(7 months, 1 week ago)
Lords Chamber
My Lords, I thank all noble Lords who have contributed to the debate today and, of course, throughout the development of this legislation. It has been a characteristically brilliant debate; I want to thank all noble Lords for their various and valuable views.
I turn first to the Motions tabled by the noble Lord, Lord Faulks, in relation to appeals and proportionality. I thank him for his continued engagement and constructive debate on these issues. We of course expect the CMA to behave in a proportionate manner at all times as it operates the digital market regime. However, today we are considering specifically the statutory requirement for proportionality in the Bill. We are making it clear that the DMU must design conduct requirements and PCIs to place as little burden as possible on firms, while still effectively addressing competition issues. The proposed amendments would not remove the reference to proportionality in Clause 21 and so, we feel, do not achieve their intended aim, but I shall set out the Government’s position on why proportionality is required.
On the question of the wording of “appropriate” versus “proportionate”, proportionality is a well-understood and precedented concept with a long history of case law. “Appropriate” would be a more subjective threshold, giving the CMA broader discretion. The Government’s position is that proportionality is the right threshold to be met in legislation due to the fact that it applies, in the vast majority of cases, because of ECHR considerations. It is the Government’s view that the same requirement for proportionality should apply whether or not ECHR rights are engaged.
As Article 1 of Protocol 1—A1P1—of the European Convention on Human Rights will apply to the vast majority of conduct requirements and PCIs imposed by the CMA, with the result that the courts will apply a proportionality requirement, we consider it important that it should be explicit that there is a statutory proportionality requirement for all conduct requirements and PCIs. We believe that proportionality should be considered beyond just those cases where A1P1 may apply, in particular when a conduct requirement or PCI would impact future contracts of an SMS firm.
The courts’ approach to proportionality in relation to consideration of ECHR rights has been set out by the Supreme Court, and we do not expect them to take a different approach here. Furthermore, the CAT will accord respect to the expert judgments of the regulator and will not seek to overturn its judgments lightly. I hope this answers the question put by the noble Lord, Lord Faulks.
On appeals, I thank noble Lords for their engagement on this matter, and in particular the noble Baroness, Lady Jones of Whitchurch, for setting out the rationale for her Amendments 32B and 32C, which seek to provide further clarity about where on the merits appeals apply. I want to be clear that the Government’s intention is that only penalty decisions will be appealable on the merits and that this should not extend to earlier decisions about whether an infringement occurred. I do not consider these amendments necessary, for the following reasons.
The Bill draws a clear distinction between penalty decisions and those about infringements, with these being covered by separate Clauses 89 and 103. There is a Court of Appeal precedent in BCL v BASF 2009 that, in considering a similar competition framework, draws a clear distinction between infringement decisions and penalty decisions. The Government consider that the CAT and the higher courts will have no difficulty in making this distinction for digital markets appeals to give effect to the legislation as drafted.
I now turn to the Motion tabled by the noble Lord, Lord Clement-Jones, in respect of the countervailing benefits exemption. I thank the noble Lord for his engagement with me and the Bill team on this important topic. The noble Lord has asked for clarification that the “indispensability” standard in Section 9 of the Competition Act 1998, and the wording,
“those benefits could not be realised without the conduct”,
are equivalent to each other. I want to be clear that the exemption within this regime and the exemption in Section 9 of the Competition Act 1998 are different. This is because they operate in wholly different contexts, with different criteria and processes. This would be the case however the exemption is worded in this Bill. That is why the Explanatory Notes refer to a “similar” exemption, because saying it is “equivalent” would be technically incorrect.
Having said that, the “indispensability” standard and the threshold of the Government’s wording,
“those benefits could not be realised without the conduct”,
are equally high. While the exemptions themselves are different, I hope I can reassure noble Lords that the Government’s view is that the standard—the height of the threshold—is, indeed, equivalent. The Government still believe that the clarity provided by simplifying the language provides greater certainty to all businesses, while ensuring that consumers get the best outcomes.
I thank the noble Lord, Lord Clement-Jones, for his question in relation to the Google privacy sandbox case. The CMA considers a range of consumer benefits under its existing consumer objective. This can include the privacy of consumers. It worked closely with the ICO to assess data privacy concerns in its Google privacy sandbox investigation and we expect it would take a similar approach under this regime.
I urge all noble Lords to consider carefully the Motions put forward by the Government and hope all Members will feel able—
Indeed. In principle I am very happy to update the Explanatory Notes, but I need to engage with ministerial colleagues. However, I see no reason why that would not be possible.
Meanwhile, I hope all noble Lords will feel able to support the Government’s position.
My Lords, I have already spoken to Motion B. I beg to move.
Motion B1 (as an amendment to Motion B)
Tabled by
Leave out from “House” to end and insert “do not insist on its Amendment 12, to which the Commons have disagreed for their Reason 13A, and do insist on its Amendment 13.”
(7 months, 2 weeks ago)
Lords Chamber
Indeed—and let me first thank my noble friend for bringing up this important matter. That sounds to me like something that would be likely to be applied under the false communications offence in the Online Safety Act—Section 179—although I would not be able to say for sure. The tests that it would need to meet are that the information would have to be knowingly false and cause non-trivial physical or psychological harm to those offended, but that would seem to be the relevant offence.
My Lords, does not the Question from the noble Baroness, Lady Jones, highlight that we must hold to account with legal liability not only those who create this kind of deepfake content and facilitate its spread, but those who enable the production of deepfakes with software, such as by having standards and risk-based regulation for generative AI systems, which the Government in their White Paper have resolutely refused to do?
The Government set out in their White Paper response that off-the-shelf AI software that can in part be used to create these kinds of deepfakes is not, in and of itself, something that we are considering placing any ban on. However, there are ranges of software, a sort of middle layer to the AI production, that can greatly facilitate the production of deepfakes of all kinds, not just political but other kinds of criminal deepfakes—and there the Government would be actively considering moving against those purpose-built criminal tools.
(8 months ago)
Grand Committee
I start by thanking the noble Lords, Lord Clement-Jones and Lord Bassam, for their respective replies. As I have said, the Geospatial Commission has been engaging extensively with stakeholders, including the security services, on NUAR since 2018. This has included a call for evidence, a pilot project, a public consultation, focus groups, various workshops and other interactions. All major gas and water companies have signed up, as well as several large telecoms firms.
While the Minister is speaking, maybe the Box could tell him whether the figure of only 33% of asset owners having signed up is correct? Both I and the noble Lord, Lord Bassam, mentioned that; it would be very useful to know.
It did complete a pilot phase this year. As it operationalises, more and more will sign up. I do not know the actual number that have signed up today, but I will find out.
NUAR does not duplicate existing commercial services. It is a standardised, interactive digital map of buried infrastructure, which no existing service is able to provide. It will significantly enhance data sharing and access efficiency. Current services—
I am not sure that there is doubt over the current scope of NUAR; it is meant to address all buried infrastructure in the United Kingdom. LSBUD does make extensive representations, as indeed it has to parliamentarians of both Houses, and has spoken several times to the Geospatial Commission. I am very happy to commit to continuing to do so.
My Lords, the noble Lord, Lord Bassam, is absolutely right to be asking that question. We can go only on the briefs we get. Unlike the noble Lord, Lord Bassam, I have not been underground very recently, but we do rely on the briefings we get. LSBUD is described as a
“sustainably-funded UK success story”—
okay, give or take a bit of puff—that
“responds to most requests in 5 minutes or less”.
It has
“150+ asset-owners covering nearly 2 million km and 98% of high-risk assets—like gas, electric, and fuel pipelines”.
That sounds as though we are in the same kind of territory. How can the Minister just baldly state that NUAR is entirely different? Can he perhaps give us a paragraph on how they differ? I do not think that “completely different” can possibly characterise this relationship.
As I understand it, LSBUD services are provided on a pdf, on request. It is not interactive; it is not vector-based graphics presented on a map, so it cannot be interrogated in the same way. Furthermore, as I understand it—and I am happy to be corrected if I am misstating—LSBUD has a great many private sector asset owners, but no public sector data is provided. All of it is provided on a much more manualised basis. The two services simply do not brook comparison. I would be delighted to speak to LSBUD.
My Lords, we are beginning to tease out something quite useful here. Basically, NUAR will be pretty much an automatic service, because it will be available online, I assume, which has implications on data protection, on who owns the copyright and so on. I am sure there are all kinds of issues there. It is the way the service is delivered, and then you have the public sector, which has not taken part in LSBUD. Are those the two key distinctions?
Indeed, there are two key distinctions. One is the way that the information is provided online, in a live format, and the other is the quantity and nature of the data that is provided, which will eventually be all relevant data in the United Kingdom under NUAR, versus those who choose to sign up on LSBUD and equivalent services. I am very happy to write on the various figures. Maybe it would help if I were to arrange a demonstration of the technology. Would that be useful? I will do that.
Unlike the noble Lord, Lord Bassam, I do not have that background in seeing what happens with the excavators, but I would very much welcome that. The Minister again is really making the case for greater co-operation. The public sector has access to the public sector information, and LSBUD has access to a lot of private sector information. Does that not speak to co-operation between the two systems? We seem to have warring camps, where the Government are determined to prove that they are forging ahead with their new service and are trampling on quite a lot of rights, interests and concerns in doing so—by the sound of it. The Minister looks rather sceptical.
I am not sure whose rights are being trampled on by having a shared database of these things. However, I will arrange a demonstration, and I confidently state that nobody who sees that demonstration will have any cynicism any more about the quality of the service provided.
All I can say is that, in that case, the Minister has been worked on extremely well.
In addition to the situation that the noble Lord, Lord Bassam, described, I was braced for a really horrible situation, because these things very often lead to danger and death, and there is a very serious safety argument to providing this information reliably and rapidly, as NUAR will.
Before the Minister’s peroration, I just want to check something. He talked about the discovery project and contact with the industry; by that, I assume he was talking about asset owners as part of the project. What contact is proposed with the existing company, LinesearchbeforeUdig, and some of its major supporters? Can the Government assure us that they will have greater contact or try to align? Can they give greater assurance than they have been able to give today? Clearly, there is suspicion here of the Government’s intentions and how things will work out. If we are to achieve this safety agenda—I absolutely support it; it is the fundamental issue here—more work needs to be done in building bridges, to use another construction metaphor.
As I said, the Government have met the Geospatial Commission many times. I would be happy to meet it in order to help it adapt its business model for the NUAR future. As I said, it has attended the last three discovery workshops, allowing this data.
I close by thanking noble Lords for their contributions. I hope they look forward to the demonstration.
My Lords, I recognise the feeling of the Committee on this issue and, frankly, I recognise the feeling of the whole country with respect to Horizon. I thank all those who have spoken for a really enlightening debate. I thank the noble Baroness, Lady Kidron, for tabling the amendment and my noble friend Lord Arbuthnot for speaking to it and—if I may depart from the script—his heroic behaviour with respect to the sub-postmasters.
There can be no doubt that hundreds of innocent sub-postmasters and sub-postmistresses have suffered an intolerable miscarriage of justice at the hands of the Post Office. I hope noble Lords will indulge me if I speak very briefly on that. On 13 March, the Government introduced the Post Office (Horizon System) Offences Bill into Parliament, which is due to go before a Committee of the whole House in the House of Commons on 29 April. The Bill will quash relevant convictions of individuals who worked, including on a voluntary basis, in Post Office branches and who have suffered as a result of the Post Office Horizon IT scandal. It will quash, on a blanket basis, convictions for various theft, fraud and related offences during the period of the Horizon scandal in England, Wales and Northern Ireland. This is to be followed by swift financial redress delivered by the Department for Business and Trade.
On the amendment laid by the noble Baroness, Lady Kidron—I thank her and the noble Lords who have supported it—I fully understand the intent behind this amendment, which aims to address issues with computer evidence such as those arising from the Post Office cases. The common law presumption, as has been said, is that the computer which has produced evidence in a case was operating effectively at the material time unless there is evidence to the contrary, in which case the party relying on the computer evidence will need to satisfy the court that the evidence is reliable and therefore admissible.
This amendment would require a party relying on computer evidence to provide proof up front that the computer was operating effectively at the time and that there is no evidence of improper use. I and my fellow Ministers, including those at the MoJ, understand the intent behind this amendment, and we are considering very carefully the issues raised by the Post Office cases in relation to computer evidence, including these wider concerns. So I would welcome the opportunity for further meetings with the noble Baroness, alongside MoJ colleagues. I was pleased to hear that she had met with my right honourable friend the Lord Chancellor on this matter.
We are considering, for example, the way reliability of evidence from the Horizon system was presented, how failures of investigation and disclosure prevented that evidence from being effectively challenged, and the lack of corroborating evidence in many cases. These issues need to be considered carefully, with the full facts in front of us. Sir Wyn Williams is examining in detail the failings that led to the Post Office scandal. These issues are not straightforward. The prosecution of those cases relied on assertions that the Horizon system was accurate and reliable, which the Post Office knew to be wrong. This was supported by expert evidence, which it knew to be misleading. The issue was that the Post Office chose to withhold the fact that the computer evidence itself was wrong.
This amendment would also have a significant impact on the criminal justice system. Almost all criminal cases rely on computer evidence to some extent, so any change to the burden of proof would or could impede the work of the Crown Prosecution Service and other prosecutors.
Although I am not able to accept this amendment for these reasons, I share the desire to find an appropriate way forward along with my colleagues at the Ministry of Justice, who will bear the brunt of this work, as the noble Lord, Lord Clement-Jones, alluded to. I look forward to meeting the noble Baroness to discuss this ahead of Report. Meanwhile, I hope she will withdraw her amendment.
Can the Minister pass on the following suggestion? Paul Marshall, who has been mentioned by all of us, is absolutely au fait with the exact procedure. He has experience of how it has worked in practice, and he has made some constructive suggestions. If there is not a full return to Section 69, there could be other, more nuanced, ways of doing this, meeting the Minister’s objections. But can I suggest that the MoJ has contact with him and discusses what the best way forward would be? He has been writing about this for some years now, and it would be extremely useful, if the MoJ has not already engaged with him, to do so.
I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones of Whitchurch, for tabling the amendments in this important group. I very much share the concerns about all the uses of deepfake images that are highlighted by these amendments. I will speak more briefly than I otherwise would with a view to trying to—
My Lords, I would be very happy to get a letter from the Minister.
I would be happy to write one. I will go for the abbreviated version of my speech.
I turn first to the part of the amendment that would seek to criminalise the creation, alteration or otherwise generation of deepfake images depicting a person engaged in an intimate act. The Government recognise that there is significant public concern about the simple creation of sexually explicit deepfake images, and this is why they have announced their intention to table an amendment to the Criminal Justice Bill, currently in the other place, to criminalise the creation of purposed sexual images of adults without consent.
The noble Lord’s Amendment 294 would create an offence explicitly targeting the creation or alteration of deepfake content when a person knows or suspects that the deepfake will be or is likely to be used to commit fraud. It is already an offence under Section 7 of the Fraud Act 2006 to generate software or deepfakes known to be designed for or intended to be used in the commission of fraud, and the Online Safety Act lists fraud as a priority offence and as a relevant offence for the duties on major services to remove paid-for fraudulent advertising.
Amendment 295 in the name of the noble Baroness, Lady Jones of Whitchurch, seeks to create an offence of creating or sharing political deepfakes. The Government recognise the threats to democracy that harmful actors pose. At the same time, the UK also wants to ensure that we safeguard the ability for robust debate and protect freedom of expression. It is crucial that we get that balance right.
Let me first reassure noble Lords that the UK already has criminal offences that protect our democratic processes, such as the National Security Act 2023 and the false communications offence introduced in the Online Safety Act 2023. It is also already an election offence to make false statements of fact about the personal character or conduct of a candidate or about the withdrawal of a candidate before or during an election. These offences have appropriate tests to ensure that we protect the integrity of democratic processes while also ensuring that we do not impede the ability for robust political debate.
I assure noble Lords that we continue to work across government to ensure that we are ready to respond to the risks to democracy from deepfakes. The Defending Democracy Taskforce, which seeks to protect the democratic integrity of the UK, is engaging across government and with Parliament, the UK’s intelligence community, the devolved Administrations, local authorities and others on the full range of threats facing our democratic institutions. We also continue to meet regularly with social media companies to ensure that they continue to take action to protect users from election interference.
Turning to Amendments 295A to 295F, I thank the noble Lord, Lord Clement-Jones, for them. Taken together, they would in effect establish a new regulatory regime in relation to the creation and dissemination of deepfakes. The Government recognise the concerns raised around harmful deepfakes and have already taken action against illegal content online. We absolutely recognise the intention behind these amendments but they pose significant risks, including to freedom of expression; I will write to noble Lords about those in order to make my arguments in more detail.
For the reasons I have set out, I am not able to accept these amendments. I hope that the noble Lord will therefore withdraw his amendment.
My Lords, I thank the Minister for that rather breathless response and his consideration. I look forward to his letter. We have arguments about regulation in the AI field; this is, if you like, a subset of that—but a rather important subset. My underlying theme is “must try harder”. I thank the noble Lord, Lord Leong, for his support and pay tribute to Control AI, which is vigorously campaigning on this subject in terms of the supply chain for the creation of these deepfakes.
Pending the Minister’s letter, which I look forward to, I beg leave to withdraw my amendment.
The Committee will be relieved to know that I will be brief. I do not have much to say because, in general terms, this seems an eminently sensible amendment.
We should congratulate the noble Lord, Lord Clement-Jones, on his drafting ingenuity. He has managed to compose an amendment that brings together the need for scrutiny of emerging national security and data privacy risks relating to advanced technology, aims to inform regulatory developments and guidance that might be required to mitigate risks, and would protect the privacy of people’s genomics data. It also picks up along the way the issue of the security services scrutinising malign entities and guiding researchers, businesses, consumers and public bodies. Bringing all those things together at the end of a long and rather messy Bill is quite a feat—congratulations to the noble Lord.
I am rather hoping that the Minister will tell the Committee either that the Government will accept this wisely crafted amendment or that everything it contains is already covered. If the latter is the case, can he point noble Lords to where those things are covered in the Bill? Can he also reassure the Committee that the safety and security issues raised by the noble Lord, Lord Clement-Jones, are covered? Having said all that, we support the general direction of travel that the amendment takes.
Nothing makes me happier than the noble Lord’s happiness. I thank him for his amendment and the noble Lord, Lord Bassam, for his points; I will write to them on those, given the Committee’s desire for brevity and the desire to complete this stage tonight.
I wish to say some final words overall. I sincerely thank the Committee for its vigorous—I think that is the right word—scrutiny of this Bill. We have not necessarily agreed on a great deal, but I am in awe of the level of scrutiny and the commitment to making the Bill as good as possible. Let us be absolutely honest—this is not the most entertaining subject, but it is something that we all take extremely seriously and I pay tribute to the Committee for its work. I also extend sincere thanks to the clerks and our Hansard colleagues for agreeing to stay a little later than agreed, although that may not even be necessary. I very much look forward to engaging with noble Lords again before and during Report.
My Lords, I thank the Minister, the noble Baroness, Lady Jones, and all the team. I also thank the noble Lord, Lord Harlech, whose first name we now know; these things are always useful to know. This has been quite a marathon. I hope that we will have many conversations between now and Report. I also hope that Report is not too early as there is a lot to sort out. The noble Baroness, Lady Jones, and I will be putting together our priority list imminently but, in the meantime, I beg leave to withdraw my amendment.
(8 months ago)
Grand Committee
My Lords, tracking the provenance of Clause 113 has been a very interesting exercise. If we think that Clause 114 is pretty politically motivated, Clause 113 is likewise. These rules relating to the fact that political parties cannot avail themselves of the soft opt-in provision have been there since 2005. The Information Commissioner issued guidance on political campaigning, and it was brought within the rules. Subsequently, there has been a ruling in a tribunal case which confirmed that: the SNP was issued with an enforcement notice and the information tribunal dismissed the appeal.
The Conservative Party was fined in 2021 for sending emails to people who did not ask for them. Then, lo and behold, there was a Conservative Party submission to the House of Lords Democracy and Digital Technologies Committee in 2020, and that submission has been repeated on a number of occasions. I have been trying to track how many times the submission has been made by the Conservative Party. The submission makes it quite clear that there is frustration in the Conservative Party. I have the written evidence here. It says:
“We have a number of concerns about the Information Commissioner’s draft code”—
as it then was: it is now a full code—
“on the use of data for political campaigning. In the interests of transparency, I enclose a copy of the response that the Conservative Party sent to the consultation. I … particularly flag the potential chilling effect on long-standing practices of MPs and councillors from engaging with their local constituents”.
Now, exactly as the noble Baroness has said, I do not think there is any call from other political parties to change the rules. I have not seen any submissions from any other political party, so I would very much like to know why the Government have decided to favour the Conservative Party in these circumstances by changing the rules. It seems rather peculiar.
The guidance for personal data in political campaigning, which I read while preparing for this debate, seems to be admirably clear. It is quite long, but it is admirably clear, and I congratulate the ICO on tiptoeing through the tulips rather successfully. However, the fact is that we have very clear guidance and a very clear situation, and I entirely agree with the noble Baroness that we are wholly in favour of charities being able to avail themselves of the new provisions, but allowing political parties to do so is a bridge too far and, on that basis, I very much support the amendment.
My Lords, I thank the noble Baroness, Lady Jones, for Amendments 209 and 210, which would amend Clause 113 by removing electronic communications sent by political parties from the scope of the soft opt-in direct marketing rule. A similar rule to this already exists for commercial organisations so that they can message customers who have previously purchased goods or services about similar products without their express consent. However, the rule does not apply if a customer has opted out of receiving direct marketing material.
The Government consider that similar rules should apply to non-commercial organisations. Clause 113 therefore allows political parties, charities and other non-commercial organisations that have collected contact details from people who have expressed an interest in their objectives to send them direct marketing material without their express consent. If people do not want to receive political messaging, we have included several privacy safeguards around the soft opt-in measure that allow people to easily opt out of receiving further communications.
Support for a political party’s objectives could be demonstrated, for example, through a person’s attendance at a party conference or other event, or via a donation made to the party. In these circumstances, it seems perfectly reasonable for the party to reach out to that person again with direct marketing material, provided that the individual has not objected to receiving it. I reassure the Committee that no partisan advantage is intended via these measures.
My Lords, perhaps the Minister could elucidate exactly what is meant by “supporting the party’s objectives”. For instance, if we had a high street petition, would that be sufficient to grab their email address and start communicating with them?
I suppose it would depend on the petition and who was raising it. If it were a petition raised or an activity supported by a particular party, that would indicate grounds for a soft opt-in, but of course anyone choosing not to receive these things could opt out either at the time or later, on receipt of the first item of material.
So what the Minister is saying is that the solicitor, if you like, who is asking you to sign this petition does not have to say, “Do you mind if I use your email address or if we communicate with you in future?” The person who is signing has to say, “By the way, I may support this local campaign or petition, but you’re not going to send me any emails”. People need to beware, do they not?
Indeed. Many such petitions are of course initiated by charitable organisations or other not-for-profits and they would equally benefit from the soft opt-in rule, but anyone under any of those circumstances who wished not to receive those communications could opt out either at the time or on receipt of the first communication on becoming aware that they were due to receive these. For those reasons, I hope that the noble Baroness will not press her amendments in relation to these provisions.
(8 months, 1 week ago)
Grand Committee
My Lords, just so that the Minister might get a little note, I will ask a question. He has explained what is possible—what can be done—but not why the Government still resist putting Article 80(2) into effect. What is the reason for not adopting that article?
The reason was that an extensive consultation was undertaken in 2021 by the Government, and the Government concluded at that time that there was insufficient evidence to take what would necessarily be a complex step. That was largely on the grounds that class actions of this type can go forward either as long as they have the consent of any named individuals in the class action or on behalf of a group of individuals who are unnamed and not specifically raised by name within the investigation itself.
Perhaps the Minister could in due course say what evidence would help to persuade the Government to adopt the article.
I want to help the Minister. Perhaps he could give us some more detail on the nature of that consultation and the number of responses and what people said in it. It strikes me as rather important.
Fair enough. Maybe for the time being, it will satisfy the Committee if I share a copy of that consultation and what evidence was considered, if that would work.
I will turn now to Amendments 154A to 155 and Amendment 175, which propose sweeping modifications to the jurisdiction of the court and tribunal for proceedings under the Data Protection Act 2018. These amendments would have the effect of making the First-tier Tribunal and Upper Tribunal responsible for all data protection cases, transferring both ongoing and future cases out of the court system and to the relevant tribunals.
The Government of course want to ensure that proceedings for enforcement of data protection rules, including redress routes available to data subjects, are appropriate for the nature of the complaint. As the Committee will be well aware, at present there is a mixture of jurisdiction for tribunals and courts under data protection legislation, depending on the precise nature of the proceedings in question. Tribunals are indeed the appropriate venue for some data protection proceedings, and the legislation already recognises that—for example, for application by data subjects for an order requiring the ICO to progress their complaint. However, courts are generally the more appropriate venue for cases involving claims for compensation and successful parties can usually recover their costs. Courts also apply stricter rules of procedure and evidence than tribunals. That is because some cases are appropriate to fall under the jurisdiction of the tribunal, while others are more appropriate for court jurisdiction. For example, claims by individuals against organisations for breaches of legal requirements can result in awards of compensatory damages for the individuals and financial and reputational damage for the organisations. It is appropriate that such cases are handled by a court in accordance with its strict procedural and evidential rules, where the data subject may recover their costs if successful.
As such, the Government are confident that the current system is balanced and proportionate and provides clear and effective administrative and judicial redress routes for data subjects seeking to exercise their rights.
My Lords, is the Minister saying that there is absolutely no confusion between the jurisdiction of the tribunals and the courts? That is, no court has come to a different conclusion about jurisdiction—for example, as to whether procedural matters are for tribunals and merits are for courts or vice versa. Is he saying that everything is hunky-dory and clear and that we do not need to concern ourselves with this crossover of jurisdiction?
No, as I was about to say, we need to take these issues seriously. The noble Lord raised a number of specific cases. I was unfamiliar with them at the start of the debate—
I will go away and look at those; I look forward to learning more about them. There are obvious implications in what the noble Lord said as to the most effective ways of distributing cases between courts and other channels.
For these reasons, I hope that the noble Lord will withdraw his amendment.
I would be very happy to participate in that discussion, absolutely.
My Lords, I thank the Minister for his response. I have surprised myself: I have taken something positive away from the Bill.
The noble Baroness, Lady Jones, was quite right to be more positive about Clause 44 than I was. The Minister unpacked its relationship with Clause 45 well and satisfactorily. Obviously, we will read Hansard before we jump to too positive a conclusion.
On Article 80(2), I am grateful to the Minister for agreeing both to go back to the consultation and to look at the kinds of evidence that were brought forward, because this is a really important aspect for many civil society organisations. He underestimates the difficulties faced when bringing complaints of this nature. I would very much like this conversation to go forward because this issue has been quite a bone of contention; the noble Baroness, Lady Kidron, remembers that only too well. We may even have had ping-pong on the matter back in 2017. There is an appetite to keep on the case so, the more we can discuss this matter—between Committee and Report in particular—the better, because there is quite a head of steam behind it.
As far as the jurisdiction point is concerned, I think this may be the first time I have heard a Minister talk about the Sorting Hat. I was impressed: I have often compared this place to Hogwarts but the concept of using the Sorting Hat to decide whether a case goes to a tribunal or a court is a wonderful one. You would probably need artificial intelligence to do that kind of thing nowadays; that in itself is a bit of an issue because, after all, these may be elaborate amendments but, as the noble Lord, Lord Bassam, said, the case being made here is about the possibility of there being confusion and things not being clear in terms of where jurisdiction lies. It is really important that we determine whether the courts and tribunals themselves understand this and, perhaps more appropriately, whether they have differing views about it.
We need to get to grips with this; the more the Minister can dig into it, and into Delo, Killock and so on, the better. We are all in the foothills here but I am certainly not going to try to unpack those two judgments and the differences between Mrs Justice Farbey and Mr Justice Mostyn, which are well beyond my competency. I thank the Minister.
My Lords, the UK has rightly moved away from the EU concept of supremacy, under which retained EU law would always take precedence over domestic law when they were in conflict. That is clearly unacceptable now that we have left the EU. However, we understand that the effective functioning of our data protection legislation is of critical importance and it is appropriate for us to specify the appropriate relationship between UK and EU-derived pieces of legislation following implementation of the Retained EU Law (Revocation and Reform) Act, or REUL. That is why I am introducing a number of specific government amendments to ensure that the hierarchy of legislation works in the data protection context. These are Amendments 156 to 164 and 297.
