Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Monday 30th October 2017

Lords Chamber
Lord Stevenson of Balmacara (Lab)

My Lords, in moving Amendment 5, I will also speak to Amendment 6. Both are in my name. I will respond later to Amendment 115, which is in the same group but was tabled by other noble Lords. Amendments 5 and 6 are probing amendments to try to tease out what appears to be a change of definition between various parts of the Act.

Amendment 5 relates to page 3 and Clause 3(1), (2) and (3) in Chapter 1, which raise concerns about what exactly is happening with the arrangements. It is easier if I read out the two subsections concerned. Clause 3(2) states that:

“Chapter 2 of this Part … applies to the types of processing of personal data to which the GDPR applies by virtue of Article 2 of the GDPR”.


That is the question I want to peruse, because later in the Bill, on page 11, Clause 19(1)(a) refers to activities which operate. This amendment is a probing one to try to tease out an answer that we can read in Hansard so as to know what exactly we are talking about. It may appear to be a narrow difference or nitpicking, but “an activity” is a very broad term for anything in relation to data processing and contrasts with the narrow way in which Clause 3(2)(a) talks about “types of processing”. Are these the same? If they are not, what differentiates the two? If they are different, why have we got different parts in different areas of the Bill?

Amendment 6 relates to page 3, line 31. This question of definition has come up in relation to Chapter 3 of the part. I understand this to be more of a recital, if I may use that word, than a particular piece of statute and it may not have normative effect, if that is the correct terminology. Clause 3(3)(b) says that the part to which this applies,

“makes provision for a regime broadly equivalent to the GDPR to apply to such processing”.

What is “broadly” in this context? Maybe I am obsessed with the use of English words that have common meanings, but again it would be helpful to have a bit more information on the definition from the Minister when he responds.

Perhaps more than the “quite” used in response to an earlier amendment, this has not got transatlantic resonances, but it is important in questions of adequacy in any agreement we might seek with the EU in the future. “Broadly equivalent” carries echoes of an adequacy agreement, which would assert that the arrangements in the two countries concerned—the EU on the one hand and the third country on the other—were sufficiently equivalent to allow for future reliance on the processes in the third country to be treated as appropriate for the transfer of data into and from, in relation to future industrial processes.

We are aware that an element of legal decision-making arises, which might change that “broadly equivalent” to a higher bar of requirement in the sense that the court is beginning to think in terms of “essentially equivalent”, which is very different from “broadly equivalent”. Again, I would be grateful if the Minister could respond to that. I beg to move.

Lord Clement-Jones (LD)

I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.

Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.

Recital 80 of the GDPR explains the role of the representative:

“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.


Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?

Baroness Hamwee (LD)

My Lords, I am glad that the noble Lord, Lord Stevenson, has raised the question of the meaning of “broadly equivalent”. It encapsulates a difficulty I have found throughout the Bill: the language of the GDPR and of the law enforcement directive is more narrative and descriptive than language to which we are accustomed in UK legislation. Though one might say we should just apply a bit of common sense, that is not always the first thing to apply in interpreting UK legislation.

In this clause, there is another issue apart from the fact that “broadly equivalent” gives a lot of scope for variation. Although Clause 3 is an introduction to the part, if there are problems of interpretation later in Part 2, one might be tempted to go back to Clause 3 to find out what the part is about and be further misled or confused.

--- Later in debate ---
We have been clear, as I mentioned with the previous group of amendments, that the future free flow of data is the number one priority in respect of our data protection policy and will ensure that we maintain the international high standards in this respect. I hope my clarification is sufficient and that the noble Lord will withdraw the amendment.
Lord Clement-Jones

My Lords, I thank the Minister for that interesting exposition, which ranged from now into the future. He has given a vision of the post-Brexit shape of our data protection legislation. Extraterritoriality will apply even though the language used may be that of the applied GDPR as opposed to the GDPR itself—just to be confusing, perhaps as much as the Minister confused us.

I want to be absolutely clear that we are not derogating from the GDPR in extraterritoriality. That seems to be the nub of it. The Bill makes changes to the applied GDPR—I would like to read in Hansard exactly what the Minister said about the applied GDPR because I did not quite get the full logic of it—but there is no derogation in the GDPR on extraterritoriality. It would be helpful if he could be absolutely clear on that point.

