Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, I too thank the Minister for her introduction to the three Motions in this group.

On these Benches, we welcome the Supreme Court’s judgment on the meaning of “sex” in the Equality Act 2010. However, as Ministers have stressed—and we agree—it is paramount that we work through the implications of this judgment carefully and sensitively. As we have previously discussed, the EHRC is currently updating its statutory guidance.

Ministers have previously given assurances that they are engaged in appropriate and balanced work on data standards and data accuracy, and we accept those assurances. They have given a further assurance today about how the digital verification services framework will operate. We rely on those ministerial assurances. In summary, we believe that the previously proposed amendments were premature in the light of the EHRC guidance and that they risk undermining existing data standards work. On that basis, we support the Minister in her Motions A and D.

Turning to Motion B, the noble Viscount, Lord Colville, will not press his Amendment 43B at this stage, as he intends to accept the assurances given by Ministers. We have consistently supported the noble Viscount’s efforts to ensure that scientific research benefiting from the Bill’s provisions for data reuse is conducted according to appropriate ethical, legal and professional frameworks. The Government have given significant assurances in this area. We understand that their position is that the Bill does not alter the existing legal definition or threshold for what constitutes scientific research under UK GDPR. The Bill does not grant any new or expanded permissions for the reuse of data for scientific research purposes, and, specifically, it does not provide blanket approval for using personal data for training AI models under the guise of scientific research. The use of personal data for scientific research remains subject to the comprehensive safeguards of UK GDPR, including the requirement for a lawful basis, the adherence to data protection principles and the application of the reasonableness test, which requires an objective assessment.

The collection of assurances given during several stages of the Bill provides reassurance against the risk that commercial activities, such as training AI models purely for private gain, could improperly benefit from exemptions intended for genuine scientific research serving the public good. I very much hope that the Minister can reaffirm these specific points and repeat those assurances.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, I declare an interest as chair of the Authors’ Licensing and Collecting Society.

I express the extremely strong support of all on these Benches for Motion C1, proposed by the noble Baroness, Lady Kidron. I agree with every speech that we have heard so far in today’s debate—I did not hear a single dissenting voice to the noble Baroness’s Motion. Once again, I pay tribute to her; she has fought a tireless campaign for the cause of creators and the creative industries throughout the passage of the Bill.

I will be extremely brief, given that we want to move to a vote as soon as possible. The House has already sent a clear message by supporting previous amendments put forward by the noble Baroness, and I hope that the House will be as decisive today. As we have heard this afternoon, transparency is crucial. This would enable the dynamic licensing market that is needed, as we have also heard. How AI is developed and who it benefits are two of the most important questions of our time—and the Government must get the answer right. As so many noble Lords have said, the Government must listen and must think again.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, an onlooker might be forgiven for not perceiving a common theme in this group of amendments, but I thank the Minister for his introduction and the noble Viscounts for introducing their amendments so clearly.

I acknowledge that Motion 32A and Amendments 32B and 32C and Motion 52A and Amendments 52B and 52C from the noble Viscount, Lord Camrose, are considerably less prescriptive than the Spencer amendment in the House of Commons to introduce new Clause 21, which seemed to require public authorities to comb through every record to rectify data, went significantly further than the findings of the Supreme Court judgment, and potentially failed to account for the privacy afforded to GRC holders under the Gender Recognition Act. However, the Liberal Democrats will abstain from votes on the noble Viscount’s amendments for several key reasons.

Our primary reason is the need to allow time for the EHRC’s guidance to be finalised. I thought the Minister made his case there. The EHRC is currently updating its code of practice, as we have heard, to reflect the implications of the Supreme Court judgment on the meaning of sex in the Equality Act, with the aim of providing it to the Government by the end of June. This guidance, as I understand it, is intended specifically to support service providers, public bodies and others in understanding their duties under the Equality Act and putting them into practice in the light of the judgment. The EHRC is undertaking a public consultation to understand how the practical implications can best be reflected. These amendments, in our view, are an attempt to jump the gun on, second-guess or at the least pre-empt the EHRC’s code of practice.

On these Benches, we believe that any necessary changes or clarifications regarding data standards should be informed by the official guidance and implemented consistently in a coherent and workable manner. We should allow time for the EHRC’s guidance to be finalised, ensuring that any necessary changes or clarifications regarding data standards are informed by its advice and implemented consistently across public authorities in a coherent and workable manner. We have concerns about workability and clarity. Although the amendments proposed by the noble Viscount, Lord Camrose, are less prescriptive than previous similar proposals in the Commons tabled by Dr Spencer, we have concerns about their practical implementation. Questions arise about how public authorities would reliably ascertain biological sex if someone has a gender recognition certificate and has updated their birth certificate. I have long supported same-sex wards in the NHS, but I do not believe that these amendments are helpful in pursuing clarity following the Supreme Court judgment. We heard what the Minister had to say about passports.

I welcome the clarity provided by the Supreme Court judgment, but there are clearly implications, both practical and legal, to be worked out, such as those mentioned by the noble Viscount, Lord Hailsham. I thought he put his finger on many of those issues. I trust that the EHRC will deliver the right result. I agree that data needs to be accurate, and I welcome the Sullivan report, as did my noble friend. In summary, we will be abstaining. We believe that the EHRC process needs to conclude and provide comprehensive guidance, while also reflecting concerns about the workability and appropriateness of specific legislative interventions on data standards at this time.

I move on to Amendment 43B, tabled by the noble Viscount, Lord Colville. This amendment may not reinstate the precise wording

“conducted in the public interest”

that we previously inserted in this House, but it would introduce safeguards that seek to address the same fundamental concerns articulated during our debate on Report. It does two important things.

First, it provides a definition of “scientific research”, clarifying it as

“creative and systematic work undertaken in order to increase the stock of knowledge”.

This directly addresses the concerns raised on Report that the line between product development and scientific research is often blurred, with developers sometimes positing efforts to increase model capabilities or study risks as scientific research. Having a clear definition helps to distinguish genuine research from purely commercial activity cloaked as such.

Secondly, and critically, Amendment 43B would require:

“To meet the reasonableness test”


already present in the Bill,

“the activity being described as scientific research must be conducted according to appropriate ethical, legal and professional frameworks, obligations and standards”.

This requirement seeks to embed within the reasonableness test the principles that underpinned our arguments for the public interest requirement on Report and is the same as the amendment put forward by the chair of the Science, Innovation and Technology Select Committee, Chi Onwurah MP, which ties the definition to the definition in the OECD’s Frascati Manual: Guidelines for Collecting and Reporting Data on Research and Experimental Development:

“creative and systematic work undertaken in order to increase the stock of knowledge—including knowledge of humankind, culture and society—and to devise new applications of available knowledge”.

The Frascati framework is used worldwide by Governments, universities and research institutions to report R&D statistics, inform science policy and underpin R&D tax credit regimes, and it serves as a common language and reference point for international comparisons and policy decisions related to scientific research and innovation. These frameworks, obligations and standards are important because they serve the very purposes we previously identified for the public interest test: ensuring societal benefit, building public trust, preventing misuse for commercial ends, addressing harmful applications, and alignment with standards.

Amendment 43B in the name of the noble Viscount, Lord Colville, is a thoughtful and necessary counter-proposal. It is Parliament’s opportunity to insist that the principles of public benefit, trust and responsible conduct, rooted in established frameworks, must remain central to the definition of scientific research that benefits from data re-use exceptions.

I heard what the noble Lord, Lord Winston, had to say in his very powerful speech, but I cannot see how the amendment from the noble Viscount, Lord Colville, cuts across all the things that he wants to see in the outcomes of research.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I have had a misspent not-so-youth over the past 50 years. As a lawyer, when I read the wording in the amendment, I cannot see the outcome that he is suggesting. This wording does not cut across anything that he has had to say. I genuinely believe that. I understand how genuine he is in his belief that this is a threat, but I do not believe this wording is such a threat.

I also understand entirely what the noble Lord, Lord Tarassenko, had to say, but an awful lot of that was about the frustration and some of the controls over health data. That does not apply in many other areas of scientific research. The Frascati formula is universal and well accepted. The noble Viscount made an extremely good case; we should be supporting him.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, it has been a privilege to listen to today’s debate. The noble Baroness, Lady Kidron, really has opened the floodgates to expressions of support for human creativity. I thank her for tabling her Motion. I also thank the Minister for setting out the Government’s position and their support for the creative industries.

I suppose I straddle the world of AI and creativity as much as anybody in this House. I co-founded the All-Party Group on Artificial Intelligence and I have been a member of the All-Party Group on Intellectual Property for many years. That is reflected in my interests, both as an advisor to DLA Piper on AI policy and regulation, and as the newly appointed chair of the Authors’ Licensing and Collecting Society. I declare those interests, which are more than merely formal.

The subject matter of the amendments in this group is of profound importance for the future of our creative industries and the development of AI in the UK: the critical intersection of AI training and copyright law, and, specifically, the urgent need for transparency. As the noble Baroness, Lady Kidron, described, the rapid development of AI, particularly large language models, relies heavily on vast volumes of data for training. This has brought into sharp focus the way copyright law applies to such activity. It was impossible to miss the letter over the weekend from 400 really important creatives, and media and creative business leaders urging support for her Motion 49A. Rights holders, from musicians and authors to journalists and visual artists, are rightly concerned about the use of their copyrighted material to train AI models, often without permission or remuneration, as we have heard. They seek greater control over their content and remuneration when it is used for this purpose, alongside greater transparency.

Like others, I pay tribute to the noble Baroness, Lady Kidron, who has brilliantly championed the cause of creators and the creative industries throughout the passage of this Bill in her tabling of a series of crucial amendments. Her original amendments on Report, passed in this House but deleted by the Government in the Commons and then retabled in the Commons on Report by my honourable friends, aimed to make existing UK copyright law enforceable in the age of generative AI. The core argument behind Amendment 49B, which encapsulates the essence of the previous amendments, is that innovation in the AI field should not come at the expense of the individuals and industry creating original content.

The central plank of the noble Baroness’s proposals, and one these Benches strongly support, is the requirement for transparency from AI developers regarding the copyrighted material used in their training data. Her Amendment 49B specifically requires the Secretary of State to make regulations setting out strict transparency requirements for web crawlers and general-purpose AI models. This would include disclosing the identity and purpose of the crawlers used, identifying their owners and, crucially, keeping records of where and when copyrighted material is gathered. This transparency is vital for ensuring accountability and enabling copyright holders to identify potential infringements and enforce their rights.

The Minister described the process in the consultation on AI and copyright, published last December. That consultation proposed a text and data mining exception that would allow AI developers to train on material unless the rights holder expressly reserved their rights or opted out. The arguments against this proposed opt-out mechanism are compelling; they have been made by many noble Lords today and have been voiced by many outside, as we have heard. This mechanism shifts the burden on to creators to police the use of their work and actively opt out, placing an undue responsibility on them.

This approach undermines the fundamental principles of copyright, effectively rewarding the widespread harvesting or scraping of copyrighted material that has occurred without permission or fair remuneration. The Government’s proposed text and data-mining exception, which it appears that they are no longer proposing—as the noble Lord, Lord Brennan, asked, perhaps the Minister can clarify the Government’s position and confirm that that is indeed the case—risks harming creative sectors for minimal gain to a small group of global tech companies and could erode public trust in the AI sector. As the noble Baroness observed, this approach is selling the creative industries down the river. Voluntary measures for transparency proposed by the Government are insufficient. Clear legal obligations are needed.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, it is a pleasure to follow the three noble Baronesses, and I too congratulate the noble Baroness, Lady Owen, on her magnificent and successful campaign to outlaw the making and requesting of non-consensual images, first with her Private Member’s Bill and then with amendments to this Bill. She has fought it with huge skill and determination, and, rightly, she has pushed it to the wire in wanting the most robust offence and tightest defences possible. I thank the Minister for his flexibility that he has shown so far—with the emphasis on “so far”.

The amendments that the noble Baroness has put forward represent a compromise, given the strong and rather extraordinary opinion of the Attorney-General that the defence of “reasonable excuse” is needed for the defence to be compliant with the ECHR and that, therefore, the whole Bill risks being non-compliant if that is not contained in the defence for these offences. That is the equivalent of a legal brick wall, despite an excellent opinion from Professor Clare McGlynn, which in my view demolished the Attorney-General’s case, which seems to be based on ensuring the ability of big tech companies to red team their models on images used without consent. That is a rather peculiar basis. Why cannot the big tech companies use images with consent? They would then be red teaming in a rather different and more compliant way.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, the Children’s Commissioner, Dame Rachel de Souza, and the IWF have both called for a total ban on apps which allow nudification, where photos of real people are edited by AI to make them appear naked. The commissioner has been particularly critical about the fact that such apps

“go unchecked with extreme real-world consequences”.

Will the Government act and ban these AI-enabled tools outright?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for her introduction to this draft statutory instrument; it was brief and to the point. These penalties will be able to reach 10% of turnover or £100,000 per day for continuing breaches, so getting the calculations right is crucial. However, I have some concerns about the SI, the first of which is about timing.

I do not understand why we are looking at a three-year gap between the enabling powers and the calculation rules. The Telecommunications (Security) Act 2021, which I worked on, was presented to this House as urgent legislation to protect critical national infrastructure, yet here we are, in 2025, only now establishing how to calculate penalties for breaches in the way set out in this SI. During this period, we have had enforcement powers without the ability to properly determine penalties. As I understand it, tier 1 providers had to comply by March 2024, yet the penalty calculation mechanism will not be in place until this year—no doubt in a few weeks’ time.

Secondly, there is the absence of consultation. The Explanatory Memorandum cites the reason as the SI’s “technical nature”, but these penalties—I mentioned their size—could have major financial implications for providers. The telecoms industry has complex business structures and revenue streams. Technical expertise from the industry could have helped to ensure that these calculations are practical and comprehensive. The technical justification seems remarkably weak, given the impact these rules could have. For example, the current definition of “relevant business” for these calculations focuses on traditional network and service provision, but modern telecoms companies often have diverse revenue streams. There is no clear provision for new business models or technologies. How will we handle integrated service providers? What about international revenues? The treatment of associated services needs clarification.