Noble Lords may be aware that Clause 49 originally sought to clarify the relationship between the UK’s data protection legislation, specifically the UK GDPR and EU-derived aspects of the Data Protection Act 2018, and future data processing provisions in other legislation, such as powers to share or duties to disclose personal data, as a result of some legal uncertainty created by the European Union (Withdrawal) Act 2018. To resolve this uncertainty, Clause 49 makes it clear that all new data processing provisions in legislation should be read consistently with the key requirements of the UK data protection legislation unless it is expressly indicated otherwise. Since its introduction, the interpretation of pre-EU exit legislation has been altered and there is a risk that this would produce the wrong effect in respect of the interpretation of existing data processing provisions that are silent about their relationship with the data protection legislation.
Amendment 159 will make it clear that the full removal of the principle of EU law supremacy and the creation of a reverse hierarchy in relation to assimilated direct legislation, as provided for in the REUL Act, do not change the relationship between the UK data protection legislation and existing legislation that is in force prior to commencement of Clause 49(2). Amendment 163 makes a technical amendment to the EU withdrawal Act, as amended, to support this amendment.
Amendment 162 is similar to the previous amendment but it concerns the relationship between provisions relating to certain obligations and rights under data protection legislation and on restrictions and prohibitions on the disclosure of information under other existing legislation. Existing Section 186 of the Data Protection Act 2018 governs this relationship. Amendment 162 makes it clear that the relationship between these two types of provision is not affected by the changes to the interpretation of legislation that I have already referred to made by the REUL Act. Additionally, it clarifies that, in relation to pre-commencement legislation, Section 186(1) may be disapplied expressly or impliedly.
Amendment 164 relates to the changes brought about by the REUL Act and sets out that the provisions detailed in earlier Amendments 159, 162 and 163 are to be treated as having come into force on 1 January 2024—in other words, at the same time as commencement of the relevant provisions of the REUL Act.
Amendment 297 provides a limited power to remove provisions that achieve the same effect as new Section 183A from legislation made or passed after this Bill receives Royal Assent, as their presence could cause confusion.
Finally, Amendments 156 and 157 are consequential. Amendments 158, 160 and 161 are minor drafting changes made for consistency, updating and consequential purposes.
Turning to the amendments introduced by the noble Lord, Lord Clement-Jones, I hope that he can see from the government amendments to Clause 49 that we have given a good deal of thought to the impact of the REUL Act 2023 on the UK’s data protection framework and have been prepared to take action on this where necessary. We have also considered whether some of the changes made by the REUL Act could cause confusion about how the UK GDPR and the Data Protection Act 2018 interrelate. Following careful analysis, we have concluded that they would largely continue to be read alongside each other in the intended way, with the rules of the REUL Act unlikely to interfere with this. Any new general rule such as that suggested by the noble Lord could create confusion and uncertainty.
Amendments 168 to 170, 174, 174A and 174B seek to reverse changes introduced by the REUL Act at the end of 2023, specifically the removal of EU general principles from the statute book. EU general principles and certain EU-derived rights had originally been retained by the European Union (Withdrawal) Act to ensure legal continuity at the end of the transition period, but this was constitutionally novel and inappropriate for the long term.
The Government’s position is that EU law concepts should not be used to interpret domestic legislation in perpetuity. The REUL Act provided a solution to this by repealing EU general principles from UK law and clarifying the approach to be taken domestically. The amendments tabled by the noble Lord, Lord Clement-Jones, would undo this important work by reintroducing to the statute book references to rights and principles which have not been clearly defined and are inappropriate now that we have left the EU.
The protection of personal data already forms part of the protection offered by the European Convention on Human Rights, under the Article 8 right to respect for private and family life, and is further protected by our data protection legislation. The UK GDPR and the Data Protection Act 2018 provide a comprehensive set of rules for organisations to follow and rights for people in relation to the use of their data. Seeking to apply an additional EU right to data protection in UK law would not significantly affect the way the data protection framework functions or enhance the protections it affords to individuals. Indeed, doing so may well add unnecessary uncertainty and complexity.
Amendments 171 to 173 pertain to exemptions to specified data subject rights and obligations on data controllers set out in Schedules 2 to 4 to the DPA 2018. The 36 exemptions apply only in specified circumstances and are subject to various safeguards. Before addressing the amendments the noble Lord has tabled, it is perhaps helpful to set out how these exemptions are used. Personal data must be processed according to the requirements set out in the UK GDPR and the DPA 2018. This includes the key principles of lawfulness, fairness and transparency, data minimisation and purpose limitation, among others. The decision to restrict data subjects’ rights, such as the right to be notified that their personal data is being processed, or limit obligations on the data controller, comes into effect only if and when the decision to apply an exemption is taken. In all cases, the use of the exemption must be both necessary and proportionate.
One of these exemptions, the immigration exemption, was recently amended in line with a court ruling that found it was incompatible with the requirements set out in Article 23. This exemption is used by the Home Office. The purpose of Amendments 171 to 173 is to extend the protections applied to the immigration exemption across the other exemptions subject to Article 23, apart from in Schedule 4, where the requirement to consider whether its application prejudices the relevant purposes is not considered relevant.
The other exemptions are each used in very different circumstances, by different data controllers—from government departments to SMEs—and work by applying different tests that function in a wholly different manner from the immigration exemption. This is important to bear in mind when considering these broad-brush amendments. A one-size-fits-all approach would not work across the exemption regime.
It is the Government’s position that any changes to these important exemptions should be made only after due consideration of the circumstances of that particular exemption. In many cases, these amendments seek to make changes that run counter to how the exemption functions. Making changes across the exemptions via this Bill, as the noble Lord’s amendments propose, has the potential to have significant negative impacts on the functioning of the exemptions regime. Any potential amendments to the other exemptions would require careful consideration. The Government note that there is a power to make changes to the exemptions in the DPA 2018, if deemed necessary.
For the reasons I have given, I look forward to hearing more from the noble Lord on his amendments, but I hope that he will not press them. I beg to move.
My Lords, I thank the Minister for that very careful exposition. I feel that we are heavily into wet towel, if not painkiller, territory here, because this is a tricky area. As the Minister might imagine, I will not respond to his exposition in detail, at this point; I need to run away and get some external advice on the impact of what he said. He is really suggesting that the Government prefer a pick ‘n’ mix approach to what he regards as a one size fits all. I can boil it down to that. He is saying that you cannot just apply the rules, in the sense that we are trying to reverse some of the impacts of the previous legislation. I will set out my stall; no doubt the Minister and I, the Box and others, will read Hansard and draw our own conclusions at the end, because this is a complicated area.
Until the end of 2023, the Data Protection Act 2018 had to be read compatibly with the UK GDPR. In a conflict between the two instruments, the provisions of the UK GDPR would prevail. The reversing of the relationship between the 2018 Act and the UK GDPR, through the operation of the Retained EU Law (Revocation and Reform) Act—REUL, as the Minister described it—has had the effect of lowering data protection rights in the UK. The case of the Open Rights Group and the3million v the Secretary of State for the Home Office and the Secretary of State for Digital, Culture, Media and Sport was decided after the UK had left the EU, but before the end of 2023. The Court of Appeal held that exemptions from data subject rights in an immigration context, as set out in the Data Protection Act, were overly broad, contained insufficient safeguards and were incompatible with the UK GDPR. The court disapplied the exemptions and ordered the Home Office to redraft them to include the required safeguards. We debated the regulations the other day, and many noble Lords welcomed them on the basis that they had been revised for the second time.
This sort of challenge is now not possible, because the relationship between the DPA and the UK GDPR has been turned on its head. If the case were brought now, the overly broad exemptions in the DPA would take precedence over the requirement for safeguards set out in the UK GDPR. These points were raised by me in the debate of 12 December, when the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 were under consideration. In that debate, the noble Baroness, Lady Swinburne, stated that
“we acknowledge the importance of making sure that data processing provisions in wider legislation continue to be read consistently with the data protection principles in the UK GDPR … Replication of the effect of UK GDPR supremacy is a significant decision, and we consider that the use of primary legislation is the more appropriate way to achieve these effects, such as under Clause 49 where the Government consider it appropriate”.—[Official Report, 12/12/23; col. GC 203.]
This debate on Clause 49 therefore offers an opportunity to reinstate the previous relationship between the UK GDPR and the Data Protection Act. The amendment restores the hierarchy, so that it guarantees the same rights to individuals as existed before the end of 2023, and avoids unforeseen consequences by resetting the relationship between the UK GDPR and the DPA 2018 to what the parliamentary draftsmen intended when the Act was written. The provisions in Clause 49, as currently drafted, address the relationship between domestic law and data protection legislation as a whole, but the relationship between the UK GDPR and the DPA is left in its “reversed” state. This is confirmed in the Explanatory Notes to the Bill at paragraph 503.
The purpose of these amendments is to restore data protection rights in the UK to what they were before the end of 2023, prior to the coming into force of REUL. The amendments would restore the fundamental right to the protection of personal data in UK law; ensure that the UK GDPR and the DPA continue to be interpreted in accordance with the fundamental right to the protection of personal data; ensure that there is certainty that assimilated case law that references the fundamental right to the protection of personal data still applies; and apply the protections required in Article 23 of the UK GDPR to all the relevant exemptions in Schedule 2 to the Data Protection Act. This is crucial in avoiding diminishing trust in our data protection frameworks. If people do not trust that their data is protected, they will refuse to share it. Without this data, new technologies cannot be developed, because these technologies rely on personal data. By creating uncertainty and diminishing standards, the Government are undermining the very growth in new technologies that they want.
I thank the noble Lord, Lord Clement-Jones, the noble Baroness, Lady Jones, and my noble friend Lord Kamall for their amendments. To address the elephant in the room first, I can reassure noble Lords that the use of digital identity will not be mandatory, and privacy will remain one of the guiding principles of the Government’s approach to digital identity. There are no plans to introduce a centralised, compulsory digital ID system for public services, and the Government’s position on physical ID cards remains unchanged. The Government are committed to realising the benefits of digital identity technologies without creating ID cards.
I shall speak now to Amendment 177, which would require the rules of the DVS trust framework to be set out in regulations subject to the affirmative resolution procedure. I recognise that this amendment, and others in this group, reflect recommendations from the DPRRC. Obviously, we take that committee very seriously, and we will respond to that report in due course, but ahead of Report.
Part 2 of the Bill will underpin the DVS trust framework, a document of auditable rules, which include technical standards. The trust framework refers to data protection legislation and ICO guidance. It has undergone four years of development, consultation and testing within the digital identity market. Organisations can choose to have their services certified against the trust framework to prove that they provide secure and trustworthy digital verification services. Certification is provided by independent conformity assessment bodies that have been accredited by the UK Accreditation Service. Annual reviews of the trust framework are subject to consultation with the ICO and other appropriate persons.
Requiring the trust framework to be set out in regulations would make it hard to introduce reactive changes. For example, if a new cybersecurity threat emerged which required the rapid deployment of a fix across the industry, the trust framework would need to be updated very quickly. Developments in this fast-growing industry require an agile approach to standards and rule-making. We cannot risk the document becoming outdated and losing credibility with industry. For these reasons, the Government feel that it is more appropriate for the Secretary of State to have the power to set the rules of the trust framework with appropriate consultation, rather than for the power to be exercised by regulations.
I turn to Amendments 178 to 195, which would require the fees that may be charged under this part of the Bill to be set out in regulations subject to the negative resolution procedure. The Government have committed to growing a market of secure and inclusive digital identities as an alternative to physical proofs of identity, for those that choose to use them. Fees will be introduced only once we are confident that doing so will not restrict the growth of this market, but the fee structure, when introduced, is likely to be complex and will need to flex to support growth in an evolving market.
There are built-in safeguards to this fee-charging power. First, there is a strong incentive for the Secretary of State to set fees that are competitive, fair and reasonable, because failing to do so would prevent the Government realising their commitment to grow this market. Secondly, these fee-raising powers have a well-defined purpose and limited scope. Thirdly, the Secretary of State will explain in advance what fees she intends to charge and when she intends to charge them, which will ensure the appropriate level of transparency.
The noble Baroness, Lady Jones, asked about the arrangements for the office for digital identities and attributes. It will not initially be independent, as it will be located within the Department for Science, Innovation and Technology. As we announced in the government response to our 2021 consultation, we intend for this to be an interim arrangement until a suitable long-term home for the governing body can be identified. Delegating the role of Ofdia—as I suppose we will call it—to a third party in the future is subject to parliamentary scrutiny, as provided for by the clauses in the Bill. Initially placing Ofdia inside government will ensure that its oversight role could mature in the most effective way and that it supports the digital identity market in meeting the needs of individual users, relying parties and industry.
Digital verification services are independently certified against the trust framework rules by conformity assessment bodies. Conformity assessment bodies are themselves independently accredited by the UK Accreditation Service to ensure that they have the competence and impartiality to perform certification. The trust framework certification scheme will be accredited by the UK Accreditation Service to give confidence that the scheme can be efficiently and competently used to certify products, processes and services. All schemes will need to meet internationally agreed standards set out by the UK Accreditation Service. Ofdia, as the owner of the main code, will work with UKAS to ensure that schemes are robust, capable of certification and operated in line with the trust framework.
Amendment 184A proposes to exclude certified public bodies from registering to provide digital verification services. The term “public bodies” could include a wide range of public sector entities, including institutions such as universities, that receive any public funding. The Government take the view that this exclusion would be unnecessarily restrictive in the UK’s nascent digital identity market.
Amendment 195ZA seeks to mandate organisations to implement a non-digital form of verification in every instance where a digital method is required. The Bill enables the use of secure and inclusive digital identities across the economy. It does not force businesses or individuals to use them, nor does it insist that businesses which currently accept non-digital methods of verification must transition to digital methods. As Clause 52 makes clear, digital verification services are services that are provided at the request of the individual. The purpose of the Bill is to ensure that, when people want to use a digital verification service, they know which of the available products and services they can trust.
Some organisations operate only in the digital sphere, such as online-only banks and energy companies. To oblige such organisations to offer manual document checking would place obligations on them that would go beyond the Government’s commitment to do only what is necessary to enable the digital identity market to grow. In so far as this amendment would apply to public authorities, the Equality Act requires those organisations to consider how their services will affect people with protected characteristics, including those who, for various reasons, might not be able or might choose not to use a digital identity product.
Is the Minister saying that, as a result of the Equality Act, there is an absolute right to that analogue—if you like—form of identification if, for instance, someone does not have access to digital services?
On this point, the argument that the Government are making is that, where consumers want to use a digital verification service, all the Bill does is to provide a mechanism for those DVSs to be certified and assured to be safe. It does not seek to require anything beyond that, other than creating a list of safe DVSs.
The Equality Act applies to the public sector space, where it needs to be followed to ensure that there is an absolute right to inclusive access to digital technologies.
My Lords, in essence, the Minister is admitting that there is a gap when somebody who does not have access to digital services needs an identity to deal with the private sector. Is that right?
In the example I gave, I was not willing to use a digital system to provide a guarantee for my son’s accommodation in the private sector. I understand that that would not be protected and that, therefore, someone might not be able to rent a flat, for example, because they cannot provide physical ID.
The Bill does not change the requirements in this sense. If any organisation chooses to provide its services on a digital basis only, that is up to that organisation, and it is up to consumers whether they choose to use it. It makes no changes to the requirements in that space.
I will now speak to the amendment that seeks to remove Clause 80. Clause 80 enables the Secretary of State to ask accredited conformity assessment bodies and registered DVS providers to provide information which is reasonably required to carry out her functions under Part 2 of the Bill. The Bill sets out a clear process that the Secretary of State must follow when requesting this information, as well as explicit safeguards for her use of the power. These safeguards will ensure that DVS providers and conformity assessment bodies have to provide only information necessary for the functioning of this part of the Bill.
My Lords, the clause stand part amendment was clearly probing. Does the Minister have anything to say about the relationship with OneLogin? Is he saying that it is only information about systems, not individuals, which does not feed into the OneLogin identity system that the Government are setting up?
It is very important that the OneLogin system is entirely separate and not considered a DVS. We considered whether it should be, but the view was that that comes close to mandating a digital identity system, which we absolutely want to avoid. Hence the two are treated entirely differently.
That is a good reassurance, but if the Minister wants to unpack that further by correspondence, I would be very happy to have that.
I am very happy to do so.
I turn finally to Amendments 289 and 300, which aim to introduce a criminal offence of digital identity theft. The Government are committed to tackling fraud and are confident that criminal offences already exist to cover the behaviour targeted by these amendments. Under the Fraud Act 2006, it is a criminal offence to make a gain from the use of another person’s identity or to cause or risk a loss by such use. Where accounts or databases are hacked into, the Computer Misuse Act 1990 criminalises the unauthorised access to a computer programme or data held on a computer.
Furthermore, the trust framework contains rules, standards and good practice requirements for fraud monitoring and responding to fraud. These rules will further defend systems and reduce opportunities for digital identity theft.
My Lords, I am sorry, but this is a broad-ranging set of amendments, so I need to intervene on this one as well. When the Minister does his will-write letter in response to today’s proceedings, could he tell us what guidance there is to the police on this? Because when the individual, Mr Arron, approached the police, they said, “Oh, sorry, there’s nothing we can do; identity theft is not a criminal offence”. The Minister seems to be saying, “No, it is fine; it is all encompassed within these provisions”. While he may be saying that, and I am sure he will be shouting it from the rooftops in the future, the question is whether the police have guidance; does the College of Policing have guidance and does the Home Office have guidance? The ordinary individual needs to know that it is exactly as the Minister says, and identity theft is covered by these other criminal offences. There is no point in having those offences if nobody knows about them.
That is absolutely fair enough: I will of course write. Sadly, we are not joined today by ministerial colleagues from the Home Office, who have some other Bill going on.
I have no doubt that its contribution to the letter will be equally enjoyable. However, for all the reasons I set out above, I am not able to accept these amendments and respectfully encourage the noble Baroness and noble Lords not to press them.
Yes. I would be happy to provide a list of the people we have spoken to about adequacy; it may be a long one. That concludes the remarks I wanted to make, I think.
Perhaps the Minister could just tweak that a bit by listing not just the people who have made positive noises but those who have their doubts.
I apologise if I have misunderstood. It sounds like it would be a unit within the ICO responsible for that matter. Let me take that away if I have misunderstood—I understood it to be a separate organisation altogether.
The Government deem Amendment 238 unnecessary, as using biometric data to categorise or make inferences about people, whether using algorithms or otherwise, is already subject to the general data protection principles and the high data protection standards of the UK’s data protection framework as personal data. In line with ICO guidance, where the processing of biometric data is intended to make an inference linked to one of the special categories of data—for example, race or ethnic origin—or the biometric data is processed for the intention of treating someone differently on the basis of inferred information linked to one of the special categories of data, organisations should treat this as special category data. These protections ensure that this data, which is not used for identification purposes, is sufficiently protected.
Similarly, Amendment 286 intends to widen the scope of the Forensic Information Databases Service—FINDS—strategy board beyond oversight of biometrics databases for the purpose of identification to include “classification” purposes as well. The FINDS strategy board currently provides oversight of the national DNA database and the national fingerprint database. The Bill puts oversight of the fingerprint database on the same statutory footing as that of the DNA database and provides the flexibility to add oversight of new biometric databases, where appropriate, to provide more consistent oversight in future. The delegated power could be used in the medium term to expand the scope of the board to include a national custody image database, but no decisions have yet been taken. Of course, this will be kept under review, and other biometric databases could be added to the board’s remit in future should these be created and should this be appropriate. For the reasons I have set out, I hope that the noble Baroness, Lady Jones of Whitchurch, will therefore agree not to move Amendments 238 and 286.
Responses to the data reform public consultation in 2021 supported the simplification of the complex oversight framework for police use of biometrics and surveillance cameras. Clauses 147 and 148 of the Bill reflect that by abolishing the Biometrics and Surveillance Camera Commissioner’s roles while transferring the commissioner’s casework functions to the Investigatory Powers Commissioner’s Office.
Noble Lords referred to the CRISP report, which was commissioned by Fraser Sampson—the previous commissioner—and directly contradicts the outcome of the public consultation on data reform in 2021, including on the simplification of the oversight of biometrics and surveillance cameras. The Government took account of all the responses, including from the former commissioner, in developing the policies set out in the DPDI Bill.
There will not be a gap in the oversight of surveillance as it will remain within the statutory regulatory remit of other organisations, such as the Information Commissioner’s Office, the Equality and Human Rights Commission, the Forensic Science Regulator and the Forensic Information Databases Service strategy board.
One of the crucial aspects has been the reporting of the Biometrics and Surveillance Camera Commissioner. Where is there going to be and who is going to have a comprehensive report relating to the use of surveillance cameras and the biometric data contained within them? Why have the Government decided that they are going to separate out the oversight of biometrics from, in essence, the surveillance aspects? Are not the two irretrievably brought together by things such as live facial recognition?
Yes. There are indeed a number of different elements of surveillance camera oversight; those are reflected in the range of different bodies doing that. As to the mechanics of the production of the report, I am afraid that I do not know the answer.
Does the Minister accept that the police are one of the key agencies that will be using surveillance cameras? He now seems to be saying, “No, it’s fine. We don’t have one single oversight body; we had four at the last count”. He probably has more to say on this subject but is that not highly confusing for the police when they have so many different bodies that they need to look at in terms of oversight? Is it any wonder that people think the Bill is watering down the oversight of surveillance camera use?
No. I was saying that there was extensive consultation, including with the police, and that that has resulted in these new arrangements. As to the actual mechanics of the production of an overall report, I am afraid that I do not know but I will find out and advise noble Lords.
His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services also inspects, monitors and reports on the efficiency and effectiveness of the police, including their use of surveillance cameras. All of these bodies have statutory powers to take the necessary action when required. The ICO will continue to regulate all organisations’ use of these technologies, including being able to take action against those not complying with data protection law, and a wide range of other bodies will continue to operate in this space.
On the first point made by the noble Lord, Lord Vaux, where any of the privacy concerns he raises concern information that relates to an identified or identifiable living individual, I can assure him that this information is covered by the UK’s data protection regime. This also includes another issue raised by the noble Lord—where the ANPR captures a number-plate that can be linked to an identifiable living individual—as this would be the processing of personal data and thus governed by the UK’s data protection regime and regulated by the ICO.
For the reasons I have set out, I maintain that these clauses should stand part of the Bill. I therefore hope that the noble Lord, Lord Clement-Jones, will withdraw his stand part notices on Clauses 147 and 148.
Clause 149 does not affect the office of the Biometrics and Surveillance Camera Commissioner, which the noble Lord seeks to maintain through his amendment. The clause’s purpose is to update the name of the national DNA database board and update its scope to include the national fingerprint database within its remit. It will allow the board to produce codes of practice and introduce a new delegated power to add or remove biometric databases from its remit in future via the affirmative procedure. I therefore maintain that this clause should stand part of the Bill and hope that the noble Lord will withdraw his stand part notice.
Clauses 147 and 148 will improve consistency in the guidance and oversight of biometrics and surveillance cameras by simplifying the framework. This follows public consultation, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication. The Government feel that a review, as proposed, so quickly after the Bill is enacted is unnecessary. It is for these reasons that I cannot accept Amendment 292 in the name of the noble Lord, Lord Clement-Jones.
I turn now to the amendments tabled by the noble Lord, Lord Clement-Jones, which seek to remove Clauses 130 to 132. These clauses make changes to the Counter-Terrorism Act 2008, which provides the retention regime for biometric data held on national security grounds. The changes have been made only following a formal request from Counter Terrorism Policing to the Home Office. The exploitation of biometric material, including from international partners, is a valuable tool in maintaining the UK’s national security, particularly for ensuring that there is effective tripwire coverage at the UK border. For example, where a foreign national applies for a visa to enter the UK, or enters the UK via a small boat, their biometrics can be checked against Counter Terrorism Policing’s holdings and appropriate action to mitigate risk can be taken, if needed.
(8 months, 1 week ago)
Grand Committee
I welcome the Committee back after what I hope was a good Easter break for everybody. I thank all those noble Lords who, as ever, have spoken so powerfully in this debate.
I turn to Amendments 111 to 116 and 130. I thank noble Lords for their proposed amendments relating both to Schedule 5, which reforms the UK’s general processing regime for transferring personal data internationally and consolidates the relevant provisions in Chapter 5 of the UK GDPR, and to Schedule 7, which introduces consequential and transitional provisions associated with the reforms.
Amendment 111 seeks to revert to the current list of factors under the UK GDPR that the Secretary of State must consider when making data bridges. With respect, this more detailed list is not necessary as the Secretary of State must be satisfied that the standard of protection in the other country, viewed as a whole, is not materially lower than the standard of protection in the UK. Our new list of key factors is non-exhaustive. The UK courts will continue to be entitled to have regard to CJEU judgments if they choose to do so; ultimately, it will be for them to decide how much regard to have to any CJEU judgment on a similar matter.
I completely understand the strength of noble Lords’ concerns about ensuring that our EU adequacy decisions are maintained. This is also a priority for the UK Government, as I and my fellow Ministers have repeatedly made clear in public and on the Floor of the House. The UK is firmly committed to maintaining high data protection standards, now and in future. Protecting the privacy of individuals will continue to be a national priority. We will continue to operate a high-quality regime that promotes growth and innovation and underpins the trustworthy use of data.
Our reforms are underpinned by this commitment. We believe they are compatible with maintaining our data adequacy decisions from the EU. We have maintained a positive, ongoing dialogue with the EU to make sure that our reforms are understood. We will continue to engage with the European Commission at official and ministerial levels with a view to ensuring that our respective arrangements for the free flow of personal data can remain in place, which is in the best interests of both the UK and the EU.
We understand that Amendments 112 to 114 relate to representations made by the National AIDS Trust concerning the level of protection for special category data such as health data. We agree that the protection of people’s HIV status is vital. It is right that this is subject to extra protection, as is the case for all health data and special category data. As I have said before this Committee previously, we have met the National AIDS Trust to discuss the best solutions to the problems it has raised. As such, I hope that the noble Lord, Lord Clement-Jones, will agree not to press these amendments.
Can the Minister just recap? He said that he met the trust then swiftly moved on without saying what solution he is proposing. Would he like to repeat that, or at least lift the veil slightly?
The point I was making was only that we have met with it and will continue to do so in order to identify the best possible way to keep that critical data safe.
The Minister is not suggesting a solution at the moment. Is it in the “too difficult” box?
I doubt that it will be too difficult, but identifying and implementing the correct solution is the goal that we are pursuing, alongside our colleagues at the National AIDS Trust.
I am sorry to keep interrogating the Minister, but that is quite an admission. The Minister says that there is a real problem, which is under discussion with the National AIDS Trust. At the moment the Government are proposing a significant amendment to both the GDPR and the DPA, and in this Committee they are not able to say that they have any kind of solution to the problem that has been identified. That is quite something.
I am not sure I accept that it is “quite something”, in the noble Lord’s words. As and when the appropriate solution emerges, we will bring it forward—no doubt between Committee and Report.
On Amendment 115, we share the noble Lords’ feelings on the importance of redress for data subjects. That is why the Secretary of State must already consider the arrangements for redress for data subjects when making a data bridge. There is already an obligation for the Secretary of State to consult the ICO on these regulations. Similarly, when considering whether the data protection test is met before making a transfer subject to appropriate safeguards using Article 46, the Government expect that data exporters will also give consideration to relevant enforceable data subject rights and effective legal remedies for data subjects.
Our rules mean that companies that transfer UK personal data must uphold the high data protection standards we expect in this country. Otherwise, they face action from the ICO, which has powers to conduct investigations, issue fines and compel companies to take corrective action if they fail to comply. We will continue to monitor and mitigate a wide range of data security risks, regardless of provenance. If there is evidence of threats to our data, we will not hesitate to take the necessary action to protect our national security.
My Lords, we heard from the two noble Lords some concrete examples of where those data breaches are already occurring, and it does not appear to me that appropriate action has been taken. There seems to be a mismatch between what the Minister is saying about the processes and the day-to-day reality of what is happening now. That is our concern, and it is not clear how the Government are going to address it.
As I said, a number of important points were raised there. First, I would not categorise the changes to Article 45 as watering down—they are intended to better focus the work of the ICO. Secondly, the important points raised with respect to Amendment 115 are points primarily relating to enforcement, and I will write to noble Lords setting out examples of where that enforcement has happened. I stress that the ICO is, as noble Lords have mentioned, an independent regulator that conducts the enforcement of this itself. What was described—I cannot judge for sure—certainly sounded like completely illegal infringements on the data privacy of those subjects. I am happy to look further into that and to write to noble Lords.