Lord Stevenson of Balmacara

Perhaps the Minister will respond to that because I, too, am troubled about the same point. If I am right, and I will read Hansard to make sure I am not misreading or mishearing what was said, the situation until such time as we leave through Brexit is covered by the GDPR. The extraterritorial—I cannot say it but you know what I am going to say—is still in place. Therefore, as suggested by the noble Lord, Lord Clement-Jones, a company operating out of a foreign country which was selling goods and services within the UK would have to have a representative, and that representative could be attached should there be a requirement to do so. It is strange that we are not doing that in the applied GDPR because, despite the great improvement that will come from better language, the issue is still the same. If there is someone that our laws cannot attack, there is obviously an issue. Perhaps the Minister would like to respond.

--- Later in debate ---
Indeed, it can also be invaluable to charities. Proper, clear information and guidance is vital to them and their data controllers. They face the same uncertainties, costs, and commercial and reputational risk from prosecution. I therefore also support Amendment 170, which would add charities, and I am delighted that it comes from the noble Lord, Lord Clement-Jones, with whom I have had such productive dealings on intellectual property. I beg to move.
Lord Clement-Jones

My Lords, I thank the noble Baroness for that accolade. I rise to speak to Amendment 170, which is a small contribution to perfecting Amendment 169. It struck me as rather strange that Amendment 152 has a reference to charities, but not Amendment 169. For charities, this is just as big an issue so I wanted to enlarge slightly on that. This is a huge change that is overtaking charities. How they are preparing for it and the issues that need to be addressed are of great concern to them. The Institute of Fundraising recently surveyed more than 300 charities of all sizes on how they are preparing for the GDPR, and used the results to identify a number of areas where it thought support was needed.

The majority of charities, especially the larger ones, are aware of the GDPR and are taking action to get ready for May 2018, but the survey also highlighted areas where charities need additional advice, guidance and support. Some 22% of the charities surveyed said that they have yet to do anything to prepare for the changes, and 95% of those yet to take any preparatory action are the smaller charities. Some 72% said that there was a lack of clear available guidance. Almost half the charities report that they do not feel they have the right level of skills or expertise on data protection, and 38% report that they have found limits in their administration or database systems, or the costs of upgrading these, a real challenge. That mirrors very much what small businesses are finding as well. Bodies such as the IoF have been working to increase the amount of support and guidance on offer. The IoF runs a number of events, but more support is needed.

A targeted intervention is needed to help charities as much as it is needed for small business. This needs to be supported by government—perhaps through a temporary extension of the existing subsidised fundraising skills training, including an additional training programme on how to comply with GDPR changes; or a targeted support scheme, directly funded or working with other funding bodies and foundations, to help the smallest charities most in need to upgrade their administrative or database systems. Charities welcome the recently announced telephone service from the ICO offering help on the GDPR, which they can access, but it is accessible only to organisations employing under 250 people and it is only a telephone service.

There are issues there, and I hope the Minister will be able to respond, in particular by recognising that charities are very much part of the infrastructure of smaller organisations that will certainly need support in complying with the GDPR.

Lord Knight of Weymouth (Lab)

My Lords, I broadly support what these interesting amendments are trying to do. I declare my interest as a member of the board of the Centre for Acceleration of Social Technology. Substantially, what it does is advise normally larger charities on how to best take advantage of digital to solve some of their problems.

Clearly, I support ensuring that small businesses, small charities and parish councils, as mentioned, are advised of the implications of this Act. If she has the opportunity, I ask the noble Baroness, Lady Neville-Rolfe, to explain why she chose staff size as the measure. I accept that hers is a probing amendment and she may think there are reasons not to go with staff size. The cliché is that when Instagram was sold to Facebook for $1 billion it had 13 members of staff. That would not come within the scope of the amendment, but there are plenty of digital businesses that can achieve an awful lot with very few staff. As it stands, my worry is this opens up a huge loophole.

--- Later in debate ---
Lord Knight of Weymouth

My Lords, I will be brief on this group but I have two points to make. One is a question in respect of Amendment 51, where I congratulate the insurance industry on its lobbying. Within proposed new paragraph 15A(1)(b) it says,

“if … the controller has taken reasonable steps to obtain the data subject’s consent”.

Can the Minister clarify, or give some sense of, what “reasonable” means in this context? It would help us to understand whether that means an email, which might go into spam and not be read. Would there be a letter or a phone call to try to obtain consent? What could we as citizens reasonably expect insurance companies to do to get our consent?

Assuming that we do not have a stand part debate on Clause 4, how are the Government getting on with thinking about simplifying the language of the Bill? The noble Baroness, Lady Lane-Fox, is temporarily not in her place, but she made some good points at Second Reading about simplification. Clause 4 is quite confusing to read. It is possible to understand it once you have read it a few times, but subsection (2) says, for example, that,

“the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR”.

That sort of sentence is quite difficult for most people to understand, and I will be interested to hear of the Government’s progress.