Thirdly, the implementation sequence is an issue. We are being asked to approve penalty calculations before seeing the enforcement guidelines. There is no impact assessment, so we cannot evaluate potential consequences. I understand that the post-implementation review is not scheduled until 2026, and there is no clear mechanism for adjusting the framework if problems emerge. The interaction with the existing penalty regime needs clarification.

There are also technical concerns that need some attention. The switch from “notified provider” to “person” in the 2003 order, as a result of this SI, needs rather more explanation. The calculation method for continuing breaches is not fully detailed, there is no specific provision for group companies or complex corporate structures and the treatment of joint ventures and partnerships remains unclear.

Finally, I hope that, in broad terms, the Minister can give us an update on progress on the removal of equipment covered by the Telecommunications (Security) Act 2021. That was mandated by the Act; I know it is under way but it is not yet complete.

This is about not merely technical calculations but creating an effective deterrent to the telecoms industry, while ensuring fair and practical enforcement of important security measures. Getting these rules right is essential for both national security and our telecoms sector. I look forward to the Minister’s response on these points.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Is the Minister confident that the 2027 deadline will be met; that no vendor, purchaser or telecoms company will be caught by the Act; that no fines will be levied; and that what we are talking about today is, therefore, entirely theoretical?

Lord Clement-Jones

- View Speech - Hansard -

Copy Link

-

At end insert “but that this House regrets that the Regulations do not impose duties available under the parent Act on small, high-risk platforms where harmful content, often easily accessible to children, is propagated; calls on the Government to clarify which smaller platforms will no longer be covered by Ofcom’s illegal content code and which measures they will no longer be required to comply with; and calls on the Government to withdraw the Regulations and establish a revised definition of Category 1 services.”

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I am very pleased to see the Minister back in her place. I thank her for her introduction to this statutory instrument. Her disappointment at my tabling this regret amendment is exceeded only by my own disappointment at the SI. However, I hope that she will provide the antidote to the Government’s alarming tendency to pick unnecessary fights on so many important issues—a number of them overseen by her department.

Those of us who were intimately involved with its passage hoped that the Online Safety Act would bring in a new era of digital regulation, but the Government’s and Ofcom’s handling of small but high-risk platforms threatens to undermine the Act’s fundamental purpose of creating a safer online environment. That is why I am moving this amendment, and I am very grateful to all noble Lords who are present and to those taking part.

The Government’s position is rendered even more baffling by their explicit awareness of the risks. Last September, the Secretary of State personally communicated concerns to Ofcom about the proliferation of harmful content, particularly regarding children’s access. Despite this acknowledged awareness, the regulatory framework remains fundamentally flawed in its approach to platform categorisation.

The parliamentary record clearly shows that cross-party support existed for a risk-based approach to platform categorisation, which became enshrined in law. The amendment to Schedule 11 from the noble Baroness, Lady Morgan—I am very pleased to see her in her place—specifically changed the requirement for category 1 from a size “and” functionality threshold to a size “or” functionality threshold. This modification was intended to ensure that Ofcom could bring smaller, high-risk platforms under appropriate regulatory scrutiny.

Subsequently, in September 2023, on consideration of Commons amendments, the Minister responsible for the Bill, the noble Lord, Lord Parkinson—I am pleased to see him in his place—made it clear what the impact was:

“I am grateful to my noble friend Lady Morgan of Cotes for her continued engagement on the issue of small but high-risk platforms. The Government were happy to accept her proposed changes to the rules for determining the conditions that establish which services will be designated as category 1 or 2B services. In making the regulations, the Secretary of State will now have the discretion to decide whether to set a threshold based on either the number of users or the functionalities offered, or on both factors. Previously, the threshold had to be based on a combination of both”.—[Official Report, 19/9/23; col. 1339.]


I do not think that could be clearer.

This Government’s and Ofcom’s decision to ignore this clear parliamentary intent is particularly troubling. The Southport tragedy serves as a stark reminder of the real-world consequences of inadequate online regulation. When hateful content fuels violence and civil unrest, the artificial distinction between large and small platforms becomes a dangerous regulatory gap. The Government and Ofcom seem to have failed to learn from these events.

At the heart of this issue seems to lie a misunderstanding of how harmful content proliferates online. The impact on vulnerable groups is particularly concerning. Suicide promotion forums, incel communities and platforms spreading racist content continue to operate with minimal oversight due to their size rather than their risk profile. This directly contradicts the Government’s stated commitment to halving violence against women and girls, and protecting children from harmful content online. The current regulatory framework creates a dangerous loophole that allows these harmful platforms to evade proper scrutiny.

The duties avoided by these smaller platforms are not trivial. They will escape requirements to publish transparency reports, enforce their terms of service and provide user empowerment tools. The absence of these requirements creates a significant gap in user protection and accountability.

Perhaps the most damning is the contradiction between the Government’s Draft Statement of Strategic Priorities for Online Safety, published last November, which emphasises effective regulation of small but risky services, and their and Ofcom’s implementation of categorisation thresholds that explicitly exclude these services from the highest level of scrutiny. Ofcom’s advice expressly disregarded—“discounted” is the phrase it used—the flexibility brought into the Act via the Morgan amendment, and advised that regulations should be laid that brought only large platforms into category 1. Its overcautious interpretation of the Act creates a situation where Ofcom recognises the risks but fails to recommend for itself the full range of tools necessary to address them effectively.

This is particularly important in respect of small, high-risk sites, such as suicide and self-harm sites, or sites which propagate racist or misogynistic abuse, where the extent of harm to users is significant. The Minister, I hope, will have seen the recent letter to the Prime Minister from a number of suicide, mental health and anti-hate charities on the issue of categorisation of these sites. This means that platforms such as 4chan, 8chan and Telegram, despite their documented role in spreading harmful content and co-ordinating malicious activities, escaped the full force of regulatory oversight simply due to their size. This creates an absurd situation where platforms known to pose significant risks to public safety receive less scrutiny than large platforms with more robust safety measures already in place.

The Government’s insistence that platforms should be “safe by design”, while simultaneously exempting high-risk platforms from category 1 requirements based solely on size metrics, represents a fundamental contradiction and undermines what we were all convinced—and still are convinced—the Act was intended to achieve. Dame Melanie Dawes’s letter, in the aftermath of Southport, surely gives evidence enough of the dangers of some of the high-risk, smaller platforms.

Moreover, the Government’s approach fails to account for the dynamic nature of online risks. Harmful content and activities naturally migrate to platforms with lighter regulatory requirements. By creating this two-tier system, they have, in effect, signposted escape routes for bad actors seeking to evade meaningful oversight. This short-sighted approach could lead to the proliferation of smaller, high-risk platforms designed specifically to exploit these regulatory gaps. As the Minister mentioned, Ofcom has established a supervision task force for small but risky services, but that is no substitute for imposing the full force of category 1 duties on these platforms.

The situation is compounded by the fact that, while omitting these small but risky sites, category 1 seems to be sweeping up sites that are universally accepted as low-risk despite the number of users. Many sites with over 7 million users a month—including Wikipedia, a vital source of open knowledge and information in the UK—might be treated as a category 1 service, regardless of actual safety considerations. Again, we raised concerns during the passage of the Bill and received ministerial assurances. Wikipedia is particularly concerned about a potential obligation on it, if classified in category 1, to build a system that allows verified users to modify Wikipedia without any of the customary peer review.

Under Section 15(10), all verified users must be given an option to

“prevent non-verified users from interacting with content which that user generates, uploads or shares on the service”.

Wikipedia says that doing so would leave it open to widespread manipulation by malicious actors, since it depends on constant peer review by thousands of individuals around the world, some of whom would face harassment, imprisonment or physical harm if forced to disclose their identity purely to continue doing what they have done, so successfully, for the past 24 years.

This makes it doubly important for the Government and Ofcom to examine, and make use of, powers to more appropriately tailor the scope and reach of the Act and the categorisations, to ensure that the UK does not put low-risk, low-resource, socially beneficial platforms in untenable positions.

There are key questions that Wikipedia believes the Government should answer. First, is a platform caught by the functionality criteria so long as it has any form of content recommender system anywhere on UK-accessible parts of the service, no matter how minor, infrequently used and ancillary that feature is?

Secondly, the scope of

“functionality for users to forward or share regulated user-generated content on the service with other users of that service”

is unclear, although it appears very broad. The draft regulations provide no guidance. What do the Government mean by this?

Thirdly, will Ofcom be able to reliably determine how many users a platform has? The Act does not define “user”, and the draft regulations do not clarify how the concept is to be understood, notably when it comes to counting non-human entities incorporated in the UK, as the Act seems to say would be necessary.

The Minister said in her letter of 7 February that the Government are open to keeping the categorisation thresholds under review, including the main consideration for category 1, to ensure that the regime is as effective as possible—and she repeated that today. But, at the same time, the Government seem to be denying that there is a legally robust or justifiable way of doing so under Schedule 11. How can both those propositions be true?

Can the Minister set out why the regulations, as drafted, do not follow the will of Parliament—accepted by the previous Government and written into the Act—that thresholds for categorisation can be based on risk or size? Ofcom’s advice to the Secretary of State contained just one paragraph explaining why it had ignored the will of Parliament—or, as the regulator called it, the

“recommendation that allowed for the categorisation of services by reference exclusively to functionalities and characteristics”.

Did the Secretary of State ask to see the legal advice on which this judgment was based? Did DSIT lawyers provide their own advice on whether Ofcom’s position was correct, especially in the light of the Southport riots?

How do the Government intend to assess whether Ofcom’s regulatory approach to small but high-harm sites is proving effective? Have any details been provided on Ofcom’s schedule of research about such sites? Do the Government expect Ofcom to take enforcement action against small but high-harm sites, and have they made an assessment of the likely timescales for enforcement action?

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, I shall be extremely brief. I thank all noble Lords who have contributed this evening. The noble Lord, Lord Stevenson, used the expression “emotions raised”. That is exactly what this regret amendment has done. There is real anger about the way in which this statutory instrument has been put together. I think many noble Lords who were involved in the Act were extremely proud of our work, as has been expressed.

The Minister has made a valiant attempt, but I am afraid that she has been given a hospital pass. It is quite clear that the Secretary of State did not have to accept the advice from Ofcom. Its advice about functionalities, as the noble Baroness, Lady Kidron, made absolutely clear, and the evidence that the noble Lord, Lord Russell of Liverpool, put forward, not to mention the evidence from the anti-Semitism foundation, all indicate that there is considerable belief around this House that we are not dealing with the high-risk but smaller sites such as Telegram, 8chan and 4chan.

In these circumstances, as I believe is accepted by many noble Lords across the House, the Government have got this completely wrong and it needs rethinking. Therefore, I would like to test the opinion of the House.

Lord Clement-Jones

- View Speech - Hansard -

Copy Link

-

That this House regrets that the Copyright and Performances (Application to Other Countries) (Amendment) (No. 2) Order 2024, laid before the House on 13 November 2024 (SI 2024/1124), did not involve consultation on Option 0A, which will result in inequitable treatment of performers on sound recordings based on their nationality.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I will start by saying that I am delighted that the Minister is treating this as one of her first engagements back in the House; how flattering to have her here at this time of day for a regret Motion. I also want to put on record my thanks to the Minister, Feryal Clark, who has taken the trouble to engage. Time will tell whether that engagement bears fruit, as we will see.

We on these Benches agree with Equity—the actors’ union—and the Musicians’ Union that this statutory instrument should be withdrawn due to several significant concerns regarding its fairness, its consultation process and its potential impact on performers, particularly those from the United States. The key arguments against the statutory instrument revolve around the implementation of option 0A, which maintains the status quo for producers of sound recordings while extending public performance rights to foreign performers only if their producer is a UK national or based in a country that is a signatory to the Rome convention, thereby excluding performers from countries that are not signatories, such as the United States. This option was not explicitly consulted on, and it creates an inequitable system of remuneration for performers.

The consultation presented four options, numbered 0 to 3, but option 0A emerged after the consultation. The Government have acknowledged that option 0A is a new option. However, the Government’s claim that they carefully considered all views is wrong, as a key policy option was developed and implemented without input from key stakeholders. Impacted organisations were not given an opportunity to formally submit their views on option 0A. As such, this lack of consultation raises concerns about the transparency and fairness of the decision-making process, and in fact undermines it.

As I have mentioned, option 0A creates a system where some foreign performers receive public performance rights based on national treatment, while others, specifically US performers, are denied those rights, based on the principle of material reciprocity. This means that US performers will not receive equitable remuneration for their work in the UK, even though their recordings are being used. US producers will continue to enjoy protection and equitable remuneration in the UK, while US performers on the same recordings are denied these rights. This disparity is difficult to justify and is clearly discriminatory.

It will also extend public performance rights to some additional foreign performers who will qualify through their producer, regardless of whether their nation offers material reciprocity to UK performers. The situation is further complicated by the fact that performers from countries such as Australia and New Zealand, which also do not offer material reciprocity to UK performers, will still receive public performance rights in the UK. This inconsistency makes the policy arbitrary and unjust. The Government’s approach effectively singles out US performers for less favourable treatment.

The Government further justifies their position by arguing that expanding performers’ rights would negatively impact the UK music sector. The Government’s decision to not expand performers’ eligibility is partly based on the argument that UK affiliates of overseas record labels retain a significant proportion of the revenues attributable to foreign rights holders. Specifically, the British Phonographic Industry, BPI, claimed that UK labels retain 30% of the revenues collected in the UK on behalf of foreign affiliates, and that any reduction in revenues for US record labels would mean less money for the UK music sector.

Little evidence for this claim has been made and the Musicians’ Union disputes it, arguing that this paints an “exaggerated, bleak picture”, that the UK and US operations remain financially separate in practice, and that it cannot find any workings in the BPI’s redacted submission to the consultation. This suggests that the Government’s financial justification is based on flawed information, not solid evidence. Smaller independent record companies have, by contrast, expressed that the current situation is unfair and supported option 1, which would expand performers’ eligibility for remuneration.

The Government also claim that denying US performers public performance rights is intended to encourage the US to adopt material reciprocity. However, the revised economic impact assessment acknowledges that this is unlikely to influence US policy. In the view of Equity, a more effective strategy would be to offer US performers rights for a limited term, such as 10 years, and then use that as leverage to negotiate material reciprocity with the US Government. This approach would provide US performers with fair compensation while creating an incentive for the US to reciprocate. The current strategy effectively withholds remuneration from performers as a negotiating tactic, while a more effective strategy will still guarantee that performers get paid for their work.