Amendment 116 seeks to remove a power allowing the Secretary of State to make regulations recognising additional transfer mechanisms. This power is necessary for the Government to react quickly to global trends and to ensure that UK businesses trading internationally are not held back. Furthermore, before using this power, the Secretary of State must be satisfied that the transfer mechanism is capable of meeting the new Article 46 data protection test. They are also required to consult with the Information Commissioner and such other persons felt appropriate. The affirmative resolution procedure will also ensure appropriate parliamentary scrutiny.
I reiterate that the UK Government’s assessment of the reforms in the Bill is that they are compatible with maintaining adequacy. We have been proactively engaging with the European Commission since the start of the Bill’s consultation process to ensure that it understands our reforms and that we have a positive, constructive relationship. Noble Lords will appreciate that it is important that officials have the ability to conduct candid discussions during the policy-making process. However, I would like to reassure noble Lords once again that the UK Government take the matter of retaining our adequacy decisions very seriously.
Finally, Amendment 130 pertains to EU exit transitional provisions in Schedule 21 to the Data Protection Act 2018, which provide that certain countries are currently deemed as adequate. These countries include the EU and EEA member states and those countries that the EU had found adequate at the time of the UK’s exit from the EU. Such countries are, and will continue to be, subject to ongoing monitoring. As is the case now, if the Secretary of State becomes aware of developments such as changes to legislation or specific practices that negatively impact data protection standards, the UK Government will engage with the relevant authorities and, where necessary, amend or revoke data bridge arrangements.
For these reasons, I hope noble Lords will not press their amendments.
My Lords, I thank the Minister for his response, but I am still absolutely baffled as to why the Government are doing what they are doing on Article 45. The Minister has not given any particular rationale. He has given a bit of a rationale for resisting the amendments, many of which try to make sure that Article 45 is fully effective, that these international transfers are properly scrutinised and that we remain data adequate.
By the way, I thought the noble Lord, Lord Kirkhope, made a splendid entry into our debate, so I hope that he stays on for a number of further amendments—what a début.
The only point on which I disagreed with the noble Lord, Lord Bethell—as the noble Baroness, Lady Jones, said—was when he said that this is a terrific Bill. It is a terrifying Bill, not a terrific one, as we have debated. There are so many worrying aspects—for example, that there is no solution yet for sensitive special category data and the whole issue of these contractual clauses. The Government seem almost to be saying that it is up to the companies to assess all this and whether a country in which they are doing business is data adequate. That cannot be right. They seem to be abrogating their responsibility for no good reason. What is the motive? Is it because they are so enthusiastic about transfer of data to other countries for business purposes that they are ignoring the rights of data subjects?
The Minister resisted describing this as watering down. Why get rid of the list of considerations that the Secretary of State needs to have so that they are just in the mix as something that may or may not be taken into consideration? In the existing article they are specified. It is quite a long list and the Government have chopped it back. What is the motive for that? It looks like data subjects’ rights are being curtailed. We were baffled by previous elements that the Government have introduced into the Bill, but this is probably the most baffling of all because of the real importance of this—its national security implications and the existing examples, such as Yandex, that we heard about from the noble Lord, Lord Kirkhope.
Of course we understand that there are nuances and that there is a difference between adequacy and equivalence. We have to be pragmatic sometimes, but the question of whether these countries having data transferred to them are adequate must be based on principle. This seems to me a prime candidate for Report. I am sure we will come back to it, but in the meantime I beg leave to withdraw.
I am very happy to try to find a way forward on this. Let me think about how best to take this forward.
My Lords, I thank the Minister for his response and, in particular, for that exchange. There is a bit of a contrast here—the mood of the Committee is probably to go with the grain of these clauses and to see whether they can be improved, rather than throw out the idea of an information commission and revert to the ICO on the basis that perhaps the information commission is a more logical way of setting up a regulator. I am not sure that I personally agree, but I understand the reservations of the noble Baroness, Lady Jones, and I welcome her support on the aspect of the Secretary of State power.
We keep being reassured by the Minister, in all sorts of different ways. I am sure that the spirit is willing, but whether it is all in black and white is the big question. Where are the real safeguards? The proposals in this group from the noble Baroness, Lady Kidron, to which she has spoken so well, along with the noble Baroness, Lady Harding, are very modest, to use the phrase from the noble Baroness, Lady Kidron. I hope those discussions will take place because they fit entirely with the architecture of the Bill, which the Government have set out, and it would be a huge reassurance to those who believe that the Bill is watering down data subject rights and is not strengthening children’s rights.
I am less reassured by other aspects of what the Minister had to say, particularly about the Secretary of State’s powers in relation to the codes. As the noble Baroness, Lady Kidron, said, we had a lot of discussion about that in relation to the Ofcom codes, under the Online Safety Bill, and I do not think we got very far on that either. Nevertheless, there is disquiet about whether the Secretary of State should have those powers. The Minister said that the ICO is not required to act in accordance with the advice of the Secretary of State so perhaps the Minister has provided a chink of light. In the meantime, I beg leave to withdraw the amendment.
(9 months ago)
Grand Committee
I am processing what the Minister has just said. He said it complements the AI regulation framework, and then he went on to talk about the central risk function, the AI risk register and what the ICO is up to in terms of guidance, but I did not hear that the loosening of safeguards or rights under Clause 14 and Article 22 of the GDPR was heralded in the White Paper or the consultation. Where does that fit with the Government’s AI regulation strategy? There is a disjunct somewhere.
I reject the characterisation of Clause 14 or any part of the Bill as loosening the safeguards. It focuses on the outcomes and by being less prescriptive and more adaptive, its goal is to heighten the levels of safety of AI, whether through privacy or anything else. That is the purpose.
On Secretary of State powers in relation to ADM, the reforms will enable the Government to further describe what is and is not to be taken as a significant effect on a data subject and what is and is not to be taken as meaningful human—
I am sorry, but I just do not accept that intervention. This is one of the most important clauses in the whole Bill and we have to spend quite a bit of time teasing it out. The Minister has just electrified us all in what he said about the nature of this clause, what the Government are trying to achieve and how it fits within their strategy, which is even more concerning than previously. I am very sorry, but I really do not believe that this is the right point for the Whip to intervene. I have been in this House for 25 years and have never seen an intervention of that kind.
Let me make the broad point that there is no single list of outcomes for the whole Bill but, as we go through clause by clause, I hope the philosophy behind it, of being less prescriptive about process and more prescriptive about the results of the process that we desire, should emerge—not just on Clause 14 but as the overall philosophy underlying the Bill. Regulation-making powers can also be used to vary the existing safeguards, add additional safeguards and remove additional safeguards added at a later date.
On the point about having regard, it is important that the law is drafted in a way that allows it to adapt as technology advances. Including prescriptive requirements in the legislation reduces this flexibility and undermines the purpose of this clause and these powers to provide additional legal clarity when it is deemed necessary and appropriate in the light of the fast-moving advances in and adoption of technologies relevant to automated decision-making. I would like to reassure noble Lords that the powers can be used only to vary the existing safeguards, add additional ones and remove them. They cannot remove any of the safeguards written into the legislation.
Amendments 53 to 55 and 69 to 71 concern the Secretary of State powers relating to the terms “significant decisions” and “meaningful human involvement”. These powers enable the Secretary of State to provide a description of decisions that do or do not have a significant effect on data subjects, and describe cases that can be taken to have, or not to have, meaningful human involvement. As technology adoption grows and new technologies emerge, these powers will enable the Government to provide legal clarity, if and when deemed necessary, to ensure that people are protected and have access to safeguards when they matter most. In respect of Amendment 59A, Clause 50 already provides for an overarching requirement for the Secretary of State to consult the ICO and other persons the Secretary of State considers appropriate before making regulations under the UK GDPR, including for the measures within Article 22.
Also, as has been observed—I take the point about the limitations of this, but I would like to make the point anyway—any changes to the regulations are subject to the affirmative procedure and so must be approved by both Houses. As with other provisions of the Bill, the ICO will seek to provide organisations with timely guidance and support to assist them in interpreting and applying the legislation. As such, I would ask the noble Lord, Lord Clement-Jones, and my noble friend Lord Holmes—were he here—not to press their amendments.
Amendment 57 in the name of the noble Baroness, Lady Kidron, seeks to ensure that, when exercising regulation-making powers in relation to the safeguards in Article 22 of the UK GDPR, the Secretary of State should uphold the level of protection that children are entitled to in the Data Protection Act 2018. As I have said before, Clause 50 requires the Secretary of State to consult the ICO and other persons he or she considers appropriate. The digital landscape and its technologies evolve rapidly, presenting new challenges in safeguarding children. Regular consultations with the ICO and stakeholders ensure that regulations remain relevant and responsive to emerging risks associated with solely automated decision-making. The ICO has a robust position on the protection of children, as evidenced through its guidance and, in particular, the age-appropriate design code. As such, I ask the noble Baroness not to press her amendment.
Amendments 58, 72 and 73 seek to prevent the Secretary of State varying any of the safeguards mentioned in the reformed clauses. As I assured noble Lords earlier, the powers in this provision can be used only to vary the existing safeguards, add additional safeguards and remove additional safeguards added by regulation in future; there is not a power to remove any of the safeguards.
I feel under amazing pressure to get the names right, especially given the number of hours we spend together.
I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for tabling Amendments 74 to 78, 144 and 252 in this group. I also extend my thanks to noble Lords who have signed the amendments and spoken so eloquently in this debate.
Amendments 74 to 78 would place a legislative obligation on public authorities and all persons in the exercise of a public function to publish reports under the Algorithmic Transparency Recording Standard—ATRS—or to publish algorithmic impact assessments. These would provide information on algorithmic tools and algorithm-assisted decisions that process personal data in the exercise of a public function or those that have a direct or indirect public effect or directly interact with the general public. I remind noble Lords that the UK’s data protection laws will continue to apply throughout the processing of personal data.
The Government are already taking action to establish the necessary guard-rails for AI, including to promote transparency. In the AI regulation White Paper response, we announced that the use of the ATRS will now become a requirement for all government departments and the broader public sector. The Government are phasing this in as we speak and will check compliance accordingly, as DSIT has been in contact with every department on this issue.
In making this policy, the Government are taking an approach that provides increasing degrees of mandation of the ATRS, with appropriate exemptions, allowing them to monitor compliance and effectiveness. The announcement in the White Paper response has already led to more engagement from across government, and more records are under way. The existing process focuses on the importance of continuous improvement and development. Enshrining the standard into law prematurely, amid exponential technological change, could hinder its adaptability.
More broadly, our AI White Paper outlined a proportionate and adaptable framework for regulating AI. As part of that, we expect AI development and use to be fair, transparent and secure. We set out five key principles for UK regulators to interpret and apply within their remits. This approach reflects the fact that AI systems are not unregulated and need to be compliant with existing regulatory frameworks, including employment, human rights, health and safety and data protection law.
For instance, the UK’s data protection legislation imposes obligations on data controllers, including providers and users of AI systems, to process personal data fairly, lawfully and transparently. Our reforms in this Bill will ensure that, where solely automated decision-making is undertaken—that is, ADM without any meaningful human involvement that has significant effects on data subjects—data subjects will have a right to the relevant safeguards. These safeguards include being provided with information on the ADM that has been carried out and the right to contest those decisions and seek human review, enabling controllers to take suitable measures to correct those that have produced wrongful outcomes.
My Lords, I wonder whether the Minister can comment on this; he can write if he needs to. Is he saying that, in effect, the ATRS is giving the citizen greater rights than are ordinarily available under Article 22? Is that the actual outcome? If, for instance, every government department adopted ATRS, would that, in practice, give citizens a greater degree of what he might put as safeguards but, in this context, he is describing as rights?
I am very happy to write to the noble Lord, but I do not believe that the existence of an ATRS-generated report in and of itself confers more rights on anybody. Rather, it makes it easier for citizens to understand how their rights are being used, what rights they have, or what data about them is being used by the department concerned. The existence of data does not in and of itself confer new rights on anybody.
I understand that, but if he rewinds the reel he will find that he was talking about the citizen’s right of access, or something of that sort, at that point. Once you know what data is being used, the citizen has certain rights. I do not know whether that follows from the ATRS or he was just describing that at large.
As I said, I will write. I do not believe that follows axiomatically from the ATRS’s existence.
On Amendment 144, the Government are sympathetic to the idea that the ICO should respond to new and emerging technologies, including the use of children’s data in the development of AI. I assure noble Lords that this area will continue to be a focus of the ICO’s work and that it already has extensive powers to provide additional guidance or make updates to the age-appropriate design code, to ensure that it reflects new developments, and a responsibility to keep it up to date. The ICO has a public task under Article 57(1)(b) of the UK GDPR to
“promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing”.
It is already explicit that:
“Activities addressed specifically to children shall receive specific attention”.
That code already includes a chapter on profiling and provides guidance on fairness and transparency requirements around automated decision-making.
Taking the specific point made by the noble Baroness, Lady Kidron, on the contents of the ICO’s guidance, while I cannot speak to the ICO’s decisions about the drafting of its guidance, I am content to undertake to speak to it about this issue. I note that it is important to be careful to avoid a requirement for the ICO to duplicate work. The creation of an additional children’s code focused on AI could risk fragmenting approaches to children’s protections in the existing AADC—a point made by the noble Baroness and by my noble friend Lady Harding.
We have some numbers that I will come to, but I am very happy to share deeper analysis of that with all noble Lords.
There is also free access to this data for developers to innovate in the market. The Government also make this data available for free at the point of use to more than 6,000 public sector organisations, as well as postcode, unique identifier and location data available under open terms. The Government explored opening address data in 2016. At that time, it became clear that the Government would have to pay to make this data available openly or to recreate it. That was previously attempted, and the resulting dataset had, I am afraid, critical quality issues. As such, it was determined at that time that the changes would result in significant additional cost to taxpayers and represent low value for money, given the current widespread accessibility of the data. For the reasons I have set out, I hope that the noble Lords will withdraw their amendments.
My Lords, I thank the Minister for his response. There are a number of different elements to this group.
The one bright spot in the White Paper consultation is the ATRS. That was what the initial amendments in this group were designed to give a fair wind to. As the noble Lord, Lord Bassam, said, this is designed to assist in the adoption of the ATRS, and I am grateful for his support on that.
I thank the noble Baronesses, Lady Kidron and Lady Jones, and the noble Lord, Lord Clement-Jones, for their amendments, and I look forward to receiving the letter from the noble Baroness, Lady Kidron, which I will respond to as quickly as I can. As everybody observed, this is a huge group, and it has been very difficult for everybody to do justice to all the points. I shall do my best, but these are points that go to the heart of the changes we are making. I am very happy to continue engaging on that basis, because we need plenty of time to review them—but, that said, off we go.
The changes the Government are making to the accountability obligations are intended to make the law clearer and less prescriptive. They will enable organisations to focus on areas that pose high risks to people resulting, the Government believe, in improved outcomes. The new provisions on assessments of high-risk processing are less prescriptive about the precise circumstances in which a risk assessment would be required, as we think organisations are best placed to judge whether a particular activity poses a high risk to individuals in the context of the situation.
However, the Government are still committed to high standards of data protection, and there are many similarities between our new risk assessment measures and the previous provisions. When an organisation is carrying out processing activities that are likely to pose a high risk to individuals, it will still be expected to document that processing, assess risks and identify mitigations. As before, no such document would be required where organisations are carrying out low-risk processing activities.
One of the main aims of the Bill is to remove some of the UK GDPR’s unnecessary compliance burdens. That is why organisations will be required to designate senior responsible individuals, keep records of processing and carry out the risk assessments above only when their activities pose high risks to individuals.
The noble Viscount is very interestingly unpacking a risk-based approach to data protection under the Bill. Why are the Government not taking a risk-based approach to their AI regulation? After all, the AI Act approaches it in exactly that way.
I will briefly address it now. Based on that letter, the Government’s view is to avoid prescription and I believe that the ICO’s view—I cannot speak for it—is generally the same, except for a few examples where prescription needs to be specified in the Bill. I will continue to engage with the ICO on where exactly to draw that line.
My Lords, I can see that there is a difference of opinion, but it is unusual for a regulator to go into print with it. Not only that, but he has set it all out in an annexe. What discussion is taking place directly between the Minister and his team and the ICO? There seems to be quite a gulf between them. This is number 1 among his “areas of ongoing concern”.
I do not know whether it is usual or unusual for the regulator to engage in this way, but the Bill team engages with the Information Commissioner frequently and regularly, and, needless to say, it will continue to do so on this and other matters.
Children need particular protection when organisations are collecting and processing their personal data, because they may be less aware of the risks involved. If organisations process children’s personal data, they should think about the need to protect them from the outset and design their systems and processes with this in mind.
Before I turn to the substance of what the Bill does with the provisions on high-risk processing, I will deal with the first amendment in this group: Amendment 79. It would require data processors to consider data protection-by-design requirements in the same way that data controllers do, because there is a concern that controllers may not always be able to foresee what processors do with people’s data for services such as AI and cloud computing.
However, under the current legislation, it should not be for the processor to determine the nature or purposes of the processing activity, as it will enter a binding controller-processor agreement or contract to deliver a specific task. Processors also have specific duties under the UK GDPR to keep personal data safe and secure, which should mean that this amendment is not necessary.
I turn to the Clause 16 stand part notice, which seeks to remove Clause 16 from the Bill and reinstate Article 27, and Amendment 80, which seeks to do the same but just in respect of overseas data controllers, not processors. I assure the noble Lord, Lord Clement-Jones, that, even without the Article 27 representative requirement, controllers and processors will still have to maintain contact and co-operation with UK data subjects and the ICO to comply with the UK GDPR provisions. These include Articles 12 to 14, which, taken together, require controllers to provide their contact details in a concise, transparent, intelligible and easily accessible form, using clear and plain language, particularly for any information addressed specifically to a child.
By offering firms a choice on whether to appoint a representative in the UK to help them with UK GDPR compliance and no longer mandating organisations to appoint a representative, we are allowing organisations to decide for themselves the best way to comply with the existing requirements for effective communication and co-operation. Removing the representative requirement will also reduce unnecessary burdens on non-UK controllers and processors while maintaining data subjects’ safeguards and rights. Any costs associated with appointing a representative are a burden on and a barrier to trade. Although the variety of packages made available by representative provider organisations differ, our assessments show that the cost of appointing representatives increases with the size of a firm. Furthermore, there are several jurisdictions that do not have a mandatory or equivalent representative requirement in their data protection law, including other countries in receipt of EU data adequacy decisions.
Nevertheless, does the Minister accept that quite a lot of countries have now begun the process of requiring representatives to be appointed? How does he account for that? Does he accept that what the Government are doing is placing the interests of business over those of data subjects in this context?
No, I do not accept that at all. I would suggest that we are saying to businesses, “You must provide access to the ICO and data subjects in a way that is usable by all parties, but you must do so in the manner that makes the most sense to you”. That is a good example of going after outcomes but not insisting on any particular process or methodology in a one-size-fits-all way.
Yes—if the person they were supposed to communicate with did not speak English or was not available during reasonable hours, that would be in violation of the requirement.
I apologise if we briefly revisit some of our earlier discussion here, but Amendment 81 would reintroduce a list of high-risk processing activities drawn from Article 35 of the UK GDPR, with a view to helping data controllers comply with the new requirements around designating a senior responsible individual.
The Government have consulted closely with the ICO throughout the development of all the provisions in the Bill, and we welcome its feedback as it upholds data subjects’ rights. We recognise and respect that the ICO’s view on this issue is different to the Government’s, but the Government feel that adding a prescriptive list to the legislation would not be appropriate for the reasons we have discussed. However, as I say, we will continue to engage with it over the course of the passage of the Bill.
Some of the language in Article 35 of the UK GDPR is unclear and confusing, which is partly why we removed it in the first place. We believe organisations should have the ability to make a judgment of risk based on the specific nature, scale and context of their own processing activities. We do not need to provide prescriptive examples of high-risk processing on the face of legislation because any list could quickly become out of date. Instead, to help data controllers, Clause 20 requires the ICO to produce a document with examples of what the commissioner considers to be high-risk processing activities.
I turn to Clause 17 and Amendment 82. The changes we are making in the Bill will reduce prescription by removing the requirement to appoint a data protection officer in certain circumstances. Instead, public bodies and other organisations carrying out high-risk processing activities will have to designate a senior responsible individual to ensure that data protection risks are managed effectively within their organisations. That person will have flexibility about how they manage data protection risks. They might decide to delegate tasks to independent data protection experts or upskill existing staff members, but they will not be forced to appoint data protection officers if suitable alternatives are available.
The primary rationale for moving to a senior responsible individual model is to embed data protection at the heart of an organisation by ensuring that someone in senior management takes responsibility and accountability for it if the organisation is a public body or is carrying out high-risk processing. If organisations have already appointed data protection officers and want to keep an independent expert to advise them, they will be free to do so, providing that they also designate a senior manager to take overall accountability and provide sufficient support, including resources.
Amendment 83, tabled by the noble Baroness, Lady Kidron, would require the senior responsible individual to specifically consider the risks to children when advising the controller on its responsibilities. As drafted, Clause 17 of the Bill requires the senior responsible individual to perform a number of tasks or, if they cannot do so themselves, to make sure that they are performed by another person. They include monitoring the controller’s compliance with the legislation, advising the controller of its obligations and organising relevant training for employees who carry out the processing of personal data. Where the organisation is processing children’s data, all these requirements will be relevant. The senior responsible individual will need to make sure that any guidance and training reflects the type of data being processed and any specific obligations the controller has in respect of that data. I hope that this goes some way to convincing the noble Baroness not to press her amendment.
The Minister has not really explained the reason for the switch from the DPO to the new system. Is it another one of his “We don’t want a one-size-fits-all approach” arguments? What is the underlying rationale for it? Looking at compliance costs, which the Government seem to be very keen on, we will potentially have a whole new cadre of people who will need to be trained in compliance requirements.
The data protection officer—I speak as a recovering data protection officer—is tasked with certain specific outcomes but does not necessarily have to be a senior person within the organisation. Indeed, in many cases, they can be an external adviser to the organisation. On the other hand, the senior responsible individual is a senior or board-level representative within the organisation and can take overall accountability for data privacy and data protection for that organisation. Once that accountable person is appointed, he or she can of course appoint a DPO or equivalent role or separate the role among other people as they see fit. That gives everybody the flexibility to meet the needs of privacy as they see fit, but not necessarily in a one-size-fits-all way. That is the philosophical approach.
Does the Minister accept that the SRI will have to cope with having at least a glimmering of an understanding of what will be a rather large Act?
Yes, the SRI will absolutely have to understand all the organisation’s obligations under this Act and indeed other Acts. As with any senior person in any organisation responsible for compliance, they will need to understand the laws that they are complying with.
Amendment 84, tabled by the noble Lord, Lord Clement-Jones, is about the advice given to senior responsible individuals by the ICO. We believe that the commissioner should have full discretion to enforce data protection in an independent, flexible, risk-based and proportionate manner. The amendment would tie the hands of the regulator and force them to give binding advice and proactive assurance without full knowledge of the facts, undermining their regulatory enforcement role.
This is a mercifully short group on this occasion. I thank the noble Lord, Lord Clement-Jones, for the amendment, which seeks to remove Clause 19 from the Bill. Section 62 of the Data Protection Act requires law enforcement agencies to record when personal data has been accessed and why. Clause 19 does not remove the need for police to justify their processing; it simply removes the ineffective administrative requirement to record that justification in a log.
The justification entry was intended to help to monitor and detect unlawful access. However, the reality is that anyone accessing data unlawfully is very unlikely to record an honest justification, making this in practice an unreliable means of monitoring misconduct or unlawful processing. Records of when data was accessed and by whom can be automatically captured and will remain, thereby continuing to ensure accountability.
In addition, the National Police Chiefs’ Council’s view is that this change will not hamper any investigations to identify the unlawful processing of data. That is because it is unlikely that an individual accessing data unlawfully would enter an honest justification, so capturing this information is unlikely to be useful in any investigation into misconduct. The requirements to record the time, date and, as far as possible, the identity of the person accessing the data will remain, as will the obligation that there is lawful reason for the access, ensuring that accountability and protection for data subjects is maintained.
Police officers inform us that the current requirement places an unnecessary burden on them as they have to update the log manually. The Government estimate that the clause could save approximately 1.5 million policing hours, representing a saving in the region of £46.5 million per year.
I understand that the amendment relates to representations made by the National AIDS Trust concerning the level of protection for people’s HIV status. As I believe I said on Monday, the Government agree that the protection of people’s HIV status is vital. We have met the National AIDS Trust to discuss the best solutions to the problems it has raised. For these reasons, I hope the noble Lord will not oppose Clause 19 standing part.
I thank the Minister for his response, but he has left us tantalised about the outcome of his meeting. What is the solution that he has suggested? We are none the wiser as a result of his response.
This pudding has been well over-egged by the National Police Chiefs’ Council. Already, only certain senior officers and the data protection leads in police forces have access to this functionality. There will continue to be a legal requirement to record the time and date of access. They are required to follow a College of Policing code of practice. Is the Minister really saying that recording a justification for accessing personal data is such an onerous requirement that £46.5 million in police time will be saved as a result of this? Over what period? That sounds completely disproportionate.
The fact is that the recording of the justification, whether or not it is false and cannot be relied upon as evidence, is rather useful because it is evidence of police misconduct in relation to inappropriately accessing personal data. They are actually saying: “We did it for this purpose”, when it clearly was not. I am not at all surprised that the National AIDS Trust is worried about this. The College of Policing code of practice does not mention logging requirements in detail. It references them just once in relation to automated systems that process data.
I am extremely grateful to the noble Lord, Lord Bassam, for what he had to say. It seems to me that we do not have any confidence on this side of the House that removing this requirement provides enough security that officers will be held to account if they share an individual’s special category data inappropriately. I do not think the Minister has really answered the concerns, but I beg leave to withdraw my objection to the clause standing part.
My Lords, UK law enforcement authorities processing personal data for law enforcement purposes currently use internationally based companies for data processing services, including cloud storage. The use of international processors is critical for modern organisations and law enforcement is no exception. The use of these international processors enhances law enforcement capabilities and underpins day-to-day functions.
Transfers from a UK law enforcement authority to an international processor are currently permissible under the Data Protection Act 2018. However, there is currently no bespoke mechanism for these transfers in Part 3, which has led to confusion and ambiguity as to how law enforcement authorities should approach the use of such processors. The aim of this amendment is to provide legal certainty to law enforcement authorities in the UK, as well as transparency to the public, so that they can use internationally based processors with confidence.
I have therefore tabled Amendments 110, 117 to 120, 122 to 129 and 131 to provide a clear, bespoke mechanism in Part 3 of the Data Protection Act 2018 for UK law enforcement authorities to use when transferring data to their contracted processors based outside the UK. This will bring Part 3 into line with the UK GDPR while clarifying the current law, and give UK law enforcement authorities greater confidence when making such transfers to their contracted processors for law enforcement purposes.
We have amended Section 73—the general principles for transfer—to include a specific reference to processors, ensuring that international processors can be a recipient of data transfers. In doing so, we have ensured that the safeguards within Chapter 5 that UK law enforcement authorities routinely apply to transfers of data to their international operational equivalents are equally applicable to transfers to processors. We are keeping open all the transfer mechanisms so that data can be transferred on the basis of an applicable adequacy regulation, the appropriate safeguards or potentially the special circumstances.
We have further amended Section 75—the appropriate safeguards provision—to include a power for the ICO to create, specifically for Part 3, an international data transfer agreement, or IDTA, to complement the IDTA which it has already produced to facilitate transfers using Article 46(2)(d) of the UK GDPR.
In respect of transfers to processors, we have disapplied the duty to inform the Information Commissioner about international transfers made subject to appropriate safeguards. As such, a requirement would be out of line with equivalent provisions in the UK GDPR. There is no strong rationale for complying with the provision, given that processors are limited in what they can do with data because of the nature of their contracts and that it would be unlikely to contribute to the effective functioning of the ICO.
Likewise, we have also disapplied the duty to document such transfers and to provide the documentation to the commissioner on request. This is because extending these provisions would duplicate requirements that already exist elsewhere in legislation, including in Section 61, which has extensive recording requirements that enable full accountability to the ICO.
We have also disapplied the majority of Section 78. While it provides a useful function in the context of UK law enforcement authorities transferring to their international operational equivalents, in the law enforcement to international processor context it is not appropriate because processors cannot decide to transfer data onwards on their own volition. They can only do so under instruction from the UK law enforcement authority controller.
