Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024
Lord Clement-Jones Excerpts(6 days, 16 hours ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I thank the noble Lord, Lord Leong, for his introduction, but I am slightly baffled by this SI. I looked up whether the Commons had had its debate on it and found that it took place on 21 May 2024. Then I looked at the impact assessment, which seems to be dated 2023. I do not quite know why we are dealing with a historic SI almost a year later. What has happened in the intervening period? The Minister did not mention anything to do with that. Is this some oversight by the department? Has something happened? Was somebody ill and could not deal with this in the House of Lords? It is a rather peculiar situation.
The second rather strange aspect of this is that, when the Automated Vehicles Bill was going through, my noble friend the late Baroness Randerson, who was mentioned by my noble friend Lady Smith—it is rather coincidental that this was one of her big issues: automated vehicles and the data relating to them—raised questions about protection of personal privacy and the national security implications of the data being retained by manufacturers of automated vehicles. She also raised the possibility of a cyberattack that could paralyse traffic over a considerable area. Those concerns were also raised by my honourable friend Wera Hobhouse in the Commons at the same time. I think the noble Lord, Lord Sharpe, might be interested in this: we were assured at that time by Ministers in the previous Government that GDPR was good enough protection in respect of automated vehicles, despite the concerns expressed by my late noble friend Baroness Randerson. Now it turns out, as set out in the Explanatory Memorandum, that special provisions are needed.
Again, this is rather baffling. We seem to be hearing either that we have an administrative problem or that there was a misunderstanding about the intended policy. In some respects, I should be pleased that the Explanatory Memorandum sets out more safeguards, because if we are going to exempt these three areas—in particular, automated vehicles—we need to know that those safeguards will be in place through other mechanisms. I will go through what those might be and put questions to the Minister about them.
How will the collection, storage and use of personal data by automated vehicles be regulated to ensure compliance with data protection laws? What specific criteria must be met for a person or body to be authorised as a self-driving entity, particularly concerning data protection? Do they need to obtain a certificate of compliance with data protection legislation from the ICO, for instance? How can the public be reassured that their personal data will be protected? How will the regulations ensure that personal data is protected, not only during vehicle operation but after the ownership of a vehicle has ended? What are these robust personal data practices that need to be in place for companies to be authorised as self-driving entities?
What information about the data for the authorisation of automated vehicles must be provided and to whom? Will the Secretary of State consult the Information Commissioner’s Office before making regulations relating to the provision of personal data in automated vehicles, and will the ICO be including elements to do with personal data and automated vehicles in its annual report to Parliament? How will the Government protect against potential cyberattacks on automated vehicle systems?
Specifically, how do the regulations for consumer connectable products under the Product Security and Telecommunications Infrastructure Act interact with those that apply to automated vehicles and their components? Does this exempt the whole of the automated vehicle or, rather, particular connectable items in automated vehicles that would in fact be covered by the PSTI Act? How will the regulations prevent anti-competitive practices by vehicle manufacturers who might use data to restrict competition between them and independent operators?
The Explanatory Memorandum talks about the CAVPASS programme, which provides some information that is relevant. Currently, however, it does not deal directly with these specific questions regarding data handling in automated vehicles. We are promised, I think, that something is coming down the track in 2025. There is mention of a staged approach to regulations, which suggests that future measures will be introduced. When can we expect more information of the kind that I have raised? Is it not long overdue, given the speed of development of these vehicles? They are already in pilot form and we need to know that our data is secure. We are still left with questions, despite all that. I doubt whether CAVPASS is necessarily going to cover how data is collected in relation to cybersecurity and how they will be protected in that respect.
There are quite a lot of questions here, and it is rather peculiar that we were not in a position to ask these questions at the same time as the House of Commons last May. I am therefore looking forward to what the Minister has to say in reply.
Lord Sharpe of Epsom (Con)
My Lords, I thank the Minister for his explanation. I would say to the noble Lord, Lord Clement-Jones, that something did happen, and that was the general election, which we, unfortunately, lost. That no doubt explains something of the delay.
The noble Lord, Lord Clement-Jones, has asked some pertinent questions. I will keep mine a little more general, because this SI amends the original regulations and broadens the exceptions under Schedule 3. The most notable change concerns the automotive sector, as has been noted, where vehicles were previously exempt from certain cybersecurity provisions.
The new regulations align the UK’s approach with international standards. They recognise the unique nature of vehicle systems and the need for specialised cybersecurity measures. UN Regulation No. 155 on cyber security and cybersecurity management systems, which governs the security of vehicles, is now set to be the primary framework for automotive security. As far as it goes, that would obviously seem eminently sensible, but the noble Lord, Lord Clement-Jones, has highlighted that there are a number of broader, perhaps more philosophical, questions about the direction of travel—that is not a pun—with regard to EVs, self-driving vehicles and vehicle autonomy, which we will have to grapple with at some point in the future. I imagine that this is a subject to which we will return.
My questions are a little more general. The regulations are undoubtedly important for protecting consumers and securing digital infrastructure, but we must consider the broader implications. The automotive sector is rapidly evolving, as has been noted, and the development of automated vehicles holds significant economic and societal potential. However, with innovation comes the risk of regulatory frameworks that struggle to keep pace; that is self-evident. How do we ensure that these cybersecurity measures do not inadvertently stifle technological advancement in areas and sectors such as the automotive sector? How do we end up striking the right balance between securing the technologies and enabling them to flourish?
There is also a question here around consumer awareness; again, this was highlighted by the noble Lord, Lord Clement-Jones. How long would an individual’s data be attached to a particular vehicle, for example, even after it is sold? These regulations require manufacturers to disclose the duration of product security support, but how well are consumers equipped to understand and act on this information? Are we confident that the public are sufficiently informed about the critical nature of cybersecurity? Will the Government commit to taking the necessary steps to help customers and consumers protect their devices and data? It seems to us that this is an area where the education of the public must go beyond the bare minimum. We need to ensure that consumers are not left in the dark about the sorts of security risks that they may face.
We must also consider enforcement. With the proliferation of smart products entering the market at such an unprecedented rate, how will we ensure consistent and effective compliance across such a diverse range of industries, from household appliances to vehicles? As new technologies emerge and evolve, the enforcement mechanisms that are in place today may not be enough. Are we allocating the necessary resources to monitor and enforce these standards effectively? Are the Government allocating additional resources to help those things along? Does the current enforcement mechanism system adequately address the rising complexity and scale of the challenges ahead?