The Government’s policy is intended to ensure that UK law meets its international obligations under the Rome convention and the WIPO Performances and Phonograms Treaty. However, the implementation of option 0A undermines the spirit of these treaties by creating a system of unequal treatment for performers based on their nationality. Equity believes that all foreign performers in countries that qualify for public protection rights should benefit from the same level of protection. It considers the current approach to be unethical, and we agree. As a matter of principle, performers should be remunerated for their work. This option leaves some performers benefiting from national treatment, ignoring lack of material reciprocity, while US performers are denied remuneration on the basis of material reciprocity.

The Government have stated that the current statutory instrument corresponds closely to option 0, which was the status quo option. However, the Intellectual Property Office itself stated in its revised impact assessment that

“Parliament has passed the CPTPP Act. The CPTPP Act contains measures that will, when it comes into force (expected in December 2024), expand eligibility for performers’ rights generally, in a way that approximates the effects of Option 1. Doing nothing therefore now means allowing the law to change in a way similar to that set out in Option 1, rather than maintaining the effect of existing law”.

Therefore, the Government’s claim that they are maintaining the status quo is actually incorrect, because the status quo is already changing due to the CPTPP Act, which has now come into effect. The Government are claiming to maintain the status quo, but that status quo is already changing due to that legislation.

Equity, SAG-AFTRA, the Musicians’ Union and PPL have all raised concerns regarding the Government’s proposed course of action. This statutory instrument should be withdrawn due to a flawed consultation, the unfair treatment of US performers, the disputed financial claims, its ineffective approach to achieving material reciprocity, the ethical concerns and the contradictions with existing legislation. The Government should reconsider their approach, consult on both option 0A and option 1 and implement a system that provides equitable remuneration for all performers. I beg to move.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, I thank the Minister for her response. I do not doubt her motives at all; it is just the outcome that we are not happy with. I thank those who have spoken in favour of this regret Motion. The noble Earl, Lord Clancarty, talked about US session musicians, who are an important aspect of this. Clearly, they are being discriminated against if they are working with musicians from countries that are reciprocating and paying our musicians. This seems to be unfairly singling out those session musicians in those circumstances.

My noble friend Lady Featherstone talked about fair play and the risk of US retaliation. The Government may have the right motives, but I do not think they have quite come to terms with what a US Administration might do in this regard.

The noble Lord, Lord Markham, rightly said that any system needs to have the confidence of those who are supposed to benefit from it. I thought that his injunction to tread carefully in these circumstances was very important.

I do not propose to put this Motion to a vote; the SI has already gone through on the negative procedure. However, we are not wholly reassured. I very much hope that the Government will initiative a dialogue with Equity. When I raised with Minister Clark whether they had actually met Equity to discuss this SI, it was interesting that they had not. There are other issues that Equity would, I am sure, very much want to talk about, such as synthesisation of performances, in relation to AI—that is probably another area. It seemed rather extraordinary that a Labour Government had not properly engaged with Equity in the last six months. I very much hope that the Minister will be able to take that back to the department and reinforce the desire to meet with Equity and the Musicians’ Union.

The Government have been unduly influenced by the figures from the BPI. I do not recognise the figures that the Minister maintained about the income which would be forgone if another option had been taken. As I said when I introduced the Motion, those figures are very much disputed by the MU. We have not seen any real workings that prove that that would be the loss of income, but we can argue the toss on that.

I very much hope that the Government will at least take back from this regret Motion that in producing an option at the last minute, however creative it may be—I would not deny that creativity is a useful thing to have in the department—you can be slightly overly creative if you are not consulting on a particular option. I thought it was a neat piece of speechwriting but not necessarily to be desired. It is the kind of thing that would go to judicial review if a commercial organisation was involved in this SI. If this was BT, or another major telecom company, disputing an SI in which an option had not been consulted on, they would take this kind of thing to court. As it happens, this is about artists and unions, so they are not going to do that; they are going to go through the political process. I welcome that, but it nevertheless shows the fragility of the decision that has been taken in this case. I beg leave to withdraw the Motion.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, unusually, I rise to move an amendment, Amendment 138. For the second time in Committee, I find myself heading a group when I know that the noble Baroness, Lady Kidron, will be much better qualified to introduce the subject. Indeed, she has an amendment, Amendment 141, which is far preferable in many ways to mine.

Amendment 138 is designed to ensure that the Information Commissioner produces a code of practice specific to children up to the age of 18 for the purposes of UK law and Convention 108, and pupils as defined by the Education Act 1996, who may be up to the age of 19 or, with special educational needs, up to 25 in the education sector. The charity Data, Tech & Black Communities put it this way in a recent letter to the noble Baroness, Lady Jones:

“We recently completed a community research project examining the use of EdTech in Birmingham schools. This project brought us into contact with over 100 people … including parents, school staff and community members. A key finding was the need to make it easier for those with stewardship responsibility for children’s data, to fulfil this duty. Even with current data protection rights, parents and guardians struggle to make inquiries (of schools, EdTech companies and even DfE) about the purpose behind the collection of some of their children’s data, clarity about how it is used (or re-used) or how long data will be retained for. ‘Opting out’ on behalf of their children can be just as challenging. All of which militates against nuanced decision-making about how best to protect children’s short and long-term interests … This is why we are in support of an ICO Code of Practice for Educational Settings that would enable school staff, parents and learners, the EdTech industry and researchers to responsibly collect, share and make use of children’s data in ways that support the latter’s agency over their ‘digital selves’ and more importantly, will support their flourishing”.


The duties of settings and data processers and rights appropriate to the stage of education and children’s capacity needs clarity and consistency. Staff need confidence to access and use data appropriately within the law. As the UNCRC’s General Comment No. 16 (2013) on State Obligations Regarding the Impact of the Business Sector on Children’s Rights set out over a decade ago,

“the realization of children’s rights is not an automatic consequence of economic growth and business enterprises can also negatively impact children’s rights”.

The educational setting is different from only commercial interactions or in regard to the data subjects being children. It is more complex because of the disempowered environment and its imbalance of power between the authority, the parents and the child. The additional condition is the fact that parents’ and children’s rights are interlinked, as exemplified in the right to education described in UDHR Article 26(3), which states:

“Parents have a prior right to choose the kind of education that shall be given to their children.”


A code is needed because the explicit safeguards are missing that the GDPR requires in several places but were left out of the UK Data Protection Act 2018 drafting. Clause 80 of the Bill—“Automated decision-making”—does not address the necessary safeguards of GDPR Article 23(1) for children. Furthermore, removing the protections of the balancing test under the recognised legitimate interest condition will create new risks. Clauses on additional further processing or changes to purpose limitation are inappropriately wide without child-specific safeguards. The volume, sensitivity and intrusiveness of identifying personal data collection in educational settings only increases, while the protections are only ever reduced.

Obligations specific to children’s data, especially

“solely automated decision-making and profiling”

and exceptions, need to be consistent with clear safeguards by design where they restrict fundamental freedoms. What does that mean for children in practice, where teachers are assumed to be the rights bearers in loco parentis? The need for compliance with human rights, security, health and safety, among other standards proportionate to the risks of data processing and respecting the UK Government’s accessibility requirements, should be self-evident and adopted in a code of practice, as recommended in the five rights in the Digital Futures Commission’s blueprint for educational data governance.

The Council of Europe Strategy for the Rights of the Child (2022-2027) and the UNCRC General Comment No. 25 on Children’s Rights and the Digital Environment make it clear that

“children have the right to be heard and participate in decisions affecting them”.

They recognise that

“capacity matters, in accordance with their age and maturity. In particular attention should be paid to empowering children in vulnerable situations, such as children with disabilities.”

Paragraph 75 recognises that surveillance in educational settings should not take place without the right to object and that teachers need training to keep up with technological developments.

Participation of young people themselves has not been invited in the development of this Bill and the views of young people have not been considered. However, a small sample of parent and pupil voices has been captured in the Responsible Technology Adoption Unit’s public engagement work together with the DfE in 2024. The findings back those of Defend Digital Me’s Survation poll in 2018 and show that parents do not know that the DfE already holds named pupil records without their knowledge or permission and that the data is given away to be reused by hundreds of commercial companies, the DWP, the Home Office and the police. It stated:

“There was widespread consensus that work and data should not be used without parents’ and/or pupils’ explicit agreement. Parents, in particular, stressed the need for clear and comprehensive information about pupil work and data use and any potential risks relating to data security and privacy breaches.”


A code of practice is needed to explain the law and make it work as intended for everyone. The aims of a code of practice for educational settings would be that adherence to a code creates a mechanism for controllers and processors to demonstrate compliance with the legislation or approve certification methods. It would give providers confidence in consistent and clear standards and would be good for the edtech sector. It would allow children, parents, school staff and systems administrators to build trust in safe, fair and transparent practice so that their rights are freely met by design and default.

Further, schools give children’s personal data to many commercial companies during a child’s education—not based on consent but assumed for the performance of a task carried out in the public interest. A code should clarify any boundaries of this lawful basis for commercial purposes, where it is an obligation on parents to provide the data and what this means for the child on reaching maturity or after leaving the educational setting.

Again, a code should help companies understand “data protection by design and default” in practice, and appropriate “significant legal effect”, the edges of “public interest” in data transfers to a third country, and how special categories of data affect children in schools. A code should also support children and families in understanding the effect of the responsibilities of controllers and processes for the execution or limitation of their own rights. It would set out the responsibilities of software platforms that profile users’ metadata to share with third parties, or of commercial apps signed up for in schools that offer adverts in use.

I hope that I have explained exactly why we believe that a code of conduct is required in educational settings. I beg to move.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for her response and all speakers in this debate. On the speech from the noble Lord, Lord Knight, I entirely agree with the Minister and the noble Viscount, Lord Camrose, that it is important to remind ourselves about the benefits that can be achieved by AI in schools. The noble Lord set out a number of those. The noble Lord, Lord Russell, also reminded us that this is not a purely domestic issue; it is international across the board.

However, all noble Lords reminded us of the disbenefits and risks. In fact, the noble Lord, Lord Knight, used the word “dystopian”, which was quite interesting, although he gets very close to science fiction sometimes. He said that

“we have good reason to be concerned”,

particularly because of issues such as the national pupil database, where the original purpose may not have been fulfilled and was, in many ways, changed. He gave an example of procurement during Covid, where the choice was either Google or Microsoft—Coke or Pepsi. That is an issue across the board in competition law, as well.

There are real issues here. The noble Lord, Lord Russell, put it very well when he said that there is any number of pieces of guidance for schools but it is important to have a code of conduct. We are all, I think, on the same page in trying to find—in the words of the noble Baroness, Lady Kidron—a fairer and more equitable set of arrangements for children in schools. We need to navigate our way through this issue; of course, organisations such as Defend Digital Me and 5rights are seriously working on it.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I was delighted to see these amendments tabled by the noble Lord, Lord Holmes. He, the noble Lord, Lord Arbuthnot, and I, along with many other parliamentarians, have long argued for changes to the Computer Misuse Act. For context, the original Act was created largely in response to a famous incident in which professional hackers and a technology journalist broke into British Telecom’s Prestel system in the mid-1980s. The Bill received Royal Assent in June 1990, barely two months after Tim Berners-Lee and CERN made the world wide web publicly available for the first time. Who remembers Prestel? Perhaps this is the wrong House in which to ask that question.

As the noble Lord, Lord Holmes, explained, there is no statutory public interest defence in the Act. This omission creates a legal risk for cybersecurity researchers and professionals conducting legitimate activities in the public interest. The Post Office Horizon scandal demonstrated how critical independent computer system investigation is for uncovering systemic problems and highlighted the need for protected legal pathways for researchers and investigators to examine potentially flawed systems.

I am delighted that the noble Lord, Lord Vallance, is here for this set of amendments. His Pro-innovation Regulation of Technologies Review explicitly recommends incorporating such a defence to provide stronger legal protections for cybersecurity researchers and professionals engaged in threat intelligence research. This recommendation was rooted in the understanding that such a defence would have, it said,

“a catalytic effect on innovation”

within the UK’s cybersecurity sector, which possesses “considerable growth potential”.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, we ought to be mindful and congratulate the noble Lord on having been parliamentarian of the year as a result of his campaigning activities.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Just to follow up, have the Government formally responded to the original review from the noble Lord, Lord Vallance? That would be very helpful as well, in unpacking what were clearly extremely well-informed recommendations. It should, no doubt, be taken extremely seriously.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Before the Minister sits down or stands up or whatever the appropriate phrase should be, I very much hope that, since the previous Government gave that indication, this Government will take that as a spur to non-glacial progress. I hope that at least the speed might get up to a number of miles per hour before too long.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, the trouble with this House is that some have long memories. The noble Earl, Lord Erroll, reminded us all to look back, with real regret, at the Digital Economy Act and the failure to implement Part 3. I think that that was a misstep by the previous Government.

Like all of us, I warmly welcome the inclusion of data access provisions for researchers studying online safety matters in Clause 123 of the Bill. As we heard from the noble Baroness, Lady Kidron, and the noble Lord, Lord Knight, this was very much unfinished business from the Online Safety Act. However, I believe that, in order for the Bill to be effective and have the desired effect, the Government need to accept the amendments in the names of the noble Baroness, Lady Kidron, and the noble Lord, Lord Bethell. In terms of timeframe, the width of research possible, enforceability, contractual elements and location, they cover the bases extremely effectively.

The point was made extremely well by the noble Lords, Lord Bethell and Lord Russell, that we should not have to rely on brave whistleblowers such as Frances Haugen. We should be able to benefit from quality researchers, whether from academia or elsewhere, in order to carry out this important work.

