be, redactions cannot remedy the fact that the collection was unlawful in the first place. The solution seems to be to stop them collecting that data.
I assume—maybe I am completely wrong—that the Minister will utter “suitable guidance” in response to the noble Baroness’s amendment and say that there is no need to amend the legislation, but, if there is no need to do so, I hope that they revise the guidance, because the Police Federation and its members are clearly labouring under a misapprehension about the way the Act should be interpreted. It would be quite a serious matter if that has taken place for the last six years.
My Lords, we should be very grateful to the noble Baroness, Lady Morgan of Cotes, for her amendment. I listened very carefully to her line of argument and find much that we can support in the approach. In that context, we should also thank the Police Federation of England and Wales for a particularly useful and enlightening briefing paper.
We may well be suffering under the law of unintended consequences in this context; it seems to have hit quite hard and acted as a barrier to the sensible processing and transfer of data between two parts of the law enforcement machinery. It is quite interesting coming off the back of the previous debate, when we were discussing making the transfer of information and intelligence between different agencies easier and having a common approach. It is a very relevant discussion to have.
I do not think that the legislation, when it was originally drafted, could ever have been intended to work in the way the Police Federation has set out. The implementation of the Data Protection Act 2018, in so far as law enforcement agencies are concerned, is supposed to be guided by recital 4, which the noble Baroness read into the record and which makes good sense.
As the noble Baroness explained, the Police Federation’s argument that the DPA makes no provisions at all that are designed to facilitate, in effect, the free flow of information, that it should be able to hold all the relevant data prior to the charging decision being made by the CPS, and that redaction should take place only after a decision on charging has been made seems quite a sensible approach. As she argued, it would significantly lighten the burden on police investigating teams and enable the decision on charging to be more broadly informed.
So this is a piece of simplification that we can all support. The case has been made very well. If it helps speed up charging and policing processes, which I know the Government are very concerned about, as all Governments should be, it seems a sensible move—but this is the Home Office. We do not always expect the most sensible things to be delivered by that department, but we hope that they are.
I thank all noble Lords for their contributions—I think. I thank my noble friend Lady Morgan of Cotes for her amendment and for raising what is an important issue. Amendment 137 seeks to permit the police and the Crown Prosecution Service to share unredacted data with one another when making a charging decision. Perhaps to the surprise of the noble Lord, Lord Bassam, we agree: we must reduce the burden of redaction on the police. As my noble friend noted, this is very substantial and costly.
We welcome the intent of the amendment. However, as my noble friend has noted, we do not believe that, as drafted, it would achieve the stated aim. To fully remove it would require the amendment of more than just the Data Protection Act.
However, the Government are committed to reducing the burden on the police, but it is important that we get it right and that the solution is comprehensive. We consider that the objective which my noble friend is seeking would be better achieved through other means, including improved technology and new, simplified guidance to prevent overredaction, as all speakers, including the noble Lord, Lord Clement-Jones, noted.
The Home Office provided £960,000 of funding for text and audio-visual multimedia redaction in the 2023-24 financial year. Thanks to that funding, police forces have been able to procure automated text redaction tools, the trials of which have demonstrated that they could save up 80% of the time spent by the police on this redaction. Furthermore, in the latest Budget, the Chancellor announced an additional £230 million of funding for technology to boost police productivity. This will be used to develop, test and roll out automated audio-visual redaction tools, saving thousands more hours of police time. I would say to my noble friend that, as the technology improves, we hope that the need for it to be supervised by individuals will diminish.
I can also tell your Lordships’ House that officials from the Home Office have consulted with the Information Commissioner’s Office and have agreed that a significant proportion of the burden caused by existing pre-charge redaction processes could be reduced safely and lawfully within the current data protection framework in a way that will maintain standards and protections for individuals. We are, therefore, actively working to tackle this issue in the most appropriate way by exploring how we can significantly reduce the redaction burden at the pre-charge stage through process change within the existing legislative framework. This will involve creating simplified guidance and, obviously, the use of better technology.
(8 months, 3 weeks ago)
Grand CommitteeMy Lords, I associate myself with the comments that my noble friend Lord Kamall just made. I have nothing to add on those amendments, as he eloquently set out why they are so important.
In the spirit of transparency, my intervention enables me to point out, were there any doubt, who I am as opposed to the noble Baroness, Lady Bennett, who was not here earlier but who I was mistaken for. Obviously, we are not graced with the presence of my noble friend Lord Maude, but I am sure that we all know what he looks like as well.
I will speak to two amendments. The first is Amendment 144, to which I have added my name. As usual, the noble Baroness, Lady Kidron, has said almost everything that can be said on this but I want to amplify two things. I have yet to meet a politician who does not get excited about the two-letter acronym that is AI. The favoured statement is that it is as big a change in the world as the discovery of electricity or the invention of the wheel. If it is that big—pretty much everyone in the world who has looked at it probably thinks it is—we need properly to think about the pluses and the minuses of the applications of AI for children.
The noble Baroness, Lady Kidron, set out really clearly why children are different. I do not want to repeat that, but children are different and need different protections; this has been established in the physical world for a very long time. With this new technology that is so much bigger than the advent of electricity and the creation of the first automated factories, it is self-evident that we need to set out how to protect children in that world. The question then is: do we need a separate code of practice on children and AI? Or, as the noble Baroness set out, is this an opportunity for my noble friend the Minister to confirm that we should write into this Bill, with clarity, an updated age-appropriate design code that recognises the existence of AI and all that it could bring? I am indifferent on those two options but I feel strongly that, as we have now said on multiple groups, we cannot just rely on the wording in a previous Act, which this Bill aims to update, without recognising that, at the same time, we need to update what an age-appropriate design code looks like in the age of AI.
The second amendment that I speak to is Amendment 252, on the open address file. I will not bore noble Lords with my endless stories about the use of the address file during Covid, but I lived through and experienced the challenges of this. I highlight an important phrase in the amendment. Proposed new subsection (1) says:
“The Secretary of State must regularly publish a list of UK addresses as open data to an approved data standard”.
One reason why it is a problem for this address data to be held by an independent private company is that the quality of the data is not good enough. That is a real problem if you are trying to deliver a national service, whether in the public sector or the private sector. If the data quality is not good enough, it leaves us substantially poorer as a country. This is a fundamental asset for the country and a fundamental building block of our geolocation data, as the noble Lord, Lord Clement-Jones, set out. Anybody who has tried to build a service that delivers things to human beings in the physical world knows that errors in the database can cause huge problems. It might not feel like a huge problem if it concerns your latest Amazon delivery but, if it concerns the urgent dispatch of an ambulance, it is life and death. Maintaining the accuracy of the data and holding it close as a national asset is therefore hugely important, which is why I lend my support to this amendment.
My Lords, the noble Lord, Lord Clement-Jones, has, as ever, ably introduced his Amendments 74, 75, 76, 77 and 78, to the first of which the Labour Benches have added our name. We broadly support all the amendments, but in particular Amendment 74. We also support Amendment 144 which was tabled by the noble Baroness, Lady Kidron, and cosigned by the noble Baroness, Lady Harding, the noble Lord, Lord Clement-Jones and my noble friend Lady Jones.
Amendments 74 to 78 cover the use of the Government’s Algorithmic Transparency Recording Standard—ATRS. We heard a fair bit about this in Committee on Monday, when the Minister prayed it in aid during debates on Clause 14 and Article 22A. The noble Lord, Lord Clement-Jones, outlined its valuable work, which I think everyone in the Committee wants to encourage and see writ large. These amendments seek to aid the transparency that the Minister referred to by publishing reports by public bodies using algorithmic tools where they have a significant influence on the decision-making process. The amendments also seek to oblige the Secretary of State to ensure that public bodies, government departments and contractors using public data have a compulsory transparency reporting scheme in place. The amendments legislate to create impact assessments and root ADM processes in public service that minimise harm and are fair and non-discriminatory in their effect.
The noble Lord, Lord Kamall, made some valuable points about the importance of transparency. His two stories were very telling. It is only right that we have that transparency for the public service and in privately provided services. I think the Minister would be well advised to listen to him.
The noble Lord, Lord Clement-Jones, also alighted on the need for government departments to publish reports under the ATRS in line with their position as set out in the AI regulation White Paper consultation process and response. This would put it on a legislative basis, and I think that is fairly argued. The amendments would in effect create a statutory framework for transparency in the public service use of algorithmic tools.
We see these amendments as forming part of the architecture needed to begin building a place of trust around the increased use of ADM and the introduction of AI into public services. Like the Government and everyone in this Committee, we see all the advantages, but take the view that we need to take the public with us on this journey. If we do not do that, we act at our peril. Transparency, openness and accountability are key to securing trust in what will be something of a revolution in how public services are delivered and procured in the future.
