(6 years, 11 months ago)
Lords ChamberMy Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.
I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.
Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.
On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.
Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.
The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.
I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
(7 years, 1 month ago)
Lords ChamberWe are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.
The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.
The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.
I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.
I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.