My Amendment 198B is intended as a probing amendment about the definition of researchers under Clause 123, which has to be carefully drawn to allow for legitimate non-governmental organisations, academics and so on, but not so widely that it can be exploited by bad actors. For example, we do not want those who seek to identify potential exploits in a platform to use this by calling themselves “independent researchers” if they simply describe themselves as such. For instance, could Tommy Robinson seek to protect himself from liabilities in this way? After all, he called himself an “independent journalist” in another context when he clearly was not. I hope that when the Government come to draw up the regulations they will be mindful of the need to be very clear about what constitutes an independent or accredited researcher, or whatever phrase will be used in the context.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, we have had some powerful speeches in this group, not least from the noble Baronesses, Lady Kidron and Lady Owen, who drafted important amendments that respond to the escalating harms caused by AI-generated sexual abuse material relating to children and adults. The amendment from the noble Baroness, Lady Kidron, would make it an offence to use personal data or digital information to create digital models or files that facilitate the creation of AI or computer-generated child sexual abuse material. As she outlined and the noble Lord, Lord Bethell, confirmed, it specifically would become an offence to create, train or distribute generative AI models that enable the creation of computer-generated CSAM or priority legal content; to train AI models on CSAM or priority illegal content; or to possess AI models that produce CSAM or priority legal content.

This amendment responds to a growing problem, as we have heard, around computer-generated sexual abuse material and a gap in the law. There is a total lack of safeguards preventing bad actors creating sexual abuse imagery, and it is causing real harm. Sites enabling this abuse are offering tools to harm, humiliate, harass, coerce and cause reputational damage. Without robust legal frameworks, victims are left vulnerable while perpetrators operate with impunity.

The noble Lord, Lord Bethell, mentioned the Internet Watch Foundation. In its report of July, One Step Ahead, it reported on the alarming rise of AI-generated CSAM. In October 2023, in How AI is Being Abused to Create Child Sexual Abuse Imagery, it made recommendations to the Government regarding legislation to strengthen legal frameworks to better address the evolving landscape of AI-generated CSAM and enhance preventive measures against its creation and distribution. It specifically recommended:

“That the Government legislates to make it an offence to use personal data or digital information to create digital models or files that facilitate the creation of AI or computer-generated child sexual abuse material”.


The noble Baroness, Lady Kidron, tabled such an amendment to the previous Bill. As she said, she was successful in persuading the then Government to accept it; I very much hope that she will be as successful in persuading this Government to accept her amendment.

Amendments 211G and 211H in the name of the noble Baroness, Lady Owen, are a response to the extraordinary fact that one in 14 adults has experienced threats to share intimate images in England and Wales; that rises to one in seven among young women. Research from Internet Matters shows that 49% of young teenagers in the UK aged between 13 and 16—around 750,000 children—said that they were aware of a form of image-based abuse being perpetrated against another young person known to them.

We debated the first of the noble Baroness’s amendments, which is incorporated in her Bill, last Friday. I entirely agree with the noble Lord, Lord Knight; I did not find the Government’s response at all satisfactory. I hope that, in the short passage of time between then and now, they have had time to be at least a little agile, as he requested. UK law clearly does not effectively address non-consensual intimate images. It is currently illegal to share or threaten to share non-consensual intimate images, including deepfakes, but creating them is not yet illegal; this means that someone could create a deepfake image of another person without their consent and not face legal consequences as long as they do not share, or threaten to share, it.

This amendment is extremely welcome. It addresses the gap in the law by criminalising the creation of non-consensual intimate images, including deepfakes. It rightly targets deepfakes due to their rising prevalence and potential for harm, particularly towards women. Research shows that 98% of deepfake videos online are pornographic, with 99% featuring women and girls. This makes it an inherently sexist problem that is a new frontier of violence against women—words that I know the noble Baroness has used.

I also very much welcome the new amendment not contained in her Bill, responding to what the noble Baroness, Lady Gohir, said at its Second Reading last Friday about including audio deepfakes. The words “shut down every avenue”, which I think were used by the noble Baroness, Lady Gohir, are entirely apposite in these circumstances. Despite what the noble Lord, Lord Ponsonby, said on Friday, I hope that the Government will accept both these amendments and redeem their manifesto pledge to ban the creation of sexually explicit deepfakes, whether audio or video.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I declare my AI interests as set out in the register. I will speak in support of Amendments 204, 205 and 206, which have been spoken to so inspiringly by the noble Baroness, Lady Kidron, and so well by the noble Lords, Lord Freyberg, Lord Lucas and Lord Hampton, the noble Earl, Lord Clancarty, and the noble Viscount, Lord Colville. Each demonstrated different facets of the issue.

I co-chair the All-Party Group on AI and chaired the AI Select Committee a few years ago. I wrote a book earlier this year on AI regulation, which had a namecheck from the noble Baroness, Lady Jones, at Question Time, which I was very grateful for. Before that, I had a career as an IP lawyer, defending copyright and creativity, and in this House, I have been my party’s creative industries spokesperson. The question of IP and the training of generative AI models is a key issue for me.

This is the case not just in the UK but around the world. Getty and the New York Times are suing in the United States, as are many writers, artists and musicians. It was at the root of the Hollywood actors’ and writers’ strikes last year. It is one thing to use the tech—many of us are AI enthusiasts—but it is another to be at the mercy of it.

Close to home, the FT has pointed out, using the index published by the creator of an unlicensed dataset called Books3, published online, that it is possible to identify that over 85 books written by 33 Members of the House of Lords have been pirated to train AI models from household names, such as Meta, Microsoft and Bloomberg. Although it is absolutely clear that we know that the use of copyrighted works to train AI models is contrary to UK copyright law, the laws around the transparency of these activities have not caught up. As we have heard, as well as using pirated e-books in their training data, AI developers scrape the internet for valuable professional journalism and other media, in breach of both the terms of service of websites and copyright law, to train commercial AI models. At present, developers can do this without declaring their identity, or they may use IP scraped to appear in a search index for the completely different commercial purpose of training AI models.

How can rights owners opt out of something that they do not know about? AI developers will often scrape websites or access other pirated material before they launch an LLM in public. This means that there is no way for IP owners to opt out of their material being taken before its inclusion in these models. Once used to train these models, the commercial value, as we have heard, has already been extracted from IP scraped without permission, with no way to delete data from these models.

The next wave of AI models responds to user queries by browsing the web to extract valuable news and information from professional news websites. This is known as retrieval-augmented generation—RAG. Without payment for extracting this commercial value, AI agents built by companies such as Perplexity, Google and Meta will, in effect, free-ride on the professional hard work of journalists, authors and creators. At present, such crawlers are hard to block. There is no market failure; there are well-established licensing solutions. There is no uncertainty around the existing law; the UK is absolutely clear that commercial organisations, including gen AI developers, must license the data that they use to train their large language models.

Here, as the Government’s intentions become clearer, the political, business and creative temperature is rising. Just this week, we have seen the creation of a new campaign, the Creative Rights in AI Coalition—CRAIC —across the creative and news industries and, recently, Ed Newton-Rex reached more than 30,000 signatories from among creators and creative organisations.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

I thank the noble Lord for that. He is anticipating a paragraph in my notes, which says that, although it is not set out in the amendments, robust enforcement of these provisions will be critical to their success. This includes oversight from an expert regulator that is empowered to issue significant penalties, including fines for non-compliance. There is a little extra work to do there, and I would very much like to see the Intellectual Property Office gain some teeth.

I am going to close. We are nearly at the witching hour, but it is clear that AI developers are seeking to use their lobbying clout—the noble Baroness, Lady Kidron, mentioned the Kool-Aid—to persuade the Government that new copyright law is required. Instead, this amendment would clarify that UK copyright law applies to gen AI developers. The creative industries, and noble Lords from across the House as their supporters, will rally around these amendments and vigorously oppose government plans for a new text and data- mining exception.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, it is a pity that this debate is taking place so late. I thank the noble Lord, Lord Arbuthnot, for his kind remarks, but my work ethic feels under considerable pressure at this time of night.

All I will say is that this is a much better amendment than the one that the noble Baroness, Lady Kidron, put forward for the Data Protection and Digital Information Bill, and I very strongly support it. Not only is this horrifying in the context of the past Horizon cases, but I read a report about the Capture software, which is likely to have created shortfalls that led to sub-postmasters being prosecuted as well. This is an ongoing issue. The Criminal Cases Review Commission is reviewing five Post Office convictions in which the Capture IT system could be a factor, so we cannot say that this is about just Horizon, as there are the many other cases that the noble Baroness cited.

We need to change this common law presumption even more in the face of a world in which AI use, with all its flaws and hallucinations, is becoming ever present, and we need to do it urgently.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I have far too little time to do justice to this subject. We on these Benches welcome this amendment. It is entirely consistent with the sovereign health fund proposed by Future Care Capital and, indeed, with the proposals from the Tony Blair Institute for Global Change on a similar concept called the national data trust. Indeed, this concept formed part of our Liberal Democrat manifesto at the last general election, so of course I support the amendment.

It would be very useful to hear more about the national data library, including on its purpose and operation, as the noble Baroness, Lady Kidron, said. I entirely agree with her that there is a great need for a sovereign cloud service or services. Indeed, the inability to guarantee that data on the cloud is held in this country is a real issue that has not yet been properly addressed.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I shall be #even shorter. Data centres and their energy consumption are important issues. I agree that at a suitable moment—probably not now—it would be very interesting to hear the Government’s views on that. Reports from UK parliamentary committees and the Government have consistently emphasised the critical importance of maintaining public trust in data use and AI, but sometimes, the actions of the Government seem to go contrary to that. I support the noble Lord, Lord Holmes, in his call for essentially realising the benefits of AI while making sure that we maintain public trust.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, listening to the noble Lord, Lord Lucas, is often an education, and today is no exception. I had no idea what local environmental records centres were, so I shall be very interested to hear what the Minister has to say in response.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, in carrying on on this group, I will speak to the question that Clause 78 stands part, and to Amendments 107, 109, 125, 154, 155 and 156, but to start I support Amendment 87 in the name of the noble and learned Lord, Lord Thomas of Cwmgiedd. We had a masterclass from him last Tuesday and he made an extremely good case for that amendment, which is very elegant.

The previous Government deleted the EU Charter of Fundamental Rights from the statute book through the Retained EU Law (Revocation and Reform) Act 2023, and this Bill does nothing to restore it. Although references in the UK GDPR to fundamental rights and freedoms are now to be read as references to the ECHR as implemented through the Human Rights Act 1998, the Government’s ECHR memorandum states:

“Where processing is conducted by a private body, that processing will not usually engage convention rights”.


As the noble and learned Lord mentioned, this could leave a significant gap in protection for individuals whose data is processed by private organisations and will mean lower data protection rights in the UK compared with the EU, so these Benches strongly support his Amendment 87, which would apply the convention to private bodies where personal data is concerned. I am afraid we do not support Amendments 91 and 97 from the noble Viscount, Lord Camrose, which seem to hanker after the mercifully defunct DPDI.

We strongly support Amendments 139 and 140 from the noble Baroness, Lady Kidron. Data communities are one of the important omissions from the Bill. Where are the provisions that should be there to support data-sharing communities and initiatives such as Solid? We have been talking about data trusts and data communities since as long ago as the Hall-Pesenti review. Indeed, it is interesting that the Minister herself only this April said in Grand Committee:

“This seems to be an area in which the ICO could take a lead in clarifying rights and set standards”.


Indeed, she put forward an amendment:

“Our Amendment 154 would therefore set a deadline for the ICO to do that work and for those rights to be enacted. The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, made a good case for broadening these rights in the Bill and, on that basis, I hope the Minister will agree to follow this up, and follow up his letter so that we can make further progress on this issue”.—[Official Report, 17/4/24; col. GC 322.]


I very much hope that, now the tables are turned, so to speak, the Minister will take that forward herself in government.

Amendments 154, 155 and 156 deal with the removal of the principle of the supremacy of EU law. They are designed to undo the lowering of the standard of data protection rights in the UK brought about by the REUL Act 2023. The amendments would apply the protections required in Article 23.2 of the UK GDPR to all the relevant exceptions in Schedules 2 to 4 to the Data Protection Act 2018. This is important because data adequacy will be lost if the standard of protection of personal data in the UK is no longer essentially equivalent to that in the EU.

The EU’s adequacy decision stated that it did not apply in the area of immigration and referred to the case of Open Rights Group v the Secretary of State for the Home Department in the Court of Appeal. This case was brought after the UK left the EU, but before the REULA came into effect. The case is an example of how the preservation of the principle of the supremacy of EU law continued to guarantee high data protection standards in the UK, before this principle was deleted from the statute book by the REULA. In broad terms, the Court of Appeal found that the immigration exception in Schedule 2 to the Data Protection Act 2018 conflicted with the safeguards in Article 23 of the UK GDPR. This was because the immigration exemption was drafted too broadly and failed to incorporate the safeguards prescribed for exemptions under Article 23.2 of the UK GDPR. It was therefore held to be unlawful and was disapplied.

The Home Office redrafted the exemption to make it more protective, but it took several attempts to bring forward legislation which provided sufficient safeguards for data subjects. The extent of the safeguards now set out in the immigration exemption underscores both what is needed for compatibility with Article 23.2 of the UK GDPR and the deficiencies in the rest of the Schedule 2 exemptions. It is clear when reading the judgment in the Open Rights case that the majority of the exemptions from data subject rights under Schedule 2 to the Data Protection Act fail to meet the standards set out in Article 23.2 to the UK GDPR. The deletion of the principle of the supremacy of EU law has removed the possibility of another Open Rights-style challenge to the other exemptions in Schedule 2 to the Data Protection Act 2018. I hope that, ahead of the data adequacy discussions with the Commission, the Government’s lawyers have had a good look at the amendments that I have tabled, drafted by a former MoJ lawyer.

The new clause after Clause 107 in Amendment 154 applies new protections to the immigration exemption to the whole of Schedule 2 to the DPA 2018, with the exception of the exemptions that apply in the context of journalism or research, statistics and archiving. Unlike the other exemptions, they already contain detailed safeguards.

Amendment 155 is a new clause extending new protections which apply to the immigration exemption to Schedule 3 to the DPA 2018, and Amendment 156 is another new clause applying new protections which apply to the immigration exemption to Schedule 2 to the DPA 2018.

As regards Amendment 107, the Government need to clarify how data processing under recognised legitimate interests are compatible with conditions for data processing under existing lawful bases, including the special categories of personal data under Articles 5 and 9 of the UK GDPR. The Bill lowers the standard of the protection of personal data where data controllers only have to provide personal data based on

“a reasonable and proportionate search”.