We also support Amendment 144 in the name of the noble Baroness, Lady Kidron, for the very simple reason that in the development of AI technology we should hardwire into practice and procedure using the technology as it affects the interests of children to higher standards, and those higher standards should apply. This has been a constant theme in our Committee deliberations and our approach to child protection. In her earlier speech, the noble Baroness, Lady Harding, passionately argued for the need to get this right. We have been wanting over the past decade in that regard, and now is the moment to put that right and begin to move on this policy area.
The noble Baroness, Lady Kidron, has made the argument for higher standards of protection for children persuasively during all our deliberations, and a code of practice makes good sense. As the noble Baroness, Lady Harding, said, it can either be stand-alone or integrated. In the end, it matters little, but having it there setting the standard is critical to getting this policy area in the right place. The amendment sets out the detail that the commissioner must cover with admirable clarity so that data processors should always have prioritising children’s interests and fundamental rights in their thinking. I am sure that is something that is broadly supported by the whole Committee.
As I said, I will write. I do not believe that follows axiomatically from the ATRS’s existence.
On Amendment 144, the Government are sympathetic to the idea that the ICO should respond to new and emerging technologies, including the use of children’s data in the development of AI. I assure noble Lords that this area will continue to be a focus of the ICO’s work and that it already has extensive powers to provide additional guidance or make updates to the age-appropriate design code, to ensure that it reflects new developments, and a responsibility to keep it up to date. The ICO has a public task under Article 57(1)(b) of the UK GDPR to
“promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing”.
It is already explicit that:
“Activities addressed specifically to children shall receive specific attention”.
That code already includes a chapter on profiling and provides guidance on fairness and transparency requirements around automated decision-making.
Taking the specific point made by the noble Baroness, Lady Kidron, on the contents of the ICO’s guidance, while I cannot speak to the ICO’s decisions about the drafting of its guidance, I am content to undertake to speak to it about this issue. I note that it is important to be careful to avoid a requirement for the ICO to duplicate work. The creation of an additional children’s code focused on AI could risk fragmenting approaches to children’s protections in the existing AADC—a point made by the noble Baroness and by my noble friend Lady Harding.
I have a question on this. If the Minister is arguing that this should be by way of amendment of the age-related code, would there not be an argument for giving that code some statutory effect?
I believe that the AADC already has statutory standing.
As the noble Lord, Lord Clement-Jones, explained, his intention to oppose the question that Clause 19 stands part seeks to retain the status quo. As I read Section 62 of the Data Protection Act 2016, it obliges competent authorities to keep logs of their processing activities, whether they be for collection, alteration, consultation, disclosure, combination or the erasing of personal data. The primary purpose is for self-monitoring purposes, largely linked to disciplinary proceedings, as the noble Lord said, where an officer has become a suspect by virtue of inappropriately accessing PNC-held data.
Clause 19 removes the requirement for a competent authority to record a justification in the logs only when consulting or disclosing personal data. The Explanatory Note to the Bill explains this change as follows:
“It is … technologically challenging for systems to automatically record the justification without manual input”.
That is not a sufficiently strong reason for removing the requirement, not least because the remaining requirements of Section 62 of the Data Protection Act 2018 relating to the logs of consultation and disclosure activity will be retained and include the need to record the date and time and the identity of the person accessing the log. Presumably they will be able to be manually input, so why remove the one piece of data that might, in an investigation of abuse or misuse of the system, be useful in terms of evidence and self-incrimination? I do not understand the logic behind that at all.
I rather think the noble Lord, Lord Clement-Jones, has an important point. He has linked it to those who have been unfortunate enough to be AIDS sufferers, and I am sure that there are other people who have become victims where cases would be brought forward. I am not convinced that the clause should stand part, and we support the noble Lord in seeking its deletion.
This is a mercifully short group on this occasion. I thank the noble Lord, Lord Clement-Jones, for the amendment, which seeks to remove Clause 19 from the Bill. Section 62 of the Data Protection Act requires law enforcement agencies to record when personal data has been accessed and why. Clause 19 does not remove the need for police to justify their processing; it simply removes the ineffective administrative requirement to record that justification in a log.
The justification entry was intended to help to monitor and detect unlawful access. However, the reality is that anyone accessing data unlawfully is very unlikely to record an honest justification, making this in practice an unreliable means of monitoring misconduct or unlawful processing. Records of when data was accessed and by whom can be automatically captured and will remain, thereby continuing to ensure accountability.
In addition, the National Police Chiefs’ Council’s view is that this change will not hamper any investigations to identify the unlawful processing of data. That is because it is unlikely that an individual accessing data unlawfully would enter an honest justification, so capturing this information is unlikely to be useful in any investigation into misconduct. The requirements to record the time, date and, as far as possible, the identity of the person accessing the data will remain, as will the obligation that there is lawful reason for the access, ensuring that accountability and protection for data subjects is maintained.
Police officers inform us that the current requirement places an unnecessary burden on them as they have to update the log manually. The Government estimate that the clause could save approximately 1.5 million policing hours, representing a saving in the region of £46.5 million per year.
I understand that the amendment relates to representations made by the National AIDS Trust concerning the level of protection for people’s HIV status. As I believe I said on Monday, the Government agree that the protection of people’s HIV status is vital. We have met the National AIDS Trust to discuss the best solutions to the problems it has raised. For these reasons, I hope the noble Lord will not oppose Clause 19 standing part.
My Lords, very briefly, I thank the Minister for unpacking his amendments with some care, and for giving me the answer to my amendment before I spoke to it—that saves time.
Obviously, we all understand the importance of transfers of personal data between law enforcement authorities, but perhaps the crux of this, and the one question in our mind is, what is—perhaps the Minister could remind us—the process for making sure that the country that we are sending it to is data adequate? Amendment 121 was tabled as a way of probing that. It would be extremely useful if the Minister can answer that. This should apply to transfers between law enforcement authorities just as much as it does for other, more general transfers under Schedule 5. If the Minister can give me the answer, that would be useful, but if he does not have the answer to hand, I am very happy to suspend my curiosity until after Easter.
My Lords, I too can be brief, having heard the Minister’s response. I thought he half-shot the Clement-Jones fox, with very good aim on the Minister’s part.
I was simply going to say that it is one in a sea of amendments from the Government, but the noble Lord, Lord Clement-Jones, made an important point about making sure that the country organisations that the commissioner looks at should meet the test of data adequacy—I also had that in my speaking note. The noble Lord, Lord Clement-Jones, was making a good point in terms of ensuring that appropriate data protections are in place internationally for us to be able to work with.
The Minister explained the government amendments with some care, but I wonder if he could explain how data transfers are made to an overseas processor using the powers relied on by reference to new Section 73(4)(aa) of the 2018 Act. The power is used as a condition and justification for several of the noble Lord’s amendments, and I wonder whether he has had to table these amendments because of the original drafting. That would seem to be to be the most likely reason.
(8 months, 3 weeks ago)
Grand CommitteeMy Lords, I thank the noble Baroness, Lady Jones, for tabling her amendments. Amendment 19 would remove processing which is necessary for the purposes of democratic engagement from the list of recognised legitimate interests. It is essential in a healthy democracy that registered political parties, elected representatives and permitted participants in referendums can engage freely with the electorate without being impeded unnecessarily by data protection legislation.
The provisions in the Bill will mean that these individuals and organisations do not have to carry out legitimate interest assessments or look for a separate legal basis. They will, however, still need to comply with other requirements of data protection legislation, such as the data protection principles and the requirement for processing to be necessary.
On the question posed by the noble Baroness about the term “democratic engagement”, it is intended to cover a wide range of political activities inside and outside election periods. These include but are not limited to democratic representation; communicating with electors and interested parties; surveying and opinion gathering; campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities. This is reflected in the drafting, which incorporates these concepts in the definition of democratic engagement and democratic engagement activities.
The ICO already has guidance on the use of personal data by political parties for campaigning purposes, which the Government anticipate it will update to reflect the changes in the Bill. We will of course work with the ICO to make sure it is familiar with our plans for commencement and that it does not benefit any party over another.
On the point made about the appropriate age for the provisions, in some parts of the UK the voting age is 16 for some elections, and children can join the electoral register as attainers at 14. The age of 14 reflects the variations in voting age across the nation; in some parts of the UK, such as Scotland, a person can register to vote at 14 as an attainer. An attainer is someone who is registered to vote in advance of their being able to do so, to allow them to be on the electoral roll as soon as they turn the required age. Children aged 14 and over are often politically engaged and are approaching voting age. The Government consider it important that political parties and elected representatives can engage freely with this age group—
I am interested in what the Minister says about the age of attainers. Surely it would be possible to remove attainers from those who could be subject to direct marketing. Given how young attainers could be, it would protect them from the unwarranted attentions of campaigning parties and so on. I do not see that as a great difficulty.
Indeed. It is certainly worth looking at, but I remind noble Lords that such communications have to be necessary, and the test of their being necessary for someone of that age is obviously more stringent.
The processor has to determine whether it is necessary to the desired democratic engagement outcome to communicate with someone at that age. But I take the point: for the vast majority of democratic engagement communications, 14 would be far too young to make that a worthwhile or necessary activity.