Instead, we have retained the general prohibition on any further transfers to processors based in a separate third country by requiring UK law enforcement authority controllers to make it a condition of a transfer to its processor that data is only to be further transferred in line with the terms of the contract with or authorisation given by the controller, and where the further transfer is permitted under Section 73. We have also taken the opportunity to tidy up Section 77 which governs transfers to non-relevant authorities, relevant international organisations or international processors.
In respect of Amendment 121, tabled by the noble Lord, Lord Clement-Jones, on consultation with the Information Commissioner, I reassure the noble Lord that there is a memorandum of understanding between the Home Office and the Information Commissioner regarding international transfers approved by regulations, which sets out the role and responsibilities of the ICO. As part of this, the Home Office consults the Information Commissioner at various stages in the process. The commissioner, in turn, provides independent assurance and advice on the process followed and on the factors taken into consideration.
I understand that this amendment also relates to representations made by the National AIDS Trust. Perhaps the simplest thing is merely to reference my earlier remarks and commitment to engage with the National AIDS Trust ongoing. I beg to move that the government amendments which lead this group stand part of the Bill.
My Lords, very briefly, I thank the Minister for unpacking his amendments with some care, and for giving me the answer to my amendment before I spoke to it—that saves time.
Obviously, we all understand the importance of transfers of personal data between law enforcement authorities, but perhaps the crux of this, and the one question in our mind is, what is—perhaps the Minister could remind us—the process for making sure that the country that we are sending it to is data adequate? Amendment 121 was tabled as a way of probing that. It would be extremely useful if the Minister can answer that. This should apply to transfers between law enforcement authorities just as much as it does for other, more general transfers under Schedule 5. If the Minister can give me the answer, that would be useful, but if he does not have the answer to hand, I am very happy to suspend my curiosity until after Easter.
(9 months ago)
Grand Committee
The balancing test remains there for legitimate interests, under Article 6(1)(f).
Amendment 16 seeks to prevent organisations that undertake third-party marketing relying on the legitimate interest lawful ground under Article 6(1)(f) of the UK GDPR. As I have set out, organisations can rely on that ground for processing personal data without consent when they are satisfied that they have a legitimate interest to do so and that their commercial interests are not outweighed by the rights and interests of data subjects.
Clause 5(4) inserts in Article 6 new paragraph (9), which provides some illustrative examples of activities that may constitute legitimate interests, including direct marketing activities, but it does not mean that they will necessarily be able to process personal data for that purpose. Organisations will need to assess on a case-by-case basis where the balance of interest lies. If the impact on the individual’s privacy is too great, they will not be able to rely on the legitimate interest lawful ground. I should emphasise that this is not a new concept created by this Bill. Indeed, the provisions inserted by Clause 5(4) are drawn directly from the recitals to the UK GDPR, as incorporated from the EU GDPR.
I recognise that direct marketing can be a sensitive—indeed, disagreeable—issue for some, but direct marketing information can be very important for businesses as well as individuals and can be dealt with in a way that respects people’s privacy. The provisions in this Bill do not change the fact that direct marketing activities must be compliant with the data protection and privacy legislation and continue to respect the data subject’s absolute right to opt out of receiving direct marketing communications.
Amendment 17 would make sure that the processing of employee data for “internal administrative purposes” is subject to heightened safeguards, particularly when it relates to health. I understand that this amendment relates to representations made by the National AIDS Trust concerning the level of protection afforded to employees’ health data. We agree that the protection of people’s HIV status is vital and that it is right that it is subject to extra protection, as is the case for all health data and special category data. We have committed to further engagement and to working with the National AIDS Trust to explore solutions in order to prevent data breaches of people’s HIV status, which we feel is best achieved through non-legislative means given the continued high data protection standards afforded by our existing legislation. As such, I hope that the noble Lord, Lord Clement-Jones, will agree not to press this amendment.
Amendment 18 seeks to allow businesses more confidently to rely on the existing legitimate interest lawful ground for the transmission of personal data within a group of businesses affiliated by contract for internal administrative purposes. In Clause 5, the list of activities in proposed new paragraphs (9) and (10) are intended to be illustrative of the types of activities that may be legitimate interests for the purposes of Article 6(1)(f). They are focused on processing activities that are currently listed in the recitals to the EU GDPR but are simply examples. Many other processing activities may be legitimate interests for the purposes of Article 6(1)(f) of the UK GDPR. It is possible that the transmission of personal data for internal administrative purposes within a group affiliated by contract may constitute a legitimate interest, as may many other commercial activities. It would be for the controller to determine this on a case-by-case basis after carrying out a balancing test to assess the impact on the individual.
Finally, I turn to the clause stand part debate that seeks to remove Clause 7 from the Bill. I am grateful to the noble Lord, Lord Clement-Jones, for this amendment because it allows me to explain why this clause is important to the success of the UK-US data access agreement. As noble Lords will know, that agreement helps the law enforcement agencies in both countries tackle crime. Under the UK GDPR, data controllers can process personal data without consent on public interest grounds if the basis for the processing is set out in domestic law. Clause 7 makes it clear that the processing of personal data can also be carried out on public interest grounds if the basis for the processing is set out in a relevant international treaty such as the UK-US data access agreement.
The agreement permits telecommunications operators in the UK to disclose data about serious crimes with law enforcement agencies in the US, and vice versa. The DAA has been operational since October 2022 and disclosures made by UK organisations under it are already lawful under the UK GDPR. Recent ICO guidance confirms this, but the Government want to remove any doubt in the minds of UK data controllers that disclosures under the DAA are permitted by the UK GDPR. Clause 7 makes it absolutely clear to telecoms operators in the UK that disclosures under the DAA can be made in reliance on the UK GDPR’s public tasks processing grounds; the clause therefore contributes to the continued, effective functioning of the agreement and to keeping the public in both the UK and the US safe.
For these reasons, I hope that the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment.
My first reaction is “Phew”, my Lords. We are all having to keep to time limits now. The Minister did an admirable job within his limit.
I wholeheartedly support what the noble Baronesses, Lady Kidron and Lady Harding, said about Amendments 13 and 15 and what the noble Baroness, Lady Jones, said about her Amendment 12. I do not believe that we have yet got to the bottom of children’s data protection; there is still quite some way to go. It would be really helpful if the Minister could bring together the elements of children’s data about which he is trying to reassure us and write to us saying exactly what needs to be done, particularly in terms of direct marketing directed towards children. That is a real concern.
My Lords, it is a pleasure to follow the noble Baronesses, Lady Harding and Lady Bennett, after the excellent introduction to the amendments in this group by the noble Baroness, Lady Jones. The noble Baroness, Lady Harding, used the word “trust”, and this is another example of a potential hidden agenda in the Bill. Again, it is destructive of any public trust in the way their data is curated. This is a particularly egregious example, without, fundamentally, any explanation. Sir John Whittingdale said that a future Government
“may want to encourage democratic engagement in the run up to an election by temporarily ‘switching off’ some of the direct marketing rules”.—[Official Report, Commons, 29/11/2023; col. 885.]
Nothing to see here—all very innocuous; but, as we know, in the past the ICO has been concerned about even the current rules on the use of data by political parties. It seems to me that, without being too Pollyannaish about this, we should be setting an example in the way we use the public’s data for campaigning. The ICO, understandably, is quoted as saying during the public consultation on the Bill that this is
“an area in which there are significant potential risks to people if any future policy is not implemented very carefully”.
That seems an understatement, but that is how regulators talk. It is entirely right to be concerned about these provisions.
Of course, they are hugely problematic, but they are particularly problematic given that it is envisaged that young people aged 14 and older should be able to be targeted by political parties when they cannot even vote, as we have heard. This would appear to contravene one of the basic principles of data protection law: that you should not process more personal data than you need for your purposes. If an individual cannot vote, it is hard to see how targeting them with material relating to an election is a proportionate interference with their privacy rights, particularly when they are a child. The question is, should we be soliciting support from 14 to 17 year-olds during elections when they do not have votes? Why do the rules need changing so that people can be targeted online without having consented? One of the consequences of these changes would be to allow a Government to switch off—the words used by Sir John Whittingdale—direct marketing rules in the run-up to an election, allowing candidates and parties to rely on “soft” opt-in to process data and make other changes without scrutiny.
Exactly as the noble Baroness, Lady Jones, said, respondents to the original consultation on the Bill wanted political communications to be covered by existing rules on direct marketing. Responses were very mixed on the soft opt-in, and there were worries that people might be encouraged to part with more of their personal data. More broadly, why are the Government changing the rules on democratic engagement if they say they will not use these powers? What assessment have they made of the impact of the use of the powers? Why are the powers not being overseen by the Electoral Commission? If anybody is going to have the power to introduce the ability to market directly to voters, it should be the Electoral Commission.
All this smacks of taking advantage of financial asymmetry. We talked about competition asymmetry with big tech when we debated the digital markets Bill; similarly, this seems a rather sneaky way of taking advantage of the financial resources one party might have versus others. It would allow it to do things other parties cannot, because it has granted itself permission to do that. The provisions should not be in the hands of any Secretary of State or governing party; if anything, they should be in entirely independent hands; but, even then, they are undesirable.
My Lords, I thank the noble Baroness, Lady Jones, for tabling her amendments. Amendment 19 would remove processing which is necessary for the purposes of democratic engagement from the list of recognised legitimate interests. It is essential in a healthy democracy that registered political parties, elected representatives and permitted participants in referendums can engage freely with the electorate without being impeded unnecessarily by data protection legislation.
The provisions in the Bill will mean that these individuals and organisations do not have to carry out legitimate interest assessments or look for a separate legal basis. They will, however, still need to comply with other requirements of data protection legislation, such as the data protection principles and the requirement for processing to be necessary.
On the question posed by the noble Baroness about the term “democratic engagement”, it is intended to cover a wide range of political activities inside and outside election periods. These include but are not limited to democratic representation; communicating with electors and interested parties; surveying and opinion gathering; campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities. This is reflected in the drafting, which incorporates these concepts in the definition of democratic engagement and democratic engagement activities.
The ICO already has guidance on the use of personal data by political parties for campaigning purposes, which the Government anticipate it will update to reflect the changes in the Bill. We will of course work with the ICO to make sure it is familiar with our plans for commencement and that it does not benefit any party over another.
On the point made about the appropriate age for the provisions, in some parts of the UK the voting age is 16 for some elections, and children can join the electoral register as attainers at 14. The age of 14 reflects the variations in voting age across the nation; in some parts of the UK, such as Scotland, a person can register to vote at 14 as an attainer. An attainer is someone who is registered to vote in advance of their being able to do so, to allow them to be on the electoral roll as soon as they turn the required age. Children aged 14 and over are often politically engaged and are approaching voting age. The Government consider it important that political parties and elected representatives can engage freely with this age group—
My Lords, it is a pleasure to follow the noble Lord, Lord Sikka. He raised even more questions about Clause 9 than I ever dreamed of. He has illustrated the real issues behind the clause and why it is so important to debate its standing part, because, in our view, it should certainly be removed from the Bill. It would seriously limit people’s ability to access information about how their personal data is collected and used. We are back to the dilution of data subject rights, within which the rights of data subject access are, of course, vital. This includes limiting access to information about automated decision-making processes to which people are subject.
A data subject is someone who can be identified directly or indirectly by personal data, such as a name, an ID number, location data, or information relating to their physical, economic, cultural or social identity. Under existing law, data subjects have a right to request confirmation of whether their personal data is being processed by a controller, to access that personal data and to obtain information about how it is being processed. The noble Lord, Lord Sikka, pointed out that there is ample precedent for how the controller can refuse a request from a data subject only if it is manifestly unfounded or excessive. The meaning of that phrase is well established.
There are three main ways in which Clause 9 limits people’s ability to access information about how their personal data is being collected and used. First, it would lower the threshold for refusing a request from “manifestly unfounded or excessive” to “vexatious or excessive”. This is an inappropriately low threshold, given the nature of a data subject access request—namely, a request by an individual for their own data.
Secondly, Clause 9 would insert a new mandatory list of considerations for deciding whether the request is vexatious or excessive. This includes vague considerations, such as
“the relationship between the person making the request (the ‘sender’) and the person receiving it (the ‘recipient’)”.
The very fact that the recipient holds data relating to the sender means that there is already some form of relationship between them.
Thirdly, the weakening of an individual’s right to obtain information about how their data is being collected, used or shared is particularly troubling given the simultaneous effect of the provisions in Clause 10, which means that data subjects are less likely to be informed about how their data is being used for additional purposes other than those for which it was originally collected, in cases where the additional purposes are for scientific or historical research, archiving in the public interest or statistical purposes. Together, the two clauses mean that an individual is less likely to be proactively told how their data is being used, while it is harder to access information about their data when requested.
In the Public Bill Committee in the House of Commons, the Minister, Sir John Whittingdale, claimed that:
“The new parameters are not intended to be reasons for refusal”,
but rather to give
“greater clarity than there has previously been”.—[Official Report, Commons, Data Protection and Digital Information Bill Committee, 16/5/23; cols. 113-14.]
But it was pointed out by Dr Jeni Tennison of Connected by Data in her oral evidence to the committee that the impact assessment for the Bill indicates that a significant proportion of the savings predicted would come from lighter burdens on organisations dealing with subject access requests as a result of this clause. This suggests that, while the Government claim that this clause is a clarification, it is intended to weaken obligations on controllers and, correspondingly, the rights of data subjects. Is that where the Secretary of State’s £10 billion of benefit from this Bill comes from? On these grounds alone, Clause 9 should be removed from the Bill.
We also oppose the question that Clause 12 stand part of the Bill. Clause 12 provides that, in responding to subject access requests, controllers are required only to undertake a
“reasonable and proportionate search for the personal data and other information”.
This clause also appears designed to weaken the right of subject access and will lead to confusion for organisations about what constitutes a reasonable and proportionate search in a particular circumstance. The right of subject access is central to individuals’ fundamental rights and freedoms, because it is a gateway to exercising other rights, either within the data subject rights regime or in relation to other legal rights, such as the rights to equality and non-discrimination. Again, the lowering of rights compared with the EU creates obvious risks, and this is a continuing theme of data adequacy.
Clause 12 does not provide a definition for reasonable and proportionate searches, but when introducing the amendment, Sir John Whittingdale suggested that a search for information may become unreasonable or disproportionate
“when the information is of low importance or of low relevance to the data subject”.—[Official Report, Commons, 29/11/23; col. 873.]
Those considerations diverge from those provided in the Information Commissioner’s guidance on the rights of access, which states that when determining whether searches may be unreasonable or disproportionate, the data controller must consider the circumstances of the request, any difficulties involved in finding the information and the fundamental nature of the right of access.
We also continue to be concerned about the impact assessment for the Bill and the Government’s claims that the new provisions in relation to subject access requests are for clarification only. Again, Clause 12 appears to have the same impact as Clause 9 in the kinds of savings that the Government seem to imagine will emerge from the lowering of subject access rights. This is a clear dilution of subject access rights, and this clause should also be removed from the Bill.
We always allow for belt and braces and if our urging does not lead to the Minister agreeing to remove Clauses 9 and 12, at the very least we should have the new provisions set out either in Amendment 26, in the name of the noble Baroness, Lady Jones of Whitchurch, or in Amendment 25, which proposes that a data controller who refuses a subject access request must give reasons for their refusal and tell the subject about their right to seek a remedy. That is absolutely the bare minimum, but I would far prefer to see the deletion of Clauses 9 and 12 from the Bill.
As ever, I thank noble Lords for raising and speaking to these amendments. I start with the stand part notices on Clauses 9 and 36, introduced by the noble Lord, Lord Clement-Jones. Clauses 9 and 36 clarify the new threshold to refuse or charge a reasonable fee for a request that is “vexatious or excessive”. Clause 36 also clarifies that the Information Commissioner may charge a fee for dealing with, or refuse to deal with, a vexatious or excessive request made by any persons and not just data subjects, providing necessary certainty.
The actual application of the terms will be set out in guidance by the ICO but the intention is to filter out the more disruptive and cynical ones. Designing these words is never an easy thing but there has been considerable consultation on this in order to achieve that intention.
My Lords—sorry; it may be that the Minister was just about to answer my question. I will let him do so.
I will have to go back to the impact assessment but I would be astonished if that was a significant part of the savings promised. By the way, the £10.6 billion—or whatever it is—in savings was given a green rating by the body that assesses these things; its name eludes me. It is a robust calculation. I will check and write to the noble Lord, but I do not believe that a significant part of that calculation leans on the difference between “vexatious” and “manifestly unfounded”.
It would be very useful to have the Minister respond on that but, of course, as far as the impact assessment is concerned, a lot of this depends on the Government’s own estimates of what this Bill will produce—some of which are somewhat optimistic.
The noble Baroness, Lady Jones, has given me an idea: if an impact assessment has been made, clause by clause, it would be extremely interesting to know just where the Government believe the golden goose is.
I am not quite sure what is being requested because the impact assessment has been not only made but published.
I see—so noble Lords would like an analysis of the different components of the impact assessment. It has been green-rated by the independent Regulatory Policy Committee. I have just been informed by the Box that the savings from these reforms to the wording of SARs are valued at less than 1% of the benefit of more than £10 billion that this Bill will bring.
That begs the question of where on earth the rest is coming from.
Which I will be delighted to answer. With this interesting exchange, I have lost in my mind the specific questions that the noble Lord, Lord Sikka, asked but I am coming on to some of his other ones; if I do not give satisfactory answers, no doubt he will intervene and ask again.
I appreciate the further comments made by the noble Lord, Lord Sikka, about the Freedom of Information Act. I hope he will be relieved to know that this Bill does nothing to amend that Act. On his accounting questions, he will be aware that most SARs are made by private individuals to private companies. The Government are therefore not involved in that process and do not collect the kind of information that he described.
Following the DPDI Bill, the Government will work with the ICO to update guidance on subject access requests. Guidance plays an important role in clarifying what a controller should consider when relying on the new “vexatious or excessive” provision. The Government are also exploring whether a code of practice on subject access requests can best address the needs of controllers and data subjects.
On whether Clause 12 should stand part of the Bill, Clause 12 is only putting on a statutory footing what has already been established—
On the first point, I used the words carefully because the Government cannot instruct the ICO specifically on how to act in any of these cases. The question about the May deadline is important. With the best will in the world, none of the provisions in the Bill are likely to be in effect by the time of that deadline in any case. That being the case, I would feel slightly uneasy about advising the ICO on how to act.
My Lords, I am not quite getting from the Minister whether he has an understanding of and sympathy with the case that is being made or whether he is standing on ceremony on its legalities. Is he saying, “No, we think that would be going too far”, or that there is a good case and that guidance or some action by the ICO would be more appropriate? I do not get the feeling that somebody has made a decision about the policy on this. It may be that conversations with the Minister between Committee and Report would be useful, and it may be early days yet until he hears the arguments made in Committee; I do not know, but it would be useful to get an indication from him.
Yes. I repeat that I very much recognise the seriousness of the case. There is a balance to be drawn here. In my view, the best way to identify the most appropriate balancing point is to continue to work closely with the ICO, because I strongly suspect that, at least at this stage, it may be very difficult to draw a legislative dividing line that balances the conflicting needs. That said, I am happy to continue to engage with noble Lords on this really important issue between Committee and Report, and I commit to doing so.
On the question of whether Clause 11 should stand part of the Bill, Clause 11 extends the existing disproportionate effort exemption to cases where the controller collected the personal data directly from the data subject and intends to carry out further processing for research purposes, subject to the research safeguards outlined in Clause 26. This exemption is important to ensure that life-saving research can continue unimpeded.
Research holds a privileged position in the data protection framework because, by its nature, it is viewed as generally being in the public interest. The framework has various exemptions in place to facilitate and encourage research in the UK. During the consultation, we were informed of various longitudinal studies, such as those into degenerative neurological conditions, where it is impossible or nearly impossible to recontact data subjects. To ensure that this vital research can continue unimpeded, Clause 11 provides a limited exemption that applies only to researchers who are complying with the safeguards set out in Clause 26.
The noble Lord, Lord Clement-Jones, raised concerns that Clause 11 would allow unfair processing. I assure him that this is not the case, as any processing that uses the disproportionate effort exemption in Article 13 must comply with the overarching data protection principles, including lawfulness, fairness and transparency, so that even if data controllers rely on this exemption they should consider other ways to make the processing they undertake as fair and transparent as possible.
Finally, returning to EU data adequacy, the Government recognise its importance and, as I said earlier, are confident that the proposals in Clause 11 are complemented by robust safeguards, which reinforces our view that they are compatible with EU adequacy. For the reasons that I have set out, I am unable to accept these amendments, and I hope that noble Lords will not press them.
As ever, I thank the noble Baroness, Lady Jones, and the noble Lord, Lord Clement-Jones, for their detailed consideration of Clause 14, and all other noble Lords who spoke so well. I carefully note the references to the DWP’s measure on fraud and error. For now, I reassure noble Lords that a human will always be involved in all decision-making relating to that measure, but I note that this Committee will have a further debate specifically on that measure later.
The Government recognise the importance of solely automated decision-making to the UK’s future success and productivity. These reforms ensure that it can be responsibly implemented, while any such decisions with legal or similarly significant effects have the appropriate safeguards in place, including the rights to request a review and to request one from a human. These reforms clarify and simplify the rules related to solely automated decision-making without watering down any of the protections for data subjects or the fundamental data protection principles. In doing so, they will provide confidence to organisations looking to use these technologies in a responsible way while driving economic growth and innovation.
The Government also recognise that AI presents huge opportunities for the public sector. It is important that AI is used responsibly and transparently in the public sector; we are already taking steps to build trust and transparency. Following a successful pilot, we are making the Algorithmic Transparency Reporting Standard—the ATRS—a requirement for all government departments, with plans to expand this across the broader public sector over time. This will ensure that there is a standardised way for government departments proactively to publish information about how and why they are using algorithms in their decision-making. In addition, the Central Digital and Data Office—the CDDO—has already published guidance on the procurement and use of generative AI for the UK Government and, later this year, DSIT will launch the AI management essentials scheme, setting a minimum good practice standard for companies selling AI products and services.
My Lords, could I just interrupt the Minister? It may be that he can get an answer from the Box to my question. One intriguing aspect is that, as the Minister said, the pledge is to bring the algorithmic recording standard into each government department and there will be an obligation to use that standard. However, what compliance mechanism will there be to ensure that that is happening? Does the accountable Permanent Secretary have a duty to make sure that that is embedded in the department? Who has the responsibility for that?
That is a fair question. I must confess that I do not know the answer. There will be mechanisms in place, department by department, I imagine, but one would also need to report on it across government. Either it will magically appear in my answer or I will write to the Committee.
The CDDO has already published guidance on the procurement and use of generative AI for the Government. We will consult on introducing this as a mandatory requirement for public sector procurement, using purchasing power to drive responsible innovation in the broader economy.
I turn to the amendments in relation to meaningful involvement. I will first take together Amendments 36 and 37, which aim to clarify that the safeguards mentioned under Clause 14 are applicable to profiling operations. New Article 22A(2) already clearly sets out that, in cases where profiling activity has formed part of the decision-making process, controllers have to consider the extent to which a decision about an individual has been taken by means of profiling when establishing whether human involvement has been meaningful. Clause 14 makes clear that a solely automated significant decision is one without meaningful human involvement and that, in these cases, controllers are required to provide the safeguards in new Article 22C. As such, we do not believe that these amendments are necessary; I therefore ask the noble Baroness, Lady Jones, not to press them.
Turning to Amendment 38, the Government are confident that the existing reference to “data subject” already captures the intent of this amendment. The existing definition of “personal data” makes it clear that a data subject is a person who can be identified, directly or indirectly. As such, we do not believe that this amendment is necessary; I ask the noble Lord, Lord Clement-Jones, whether he would be willing not to press it.
Amendments 38A and 40 seek to clarify that, for human involvement to be considered meaningful, the review must be carried out by a competent person. We feel that these amendments are unnecessary as meaningful human involvement may vary depending on the use case and context. The reformed clause already introduces a power for the Secretary of State to provide legal clarity on what is or is not to be taken as meaningful human involvement. This power is subject to the affirmative procedure in Parliament and allows the provision to be future-proofed in the wake of technological advances. As such, I ask the noble Baronesses, Lady Jones and Lady Bennett, not to press their amendments.
I am not sure I agree with that characterisation. The ATRS is a relatively new development. It needs time to bed in and needs to be bedded in on an agile basis in order to ensure not only quality but speed of implementation. That said, I ask the noble Lord to withdraw his amendment.
The Minister has taken us through what Clause 14 does and rebutted the need for anything other than “solely”. He has gone through the sensitive data and the special category data aspects, and so on, but is he reiterating his view that this clause is purely for clarification; or is he saying that it allows greater use of automated decision-making, in particular in public services, so that greater efficiencies can be found and therefore it is freeing up the public sector at the expense of the rights of the individual? Where does he sit in all this?
As I said, the intent of the Government is: yes to more automated data processing to take advantage of emerging technologies, but also yes to maintaining appropriate safeguards. The safeguards in the present system consist—if I may characterise it in a slightly blunt way—of providing quite a lot of uncertainty, so that people do not take the decision to positively embrace the technology in a safe way. By bringing in this clarity, we will see an increase not only in the safety of their applications but in their use, driving up productivity in both the public and private sectors.
My Lords, I will speak to my Amendment 48. By some quirk of fate, I failed to sign up to the amendments that the noble Lord, Lord Bassam, so cogently introduced. I would have signed up if I had realised that I had not, so to speak.
It is a pleasure to follow the noble Baroness, Lady Kidron. She has a track record of being extremely persuasive, so I hope the Minister pays heed in what happens between Committee and Report. I very much hope that there will be some room for manoeuvre and that there is not just permanent push-back, with the Minister saying that everything is about clarifying and us saying that everything is about dilution. There comes a point when we have to find some accommodation on some of these areas.
Amendments 48 and 49 are very similar—I was going to say, “Great minds think alike”, but I am not sure that my brain feels like much of a great mind at the moment. “Partly” or “predominantly” rather than “solely”, if you look at it the other way round, is really the crux of what I think many of us are concerned about. It is easy to avoid the terms of Article 22 just by slipping in some sort of token human involvement. Defining “meaningful” is so difficult in these circumstances. I am concerned that we are opening the door to something that could be avoided. Even then, the terms of the new clause—we will have a clause stand part debate on Wednesday, obviously—put all the onus on the data subject, whereas that was not the case previously under Article 22. The Minister has not really explained why that change has been made.
I conclude by saying that I very much support Amendment 41. This whole suite of amendments is well drafted. The point about the Equality Act is extremely well made. The noble Lord, Lord Holmes, also has a very good amendment here. It seems to me that involving the ICO right in the middle of this will be absolutely crucial—and we are back to public trust again. If nothing else, I would like explicitly to include that under Clause 14 in relation to Article 22 by the time this Bill goes through.
I thank noble Lords and the noble Baroness for their further detailed consideration of Clause 14.
Let me take first the amendments that deal with restrictions on and safeguards for ADM and degree of ADM. Amendment 41 aims to make clear that solely automated decisions that contravene any part of the Equality Act 2010 are prohibited. We feel that this amendment is unnecessary for two reasons. First, this is already the case under the Equality Act, which is reinforced by the lawfulness principle under the present data protection framework, meaning that controllers are already required to adhere to the Equality Act 2010. Secondly, explicitly stating in the legislation that contravening one type of legislation is prohibited—in this case, the Equality Act 2010—and not referring to other legislation that is also prohibited will lead to an inconsistent approach. As such, we do not believe that this amendment is necessary; I ask the noble Baroness, Lady Jones, to withdraw it.
Amendment 44 seeks to limit the conditions for special category data processing for this type of automated decision-making. Again, we feel that this is not needed given that a set of conditions already provides enhanced levels of protection for the processing of special category data, as set out in Article 9 of the UK GDPR. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. Furthermore, where an organisation seeks to process special category data under solely automated decision-making on the basis that it is necessary for contract, in addition to the Articles 6 and 9 lawful bases, they would also have to demonstrate that the processing was necessary for substantial public interest.
Similarly, Amendment 45 seeks to apply safeguards when processing special category data; however, these are not needed as the safeguards in new Article 22C already apply to all forms of processing, including the processing of special category data, by providing sufficient safeguards for data subjects’ rights, freedoms and legitimate interests. As such, we do not believe that these amendments are necessary; I ask the noble Baroness, Lady Jones, not to press them.
It may be either the controller or the processor but for any legal or similarly significant decision right now—today—there is a requirement before the Bill comes into effect. That requirement is retained by the Bill.
In line with ICO guidance, children need particular protection when organisations collect and process their personal data because they may be less aware of the risks involved. If organisations process children’s personal data they should think about the need to protect them from the outset and should design their systems and processes with this in mind. This is the case for organisations processing children’s data during solely automated decision-making, just as it is for all processing of children’s data.