The lack of clarity on what reasonable and proportionate mean in the context of data subject requests creates legal uncertainty for data controllers and organisations, specifically regarding whether the data subject’s consideration on the matter needs to be accounted for when responding to requests. This is a probing amendment which requires the Secretary of State to explain why the existing lawful bases for data processing are inadequate for the processing of personal data when additional recognised legitimate interests are introduced. It requires the Secretary of State to publish guidance within six months of the Act’s passing to clarify what constitutes reasonable and proportionate protections of personal data.

Amendment 109 would insert a new clause, to ensure that data controllers assess the risk of collective and societal harms,

“including to equality and the environment”,

when carrying out data protection impact assessments. It requires them to consult affected people and communities while carrying out these assessments to improve their quality, and requires data controllers to publish their assessments to facilitate informed decision-making by data subjects and to enable data controllers to be held accountable.

Turning to whether Clause 78 should stand part, on top of Clause 77, Clause 78 would reduce the scope of transparency obligations and rights. Many AI systems are designed in a way that makes it difficult to retrieve personal data once ingested, or understand how this data is being used. This is not principally due to technical limitations but the decision of AI developers who do not prioritise transparency and explainability.

As regards Amendment 125, it is clear that there are still further major changes proposed to the GDPR on police duties, automated decision-making and recognised legitimate interests which continue to make retention of data adequacy for the purposes of digital trade with the EU of the utmost priority in considering those changes. During the passage of the Data Protection and Digital Information Bill, I tabled an amendment to require the Government to publish an assessment of the impact of the Bill on EU/UK data adequacy within six months of the Act passing; I have tabled a similar amendment, with one change, to this Bill. As the next reassessment of data adequacy is set for June 2025, a six-month timescale may prove inconsequential to the overall adequacy decision. We must therefore recommend stipulating that this assessment takes place before this reassessment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

I will take any compliment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

The Minister said there is a power to amend, but she has not said whether she thinks that would be desirable. Is the power to be used only if we are found not to be data-adequate because the immigration exemption does not apply across the board? That is, will the power be used only if we are forced to use it?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, the debate on this group emphasises how far behind the curve we are, whether it is by including new provisions in this Bill or by bringing forward an AI Bill—which, after all, was promised in the Government’s manifesto. It emphasises that we are not moving nearly fast enough in thinking about the implications of AI. While we are doing so, I need to declare an interest as co-chair of the All-Party Parliamentary Group on AI and a consultant to DLA Piper on AI policy and regulation.

I have followed the progress of AI since 2016 in the capacity of co-chair of the all-party group and chair of the AI Select Committee. We need to move much faster on a whole range of different issues. I very much hope that the noble Lord, Lord Vallance, will be here on Wednesday, when we discuss our crawler amendments, because although the noble Lord, Lord Holmes, has tabled Amendment 211A, which deals with personality rights, there is also extreme concern about the whole area of copyright. I was tipped off by the noble Lord, Lord Stevenson, so I was slightly surprised that he did not bring our attention to it: we are clearly due the consultation at any moment on intellectual property, but there seems to be some proposal within it for personality rights themselves. Whether that is a quid pro quo for a much-weakened situation on text and data mining, I do not know, but something appears to be moving out there which may become clear later this week. It seems a strange time to issue a consultation, but I recognise that it has been somewhat delayed.

In the meantime, we are forced to put forward amendments to this Bill trying to anticipate some of the issues that artificial intelligence is increasingly giving rise to. I strongly support Amendments 92, 93, 101 and 105 put forward by the noble Viscount, Lord Colville, to prevent misuse of Clause 77 by generative AI developers; I very much support the noble Lord, Lord Holmes, in wanting to see protection for image, likeness and personality; and I very much hope that we will get a positive response from the Minister in that respect.

We have heard from the noble Baronesses, Lady Kidron and Lady Harding, and the noble Lords, Lord Russell and Lord Stevenson, all of whom have made powerful speeches on previous Bills—the then Online Safety Bill and the Data Protection and Digital Information Bill—to say that children should have special protection in data protection law. As the noble Baroness, Lady Kidron, says, we need to move on from the AADC. That was a triumph she gained during the passage of the Data Protection Act 2018, but six years later the world looks very different and young people need protection from AI models of the kind she has set out in Amendment 137. I agree with the noble Lord, Lord Stevenson, that we need to talk these things through. If it produces an amendment to this Bill that is agreed, all well and good, but it could mean an amendment or part of a new AI Bill when that comes forward. Either way, we need to think constructively in this area because protection of children in the face of generative AI models, in particular, is extremely important.

This group, looking forward to further harms that could be caused by AI, is extremely important on how we can mitigate them in a number of different ways, despite the fact that these amendments appear to deal with quite a disparate group of issues.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I welcome the amendments spoken to so well by the noble Baroness, Lady Harding, regarding the open electoral register. They are intended to provide legal certainty around the use of the register, without compromising on any aspect of the data privacy of UK citizens or risking data adequacy. The amendments specify that companies are exempt from the requirement to provide individuals with information in cases where their personal data has not been obtained directly from them if that data was obtained from the open electoral register. They also provide further clarification on what constitutes “disproportionate effort” under new paragraph 5(e) of Article 14 of GDPR.

The noble Baroness covered the ground so effectively that all I need to add is that the precedent established by the current interpretation by the tribunal will affect not only the open electoral register but other public sources of data, including the register of companies, the Registry of Judgments, Orders and Fines, the Land Registry and the Food Standards Agency register. Importantly, it may even prevent the important work being done to create a national data library achieving its objectives of public sector data sharing. It will have far-reaching implications if we do not change the Bill in the way that the noble Baroness has put forward.

I thank the noble Lord, Lord Lucas, for his support for Amendment 160. I reciprocate in supporting—or, at least, hoping that we get clarification as a result of—his Amendments 158 and 161.

Amendment 159B seeks to ban what are colloquially known as cookie paywalls. As can be seen, it is the diametric opposite to Amendment 159A, tabled by the noble Viscount, Lord Camrose. For some unaccountable reason, cookie paywalls require a person who accesses a website or app to pay a fee to refuse consent to cookies being accessed from or stored on their device. Some of these sums can be extortionate and exorbitant, so I was rather surprised by the noble Viscount’s counter amendment.

Earlier this year, the Information Commissioner launched a call for views which looked to obtain a range of views on its regulatory approach to consent or pay models under data protection law. The call for views highlighted that organisations that are looking to adopt, or have already adopted, a consent-or-pay model must consider the data protection implications.

Cookie paywalls are a scam and reduce people’s power to control their data. I wonder why someone must pay if they do not consent to cookies being stored or accessed. The PEC regulations do not currently prohibit cookie paywalls. The relevant regulation is Regulation 6, which is due to be substituted by Clause 111, and is supplemented by new Schedule A1 to the PEC regulations, as inserted by Schedule 12 to the Bill. The regulation, as substituted by Clause 111 and Schedule 12, does not prohibit cookie paywalls. This comes down to the detail of the regulations, both as they currently are and as they will be if the Bill remains as drafted. It is drafted in terms that do not prevent a person signifying lack of consent to cookies, and a provider may add or set controls—namely, by imposing requirements—for how a person may signify that lack of consent. Cookie paywalls would therefore be completely legal, and they certainly have proliferated online.

This amendment makes it crystal clear that a provider must not require a person to pay a fee to signify lack of consent to their data being stored or accessed. This would mean that, in effect, cookie paywalls would be banned.

Amendment 160 is sought by the Advertising Association. It seeks to ensure that the technical storage of or access to information is considered necessary under paragraph 5 of the new Schedule A1 to the PEC regulations inserted by Schedule 12 if it would support measurement or verification of the performance of advertising services to allow website owners to charge for their advertising services more accurately. The Bill provides practical amendments to the PEC regulations through listing the types of cookies that no longer require consent.

This is important, as not all cookies should be treated the same and not all carry the same high-level risks to personal privacy. Some are integral to the service and the website itself and are extremely important for subscription-free content offered by publishers, which is principally funded by advertising. Introducing specific and target cookie exemptions has the benefit of, first, simplifying the cookie consent banner, and, secondly, increasing further legal and economic certainty for online publishers. As I said when we debated the DPDI Bill, audience measurement is an important function for media owners to determine the consumption of content, to be able to price advertising space for advertisers. Such metrics are crucial to assess the effectiveness of a media channel. For sites that carry advertising, cookies are used to verify the delivery and performance of a digital advertisement—ie, confirmation that an ad has been served or presented to a user and whether it has been clicked on. This is essential information to invoice an advertiser accurately for the number of ad impressions in a digital ad campaign.

My reading of the Bill suggests that audience measurement cookies would be covered under the list of exemptions from consent under Schedule 12, however. Can the Government confirm this? Is it the Government’s intention to use secondary legislation in future to exempt ad performance cookies?

Coming to Amendment 162 relating to the soft opt-in, I am grateful to the noble Lord, Lord Black of Brentwood, and the noble Baroness, Lady Harding of Winscombe, for their support. This amendment would enable charities to communicate to donors in the same way that businesses have been able to communicate to customers since 2003. The clause will help to facilitate greater fundraising and support the important work that charities do for society. I can do no better than quote from the letter that was sent to Secretary of State Peter Kyle on 25 November, which was co-ordinated by the DMA and involved nearly 20 major charities, seeking support for reinstating the original Clause 115 of the DPDI Bill into this Bill:

“Clause 115 of the previous DPDI Bill extended the ‘soft opt-in’ for email marketing for charities and non-commercial organisations. The DMA estimates that extending the soft opt-in to charities would increase annual donations in the UK by £290 million”,


based on analysis of 13.1 million donors by the Salocin Group. The letter continues:

“At present, the DUA Bill proposals remove this. The omission of the soft opt-in will prevent charities from being able to communicate to donors in the same way as businesses can. As representatives of both corporate entities and charitable organisations, it is unclear to the DMA why charities should be at a disadvantage in this regard”.


I hope that the Government will listen to the DMA and the charities involved.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

When does the Minister anticipate that the ICO will produce that report?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

May I ask the Minister a hypothetical question? If the ICO believes that these are not desirable, what instruments are there for changing the law? Can the ICO, under its own steam, so to speak, ban them; do we need to do it in primary legislation; or can it be done in secondary legislation? If the Minister cannot answer now, perhaps she can write to me.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, in moving Amendment 108, I will also speak to all the other amendments in this group. They are all designed to transfer all existing provisions from the courts to the tribunals and simplify the enforcement of data rights. Is that not something to be desired? This is not just a procedural change but a necessary reform to ensure that the rights granted on paper translate into enforceable rights in reality.

The motivation for these amendments stems from recurring issues highlighted in cases such as Killock and Veale v the Information Commissioner, and Delo v the Information Commissioner. These cases revealed a troubling scenario where the commissioner presented contradictory positions across different levels of the judiciary, exacerbating the confusion and undermining the credibility of the regulatory framework governing data protection. In these cases, the courts have consistently pointed out the confusing division of jurisdiction between different courts and tribunals, which not only complicates the legal process but wastes considerable public resources. As it stands, individuals often face the daunting task of determining the correct legal venue for their claims, a challenge that has proved insurmountable for many, leading to denied justice and unenforced rights.

By transferring all data protection provisions from the courts to more specialised tribunals, which are better equipped to handle such cases, and clarifying the right-to-appeal decisions made by the commissioner, these amendments seek to eliminate unnecessary legal barriers. Many individuals, often representing themselves and lacking legal expertise, face the daunting challenge of navigating complex legal landscapes, deterred by high legal costs and the intricate determination of appropriate venues for their claims. This shift will not only reduce the financial burden on individuals but enhance the efficiency and effectiveness of the judicial process concerning data protection. By simplifying the legal landscape, we can safeguard individual rights more effectively and foster a more trustworthy digital environment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for his response to my amendments and welcome him to the Dispatch Box and a whole world of pain on the Data (Use and Access) Bill, as he has, no doubt, noted already after just two hours’ worth of this Committee.

I found his response disappointing, and I think both he and the noble Viscount, Lord Camrose, have misunderstood the nature of this situation. This is not a blend, which is all beautifully logical depending on the nature of the case. This is an absolute mishmash where the ordinary litigant is faced with great confusion, not knowing quite often whether to go to the court or a tribunal, where the judges themselves have criticised the confusion and where there appears to be no appetite, for some reason, in government for a review of the jurisdictions.

I felt that the noble Viscount was probably reading from his previous ministerial brief. Perhaps he looked back at Hansard for what he said on the DPDI Bill. It certainly sounded like that. The idea that the courts are peerless in their legal interpretation and the poor old tribunals really just do not know what they are doing is wrong. They are expert tribunals, you can appear before them in person and there are no fees. It is far easier to access a tribunal than a court and certainly, as far as appeals are concerned, the idea that the ordinary punter is going to take judicial review proceedings, which seems to be the implication of staying with the current system on appeals if the merits of the ICO’s decisions are to examined, seems quite breathtaking. I know from legal practice that JR is not cheap. Appearing before a tribunal and using that as an appeal mechanism would seem far preferable.

I will keep on pressing this because it seems to me that at the very least the Government need to examine the situation to have a look at what the real objections are to the jurisdictional confusion and the impact on data subjects who wish to challenge decisions. In the meantime, I beg leave to withdraw the amendment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I beg to move Amendment 110 and will speak to Amendments 112, 114, 120, 121, 122, 123 and Clause 80 stand part. As we have heard, artificial intelligence and algorithmic and automated decision-making tools, are increasingly being used across the public sector to make and support many of the highest impact decisions affecting individuals, families and communities across healthcare, welfare, education, policing, immigration and many other sensitive areas of an individual’s life.