I am not aware one way or the other, but I will happily look into that to see what further safeguards we can add so that we are not bombarding people who are too young with this material.
I am not sure whether it is written in the Bill. I will check, but the Bill would not function without the existence of the guidance.
I am sorry to drag this out but, on the guidance, can we be assured that the Minister will involve the Electoral Commission? It has a great deal of experience here; in fact, it has opined in the past on votes for younger cohorts of the population. It seems highly relevant to seek out its experience and the benefits of that.
I should also declare an interest. I apologise that I did not do so earlier. I worked with a think tank and wrote a series of papers on who regulates the regulators. I still have a relationship with that think tank.
My Lords, I have been through this large group and, apart from my natural suspicion that there might be something dastardly hidden away in it, I am broadly content, but I have a few questions.
On Amendment 20, can the Minister conform that the new words “further processing” have the same meaning as the reuse of personal data? Can he confirm that Article 5(1)(b) will prohibit this further processing when it is not in line with the original purpose for which the data was collected? How will the data subject know that is the case?
On Amendment 196, to my untutored eye it looks like the regulation-making power is being extended away from the data holder to include authorised persons and third-party recipients. My questions are simple enough: was this an oversight on the part of the original drafters of that clause? Is the amendment an extension of those captured by the effect of the clause? Is it designed to achieve consistency across the Bill? Finally, can I assume that an authorised person or third party would usually be someone acting on behalf of an agent of the data holder?
I presume that Amendments 198, 212 and 213 are needed because of a glitch in the drafting—similarly with Amendment 206. I can see that Amendments 208, 216 and 217 clarify when time periods begin, but why are the Government seeking to disapply time periods in Amendment 253 when surely some consistency is required?
Finally—I am sure the Minister will be happy about this—I am all in favour of flexibility, but Amendment 283 states that the Information Commissioner has the power to do things to facilitate the exercise of his functions. The noble Lord, Lord Kamall, picked up on this. We need to understand what those limits are. On the face of it, one might say that the amendment is sensible, but it seems rather general and broad in its application. As the noble Lord, Lord Kamall, rightly said, we need to see what the limits of accountability are. This is one of those occasions.
I thank the noble Lords, Lord Kamall and Lord Bassam, for their engagement with this group. On the questions from the noble Lord, Lord Kamall, these are powers that the ICO would already have in common law. As I am given to understand is now best practice, they are put on a statutory footing in the Bill as part of best practice with all Bills. The purpose is to align with best practice. It does not confer substantial new powers but clarifies the powers that the regulator has. I can also confirm that the ICO was and remains accountable to Parliament.
The Information Commissioner is directly accountable to Parliament in that he makes regular appearances in front of Select Committees that scrutinise the regulator’s work, including progress against objectives.
The noble Lord, Lord Bassam, made multiple important and interesting points. I hope he will forgive me if I undertake to write to him about those; there is quite a range of topics to cover. If there are any on which he requires answers right away, he is welcome to intervene.
I want to be helpful to the Minister. I appreciate that these questions are probably irritating but I carefully read through the amendments and aligned them with the Explanatory Notes. I just wanted some clarification to make sure that we are clear on exactly what the Government are trying to do. “Minor and technical” covers a multitude of sins; I know that from my own time as a Minister.
Indeed. I will make absolutely sure that we provide a full answer. By the way, I sincerely thank the noble Lord for taking the time to go through what is perhaps not the most rewarding of reads but is useful none the less.
From looking at the wording of the Members’ explanatory statements for wishing to leave out Clauses 9 and 36, I do not think that the Minister has addressed this, but does he accept that the Bill now provides a more lax approach? Is this a reduction of the standard expected? To me, “vexatious or excessive” sounds very different from “manifestly unfounded or excessive”. Does he accept that basic premise? That is really the core of the debate; if it is not, we have to look again at the issue of resources, which seems to be the argument to make this change.
If that is the case and this is a dilution, is this where the Government think they will get the savings identified in the impact assessment? It was alleged in the Public Bill Committee that this is where a lot of the savings would come from—we all have rather different views. My first information was that every SME might save about £80 a year then, suddenly, the Secretary of State started talking about £10 billion of benefit from the Bill. Clarification of that would be extremely helpful. There seems to be a dichotomy between the noble Lord, Lord Bassam, saying that this is a way to reduce the burdens on business and the Minister saying that it is all about confident refusal and confidence. He has used that word twice, which is worrying.
First, on the point made by the noble Lord, Lord Bassam, it is not to be argumentative—I am sure that there is much discussion to be had—but the intention is absolutely not to lower the standard for a well-intended request.
Sadly, a number of requests that are not well intended are made, with purposes of cynicism and an aim to disrupt. I can give a few examples. For instance, some requests are deliberately made with minimal time between them. Some are made to circumvent the process of legal disclosure in a trial. Some are made for other reasons designed to disrupt an organisation. The intent of using “vexatious” is not in any way to reduce well-founded, or even partially well-founded, attempts to secure information; it is to reduce less desirable, more cynical attempts to work in this way.
But the two terms have a different legal meaning, surely.
The actual application of the terms will be set out in guidance by the ICO but the intention is to filter out the more disruptive and cynical ones. Designing these words is never an easy thing but there has been considerable consultation on this in order to achieve that intention.
My Lords, this is the first group of amendments covering issues relating to automated decision-making, one of the most interesting areas of data use but also one of the most contested and, for the public at large, one of the most controversial and difficult to navigate. The development of AI and data systems that easily enable automatable decisions could offer huge efficiencies for consumers of public services. Equally, the use of such systems can, if used and regulated in the wrong way, have a devastating impact on people’s lives. If we have learned one thing from the Horizon scandal it is simply that, in the wrong hands and with the wrong system in place, the misuse of data can destroy lives and livelihoods.
Our country has a massive social security system, which includes everything from pension payments to disability income support and, of course, the universal credit system, which covers people entitled to in-work and out-of-work benefits. Over 22 million people receive DWP benefits of one sort or another. If automated decisions make errors in this field the potential to damage lives is enormous, as I am sure the Minister will appreciate.
I turn to the four amendments in the group in the name of my noble friend Lady Jones. Amendments 36 and 37 seek to amend new Article 22A of the UK GDPR and make it clear that protection is provided for profiling operations that lead to decisions. This is important, not least because the clause further reduces the scope for the human review of automated decision-making. Profiling is used as part of this process, and these amendments seek to protect individual data subjects from its effect. We take the view that it is essential that human interaction is involved in making subject access decisions.
Amendment 40 also makes it clear that, in the context of the new Article 22A, for human involvement to be considered meaningful, the review of the decision must be completed by a competent person. One of the positive changes made by the Bill is the introduction of the concept of “meaningful human involvement” in a decision. Meaningful human review is a key component for achieving an appropriate level of oversight over automated decision-making, for protecting individuals from unfair treatment and for offering an avenue for redress. The aim of the amendment is to bring more clarity around what “meaningful human involvement” should consist of. It would require that a review needs to be performed by a person with the necessary competence, training and understanding of the data, and, of course, the authority to alter the decision.
Our Amendment 109 is not so much about building protections as introducing something new and adding to the strength of what is already there. Users have never been able to get personalised explanations of automated decisions but, given the impact that these can have, we feel that systems should be in place for people to understand why a computer has simply said yes or no.
As it stands, the Bill deletes Section 14 of the Data Protection Act 2018 in its entirety. Our amendment would undo that and then add personalisation in. The amendment would retain Section 14 of that Act, which is where most automated decision-making safeguards are currently detailed in law. It would introduce an entitlement for data subjects to receive a personalised explanation of an automated decision made about them. This is based on public attitudes research conducted by the Ada Lovelace Institute, which shows a clear demand for greater transparency over these sorts of decisions.
The amendment also draws on independent legal analysis commissioned by the Ada Lovelace Institute, which found that the generic nature of explanations provided under current law are insufficient for individuals to understand how they have been affected by automated decision-making. This was considered to be a major barrier to meaningful protection from and redress for harms caused by AI. As many noble Lords have made clear in these debates, we have put building trust at the heart of how we get the most from AI and, more particularly, ADM systems.
I turn to the amendments in the name of the noble Lord, Lord Clement-Jones. In essence, they are about—as the noble Lord will, I am sure, explain better than I possibly could—the level of engagement of individuals in decisions about data subject automated decision-making processes. The common thread through the amendments is that they raise the bar in terms of the safeguards for data subjects’ rights and freedoms. We have joined the noble Lord, Lord Clement-Jones, on Amendment 47, and might equally have added our names to the other amendments in the group as we broadly support those too.
Amendment 38A, in the name of the noble Baroness, Lady Bennett, would place an additional requirement under new Article 22A to ensure human engagement in the automated decision-making processes.