Building on this, the Government’s view is that automated decision-making has an important role to play in protecting children online, for example with online content moderation. The current provisions in the Bill will help online service providers understand how they can use these technologies and strike the right balance between enabling the best use of automated decision-making technology while continuing to protect the rights of data subjects, including children. As such, we do not believe that the amendment is necessary; I ask the noble Baroness if she would be willing not to press it.
Amendments 48 and 49 seek to extend the Article 22 provisions to “predominantly” and “partly” automated decision-making. These types of processing already involve meaningful human involvement. In such instances, other data protection requirements, including transparency and fairness, continue to apply and offer relevant protections. As such, we do not believe that these amendments are necessary; I ask the noble Baroness, Lady Jones, and the noble Lord, Lord Clement-Jones, if they would be willing not to press them.
Amendment 50 seeks to ensure that the Article 22C safeguards will apply alongside, rather than instead of, the transparency obligations in the UK GDPR. I assure the noble Baroness, Lady Jones, that the general transparency obligations in Articles 12 to 15 will continue to apply and thus will operate alongside the safeguards in the reformed Article 22. As such, we do not believe that this amendment is necessary; I ask the noble Baroness if she would be willing not to press it.
The changes proposed by Amendment 52A are unnecessary as Clause 50 already provides for an overarching requirement for the Secretary of State to consult the ICO and other persons that the Secretary of State considers appropriate before making regulations under the UK GDPR, including for the measures within Article 22. Also, any changes to the regulations are subject to the affirmative procedure so must be approved by both Houses of Parliament. As with other provisions of the Bill, the ICO will seek to provide organisations with timely guidance and support to assist them in interpreting and applying the legislation. As such, we do not believe that this amendment is necessary and, if he were here, I would ask my noble friend Lord Holmes if he would be willing not to press it.
Amendments 98A and 104A are related to workplace rights. Existing data protection legislation and our proposed reforms provide sufficient safeguards for automated decision making where personal data is being processed, including in workplaces. The UK’s human rights law, and existing employment and equality laws, also ensure that employees are informed and consulted about any workplace developments, which means that surveillance of employees is regulated. As such, we do not believe that these amendments are necessary and I ask the noble Baroness not to move them.
I hear what the Minister said about the workplace algorithmic assessment. However, if the Government believe it is right to have something like an algorithmic recording standard in the public sector, why is it not appropriate to have something equivalent in the private sector?
I would not say it is not right, but if we want to make the ATRS a standard, we should make it a standard in the public sector first and then allow it to be adopted as a means for all private organisations using ADM and AI to meet the transparency principles that they are required to adopt.
So would the Minister not be averse to it? It is merely so that the public sector is ahead of the game, allowing it to show the way and then there may be a little bit of regulation for the private sector.
I am not philosophically averse to such regulation. As to implementing it in the immediate future, however, I have my doubts about that possibility.
(9 months, 1 week ago)
Grand Committee
I believe it restates what the Government feel is clearly implied or stated throughout the Bill: that children’s safety is paramount. Therefore, putting it there is either duplicative or confusing; it reduces the clarity of the Bill. In no way is this to say that children are not protected—far from it. The Government feel it would diminish the clarity and overall cohesiveness of the Bill to include it.
My Lords, not to put too fine a point on it, the Minister is saying that nothing in the Bill diminishes children’s rights, whether in Clause 1, Clause 6 or the legitimate interest in Clause 5. He is saying that absolutely nothing in the Bill diminishes children’s rights in any way. Is that his position?
I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for this series of amendments.
I will first address Amendment 6, which seeks to amend Clause 2. As the noble Lord said, the definitions created by Clause 2, including “scientific research purposes”, are based on the current wording in recital 159 to the UK GDPR. We are changing not the scope of these definitions but their legal status. This amendment would require individual researchers to assess whether their research should be considered to be in the public interest, which could create uncertainty in the sector and discourage research. This would be more restrictive than the current position and would undermine the Government’s objectives to facilitate scientific research and empower researchers.
We have maintained a flexible scope as to what is covered by “scientific research” while ensuring that the definition is still sufficiently narrow in that it can cover only what would reasonably be seen as scientific research. This is because the legislation needs to be able to adapt to the emergence of new areas of innovative research. Therefore, the Government feel that it is more appropriate for the regulator to add more nuance and context to the definition. This includes the types of processing that are considered—
I am sorry to interrupt but it may give the Box a chance to give the Minister a note on this. Is the Minister saying that recital 159 includes the word “commercial”?
I am afraid I do not have an eidetic memory of recital 159, but I would be happy to—
That is precisely why I ask this question in the middle of the Minister’s speech to give the Box a chance to respond, I hope.
Researchers must also comply with the required safeguards to protect individuals’ privacy. All organisations conducting scientific research, including those with commercial interests, must also meet all the safeguards for research laid out in the UK GDPR and comply with the legislation’s core principles, such as fairness and transparency. Clause 26 sets out several safeguards that research organisations must comply with when processing personal data for research purposes. The ICO will update its non-statutory guidance to reflect many of the changes introduced by this Bill.
Scientific research currently holds a privileged place in the data protection framework because, by its nature, it is already viewed as generally being in the public interest. As has been observed, the Bill already applies a public interest test to processing for the purpose of public health studies in order to provide greater assurance for research that is particularly sensitive. Again, this reflects recital 159.
In response to the noble Baroness, Lady Jones, on why public health research is being singled out, as she stated, this part of the legislation just adds an additional safeguard to studies into public health ensuring that they must be in the public interest. This does not limit the scope for other research unrelated to public health. Studies in the area of public health will usually be in the public interest. For the rare, exceptional times that a study is not, this requirement provides an additional safeguard to help prevent misuse of the various exemptions and privileges for researchers in the UK GDPR. “Public interest” is not defined in the legislation, so the controller needs to make a case-by-case assessment based on its purposes.
On the point made by the noble Lord, Lord Clement-Jones, about recitals and ICO guidance, although we of course respect and welcome ICO guidance, it does not have legislative effect and does not provide the certainty that legislation does. That is why we have done so via this Bill.
Amendment 7 to Clause 3 would undermine the broader consent concept for scientific research. Clause 3 places the existing concept of “broad consent” currently found in recital 33 to the UK GDPR on a statutory footing with the intention of improving awareness and confidence for researchers. This clause applies only to scientific research processing that is reliant on consent. It already contains various safeguards. For example, broad consent can be used only where it is not possible to identify at the outset the full purposes for which personal data might be processed. Additionally, to give individuals greater agency, where possible individuals will have the option to consent to only part of the processing and can withdraw their consent at any time.
Clause 3 clarifies an existing concept of broad consent which outlines how the conditions for consent will be met in certain circumstances when processing for scientific research purposes. This will enable consent to be obtained for an area of scientific research when researchers cannot at the outset identify fully the purposes for which they are collecting the data. For example, the initial aim may be the study of cancer, but it later becomes the study of a particular cancer type.
Furthermore, as part of the reforms around the reuse of personal data, we have further clarified that when personal data is originally collected on the basis of consent, a controller would need to get fresh consent to reuse that data for a new purpose unless a public interest exemption applied and it is unreasonable to expect the controller to obtain that consent. A controller cannot generally reuse personal data originally collected on the basis of consent for research purposes.
Turning to Amendments 132 and 133 to Clause 26, the general rule described in Article 13(3) of the UK GDPR is that controllers must inform data subjects about a change of purposes, which provides an opportunity to withdraw consent or object to the proposed processing where relevant. There are existing exceptions to the right to object, such as Article 21(6) of the UK GDPR, where processing is necessary for research in the public interest, and in Schedule 2 to the Data Protection Act 2018, when applying the right would prevent or seriously impair the research. Removing these exemptions could undermine life-saving research and compromise long-term studies so that they are not able to continue.
Regarding Amendment 134, new Article 84B of the UK GDPR already sets out the requirement that personal data should be anonymised for research, archiving and statistical—RAS—purposes unless doing so would mean the research could not be carried through. Anonymisation is not always possible as personal data can be at the heart of valuable research, archiving and statistical activities, for example, in genetic research for the monitoring of new treatments of diseases. That is why new Article 84C of the UK GDPR also sets out protective measures for personal data that is used for RAS purposes, such as ensuring respect for the principle of data minimisation through pseudonymisation.
The stand part notice in this group seeks to remove Clause 6 and, consequentially, Schedule 2. In the Government’s consultation on data reform, Data: A New Direction, we heard that the current provisions in the UK GDPR on personal data reuse are difficult for controllers and individuals to navigate. This has led to uncertainty about when controllers can reuse personal data, causing delays for researchers and obstructing innovation. Clause 6 and Schedule 2 address the existing uncertainty around reusing personal data by setting out clearly the conditions in which the reuse of personal data for a new purpose is permitted. Clause 6 and Schedule 2 must therefore remain to give controllers legal certainty and individuals greater transparency.
Amendment 22 seeks to remove the power to add to or vary the conditions set out in Schedule 2. These conditions currently constitute a list of specific public interest purposes, such as safeguarding vulnerable individuals, for which an organisation is permitted to reuse data without needing consent or to identify a specific law elsewhere in legislation. Since this list is strictly limited and exhaustive, a power is needed to ensure that it is kept up to date with future developments in how personal data is used for important public interest purposes.
With respect to recital 38, that sounds like a really interesting idea. Yes, let us both have a look and see what the consultation involves and what the timing might look like. I confess to the Committee that I do not know what recital 38 says, off the top of my head. For the reasons I have set out, I am not able to accept these amendments. I hope that noble Lords will therefore not press them.
Returning to the questions by the noble Lord, Lord Clement-Jones, on the contents of recital 159, the current UK GDPR and EU GDPR are silent on the specific definition of scientific research. It does not preclude commercial organisations performing scientific research; indeed, the ICO’s own guidance on research and its interpretation of recital 159 already mention commercial activities. Scientific research can be done by commercial organisations—for example, much of the research done into vaccines, and the research into AI referenced by the noble Baroness, Lady Harding. The recital itself does not mention it but, as the ICO’s guidance is clear on this already, the Government feel that it is appropriate to put this on a statutory footing.
My Lords, that was intriguing. I thank the Minister for his response. It sounds as though, again, guidance would have been absolutely fine, but what is there not to like about the ICO bringing clarity? It was quite interesting that the Minister used the phrase “uncertainty in the sector” on numerous occasions and that is becoming a bit of a mantra as the Bill goes on. We cannot create uncertainty in the sector, so the poor old ICO has been labouring in the vineyard for the last few years to no purpose at all. Clearly there has been uncertainty in the sector of a major description, and all its guidance and all the work that it has put in over the years have been wholly fruitless, really. It is only this Government that have grabbed the agenda with this splendid 300-page data protection Bill that will clarify this for business. I do not know how much they will have to pay to get new compliance officers or whatever it happens to be, but the one thing that the Bill will absolutely not create is greater clarity.
I am a huge fan of making sure that we understand what the recitals have to say, and it is very interesting that the Minister is saying that the recital is silent but the ICO’s guidance is pretty clear on this. I am hugely attracted by the idea of including recital 38 in the Bill. It is another lightbulb moment from the noble Baroness, Lady Kidron, who has these moments, rather like with the age-appropriate design code, which was a huge one.
We are back to the concern, whether in the ICO guidance, the Bill or wherever, that scientific research needs to be in the public interest to qualify and not have all the consents that are normally required for the use of personal data. The Minister said, “Well, of course we think that scientific research is in the public interest; that is its very definition”. So why does only public health research need that public interest test and not the other aspects? Is it because, for instance, the opt-out was a bit of a disaster and 3 million people opted out of allowing their health data to be shared or accessed by GPs? Yes, it probably is.
Do the Government want a similar kind of disaster to happen, in which people get really excited about Meta or other commercial organisations getting hold of their data, a public outcry ensues and they therefore have to introduce a public interest test on that? What is sauce for the goose is sauce for the gander. I do not think that personal data should be treated in a particularly different way in terms of its public interest, just because it is in healthcare. I very much hope that the Minister will consider that.
I thank the noble Baroness, Lady Kidron, for raising this interesting and compelling set of ideas. I turn first to Amendments 10 and 35 relating to data communities. The Government recognise that individuals need to have the appropriate tools and mechanisms to easily exercise their rights under the data protection legislation. It is worth pointing out that current legislation does not prevent data subjects authorising third parties to exercise certain rights. Article 80 of the UK GDPR also explicitly gives data subjects the right to appoint not-for-profit bodies to exercise certain rights, including their right to bring a complaint to the ICO, to appeal against a decision of the ICO or to bring legal proceedings against a controller or processor and the right to receive compensation.
The concept of data communities exercising certain data subject rights is closely linked with the wider concept of data intermediaries. The Government recognise the existing and potential benefits of data intermediaries and are committed to supporting them. However, given that data intermediaries are new, we need to be careful not to distort the sector at such an early stage of development. As in many areas of the economy, officials are in regular contact with businesses, and the data intermediary sector is no different. One such engagement is the DBT’s Smart Data Council, which includes a number of intermediary businesses that advise the Government on the direction of smart data policy. The Government would welcome further and continued engagement with intermediary businesses to inform how data policy is developed.
I am sorry, but the Minister used a pretty pejorative word: “distort” the sector. What does he have in mind?
I did not mean to be pejorative; I merely point out that before embarking on quite a far-reaching policy—as noble Lords have pointed out—we would not want to jump the gun prior to consultation and researching the area properly. I certainly do not wish to paint a negative portrait.
It is a moment at which I cannot set a firm date for a firm set of actions, but on the other hand I am not attempting to punt it into the long grass either. The Government do not want to introduce a prescriptive framework without assessing potential risks, strengthening the evidence base and assessing the appropriate regulatory response. For these reasons, I hope that for the time being the noble Baroness will not press these amendments.
The noble Baroness has also proposed Amendments 147 and 148 relating to the role of the Information Commissioner’s Office. Given my response just now to the wider proposals, these amendments are no longer necessary and would complicate the statute book. We note that Clause 35 already includes a measure that will allow the Secretary of State to request the Information Commissioner’s Office to publish a code on any matter that she or he sees fit, so this is an issue we could return to in future if such a code were deemed necessary.
My Lords, I am sorry to keep interrupting the Minister. Can he give us a bit of a picture of what he has in mind? He said that he did not want to distort things at the moment, that there were intermediaries out there and so on. That is all very well, but is he assuming that a market will be developed or is developing? What overview of this does he have? In a sense, we have a very clear proposition here, which the Government should respond to. I am assuming that this is not a question just of letting a thousand flowers bloom. What is the government policy towards this? If you look at the Hall-Pesenti review and read pretty much every government response—including to our AI Select Committee, where we talked about data trusts and picked up the Hall-Pesenti review recommendations—you see that the Government have been pretty much positive over time when they have talked about data trusts. The trouble is that they have not done anything.
Overall, as I say and as many have said in this brief debate, this is a potentially far-reaching and powerful idea with an enormous number of benefits. But the fact that it is far-reaching implies that we need to look at it further. I am afraid that I am not briefed on long-standing—
May I suggest that the Minister writes? On the one hand, he is saying that we will be distorting something—that something is happening out there—but, on the other hand, he is saying that he is not briefed on what is out there or what the intentions are. A letter unpacking all that would be enormously helpful.
I am very happy to write on this. I will just say that I am not briefed on previous government policy towards it, dating back many years before my time in the role.
It was even further. Yes, I am very happy to write on that. For the reasons I have set out, I am not able to accept these amendments for now. I therefore hope that the noble Baroness will withdraw her amendment.
(9 months, 1 week ago)
Lords Chamber
That is a wide-ranging question, and I will do my best to cover some of those points. With respect to the effectiveness of clinical trials, on the whole they cannot take place without toxicology trials and most of those, sadly, have to be done on animals. We very much welcome any technology that allows for in silico methods of assessing toxicology and it is true that more of those are emerging, but they have to be validated in order to be assumed safe and usable in clinical trials.
My Lords, the Government produced a previous report on a road map for non-animal technologies from six UK government funders, including MRC, EPSRC and Innovate UK way back in 2015. How will they ensure that this new road map does not get left on the shelf again? Will DSIT set up an independent strategic advisory board with the key stakeholders to provide direction and oversight, as suggested by the RSPCA?
DSIT continues to be led on its approach to creating non-animal methods in clinical trials, toxicology trials and so on by the UK’s NC3Rs—the National Centre for the Replacement, Refinement and Reduction of Animals in Research—for toxicology and other scientific research, and that continues. There was a decrease of 10% in animal testing from the previous year, according to our most recent records, and that will continue. DSIT meanwhile has no plans to add a new oversight executive body to those already in existence.
(9 months, 2 weeks ago)
Lords Chamber
My Lords, this is a very straightforward group, and I congratulate the noble Baroness, Lady Jones, and the noble Lord, Lord Bassam, on having persuaded the Government to move further on the transparency agenda. I like the description given by the noble Lord, Lord Bassam, of the government amendment being more elegant. It is nice to think of amendments being elegant; it is not often that we think in those terms. We very much support the new amendments with some of the caveats that he made.
I thank both noble Lords for speaking so eloquently—indeed, so briefly and elegantly—and the noble Baroness, Lady Jones, for tabling her amendments, which would require the DMU to establish a process for non-SMS firms to register themselves with the DMU as an interested party. The DMU would then be required to send certain notices to these challenger firms.
The Government agree that it is important that affected parties should have access to appropriate information related to DMU investigations. That is why the Government amendments go further, we feel. They will ensure that, subject to confidentiality, the DMU is required to publish all its SMS conduct requirements and PCI notices online, where they are accessible to everyone and not just specific firms that have registered their interest, or those who might not be considered challenger firms. The noble Lord, Lord Bassam, made a point about being informed of these things: while we would prefer not to put any such mechanism in the Bill, it is straightforward to imagine mechanisms that the DMU could employ to automate that.
The CMA has already been updating its approach to identifying and seeking input from third parties, including outside of formal consultations—making calls for evidence when launching investigations, web submission portals, and information requests for businesses, among others. It will be able to use these approaches to inform decisions under the new regime.
I agree very much with the spirit of the noble Baroness’s amendments, which is why these government amendments will go further, to promote transparency across the regime. I therefore welcome the statement of the noble Lord, Lord Bassam, that he feels sufficiently reassured to not press the opposition amendments at this time.
To address the concerns of the noble Lord, Lord Leong, that the current wording deviates from legal precedent, I note that, since this is a new regime, existing exemptions in different competition regimes would not be directly applicable. It is highly likely that the application of the exemption will be tested, no matter the wording.
Finally, Amendment 34, tabled by my noble friend Lord Black of Brentwood, would allow the final offer mechanism to be used after the breach of a conduct requirement, rather than after a breach of an enforcement order. This novel tool has been designed as a backstop to normal enforcement processes. It is a last resort to incentivise sincere negotiations concerning fair and reasonable payment terms between the SMS firm and third parties. I wholeheartedly agree with my noble friend that these incentives must be both compelling and credible. It is clearly preferable for parties to reach a privately agreed settlement rather than one chosen by the regulator. That is why we must ensure due consideration of less interventionist options before turning to the final offer mechanism.
However, if SMS firms try to frustrate the process or drag it out to the detriment of third parties, I agree that the DMU should be able to accelerate stages before the final offer mechanism is invoked. That is why we have ensured that the DMU will be able to set urgent deadlines for compliance with enforcement orders, supported by significant penalties where appropriate, in cases of non-compliance.
I can robustly reassure my noble friend that the CMA can, via conduct requirements and enforcement orders as well as the final offer mechanism, gather and share key information with third parties.
Finally, to his comment on the forced withdrawal of content, the Bill is able where appropriate to tackle this issue. A conduct requirement could, for example, prevent an SMS firm withdrawing a service in a discriminatory way or treating users more favourably if they purchase the SMS firm’s other products.
The Government have worked hard to strike a balanced approach to intervention. This includes ensuring that firms cannot undermine regulation, and prioritising benefits to consumers at the heart of the regime. I believe the tools, as drafted, achieve these goals, so I hope that noble Lords will not press their amendments.
My Lords, I thank the Minister for his response to the various amendments. I will be extremely brief; there will probably be quite a few votes now. I thank him for a full reassurance on Amendment 60, tabled by my noble friend, on standards and interoperability. I was looking closely at the noble Lord, Lord Black, when the Minister talked about Amendment 34, and I think there was a half-reassurance there—so that is one and a half so far.
It is clear to me, having discussed countervailing benefits further on Report, that this is, if anything, more dangerous than it appeared in Committee. I am sure that the noble Baroness, Lady Jones, will have noted the mood of the House as we discussed that.
On leveraging, the Minister made a valiant attempt to go through some points where the CMA might take more into account in terms of non-designated activities and so on. But the Minister sent through the technical note, and I am afraid that, if you look at it with care, it makes quite clear the circumscribed nature of the CMA’s powers under the Bill as currently drafted. It will be very important that we take a view on that. I am sure the noble Baroness, Lady Jones, has been alert to that as well. I withdraw my Amendment 12.
(10 months, 2 weeks ago)
Lords Chamber
An outright ban on the creation of any deepfake material presents a number of challenges, but obviously I applaud the sentiment behind the question. With respect particularly to deepfakes involved in intimate image abuse, we are clearly putting in place the offence of sharing, whether as part of the new intimate image abuse offences in the Online Safety Act that commenced two weeks ago, as part of the Criminal Justice Bill shortly to come before your Lordships’ House, or indeed under the existing child sexual exploitation and abuse offences. There are severe penalties for the sharing of intimate image abuse deepfakes, but it is a fast-moving space and we have to continue to monitor it.
My Lords, it is quite clear that simply banning the sharing of these deepfakes is not sufficient. This is an issue that concerns us all, whether in relation to sexual images, fraud or misinformation. Can the Government not overcome their reluctance to regulate AI? What evidence would persuade them to go further and make sure that the creators of these deepfakes are liable?
As regards the overall regulation of AI, I hope that noble Lords have had a chance to peruse the Government’s response to the AI White Paper consultation. It makes the argument very clearly that there will come a time when it is right to legislate to create binding rules on all creators of AI. When that time comes, due to the policies that we are putting in place, we will have an agreed risk register informing us. We will have set up monitoring and evaluation techniques, again gathering evidence. We will have working relationships with the AI labs, defined procedures for the creation of AI, and regulators trained to regulate AI within their own sectors. That means that, when we do regulate AI, it will be done in a targeted and sophisticated way, on the basis of evidence.
(10 months, 2 weeks ago)
Lords Chamber
Yes, I am very happy to write any such letter. I confirm now in front of the House that the function of the NSOIT, formerly the Counter Disinformation Unit, is to analyse attempts to artificially manipulate the information environment for purposes of national security. It is not its function—and never has been its function, regardless of its name—to go after individuals, whether they are politicians, journalists, or anybody else. It looks for at-scale attempts to manipulate the information environment.
My Lords, it is clear we need to be assured that the rather concerning activities reported about the CDU treating political criticism as disinformation are no longer practised by NSOIT. Can the Minister explain where we can find a copy of NSOIT’s policies? Can he confirm whether it has a policy to prohibit it from flagging lawful domestic speech for terms of service violations to social media companies?
Information on NSOIT is posted on GOV.UK, and I am happy to share that location with the noble Lord. I can confirm not only that it is not the role of NSOIT or the CDU to go after any individuals, regardless of their political belief, but that it never has been. NSOIT looks for large-scale attempts to pollute the information environment, generally as a result of threats from foreign states. I am happy to say in front of the House that the idea that its purpose is also to go after, in some ways, those who disagree politically with the Government is categorically false.
(10 months, 2 weeks ago)
Lords Chamber
I start by sincerely thanking my noble friend Lady Stowell for tabling what we must all agree is a deeply important debate on this far-ranging and critical subject of digital exclusion, which we know affects millions of people across the UK, with costs to them as individuals and, as has been pointed out, to all society. I hope to be able to reassure noble Lords on most of the very wide range of points that were made, but I look forward to continuing the dialogue. As has been observed, this is not a problem that will go away overnight, but I hope some of the things I will put forward will provide some reassurance in the meantime.
Let me take a step back by way of introduction. Our transition to the digital age in the last two decades has brought with it a period of extraordinary change. The fourth industrial revolution has transformed our economies, our public services and our day-to-day lives. We can expect that change to continue as technology continues to develop, bringing with it opportunities that would have been unimaginable for previous generations.
On the whole, the UK is well positioned to seize those opportunities by taking the lead in technological innovation. We are able to do this because, among other things, we are building on a proud history of technological development that takes us right up to the present day, from Sir Tim Berners-Lee and the world wide web to pioneers such as Dr Katalin Karikó and Dr Drew Weissman, who led the world in the development of the Covid-19 vaccine.
Across the country, we have a wealth of science and tech expertise. We are home to four of the world’s top 10 universities, and in 2022 we became only the third country in the world to have a tech sector valued at over $1 trillion. It is important that we continue this tradition of leading technological development through digital transformation. Not only will it help us boost productivity and increase all kinds of operational efficiency but, if we manage the transition properly, these innovations can deliver wider social benefits too: we can connect communities, reduce loneliness, and make public services easier and faster to access.
But—and there is always a but at this point—we absolutely must recognise the deep, genuine concern that some will be left behind. This is something that I personally, and the Government overall, take very seriously. That is why we do not want just to drive progress in tech; we want to do so responsibly and ensure that the tech we develop improves all lives across the country. Tackling digital exclusion is a fundamental part of this and a complex issue. No one department can solve this challenge; it will require close collaboration across government.
Digital exclusion negatively affects people’s lives. Individuals who are digitally excluded are less likely to be in well-paying jobs. They have worse health outcomes and overall lower quality of life. As a result, digital exclusion creates new inequalities and exacerbates existing ones, making it difficult to participate fully in society.
Rising living costs have also made it more difficult for people to afford devices and internet access, which will increase digital exclusion. Some 18.7 million people—that is 35% of us in the UK—feel that increases in the cost of living are impacting their ability to go online, and 11.5 million—22% of people in the UK—have already taken steps to reduce the costs associated with going online by seeking alternative solutions such as libraries, community centres or, indeed, as we heard, churches for free access.
The Government have been clear that ensuring that no one is left behind in the digital age is a priority and consider that credible steps have been taken to offer needed support. Encouraging more people to engage and stay online requires overcoming the barriers to access, skills, motivation and trust. Digitally excluded people also require continued support to ensure that these barriers remain lowered, and this is what we continue to focus on across government.
I thank noble Lords on the Communications and Digital Committee for their important work on the digital exclusion inquiry last year. Since the committee’s report was published, we have established, again as a number of noble Lords observed, a new interministerial group to drive progress and accountability on digital inclusion priorities across government, to set clear objectives and to monitor delivery. I thank the noble Lord, Lord Clement-Jones, and can confirm that the Minister for Tech and the Digital Economy, Saqib Bhatti, is responsible for digital inclusion and that is why he is in the position of chairing the group. The group met for the first time in September, and departments agreed to undertake departmental mapping exercises to drive work on digital inclusion. With the group meeting, as has been said, every six months, this is the first step of many in a cross-government effort.
Does the noble Lord believe that meeting once every six months is adequate?
The crux of the work is done at departmental level and that feels to me more like a board meeting. So, yes, I think that set-up makes logical sense, but we will watch with interest and adapt as necessary.
Many noble Lords raised points about a new digital inclusion strategy. As the Secretary of State for Science, Innovation and Technology said to the committee on Tuesday, the Government are focusing their resources on delivery—on the doing rather than on the writing of the new strategy. The key themes for the last strategy on digital inclusion—access, skills, motivation and trust—are still relevant today. I will point to some of this action as I go through my speech.
I agree with the point that the noble Lord, Lord Foster, made very well: the digital strategy should and does include the basis for digital inclusion. The 2022 digital strategy outlined work across government that will promote digital inclusion, including broadband rollout across the UK, essential digital skills support and legislation to tackle online harms, now the Online Safety Act. I thank the noble Baroness, Lady Jones, for raising the issue of who in government is working on digital inclusion, and my noble friend Lady Stowell for asking about the relationship between teams working on AI. My department has various teams, from the newly named Responsible Technology Adoption Unit, formerly the Centre for Data Ethics and Innovation, to AI skills feeding in to work on digital inclusion. This is alongside teams working on telecom skills and the tech sector. Given its varied nature, there are teams across government that work on policy linked to digital inclusion, including the Department for Culture, Media and Sport’s work with libraries, the Department for Work and Pensions’ work on unemployment and the Department for Education’s work on digital skills. There is a new official-level working group that sits across government to support this cross-cutting work.