The Committee will be pleased to hear that I will not repeat the contents of my speech on my Private Member’s Bill on this subject last Friday. But the fact remains that the rapid adoption of AI in the public sector presents significant risks and challenges, including: the potential for unfairness, discrimination and misuse, as demonstrated by scandals such as the UK’s Horizon and Australia’s Robodebt cases; automated decisions that are prone to serious error; lack of transparency and accountability in automated decision-making processes; privacy and data protection concerns; algorithmic bias; and the need for human oversight.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I was listening very carefully. Does “underpinned by the regulations” mean that it will be underpinned?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

The issue of meaningful human involvement is absolutely crucial. Is the Minister saying that regulations issued by the Secretary of State will define “meaningful human involvement”, or is she saying that it is already in the primary legislation, which is not my impression?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

I am sorry to interrupt again as we go along but, a sentence or so ago, the Minister said that the definition in Amendment 123 of meaningful human involvement in automated decision-making was unnecessary. The amendment is designed to change matters. It would not be the Secretary of State who determined the meaning of meaningful human involvement; in essence, it would be initiated by the Information Commissioner, in consultation with the Secretary of State. So I do not quite understand why the Minister used “unnecessary”. It may be an alternative that is undesirable, but I do not understand why she has come to the conclusion that it is unnecessary. I thought it was easier to challenge the points as we go along rather than at the very end.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

That is slightly splitting hairs. The noble Viscount, Lord Camrose, might want to comment because he wanted to delete the wording that says:

“The Secretary of State may by regulations provide that … there is, or is not, to be taken to be meaningful human involvement”.


He certainly will determine—or is able to determine, at least—whether or not there is human involvement. Surely, as part of that, there will need to be consideration of what human involvement is.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for her very detailed and careful response to all the amendments. Clearly, from the number of speakers in this debate, this is one of the most important areas of the Bill and one that has given one of the greatest degrees of concern, both inside and outside the Committee. I think the general feeling is that there is still concern. The Minister is quite clear that the Government are taking these issues seriously, in terms of ADM itself and the impact in the workplace, but there are missing parts here. If you add all the amendments together—no doubt we will read Hansard and, in a sense, tick off the areas where we have been given an assurance about the interpretation of the Bill—there are still great gaps.

It was very interesting to hear what the noble Lord, Lord Kamall, had to say about how the computer said “no” as he reached the gate. A lot of this is about communications. I would be very interested if any letter to the noble Lord, Lord Lucas, was copied more broadly, because that is clearly one of the key issues. It was reassuring to hear that the ICO will be on top of this in terms of definitions, guidance, audit and so on, and that we are imminently to get the publication of the records of algorithmic systems in use under the terms of the algorithmic transparency recording standard.

We have had some extremely well-made points from the noble Viscounts, Lord Colville and Lord Camrose, the noble Lords, Lord Lucas, Lord Knight and Lord Holmes, and the noble Baroness, Lady Kidron. I am not going to unpack all of them, but we clearly need to take this further and chew it over before we get to Report. I very much hope that the Minister will regard a will write letter on stilts as required before we go very much further, because I do not think we will be purely satisfied by this debate.

The one area where I would disagree is on treating solely automated decision-making as the pure subject of the Clause 80 rights. Looking at it in the converse, it is perfectly proper to regard something that does not have meaningful human involvement as predominantly automated decision-making. I do not think, in the words of the noble Viscount, Lord Camrose, that this does muddy the waters. We need to be clearer about what we regard as being automated decision-making for the purpose of this clause.

There is still quite a lot of work to do in chewing over the Minister’s words. In the meantime, I beg leave to withdraw my amendment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, a key aspect of data protection rests in how it restricts the use of personal data once it has been collected. The public need confidence that their data will be used for the reasons they had shared it and not further used in ways that breach their legitimate expectations—or they will become suspicious as regards providing their data. The underlying theme that we heard on the previous group was the danger of losing public trust, which very much applies in the area of law enforcement and national security.

However, Schedules 4 and 5 would remove the requirement to consider the legitimate expectations of the individuals whose data is being processed, or the impact that this would have on their rights, for the purposes of national security, crime detection and prevention, safeguarding or answering to a request by a public authority. Data used for the purposes listed in these schedules would not need to undergo either a balancing test under Article 6.1(f) or a compatibility test under Article 6.4 of the UK GDPR. The combined effect of these provisions would be to authorise almost unconditional data sharing for law enforcement and other public security purposes while, at the same time, reducing accountability and traceability over how the police use the information being shared with them.

As with the previous DPDI Bill, Clauses 87 to 89 of this Bill grant the Home Secretary and police powers to view and use people’s personal data through the use of national security certificates and designation notices, which are substantially the same as Clauses 28 to 30 of the previous DPDI Bill. This risks further eroding trust in law enforcement authorities. Accountability for access to data for law enforcement purposes should not be lowered, and data sharing should be underpinned by a robust test to ensure that individuals’ rights and expectations are not disproportionately impacted. It is a bafflement as to why the Government are so slavishly following their predecessor and believe that these new and unaccountable powers are necessary.

By opposing that Clause 81 stand part, I seek to retain the requirement for police forces to record the reason they are accessing data from a police database. The public need more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them. Just recently, the Met Police admitted that they investigated more than 100 staff over the inappropriate accessing of information in relation to Sarah Everard. This shows that the police can and do act to access information inappropriately, and there may well be less prominent cases where police abuse their power by accessing information without worry for the consequences.

Regarding Amendments 126, 128 and 129, Rights and Security International has repeatedly argued that the Bill would violate the UK’s obligations under the European Convention on Human Rights. On Amendment 126, the requirements in the EU law enforcement directive for logging are, principally, to capture in all cases the justification for personal data being examined, copied, amended or disclosed when it is processed for a law enforcement process—the objective is clearly to ensure that data is processed only for a legitimate purpose—and, secondarily, to identify when, how and by whom the data has been accessed or disclosed. This ensures that individual accountability is captured and recorded.

Law enforcement systems in use in the UK typically capture some of the latter information in logs, but very rarely do they capture the former. Nor, I am informed, do many commodity IT solutions on the market capture why data was accessed or amended by default. For this reason, a long period of time was allowed under the law enforcement directive to modify legacy systems installed before May 2016, which, in the UK, included services such as the police national computer and the police national database, along with many others at a force level. This transitional relief extended to 6 May 2023, but UK law enforcement did not, in general, make the required changes. Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem.

In early April 2023, the Data Protection Act 2018 (Transitional Provision) Regulations 2023 were laid before Parliament. These regulations had the effect of unilaterally extending the transitional relief period under the law enforcement directive for the UK from May 2023 to May 2026. The Government now wish to strike the requirement to capture the justification for any access to data completely, on the basis that this would free up to 1.5 million hours a year of valuable police time for our officers so that they can focus on tackling crime on our streets, rather than being bogged down by administration, and that this would save approximately £42.8 million per year in taxpayers’ money.

This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy. The application of effective control over access to data is very much a live issue in policing, and changing the logging requirement in this way does nothing to improve police data management. Rather, it excuses and perpetuates bad practice. Nor does it increase public confidence.

Clause 87(7) introduces new Section 78A into the Act. This lays down a number of exemptions and exclusions from Part 3 of that Act when the processing is deemed to be in the interests of national security. These exemptions are wide ranging, and include the ability to suspend or ignore principles 2 through 6 in Part 3, and thus run directly contrary to the provisions and expectations of the EU law enforcement directive. Ignoring those principles in itself also negates many of the controls and clauses in Part 3 in its entirety. As a result, they will almost certainly result in the immediate loss of EU law-enforcement adequacy.

I welcome the ministerial letter from the noble Lord, Lord Hanson of Flint, to the noble Lord, Lord Anderson, of 6 November, but was he really saying that all the national security exemption clause does is bring the 2018 Act into conformity with the GDPR? I very much hope that the Minister will set out for the record whether that is really the case and whether it is really necessary to safeguard national security. Although it is, of course, appropriate and necessary for the UK to protect its national security interests, it is imperative that balance remains to protect the rights of a data subject. These proposals do not, as far as we can see, strike that balance.

Clause 88 introduces the ability of law enforcement, competent authorities and intelligence agencies to act as joint controllers in some circumstances. If Clause 88 and associated clauses go forward to become law, they will almost certainly again result in withdrawal of UK law enforcement adequacy and will quite likely impact on the TCA itself.

Amendment 127 is designed to bring attention to the fact that there are systemic issues with UK law enforcement’s new use of hyperscaler cloud service providers to process personal data. These issues stem from the fact that service providers’ standard contracts and terms of service fail to meet the requirements of Part 3 of the UK’s Data Protection Act 2018 and the EU law enforcement directive. UK law enforcement agencies are subject to stringent data protection laws, including Part 3 of the DPA and the GDPR. These laws dictate how personal data, including that of victims, witnesses, suspects and offenders, can be processed. Part 3 specifically addresses data transfers to third countries, with a presumption against such transfers unless strictly necessary. This contrasts with UK GDPR, which allows routine overseas data transfer with appropriate safeguards.

Cloud service providers routinely process data outside the UK and lack the necessary contractual guarantees and legal undertakings required by Part 3 of the DPA. As a result, their use for law enforcement data processing is, on the face of it, not lawful. This non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss. The sheer volume of data processed by law enforcement, particularly body-worn video footage, exacerbates the financial risk. If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually. The Government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR and the DPA.

The current effect of Section 73(4)(b) of the Data Protection Act is to restrict transfers for competent authorities who may have a legitimate operating need, and should possess the internal capability to assess that need, from making transfers to recipients who are not relevant authorities or international organisations and that cloud service provider. This amendment is designed to probe what impact removal of this restriction would have and whether it would enable them to do so where such a transfer is justified and necessary. I beg to move.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

I think the noble Viscount, Lord Camrose, referred to Amendment 156A from the noble Lord, Lord Holmes—I think he will find that is in a future group. I saw the Minister looking askance because I doubt whether she has a note on it at this stage.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

There were some raised eyebrows.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for her response on this group, which was, again, very detailed. There is a lot to consider in what she had to say, particularly about the clauses beyond Clause 81. I am rather surprised that the current Government are still going down the same track on Clause 81. It is as if, because the risk of abuse is so high, this Government, like the previous one, have decided that it is not necessary to have the safeguard of putting down the justification in the first place. Yet we have heard about the Sarah Everard police officers. It seems to me perverse not to require justification. I will read further what the Minister had to say but it seems quite extraordinary to be taking away a safeguard at this time, especially when the Minister says that, at the same time, they need to produce logs of the time of the data being shared and so on. I cannot see what is to be gained—I certainly cannot see £42 million being saved. It is a very precise figure: £42.8 million. I wonder where the £800,000 comes from. It seems almost too precise to be credible.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

No. As I was saying, it seems that the Minister is saying that there will still be the necessity to log the fact that data has been shared. However, it seems extraordinary that, at the same time, it is not possible to say what the justification is. The justification could be all kinds of things, but it makes somebody think before they simply share the data. It seems to me that, given the clear evidence of abuse of data by police officers—data of the deceased, for heaven’s sake—we need to keep all the safeguards we currently have. That is a clear bone of contention.

I will read what else the Minister had to say about the other clauses in the group, which are rather more sensitive from the point of view of national security, data sharing abroad and so on.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, in moving Amendment 134—it is the lead amendment in this group—I shall speak to the others in my name and my Clause 92 stand part notice. Many of the amendments in this group stem from concerns that the new structure for the ICO will diminish its independence. The ICO is abolished in favour of the commission.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for that response. If I speak for four minutes, that will just about fill the gap, but I hope to speak for less than that.

The Minister’s response was very helpful, particularly the way in which she put the clarification of objectives. Of course, this is shared with other regulators, where this new growth duty needs to be set in the context of the key priorities of the regulator. My earlier amendment reflected a nervousness about adding innovation and growth duties to a regulator, which may be seen to unbalance the key objectives of the regulator in the first place, but I will read carefully what the Minister said. I welcome the fact that, unlike in the DPDI Bill, there is no requirement for a statement of strategic priorities. That is why I did not support Amendment 135A.

It is somewhat ironic that, in discussing a digital Bill, the noble Viscount, Lord Camrose, decided to go completely analogue, but that is life. Maybe that is what happens to you after four and a half hours of the Committee.

I do not think the Minister covered the ground on the reprimands front. I will read carefully what she said about the annual report and the need for the ICO—or the commission, as it will be—to report on its actions. I hope, just by putting down these kinds of amendments on reprimands, that the ICO will take notice. I have been in correspondence with the ICO myself, as have a number of organisations. There is some dissatisfaction, particularly with companies such as Clearview, where it is felt that the ICO has not taken adequate action on scraping and building databases from the internet. We will see whether the ICO becomes more proactive in that respect. I was reassured, however, by what the Minister said about NED qualifications and the general objective on the independence of the regulator.

There is much to chew on in what the Minister said. In the meantime, I beg leave to withdraw my amendment.

Lord Clement-Jones

- View Speech - Hansard -

Copy Link

-

That the Bill be now read a second time.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I declare my AI interests as set out in the register. I thank Big Brother Watch, the Public Law Project and the Ada Lovelace Institute, which, each in their own way, have provided the evidence and underpinned my resolve to ensure that we regulate the adoption of algorithmic and AI tools in the public sector, which are increasingly being used across it to make and support many of the highest-impact decisions affecting individuals, families and communities across healthcare, welfare, education, policing, immigration and many other sensitive areas of an individual’s life. I also thank the Public Bill Office, the Library and other members of staff for all their assistance in bringing this Bill forward and communicating its intent and contents, and I thank all noble Lords who have taken the trouble to come to take part in this debate this afternoon.

The speed and volume of decision-making that new technologies will deliver is unprecedented. They have the potential to offer significant benefits, including improved efficiency and cost effectiveness in government operations, enhanced service delivery and resource allocation, better prediction and support for vulnerable people and increased transparency in public engagement. However, the rapid adoption of AI in the public sector also presents significant risks and challenges, with the potential for unfairness, discrimination and misuse through algorithmic bias and the need for human oversight, a lack of transparency and accountability in automated decision-making processes and privacy and data protection concerns.

Incidents such as the 2020 A-level and GCSE grading fiasco, where an algorithmic approach saw students, particularly those from lower-income areas, unfairly miss out on university places when an algorithm was used to estimate grades from exams that were cancelled because of Covid-19, have starkly illustrated the dangers of unchecked algorithmic systems in public administration disproportionately affecting those from lower-income backgrounds. That led to widespread public outcry and a loss of trust in government use of technology.