I am sure the Committee will want more than warm words from the Minister when he comes to wind up the debate. For all of us, ADM is the here and now; it shapes how we use and consume public services and defines what and who we are. Reducing our protections from its downsides is not to be done lightly and we cannot easily see how that can be justified. I want to hear from the Minister how the Government came to conclude that this was acceptable, not least because, as we will hear in later debates on the Bill, the Government are seeking powers that provide for invasive bulk access to potentially every citizen’s bank accounts. I beg to move the amendments in the name of the noble Baroness, Lady Jones.
My Lords, it is a pleasure to follow the noble Lord, Lord Bassam, who has already set out very clearly what the group is about. I will chiefly confine myself to speaking to my Amendment 38A, which seeks to put in the Bill a clear idea of what having a human in the loop actually means. We need to have a human in the loop to ensure that a human interpreted, assessed and, perhaps most crucially, was able to intervene in the decision and any information on which it is based.
Noble Lords will be aware of many situations that have already arisen in which artificial intelligence is used—I would say that what we are currently describing is artificial intelligence but, in real terms, it is not truly that at all. What we have is a very large use of big data and, as the noble Lord, Lord Bassam, said, big data can be a very useful and powerful tool to be used for many positive purposes. However, we know that the quality of decision-making often depends on the quality of the data going in. A human is able to see whether something looks astray or wrong; there is a kind of intelligence that humans apply to this, which machines simply do not have the capacity for.
I pay credit to Justice, the law reform and human rights organisation which produced an excellent briefing on the issues around Clause 14. It asserts that, as it is currently written, it inadequately protects individuals from automated harm.
The noble Lord, Lord Bassam, referred to the Horizon case in the UK; that is the obvious example but, while we may think of some of the most vulnerable people in the UK, the Robodebt case in Australia is another case where crunching big data, and then crunching down on individuals, had truly awful outcomes. We know that there is a real risk of unfairness and discrimination in the use of these kinds of tools. I note that the UK has signed the Bletchley declaration, which says that
“AI should be designed, developed, deployed, and used, in a manner that is … human-centric, trustworthy and responsible”.
I focus particularly on “human-centric”: human beings can sympathise with and understand other human beings in a way that big data simply does not.
I draw a parallel with something covered by a special Select Committee of your Lordships’ House, last year: lethal autonomous weapon systems, or so-called killer robots. This is an obvious example of where there is a very strong argument for having a human in the loop, as the terminology goes. From the last I understood and heard about this, I am afraid that the UK Government are not fully committed to a human in the loop in the case of killer robots, but I hope that we get to that point.
When we talk about how humans’ data is used and managed, we are also talking about situations that are—almost equally—life and death: whether people get a benefit, whether they are fairly treated and whether they do not suddenly disappear off the system. Only this morning, I was reading a case study of a woman aged over 80, highlighting how she had been through multiple government departments, but could not get her national insurance number. Without a national insurance number, she could not get the pension to which she was entitled. If there is no human in the loop to cut through those kinds of situations, there is a real risk that people will find themselves just going around and around machines—a circumstance with which we are personally all too familiar, I am sure. My amendment is an attempt to put a real explanation in the Bill for having that human in the loop.
As I said, the intent of the Government is: yes to more automated data processing to take advantage of emerging technologies, but also yes to maintaining appropriate safeguards. The safeguards in the present system consist—if I may characterise it in a slightly blunt way—of providing quite a lot of uncertainty, so that people do not take the decision to positively embrace the technology in a safe way. By bringing in this clarity, we will see an increase not only in the safety of their applications but in their use, driving up productivity in both the public and private sectors.
My Lords, I said at the outset that I thought this was the beginning of a particular debate, and I was right, looking at the amendments coming along. The theme of the debate was touched on by the noble Baroness, Lady Bennett, when she talked about these amendments, in essence, being about keeping humans in the loop and the need for them to be able to review decisions. Support for that came from the noble Baroness, Lady Kidron, who made some important points. The point the BMA made about risking eroding trust cut to what we have been talking about all afternoon: trust in these processes.
The noble Lord, Lord Clement-Jones, talked about this effectively being the watering down of Article 22A, and the need for some core ethical principles in AI use and for the Government to ensure a right to human review. Clause 14 reverses the presumption of that human reviewing process, other than where solely automated decision-making exists, where it will be more widely allowed, as the Minister argued.
However, I am not satisfied by the responses, and I do not think other Members of your Lordships’ Committee will be either. We need more safeguards. We have moved from one clear position to another, which can be described as watering down or shifting the goalposts; I do not mind which, but that is how it seems to me. Of course, we accept that there are huge opportunities for AI in the delivery of public services, particularly in healthcare and the operation of the welfare system, but we need to ensure that citizens in this country have a higher level of protection than the Bill currently affords them.
At one point I thought the Minister said that a solely automated decision was a rubber-stamped decision. To me, that gave the game away. I will have to read carefully what he said in Hansard¸ but that is how it sounded, and it really gets our alarm bells ringing. I am happy to withdraw my amendment, but we will come back to this subject from time to time and throughout our debates on the rest of the Bill.
My Lords, this group, in which we have Amendments 41, 44, 45, 49, 50, 98A and 104A and have cosigned Amendments 46 and 48, aims to further the protections that we discussed in the previous group. We are delighted that the noble Lord, Lord Clement-Jones, and others joined us in signing various of these amendments.
The first amendment, Amendment 41, is a straight prohibition of any data processing that would contravene the Equality Act 2010. All legislation should conform to the terms of the Equality Act, so I expect the Minister to confirm that he is happy to accept that amendment. If he is not, I think the Committee will want to understand better why that is the case.
Amendment 44 to new Article 22B of the UK GDPR is, as it says, designed,
“to prevent data subjects from becoming trapped in unfair agreements and being unable to exercise their data rights”,
because of the contract terms. One might envisage some sensitive areas where the exercise of these rights might come into play, but there is nothing that I could see, particularly in the Explanatory Notes, which seeks to argue that point. We have no knowledge of when this might occur, and I see no reason why the legislation should be changed to that effect. Special category data can be used for automated decision-making only if certain conditions are met. It involves high-risk processing and, in our view, requires explicit consent.
The amendments remove performance of a contract as one of the requirements that allows the processing of special category data for reaching significant decisions based on automated processing. It is difficult to envisage a situation where it would be acceptable to permit special category data to be processed in high-risk decisions on a purely automated basis, simply pursuant to a contract where there is no explicit consent.
Furthermore, relying on performance of a contract for processing special category data removes the possibility for data subjects to exercise their data rights, for example, the right to object and the ability to withdraw consent, and could trap individuals in unfair agreements. There is an implicit power imbalance between data subjects and data controllers when entering a contract, and people are often not given meaningful choices or options to negotiate the terms. It is usually a take-it-or-leave-it approach. Thus, removing the criteria for performance of a contract reduces the risks associated with ADM and creates a tighter framework for protection. This also aligns with the current wording of Article 9 of the UK GDPR.
Amendment 45 changes the second condition to include only decisions that are required or authorised by law, with appropriate safeguards, and that are necessary for reasons of substantial public interest. The safeguards are retained from Section 14 of the DPA 2018, with amendments to strengthen transparency provisions.
Amendment 49 seeks to ensure that the protections conferred by Article 22C of the UK GDPR would apply to decisions “solely or partly” based on ADM rather than just “solely”. This would help to maximise the protections that data subjects currently enjoy.
Amendment 50 is another strengthening measure, which would make sure that safeguards in the new Article 22C are alongside rather than instead of those contained in Articles 12 to 15.
Our Amendment 104A would insert a new Section into the 2018 Act, requiring data controllers who undertake high-risk processing in relation to work-related decisions or activities to carry out an additional algorithmic impact assessment and make reasonable mitigations in response to the outcome of that assessment.
I ought to have said earlier that Amendment 98A is a minor part of the consequential text.
An improved workplace-specific algorithmic impact assessment is the best way to remedy clear deficiencies in Clause 20 as drafted, and it signals Labour’s international leadership and alignment with international regulatory and AI ethics initiatives. These are moving towards the pre-emptive evaluation of significant social and workplace impacts by responsible actors, combined with a procedure for ongoing monitoring, which is not always possible. It also moves towards our commitment to algorithmic assurance and will help to ensure that UK businesses are not caught up in what is sometimes described as the “Brussels effect”.
I am not philosophically averse to such regulation. As to implementing it in the immediate future, however, I have my doubts about that possibility.
My Lords, this has been an interesting and challenging session. I hope that we have given the Minister and his team plenty to think about—I am sure we have. A lot of questions remain unanswered, and although the Committee Room is not full this afternoon, I am sure that colleagues reading the debate will be studying the responses that we have received very carefully.
I am grateful to the noble Baroness, Lady Kidron, for her persuasive support. I am also grateful to the noble Lord, Lord Clement-Jones, for his support for our amendments. It is a shame the noble Lord, Lord Holmes, was not here this afternoon, but I am sure we will hear persuasively from him on his amendment later in Committee.