Starting with the issue of access, I will focus on the affordability and availability of telecom services. UK consumers have access to one of the most competitive telecom markets in Europe. The cost of a gigabyte of data, at 50p in the UK, is less than half that of the average price in the EU, at £1.18. The headline cost of an average broadband package and mobile service has actually decreased since 2019.
Prices have fallen, but usage has increased: the average household broadband connection uses 53% more data today than it did in 2019. Mobile data consumption has increased 25% year on year. We have been working hard to ensure that people have the access to the internet and broadband that they need. In March 2021, we launched Project Gigabit, our £5 billion mission to deliver fast, reliable broadband to the hardest-to-reach parts of the UK, areas that would have otherwise been left out of commercial gigabit rollout plans without government subsidy.
In 2021, the Department for Culture, Media and Sport, in partnership with the charities AbilityNet and Good Things Foundation, launched the £2.5 million digital lifeline fund. The fund aimed to reduce the digital exclusion of people with learning disabilities by providing free devices, data and digital support to over 5,000 people with learning disabilities who cannot afford to get online.
To support children with access to devices, the Department for Education has also delivered over 1.95 million laptops and tablets to schools, trusts, local authorities and further education providers for disadvantaged children and young people since 2020. This is part of a £520 million government investment to support access to remote education and online social care services.
Once again, I thank the noble Lord, Lord Clement-Jones, for his valuable contribution and for raising the broadband universal service obligation, which the Government introduced in March 2020. This gives everyone the legal right to request a decent and affordable broadband connection of at least 10 megabits per second. The broadband universal service obligation is a safety net, providing a minimum level of service to participate in society and the economy, based on information provided by Ofcom. Given the significant changes to the broadband market since the USO was designed in 2019, we want to take this opportunity to review the broadband USO and ensure it remains relevant and up to date with the current technical standards required in practice, reflects the current and future market environment, and delivers on the policy principles set out by the Government when it was established. In October last year, the Government published a consultation on reviewing the broadband universal service obligation, and a response to it will be published in due course.
I also thank the noble Baroness, Lady Armstrong, and the noble Lord, Lord Lipsey, for their thoughtful contributions, which noted the importance of social tariffs provided by telecoms companies, and the right reverend Prelate the Bishop of Bristol for her well-made point on affordability. We recognise that cost is a barrier for many. As I have noted, prices in the UK are falling and the Government have worked closely with the telecoms industry to ensure the provision of low-cost, high-quality fixed and mobile tariffs, also known as social tariffs, for those on universal credit as well as other means-tested benefits. There is of course a balance to be struck between ensuring investment in UK telecoms infrastructure and ensuring that services remain affordable.
We have established a pro-investment, pro-competition environment and remain committed to the idea that a competitive market will deliver the best outcomes for all consumers. Social tariffs are now available from 27 providers, up from 10 in November 2022, from the likes of BT, Sky and Virgin Media and across 99% of the UK. We have seen an increase in uptake of almost 160% since September 2022, but I am afraid to say that this represents just 8% of total eligible households. I absolutely acknowledge that we need to make more progress and we will continue to look at how to accelerate that.
Perhaps the Minister can give us just a little more detail. Is there any movement towards auto-enrolment and the kind of ideas that have come out of the committee?
Yes, but I am going to have to write because that would be a multi-bullet point communication.
There is also the timely issue of contract price rises. We appreciate that households across the country are struggling with their bills because of the rise in the cost of living, and that price rises in any services will be unwelcome. That is why it is essential that important clauses within telecoms contracts, such as in-contract price rises, are clear and transparent. Consumers need to be aware of what they are agreeing to when taking up a broadband or mobile contract.
In December, Ofcom completed its review of inflation-linked in-contract price rises and launched a consultation that would end CPI and RPI increases, replacing them with a clear pounds and pence figure for what consumers will pay. For the avoidance of doubt, social tariffs do not incur in-contract price rises.
I draw noble Lords’ attention to the commitments made by industry bosses in June 2021 to support their customers. The sector agreed to allow consumers facing financial difficulties to enter into affordable payment plans or move to cheaper plans without penalty. We have been clear that any customer who believes they are facing digital exclusion can contact their provider to discuss the support that might be available.
On VAT, as noted by the noble Lord, Lord Young, it is important to remember that decisions to deviate from the standard VAT rate of 20% have to be considered carefully and based on clear evidence, as lowering tax in one place can mean raising tax in another. Taxation policy is kept under review, and we would be happy to receive evidence of the benefits of reducing VAT on social tariffs.
In addition to the provision of social tariffs, we have increased access to gigabit internet. Approximately 80% of UK premises can now access gigabit-capable broadband—a huge leap forward from 2019, when coverage was just 6%. We are on track to meet our target of 85% coverage by 2025. We will continue to expand our mobile network too. By 2025, we will have 95% coverage through the shared rural network, and we are aiming for the majority of the population to have access to 5G signal by 2027, via the 5G Testbeds and Trials Programme.
Government cannot, and should not, be expected to tackle the issue of digital inclusion alone. We call on private sector organisations to prioritise digital inclusion in their business, which they could do by joining device donation schemes, for example. We encourage telecoms providers to continue to provide social tariffs and advertise them to eligible households. We encourage companies to adhere to the public sector bodies accessibility regulations and other government accessibility guidance, which are published and freely available online, for their websites and other publicly available information.
I thank the noble Baroness, Lady Jones, and my noble friend Lady Stowell for their thoughtful contributions and for raising the important issue of high-quality localised hubs, including libraries and banking hubs. Banking hubs are a voluntary initiative provided by the UK’s largest high street banks. I agree that it is imperative that banks and building societies recognise the needs of all their customers, including those who need to use in-person services. Over 100 banking hubs have been announced so far, and the Government hope to see these hubs open as soon as possible.
Around 2,900 public libraries in England provide a trusted network of accessible locations, with staff, volunteers, free wifi funded by the Department for Culture, Media and Sport, public PCs, and assisted digital access to a wide range of digital services. My noble friend Lady Sanderson’s An Independent Review of English Public Libraries, published in January, called for the establishment of formal links between digital-by-default public services, particularly health services and libraries, to ensure the provision of one-to-one support. In his response to my noble friend Lady Sanderson, my noble friend Lord Parkinson committed to exploring her recommendations further, as part of the development of the Government’s libraries strategy, due to be published in 2024. The noble Baroness, Lady Jones, asked for a date for that, but I will have to come back to her with the timelines, as I do not have that detail.
On access to support for those seeking work, Jobcentre Plus work coaches can provide support to eligible claimants who are not online with financial support to buy six-month broadband connections. This is administered by the Department for Work and Pensions through the flexible support fund. This cross-government approach is working to reach millions of people across the UK and to provide necessary access for the digital age.
We know that, in addition to access, the right skills are needed, as many noble Lords rightly pointed out, to be able to use and take advantage of digital content and services. Digital skills are central to the jobs of today and the workforce of tomorrow. Ensuring that the workforce has the digital skills for the future is important to meet the UK’s ambition to be a global science and tech superpower.
I thank the noble Baroness, Lady Jones, for raising the skills gap. Tackling the digital skills gap and the shortage of digital workers across the economy cannot be done by government alone, which is why the Government launched the Digital Skills Council in June 2022, bringing together government and industry to strengthen the digital workforce. The council is focused on addressing industry’s current and future demand for digital skills, including through digital apprenticeships and by increasing the amount of business-led upskilling.
I thank the noble Baroness, Lady Jones, for raising also the role of the employer to support training staff. More than 80% of those who will be in the 2030 workforce are already in the workforce today. Given the need to continually refresh digital skills, upskilling existing workers with workplace training will be essential. We have put employers at the heart of our apprenticeship system, empowering them to design the standards they need. Employers in the digital sector have developed 30 apprenticeship standards in digital. These high-quality apprenticeships are in a wide range of occupations and emerging technologies, including data scientist, software developer, cybersecurity and artificial intelligence specialist.
The noble Baroness, Lady Jones, also raised investment and support for young people. For children and young people, we are supporting and inspiring the next generation of technologists. It is crucial that we challenge perceptions of what being in a tech career is all about if we are to attract diverse and high-quality talent into our digital workforce. To achieve this, we are working closely with the Department for Education, industry and academia through the Digital and Computing Skills Education Taskforce, launched last summer to increase the numbers of students choosing digital and tech educational pathways into tech careers.
We are also working in partnership with industry and other government departments to inspire and engage students before they make key subject choices at GCSE and A-level—for example, through the CyberFirst programme, which encompasses technology-focused initiatives, from free online extracurricular learning to national competitions and bursaries. This includes DSIT’s Cyber Explorers programme, launched in February 2022, which seeks to support the teaching of computing in schools and to inspire young people aged 11 to 14 to take up computer science for GCSE and the opportunities that a career in cybersecurity can offer. Over 60,000 students are registered across nearly 2,500 schools.
I thank my noble friend Lord Holmes for his question on the national curriculum. In addition to the programmes that I have just outlined, the DfE introduced computing as a statutory national curriculum subject in 2014 from key stages 1 to 4. In addition to this, we are investing a total over the Parliament of £3.8 billion in skills in England by 2024-25 and, in October, we quadrupled the scale of skills bootcamps.
I thank the noble Baroness, Lady Jones, for raising the essential digital skills framework. The Department for Education has used that framework as the basis for the national standards for essential digital skills of 2019, which set out the skills that the qualifications funded and that the adult digital statutory entitlement must cover.
I thank the noble Baroness, Lady Lane-Fox, for her important question on the links to community groups. These really are an important part of the digital inclusion landscape. The Department for Education funds community learning and other non-regulated learning, such as building confidence in essential digital skills for learners who are not ready to take a qualification.
I reassure noble Lords that I am almost at the point of closing. The secondary barriers of trust and motivation must be tackled to have a true, positive impact on digital inclusion, but these are harder to measure. We recognise that some people are hesitant to access online services for fear that they may become victims of fraud, or that it is an unsafe environment. We have introduced the Product Security and Telecommunications Infrastructure Act, which will come into force in April this year.
(10 months, 3 weeks ago)
Grand Committee
My Lords, I strongly support Amendment 80 in the name of the noble Baroness, Lady Jones, which I have signed. She spoke powerfully about the power of big tech and its impact on democracy. My concerns, and those of many news organisations such as the Public Interest News Foundation, the News Media Association and the Professional Publishers Association, are consistent with that: we are all concerned to ensure the plurality of media as far as possible, as the noble Baroness, Lady Kidron, mentioned. She also helpfully reminded us of the duty of Ofcom, in Section 3 of the Communications Act, to
“further the interests of citizens”.
It seems to me that the CMA should be subject to exactly the same duty.
Local, specialist and national publishers are an essential part of the fabric of our society. On these Benches, we may have arguments, post Leveson, with some of the mainstream media about the appropriate legislation that should impact on it, but the media play a key role in promoting democracy, by scrutinising the Government with public interest journalism. Additionally, publishers provide vital support to industries, which often rely on the trade press to inform sectoral decision-making and provide what are described as workflow tools. A duty to further the interests of citizens as well as consumers would allow the CMA much better to prioritise media sustainability and more explicitly target anticompetitive conduct that harms media plurality.
It could be argued—I expect that the Minister is going to marshal his arguments—that the current pure consumer focus still allows the CMA to implement solutions that will help to level the playing field between platforms and publishers, but the concern of many of us is that the absence of an interest-of-citizens duty may mean that the remedies that could support a sustainable and plural media and in turn our democracy will be used less effectively than they could be, or not used at all. The argument is powerfully made that we need to include that duty. We have a precedent and there is absolutely no reason why we should not include that in the duties of the CMA.
Turning to the amendment of the noble Lord, Lord Tyrie, Amendment 83A, I feel that this is perhaps something that he expresses throughout the Bill: he has the scars on his back of being the chair of a regulator. It is a surprising omission that these principles are not included. The noble Baroness, Lady Kidron, like the noble Lord, Lord Tyrie, has done her homework and found that the CMA is exceptional in this respect. They both made an extremely good case.
Beyond those principles, how do the Government impose such things as the Better Regulation Framework on the CMA? After all, that is part of the operational standards, if you like, that are expected of a regulator such as the CMA. Not only do I support what the noble Lord, Lord Tyrie, is putting forward, but I also ask how we make sure that the regulator performs its duties in line with what is a relatively new piece of guidance, the Better Regulation Framework, going forward.
As ever, let me start by thanking the noble Baroness, Lady Jones, and the noble Lord, Lord Tyrie, for drawing attention to and initiating this fascinating debate on the objectives of the digital markets regime with these amendments. Most speakers have anticipated many of my arguments in advance, but I hope none the less to persuade noble Lords of their value.
Clear objectives shape the work of the CMA, ensuring that its focus is on promoting competitive markets that drive better services, greater choice and lower prices for individuals and businesses. It is essential, in the Government’s view, that the objectives of the new regime are equally clear and support a coherent and effective regime. Amendment 80 proposes a duty for the CMA to further the interests of citizens, as well as consumers, in its digital markets work. As the UK’s competition regulator, the CMA’s existing statutory duty is to promote competition for the benefit of consumers. Consumer benefits are broad, as has been observed; they can include economic growth, innovation, media plurality and data privacy. An additional citizens’ duty that goes beyond the scope of the tools and the remit of the digital markets regime would reduce the clarity of the CMA’s role, create inconsistency with the CMA’s wider competition and consumer functions and overlap with the remit of other regulators. It is essential that the duties of the regime match the scope of its tools.
Noble Lords can all agree with the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, on the absolute, non-negotiable importance of supporting the sustainability of the press in the UK. There can be no doubt about the vital contribution of independent journalism to producing informed citizens and, therefore, democracy in this country. However, it would further confuse the regulatory landscape to require the CMA to consider issues already overseen by other expert regulators, such as online safety and data protection. Instead, the CMA will have a duty to consult other key regulators of digital markets, such as Ofcom and the FCA, where proposed interventions in digital markets impact their regulatory interests. This will ensure that the regime forms part of a coherent regulatory landscape that considers broader policy and societal concerns across digital markets.
I want to reassure noble Lords that the Government considered the advice of the CMA’s Digital Markets Taskforce and its recommendation for a citizens’ objective extensively, before consulting on it in 2021. Those we consulted were generally opposed to a role for the CMA that looks beyond its tried and tested duty to promote competition for the benefit of consumers, since this provides the greatest clarity for the digital markets regime. The CMA has testified in front of the House that it benefits from having a single, clear statutory duty. I again thank the noble Baroness for her amendment and for highlighting these important issues. However, for the reasons that I have set out, I hope that she will feel reassured and comfortable in withdrawing it.
I now turn to Amendment 83A from the noble Lord, Lord Tyrie. It would create a new requirement for the CMA to have regard to the principles of best regulatory practice when carrying out its digital markets functions under Part 1 of the Bill. Let me say at the outset that the Government agree with the spirit of the noble Lord’s amendment. Our 2021 consultation on this regime set out the Government’s principles for the pro-competition regulation of digital markets: that it should be transparent, accountable, targeted and coherent. These principles have informed how the regime is designed in legislation, from the high thresholds that we establish for SMS designation to the targeted and iterative nature of conduct requirements and pro-competition measures. Indeed, we have discussed previously in Committee the wide range of accountability mechanisms for the regime.
Earlier this month, the CMA set out its provisional approach to implementing the new digital markets regime, which aligns with our policy intent. The publication committed to the new regime being targeted, proportionate and transparent. It also included a set of operating principles that reflect the noble Lord’s concerns.
The Government’s strategic steer to the CMA sets out our expectation that the CMA should take a proportionate approach to interventions and minimise burden through transparent engagement with businesses. The CMA explains how it has taken the steer into account in its reporting to Parliament. The CMA’s prioritisation principles and annual plan set out that the CMA will target its work to that which provides the most impact for business and consumers. The proportionality amendments that the Government introduced at Commons Report stage are statutory duties narrowly targeted at conduct requirements and PCIs as the decisions that have the greatest impact on SMS firms. This amendment would introduce a very broad duty for the CMA to have regard to the principles of regulatory best practice for all its digital markets functions. An explicit requirement for the CMA to follow best regulatory practice when carrying out its digital market functions is not necessary.
(10 months, 4 weeks ago)
Grand Committee
It is very nice and helpful to be reminded of things that I had forgotten entirely. We need to make sure that we are consistent across the board. A full merits-based standard is not, for example, used to appeal against fines issued by Ofcom under the Online Safety Act. These Benches have serious concerns regarding the insertion of two different appeal standards in the Bill, as it may decrease the deterrent effect and risk lengthier appeals, as we have heard.
If we are not successful in persuading the Government to change back to JR for penalty appeals, and a merits appeal is to be included, a number of amendments—the amendment in the name of the noble Baroness, Lady Stowell, that in the name of the noble Lord, Lord Holmes, and my amendment—are of great relevance to make sure that we do not see that drift that the noble Lord, Lord Black, talked about. A failure to do so could run the same risks as an entirely novel appeals standard. On that basis, we very much support the amendments in the names of the noble Lord, Lord Holmes, and the noble Baroness, Lady Stowell, and my own Amendment 68, which would ensure that there is no further extension of the merits appeal standards into any other part of the Bill. It is intended to have the same impact and draw a clear line in the sand beyond which no court can go.
I am sorry that we do not have the noble Lord, Lord Lansley, here to reveal perhaps another letter from a Minister. We had an interesting discussion last Wednesday, when the noble Lord, Lord Lansley, quoted the letter, sent to Damian Collins and Sir Robert Buckland, about the nature of the intention behind including “proportionate”. It said:
“In practice this means that firms will be able to challenge whether the DMU could have achieved its purpose for intervention through less onerous requirements”.
In a sense, that is a massive invitation to litigation, compared to ordinary JR. If that move is an invitation to litigation, think how much further along the road we are travelling if we go for a merits test for the fine and the penalties. I hope the Minister will therefore reverse course back to the pre-Report situation in the Commons; that would give a great deal of satisfaction around this Committee.
I thank the noble Baroness, Lady Jones, for raising the important subject of digital markets appeals through Amendments 64, 65, 67, 71 and 72. I thank noble Lords for their powerful and compelling contributions. I am glad of the opportunity to set out the Government’s position.
These amendments seek to revert the changes made in the other place to the appeal standard of digital markets penalties. This would mean that penalties would be subject to judicial review principles, instead of being heard on their merits. It is important that decisions made by the CMA can be properly reviewed to ensure they are fair, rigorous and based on evidence. As the Bill stands, the key decisions—particularly the regulatory decisions that will drive the benefits from this regime—will be appealable on judicial review principles. Only penalty decisions will be appealable on the merits. This will provide SMS firms subject to penalties with additional reassurance, without compromising the regime’s effectiveness.
Penalty decisions will come at the very end of the regulatory process, if at all. They do not have the same impact on third parties as other decisions in the regime. Conduct requirements and pro-competition interventions will already have been in place to address their intended harm before penalty decisions are considered. Decisions on penalties are different from those about imposing requirements: they are more about making assessments of facts. They will assess what the SMS firm has or has not done. Other decisions that the CMA will take in the regime are forward-looking expert judgment calls. It is appropriate that the latter be given a wider margin of appreciation through a judicial review standard than decisions to impose penalties.
To address the point made by many noble Lords, I make it clear that challenging penalties does not open up the question of whether a breach occurred, or whether a conduct requirement or PCI was right in the first place. I will set this out in more detail in response to the next set of amendments—but perhaps I should say, as I did on the first day of this Committee, that I am happy to listen to and take forward any form of words that strengthens the clarity or intent of the Bill. As I said, the intent of the Bill is that the decision about whether a breach has occurred is made on JR principles.
The digital markets measures, as with other CMA regimes, have always treated penalties differently in the regime. For example, they are automatically suspended upon appeal, unlike other decisions. This would also have been the case under JR. We have aligned penalty appeals with those under the Enterprise Act 2002, as was said, so that parties can challenge these decisions on the merits to ensure that the value of penalties is suitable. The regimes in the Enterprise Act apply to firms from all sectors, rather than just tech firms. In addition, to give two examples, penalties are appealed on the merits in the financial services and markets regime, administered by the Financial Conduct Authority, and, under the Water Industry Act, overseen by Ofwat. In the EU’s Digital Markets Act, penalty appeals are similar to merits reviews in the UK.
I am sorry to interrupt the Minister, but, if the logic were being followed for what he said, there would be—at the very least—some form of affirmative resolution for the guidance, as with all the other powers in the Bill.
I am happy to look into that as a mechanism, but, as currently set out in the Bill, the logic is that the Secretary of State can approve the guidance.
The Government will continue to work closely with the CMA, as they have throughout the drafting of the Bill, to ensure that the timely publication of guidance is not disrupted by this measure. Published guidance is required for the regime to be active, and the Government are committed to ensuring that this happens as soon as possible. Guidance will be published in good time before the regime goes live, to allow affected stakeholders to prepare. The Government hope that, subject to parliamentary time and receipt of Royal Assent, the regime will be in force for the common commencement date in October this year.
In response to my noble friend Lord Black’s question about guidance and purdah, the essential business of government can continue during purdah. The CMA’s guidance relates to the CMA’s intentions towards the operation of the regime, rather than to a highly political matter. However, the position would need to be confirmed with the propriety and ethics team in the Cabinet Office at the appropriate time, should the situation arise that we were in a pre-election period.
I thank the noble Viscount, Lord Colville, and my noble friend Lady Stowell for their amendments, and I hope that this will go some way towards reassuring them that the Government’s role in the production of guidance is proportionate and appropriate. As I said, I recognise the grave seriousness of the powerful arguments being raised, and I look forward to continuing to speak with them.
My Lords, I am going to be extremely brief as the hour marches on: yes to Amendments 79 and 83. Most of the debate has been around Amendment 81 but I want to mention my noble friend’s Amendment 82 because the concept of lock-in is absolutely crucial. I am a big fan, particularly in the AI field, of trying to get common standards, whether it is NIST, IEEE or a number of them. The CMA’s role could be extremely helpful.
Of course, many other regulators are involved. That brings us into the landscape about which the noble Baroness, Lady Stowell, has—quite rightly—been so persistent over the course of the then Online Safety Bill and this Bill. She is pursuing something that quite a number of Select Committees, particularly her one, have been involved in: espousing the cause of a Joint Committee, as our Joint Committee previously did. It is going to be very interesting. I am a member of the Industry and Regulators Committee, which has been looking at the regulatory landscape.
These accountability, independence, resourcing and skills issues in the digital space are crucial, particularly for those of us in this Committee. For instance, the role of the DRCF and its accountability, which were raised by the noble Baroness, Lady Kidron, are extremely important. I very much liked what the noble Baroness, Lady Harding, said about us having talked about Ofcom before but that we are now talking about the CMA and will talk about the ICO very shortly; for me, AI brings a lot of that together, as it does for her.
So what is not to like about what I think is a rather cunning amendment? The noble Baroness gets more cunning through every Bill we get on to. The amendment is shaped in a way that is more parliamentary and gets through more eyes of needles than previously. I strongly commend it.
My Lords, I shall be as brief as I can possibly be, I promise.
I thank all noble Lords for their brilliant and stimulating contributions. Amendment 79 in the name of the noble Baroness, Lady Jones of Whitchurch, would require the Government to undertake an annual assessment of the operation of the CMA, to include the DMU specifically. The CMA is already required to present and lay its annual report in Parliament. This covers the operation and effectiveness of the CMA, including a review of its performance, governance and finances. The CMA recently published a road map setting out how it will report on the digital markets regime in its annual report. Although I of course appreciate the intent behind the noble Baroness’s amendment, adopting it would run the risk of being duplicative of the CMA’s assessment of its activities, which could lead to concerns regarding its operational independence. The Government set out their priorities for the CMA in their strategic steer and the CMA reports publicly on how it meets these priorities. The Government will also carry out a post-implementation review of the regime to assess how it is delivering on its aims.
Amendment 81 from my noble friend Lady Stowell of Beeston would require additional reporting by the CMA, the Financial Conduct Authority, the Information Commissioner’s Office and Ofcom. It would require these regulators to publish annual reports on the impact of the digital markets regime on their activity and its effectiveness in supporting them in regulating digital markets. The Government agree that it is vital that regulators are held to account for their activities. Each of these regulators already produces annual reports that are laid in Parliament covering their operations and effectiveness. An additional report by each of the sector regulators would again run the risk of being duplicative and creating an unnecessary additional administrative burden. Additionally, the Digital Regulation Cooperation Forum was established in 2020 to support the co-ordinated regulation of digital markets and includes the regulators named in this amendment; the DRCF also publishes an annual report on its activities and priorities.
In response to my noble friend Lady Stowell’s important point regarding a committee on digital regulation, I agree with her that parliamentary accountability is crucial and thank her for engaging so clearly with me and my noble friend Lord Offord earlier on this topic. I absolutely recognise the problem. Perhaps I can offer to continue to engage with her on how to drive this forward. At the risk of disappointing the noble Lord, Lord Tyrie, we have a concern that the formation of parliamentary committees is a matter for Parliament, not the Government, but I welcome ongoing work to determine how best to ensure that committee structures can scrutinise the important issue of digital regulation.
(11 months ago)
Grand Committee
I believe that, in most cases, A1P1 rights would be invoked, but there are cases where A1P1 would not necessarily be invoked, rare as those cases are. The intention of the Government is to treat all those cases in the same way. As I say, it is important that we also consider the safeguards around the new powers. Having an explicit requirement for proportionality, rather than just the implicit link to A1P1, sets a framework for the CMA as to how it must design and implement significant remedies. A proportionate approach to regulation supports a pro-innovation regulatory environment and investor confidence. I am also aware, of course, that later we are due to debate concerns noble Lords may have about the accountability of the CMA. Without pre-empting that debate, it is worth pointing out that setting out the requirement for proportionality explicitly will help ensure that the CMA uses its powers responsibly.
This all sounds as though, really, the Minister should come clean and say that what he is trying to do is bring in merits by the back door.
It is not my intention to bring in merits by the back door, nor is it my intention not to come clean, or to conceal from Members of this Committee any intentions of the Government. All this is about producing the clarity that we need to safely deliver the wide-ranging new powers of the CMA.
In respect of my noble friend Lord Vaizey’s concern that proportionality will affect how the CAT conducts an appeal, the retention of judicial review in Clause 103 will still apply to the CAT, which will still have to conduct an appeal when a firm raises non-ECHR proportionality arguments in a JR style. It will not become a full merits appeal.
Amendments 33 and 52, from my noble friend Lord Holmes of Richmond, also remove the statutory requirement for proportionality but, in doing so, create greater impacts on the regime. Amendment 33 would remove the obligation on the CMA to set out, in its conduct requirement notice, the objective in relation to which it must consider proportionality. However, this is a key feature for setting a conduct requirement and it is important to include it in the notice for both the SMS firm and third parties.
Amendment 52, by removing Clause 46(1)(b), would reduce the Bill’s clarity that the primary objective of PCIs is to address competition problems. It is important that the Bill is clear on the objective that PCIs must pursue. Additionally, proportionality provisions will ensure that the CMA addresses its objectives without placing unnecessary burdens on firms and harming consumers.
I turn to my noble friend Lady Stowell’s Amendments 17 and 54. As she set out in her explanatory statement, these amendments seek to clarify that the use of “proportionate” does not create a novel legal standard. The amendment would state that it is defined in accordance with prevailing public law standards. Of course, I agree with her that it is important to be clear about what we expect from the CMA and concur with the spirit of her amendments. However, I hope my explanation of this provision as currently drafted will satisfy my noble friend’s concerns.
These amendments assume that there is a single public law definition of proportionality, when there is not. However, proportionality is also not a novel concept for either the CMA or the domestic courts to apply. There is domestic case law about how proportionality requirements have been interpreted. We expect that the CMA, the CAT and courts would follow the broad approach set out in the Bank Mellat 2 case, which considered proportionality in relation to the application of ECHR rights, as well as fundamental rights at common law. This is relevant when considering whether an infringement of a qualified ECHR right and/or a fundamental common-law right is justified. Noble Lords with an interest in this area will be familiar with the four-limb test set out by Lords Sumption and Reed. Previously, our domestic courts applied a separate, but broadly similar, test when considering proportionality under EU law.
In the event of an appeal against CMA interventions, it is the role of the courts to provide a definitive interpretation of the legislation, but they will likely give a certain amount of deference to the CMA as the expert regulator. When an intervention has engaged A1P1, there would be a clear link with the approach of the domestic courts to the ECHR proportionality requirements that I have already discussed. In the rare situation when an intervention did not engage A1P1, it seems logical that the courts would take an approach consistent with how they approach digital markets cases which do engage A1P1, although this could involve some modifications on a case-by-case basis.