As I said, these are broader, more philosophical questions—I do not expect the Minister to be in a position to answer them and there is no need to write—but these are the sorts of things that we all need to consider as a society. Obviously, that will have political, economic and societal ramifications that we all need to consider, but the Opposition have no objection to these regulations; they make perfect sense for now. I suspect, however, that this is a subject to which we will return.
Lord Leong (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Sharpe, for their contributions.
I will first address the question asked by the noble Lord, Lord Clement-Jones: why the delay? As the noble Lord, Lord Sharpe, mentioned, it was a result of the general election. At the same time, we were waiting for the Department for Transport to progress UN regulation No. 155, until such time as we knew that we must take this exception out of the current regulations. That is the reason for the delay, basically; it was also about finding parliamentary time to table these regulations. That is that on the delay.
Lord Clement-Jones (LD)
I am sorry to interrupt the Minister but, frankly, this is the same instrument as the one that was debated last May. Nothing has changed apart from the lack of parliamentary time. We could have done this in September, October or whenever. I forget quite when we had the King’s Speech—in July? We could have done this at any time in the past few months.
Lord Leong (Lab)
This is beyond my pay grade, I am afraid. I will need to ask my leader, the Chief Whip, why we could not allocate any parliamentary time for this legislation.
As far as personal data is concerned, the GDPR is still the lead legislation. I respectfully say to the noble Lord that, for the purposes of today’s regulations, the whole issue of such data is outside the scope of this instrument for now. However, I am sure that we will be talking about personal data in the months and, probably, years to come in other forms of legislation, or even about it being regulated itself.
Lord Clement-Jones (LD)
Out of scope? On the basis that we are being asked to exempt automated vehicles, is it not proper that we ask for reassurance about automated vehicles and the implications for safety, data or whatever else? We are exempting them from these connected product regulations, so we need to be reassured that there are other ways of regulating them other than through these regulations. So this is not out of scope; the debate is about whether we should be exempting them.
Lord Leong (Lab)
I take the point, but the instrument is about the two amendments to the regulations. I take the noble Lord’s point about data. Yes, it is important, and we must preserve the data, but this instrument is not within that scope.
Moving on to cybersecurity within autonomous vehicles, cybersecurity is at the heart of the Government’s priorities for the rollout of all self-driving vehicles. The Automated Vehicles Act 2024 enables an obligation to be placed on those responsible for self-driving vehicles to maintain a vehicle’s software and ensure that appropriate cybersecurity measures are in place throughout its service life.
In response to the point made by the noble Lord, Lord Sharpe, about innovation, the Government are committed to supporting the development and deployment of self-driving vehicles in the UK. Our permissive trialling regime means that self-driving cars, buses and freight vehicles are already on UK roads with safety drivers. The Automated Vehicles Act will pave the way to scale deployments beyond trials. The Act delivers one of the most comprehensive legal frameworks of its kind anywhere in the world for self-driving vehicles, with safety at its core. It sets out clear legal responsibilities, establishes a safety framework and creates the necessary powers to regulate this new industry.
On the point about cybersecurity from the noble Lord, Lord Clement-Jones, the Government take national security extremely seriously and are actively monitoring threats to the UK. The Department for Transport works closely with the transport sector, the National Cyber Security Centre and other government departments to understand and respond to cybersecurity issues associated with connected vehicles. UN regulation No. 155 more comprehensively addresses cybersecurity risks with automotive vehicles and has adequate provisions to deal with the prospect of self-driving vehicles. The PSTI regime is designed for consumer contactable devices or products and is not fully equipped to address the specific needs and complexities of vehicle cybersecurity. UN regulation No. 155, which was developed through international collaboration, provides a more suitable and rigorous framework for ensuring the security of vehicles.
More everyday products than ever are now connected to the internet. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risks of cyberattack, fraud, or even, in the most serious cases, physical danger. The PSTI product security regulatory regime builds on the ETSI international standard and is the first of its kind in the world to come into force.
The cybersecurity regulatory landscape will continue to evolve. The Government need to be agile to ensure that there is synergy between existing and new laws. Through this draft instrument, the Government are delivering on the commitment in 2021 to except certain categories of automotive vehicles from the scope of the PSTI products security regulatory regime. This is because the Government, via the Department for Transport, are in the process of introducing sector-specific regulations that have been developed at an international level to address the cybersecurity of these products. These requirements, which are specifically tailored to these vehicles and their functionality, will create a more precise regime for the sector. This draft instrument therefore ensures that the automotive industry, which contributed £13.3 billion to the economy in 2022, will not be placed under undue burdens from dual regulations.
Lord Clement-Jones (LD)
My Lords, the Minister has not mentioned the point raised in the Explanatory Memorandum, which was designed, I think, to give us comfort about cybersecurity and data: the Government’s Connected and Automated Vehicles: Process for Assuring Safety and Security—CAVPASS—which I mentioned. I did not hear him give us an assurance that that will be developed during 2025 to ensure the safety and cybersecurity of self-driving vehicles. As well as reiterating that the GDPR is an absolutely splendid way of regulating these automated vehicles, I hope that he will reiterate that this will be produced, because I have had a look at what CAVPASS currently says in the area of data, and it is not very much. After all, these connected regulations from which we are exempting automated vehicles are about safety, data and everything else.
Lord Leong (Lab)
My Lords, the noble Lord makes a very important point. Rather than waiting for my officials to give me a briefing note, I will ensure that I write to him on all the points that he has just mentioned.
Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024
Lord Clement-Jones Excerpts(11 months, 1 week ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Hamwee (LD)
My Lords, I thank the Minister for that explanation. I have to say that my recollection is that the issue is much wider than the exemption and ensuring that there is no tip-off to somebody who is about to be visited by immigration enforcement. Let me give an example that was borne out after the Act was passed: solicitors acting for data subjects were unable, as we had anticipated, to find out what the Home Office thought it knew—I put it that way deliberately —about their clients.
I have some general points to make; I will do so fairly quickly. It would be optimistic to think that the Home Office had taken from this saga that objections and criticisms—in the form of amendments, obviously—can be helpful because we could have avoided a lot of effort in rectification. My noble friend Lord Clement-Jones will go into some of the history; I must admit, I do not recall much detail except for being teased frequently by the noble Baroness, Lady Williams, when she was the Home Office Minister, because I brought up our objection to the immigration exemption so often.