The Minister is to be congratulated for his consistency. I think I heard the phrase “not needed” or “not necessary” pretty constantly this afternoon, but particularly with this group of amendments. He probably topped the lot with his response on the Equality Act on Amendment 41.
I want to go away with my colleagues to study the responses to the amendments very carefully. That being said, however, I am happy to withdraw Amendment 41 at this stage.
(8 months, 4 weeks ago)
Grand CommitteeMy Lords, I, too, support the amendments in the name of the noble Lord, Lord Clement-Jones. As this is the first time I have spoken during the passage of the Bill, I should also declare my interests, but it seems that all the organisations I am involved in process data, so I refer the Committee to all the organisations in my entry in the register of interests.
I want to tell a story about the challenges of distinguishing between personal data and pseudonymised data. I apologise for bringing everyone back to the world of Covid, but that was when I realised how possible it is to track down individuals without any of their personal data. Back in November or December 2020, when the first variant of Covid, the Kent variant, was spreading, one test that was positive for the Kent variant came with no personal details at all. The individual who had conducted that test had not filled in any of the information. I was running NHS Test and Trace and we had to try to find that individual, in a very public way. In the space of three days, with literally no personal information—no name, address or sense of where they lived—the team was able to find that human being. Through extraordinary ingenuity, it tracked them down based on the type of tube the test went into—the packaging that was used—and by narrowing down the geography of the number of postcodes where the person might have been ill and in need of help but also in need of identifying all their contacts.
I learned that it was possible to find that one human being, out of a population of 60 million, within three days and without any of their personal information. I tell this story because my noble friend Lord Kamall made such an important point that, at the heart of data legislation is the question of how you build trust in the population. We have to build on firm foundations if the population are to trust that there are reasons why sharing data is hugely valuable societally. To have a data Bill that does not have firm foundations in absolutely and concretely defining personal data is quite a fatal flaw.
Personal data being subjective, as the noble Lord, Lord Clement-Jones, so eloquently set out, immediately starts citizens on a journey of distrusting this world. There is so much in this world that is hard to trust, and I feel strongly that we have to begin with some very firm foundations. They will not be perfect, but we need to go back to a solid definition of “personal data”, which is why I wholeheartedly support the noble Lord’s amendments.
My Lords, I hesitate to make a Second Reading speech, and I know that the noble Lord, Lord Clement-Jones, cannot resist rehearsing these points. However, it is important, at the outset of Committee, to reflect on the Bill in its generality, and the noble Lord did a very good job of precisely that. This is fundamental.
The problem for us with the Bill is not just that it is a collection of subjects—of ideas about how data should be handled, managed and developed—but that it is flawed from the outset. It is a hotchpotch of things that do not really hang together. Several of us have chuntered away in the margins and suggested that it would have been better if the Bill had fallen and there had been a general election—not that the Minister can comment on that. But it would be better, in a way. We need to go back to square one, and many in the Committee are of a like mind.
The noble Baroness, Lady Harding, made a good point about data management, data control and so on. Her example was interesting, because this is about building trust, having confidence in data systems and managing data in the future. Her example was very good, as was that of the noble Lord, Lord Davies, who raised a challenge about how the anonymisation, or pseudonymisation, of data will work and how effective it will be.
We have two amendments in this group. Taken together, they are designed to probe exactly what the practical impacts will be of the proposed changes to Section 3 of the 2018 Act and the insertion of new Section 3A. Amendment 4 calls for the Secretary of State to publish an assessment of the changes within two months of the Bill passing, while Amendment 301 would ensure that the commencement of Clause 1 takes place no earlier than that two-month period. Noble Lords might think this is unduly cautious, but, given our wider concerns about the Bill and its departure from the previously well-understood—
My Lords, a Division having been called, we will adjourn for 10 minutes and resume at 4.48 pm.
As I was saying, it is important for the framework on data protection that we take a precautionary approach. I hope that the Minister will this afternoon be able to provide a plain English explanation of the changes, as well as giving us an assurance that those changes to definitions do not result in watering down the current legislation.
We broadly support Amendments 1 and 5 and the clause stand part notice, in the sense that they provide additional probing of the Government’s intentions in this area. We can see that the noble Lord, Lord Clement-Jones, is trying with Amendment 1 to bring some much-needed clarity to the anonymisation issue and, with Amendment 5, to secure that data remains personal data in any event. I suspect that the Minister will tell us this afternoon that that is already the case, but a significant number of commentators have questioned this, since the definition of “personal data” is seemingly moving away from the EU GDPR standard towards a definition that is more subjective from the perspective of the controller, processor or recipient. We must be confident that the new definition does not narrow the circumstances in which the information is protected as personal data. That will be an important standard for this Committee to understand.
Amendment 288, tabled by the noble Lord, Lord Clement- Jones, seeks a review and an impact assessment of the anonymisation and identifiability of data subjects. Examining that in the light of the EU GDPR seems to us to be a useful and novel way of making a judgment over which regime better suits and serves data subjects.
We will listen with interest to the Minister’s response. We want to be more than reassured that the previous high standards and fundamental principles of data protection will not be undermined and compromised.
I thank all noble Lords who have spoken in this brief, interrupted but none the less interesting opening debate. I will speak to the amendments tabled by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones; I note that I plan to that form of words quite a lot in the next eight sessions on this Bill. I thank them for tabling these amendments so that we can debate what are, in the Government’s view, the significant benefits of Clause 1.
In response to the points from the noble Lord, Lord Clement-Jones, on the appetite for the reforms in the Bill, we take very seriously the criticisms of the parties that he mentioned—the civil society groups—but it is important to note that, when the Government consulted on these reforms, we received almost 3,000 responses. At that time, we proposed to clarify when data would be regarded as anonymous and proposed legislating to confirm that the test for whether anonymous data can be reidentified is relative to the means available to the controller to reidentify the data. The majority of respondents agreed that greater clarity in legislation would indeed be beneficial.
As noble Lords will know, the UK’s data protection legislation applies only to personal data, which is data relating to an identified or identifiable living individual. It does not apply to non-personal, anonymous data. This is important because, if organisations can be sure that the data they are handling is anonymous, they may be able to more confidently put it to good use in important activities such as research and product development. The current data protection legislation is already clear that a person can be identified in a number of ways by reference to details such as names, identification numbers, location data and online identifiers, or via information about a person’s physical, genetic, mental, economic or cultural characteristics. The Bill does not change the existing legislation in this respect.
With regard to genetic information, which was raised by my noble friend Lord Kamall and the noble Lord, Lord Davies, any information that includes enough genetic markers to be unique to an individual is personal data and special category genetic data, even if names and other identifiers have been removed. This means that it is subject to the additional protections set out in Article 9 of the UK GDPR. The Bill does not change this position.
However, the existing legislation is unclear about the specific factors that a data controller must consider when assessing whether any of this information relates to an identifiable living person. This uncertainty is leading to inconsistent application of anonymisation and to anonymous data being treated as personal data out of an abundance of caution. This, in turn, reduces the opportunities for anonymous data to be used effectively for projects in the public interest. It is this difficulty that Clause 1 seeks to address by providing a comprehensive statutory test on identifiability. The test will require data controllers and processors to consider the likelihood of people within or outside their organisations reidentifying individuals using reasonable means. It is drawn from recital 26 of the EU GDPR and should therefore not be completely unfamiliar to most organisations.
I turn now to the specific amendments that have been tabled in relation to this clause. Amendment 1 in the name of the noble Lord, Lord Clement-Jones, would reiterate the position currently set out in the UK GDPR and its recitals: where individuals can be identified without the use of additional information because data controllers fail to put in place appropriate organisational measures, such as technical or contractual safeguards prohibiting reidentification, they would be considered directly identifiable. Technical and organisational measures put in place by organisations are factors that should be considered alongside others under new Section 3A of the Data Protection Act when assessing whether an individual is identifiable from the data being processed. Clause 1 sets out the threshold at which data—and, therefore, personal data—is identifiable and clarifies when data is anonymous.
On the technical capabilities of a respective data controller, these are already relevant factors under current law and ICO guidance in determining whether data is personal. This means that the test of identifiability is already a relative one today in respect of the data controller, the data concerned and the purpose of the processing. However, the intention of the data controller is not a relevant factor under current law, and nor does Clause 1 make it a factor. Clause 1 merely clarifies the position under existing law and follows very closely the wording of recital 26. Let me state this clearly: nothing in Clause 1 introduces the subjective intention of the data controller as a relevant factor in determining identifiability, and the position will remain the same as under the current law and as set out in ICO guidance.
In response to the points made by the noble Lord, Lord Clement-Jones, and others on pseudonymised personal data, noble Lords may be aware that the definition of personal data in Article 4(1) of the UK GDPR, when read in conjunction with the definition of pseudonymisation in Article 4(5), makes it clear that pseudonymised data is personal data, not anonymous data, and is thus covered by the UK’s data protection regime. I hope noble Lords are reassured by that. I also hope that, for the time being, the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment and not press the related Amendment 5, which seeks to make it clear that pseudonymised data is personal data.