Big Brother Watch’s investigations have revealed that councils across the UK are conducting mass profiling and citizen scoring of welfare and social care recipients. Its report, entitled Poverty Panopticon [The Hidden Algorithms Shaping Britain’s Welfare State], uncovered alarming statistics. Some 540,000 benefits applicants are secretly assigned fraud risk scores by councils’ algorithms before accessing housing benefit or council tax support. Personal data from 1.6 million people living in social housing is processed by commercial algorithms to predict rent non-payers. Over 250,000 people’s data is processed by secretive automated tools to predict the likelihood of abuse, homelessness or unemployment.

Big Brother Watch criticises the nature of these algorithms, stating that most are secretive, unevidenced, incredibly invasive and likely discriminatory. It argues that these tools are being used without residents’ knowledge, effectively creating tools of automated suspicion. The organisation rightly expressed deep concern that these risk-scoring algorithms could be disadvantaging and discriminating against Britain’s poor. It warns of potential violations of privacy and equality rights, drawing parallels to controversial systems like the Metropolitan Police’s gangs matrix database, which was found to be operating unlawfully. From a series of freedom of information requests last June, Big Brother Watch found that a flawed DWP algorithm wrongly flagged 200,000 housing benefit claimants for possible fraud and error, which meant that thousands of UK households every month had their housing benefit claims unnecessarily investigated.

In August 2020, the Home Office agreed to stop using an algorithm to help sort visa applications after it was discovered that the algorithm contained entrenched racism and bias, and following a challenge from the Joint Council for the Welfare of Immigrants and the digital rights group Foxglove. The algorithm essentially created a three-tier system for immigration, with a speedy boarding lane for white people from the countries most favoured by the system. Privacy International has raised concerns about the Home Office's use of a current tool called Identify and Prioritise Immigration Cases—IPIC—which uses personal data, including biometric and criminal records to prioritise deportation cases, arguing that it lacks transparency and may encourage officials to accept recommended decisions without proper scrutiny.

Automated decision-making has been proven to lead to harms in privacy and equality contexts, such as in the Harm Assessment Risk Tool, which was used by Durham Police until 2021, and which predicted reoffending risks partly based on an individual’s postcode in order to inform charging decisions. All these cases illustrate how ADM can perpetuate discrimination. The Horizon saga illustrates how difficult it is to secure proper redress once the computer says no.

There is no doubt that our new Government are enthusiastic about the adoption of AI in the public sector. Both the DSIT Secretary of State and Feryal Clark, the AI Minister, are on the record about the adoption of AI in public services. They have ambitious plans to use AI and other technologies to transform public service delivery. Peter Kyle has said:

“We’re putting AI at the heart of the government’s agenda to boost growth and improve our public services”,


and

“bringing together digital, data and technology experts from across Government under one roof, my Department will drive forward the transformation of the state”.—[Official Report, Commons, 2/9/24; col. 89.]

Feryal Clarke has emphasised the Administration’s desire to “completely transform digital Government” with DSIT. As the Government continue to adopt AI technologies, it is crucial to balance the potential benefits with the need for responsible and ethical implementation to ensure fairness, transparency and public trust.

The Ada Lovelace Institute warns of the unintended consequences of AI in the public sector, including the risk of entrenching existing practices, instead of fostering innovation and systemic solutions. As it says, the safeguards around automated decision-making, which exist only in data protection law, are therefore more critical than ever in ensuring people understand when a significant decision about them is being automated, why that decision is made, and have routes to challenge it, or ask for it to be decided by a human.

Our citizens need greater, not less, protection, but rather than accepting the need for these, we see the Government following in the footsteps of their predecessor by watering down such rights as there are under GDPR Article 22 not to be subject to automated decision-making. We will, of course, be discussing these aspects of the Data (Use and Access) Bill in Committee next week.

ADM safeguards are critical to public trust in AI, but progress has been glacial. Take the Algorithmic Transparency Recording Standard, which was created in 2022 and is intended to offer a consistent framework for public bodies to publish details of the algorithms used in making these decisions. Six records were published at launch, and only three more seem to have been published since then. The previous Government announced earlier this year that the implementation of the Algorithmic Transparency Recording Standard will be mandatory for departments. Minister Clark in the new Government has said,

“multiple records are expected to be published soon”,

but when will this be consistent across government departments? What teeth do the Central Digital and Data Office and the Responsible Technology Adoption Unit, now both within DSIT, have to ensure the adoption of the standard, especially in view of the planned watering down of the Article 22 GDPR safeguards? Where is the promised repository for ATRS records? What about the other public services in local government too?

The Public Law Project, which maintains a register called Tracking Automated Government, believes that in October last year there were more than 55 examples of public ADM systems use. Where is the transparency on those? The fact is that the Government’s Algorithmic Transparency Recording Standard, while a step in the right direction, remains voluntary and lacks comprehensive adoption or indeed a compliance mechanism or opportunity for redress. The current regulatory landscape is clearly inadequate to address these challenges. Despite the existing guidance and framework, there is no legally enforceable obligation on public authorities to be transparent about their use of ADM and algorithmic systems, or to rigorously assess their impact.

To address these challenges, several measures are needed. We need to see the creation of and adherence to ethical guidelines and accountability mechanisms for AI implementation; a clear regulatory framework and standards for use in the public sector; increased transparency and explainability of the adoption and use of AI systems; investment in AI education; and workforce development for public sector employees. We also need to see the right of redress, with a strengthened right for the individuals to challenge automated decisions.

My Bill aims to establish a clear mandatory framework for the responsible use of algorithmic and automated decision-making systems in the public sector. It will help to prevent the embedding of bias and discrimination in administrative decision-making, protect individual rights and foster public trust in government use of new technologies.

I will not adumbrate all the elements of the Bill. In an era when AI and algorithmic systems are becoming increasingly central to government ambitions for greater productivity and public service delivery, this Bill, I hope noble Lords agree, is crucial to ensuring that the benefits of these technologies are realised while safeguarding democratic values and individual rights. By ensuring that ADM systems are used responsibly and ethically, the Bill facilitates their role in improving public service delivery, making government operations more efficient and responsive.

The Bill is not merely a response to past failures but a proactive measure to guide the future use of technology within government and empower our citizens in the face of these powerful new technologies. I hope that the House and the Government will agree that this is the way forward. I beg to move.

Lord Clement-Jones (LD)

- View Speech - Hansard -

Copy Link

-

My Lords, I thank the Minister for her response and all noble Lords who have taken part in this debate, which I thought was perfectly formed and very expert. I was interested in the fact that the noble Baroness, Lady Lane-Fox, has a role in the digital centre for government and in what she had to say about what might be desirable going forward, particularly in the areas of skills and procurement. The noble Baroness, Lady Freeman, said much the same, which indicates something to me.

By the way, I think the Minister has given new meaning to the word “reservations”. That was the most tactful speech I have heard for a long time. It is a dangerous confidence if the Government really think that the ATRS, combined with the watered-down ADM provisions in the GDPR, are going to be enough. They are going to reap the whirlwind if they are not careful, with public trust being eroded. We have seen what has happened in the NHS: unless you are absolutely on the case on this, you will see 3.3 million people opt out of sharing their data, as in the NHS. This is something live; it erupts without due warning.

The examples I gave show a pretty dangerous use of ADM systems. Big Brother Watch has gone into some detail on the particular models that I illustrated. If the Government think that the ATRS is adequate, alongside their watered-down GDPR provisions, then, as I said, they are heading for considerable problems.

As the noble Lord, Lord Knight, can see, if the Government have reservations about my limited Bill, they will have even more reservations about anything more broad.

I do not want to tread on the toes of the noble Lord, Lord Holmes, who I am sure will come back with another Bill at some stage, but I am very sympathetic to the need for algorithmic impact assessment, particularly in the workplace, as advocated by the Institute for the Future of Work. We may be inflicting more amendments on the Minister when the time comes in the ADM Bill.

This Bill is, as the noble Baroness, Lady Lane-Fox, mentioned, based on the Canadian experience. It is based on a Canadian directive that is now well under way and is perfectly practical.

The warning of the noble Lord, Lord Tarassenko, about the use of large language models, with their unpredictability and inability to produce the same result, was an object lesson in the need for proper understanding and training within the Civil Service in the future, and for the development of open source-type LLMs on the back of the existing large language models that are out there, to make sure that they are properly trained and tested as a sovereign capacity.

It is clear that I am not going to get a great deal further. I am worried that we are going to see a continuation, in the phrase used by my noble friend Lady Hamwee, of the culture of deference: the machine is going to continue saying no and our citizens will continue to be unable to challenge decisions in an effective way. That will lead to further trouble.

I thank the noble Viscount, Lord Camrose, for his in-principle support. If the Bill is to have a Committee stage, I look forward to debating some of the definitions. In the meantime, I commend the Bill to the House.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I support the amendments from the noble Viscount, Lord Colville, which I have signed, and will put forward my Amendments 64, 68, 69, 130 and 132 and my Clause 85 stand part debate.

This part of the GDPR is a core component of how data protection law functions. It makes sure that organisations use personal data only for the reason that it was collected. One of the exceptional circumstances is scientific research. Focus on the definitions and uses of data in research increased in the wake of the Covid-19 pandemic, when some came to the view that legal uncertainty and related risk aversion were a barrier to clinical research.

There is a legitimate government desire to ensure that valuable research does not have to be discarded because of a lack of clarity around reuse or very narrow distinctions between the original and new purpose. The Government’s position seems to be that the Bill will only clarify the law, incorporating recitals to the original GDPR in the legislation. While this may be the policy intention, the Bill must be read in the context of recent developments in artificial intelligence and the practice of AI developers.

The Government need to provide reassurance that the intention and impact of the research provisions are not to enable the reuse of personal data, as the noble Viscount said, scraped from the internet or collected by tech companies under legitimate interest for training AI. Large tech companies could abuse the provisions to legitimise mass data scraping of personal data from the internet or to collect via legitimate interest—for example, by a social media platform, about its users. This could be legally reused for training AI systems under the new provisions if developers can claim that it constitutes scientific research. That is why we very much support what the noble Viscount said.

In our view, the definition of scientific research adopted in the Bill is too broad and will permit abuse by commercial interests outside the policy intention. The Bill must recognise the reality that companies will likely position any AI development as “reasonably described as scientific”. Combined with the inclusion of commercial activities in the Bill, that opens the door to data reuse for any data-driven product development under the auspices that it represents scientific research, even where the relationship to real scientific progress is unclear or tenuous. That is not excluded in these provisions.

I turn to Amendments 64, 68, 69, 130 and 132 and the Clause 85 stand part debate. The definition of scientific research in proposed new paragraph 2 under Clause 67(1)(b) is drawn so broadly that most commercial development of digital products and services, particularly those involving machine learning, could ostensibly be claimed by controllers to be “reasonably described as scientific”. Amendment 64, taken together with those tabled by the noble Viscount that I have signed, would radically reduce the scope for misuse of data reuse provisions by ensuring that controllers cannot mix their commercial purposes with scientific research and that such research must be in the public interest and conducted in line with established academic practice for genuine scientific research, such as ethics approval.

Since the Data Protection Act was introduced in 2018, based on the 2016 GDPR, the education sector has seen enormous expansion of state and commercial data collection, partly normalised in the pandemic, of increased volume, sensitivity, intrusiveness and high risk. Children need particular care in view of the special environment of educational settings, where pupils and families are disempowered and have no choice over the products procured, which they are obliged to use for school administrative purposes, for learning in the classroom, for homework and for digital behavioural monitoring.

The implications of broadening the definition of research activities conducted within the state education sector include questions of the appropriateness of applying the same rules where children are in a compulsory environment without agency or routine practice for research ethics oversight, particularly if the definition is expanded to commercial activity.

Parental and family personal data is often inextricably linked to the data of a child in education, such as home address, heritable health conditions or young carer status. The Responsible Technology Adoption Unit within DSIT commissioned research in the Department for Education to understand how parents and pupils feel about the use of AI tools in education and found that, while parents and pupils did not expect to make specific decisions about AI optimisation, they did expect to be consulted on whether and by whom pupil work and data can be used. There was widespread consensus that work and data should not be used without parents’ and/or pupils’ explicit agreement.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I share the confusion of the noble Baroness, Lady Kidron, about the groupings. If we are not careful, we are going to keep returning to this issue again and again over four or five groups.

With the possible exception of the noble Lord, Lord Lucas, I think that we are all very much on the same page here. On the suggestion from the noble Viscount, Lord Colville, that we meet to discuss the precise issue of the definition of “scientific research”, this would be extremely helpful; the noble Baroness and I do not need to repeat the concerns.

I should declare an interest in two respects: first, my interests as regards AI, which are set out on the register; and, secondly—I very much took account of what the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, had to say—I chair the council of a university that has a strong health faculty. It does a great deal of health research and a lot of that research relies on NHS datasets.

This is not some sort of Luddism we are displaying here. This is caution about the expansion of the definition of scientific research, so that it does not turn into something else: that it does not deprive copyright holders of compensation, and that it does not allow personal data to be scraped off the internet without consent. There are very legitimate issues being addressed here, despite the fact that many of us believe that this valuable data should of course be used for the public benefit.



One of the key themes—this is perhaps where we come back on to the same page as the noble Lord, Lord Lucas—may be public benefit, which we need to reintroduce so that we really understand that scientific research for public benefit is the purpose we want this data used for.

I do not think I need to say much more: this issue is already permeating our discussions. It is interesting that we did not get on to it in a major way during the DPDI Bill, yet this time we have focused much more heavily on it. Clearly, in opposition, the noble Viscount has seen the light. What is not to like about that? Further discussion, not least of the amendment of the noble Baroness, Lady Kidron, further down the track will be extremely useful.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Can the Minister say whether this will be a Bill, a draft Bill or a consultation?

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Perhaps another aspect the Minister could speak to is whether this will be coming very shortly, shortly or imminently.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I welcome the noble Viscount to the sceptics’ club because he has clearly had a damascene conversion. It may be that this goes too far. I am slightly concerned, like him, about the bureaucracy involved in this, which slightly gives the game away. It could be seen as a way of legitimising commercial research, whereas we want to make it absolutely certain that that research is for the public benefit, rather than imposing an ethical board on every single aspect of research which has any commercial content.

