Data Protection and Digital Information Bill
Debate between Lord Clement-Jones and Lord Kirkhope of HarrogateMonday 22nd April 2024
(2 weeks ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-VI Sixth marshalled list for Grand Committee - (18 Apr 2024)
Lord Kirkhope of Harrogate (Con)
My Lords, I support Amendment 208A. I declare my interest as a solicitor but not one who has been directly involved with personal injury claims. This is an area of particular specialism that requires particular expertise and experience for it to be carried out to the best advantages of those who seek that help.
Looking back, I am concerned that this matter has been raised, in different fora, on a number of occasions. For instance, in 2016, the Telephone Preference Scheme opt-out was discussed when it was removed from the control of Ofcom to that of the ICO. At that point, there was a great opportunity for this matter to be dealt with. Indeed, a number of organisations, including personal injury lawyers, the Motor Accident Solicitors Society and others, said that it was vital to carry this out and that cold calling should be ended because of the pressures it placed on an awful lot of very vulnerable people.
Since 2016, things have got worse in one respect—although, perhaps, they are a little less bad in respect of telephone calling. It is a little while now since I was last told that I had just had a major accident in my car as I was sitting enjoying a glass of wine and not having such worries in my mind. Telephone cold calling seems to have diminished but pressures through social media contact, various scams and so on have increased dramatically. I have been told this by a number of my legal colleagues.
In 2023, the Government produced the UK’s Fraud Strategy. As I am sure noble Lords will know, when it was published, it specifically pursued the question of extending the ban on cold calling to personal injury cases; that was very important and included all servers. So, unless there is some relationship already in place—something where that is a defence, as it were, here—and a voluntary willingness on the part of those who suffer from personal injuries to be contacted by an organisation with which they already have a relationship, this is something that we should pursue very strongly indeed.
Although it is correct that the legal profession, and perhaps other professions, are banned from this procedure, on a regulatory or disciplinary basis, some of my colleagues in the profession are, in some cases, susceptible to financial and commercial challenges through these organisations, such that they would become—sometimes, almost inadvertently—part of the process. Therefore, I hope that, in passing such an amendment, we would give a clear sign to the Solicitors Regulation Authority and the Law Society that it underlines yet again that these practices are not acceptable to those members of the profession.
Lord Clement-Jones (LD)
My Lords, I support Amendment 208A. I am a recovering solicitor. Many moons ago, I gave public affairs advice to the Association of Personal Injury Lawyers, which is a fine organisation. I very much support its call and this amendment on that basis. I congratulate the noble Lord, Lord Leong, on his introduction to this amendment; he and the noble Lord, Lord Kirkhope, made a terrific case.
APIL took the trouble to commission research from YouGov, which showed that 38% of UK adults had received a cold call or text while 86% had a strong emotional response and were left feeling annoyed, angry, anxious, disgusted or upset. Therefore, the YouGov research reveals that almost all those who received a call supported a total ban on personal injury cold calls and text messages.
There is little for me to add but I am sorry that the noble Baroness, Lady Buscombe, is not with us—she has just exited the Room, which is unhappy timing because, in looking back at some of the discussions we have had in the House, I was about to quote her. During Report stage in the Lords on the Financial Guidance and Claims Bill, when she was a Minister, she told us:
“We know that cold calls continue and understand that more needs to be done truly to eradicate this problem. We have already committed to ban cold calls relating to pensions, and are minded to bring forward similar action in relation to the claims management industry. I have asked officials to consider the evidence for implementing a cold-calling ban in relation to claims management activities, and I am pleased to say that the Government are working through the detail of a ban on cold calling by claims management companies. There are complex issues to work through, including those relating, for example, to EU directives”;
of course, we do not have those any more. She went on to say:
“We would therefore like time to consider this important issue properly, and propose bringing forward a government amendment in the other place to meet the concerns of this House”.—[Official Report, 24/10/17; col. 861.]
How much time do the Government need? Talk about unfinished business. I know it is slightly unfair as you can unearth almost anything in Hansard but the fact is that this is bull’s eye. It is absolutely spot on on the part of APIL to have found this. I thought for one delirious minute that the noble Baroness, Lady Buscombe, was going to stand up and say, “Yes, I plead guilty. We never pursued this”.