Amendment 4 would require the Secretary of State to assess the difference in meaning and scope between the current statutory definition of personal data and the new statutory definition that the Bill will introduce two months after its passing. Similarly, Amendment 288 seeks to review the impact of Clause 1 six months after the enactment of the Bill. The Government feel that neither of these amendments is necessary as the clause is drawn from recital 26 of the EU GDPR and case law and, as I have already set out, is not seeking to substantially change the definition of personal data. Rather, it is seeking to provide clarity in legislation.
I follow the argument, but what we are suggesting in our amendment is some sort of impact assessment for the scheme, including how it currently operates and how the Government wish it to operate under the new legislation. Have the Government undertaken a desktop exercise or any sort of review of how the two pieces of legislation might operate? Has any assessment of that been made? If they have done so, what have they found?
Obviously, the Bill has been in preparation for some time. I completely understand the point, which is about how we can be so confident in these claims. I suggest that I work with the Bill team to get an answer to that question and write to Members of the Committee, because it is a perfectly fair question to ask what makes us so sure.
In the future tense, I can assure noble Lords that the Department for Science, Innovation and Technology will monitor and evaluate the impact of this Bill as a whole in the years to come, in line with cross-government evaluation guidance and through continued engagement with stakeholders.
The Government feel that the first limb of Amendment 5 is not necessary given that, as has been noted, pseudonymised data is already considered personal data under this Bill. In relation to the second limb of the amendment, if the data being processed is actually personal data, the ICO already has powers to require organisations to address non-compliance. These include requiring it to apply appropriate protections to personal data that it is processing, and are backed up by robust enforcement mechanisms.
That said, it would not be appropriate for the processing of data that was correctly assessed as anonymous at the time of processing to retrospectively be treated as processing of personal data and subject to data protection laws, simply because it became personal data at a later point in the processing due to a change in circumstances. That would make it extremely difficult for any organisation to treat any dataset as anonymous and would undermine the aim of the clause, significantly reducing the potential to use anonymous data for important research and development activities.
My Lords, I keep getting flashbacks. This one is to the Data Protection Act 2018, although I think it was 2017 when we debated it. It is one of the huge achievements of the noble Baroness, Lady Kidron, to have introduced, and persuaded the Government to introduce, the age-appropriate design code into the Act, and—as she and the noble Baroness, Lady Harding, described—to see it spread around the world and become the gold standard. It is hardly surprising that she is so passionate about wanting to make sure that the Bill does not water down the data rights of children.
I think the most powerful amendment in this group is Amendment 290. For me, it absolutely bottles what we need to do in making sure that nothing in the Bill waters down children’s rights. If I were to choose one of the noble Baroness’s amendments in this group, it would be that one: it would absolutely give the assurance and scotch the point about legal uncertainty created by the Bill.
Both noble Baronesses asked: if the Government are not watering down the Bill, why can they not say that they are not? Why can they not, in a sense, repeat the words of Paul Scully when he was debating the Bill? He said:
“We are committed to protecting children and young people online. The Bill maintains the high standards of data protection that our citizens expect and organisations will still have to abide by our age-appropriate design code”.
He uses “our”, so he is taking full ownership of it. He went on:
“Any breach of our data protection laws will result in enforcement action by the Information Commissioner’s Office”.—[Official Report, Commons, 17/4/23; col. 101.]
I would love that enshrined in the Bill. It would give us a huge amount of assurance.
My Lords, we on the Labour Benches have become co-signatories to the amendments tabled by the noble Baroness, Lady Kidron, and supported by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Harding. The noble Baroness set out very clearly and expertly the overarching purpose of retaining the level of protection currently afforded by the Data Protection Act 2018. Amendments 2 and 3 specifically stipulate that, where data controllers know, or should reasonably know, that a user is a child, they should be given the data protection codified in that Act. Amendment 9 takes it a stage further and includes children’s data in the definition of sensitive personal data, and gives it the benefit of being treated to a heightened level of protection—quite rightly, too. Finally, Amendment 290—the favourite of the noble Lord, Lord Clement-Jones—attempts to hold Ministers to the commitment made by Paul Scully in the Commons to maintain existing standards of data protection carried over from that 2018 Act.
Why is all this necessary? I suspect that the Minister will argue that it is not needed because Clause 5 already provides for the Secretary of State to consider the impact of any changes to the rights and freedoms of individuals and, in particular, of children, who require special protection.
We disagree with that argument. In the interests of brevity and the spirit of the recent Procedure Committee report, which says that we should not repeat each other’s arguments, I do not intend to speak at length, but we have a principal concern: to try to understand why the Government want to depart from the standards of protection set out in the age-appropriate design code—the international gold standard—which they so enthusiastically signed up to just five or six years ago. Given the rising levels of parental concern over harmful online content and well-known cases highlighting the harms that can flow from unregulated material, why do the Government consider it safe to water down the regulatory standards at this precise moment in time? The noble Baroness, Lady Kidron, valuably highlighted the impact of the current regulatory framework on companies’ behaviour. That is exactly what legislation is designed to do: to change how we look at things and how we work. Why change that? As she has argued very persuasively, it is and has been hugely transformative. Why throw away that benefit now?
My attention was drawn to one example of what can happen by a briefing note from the 5Rights Foundation. As it argued, children are uniquely vulnerable to harm and risk online. I thought its set of statistics was really interesting. By the age of 13, 72 million data points have already been collected about children. They are often not used in children’s best interests; for example, the data is often used to feed recommender systems and algorithms designed to keep attention at all costs and have been found to push harmful content at children.
When this happens repeatedly over time, it can have catastrophic consequences, as we know. The coroner in the Molly Russell inquest found that she had been recommended a stream of depressive content by algorithms, leading the coroner to rule that she
“died from an act of self-harm whilst suffering from depression and the negative effects of online content”.
We do not want more Molly Russell cases. Progress has already been made in this field; we should consider dispensing with it at our peril. Can the Minister explain today the thinking and logic behind the changes that the Government have brought forward? Can he estimate the impact that the new lighter-touch regime, as we see it, will have on child protection? Have the Government consulted extensively with those in the sector who are properly concerned about child protection issues, and what sort of responses have the Government received?
Finally, why have the Government decided to take a risk with the sound framework that was already in place and built on during the course of the Online Safety Act? We need to hear very clearly from the Minister how they intend to engage with groups that are concerned about these child protection issues, given the apparent loosening of the current framework. The noble Baroness, Lady Harding, said that this is hard-fought ground; we intend to continue making it so because these protections are of great value to our society.
I am grateful to the noble Baroness, Lady Kidron, for her Amendments 2, 3, 9 and 290 and to all noble Lords who have spoken, as ever, so clearly on these points.
All these amendments seek to add protections for children to various provisions in the Bill. I absolutely recognise the intent behind them; indeed, let me take this opportunity to say that the Government take child safety deeply seriously and agree with the noble Baroness that all organisations must take great care, both when making decisions about the use of children’s data and throughout the duration of their processing activities. That said, I respectfully submit that these amendments are not necessary for three main reasons; I will talk in more general terms before I come to the specifics of the amendments.
First, the Bill maintains a high standard of data protection for everybody in the UK, including—of course—children. The Government are not removing any of the existing data protection principles in relation to lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, data security or accountability; nor are they removing the provisions in the UK GDPR that require organisations to build privacy into the design and development of new processing activities.
The existing legislation acknowledges that children require specific protection for their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data. Organisations will need to make sure that they continue to comply with the data protection principles on children’s data and follow the ICO’s guidance on children and the UK GDPR, following the changes we make in the Bill. Organisations that provide internet services likely to be accessed by children will need to continue to comply with their transparency and fairness obligations and the ICO’s age-appropriate design code. The Government welcome the AADC, as Minister Scully said, and remain fully committed to the high standards of protection that it sets out for children.
Secondly, some of the provisions in the Bill have been designed specifically with the rights and safety of children in mind. For example, one reason that the Government introduced the new lawful ground of recognised legitimate interest in Clause 5, which we will debate later, was that some consultation respondents said that the current legislation can deter organisations, particularly in the voluntary sector, from sharing information that might help to prevent crime or protect children from harm. The same goes for the list of exemptions to the purpose limitation principle introduced by Clause 6.
There could be many instances where personal data collected for one purpose may have to be reused to protect children from crime or safeguarding risks. The Bill will provide greater clarity around this and has been welcomed by stakeholders, including in the voluntary sector.
While some provisions in the Bill do not specifically mention children or children’s rights, data controllers will still need to carefully consider the impact of their processing activities on children. For example, the new obligations on risk assessments, record keeping and the designation of senior responsible individuals will apply whenever an organisation’s processing activities are likely to result in high risks to people, including children.