We keep coming back to this, but we seem to be degrouping all over the place. Even the Government Whips Office seems to have given up trying to give titles for each of the groups; they are just called “degrouped” nowadays, which I think is a sign of deep depression in that office. It does not tell us anything about what the different groups contain, for some reason. Anyway, it is good to see the noble Viscount, Lord Camrose, kicking the tyres on the definition of the research aspect.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I support Amendments 70 to 72, which I signed, in the name of the noble Lord, Lord Stevenson of Balmacara. I absolutely share his view about the impact of Clause 68 on the definition of consent and the potential and actual mistrust among the public about sharing of their data, particularly in the health service. It is highly significant that 3.3 million people have opted out of sharing their patient data.

I also very much share the noble Lord’s views about the need for public interest. In a sense, this takes us back to the discussion that we had on previous groups about whether we should add that in a broader sense so not purely for health data or whatever but for scientific research more broadly, as he specifies. I very much support what he had to say.

Broadly speaking, the common factor between my clause stand part and what he said is health data. Data subjects cannot make use of their data rights if they do not even know that their data is being processed. Clause 77 allows a controller reusing data under the auspices of scientific research to not notify a data subject in accordance with Article 13 and 14 rights if doing so

“is impossible or would involve a disproportionate effort”.

We on these Benches believe that Clause 77 should be removed from the Bill. The safeguards are easily circumvented. The newly articulated compatibility test in new Article 8A inserted by Clause 71 that specifies how related the new and existing purposes for data use need to be to permit reuse is essentially automatically passed if it is conducted

“for the purposes of scientific research or historical research”.

This makes it even more necessary for the definition of scientific research to be tightened to prevent abuse.

Currently, data controllers must provide individuals with information about the collection and use of their personal data. These transparency obligations generally do not require the controller to contact each data subject. Such obligations can usually be satisfied by providing privacy information using different techniques that can reach large numbers of individuals, such as relevant websites, social media, local newspapers and so on.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

So am I.

Lord Clement-Jones

- Hansard -

Copy Link

-

My Lords, I start with an apology, because almost every amendment in this group is one of mine and I am afraid I have quite a long speech to make about the different amendments, which include Amendments 73, 75, 76, 77, 78, 78A, 83, 84, 85, 86, 89 and 90, and stand part debates on Schedules 4, 5 and 7 and Clause 74. But I know that the Members of this Committee are made of strong stuff.

Clause 70 and Schedule 4 introduce a new ground of recognised legitimate interest, which in essence counts as a lawful basis for processing if it meets any of the descriptions in the new Annexe 1 to the UK GDPR, which is at Schedule 4 to the Bill—for example, processing necessary for the purposes of responding to an emergency or detecting crime. These have been taken from the previous Government’s Data Protection and Digital Information Bill. This is supposed to reduce the burden on data controllers and the cost of legal advice when they have to assess whether it is okay to use or share data or not. Crucially, while the new ground shares its name with “legitimate interest”, it does not require the controller to make any balancing test taking the data subject’s interests into account. It just needs to meet the grounds in the list. The Bill gives the Secretary of State powers to define additional recognised legitimate interests beyond those in Annexe 1—a power heavily criticised by the Delegated Powers and Regulatory Reform Committee’s report on the Bill.

Currently where a private body shares personal data with a public body in reliance on Article 6(1)(e) of the GDPR, it can rely on the condition that the processing is

“necessary for the performance of a task carried out in the public interest”.

New conditions in Annexe 1, as inserted by Schedule 4, would enable data sharing between the private and public sectors to occur without any reference to a public interest test. In the list of recognised legitimate interests, the most important is the ability of any public body to ask another controller, usually in the private sector, for the disclosure of personal data it needs to deliver its functions. This applies to all public bodies. The new recognised legitimate interest legal basis in Clause 70 and Schedule 4 should be dropped.

Stephen Cragg KC, giving his legal opinion on the DPDI Bill, which, as I mentioned, has the same provision, stated that this list of recognised legitimate interests

“has been elevated to a position where the fundamental rights of data subjects (including children) can effectively be ignored where the processing of personal data is concerned”.

The ICO has also flagged concerns about recognised legitimate interests. In its technical drafting comments on the Bill, it said:

“We think it would be helpful if the explanatory notes could explicitly state that, in all the proposed new recognised legitimate interests, an assessment of necessity involves consideration of the proportionality of the processing activity”.


An assessment of proportionality is precisely what the balancing test is there to achieve. Recognised legitimate interests undermine the fundamental rights and interests of individuals, including children, in specific circumstances.

When companies are processing data without consent, it is essential that they do the work to balance the interests of the people who are affected by that processing against their own interests. Removing recognised legitimate interests from the Bill will not stop organisations from sharing data with the public sector or using data to advance national security, detect crime or safeguard children and vulnerable people. The existing legitimate interest lawful basis is more than flexible enough for these purposes. It just requires controllers to consider and respect people’s rights as they do so.

During the scrutiny of recognised legitimate interests in the DPDI Bill—I am afraid to have to mention this—the noble Baroness, Lady Jones of Whitchurch, who is now leading on this Bill as the Minister, raised concerns about the broad nature of the objectives. She rightly said:

“There is no strong reason for needing that extra power, so, to push back a little on the Minister, why, specifically, is it felt necessary? If it were a public safety interest, or one of the other examples he gave, it seems to me that that would come under the existing list of public interests”.—[Official Report, 25/3/24; col. GC 106.]


She never spoke a truer word.

However, this Government have reintroduced the same extra power with no new articulation of any strong reason for needing it. The constraints placed on the Secretary of State are slightly higher in this Bill than they were in the DPDI Bill, as new paragraph (9), inserted by Clause 70(4), means that they able to add new recognised legitimate interests only if they consider processing the case to be necessary to safeguard an objective listed in UK GDPR Article 23(1)(c) to (j). However, this list includes catch-alls, such as

“other important objectives of general public interest”.

To give an example of what this power would allow, the DPDI Bill included a recognised legitimate interest relating to the ability of political parties to use data about citizens during election campaigns on the basis that democratic participation is an objective of general public interest. I am glad to say that this is no longer included. Another example is that a future Secretary of State could designate workplace productivity as a recognised legitimate interest—which, without a balancing test, would open the floodgates to intrusive workplace surveillance and unsustainable data-driven work intensification. That does not seem to be in line with the Government’s objectives.

Amendment 74 is rather more limited. Alongside the BMA, we are unclear about the extent of the impact of Clause 70 on the processing of health data. It is noted that the recognised legitimate interest avenue appears to be available only to data controllers that are not public authorities. Therefore, NHS organisations appear to be excluded. We would welcome confirmation that health data held by an NHS data controller is excluded from the scope of Clause 70 now and in the future, regardless of the lawful basis that is being relied on to process health data.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thank the Minister. She covered quite a lot of ground and all of us will have to read Hansard quite carefully. However, it is somewhat horrifying that, for a Bill of this size, we had about 30 seconds from the Minister on Schedule 7, which could have such a huge influence on our data adequacy when that is assessed next year. I do not think anybody has talked about international transfers at this point, least of all me in introducing these amendments. Even though it may appear that we are taking our time over this Bill, we are not fundamentally covering all its points. The importance of this Bill, which obviously escapes most Members of this House—there are just a few aficionados—is considerable and could have a far-reaching impact.

I still get Viscount Camrose vibes coming from the Minister.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

Perhaps I should stay that this kind of enthusiasm clearly conquers all. I should thank a former Minister, the noble Lord, Lord Kamall, and I thank the noble Baroness, Lady Kidron, for her thoughtful speech, particularly in questioning the whole recognised legitimate interest issue, especially in relation to vulnerable individuals.

It all seems to be a need for speed, whether it is the Secretary of State who has to make snappy decisions or a data controller. We are going to conquer uncertainty. We have to keep bustling along. In a way, to hell with individual data rights; needs must. I feel somewhat Canute-like holding up the barrier of data that will be flowing across us. I feel quite uncomfortable with that. I think the DPRRC is likewise going to feel pretty cheesed off.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, I thought I had no speech; that would have been terrible. In moving my amendment, I thank the noble Baronesses, Lady Kidron and Lady Harding of Winscombe, and the noble Lord, Lord Russell of Liverpool, for their support. I shall speak also to Amendments 94, 135 and 196.

Additional safeguards are required for the protection of children’s data. This amendment

“seeks to exclude children from the new provisions on purpose limitation for further processing under Article 8A”.

The change to the purpose limitation in Clause 71 raises questions about the lifelong implications of the proposed change for children, given the expectation that they are less aware of the risks of data processing and may not have made their own preferences or choices known at the time of data collection.

For most children’s data processing, adults give permission on their behalf. The extension of this for additional purposes may be incompatible with what a data subject later wishes as an adult. The only protection they may have is purpose limitation to ensure that they are reconsented or informed of changes to processing. Data reuse and access must not mean abandoning the first principles of data protection. Purpose limitation rests on the essential principles of “specified” and “explicit” at the time of collection, which this change does away with.

There are some questions that I would like to put to the Minister. If further reuses, such as more research, are compatible, they are already permitted under current law. If further reuses are not permitted under current law, why should data subjects’ current rights be undermined as a child and, through this change, never be able to be reclaimed at any time in the future? How does the new provision align with the principle of acting in the best interests of the child, as outlined in the UK GDPR, the UNCRC in Scotland and the Rights of Children and Young Persons (Wales) Measure 2011? What are the specific risks to children’s data privacy and security under the revised rules for purpose limitation that may have an unforeseeable lifelong effect? In summary, a blanket exclusion for children’s data processing conforms more with the status quo of data protection principles. Children should be asked again about data processing once they reach maturity and should not find that data rights have been given away by their parents on their behalf.

Amendment 196 is more of a probing amendment. Ofcom has set out its approach to the categorisation of category 1 services under the Online Safety Act. Ofcom’s advice and research, submitted to the Secretary of State, outlines the criteria for determining whether a service falls into category 1. These services are characterised by having the highest reach and risk functionalities among user-to-user services. The categorisation is based on certain threshold conditions, which include user numbers and functionalities such as content recommender systems and the ability for users to forward or reshare content. Ofcom has recommended that category 1 services should meet either of two sets of conditions: having more than 34 million UK users with a content recommender system or having more than 7 million UK users with a content recommender system and the ability for users to forward or reshare user-generated content. The categorisation process is part of Ofcom’s phased approach to implementing codes and guidance for online safety, with additional obligations for category 1 services due to their potential as sources of harm.

The Secretary of State recently issued the Draft Statement of Strategic Priorities for Online Safety, under Section 172 of the Online Safety Act. It says:

“Large technology companies have a key role in helping the UK to achieve this potential, but any company afforded the privilege of access to the UK’s vibrant technology and skills ecosystem must also accept their responsibility to keep people safe on their platforms and foster a safer online world … The government appreciates that Ofcom has set out to government its approach to tackling small but risky services. The government would like to see Ofcom keep this approach under continual review and to keep abreast of new and emerging small but risky services, which are posing harm to users online.


As the online safety regulator, we expect Ofcom to continue focusing its efforts on safety improvements among services that pose the highest risk of harm to users, including small but risky services. All search services in scope of the Act have duties to minimise the presentation of search results which include or lead directly to illegal content or content that is harmful to children. This should lead to a significant reduction in these services being accessible via search results”.


During the parliamentary debates on the Online Safety Bill and in Joint Committee, there was significant concern about the categorisation of services, particularly about the emphasis on size over risk. Initially, the categorisation was based largely on user numbers and functionalities, which led to concerns that smaller platforms with high-risk content might not be adequately addressed. In the Commons, Labour’s Alex Davies-Jones MP, now a Minister in the Ministry of Justice, argued that focusing on size rather than risk could fail to address extreme harms present on smaller sites.

The debates also revealed a push for a more risk-based approach to categorisation. The then Government eventually accepted an amendment allowing the Secretary of State discretion in setting thresholds based on user numbers, functionalities or both. This change aimed to provide flexibility in addressing high-risk smaller platforms. However, concerns remain, despite the strategy statement and the amendment to the original Online Safety Bill, that smaller platforms with significant potential for harm might not be sufficiently covered under the category 1 designation. Overall, while the final approach allows some flexibility, there is quite some debate about whether enough emphasis will be placed by Ofcom in its categorisation on the risks posed by smaller players. My colleagues on these Benches and in the Commons have emphasised to me that we should be rigorously addressing these issues. I beg to move.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

I thank the Minister for her response. I should say at the outset that, although I may have led the group, it is clear that the noble Baroness, Lady Kidron, leads the pack as far as this is concerned. I know that she wants me to say that the noble Baroness, Lady Harding, wished to say that she was extremely sorry not to be able to attend as she wanted to associate herself wholeheartedly with these amendments. She said, “It’s so disappointing still to be fighting for children’s data to have higher protection but it seems that that’s our lot!” I think she anticipated the response, sadly. I very much thank the noble Baroness, Lady Kidron, the noble Lords, Lord Russell and Lord Stevenson, and the noble Viscount, Lord Camrose, in particular for his thoughtful response to Amendment 196.

I was very interested in the intervention from the noble Lord, Lord Stevenson, and wrote down “Not invented here” to sum up the Government’s response to some of these amendments, which has been consistently underwhelming throughout the debates on the DPDI Bill and this Bill. They have brought out such things as “the unintended effects” and said, “We don’t want to interfere with the ICO”, and so on. This campaign will continue; it is really important. Obviously, we will read carefully what the Minister said but, given the troops behind me, I think the campaign will only get stronger.

The Minister did not really deal with the substance of Amendment 196, which was not just a cunning ploy to connect the Bill with the Online Safety Act; it was about current intentions on categorisation. There is considerable concern that the current category 1 is overconservative and that we are not covering the smaller, unsafe social media platforms. When we discussed the Online Safety Bill, both in the Joint Committee and in the debates on subsequent stages of the Bill, it was clear that this was about risk, not just size, and we wanted to cover those risky, smaller platforms as well. While I appreciate the Government’s strategic statement, which made it pretty clear, and without wishing to overly terrorise Ofcom, we should make our view on categorisation pretty clear, and the Government should do likewise.

This argument and debate will no doubt continue. In the meantime, I beg leave to withdraw my amendment.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

-

My Lords, the problem is that I have a 10-minute speech and there are five minutes left before Hansard leaves us, so is it sensible to draw stumps at this point? I have not counted how many amendments I have, but I also wish to speak to the amendment by the noble and learned Lord, Lord Thomas. I would have thought it sensible to break at this point.