Data Protection and Digital Information Bill
Debate between Lord Clement-Jones and Lord Kirkhope of HarrogateMonday 15th April 2024
(3 weeks ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-IV(a) Amendment for Grand Committee (Supplementary to the Fourth Marshalled List) - (15 Apr 2024)
Lord Clement-Jones (LD)
Once more unto the breach, my Lords—as opposed to “my friends”.
I will also speak to Amendments 112 to 114, 116 and 130. New Article 45B(2) lists conditions that the Secretary of State must consider when deciding whether a third country provides an adequate level of protection for data subjects. It replaces the existing conditions in Article 45(2)(a) to (c) of the UK GDPR, removing important considerations such as the impact of a third country’s laws and practices in relation to national security, defence, public security, criminal law and public authority access to personal data on the level of protection provided to UK data subjects.
Despite this shorter list of conditions to consider, the Secretary of State is none the less required to be satisfied that a third country provides a level of protection that is not materially lower than the UK’s. It is plain that such an assessment cannot be made without considering the impact of these factors on the level of protection for UK data in a third country. It is therefore unclear why the amendment that the Government have made to Article 45 is necessary, beyond a desire for the Government to draw attention away from such contentious and complicated issues.
It may be that through rewriting Article 45 of the UK GDPR, the Government’s intention is that assimilated case law on international data transfers is no longer relevant. If that is the case, that would be a substantial risk for UK data adequacy. Importantly, new Article 45B(2) removes the reference to the need for an independent data protection regulator in the relevant jurisdiction. This, sadly, is consistent with the theme of diminishing the independence of the ICO, which is one of the major concerns in relation to the Bill, and it is also an area where the European Commission has expressed concern. The independence of the regulator is a key part of the EU data adequacy regime and is explicitly referenced in Article 8 of the Charter of Fundamental Rights, which guarantees the right to protection of personal data. Amendment 111 restores the original considerations that the Secretary of State must take into account.
Amendments 112 and 113 would remove the proposed powers in Schedules 5 and 6 of the Secretary of State to assess other countries’ suitability for international transfers of data, and place these on the new information commission instead. In the specific context of HIV—the provenance of these amendments is in the National AIDS Trust’s suggestions—it is unlikely that the Secretary of State or their departmental officials will have the specialist knowledge to assess whether there is a risk of harm to an individual by transferring data related to their HIV status to a third country. Given that the activities of government departments are political by their nature, the Secretary of State making these decisions related to the suitability of transfer to third countries may not be viewed as objective by individuals whose personal data is transferred. Many people living with HIV feel comfortable reporting breaches of data protection law in relation to their HIV status to the Information Commissioner’s Office due to its position as an independent regulator, so the National AIDS Trust and others recommend that the Bill places these regulatory powers on the new information commission created by the Bill instead, as this may inspire greater public confidence.
As regards Amendment 114, paragraph 5 of Schedule 5 should contain additional provisions to mandate annual review of the data protection test for each third country to which data is transferred internationally to ensure that the data protection regime in that third country is secure and that people’s personal data, such as their HIV status, will not be shared inappropriately. HIV is criminalised in many countries around the world, and the transfer to these countries of personal data such as an individual’s HIV status could put an individual living with HIV, their partner or their family members at real risk of harm. This is because HIV stigma is incredibly pronounced in many countries, which fosters a real risk of HIV-related violence. Amendment 114 would mandate this annual review.
As regards Amendment 116, new Article 47A(4) to (7) gives the Secretary of State a broad regulation-making power to designate new transfer mechanisms for personal data being sent to a third country in the absence of adequacy regulations. Controllers would be able to rely on these new mechanisms, alongside the existing mechanisms in Article 46 of the UK GDPR, to transfer data abroad. In order to designate new mechanisms, which could be based on mechanisms used in other jurisdictions, the Secretary of State must be satisfied that these are
“capable of securing that the data protection test set out in Article 46 is met”.
The Secretary of State must be satisfied that the transfer mechanism is capable of providing a level of protection for data subjects that is not materially lower than under the UK GDPR and the Data Protection Act. The Government have described this new regulation-making power as a way to future-proof the UK’s GDPR international transfers regime, but they have not been able to point to any transfer mechanisms in other countries that might be suitable to be recognised in UK law, and nor have they set out examples of how new transfer mechanisms might be created.