Thirdly, the changes we are making in the Bill must be viewed in a wider context. Taken together, the UK GDPR, the Data Protection Act 2018 and the Online Safety Act 2023 provide a comprehensive legal framework for keeping children safe online. Although the data protection legislation and the age-appropriate design code make it clear how personal data can be processed, the Online Safety Act makes clear that companies must take steps to make their platforms safe by design. It requires social media companies to protect children from illegal, harmful and age-inappropriate content, to ensure they are more transparent about the risks and dangers posed to children on their sites, and to provide parents and children with clear and accessible ways to report problems online when they do arise.
After those general remarks, I turn to the specific amendments. The noble Baroness’s Amendments 2 and 3 would amend Clause 1 of the Bill, which relates to the test for assessing whether data is personal or anonymous. Her explanatory statement suggests that these amendments are aimed at placing a duty on organisations to determine whether the data they are processing relates to children, thereby creating a system of age verification. However, requiring data controllers to carry out widespread age verification of data subjects could create its own data protection and privacy risks, as it would require them to retain additional personal information such as dates of birth.
The test we have set out for reidentification is intended to apply to adults and children alike. If any person is likely to be identified from the data using reasonable means, the data protection legislation will apply. Introducing one test for adults and one for children is unlikely to be workable in practice and fundamentally undermines the clarity that this clause seeks to bring to organisations. Whether a person is identifiable will depend on a number of objective factors, such as the resources and technology available to organisations, regardless of whether they are an adult or a child. Creating wholly separate tests for adults and children, as set out in the amendment, would add unnecessary complexity to the clause and potentially lead to confusion.
As I understand it, the basis on which we currently operate is that children get a heightened level of protection. Is the Minister saying that that is now unnecessary and is captured by the way in which the legislation has been reframed?
I am saying, specifically on Clause 1, that separating the identifiability of children and the identifiability of adults would be detrimental to both but particularly, in this instance, to children.
Amendment 9 would ensure that children’s data is included in the definition of special category data and is subject to the heightened protections afforded to this category of data by Article 9 of the UK GDPR. This could have unintended consequences, because the legal position would be that processing of children’s data would be banned unless specifically permitted. This could create the need for considerable additional legislation to exempt routine and important processing from the ban; for example, banning a Girl Guides group from keeping a list of members unless specifically exempted would be disproportionate. However, more sensitive data such as records relating to children’s health or safeguarding concerns would already be subject to heightened protections in the UK GDPR, as soon as the latter type of data is processed.
I am grateful to the noble Baroness, Lady Kidron, for raising these issues and for the chance to set out why the Government feel that children’s protection is at least maintained, if not enhanced. I hope my answers have, for the time being, persuaded her of the Government’s view that the Bill does not reduce standards of protection for children’s data. On that basis, I ask her also not to move her Amendment 290 on the grounds that a further overarching statement on this is unnecessary and may cause confusion when interpreting the legislation. For all the reasons stated above, I hope that she will now reconsider whether her amendments in this group are necessary and agree not to press them.
Can I press the Minister more on Amendment 290 from the noble Baroness, Lady Kidron? All it does is seek to maintain the existing standards of data protection for children, as carried over from the 2018 Act. If that is all it does, what is the problem with that proposed new clause? In its current formulation, does it not put the intention of the legislation in a place of certainty? I do not quite get why it would be damaging.
I believe it restates what the Government feel is clearly implied or stated throughout the Bill: that children’s safety is paramount. Therefore, putting it there is either duplicative or confusing; it reduces the clarity of the Bill. In no way is this to say that children are not protected—far from it. The Government feel it would diminish the clarity and overall cohesiveness of the Bill to include it.
In answer to both questions, what I am saying is that, first, any risk of misinterpreting the Bill with respect to children’s safety is diminished, rather than increased, by the Bill. Overall, it is the Government’s belief and intention that the Bill in no way diminishes the safety or privacy of children online. Needless to say, if over the course of our deliberations the Committee identifies areas of the Bill where that is not the case, we will absolutely be open to listening on that, but let me state this clearly: the intent is to at least maintain, if not enhance, the safety and privacy of children and their data.
My Lords, that creates another question, does it not? If that is the case, why amend the original wording from the 2018 Act?
Sorry, the 2018 Act? Or is the noble Lord referring to the amendments?
Why change the wording that provides the protection that is there currently?
I assume the noble Lord is referring to Amendment 290.
Okay. The Government feel that, in terms of the efficient and effective drafting of the Bill, that paragraph diminishes the clarity by being duplicative rather than adding to it by making a declaration. For the same reason, we have chosen not to make a series of declarations about other intentions of the Bill overall in the belief that the Bill’s intent and outcome are protected without such a statement.
(10 months ago)
Lords ChamberInformation on NSOIT is posted on GOV.UK, and I am happy to share that location with the noble Lord. I can confirm not only that it is not the role of NSOIT or the CDU to go after any individuals, regardless of their political belief, but that it never has been. NSOIT looks for large-scale attempts to pollute the information environment, generally as a result of threats from foreign states. I am happy to say in front of the House that the idea that its purpose is also to go after, in some ways, those who disagree politically with the Government is categorically false.
My Lords, the issue is much more complex than that. I am concerned that the unit to which the Minister referred seems to be concerned only about security issues now. In December, I asked the Minister about the rise of political deepfakes, which often originate from overseas and have the potential to undermine trust in political leaders and our wider democratic processes. With the Data Protection and Digital Information Bill currently before the House already containing measures on what the Government call “democratic engagement”, can I tempt the Minister to bring forward new anti-deepfake provisions to help preserve the integrity of our upcoming general election—and not just our election in a year of big elections?
Indeed. It is worth reminding the House that close to 2 billion people will go to the polls over this calendar year. A great many of those elections in which they participate will come under attack from malign foreign influences. Therefore, we have implemented the Defending Democracy Taskforce, chaired by the Security Minister, which set up a new unit last year specifically dedicated to safeguarding our coming election, whenever it may be. It continues to engage with various committees of Parliament and with the Electoral Commission. We will look carefully at any proposals on deepfake provisions in the DPDI Bill. Deepfakes are already illegal today if they violate either the foreign interference offence or the false communications offence.
(10 months ago)
Lords ChamberAs regards the overall regulation of AI, I hope that noble Lords have had a chance to peruse the Government’s response to the AI White Paper consultation. It makes the argument very clearly that there will come a time when it is right to legislate to create binding rules on all creators of AI. When that time comes, due to the policies that we are putting in place, we will have an agreed risk register informing us. We will have set up monitoring and evaluation techniques, again gathering evidence. We will have working relationships with the AI labs, defined procedures for the creation of AI, and regulators trained to regulate AI within their own sectors. That means that, when we do regulate AI, it will be done in a targeted and sophisticated way, on the basis of evidence.
My Lords, the Government have been far too complacent on this issue. During the passage of the then Online Safety Bill, we warned a number of times that, given that this is a fast-moving technology, as the Minister says, the Government needed to get ahead of the game. Given the proliferation of these ghastly images and the appalling impact this has on people’s lives, does the Minister now agree that neither the emergence of these apps nor their misuse is surprising? If that is the case, why did the Government not broaden the scope of their amendments when they had the opportunity to do so? Will the Minister now look for ways in which we can plug the gaps that are clearly emerging?
As the noble Lord said, it is a fast-moving space, and that requires an adaptive, agile response in legislating for it. That is the approach that we are taking. As to the argument that we can now see that it is not working, I am not sure that that is the case. The intimate image abuse offences commenced on 31 January—two weeks ago. I am pleased to see that, yesterday, we had our first cyberflashing conviction under those provisions. Using an evidence base, looking forward, we will have to consider carefully what is working before we go ahead and implement further bans.
(10 months, 3 weeks ago)
Grand CommitteeMy Lords, this has been a really interesting and helpful debate, with a number of noble Lords answering other noble Lords’ questions, which is always pretty useful when you are summing up at the end. One thing absolutely ties every speaker together: agreement with the letter to the Prime Minister from the noble Baroness, Lady Stowell, on behalf of her committee, about the need to retain the JR principle throughout the Bill. That is what we are striving to do.
It was extremely interesting to hear what the noble Lord, Lord Lansley, had to say. He answered the second half of the speech by the noble Lord, Lord Tyrie. I did not agree with the first half but the second was pretty good. The “whiff” that the noble Lord, Lord Tyrie, talked about was answered extremely well by the noble Lord, Lord Lansley. It was a direct hit.
The interesting aspect of all this is that the new better regulation framework that I heard the noble Lord, Lord Johnson, extolling from the heights in the Cholmondeley Room this afternoon includes a number of regulatory principles, including proportionality, but why not throw the whole kitchen sink at the Bill? Why is there proportionality in this respect? It was also really interesting to hear from the noble Lord, Lord Faulks, who unpacked very effectively the use of the proportionality principle. It looks as though there is an attempt to expand the way the principle is prayed in aid during a JR case. That seems fairly fundamental.