Lord Clement-Jones

My Lords, I thank the noble Baroness for introducing these amendments in not too heavy a style, but this is an opportunity to ask a couple of questions in relation to them. We may have had since 20 October to digest them; nevertheless, that does not make them any more digestible. We will be able to see how they really operate only once they are incorporated into the Bill. Perhaps we might have a look at how they operate on Report.

The Bill is clearly a work in progress, and this is an extraordinary number of amendments even at this stage. It begs the question as to whether the Government are still engaged in discussions with outside bodies. Personally, I welcome that there has been dialogue with the insurance industry—a very important industry for us. We obviously have to make sure that the consumer is protected while it carries out an important part of its business. I know that the industry has raised other matters relating to third parties and so on. There have also been matters raised by those in the financial services industry who are keen to ensure that fraud is prevented. Even though they are private organisations, they are also keen to ensure that they are caught under the umbrella of the exemptions in the Bill. Can the noble Baroness tell us a little about what further discussions are taking place? It is important that we make sure that when the Bill finally hits the deck, so to speak, it is right for all the different sectors that will be subject to it.

Lord Stevenson of Balmacara

My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.

I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:

“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.


I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.

I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.

My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?

--- Later in debate ---
Lord Clement-Jones (LD)

My Lords, I suspect that if you scratched half the Members of this House, they would have to declare an interest. I will just add a bit of non-Oxford variety as chair of the council of Queen Mary University of London. I express Front Bench support for my noble friend’s amendment and that of the noble Baroness, Lady Royall.

There is no doubt about the interaction of article 6 and the unfortunate inclusion of universities in the Freedom of Information Act definition, and there is no reason that I can see—we have heard about the alumni issues and the importance of fundraising to universities—why universities should not be put on all fours with charities, which can take advantage of the exemption in article 6. I very much hope that the Minister, who was nodding vigorously throughout most of the speeches, is prepared to state that he will come forward with an amendment, or accept this one, which would be gratefully received.

Lord Lucas

My Lords, perhaps I may say a word on behalf of the victims. I very much hope that we will be given the right to ask the college to cross our name off.

I very much enjoyed my time at Oxford. It took Oxford 37 years to cotton on to the idea that, having spent three years doing physics there, perhaps I was interested in physics and it might offer me something in continued involvement other than students being pestered into asking me for money twice a year. That is not a relationship; that is not a community; that is a one-way suck. It is a Dyson vacuum cleaner designed to hoover money in on the basis of creating some sort of obligation. It was a contract 40 years ago, for goodness’ sake: create something now or keep something going.

Fundamentally, I have very little sympathy with the idea—

--- Later in debate ---
Moved by
11: Clause 7, page 5, line 6, leave out “includes” and insert “means”
Lord Clement-Jones

My Lords, I shall also speak to Amendments 13, 15 and 21. It is slightly putting the cart before the horse to deal with Amendment 11. I will do so since it comes earlier in the order, but it covers a rather less general issue than the less general amendments.

Under the current Data Protection Act, controllers need a Schedule 2 legal basis to process personal data. Schedule 2 lists six main groupings and the controller has to select at least one from the list. If the controller does not have a legal basis for processing, then the controller cannot process the personal data. So it is surprising to discover that Clause 7, through the use of the word “includes”, can legitimise public sector processing of personal data on a ground not listed in the Bill. Such a basis might be, for instance, not necessary for the controller’s statutory functions, and that is why I seek the Minister’s reassurance.

There is all the difference between setting out the bases in an exhaustive way and a non-exhaustive way. In looking at how the position is reached, one needs to look at Clause 7, which states:

“In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for … administration of justice”,


and so on until (d),

“the exercise of a function of the Crown, a Minister of the Crown or a government department”.

It can be seen by comparison with Schedule 2 of the DPA that the only missing basis for processing is,

“the exercise of any other functions of a public nature exercised in the public interest by any person”.

The Explanatory Notes to Clause 7 state:

“Article 6(2) of the GDPR enables Member States to, amongst other things, set out more specific provisions in respect of Article 6(1)(c) and (e). This clause provides a non-exhaustive list of examples of processing under Article 6(1)(e)”.


That seems slightly paradoxical; it says it is going to be more specific but the Explanatory Notes say it is going to be non-exhaustive. The note continues:

“This includes processing of personal data that is necessary for the administration of justice”,


and so on. The section on Clause 7 concludes:

“The list is similar to that contained in paragraph 5 of Schedule 2 to the 1998 Act”.


So the intent, as explained in paragraphs 85 and 86 of the Explanatory Notes, is for the Government to use the flexibility set out in Article 6(1)(c) and (e) to take an exhaustive list of legal bases for the processing of personal data and actually create a non-exhaustive list of grounds that public bodies can use in Clause 7. How paradoxical can you get?