In addition to not having a clear rationale to take the power, it is not clear how the Secretary of State could be satisfied that a new mechanism is capable of providing the appropriate level of protection for data subjects. This test is meant to be a lower standard than the test for controllers seeking to rely on a transfer mechanism to transfer overseas, which requires them to consider that the mechanism provides the appropriate level of protection. It is not clear to us how the Secretary of State could be satisfied of a mechanism’s capability without having a clear sense of how it would be used by controllers in reality. That is the reason for Amendment 116.
As regards Amendment 130, Ministers have continued all the adequacy decisions that the EU had made in respect of third countries when the UK stopped being subject to EU treaties. The UK also conferred data adequacy on the EEA, but all this was done on a transitional basis. The Bill now seeks to continue those adequacy decisions, but no analysis appears to have been carried out as to whether these jurisdictions confer an adequate level of protection of personal data. This is not consistent with Section 17B(1) of the DPA 2018, which states that the Secretary of State must carry out a review of whether the relevant country that has been granted data adequacy continues to ensure an adequate level of protection, and that these reviews must be carried out at intervals of not more than four years.
In the EU, litigants have twice brought successful challenges against adequacy decisions. Those decisions were deemed unlawful and quashed by the European Court of Justice. It appears that this sort of challenge would not be possible in the UK because the adequacy decisions are being continued by the Bill and therefore through primary legislation. Any challenge to these adequacy decisions could result only in a declaration of incompatibility under the Human Rights Act; it could not be quashed by the UK courts. This is another example of how leaving the EU has diminished the rights of UK citizens compared with their EU counterparts.
As well as tabling those amendments, I support and have signed Amendment 115 in the names of the noble Lords, Lord Bethell and Lord Kirkhope, and I look forward to hearing their arguments in relation to it. In the meantime, I beg to move.
Lord Kirkhope of Harrogate (Con)
My Lords, I rise with some temerity. This is my first visit to this Committee to speak. I have popped in before and have been following it very carefully. The work going on here is enormously important.
I am speaking to Amendment 115, thanks to the indulgence of my noble friend Lord Bethell, who is the lead name on that amendment but has kindly suggested that I start the discussions. I also thank the noble Lord, Lord Clement-Jones, for his support. Amendment 115 has one clear objective and that is to prevent transfer of UK user data to jurisdictions where data rights cannot be enforced and there is no credible right of redress. The word “credible” is important in this amendment.
I thank my noble friend the Minister for his letter of 11 April, which he sent to us to try to mop up a number of issues. In particular, in one paragraph he referred to the question of adequacy, which may also touch on what the noble Lord, Lord Clement-Jones, has just said. The Secretary of State’s powers are also referred to, but I must ask: how, in a fast-moving or unique situation, can all the factors referred to in this long and comprehensive paragraph be considered?
The mechanisms of government and government departments must be thorough and in place to satisfactorily discharge what are, I think, somewhat grand intentions. I say that from a personal point of view, because I was one of those who drafted the European GDPR—another reason I am interested in discussing these matters today—and I was responsible for the adequacy decisions with third countries. The word “adequacy” matters very much in this group, in the same way that we were unable to use “adequacy” when we dealt with the United States and had to look at “equivalence”. Adequacy can work only if one is working to similar parameters. If one is constitutionally looking at different parameters, as is the case in the United States, then the word “equivalence” becomes much more relevant, because, although things cannot be quite the same in the way in which administration or regulation is carried out, if you have an equivalence situation, that can be acceptable and lead to an understanding of the adequacy which we are looking for in terms of others being involved.
I have a marvellous note here, which I am sure noble Lords have already talked about. It says that every day we generate 181 zettabytes of personal data. I am sure noble Lords are all aware of zettabytes, but I will clarify. One zettabyte is 1,000 exabytes—which perhaps makes it simpler to understand—or, if you like, 1 billion trillion bytes. One’s mind just has to get around this, but this is data on our movements, finances, health and families, from our cameras, phones, doorbells and, I am afraid, even from our refrigerators—though Lady Kirkhope refuses point blank to have any kind of detector on her fridge door that will tell anybody anything about us or what we eat. Increasingly, it is also data from our cars. Our every moment is recorded—information relating to everything from shopping preferences to personal fitness to our anxieties, even, as they are displayed or discussed. It is stored by companies that we entrust with that data and we have a right to expect that such sensitive and private data will be protected. Indeed, one of the core principles of data protection, as we all know, is accountability.
Article 79 of the UK GDPR and Section 167 of our Data Protection Act 2018 provide that UK users must have the right to effective judicial remedy in the event of a data protection breach. Article 79 says that
“each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation”.