I feel strongly that it should not have to be for non-governmental organisations that are no doubt strapped for cash to do so much in order to get things right. I appreciate that that is part of our democracy; I do not object at all to the fact that they can do so, of course, but they should not have to. An application, an appeal, another judicial review, another appeal—at what cost to those organisations and the taxpayer! I emphasise that there is an exclamation mark, not a question mark, at the end of that sentence.
This saga is one of those episodes that vindicates the role of the courts, often in language that I, for one, relish. We have spent a lot of time in the Chamber recently discussing the role of the courts in our constitution; to give one example of the language, I really liked the understated use of
“over-broad derogations from fundamental rights”.
As the Minister said, the litigants were consulted before the publication of the SI. The Secondary Legislation Scrutiny Committee reports that it made three points, of which one, on oversight, was rejected by the Home Office and one was regarded by the Home Office as not necessary. Can the Minister tell the Committee what these were and why they were not pursued?
On the detail of the instrument, I note that it will be a matter for the Secretary of State to balance the risks to the individual and the risks to the state. I happen to think that it is in the public interest to apply exemptions with a very light touch, but of course it is no secret that the Liberal Democrats have problems with the Home Office’s immigration policy, and I fear that the reputational ship is well on its way. Clearly, there is an imbalance of power. That is inevitable, but it is not easy for the individual data subject to exercise his rights, and we should be aware of that.
Can the Minister also tell us what the Home Office will do to ensure that there will be transparency of decisions so that it can appropriately be held to account? Mechanisms must be written into the procedures. New paragraph 4B of Schedule 2 provides for a record of decisions and reasons. How will that be published and what will happen to it?
Will the Minister also comment on the capacity of immigration enforcement—and whoever else needs to—to look at prospective decisions on a case-by-case basis for each disapplication? I recognise that that will not necessarily be a straightforward and easy exercise, but it certainly requires a great deal more than, “It’s okay; it’s immigration, so we can just rely on the exemption”. Case-by-case decision-making is very important.
Finally, I note that the Explanatory Memorandum tells us that there is no full impact assessment because the instrument
“does not substantively alter the safeguards and considerations for applying the Immigration Exemption”.
I have to say that I thought that was the point.
Lord Clement-Jones (LD)
My Lords, this set of regulations is a step forward, but with all the caveats that my noble friend made, and I have some more.
As the Minister confirmed, these regulations are the result of the Open Rights Group case—the Court of Appeal judgment in the3million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor—which confirms the earlier High Court judgment in March 2023. In broad terms, the Court of Appeal found that the immigration exemption in Schedule 2 to the Data Protection Act 2018 conflicted with the safeguards in Article 23 of the UK GDPR, as the Minister said. This was because the immigration exemption was drafted too broadly and failed to incorporate the safeguards prescribed for exemptions under Article 23 of the UK GDPR. It was therefore held to be unlawful and was disapplied.
These regulations follow two previous attempts by the Home Office to craft an immigration exemption which contained sufficient safeguards to satisfy the requirements set out in Article 23 of the UK GDPR. This is the third shot at it. In order to make the immigration exemption compatible with the requirements of Article 23, as the Minister explained, the Government added a number of safeguards to the exemption which were not there before. These are set out in the regulations. They are worth stating because they are really important requirements, which were omitted previously.
They include requirements to: make decisions on the application of the exemption on a case-by-case basis; make separate decisions in respect of each of the relevant UK GDPR provisions which relates to the data subject; make fresh decisions on each occasion where there is consideration or restriction of any of the relevant UK GDPR provisions in relation to the data subject; take into account all the circumstances of the case, including the potential vulnerability of the data subject, and so on; and apply the exemption only if the application of the particular UK GDPR provision would give rise to a substantial risk of prejudice that outweighs the risk of prejudice to the interests of the data subject, ensuring that the application of the exemption is necessary and proportionate to the risks in the particular case.
You would think it rather extraordinary that those are excluded from the previous regulations. In addition, a record must be made of the decision to apply the exemption, together with the reasons for that decision. There is also a rebuttable presumption that the data subject will be informed of the use of the exemption.
The ICO welcomed them in its letter to the Home Office as, in its view, satisfying the requirements of the Open Rights Group case. In its view, the proposed changes will ensure that the exemption complies with Article 23(2) of the UK GDPR and ensure that there are appropriate safeguards to protect individuals. Since it took part in the case as an interested party, this is of considerable reassurance. I congratulate the Open Rights Group and the3million on not one but two notable successes in court cases which have forced the Home Office to amend the exemption twice.
Lord Sharpe of Epsom (Con)
I thank all noble Lords for their contributions. I shall start with justification and the public interest, which is obviously at the core of this. Parliament included the immigration exemption as part of the Data Protection Act 2018, as has been noted, for the legitimate purpose of effective immigration control. The Court of Appeal declared in its judgment,
“that there can be no dispute that the Immigration Exemption has a legitimate aim and indeed seeks to advance important public interests.”
We agree with the court: the immigration exemption is vital to prevent the release of information which would otherwise prejudice effective immigration control. I particularly welcome its endorsement by the noble Lord, Lord Coaker.
I want to be clear with noble Lords what those important public interests are. Through targeted use of the immigration exemption, we are able to maintain our capability at the border to prevent criminals and those who seek to cause us harm threatening our country as well as to support other agencies and international partners. We are able to frustrate and prevent sham marriages and protect the integrity of ongoing immigration removal and enforcement action and forgery investigations. The immigration exemption is also used to protect people being forced into a marriage and to prevent individuals absconding when there is a planned immigration visit. The central aims are to protect our citizens, ensure the integrity of the border and prevent abuses of the immigration system.
The noble Lord, Lord Coaker, asked about the balancing test. I will come on to the use of the exemption in practice, but it is always clear that the balancing test has to be carried out, and will now be explicitly in the Act. In practice, I can reassure noble Lords that the exemption is employed at around 70% of subject access requests relating to immigration and the Border Force. The amount of data that is restricted by the use of the exemption is, in the vast majority of cases, very little. It is not simply the case that where one piece of information is found to be prejudicial to immigration control, the Home Office does not respond to a request. The piece of information may be redacted as a result, but otherwise a full response will be given. It must be both necessary and proportionate to use the exemption, and this must be balanced against the risk to an individual’s rights. These existing standards will now be set out explicitly in the legislation.