The basic requirement of proportionality—that it balances private interests adversely affected against the public interests that the measure seeks to achieve—is well understood. As such, I hope my noble friend can appreciate that although I agree with the spirit of her amendments, in practice I do not believe they would provide the clarity they seek.
Amendments 220 and 222 from my noble friend Lord Holmes of Richmond would require the Secretary of State to publish guidance on how the appeals standard for financial penalties, proportionality and countervailing benefits exemption would operate. The amendments set out that the CMA could not impose conduct requirements, pro-competition interventions or financial penalties before this guidance was published.
I thank my noble friend for these amendments. He should be pleased to hear that the CMA will, as part of its approach to implementing the regime, produce guidance outlining its approach to delivering the regime before it is implemented. We expect this guidance to include the CMA’s approach to proportionality and the countervailing benefits exemption. The Secretary of State will have oversight of the CMA’s approach through the approval of that guidance. The Government feel that this approach strikes the right balance between maintaining the independence of the CMA and the CAT, and providing appropriate government oversight and clarity about how the regime will work. Suitable guidance will already be in place before the regime commences; as such, these amendments are not required.
I hope this has helped to address the concerns of the noble Lord, Lord Faulks, and my noble friends Lady Stowell of Beeston and Lord Holmes of Richmond, and that, as a consequence, they feel able to withdraw, or not to press, their amendments.
My Lords, what harms does the Minister think the inclusion of “proportionate” is designed to prevent? What does he really think would happen if that word was not included in the Bill?
(11 months ago)
Grand Committee
I would struggle to name a particular one, but if we were to look back over the last five to 10 years we might reflect that there have been a number of developments in markets that have been largely unpredictable and that technology changes might drive further developments. The point is to create a balance between predictable and durable legislation and the ability to adapt to changes in business practice and technology as they emerge. As a thought experiment, if we were to flip it round and say, “No, we have to stick with only these four things for the duration of the eventual Act”, many of us would be concerned about an ongoing inability to adapt to change in what is a fast-moving marketplace that is likely to see an accelerating pace of change, rather than anything else.
That said, I hope my words provide the noble Baroness and noble Lords with sufficient assurance not to press their amendments.
My Lords, the Minister rather glossed over the importance of Clause 5. In Clause 2(2), the SMS conditions are that
“the undertaking has—
(a) substantial and entrenched market power (see section 5), and
(b) a position of strategic significance”.
The conditions in Clause 6 are rather formulaic, in the way that the noble Lord, Lord Knight, talked about, but the determination, examination and assessment in Clause 5 as to whether an undertaking has substantial and entrenched market power is really important. The Minister glossed over this and said that it is not necessary to have a determination based on current evidence and that this forward-looking element must be in there.
Can the Minister confirm that he has taken advice within the department from competition lawyers who deal with this kind of potential challenge on a daily basis? He seems extraordinarily complacent about the fact that big tech will look at that assessment and say, “The evidence is not there. It’s all speculation for the next five years. You haven’t based it on the actual conduct in our market currently, or indeed an adjacent market”. No doubt we will come to that later in another group. This is absolutely at the core of the Bill, and all the advice that I get, whether from the Open Markets Institute or others, is that this is a real failing in the Bill that could open up a litigation problem for the CMA in due course.
I certainly do not intend to gloss over any of these issues. I can confirm that the department receives extensive advice on these matters, as have those working on the Bill, not only from competition lawyers but from other stakeholders in the market of all different sizes and types, and indeed from the CMA itself. To turn around the noble Lord’s position, if we make a designation that is designed to last for five years, it is crucial that we take into account existing evidence and what is foreseeable today when determining whether to make that designation. Nobody is being asked to be overly speculative, but it is possible to identify existing trends and available information that can form part of the analysis, and use that to make the determination, particularly as the CMA will then have a duty to explain in detail the rationale behind its decision to designate a firm with SMS, or indeed not to do so.
The CMA does have power and remit to request an algorithmic impact assessment. I will take advice on this, because I believe that the algorithmic assessment that it undertakes must be in the direction of understanding anti-competitive behaviours, rather than a broader purpose. I will happily take advice on that.
As the Bill stands, the CMA will already have sufficient investigatory powers to understand the impact of complex algorithms on competition and consumers. The suggested expansion of this power would fall outside the role and remit of the CMA. Moreover, the CMA would not have appropriate tools to address such issues, if it did identify them. The Government will continue to actively look at whether new regulatory approaches are needed in response to developments in AI, and will provide an update on their approach through the forthcoming AI regulation White Paper response.
I thank the noble Lord once again for raising these important issues and hope that he feels able to withdraw the amendment.
I thank the Minister for his considered reply, and thank all those who have taken part in this extremely important and interesting debate, particularly the amplification by a number of noble Lords of some of the issues.
I was very much taken by what the noble Lord, Lord Knight, had to say about the risks for workers—hired, managed, fired. He used the word “dehumanising”, which was very powerful. The noble Baroness, Lady Kidron, referred back to some of the really interesting papers about automation from Osborne and Frey and others over the years, telling us that it is not just Elon Musk but, perhaps I might say, other more serious people who are warning us about the dangers of automation.
At the end of the day, I think the question is how relevant this is to competition. Those of us putting forward and supporting these amendments believe that monopoly, concentration and the power of big tech have the ability to determine working conditions. The Minister talks about this detracting from the CMA’s duties, saying that it is beyond its competition remit and so on. We think it is mainstream; we do not think that it is just an add-on to the CMA’s duties. There is a very strong argument for a wider focus by the CMA.
It feels rather like the Minister is passing the parcel to another regulator. It was instructive that we had to scrabble around at the back end of Clause 107 to see what other regulator might be available to deal with this, but there is nobody to pass this parcel to: this is a direct consequence of concentration and monopoly power. We should include these considerations in what the CMA does. It should have the power to insist on an algorithmic impact assessment.
I think the noble Baroness, Lady Kidron, used the word prescient. We need to be prescient and think forward to the future and the power of the algorithm, artificial intelligence and big tech. Our working population are extremely vulnerable in these circumstances. I do not get the feeling that the Government are really taking their duties to protect them seriously. I am sure that we will have further debates on this. In the meantime, I beg leave to withdraw Amendment 2.
My Lords, it is a pleasure to follow the noble Baroness, Lady Kidron, whose speech segues straight into my Amendments 14 and 63. This is all about the asymmetry of information. On the one hand, the amendments from the noble Baroness, Lady Jones, which I strongly support and have signed, are about giving information to challengers, whereas my amendments are about extracting information from SMS undertakings.
Failure to respond to a request for information allows SMS players to benefit from the information asymmetry that exists in all technology markets. Frankly, incumbents know much more about how things work than the regulators. They can delay, obfuscate, claim compliance while not fully complying and so on. By contrast, if they cannot proceed unless they have supplied full information, their incentives are changed. They have an incentive to fully inform, if they get a benefit from doing so. That is why merger control works so well and quickly, as the merger is suspended pending provision of full information and competition authority oversight. We saw that with the Activision Blizzard case, where I was extremely supportive of what the CMA did—in many ways, it played a blinder, as was subsequently shown.
We on these Benches consider that a duty to fully inform is needed in the Bill, which is the reason for our Amendments 14 and 63. They insert a new clause in Chapter 2, which provides for a duty to disclose to the CMA
“a relevant digital activity that may give rise to actual or likely detrimental impact on competition in advance of such digital activity’s implementation or effect”
and a related duty in Chapter 6 ensuring that that undertaking
“has an overriding duty to ensure that all information provided to the CMA is full, accurate and complete”.
Under Amendment 14, any SMS undertaking wishing to rely on it must be required to both fully inform and pre-notify the CMA of any conduct that risks breaching one of the Bill’s objectives in Clause 19. This is similar to the tried-and-tested pre-notification process for mergers and avoids the reality that the SMS player may otherwise simply implement changes and ignore the CMA’s requests. A narrow pre-notification system such as this avoids the risks.
We fully support and have signed the amendments tabled by the noble Baroness, Lady Jones. As techUK says, one of the benefits that wider market participants see from the UK’s pro-competition regime is that the CMA will initiate and design remedies based on the evidence it gathers from SMS firms in the wider market. This is one of the main advantages of the UK’s pro-competition regime over the EU DMA. To achieve this, we need to make consultation rights equal for all parties. Under the Bill currently, firms with SMS status, as the noble Baroness, Lady Harding, said, will have far greater consultation rights than those that are detrimentally affected by their anti-competitive behaviour. As she and the noble Lord, Lord Vaizey, said, there are opportunities for SMS firms to comment at the outset but none for challenger firms, which can comment only at a later public consultation stage.
It is very important that there are clear consultation and evidence-gathering requirements for the CMA, which must ensure that it works fairly with SMS firms, challengers, smaller firms and consumers throughout the process, ensuring that the design of conduct requirements applies to SMS firms and pro-competition interventions consider evidence from all sides, allowing interventions to be targeted and capable of delivering effective outcomes. This kind of engagement will be vital to ensuring that the regime can meet its objectives.
We do not believe that addressing this risk requires removing the flexibility given by the Bill. Instead, we believe that it is essential that third parties are given a high degree of transparency and input on deliberation between the CMA and SMS firms. The CMA must also—and I think this touches on something referred to by the noble Baroness, Lady Jones—allow evidence to be submitted in confidence, as well as engage in wider public consultations where appropriate. We very strongly support the amendments.
On the amendments from the noble Lord, Lord Tyrie, it is a bit of a curate’s egg. I support Amendments 12A and 12B because I can see the sense in them. I do not see that we need to have another way of marking the CMA’s homework, however. I am a great believer that we need greater oversight, and we have amendments later in the Bill for proposals to increase parliamentary oversight of what the CMA is doing. However, marking the CMA’s homework at that stage is only going to be an impediment. It will be for the benefit of the SMS undertakings and not necessarily for those who wish to challenge the power of those undertakings. I am only 50% with the noble Lord, rather than the whole hog.
I thank both noble Lords for speaking and for their thoughtful contributions. I will start by considering the amendments tabled by the noble Baroness, Lady Jones of Whitchurch, relating to information and transparency.
It is important to state from the outset that the Government agree it is vital that the Digital Markets Unit’s decisions are transparent and that the right information is available publicly. Currently, the DMU would be required to publish the key information related to its investigations in the summaries of its decisions. The amendments in this group, beginning with Amendment 8 and ending with Amendment 58, tabled by the noble Baroness, would create a new requirement for the DMU to send decision notices to firms that it assesses to be the most affected by decisions.
We agree it is vital that the DMU's decisions are transparent, and the appropriate information is accessible publicly. That is why the DMU is required to consult publicly before it imposes obligations such as conduct requirements or pro-competition orders. This gives third parties the opportunity to make representations on the design of interventions. While the precise nature of the consultation process is at the DMU’s discretion, we are aware of the imbalances in resources between different firms, as noble Lords have raised.
In its recently published overview, the CMA highlighted that engaging with a wide range of stakeholders will be a core principle of their approach. We therefore expect the DMU to put appropriate mechanisms in place for third parties to feed in. The consultation requirements are minimum requirements. As the CMA set out earlier this month, the DMU will undertake fair, inclusive and transparent engagement with third parties when designing its interventions. The participative approach will ensure that obligations are effective and appropriate, while minimising undue burdens and avoiding unintended consequences for both SMS firms and third parties.
However, requiring the DMU to identify appropriate third parties and send notices for each decision would introduce a significant burden on the DMU for minimal benefit. I think this will be a theme as we go through Committee: the burdens created by some of the proposed amendments are greater than they initially seem. For example, it could mean sending notices to potentially thousands of interested third parties in the case of app developers in the activity of app stores. Given this and the fact that the CMA will publish key information related to its decisions, we feel the burden would outweigh the benefit.
Amendment 14, tabled by the noble Lord, Lord Clement-Jones, would require SMS firms to inform the CMA before launching a digital activity that may give rise to competition issues. The Government agree that it is important that the CMA has access to information on potential competition issues in digital markets as they emerge. However, the CMA already has robust information-gathering powers under Part 1, supported by appropriate penalties for non-compliance. This amendment would create new burdens on the CMA, which could potentially be inundated with information. As a result, rather than focusing on priorities, the regulator would have to expend resources sifting the information provided. Further, it could introduce undue burdens on SMS firms looking to introduce innovative new products and services in areas that have healthy competition. It is important that obligations within the regime do not dissuade firms from developing innovations that are beneficial to consumers. I hope that sets out the position to the noble Lord.
My Lords, so that the Minister does not have to stand up a second time, I will just add the other side of the coin to the question from the noble Lord, Lord Vaizey. The Minister seems very concerned about the workload within an SMS, but they are an SMS for a reason.
I thank noble Lords for raising those points. My response to them both is that the key is that we are trying to set a balance between the workloads—the work that has to be performed by the regulator—and the benefit of that work for competition. We can certainly come up with examples. I shared the example of how many app developers there are and how many of them would have to exchange information with the regulator, but perhaps it would be more helpful to the Committee if I committed to giving a slightly deeper analysis of what the CMA estimates would be the time consumed on such activities and why we are concerned that it would have the potential to detract from the core basis of its mission.
In that example, I would cast the app developers as participants in the ecosystem and the customers as the users of the app, but that is perhaps an ontological problem. Perhaps the most straightforward thing, to satisfy the Committee’s concerns that we are not idly throwing out the possibility of an overworked regulator, would be to provide the Committee with a greater analysis of why we believe we have to be careful with what information we ask them to exchange with interested parties to avoid the situation in which the paperwork exceeds the value work.
My Lords, would the Minister also agree to add the whole question about the overworked SMS in his response?
Yes. The point is that we are very happy for these firms to keep delivering innovative new products in competitive markets; we are less happy about them spending their time frustrating the will of the regulator. It is more difficult for me to comment on SMS workloads but I am very happy to comment on the regulators’ workloads.
My Lords, the foundation of the Minister’s argument is SMS workload. The issue is exactly the point that the noble Baroness, Lady Kidron, made about information being power. The SMS companies will know what they are developing. They have huge teams of developers and marketeers, and they have huge amounts of information. This is a question of the CMA trying to keep abreast of what is happening in markets which are dominated by SMS companies, so it is important that there is a proactive duty on the SMS undertaking to give information to the CMA. Maybe the Minister could, as part of this letter, explain how many people there are whose job it is to gather information from the SMS companies—maybe that is the right way around—so we can judge whether it is right to require an SMS proactively to deliver information to the CMA.
Indeed. I am happy to include such analysis in my letter. However, I observe that were I to put myself in the SMS’s shoes and I had a desire to frustrate the will of the regulator, my approach would be to provide far more information than was necessary and create a significant burden on the regulator to sift that information. Any such request or any such standing order about the information coming from the SMS to the regulator must itself be quite carefully balanced.
My Lords, all the SMS has to do is put it through one of its large language models, and hey presto.
That is not incompatible. These are two sides of the same coin, which is why they are in this group. I suppose we could have degrouped it.
Indeed, and I apologise for getting slightly sidetracked on the issue. I think the outcomes we want are that challenger tech firms should be duly informed about the information they need, whether to rebut claims set out by an SMS or to understand the implications and contribute to the process of determining what interventions the regulator should need to make. In the Bill, we are trying to develop the machinery that balances both sides of that equation most effectively, and I remain concerned that we need to manage the workload requirements of the regulator so that it is optimally focused on delivering the right outcomes based on the right information.
I start by thanking all noble Lords who spoke so compellingly. It was a great pleasure to listen. I must say my head is slightly spinning, it is such an eclectic group of amendments, but I will do my best to respond properly to all the points raised.
I start with the discussion on the imposition and use of conduct requirements by the regulator. I thank my noble friend Lord Holmes of Richmond for tabling Amendment 15, which would remove the conduct requirement objectives—fair dealing, open choices and trust and transparency—and instead allow the CMA to impose conduct requirements for any purpose, so long as they fall within the list of permitted types. I intend to cover only the impacts of this amendment on the conduct requirement objectives, not its impacts on the proportionality requirement, as we shall be turning to that in detail later. Both the objectives and the permitted types of conduct requirement reflect extensive and expert evidence and analysis on types of harms in digital markets. These have been set out in legislation to provide clarity up front about the types of rules that designated firms could be subject to. It is right that the powers given to the CMA have clear and defined limits, and the objectives provide an appropriate framework for them to operate within. The Government feel that this clarity of objective is essential to the success of the regime, ensuring that it remains targeted and proportionate.
Amendment 19, tabled by the noble Lord, Lord Clement-Jones, would allow the CMA to gather and publish information relating to commercial deals. I sympathise with the sentiment behind his amendment and believe this regime will provide a crucial means to address the imbalance that exists between the most powerful tech firms and other parties. The CMA will already, as part of investigatory requirements, conduct requirements and the final offer mechanism process, be able to gather relevant information about payment terms and deals, and require SMS firms to share information with third parties. The CMA will also, where appropriate, be able to publish aggregated and anonymised information. As such, we do not believe that this amendment provides the CMA with any necessary additional powers.
Amendment 30 proposes that conduct requirements on unfair use of data be amended to allow the CMA to also prevent SMS firms using copyright material without permission. I absolutely agree, needless to say, with the sentiment that properly functioning, competitive markets that respect intellectual property rights have a vital role to play in stimulating growth and encouraging innovation.
I assure the noble Lord, Lord Clement-Jones, that the CMA is well equipped to address competition issues in a range of contexts, including where these issues intersect with intellectual property rights. When making interventions, the CMA will consider a range of factors, which can include the fairness of terms in issues related to copyright, where they are relevant, on a case-by-case basis. Existing permitted types of conduct requirements already allow the CMA to set requirements for unfair and unreasonable terms, which can include payment terms.
I am sorry to interrupt the Minister but that is very general. We have heard around the Room that people are really concerned. As we go forward, so many areas of intellectual property—the ingestion of copyright material, the issues with synthesisation of performances—are being affected by artificial intelligence. The kind of language the Minister is using sounds far too generic. It needs to be much more focused if we are to be convinced that the CMA really has a role in all of this. He is the Minister for both AI and IP, so he is right at the apex of this issue; maybe he is right on the point of the whole thing. He has the ability in his ministerial role to start trying to resolve some of these issues. We have the IPO coming up with a code of conduct—
This is a long intervention, I agree. I would just ask the Minister to focus on the fact that this is not just any old fairness of terms but something that should be explicitly stated in the Bill.
There is a much broader set of work looking at issues of copyright, intellectual property and artificial intelligence together—a hugely complex piece of work with many stakeholders pulling in a range of different directions. The goal of this Bill is to address that in so far as it affects competitive markets. We may debate this, but the design of the Bill is such that, in so far as competition is affected by the misuse of intellectual property or intellectual property infringements, the CMA is empowered to intervene to drive greater competition or address issues that limit competition. It is targeted only at addressing competitive issues but, in so far as they affect competitive issues, it is empowered to address IP infringement issues, as set out here.
Existing permitted types of conduct requirements already allow the CMA to set requirements for unfair and unreasonable terms, which can include payment terms. The Government are committed to our world-leading IP regime. Copyright legislation already provides a robust framework for rights holders to enforce against copyright infringement. We will take a balanced approach to the use of AI across the press sector and departments across government are working together closely to consider the impact of AI, ensuring that AI innovators and our world-leading creators can continue to flourish.
I turn to Amendments 26, 27 and 25. I thank noble Lords for their thoughtful and considered contributions on these amendments. Amendments 26 and 27 are intended to expand the ability of the CMA to intervene outside the designated digital activity. Amendment 25 also seeks to expand this power specifically in relation to self-preferencing behaviour that takes place outside the designated activity. We agree with noble Lords that it is crucial that the CMA can deal with anti-competitive behaviour outside the designated activity where appropriate. My noble friend Lord Offord and I have had a number of representations giving further examples of this kind of behaviour and we are committed to finding the right means of addressing it.
Our current drafting has sought to balance the need for proportionate intervention with clear regulatory perimeters. The regime is designed to address the issues that result from strategic market status and is therefore designed to address competition issues specifically in activities where competition concerns have already been identified. This recognises that SMS firms are likely to be active in a wide range of activities and will face healthy competition from other firms in many of them.
I assure noble Lords that the power to prevent self-preferencing is already sufficiently broad. It can apply where an SMS firm is using its power in the designated activity inappropriately to treat its own products more favourably, but without a need for those products to be linked to the designated activity. In addition, the existing power outlined in Clause 20(3)(c) to intervene in non-designated activities, which noble Lords are referring to as the whack-a-mole principle, has been carefully calibrated. It is available only where the conduct has a material impact on the strategic market status in respect of the designated activity.
The same conduct in respect of a different activity may not have the same impact on the market. It will not always be anti-competitive and may instead form a part of normal business practice in a more contestable market. The DMU will therefore take a targeted, evidence-based approach when considering intervention. The DMU can intervene via conduct requirements outside the designated activity to prevent leveraging into the designated activity or via PCIs to address an adverse effect on competition in a designated activity. Therefore, the Government’s view is that broadening the CMA’s powers would risk over-intervention, creating uncertainty for businesses and risks to innovation and investment.
My Lords, we are getting on in the Committee, but I was really interested in the Minister’s interpretation point, because quite a lot hangs on that. The noble Lord, Lord Lansley, illustrated extremely well the difference between promoting and not restricting, so to speak—that is a crucial distinction. The Minister prayed in aid Clause 20(2) versus (3), but could he write on that in due course?
I am very happy to do so. As I say, anything that ensures the clarity of the Bill is valuable and important.
On the reference to international technical standards, these can be an important tool in supporting good regulatory outcomes, and we expect the CMA to pay due regard to these, along with other relevant considerations.
Finally, Amendment 34 would place a duty on the DMU to consider opening a PCI investigation when reviewing the effectiveness of, and an SMS firm’s compliance with, conduct requirements. Conduct requirements are tailored rules to manage the effects of an SMS firm’s market power and prevent harms before they occur. PCIs will tackle the sources of SMS firms’ market power, which can arise from both structural features of a market and SMS firms’ conduct. These are different but complementary tools, and the CMA will need to carefully decide when it is appropriate to use each tool, depending on the specific competition issue at hand. This amendment risks narrowing and reframing PCIs as a tool of last resort for non-compliance with conduct requirements.
I hope noble Lords feel assured that the issues they have raised have been carefully considered and reflected throughout the Bill, and I hope that the noble Lord will be able to withdraw his amendment.
(11 months, 1 week ago)
Grand Committee
My Lords, I join the noble Lord, Lord Clement-Jones, in welcoming this SI, and I thank the Minister for his kind comments about the work that went into the Bill. I share with him our pleasure that it is now in force and up and running; this instrument is proof positive that it is indeed so. Like the noble Lord, Lord Clement-Jones, I have many questions about what is happening, but certainly no objections to what is proposed.
The helpful Explanatory Memorandum explains that the context for this instrument is
“the global nature of service providers”
and how they operate. In that sense, I recognise that there are some gaps as regards the areas from where difficulties and troubles might come. For instance, Poland and parts of the eastern European bloc are thought to be centres from which emanate quite a lot of damage and a certain amount of material that is almost certainly illegal, yet I see no reference to any organisation—maybe there is none—that might be able to help Ofcom explore what is happening there. I am also concerned about Canada, because it hosts the biggest—I think—pornography company in the world. Again, I would have thought it would be helpful to Ofcom to be able to contact a collaborative organisation in Canada to work with, but I do not see one in the list.
That leads me on to another, related point. There is, and has been for some time, a network of likeminded organisations with which Ofcom has worked well in the past. There is a list of them on its website. Not all of them are in the Government’s proposals before us, and I wonder whether that in any way reflects a clash of views by the Government. Perhaps the Minister will comment on why we do not see Korea or South Africa, for instance. I would have thought that at least those with which Ofcom has a good working relationship at the moment should have been close to appointment. Perhaps there is some sort of competition there or element that I am not aware of. Any light that could be shed on that would be helpful.
Paragraph 7.5 of the Explanatory Memorandum attached to the SI very helpfully specifies that these regulations have certain minimum standards by which they are judged—a point picked up by the noble Lord, Lord Clement-Jones. I felt they were very appropriate to the ones that the Minister mentioned, including the bespoke regulatory framework itself,
“whether its autonomy is protected in law; and whether the … jurisdiction that empowers them, upholds international human rights”.
These are all good things, and I am pleased to see them mentioned in the Explanatory Memorandum and referenced in his speech.
That raises the question: what happens if any of these organisations depart from these standards? Will another procedure or SI be required to remove them from the list, or would they just cease to be part of the group with which Ofcom discusses things? It would be helpful to have on the record some idea of what the procedure would be if that were required.
My last two points are relatively small. There is a hint that more regulators will be considered and brought forward. That is good; I think we are all in favour of more places, since, as has been said, this is a global issue. What is the timing of that, roughly? Perhaps we could have some speculative ideas about it.
Finally, as the noble Lord, Lord Clement-Jones, pointed out, this is the first of many SIs coming forward for consideration by the House. In Committee on the Bill, we discussed at length how Parliament could be involved. This SI is probably not a very good example of that, but in the codes of practice considerable work will be required by Parliament to make sure that the affirmative resolutions are properly researched and discussed.
The proposal we made, which was accepted by the noble Viscount’s colleague, the noble Lord, Lord Parkinson, was the Parkinson rule: that the statutory instruments would, in fact, be offered to the standing committees. I do not think that would have been necessary for this instrument; I just wonder whether that is still in progress and whether it is the Government’s intention to honour the idea announced at the Dispatch Box that the legwork for many of the substantial SIs that will come forward could be done with advantage by the committees, which would inform the debates required in both Houses before these instruments can be approved. I look forward to hearing from the noble Viscount whether that is likely to happen.
As ever, I thank noble Lords for their valuable contributions to this debate. Needless to say, it is vital that we recognise the global nature of regulated service providers under the Online Safety Act. This SI will ensure that Ofcom can co-operate and share online safety information with specified overseas regulators where appropriate.
As set out, we will review on an ongoing basis whether it is desirable and appropriate to add further overseas regulators to the list. That is an ongoing activity. I anticipate that, as more and more jurisdictions enter the online safety regulation business, we will see an acceleration of the rate at which they can join on the lines we have set out.
I will now respond to some of the specific questions raised in the debate. The noble Lord, Lord Clement-Jones, asked about the types of information that Ofcom might share using this mechanism. The Government anticipate Ofcom being able to share information and co-operate with other regulators, which will lead to international regulatory co-operation, which is likely to reduce the regulatory burden on Ofcom, as well as international counterparts—for example, in relation to duties that are quite similar between regulators, such as duties to deal with illegal content. I anticipate that being a particular focus of their co-operative activities.
Positive benefits may also result from Ofcom supporting overseas regulators in carrying out their online safety regulatory functions and co-operating with relevant criminal investigations or proceedings. That co-operation might address a source of harm for UK users—for example, preventing malign actors disseminating suicide and self-harm content on regulated services.
Regarding the scale of the exchange, Ofcom itself would have discretion as to the scale of the information sharing that takes place through these provisions. However, it is likely to be beneficial to both Ofcom and its regulatory counterparts to engage in information exchange of this nature.
On the question from the noble Lord, Lord Stevenson, on why certain regulators have not been added, we will of course work closely with Ofcom and other stakeholders. He raised a number of interesting examples that would have been quite tempting to add to the list of criteria applied by us, which we, along with Ofcom, produced for the time being but on an ongoing basis. The intention is to review that to add other regulators that can add value in this way.
My Lords, the Minister raised a very interesting point. He said “criteria”; I do not think we have quite heard what those criteria are. That would be very interesting so that we can gauge for the future whether the possibilities that the noble Lord, Lord Stevenson, raised are real possibilities.
Indeed. Perhaps noble Lords will forgive me if I restate “criteria” as “factors considered”, because they are less algorithmic in that sense. Those factors considered would have been an existing relationship or ways of working together; bespoke online safety laws with a bespoke online safety regulator designated to those laws; regulatory autonomy, as I said; and, of course, a regulator within a jurisdiction committed to upholding human rights laws. I should add that the precise nature of any co-operation with any of the regulators on the list remains the decision of Ofcom and not the Government.
To address the question from the noble Lord, Lord Stevenson of Balmacara, about whether further statutory instruments will be required to remove overseas regulators from the list, I can confirm that this is the case. I hope that noble Lords agree with me on the importance of implementing the Online Safety Act as swiftly as possible. Therefore, I commend these regulations to the Committee.
I apologise to the noble Lord; I misunderstood. I very much see the value of this and will strain my sinews to deliver just that. Meanwhile, I commend these regulations to the Committee.
My Lords, before the Minister finally sits down, I want to put to him a very interesting question raised by my noble friend, who the Minister knows is extremely expert on these matters. Is this purely regulators for sovereign Governments or is there flexibility so that, for instance, a US state such as California, which has a particularly powerful governance regime and a strong regulator—it hits the criteria the Minister stated, other than being a sovereign country—could possibly be added to the list under these powers?