--- Later in debate ---
Lord Ashton of Hyde

My Lords, this is a rather unusual occasion, in that normally noble Lords say that they are going to read very carefully what the Minister has said in Hansard. In this case, I am certainly going to have to read carefully what the noble Lord, Lord Clement-Jones, said, in Hansard. This is a complicated matter and I thought that I was following it and then thought that I did not—and then I thought that I did again. I shall set out what I think should be the answer to his remarks, but when we have both read Hansard we may have to get together again before Report on this matter.

I am glad that we have this opportunity to set out the approach taken in the Bill to processing that is in the public interests and the substantial public interests. Both terms are not new; they appeared before 1998, as the noble Lord, Lord Stevenson, said, in the 1995 data protection directive, in the same sense as they are used in the GDPR and the Bill. That is to say, “substantial public interest” is one of the bases for the processing of special categories of personal data, and this is a stricter test than the public interest test that applies in connection with the processing of all categories of personal data. The noble Lord, Lord Clement-Jones, was wrong to suggest that the list provided in the 1998 Act in relation to public interest was genuinely exhaustive, I think. As he said himself, the effect of paragraph 5(d) of Schedule 2 was to make that list non-exhaustive.

In keeping with the approach taken under the 1998 Act, the Government have not limited the public interest general processing condition. The list in Clause 7 is therefore non-exhaustive. This is intentional, and enables organisations which undertake legitimate public interest tasks to continue to process general data. Noble Lords may recall that the Government committed after Second Reading to update the Explanatory Notes to provide reassurance that Clause 7 should be interpreted broadly. Universities, museums and many other organisations carrying out important work for the benefit of society all rely on this processing condition. For much the same reason, “public interest” has not historically been defined in statute, recognising that the public interest will change over time and according to the circumstances of each situation. This flexibility is important, and I would not wish to start down the slippery slope of attempting to define it further.

The Government have, however, chosen to set out in Part 2 of Schedule 1 an exhaustive list of types of processing which they consider constitute, or could constitute, processing in the substantial public interest. That reflects the increased risks for data subjects when their sensitive personal data is processed. Again, this approach replicates that taken in the 1998 Act. Where the Government consider that processing meeting a condition in that part will sometimes, but not necessarily, meet the substantial public interest test, a sub-condition to that effect is included. This ensures that the exemption remains targeted on those processing activities in the substantial public interest. A similar approach was taken in secondary legislation made under the 1998 Act. The Government intend to keep Part 2 of Schedule 1 under review, and have proposed a regulation-making power in Clause 9 that would allow Schedule 1 to be updated or refined in a timelier manner than would be the case if primary legislation were required. We will of course return to that issue in a later group.

Amendment 15 seeks to make clear that the public interest test referred to in Clause 7 is not restricted by the substantial public interest test referred to in Part 2 of Schedule 1. Having described the purposes of both these elements of the Bill, I hope that noble Lords can see that these are two separate tests. The different wording used would mean that these would be interpreted as different tests, and there is no need to amend the Bill to clarify that further.

Amendment 154 would require the Information Commissioner to develop a code of practice in relation to the processing of personal data in the public interest and substantial public interest. As we have already touched on, the Information Commissioner is developing relevant guidance to support the implementation of the new data protection framework. Should there later prove a need to formalise this guidance as a code of practice, Clause 124 provides the Secretary of State with the power to direct the Information Commissioner to make such a code. There is no need to make further provision.

I hope that that explanation satisfies noble Lords for tonight, and I urge the noble Lord to withdraw his amendment. However, in this complicated matter, I am certainly prepared to meet noble Lords to discuss this further, if they so require.

Lord Clement-Jones

My Lords, I thank the Minister for that very helpful exposition. I shall return the compliment and read his contribution in Hansard with great care. I apologise to the noble Lord, Lord Kennedy, if the Bill has already had a befuddling influence on me. It comes from looking along the Labour Benches too much in profile.

With this amendment, I feel somewhat caught between the noble Lord, Lord Patel, and a very hard place. Clearly, he wants flexibility in a public interest test, and I can well understand that. But there are issues to which we shall need to return. The idea of a specific code seems the way forward; the way forward is not by granting overmighty powers to the Government to change the definitions according to the circumstances. I think that that was the phrase that the Minister used—they wish to have that flexibility so that the public interest test could be varied according to circumstances. If there is a power to change, it has to be pretty circumscribed. Obviously, we will come back to that in a later group. In the meantime, I beg leave to withdraw the amendment.

Amendment 11 withdrawn.