I acknowledge that there was a difference of opinion in the House over whether the previous regulations amending the immigration exemption in 2022 met the requirements of Article 23 of the UK GDPR. The courts have agreed with the Government on a wide range of issues in the hearing. They declared that in two areas in particular the amended exemption did not, and the Government respect that ruling. We are confident that these regulations meet the requirements of the judgment in full, and we are supported by the ICO in that opinion.
The noble Baroness, Lady Hamwee, asked whether we consulted the claimants. They were consulted as part of the development of the provisions, and they suggested some additions to the provisions. We accepted suggestions to provide detail on applicable storage periods in the Explanatory Memorandum. We did not accept a suggestion to alter the existing model of ICO oversight of the exemption. The existing model of ICO oversight of the Home Office is robust, and data subjects are able to challenge use of the exemption. I welcome the noble Lord, Lord Clement-Jones, acknowledging the ICO’s part in this.
We also rejected the suggestion to specify in the legislation the wording that must be provided to data subjects when informing them that the provisions of the exemption have been applied. The provisions of the exemption are already accessible to data subjects and adding that detail to primary legislation would be unhelpful.
As regards how the ICO assesses the Government’s use of the immigration exemption, it already assesses the Home Office as part of its statutory role as regulator. Those assessments are published as data protection audit reports, setting out the findings and any recommendations. Should a data subject disagree with the decision to apply the immigration exemption in their case, the usual redress mechanisms to contact the ICO are available.
The noble Lord, Lord Coaker, asked about the application of these rules to children. The immigration exemption applies to all immigration data, but there are special considerations in relation to minors, which are set out in the ICO’s guidance.
The subject of an impact assessment also came up, which relates to oversight and transparency more generally. It is important that these regulations retain the presumption that a data subject should be informed that the immigration exemption has been used—for example, to redact information provided to them in response to a subject access request. That allows the data subject to challenge that decision, should they believe that the application of the exemption is not justified. The ICO has appropriate powers to investigate whether the immigration exemption has been applied appropriately in a specific case. This is in addition to its overall assessment of the Home Office’s data protection practices, which include the use of the immigration exemption more broadly.
An impact assessment was carried out as part of the inclusion of the provision for the immigration exemption in the Data Protection Act 2018. A further supplementary impact assessment was conducted as part of the amendment to the exemption by the SI in 2022. This is noted in the Explanatory Memorandum. Given that there is no substantive change to the safeguards and scope of the exemption, we have not completed a new IA for this instrument.
Lord Clement-Jones (LD)
I am sorry; the Minister seems to be moving on from the impact issue. Clearly there was a period when the old regulation, which is now being superseded, was in operation and individuals were impacted. In a sense, an inappropriate exemption was used. What data does the Minister have about those individuals and the impact on them? What redress do they have? The Minister skated over the ICO’s redress mechanism. Is there no direct mechanism to the Home Office?
Lord Sharpe of Epsom (Con)
I did not skate over it at all; I referred to it explicitly and am happy to do so again, if it would help. I do not know if there is any specific redress to the Home Office. I would imagine not, given that it is explicit that data subjects should go via the ICO. If I am wrong on that, I will clarify.
I have no particular data on the subjects who may have been covered by this before the court’s decision, so I will have to find out, come back and write to the noble Lord if there is anything useful to add.
The Home Office already has relevant guidance and training in place for those exercising the immigration exemption provisions, but we are undertaking a review of those materials to ensure that they align with these regulations. That will be completed in time for the 11 March deadline to amend the current exemption. The instrument is making existing safeguards explicit in the legislation, which are already captured in the existing training and guidance, so we do not expect substantive changes to be needed.
The costs of the court case are not yet settled, but I am happy to commit to write once they have been.
There are a couple more bits to say. How often is the exemption used? The honest answer is not very often. I think I referred to this earlier, so it is probably redundant to say it again but, for the record, in the year ending October 2023, the immigration exemption was applied in around 70% of subject access requests received in relation to immigration citizenship and the Border Force. Of those, the vast majority had only a small amount of data redacted under the use of the exemption. So I suppose the answer to the noble Lord’s question is that it will have a very minimal impact on people, but I commit to clarify that.
Finally, the noble Lord, Lord Clement-Jones, asked about the relationship between the DPA and retained EU law. The official answer is that the focus of this SI is the immigration exemption and that discussions of the rules and the implications for the DPA 2018 are probably best debated as part of the DPDI Bill, which will, I believe, come to the House on 20 March. The unofficial answer is that I cannot comment on the noble Lord’s disposition because I did not really understand it and I do not have much knowledge of this subject. However, I note that we have left the EU: the people voted. Our rules can now be amended to our own circumstances, and of course, that applies across the entire legal suite. It was a pretty clear vote by the people of this country; I know that that does not suit the Liberal Democrats.
In closing, I hope that I have satisfactorily answered the points that were made and that noble Lords understand the necessity—
Computer Systems: Independent Testing
Lord Clement-Jones Excerpts(1 year ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones
To ask His Majesty’s Government what action they are taking to reform the Computer Misuse Act 1990 to enable legitimate independent testing of computer systems.
The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
My Lords, the Government support people undertaking legitimate cybersecurity work to do so without fear of criminalisation. We are actively considering options to strengthen the legislative framework as part of the review of the Computer Misuse Act, which is ongoing. This work is complex and needs a lot of thought, not least to ensure that we do not inadvertently create a loophole that can be exploited by cybercriminals or hostile state actors.
Lord Clement-Jones (LD)
My Lords, the need to be able to carry out independent research into computer systems has been put into the spotlight by the Horizon scandal. We last discussed this issue at Oral Questions last July. Since then, the Government have had the conclusions of a stakeholder working group for several months but have done absolutely nothing to include a public interest defence in the Criminal Justice Bill that is now in the Commons. I described the Government’s progress last year as “glacial”. Was I being unkind to glaciers?
Lord Sharpe of Epsom (Con)
Regrettably, the noble Lord is wrong. We set up a multistakeholder group of systems owners, law enforcement, cybersecurity companies and prosecutors—a systems access group—to specifically consider the proposal of statutory defences. Six meetings were held between May 2023 and October 2023. Unfortunately, there is a lack of consensus among those participants and the cybersecurity industry, and with law enforcement and prosecutors, on whether there is a need for statutory defences and on what is considered to be legitimate activity. That lack of consensus proves the point that careful thought is needed in this area.