I hope that the Minister can give us assurance. We have a pincer movement here: there are a number of different ways of dealing with this, in amendments from the noble Lords, Lord Holmes and Lord Faulks, and the noble Baroness, Lady Stowell, but we are all aiming for the same end result. However we get there, we are all pretty determined to make sure that the word “proportionate” does not appear in the wrong place. In all the outside briefings we have had, from the Open Markets Institute, Foxglove and Which?, the language is all about unintended consequences and widening the scope of big tech firms to challenge. What the noble Lord, Lord Vaizey, had to say about stray words was pretty instructive. We do not want language in here which opens up these doors to further litigation. The debate on penalties is coming, but let us hold fast on this part of the Bill as much as we possibly can.
My Lords, I thank the noble Lord, Lord Faulks, for his neat and precise analysis of the position in which we find ourselves in the discussion on this group of amendments. This debate is a prequel to that which will follow on penalties, and we should see it in that light; the two things are very much connected, as the noble Lord, Lord Clement-Jones, made clear. Like him, I completely agreed with the noble Lord, Lord Vaizey, when he warned about using stray words. Proportionality is probably one of the most contested terms in law, and in all the 25 years or so that I have been in this House, I must have heard it in all the legal debates we have come across.
These are the first amendments seeking to restore some of the Bill’s original wording, which, as we have heard, was changed late in the day in the Commons. We are yet to receive a full explanation from the Minister of the reasons for that. The noble Lord, Lord Faulks, asked why, and we on these Benches pose the same question. Were Ministers lobbied into this and, if so, why? We support Amendments 16 and 53 in the name of the noble Lord, Lord Faulks, which, as he outlined, seek to restore the original wording of the Bill, taking out the word “proportionate”, removing proportionality as the determining factor behind a CMA pro-competition intervention and reinserting the word “appropriate”.
We have two, possibly three, sets of solutions to the problem that the Government have set. However, we also have added our names to Amendments 17 and 54, in the names of the noble Baronesses, Lady Stowell and Lady Harding, and the noble Lord, Lord Clement-Jones, with the intent of ensuring that clarifying that the condition for conduct requirements imposed by the CMA to be proportionate does not create that novel legal standard for appeals of decisions and the confusion that will flow from that. In our view, as the noble Baroness, Lady Harding, says, the original wording strikes the right balance, roughly speaking, whereas the Government’s version would weaken the intent of this part of the Bill.
The formulation of the noble Baroness, Lady Stowell, relies on prevailing public law standards—in other words, standards that are commonly understood. We take the view that we all need to know what rules we are working to, and if the Bill introduces or creates a new standard then that certainty is removed. Of course, when it comes to the issue of pre-emption, we will need to resolve the best way forward on this issue at the next stage of the Bill. For my part, I think that reversion might be the best route, but no doubt by negotiating round the Committee we can come up with a workable solution.
The amendments of the noble Lord, Lord Holmes, particularly Amendments 220 and 222, offer another way through it. However, on the face of it, for us they are useful in the context of reminding our Committee that guidance will need to be produced on the operation of this regime as it covers financial penalties and the countervailing benefits exemptions.
We have heard a lot about the new regime being flexible and participatory as a framework for regulation, and we agree with that principle. However, we think that, with this particular change, the Government strike at the heart of that and bring in a measure of uncertainty that is unwise, frankly, in this particular process. The intervention of the noble Lord, Lord Lansley, was very telling. What he told the Committee was extremely important and we should listen very carefully to what was said in that exchange of correspondence. He rather shot the Government’s fox.
In conclusion, the Minister has a bit of a difficult job on his hands here. He may feel the weight of the Committee against him. I rather hope that he can offer us a measure of reassurance and perhaps help us come to a point where the whole Committee can agree a sensible reversion or an amendment that makes the Bill as workable as it seemed when it was first drafted.
I thank the noble Lord, Lord Faulks, for raising the topic of proportionality in the digital markets regime and for doing so with such a clear and compelling analysis, which I think all of us, myself included, found deeply helpful. This is of course the requirement for the CMA to impose conduct requirements and pro-competition interventions on firms only where it is proportionate to do so.
First, I reassure my noble friend Lady Harding that this change is not about introducing a new standard or meaning of proportionality but about clarifying the scope of decisions that it applies to.
Amendments 16 and 53 from the noble Lord, Lord Faulks, seek to remove the explicit statutory requirement for PCIs and conduct requirements to be proportionate. Under these amendments, SMS firms would still be able to argue that their rights to peaceful enjoyment of property under Article 1 of the first protocol of the ECHR, or A1P1, were engaged in most cases, allowing them to appeal on the basis of proportionality. I refer noble Lords to the ECHR memorandum published by the department, which explains how the regime intersects with human rights and how this relates to property rights. A1P1 protects possessions, which can include enforceable rights such as contracts, and so regulating SMS firms under the regime would commonly affect possessions, and therefore engage A1P1.
The Government have always been clear that the CMA will need to act proportionately and comply with ECHR requirements, and that imposing obligations on SMS firms will very often engage the firm’s rights under A1P1. However, having a statutory requirement for proportionality in the Bill reinforces the Government’s expectations for how the CMA should design conduct requirements and PCIs, to place as little burden as possible on firms while still effectively addressing competition issues. This should be the case even when A1P1 property rights are not engaged, which this requirement provides for.
In particular, it is worth highlighting that A1P1 rights on their own would not amount to grounds to challenge interventions that impact a firm’s future contracts. It is right that these interventions should be proportionate. I understand the concern from many noble Lords about any extension to the grounds for appeal in the regime, but we are giving extensive new powers to the CMA to regulate digital markets.
My Lords, this is not just to prevent the Minister getting up again; it is relevant to both points that have just been made. A number of noble Lords asked whether this huge volte-face by the Government between the publication of the Bill and the amendments made very late in the other place came about as a result of pressure from the platforms. Could he tell us whether the platforms lobbied for this change and whether he discussed it with them?
My Lords, if I might help the Minister, this legislation has been knocking around for some time now, so what was it that provided that blinding flash of official or ministerial inspiration to bring this amendment about “proportionate” so late in the day in the other place that it was tabled right at the end of the Commons process? What was it that was so compelling as to make that dramatic change?
If noble Lords will forgive me; that was a large variety or questions. First, I can confirm right away that I have not received any lobbying from any big tech firms on this topic—none; zero. Secondly, as with any Bill, this was part of an ongoing pattern of constantly looking for means of improving the Bill, to maximise its clarity and effectiveness. I recognise the concern voiced by the Committee about this. I am very happy to set out in detail all the arguments I have attempted to make. I hope that will go some way further towards satisfying the Committee.
My Lords, I associate myself with the remarks just made by the noble Lord, Lord Tyrie, about recognising how important it is that we embolden the CMA to tackle these merger issues. I do not have anything like the expertise in detailed drafting that my noble friend Lord Lansley has just demonstrated, but I encourage the Government to listen carefully to his advice and review the drafting. We should see if we cannot come together with a solution on Report that achieves what I think we are all trying to achieve here.
I would also like to briefly correct the record. On Monday, as the noble Lord, Lord Vaux, said, I said that all the companies had appealed their designation of the DMA. Much to my amusement, Google was very swift to email me on Tuesday morning to tell me no, it was very keen to collaborate, so I would hate that to become a considered fact of this Committee—I owe Google that.
I support the amendment by the noble Lord, Lord Vaux, but I point out to the Committee that it is actually a very small amendment. The CMA told us in one of its briefings last week that it could undertake only two SMS investigations at any one time. We should recognise that it is a very minor amendment meaning that, while the CMA is investigating two entities, those two entities will be required to report. We should accept that that is a very small improvement that we should encourage the Government to accept.
My Lords, I am sure the Committee will be relieved to know that we do not have a great deal to say on this, except that we see merit in the amendments from both the noble Lords, Lord Vaux and Lord Lansley.
I thought the noble Lord, Lord Vaux, made a very good point: this is very simple. It is about providing and encouraging greater transparency in the merger process. It is straightforward in ensuring that all parties are aware of the status of the undertaking involved, and it brings clarity where the SMS is concerned.
It has to be regretted that companies might want to use mergers and acquisitions as a way of delaying SMS designation. As the noble Baroness, Lady Harding, has just said, there are delays enough in the process as it is. If the CMA is going to be able to do only two of these a year, there is hardly much reason to encourage more, greater and longer delays in the process.
The noble Lord, Lord Vaux, argued that designations could take until 2025 and delays will occur. With the sheer volume of acquisitions taking place, if companies are going to use that as a means of gaming the system then that cannot be right. It cannot be in consumers’ interests either.
I turn to the elegant amendment by the noble Lord, Lord Lansley. It seeks to ensure, where a designated undertaking is involved, that there is an assessment of the impact on consumers. The Minister has argued from the Dispatch Box that the legislation is designed by the Government to place the interests of consumers at the very front of this piece of working legislation. So, if a merger is likely to lead to a loss of benefit to consumers, it must therefore be right that market intelligence is shared, and we assume from our perspective on the Labour Benches that that must be a public good to be supported.