Lord Sharpe of Epsom (Con)
My Lords, we are always interested in learning from the approaches taken by other countries and jurisdictions. We speak with our international counterparts, including all our major allies, to understand how they approach the issue of whether there should be defences to these types of offences. But the majority of our like-minded partners do not have statutory defences and are instead in favour of prosecutorial guidance. For example, the US Department of Justice introduced guidance for prosecutors on when to prosecute instances of potential breaches of its Computer Fraud and Abuse Act.
Lord Clement-Jones (LD)
My Lords, does the Minister agree that the Criminal Justice Bill is a good opportunity for the Government to bring forward a public interest amendment, perhaps with the bells and whistles that the Minister is talking about, or is he firmly of the view that this will occur only in the future?
Lord Sharpe of Epsom (Con)
My Lords, I am not quite sure where the bells and whistles come from. As I said, we are just considering all the potential implications. However, part of the Criminal Justice Bill introduces a new power for law enforcement and other investigative agencies to suspend IP addresses and domain names where they are being used to facilitate serious crime. So the answer is partially yes, but the other situation that the noble Lord described is very complicated.
National Crime Agency: Fraud and Economic Crime
Lord Clement-Jones Excerpts(1 year, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Sharpe of Epsom (Con)
My Lords, the noble Lord will be aware that the City of London Police partially fulfils that function. It prioritised investigators to the City of London as part of its recent increase in the numbers of police. Angela McLaren, the commissioner there, has a strong background in economic crime and its investigation, and the City of London Police runs an economic crime academy. The noble Lord makes an interesting point about having just one agency, but that agency is the National Economic Crime Centre, which co-ordinates all the various activities across the various police forces, including regional organised crime units.
Lord Clement-Jones (LD)
My Lords, given that the UK cyber industry plays a critical role in supporting law enforcement to tackle cyber-enabled fraud, when will the Government reform the Computer Misuse Act so that the cyber industry does not face legal jeopardy for protecting our citizens and businesses online? Is it not high time that the Home Office came to a conclusion on its review?
Lord Sharpe of Epsom (Con)
My Lords, I cannot speculate on that Act but the anti-fraud champion, Anthony Browne MP, has been having some close engagement with industry. An online sector charter—which I appreciate is not entirely the same thing but is certainly related—is due to be published in the autumn, so we should watch and wait for that.
Cybersecurity
Lord Clement-Jones Excerpts(1 year, 7 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones
To ask His Majesty’s Government what progress has been made in implementing the recommendations on cybersecurity made by Sir Patrick Vallance in his report Pro-innovation Regulation of Technologies Review: Digital Technologies, published in March.
The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
My Lords, in the Government’s response to the review, we set out that the Home Office is taking forward work to consider the merits and risks of the proposals made. We have created a group that includes law enforcement agencies, prosecutors, the cybersecurity industry and system owners to consider these issues and reach a consensus on the best way forward.
Lord Clement-Jones (LD)
My Lords, Sir Patrick made a very clear recommendation to amend the Computer Misuse Act to include a statutory public interest defence for cybersecurity researchers and professionals carrying out threat intelligence research. This has been extremely long awaited. We finally had a review, which started in 2021 and reported this year; we had a consultation, which concluded in April; and now we have the steps that the Minister talked about. What conclusion can we expect at the end of the day? Progress on this has been totally glacial given the importance to innovation and growth of this change to legislation.
Lord Sharpe of Epsom (Con)
My Lords, I agree that there is an enormous necessity to get this right, but that is part of the problem of why things are perhaps not happening as fast as the noble Lord would like—progress is far from glacial. These issues are incredibly complicated because, as the noble Lord noted, the proposals would potentially allow a defence for the unauthorised access by a person to another’s property, and in this case their computer systems and data, without their knowledge and consent. We therefore need to define what constitutes legitimate cybersecurity activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum. We also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. In short, these are complex matters, and it is entirely right to try to seek a consensus among the agencies I mentioned earlier.
Lord Sharpe of Epsom (Con)
The noble Viscount makes a good point. I am obviously unable to comment on the scheduling of parliamentary business but, when the group that I referred to in my initial Answer has finished its consultations and considerations and come to a consensus, we will of course report back to Parliament. I imagine that will include a debate.
Lord Clement-Jones (LD)
My Lords, does not everything that has been said on this Question today demonstrate the importance of fresh intelligence work and, therefore, the importance of changing the Computer Misuse Act?
Lord Sharpe of Epsom (Con)
I do not think that anybody disagrees with that. I am just saying that we need to get it right and do it properly.
National Security Bill
Lord Clement-Jones ExcerptsMonday 16th January 2023
(2 years, 1 month ago)
Lords ChamberRead Full debate National Security Act 2023 View all National Security Act 2023 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 68-V Fifth marshalled list for Committee - (16 Jan 2023)
Baroness Lister of Burtersett (Lab)
My Lords, I apologise for popping up at this point, not having taken part in the debates so far, but I was requested to do so by the British Academy, the UK’s national academy of humanities and social sciences, of which I am proud to be a fellow. I am also an academic who has in the past collaborated with colleagues from outside the UK in the area of social policy, which of course is trying to influence government.
I am sure I do not need to spell out the importance of international research collaboration, which was touched on by my noble friend Lord Stansgate, especially in the wake of the Science Minister’s speech last week which emphasised the importance of the Government’s global science strategy. Any such strategy requires international collaboration. The British Academy accepts that mechanisms to prevent foreign interference are necessary, but such mechanisms must safeguard the benefits of international research and protect academic freedom. It is worth just noting here what the Joint Committee on Human Rights had to say. It was concerned that this was introduced at such a late stage of the Bill’s passage that it could not comment properly on it, but it said:
“Any foreign influence registration scheme must contain adequate protections to ensure that it does not interfere unduly with democratic rights, including freedom of association and free speech.”
I think everything we have heard so today, other than from the Minister, suggests that it could interfere in that way.
Indeed, the British Academy argues that such mechanisms exist already and that FIRS would duplicate them in a way that creates totally unnecessary bureaucracy, which surely this Government, of all Governments, want to avoid. It is not helped by the lack of clarity in the wording, which was referred to by the noble Lord, Lord Wallace of Saltaire, with details left for secondary legislation. The effect, the British Academy argues, would be a significant negative impact on the ability of UK researchers to engage internationally, creating irreversible harm to the UK’s research and innovation standing. The academy is not prone to hyperbole.
As currently drafted, as we have heard, FIRS would entangle wide swathes of international activities and is likely to have a chilling effect on international collaboration, not just deterring those with malign intent—as referred to by the Minister—but probably having a much greater impact on those with utterly benign intent. I cannot believe for a moment that this is what the Government want, especially given that it would undermine their own aspirations to forge a global science strategy.
It is in the Government’s own interest to accept the British Academy’s recommendation that they withdraw Part 3—I think I am echoing what the noble Lord, Lord Carlile, said—and consult with it and other relevant organisations to cocreate a framework that is proportionate and reasonable, taking into account existing reporting and oversight mechanisms. The academy argues that research and innovation should be largely excluded from FIRS. Is this something that the Government are willing to consider? If not, why not? Will the Minister agree to take this away, have discussions with the British Academy and others and, ideally, withdraw Part 3 altogether as has been suggested or, at the very least, come up with something less harmful before Report? I am echoing other noble Lords in calling for a longer pause than currently envisaged. The more I have listened to today’s debate, the more horrified I have become at what this part of the Bill might mean.
Lord Clement-Jones (LD)
My Lords, I rise to speak to Amendment 103, and I declare my interests as set out in the register.
Like the noble Baronesses, Lady Noakes and Lady Lister, I am new to the Bill and have been provoked by briefings. Like others who have spoken today, I emphasise that I am absolutely no fan of this foreign influence registration scheme, which is far too broad in its application, as we have heard. I think it will be highly damaging to UK research and development, inward investment and British interests around the world. The noble Baroness, Lady Hayter, listed those who might get caught up in the scheme, and clearly very few of those have any connection at all with national security. I am delighted to support many amendments in this group and, in particular, the clause stand part notices that the noble Lords, Lord Anderson of Ipswich and Lord Carlile of Berriew, and my noble friend Lord Wallace have spoken to so cogently.
This has given us the opportunity to debate the flawed nature of the whole scheme. I will make some remarks about the impact on business and investment, which my noble friend Lord Fox would have made were he able to be here. We have heard powerful testimony from the British Academy, referred to by the noble Baroness, Lady Lister, and from the Russell group, referred to by the noble Viscount, Lord Stansgate, about the hugely detrimental potential impact of the Bill on the international research and development front. The British Academy rightly says that international collaboration is critical to the excellence of UK research and the Government’s aim to become a scientific and global science superpower. As it says, as currently drafted the FIRS will have a severely negative impact on the UK’s ability to engage with researchers internationally and on the ability of researchers in the humanities and social sciences to engage on critical public policy topics, and it will irrevocably harm the UK’s research and innovation standing. Strong words.
Under the scheme as currently proposed, at minimum, research universities will be smothered in red tape and, at worst, heavy criminal penalties in undertaking international research partnerships will be imposed. Bluntly, I must tell the Minister that his amendments add very little to the clarity of this scheme. The Minister’s letter about the intersection with the National Security and Investment Act, which we debated in 2021, was far from convincing. There is already a raft of other legislation relating to the academic technology approval scheme and export control, which impact on a university’s international activities. If this scheme, by mischance, does go through, it makes Amendment 104, in the name of my noble friend Lord Wallace, the absolute bare minimum needed. Both the Russell group and the British Academy make the case for clarity, non-duplication, proportionality and a high threshold for registration, none of which is currently present in the scheme.
A further cause for withdrawal of this scheme is the strong reaction from the business and investment community. That is why this stand part debate is so important. The ABI states very clearly that the current proposal for the FIRS
“risks placing significant reporting burden on insurers and long-term savings providers investing in the UK, with the potential to negatively impact the UK’s international competitiveness and attractiveness as a place to invest”.
TheCityUK says these proposals
“if passed unamended would have a chilling effect on inward investment into the UK”.
Lord Sharpe of Epsom (Con)
My Lords, I thought I was very clear on the precise specified persons tier here. A UK university would need to be acting at the direction of a specified foreign power or a specified foreign power-controlled entity before registration requirements could apply. I think that covers the set of circumstances just outlined by the noble Viscount.
Lord Clement-Jones (LD)
The Minister spoke about universities. Did he mean the academics—any academic within the universities?
Lord Sharpe of Epsom (Con)
Yes.
Amendment 103 was tabled by the noble Lord, Lord Clement-Jones, to remove the exemption from the registration requirement in FIRS for lawyers providing legal activities. While I welcome the challenge, removing this exemption would risk undermining long-standing protections the UK has afforded to the provision of confidential legal advice and the equitable administration of justice. The exemption is available only to lawyers carrying out legal activity and so would not apply to other individuals carrying out legal activity.
I also reiterate what was said in Committee in the other place: that this exemption does not completely exempt legal professionals from engaging with the scheme. It does not cover all the activities that could be undertaken by a legal professional as part of an arrangement with a foreign principal. Activities that are not strictly legal activities, such as lobbying, for example, may still need to be registered. So, for example, if a lawyer were to enter into an arrangement with a foreign power to lobby a UK government Minister or parliamentarian on the UK’s foreign policy towards that foreign power, that would be registrable. The fact that the individual is a lawyer is not sufficient in and of itself to exempt them from registration.
Lord Clement-Jones (LD)
I heard what the Minister said about lobbying and the additional aspect of lobbying by law firms, but why is any exemption needed beyond what is contained in Clause 74, which covers legal professional privilege effectively—legal proceedings and so on—so that no confidential information needs to be divulged? Why is it not necessary that a law firm is acting for a foreign power or an entity controlled by a foreign power? Why should that be exempt?
Lord Sharpe of Epsom (Con)
I think I explained this in reasonable detail. It goes back to the sort of work the lawyers carry out. As I say, it is the long-standing protections that the UK has afforded—
Lord Clement-Jones (LD)
All the Minister is saying, in a highly circular way, is that it is in here because it has always been in here in some other forms of legislation. I do not think that is much of an answer.
Lord Sharpe of Epsom (Con)
In that case, I am very sorry to disappoint the noble Lord. I apologise for having spoken at such length.
Technology Rules: The Advent of New Technologies in the Justice System (Justice and Home Affairs Committee Report)
Lord Clement-Jones Excerpts(2 years, 2 months ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, it is a pleasure to follow three such excellent opening speeches. I draw attention to my interests in the register, particularly my interest in artificial intelligence technologies as a former chair of the AI Select Committee of this House. As a non-member of her committee, I congratulate my noble friend Lady Hamwee and the committee on such a comprehensive and well-argued report.
I entirely understand and welcome the width of the report but today I shall focus on live facial recognition technology, a subject that I have raised many times in this House and elsewhere in Questions and debates, and even in a Private Member’s Bill, over the last five years. The previous debate involving a Home Office Minister—the predecessor of the noble Lord, Lord Sharpe, the noble Baroness, Lady Williams—was in April, on the new College of Policing guidance on live facial recognition.
On each occasion, I drew attention to why guidance or codes are regarded as insufficient by myself and many other organisations such as Liberty, Big Brother Watch, the Ada Lovelace Institute, the former Information Commissioner, current and former Biometrics and Surveillance Camera Commissioners and the Home Office’s own Biometrics and Forensics Ethics Group, not to mention the Commons Science and Technology Committee. On each occasion, I have raised the lack of a legal basis for the use of this technology—and on each occasion, government Ministers have denied that new explicit legislation or regulation is needed, as they have in the wholly inadequate response to this report.
In the successful appeal of Liberal Democrat Councillor Ed Bridges, the Court of Appeal case on the police use of live facial recognition issued in August 2020, the court ruled that South Wales Police’s use of such technology had not been in accordance with the law on several grounds, including in relation to certain human rights convention rights, data protection legislation and the public sector equality duty. So it was with considerable pleasure that I read the Justice and Home Affairs Committee report, which noted the complicated institutional landscape around the adoption of this kind of technology, emphasised the need for public trust and recommended a stronger legal framework with primary legislation embodying general principles supported by detailed regulation, a single national regulatory body, minimum scientific standards, and local or regional ethics committees put on a statutory basis.
Despite what paragraph 4 of the response says, neither House of Parliament has ever adequately considered or rigorously scrutinised automated facial recognition technology. We remain in the precarious position of police forces dictating the debate, taking it firmly out of the hands of elected parliamentarians and instead—as with the recent College of Policing guidance—marking their own homework. A range of studies have shown that facial recognition technology disproportionately misidentifies women and BAME people, meaning that people from those groups are more likely to be wrongly stopped and questioned by police, and to have their images retained as the result of a false match.
The response urges us to be more positive about the use of new technology, but the UK is now the most camera-surveilled country in the Western world. London remains the third most surveilled city in the world, with 73 surveillance cameras for every 1,000 people. The last Surveillance Camera Commissioner did a survey, shortly before stepping down, and found that there are over 6,000 systems and 80,000 cameras in operation in England and Wales across 183 local authorities. The ubiquity of surveillance cameras, which can be retrofitted with facial recognition software and fed into police databases, means that there is already an apparatus in place for large-scale intrusive surveillance, which could easily be augmented by the widespread adoption of facial recognition technology. Indeed, many surveillance cameras in the UK already have advanced capabilities such as biometric identification, behavioural analysis, anomaly detection, item/clothing recognition, vehicle recognition and profiling.
The breadth of public concern around this issue is growing clearer by the day. Many cities in the US have banned the use of facial recognition, while the European Parliament has called for a ban on the police use of facial recognition technology in public places and predictive policing. In 2020 Microsoft, IBM and Amazon announced that they would cease selling facial recognition technology to US law enforcement bodies.
Public trust is crucial. Sadly, the new Data Protection and Digital Information Bill does not help. As the Surveillance Camera Commissioner said last year, in a blog about the consultation leading up to it:
“This consultation ought to have provided a rare opportunity to pause and consider the real issues that we talk about when we talk about accountable police use of biometrics and surveillance, a chance to design a legal framework that is a planned response to identified requirements rather than a retrospective reaction to highlighted shortcomings, but it is an opportunity missed.”
Now we see that the role of Surveillance Camera Commissioner is to be abolished in the new data protection Bill—talk about shooting the messenger. The much-respected Ada Lovelace Institute has called, in its report Countermeasures and the associated Ryder review in June this year, for new primary legislation to govern the use of biometric technologies by both public and private actors, for a new oversight body and for a moratorium until comprehensive legislation is passed.
The Justice and Home Affairs Committee stopped short of recommending a moratorium on the use of LFR, but I agree with the institute that a moratorium is a vital first step. We need to put a stop to this unregulated invasion of our privacy and have a careful review, so that its use can be paused while a proper regulatory framework is put in place. Rather than update and use toothless codes of practice, as we are urged to do by the Government, to legitimise the use of new technologies such as live facial recognition, the UK should have a root-and-branch surveillance camera and biometrics review, which seeks to increase accountability and protect fundamental rights. The committee’s report is extremely authoritative in this respect. I hope today that the Government will listen but, so far, I am not filled with optimism about their approach to AI governance.
Public Spaces Protection Orders
Lord Clement-Jones Excerpts(2 years, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones
To ask His Majesty’s Government, further to reports that (1) at least 48 councils employ private companies to issue penalties for public spaces protection orders, and (2) many councils pay those companies per fine issued which incentivises companies to issue more penalties than may be necessary, what plans they have to introduce statutory guidance prohibiting this practice.
The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
My Lords, it is for local authorities to determine how to operate the powers granted to them in legislation. Contracting enforcement to third parties is a common arrangement and it is for the local authority to ensure it is just. Contractors are bound by the same legal obligations and safeguards in legislation as the councils themselves.
Lord Clement-Jones (LD)
My Lords, that is a classic dusty reply from the Home Office. What a contrast with Defra: its guidance on littering, which is a criminal offence, says that incentivising enforcement undermines
“the legitimacy of the enforcement regime”.
Wherever it has occurred, fining for profit has been associated with cases of injustice and now Defra is putting that in statutory guidance. Why is the Home Office not going to do this in its own guidance on the Anti-social Behaviour, Crime and Policing Act?
Lord Sharpe of Epsom (Con)
My Lords, I think it is worth reminding the House about public space protection orders, which are intended to deal with a particular nuisance or problem, in a specific area, that is detrimental to the local community’s quality of life by imposing conditions on the use of that area which apply to everyone. So the Home Office did publish statutory guidance to support local areas to make effective use of these powers. The guidance sets out the importance of focusing of the needs of the victim and the local community, as well as ensuring that the relevant legal tests are met. I repeat that it is for local authorities to determine how to enforce PSPOs and that can include the use of private contractors. Local authorities are obliged to follow the rules set out in the Public Contract Regulations 2015 in their appointment of such companies.
Lord Sharpe of Epsom (Con)
As I said earlier, the contracts that are awarded to these companies are governed by quite stringent guidance and rules. It is a matter for local authorities and the contracting companies.
Lord Clement-Jones (LD)
My Lords, if Defra is able to do this, why can the Home Office not do it? Defra is also very close to local government and clearly regards this as the wrong thing for local councils to be doing. Why does the Home Office not regard it as the wrong thing for councils to be doing?
Lord Sharpe of Epsom (Con)
Well, the noble Lord has already asked me that and I think I have already answered. The Home Office has provided statutory guidance to support local areas to make effective use of these powers. I go back to my earlier answer: the local areas are obliged to follow the rules set out in the Public Contracts Regulations 2015 before appointing such companies.
Queen’s Speech
Lord Clement-Jones Excerpts(2 years, 9 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I shall focus mainly on the Government’s digital proposals. As my noble friend Lady Bonham-Carter, the noble Baroness, Lady Merron, and many other noble Lords have made clear, the media Bill and Channel 4 privatisation will face fierce opposition all around this House. It could not be clearer that the policy towards both Channel 4 and the BBC follows some kind of red wall-driven, anti-woke government agenda that has zero logic. The Up Next White Paper on PSB talks of
“embedding the importance of distinctively British content directly into the existing quota system.”
How does the Minister define “distinctively British content”? Is it whatever the Secretary of State believes it is? As for the Government’s response to the consultation on audience protection standards on VOD services, can the Minister confirm that Ofcom will have the power to assess whether a platform’s own-brand age ratings genuinely take account of the values and expectations of UK families, as the BBFC’s do?
Having sat alongside the noble Lord, Lord Stevenson, on the joint scrutiny committee on the draft Online Safety Bill, I agreed with all his remarks today. I welcome the fact that its provisions are directed primarily at the business model of the social media platforms—in particular, the inclusion of scam advertising within the Bill and the inclusion of pornographic sites—but it is vital, if we are to have privacy protecting age verification, that principles for age assurance are included in the Bill. I welcome the intention to legislate for the new criminal communications offences recommended by the Law Commission, but without these being passed into law, the Bill will be completely defective, and we must incorporate the hate crime offences too.
But there are key issues that will need dealing with in the Bill’s passage through Parliament. As we have heard from many noble Lords, the “legal but harmful” provisions are potentially dangerous to freedom of expression, with those harms not being defined in the Bill itself. Similarly, with the lack of definition of children’s harms, it needs to be clear that encouraging self-harm or eating disorders is explicitly addressed on the face of the Bill, as my honourable friend Jamie Stone emphasised on Second Reading. My honourable friend Munira Wilson raised whether the metaverse was covered. Noble Lords may have watched the recent Channel 4 “Dispatches” exposing harms in the metaverse and chat rooms in particular. Without including it in the primary legislation, how can we be sure about this? In addition, the category definitions should be based more on risk than on reach, which would take account of cross-platform activity.
One of the great gaps not filled by the Bill, or the recent Elections Act just passed, is the whole area of misinformation and disinformation which gives rise to threats to our democracy. The Capitol riots of 6 January last year were a wake-up call, along with the danger of Donald Trump returning to Twitter.
The major question is why the draft digital markets, competition and consumer Bill is only a draft Bill in this Session. The DCMS Minister Chris Philp himself said in a letter to the noble Baroness, Lady Stowell—the Chair of the Communications and Digital Committee—dated just this 6 May, that
“urgent action in digital markets is needed to address the dominance of a small number of very powerful tech firms.”
In evidence to the BEIS Select Committee, the former chair of the CMA, the noble Lord, Lord Tyrie, recently stressed the importance of new powers to ensure expeditious execution and to impose interim measures.
Given the concerns shared widely within business about the potential impact on data adequacy with the EU, the idea of getting a Brexit dividend from major amendments to data protection through a data reform Bill is laughable. Maybe some clarification and simplification are needed—but not the wholesale changes canvassed in the Data: A New Direction consultation. Apart from digital ID standards, this is a far lower business priority than reforming competition regulation. A report by the New Economics Foundation made what it said was a “conservative estimate” that if the UK were to lose its adequacy status, it would increase business costs by at least £1.6 billion over the next 10 years. As the report’s author said, that is just the increased compliance costs and does not include estimates of the wider impacts around trade shifting, with UK businesses starting to lose EU customers. In particular, as regards issues relating to automated decision-making, citizens and consumers need more protection, not less.
As regards the Product Security and Telecommunications Infrastructure Bill, we see yet more changes to the Electronic Communications Code, all the result of the Government taking a piecemeal approach to broadband rollout. I do, however, welcome the provisions on security standards for connectable tech products.
Added to a massive programme of Bills, the DCMS has a number of other important issues to resolve: the AI governance White Paper; gambling reform, as mentioned by my noble friend Lord Foster; and much-needed input into IP and performers’ rights reform and protection where design and AI are concerned. I hope the Minister is up for a very long and strenuous haul. Have the Government not clearly bitten off more than the DCMS can chew?
Live Facial Recognition: Police Guidance
Lord Clement-Jones Excerpts(2 years, 10 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones
To ask Her Majesty’s Government what assessment they have made of the new College of Policing guidance on live facial recognition.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, facial recognition is an important public safety tool that helps the police to identify and eliminate suspects more quickly and accurately. The Government welcome the College of Policing’s national guidance, which responds to a recommendation in the Bridges v South Wales Police judgment.
Lord Clement-Jones (LD)
My Lords, despite committing to a lawful, ethical approach, the guidance gives carte blanche to the use of live and retrospective facial recognition, potentially allowing innocent victims and witnesses to be swept on to police watch-lists. This is without any legislation or parliamentary or other oversight, such as that recently recommended by the Justice and Home Affairs Committee, chaired by my noble friend Lady Hamwee. Are we not now sleep-walking into a surveillance society, and is it not now time for a moratorium on this technology, pending a review?
Baroness Williams of Trafford (Con)
I disagree with everything that the noble Lord has said. I think every police force in the country uses retrospective facial recognition. Watch-lists are deleted upon use at a deployment, so there is no issue regarding ongoing data protection. Importantly, just as CCTV and retrospective recognition are still used to detect criminals, missing persons and vulnerable people, so is the application of LFR.