I think we would continue to entertain the possibility. That is why I slightly withdrew from the word “criteria” and went to “factors under consideration”—so that we would have the ability to adapt to such opportunities as might arise.
(1 year ago)
Lords Chamber
I think I would regret a characterisation of AI regulation in this country as non-existent. All regulators and their sponsoring government departments are empowered to act on AI and are actively doing so. They are supported and co-ordinated in this activity by new and existing central AI functions: the central AI risk function, the CDEI, the AI standards hub and others. That is ongoing. It is an adaptive model which puts us not behind anyone in regulating AI that I am aware of. It is an adaptive model, and as evidence emerges we will adapt it further, which will allow us to maintain the balance of AI safety and innovation. With respect to the noble Lord’s second question, I will happily write to him.
My Lords, the Government have just conducted a whole summit about the risks of AI, so why in the new data protection Bill are they weakening the already limited legal safeguards that currently exist to protect individuals from AI systems making automated decisions about them in ways that could lead to discrimination or disadvantage? Is this not perverse even by this Government’s standards?
I do not think “perverse” is justified. GDPR Article 22 addresses automated individual decision-making, but, as I am sure the noble Lord knows, the DPDI Bill recasts Article 22 as the right to specific safeguards rather than a general prohibition on automated decision-making, so that subjects have to be informed about it and can seek a human review of decisions. It also defines meaningful human involvement.
(1 year, 1 month ago)
Lords Chamber
I thank the three noble Lords who spoke for their valuable and robust contributions to this debate. Let me start with some general remarks about the SI.
In 2022, the UK exported more than £99 billion in data-enabled services, such as finance and IT, to the US. That amounts to about 30% of the UK’s total data-enabled services exports globally. UK data bridges such as the one established with these regulations ensure that high data standards are upheld when UK individuals’ personal data is transferred internationally while reducing the compliance burdens for businesses, realising responsible innovation and growth. The UK-US data bridge restores a robust and reliable mechanism for transatlantic personal data flows and is expected to benefit around 16,000 UK businesses, 92% of which are small or micro businesses, and provide a combined benefit of an estimated £115 million per year.
The UK-US data bridge has been established following several years of collaboration between both countries and follows a robust assessment by the Secretary of State of the high standards and protections available to UK personal data when it is shared with organisations in the US under the bridge. DSIT published a series of supporting documents alongside the regulations for the US data bridge, including a policy explainer, a fact sheet for UK organisations, a series of letters detailing the operational delivery and enforcement of the framework, an analysis of the assessment which underpinned the Secretary of State’s decision and the Information Commissioner’s opinion.
I acknowledge absolutely the disappointment of the Secondary Legislation Scrutiny Committee that an impact assessment was not made available when the regulations were laid. As was remarked on, an initial impact assessment was submitted to the Regulatory Policy Committee in 2022 which was returned to my department with a green rating, meaning it was considered fit for purpose. Deeply regrettably, the updated version containing much of the same content was not reviewed and approved in a timely manner to coincide with the laying of the regulations. My officials worked at pace to address the additional comments from the Regulatory Policy Committee. I am pleased to say that the impact assessment for these regulations, which has been rated as fit for purpose, was published in mid-October. Furthermore, I can assure noble Lords that DSIT takes the concerns raised by the committee seriously.
In relation to the additional material included within the Explanatory Memorandum published alongside these regulations, as the noble Lord, Lord Clement-Jones, mentioned, an updated version of the Explanatory Memorandum addressing the areas raised by the committee in the report was laid, I am afraid as late as Monday 20 November, and is now available online. I am confident that these changes address the issues raised by the committee in its report.
On the concerns raised by the committee about the absence of a public consultation, I agree that these regulations may be an issue of public interest. These regulations have not been developed in isolation. As part of this assessment, the department worked closely with the UK’s independent data protection regulator, the Information Commissioner’s Office, throughout the assessment and the Information Commissioner was consulted by the Secretary of State prior to taking the decision to establish these regulations in accordance with the Data Protection Act 2018. Additionally, on five occasions since 2021, the department has publicly issued statements in relation to the progress made towards establishing these regulations. These include the UK-US comprehensive dialogue on technology and data launched in October 2022 and the Atlantic declaration announced by the Prime Minister and President Biden in June 2023.
Furthermore, the UK’s approach to facilitating international data transfers was the subject of a public consultation under mission five of the UK’s National Data Strategy, published in December 2020. This was focused on plans
“to remove unnecessary barriers to international data flows”,
drive high standards and build trust in the international use of data. These plans and the department’s approach in this area have been strongly and consistently welcomed by businesses of all sizes looking to operate and trade internationally between the US and UK.
I turn to questions specifically raised in this debate. The noble Lord, Lord Clement-Jones, asked what is being done by the department to address these issues in the future. The delays to the impact assessment and issues raised with the Explanatory Memorandum are unfortunate. It was always the department’s intention to publish the impact assessment once reviewed by the Regulatory Policy Committee and update the Explanatory Memorandum following the Secondary Legislation Scrutiny Committee’s report. As I have said, the department takes the concerns of the Secondary Legislation Scrutiny Committee seriously. There are steps being taken to ensure the delivery of high-quality, comprehensive documentation alongside future secondary legislation. This includes setting up a departmental better regulation team in the new year to support policy teams in the development of impact assessments, and providing a comprehensive library of best practice resources to officials and policy teams. I know that these steps do not help with the issues that arose in this statutory instrument, but I hope that it provides some reassurance towards the steps we are taking to prevent any repeat of these issues in future.
The noble Lord also raised how the data bridge agreements translate on to the US and whether they need to be approved on a state-by-state basis. The answer is that they do not need to be approved by individual states; they are arrangements which operate across the US in relation to any organisations which have signed up to the framework.
Regarding what guidance the department has provided to businesses, it has published a fact sheet on GOV.UK which provides additional clarity and information for businesses regarding using the data bridge, including explaining the need to specify certain types of data as sensitive. Additionally, the ICO has published a complaints tool to help businesses and individuals navigate the new redress mechanism which strengthens and protects UK data subjects’ rights when their personal data is transferred to the US.
Regarding the DPDI Bill, the changes to that Bill will not affect the validity of existing data bridges such as this one. They will continue to have effect under the new regime. The Secretary of State will continue to monitor the data bridge on an ongoing basis for any developments in the US which could affect the decision taken to make these regulations and will take such action to amend or revoke them if necessary.
The noble Lords, Lord Clement-Jones and Lord Fox, both raised what the longevity is of the data bridge, given the Max Schrems case, and the robustness of this legislation. We are aware of the stated intentions made by certain individuals such as Max Schrems to challenge the EU’s adequacy decision for the EU-US data privacy framework, as they have done twice previously. Our data bridge for the UK extension to that privacy framework is a separate decision from the EU’s adequacy decision, following the UK’s independent assessment of relevant laws and practices. We are continuing to work with the US now that the data bridge is online to ensure that it functions as intended and will continue to engage should any challenge to the EU’s adequacy decision be successful. Should the EU’s decision be invalidated, that would not directly impact the UK’s data bridge for the US.
In response to the noble Baroness, Lady Jones, I can confirm as above that the published impact assessment has a green rating. With regard to her question on how the data bridge differs from the EU framework, the UK is relying on our own extension to the EU-US data privacy framework, which mirrors the EU framework.
The noble Baroness asked whether individuals can opt out from the data bridge and about its robustness, including the important point about Palantir. UK individuals’ data is protected to the high standards expected within the UK under the UK GDPR and Data Protection Act 2018. We have conducted a robust and detailed assessment of the new US framework, which is published online on GOV.UK, and which the Secretary of State has decided meets the high standards necessary to establish a data bridge. This includes strict requirements and rules surrounding how US organisations should use, process and disclose personal data that they hold. When deciding whether to share personal data with a US organisation under the data bridge, the transferring organisation in the UK still needs to comply with all the requirements of the UK GDPR, including the need to have a lawful basis for sharing the personal data.
In response to the noble Lord, Lord Fox, who asked who the department engaged with in the US and which regulatory bodies are responsible for the US framework, this is a federal rather than a state government-level framework. The US Department of Commerce administers the framework and is our main counterpart, and the US Federal Trade Commission and US Department of Transportation enforce the framework. We also engaged with the US Department of Justice where there were questions in relation to US national security laws and practices. We have received reassurances from each of these bodies with regard to their commitments to upholding the principles and protecting the rights and protections of UK personal data shared with the US. These have been published online along with our full analysis detailing our assessment of the US data bridge and explaining the role of the different US bodies mentioned, which is on GOV.UK for anyone to view.
On the collection of data by UK political parties and the possibility of transfer to a server outside the UK, the policy governing this aspect falls outside the scope of data bridge policy, and so my department will follow up on that question.
Finally, on the question from the noble Lord, Lord Fox, about the self-certifying annual process for US companies and how the department can be sure that the process is being monitored, the US Department of Commerce has committed in the aforementioned reassurances to conduct verification checks on organisations certified to the framework, as well as to participate in periodic discussions with the UK Government about the operation of the framework, to ensure that the expectations and new practices of the data privacy framework are being met. This includes, where necessary, input from US enforcement bodies, the Federal Trade Commission and the US Department of Transportation, as well as from the UK’s independent data protection regulator, the Information Commissioner’s Office. Additionally, the Secretary of State is obliged to monitor on an ongoing basis any developments in the US or with the US framework that could affect the decision taken to make these regulations and to take such action to amend or revoke them as necessary.
I thank the noble Lord, Lord Clement-Jones, for bringing forward the debate today. The importance of proper scrutiny by parliamentarians for new legislation is paramount, and the department will continue to move forward with renewed determination to ensure that all necessary documentation is provided, not just to a high standard but at the point when regulations are laid. I believe and hope that I have answered all the questions. If not, I am of course more than happy to write with further detail. For now, I am once again grateful to the noble Lord.
My Lords, I thank the Minister for that response. I congratulate him on managing to pick up nearly all the questions and provide them with answers. He probably never thought that quite so many questions could be asked about a single SI, and there are a couple of areas where I think there is further inquiry to be made. This is a salutary lesson in how the SLSC really needs to get the information that it needs to scrutinise regulations, otherwise we all jump up and down and spend our evenings on regret Motions.
This has been a very useful debate. The record, and how the Minister unpacked and answered some of the questions, might be helpful for those who want to take advantage of the UK-US data bridge. It is a great illustration also as to why affirmative SIs, rather than negative ones, are actually rather useful. Why rely on me producing a regret Motion? Would not it have been better to have a proper affirmative procedure in this case, as this is a very important instrument? The Minister talked about its value, and, if it works, we will all agree.
I also very much appreciate the fact that there is a level of humility about this, in that the department is looking at its procedures and setting its house in order with a new regulatory policy process. We look forward, I am sure, to seeing how effective that will be in the future. When the Minister talks about fact sheets and the sensitive data aspects, the fact that the ICO is gearing itself on the complaints and redress side is appreciated as well.
(1 year, 1 month ago)
Grand Committee
Perhaps I had better write to all noble Lords present to say exactly what form that will take.
I am sorry to interrupt the Minister as well. In addition to the timing, it would be useful to know what the instrument is going to be. Will it be another consultation? We have had a consultation, which finished last year, and now we have the SI. Is there going to be another consultation with another SI? The whole process needs unpacking a bit.
That is fair enough. What I am hearing is that noble Lords want to know not just when it will be but what it will look like when it happens. That is an entirely reasonable request, to which I am happy to accede.
I note the views of the noble Lord, Lord Clement-Jones, on how the UK-plus regime supports the publishing industry in particular. I recognise the importance of this issue to a variety of businesses, which have provided extensive contributions to the public consultation on this matter. On behalf of the Government, I thank those businesses for their constructive engagement during the consultation and since. The noble Lord also—no, I am getting ahead of myself. I will move on, except to note that this issue has the potential to impact so many business sectors and therefore it is important for the Government to take the time to get it right.
The noble Lord also mentioned his concerns about a potential move to an international exhaustion regime. As I mentioned, no decision has been made. However, I should advise noble Lords that we intend a future regime to strike the right balance between consumer choice, fair market pricing, protecting creators and promoting competition.
I turn to the matters raised by the noble Lord, Lord Stevenson. I am grateful for his and his colleagues’ expertise on this important area of policy. He raised the review of design rights. The IPO began a review of that legislation last year, with a call for views published in January 2022. We want to make sure that the UK design system best meets the needs of designers and businesses. The IPO is now working on policy proposals on which to consult, which will likely happen in the first half of 2024. The review is fairly wide ranging, as the law around designs is complex and has not been reformed in any meaningful way for some time. It is important to do this work properly to make sure that any changes work for users and all stakeholders.
The noble Lord raised concerns about transparency reports issued by collective management organisations not being audited. The purpose here is to align the treatment of CMOs with that of other organisations in Companies House of similar size; to not treat them differently simply because of the nature of the work they do as CMOs, and therefore not to require organisations that qualify as small to conduct a formal audit in that way, along with other organisations of their size, scope and scale.
Small CMOs will still be required to produce annual transparency reports and to abide by the regulations that govern their conduct and operations. Removing the statutory audit requirement strikes a fairer, more proportionate balance between risk and cost for these small entities. The changes to the audit requirements were in recommendations evidenced by the additional burden imposed on them during a 2021 post-implementation review of the regulations. To provide some reassurance, I hope: this change affects just seven of the smallest CMOs.
The noble Lord, Lord Stevenson, also mentioned the expansion of the European Economic Area and how it would affect our exhaustion regime. Currently, the geographical scope of our exhaustion regime covers the UK and the European Economic Area. If the European Economic Area expanded the Government would consider how that would affect our exhaustion regime, but we would not wish to prejudice such a decision.
I hope all noble Lords will recognise that these proposed changes support a balanced, consistent and stable IP framework that is crucial for businesses, consumers and investors. I absolutely recognise the strength of feeling and argument in favour of maintaining this regime, but meanwhile I commend these regulations to the Committee.
(1 year, 1 month ago)
Lords Chamber
This is indeed a serious and complex issue, and yesterday I met the Creative Industries Council to discuss it. Officials continue to meet regularly both with creative rights holders and with innovating labs, looking for common ground with the goal of developing a statement of principles and a code of conduct to which all sides can adhere. I am afraid to say that progress is slow on that; there are disagreements that come down to legal interpretations across multiple jurisdictions. Still, we remain convinced that there is a landing zone for all parties, and we are working towards that.
My Lords, I welcome what the Minister has just said, and he clearly understands this technology, its risks and indeed its opportunities, but is he not rather embarrassed by the fact that the Government seem to be placing a rather higher priority on the regulation of pedicabs in London than on AI regulation?
I am pleased to reassure the noble Lord that I am not embarrassed in the slightest. Perhaps I can come back with a quotation from Yann LeCun, one of the three godfathers of AI, who said in an interview the other week that regulating AI now would be like regulating commercial air travel in 1925. We can more or less theoretically grasp what it might do, but we simply do not have the grounding to regulate properly because we lack the evidence. Our path to the safety of AI is to search for the evidence and, based on the evidence, to regulate accordingly.
(1 year, 2 months ago)
Lords Chamber
I remember the July debate very well. I made a commitment then to meet with concerned Members, which I am happy to repeat. Again, I ask that concerned Members write to me to indicate that they would like to meet. Those who have written to me have met with me.
My Lords, the Minister mentioned that the Online Safety Bill will come into law very shortly. Will he commit to setting up the advisory committee on disinformation and misinformation as soon as possible after this? The current situation clearly demonstrates both the need for it and for it to come to swift conclusions.
I very much share the noble Lord’s analysis of the need for this group to come rapidly into existence. It is, of course, the role of Ofcom to create it. I will undertake to liaise with it to make sure that that is speeded up.
(1 year, 2 months ago)
Lords Chamber
My noble friend is absolutely right to highlight the essential need for interoperability of AI given the way that AI is produced across so many jurisdictions. In addition to the global safety summit next week, we continue our very deep engagement with a huge range of multilateral groups. These include the OECD, the Council of Europe, the GPAI, the UN, various standards development groups, the G20 and the G7, along with a range of bilateral groups, including—just signed this year—the Atlantic declaration with the US and the Hiroshima accord with Japan.
My Lords, Professor Stuart Russell memorably said:
“There are more regulations on sandwich shops than there are on AI companies”.
After a disappointing White Paper, in the light of the forthcoming summit will the Government put more risk and regulatory meat in their AI sandwich? Is it not high time that we started addressing the AI risks so clearly identified at the G7 meetings this year with clear, effective and proportionate regulation?
I am pleased to say that the Government spend more on AI safety than any other Government of any country. We have assembled the greatest concentration of AI safety expertise anywhere and, based on that input, we feel that nobody has sufficient understanding of the risks or potential of AI at this point to regulate in a way that is not premature. The result of premature regulation is regulation that creates unnecessary friction for businesses, or runs the risk of protecting or failing to protect from emerging dangers of which we are as yet unaware.
(1 year, 3 months ago)
Lords Chamber
I apologise to the noble Lord for not having reached that bit. The concern about Newport Wafer Fab was that the ultimate owners of the buyer were Chinese investors; hence, under the NSI Act, that was blocked. I cannot comment any further on that specific case because it is under judicial review.
My Lords, the Government may have finally published a strategy on semiconductors, but is investment in our great south Wales compound semiconductor hub going to be encouraged by his ministerial colleague Paul Scully’s remarks about not wanting to recreate Taiwan in south Wales? Also, as has been referred to, there is the very much delayed decision over the future of Newport Wafer Fab.
What Minister Scully clearly meant was that there is no point attempting to construct an advanced silicon manufactory at the cost of tens of billions of pounds at considerable risk to both investors and the taxpayer when all those who have tried to mimic TSMC have failed at great expense. It is far better to focus on our strengths and on the compound semiconductor strategy that Minister Scully will have spoken about on that occasion. Again, Newport Wafer Fab is under judicial review and I cannot comment further.
(1 year, 3 months ago)
Grand Committee
My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.
In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.
Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.
These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.
The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.
Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.
The final security requirement in this instrument will ensure that the minimum length of time for which a product will receive security updates is not just published but published in an accessible, clear and transparent manner. We know that consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK consumers will be able to drive manufacturers to improve the security protections they offer through market forces.
We are confident, based on extensive policy development, consultation and advice from the National Cyber Security Centre, that these security requirements will make a fundamental difference to the security of products, their users and the wider connected technology ecosystem.
We also recognise the importance of cutting red tape or, better still, not introducing it in the first place. For this reason, Regulation 4 allows manufacturers that are already compliant with provisions in international standards equivalent to our security requirements to more readily demonstrate their compliance with our security requirements.
The instrument also sets out a list of products excepted from the scope of the product security regime. First, it excepts select product categories where made available for supply in Northern Ireland. This exception ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement, while extending the protections and benefits offered by the regime to consumers and businesses across the UK.
In addition, smart charge points, medical devices and smart metering devices are excepted to avoid double regulation and to ensure that these products are secured with the measures most appropriate to the particulars of their functions. This instrument also excepts laptops, desktop computers and tablets without a cellular connection from the regime’s scope. Engagement with industry highlighted that the manufacturers of these products would face unique challenges in complying with this regime, and in many cases where these products are in use they are already subject to suitable cyber protections. It is therefore not clear at this stage that including these products in the regime’s scope would be proportionate.
Finally, the regulations also contain uncontroversial administrative provisions, including provisions relating to statements of compliance. The regime will require that these documents accompany products, serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement.
These regulations and the regime of which they are a part represent a victory for UK consumers. They are the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure. These measures solidify the United Kingdom’s position at the forefront of the global cyber agenda, paving the way for other nations to follow in our footsteps. I commend the regulations to the Committee.
My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.
I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.
However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.
Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:
“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.
This is part of its press release.
“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.
We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.
Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.
That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
In response, the then Minister, the noble Lord, Lord Kamall, said:
“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.
I accepted that assurance. I said:
“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]
That was the assurance that was given and accepted.
The Minister has moved on from talking about periods of assurance for consumers. I mentioned the EU introducing its five-year rule and the Northern Ireland aspect. That is rather useful for the Government to be able to see the impact of putting down a marker on a five-year period, because there is no alternative under the TCA and the Windsor agreement. Will the Government undertake to review how it is working in Northern Ireland? If it is working well and they think it is practical, will they introduce it across the UK?
That is an interesting experimental chamber to have, because we can compare the two regimes, so I am happy to make that commitment, yes.
The assurances about online marketplaces from my noble friends Lord Kamall and Lord Parkinson remain true. Products sold through online marketplaces are subject to the same requirements as all other products. No regulation is perfect and, if relevant parties do not comply, the parent Act empowers the Secretary of State, or those whom the Secretary of State has authorised to carry out enforcement functions, with robust powers to address non-compliance, including monitoring the market, warning consumers of risks and, where appropriate, seizing products and recalling products from customers.
The Government have made it clear that they expect online marketplaces to do more to keep unsafe products off their platforms, and are conducting a review of the product safety framework. The product safety review consultation is open until 24 October. Following this, we will review and analyse stakeholder feedback and publish a government response. Any legislation will be brought forward in line with parliamentary procedures and timetables, which will include proposals to tackle the sale of unsafe products online. Officials will continue—
I apologise to the Minister, but what is the reason for having two separate processes for manufacturers and online distributors? The assurance that I quoted could not have been clearer, and we all thought that these regulations would include not only manufacturers but online distributors. It still baffles me and I am sure it baffles the noble Lord, Lord Bassam, as well. The logic of doing it in two separate tranches entirely escapes me.
The processes we have put here resulted from extensive consultation with the stakeholders, both the manufacturers and the retailers.
So the Minister is saying that the retailers did not like it, did not have the systems required and could not do things quickly enough—despite the fact that some time has elapsed, as the noble Lord, Lord Bassam, mentioned—so they said, “Not now, Josephine”, basically.
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
Before the Minister sits down, I wonder whether he could return to his notes on the cyber resilience Act. I heard what he said but it may have been a slip of the tongue because he said that it has not yet come into effect but we will monitor its impact on the continent. I think—at least, I assume—that he meant we will monitor its impact when it comes into effect in Northern Ireland. It will inevitably come into effect in Northern Ireland, will it not?
Perhaps the Minister could write to me or to us. The fact, as I understand it, is that the Act is a piece of EU legislation that is going to come into effect across the EU under the Windsor agreement and the TCA. Northern Ireland is subject to EU legislation of that kind; it will therefore come into effect in Northern Ireland and we will be able to monitor its impact there. So, it is not just a question of monitoring its impact on the continent. We have a homegrown example of how it will be implemented—a test bed.
(1 year, 5 months ago)
Lords Chamber
The unit is established within the Department for Science, Innovation and Technology. Its existence and mission, and indeed the legal basis for its activities, are posted on GOV.UK. Because the great majority of its activities are now directed at overseas state actors hostile to our interests, we do not share in a public forum any operational details pertaining to its activity, simply for fear of giving an advantage to our overseas adversaries. However, I recognise the importance and seriousness of the question. To that end, while I cannot in a public forum provide operational details, if the noble Lord or any other noble Lords would like an operational briefing, I would be happy to arrange that.
My Lords, the CDU outsources its surveillance activities to opaque companies such as Logically and Faculty. It does not respond to Freedom of Information Act requests. Its budget is not public. Is it not quite unacceptable that there is no parliamentary oversight by any Select Committee, and is the place for that not the Intelligence and Security Committee?
I am delighted to reassure the noble Lord that it is subject to parliamentary oversight. The DSIT Secretary of State is accountable to Parliament, and indeed to the relevant parliamentary Select Committee.
(1 year, 5 months ago)
Lords Chamber
My Lords, I rise very briefly to support the noble Baroness, Lady Merron, and to make only one point. As someone who has the misfortune of seeing a great deal of upsetting material of all kinds, I have to admit that it sears an image on your mind. I have had the misfortune to see the interaction of animal and human cruelty in the same sequences, again and again. In making the point that there is a harm to humans in witnessing and normalising this kind of material, I offer my support to the noble Baroness.
My Lords, Amendments 180 and 180A seek to require the Secretary of State to conduct a review of existing legislation and how it relates to certain animal welfare offences and, contingent on this review, to make them priority offences under the regulatory framework.
I am grateful for this debate on the important issue of protecting against animal cruelty online, and all of us in this House share the view of the importance of so doing. As the House has discussed previously, this Government are committed to strong animal welfare standards and protections. In this spirit, this Government recognise the psychological harm that animal cruelty content can cause to children online. That is why we tabled an amendment that lists content that depicts real or realistic serious violence or injury against an animal, including by fictional creatures, as priority content that is harmful to children. This was debated on the first day of Report.
In addition, all services will need proactively to tackle illegal animal cruelty content where this amounts to an existing offence such as extreme pornography. User-to-user services will be required swiftly to remove other illegal content that targets an individual victim once made aware of its presence.
The noble Baroness asked about timing. We feel it is important to understand how harm to animals as already captured in the Bill will function before committing to the specific remedy proposed in the amendments.
As discussed in Committee, the Bill’s focus is rightly on ensuring that humans, in particular children, are protected online, which is why we have not listed animal offences in Schedule 7. As many have observed, this Bill cannot fix every problem associated with the internet. While we recognise the psychological harm that can be caused to adults by seeing this type of content, listing animal offences in Schedule 7 is likely to dilute providers’ resources away from protecting humans online, which is the Bill’s main purpose.
However, I understand the importance of taking action on animal mistreatment when committed online, and I am sympathetic to the intention of these amendments. As discussed with the noble Baroness, Defra is confident that the Animal Welfare Act 2006 and its devolved equivalents can successfully bring prosecutions for the commission and action of animal torture when done online in the UK. These Acts do not cover acts of cruelty that take place outside the UK. I know from the discussion we have had in this House that there are real concerns that the Animal Welfare Act 2006 cannot tackle cross-border content, so I wish to make a further commitment today.
The Government have already committed to consider further how the criminal law can best protect individuals from harmful communications, alongside other communications offences, as part of changes made in the other place. To that end, we commit to include the harm caused by animal mistreatment communications as part of this assessment. This will then provide a basis for the Secretary of State to consider whether this offence should be added to Schedule 7 to the OSB via the powers in Clause 198. This work will commence shortly, and I am confident that this, in combination with animal cruelty content listed as priority harms to children, will safeguard users from this type of content online.
For the reasons set out, I hope the noble Baroness and the noble Lord will consider not pressing their amendments.
That really is not good enough, if I may say so. Does the Minister not have any brief of any kind on Amendment 180A?
I am sorry if the noble Lord feels that I have not dealt with it at all.
(1 year, 6 months ago)
Lords Chamber
The debate on this matter in Committee on the Online Safety Bill was well attended and certainly well received. The purpose of the Online Safety Bill is to intervene between the platforms on which the distressing images are published and the users who see those platforms. It is, first, for human beings and, secondly, for their experiences online. The appalling instances that the noble Baroness referenced, particularly in the BBC documentary, would themselves be covered by either the Animal Welfare Act or the Communications Act, both of which make those criminal offences without the need for recourse to the Online Safety Bill.
My Lords, these offences are bad enough by themselves, but does the Minister accept that there is a direct connection between animal cruelty and violence towards humans? If so, is this not yet another reason why the Government should use the Online Safety Bill to combat animal cruelty offences and make this a priority offence under the Bill?
I join the whole House in absolutely deploring these behaviours. The concern about adding animal cruelty offences to the Online Safety Bill is that it is a Bill built around the experiences online of human beings. To rearchitect the Bill around actions perpetrated or commissioned on animals runs the risk of diminishing the effectiveness of the Bill.
(1 year, 6 months ago)
Lords Chamber
I thank the noble Baroness for raising her Question this week, which is, of course, Deafblind Awareness Week. I take this opportunity to pass my very best wishes to those who suffer from the affliction and those who work with them.
The Government are working with providers of technology of all different sizes in this space. The noble Baroness referred to Google’s new centre for technology for disabled people, which highlights its recognition that the UK is the right place for it to operate in this market. I could point to a number of fascinating new innovations by smaller organisations, but I will restrict myself to just one: BrightSign has created a life-changing AI-based smart glove, giving voice to the voiceless by enabling sign language users to communicate without an interpreter.
My Lords, the Minister rightly identified that there are many excellent technologies using smartphones and tablets that are designed to help those who are deafblind achieve greater independence. I too congratulate the noble Baroness, Lady Kennedy, on raising this Question during Deafblind Awareness Week. What co-ordination role does the new department, DSIT, have in this respect—there are many departments, and a couple have been mentioned already—and what resources does it have to help with training and information on these vital technologies?
As the noble Lord rightly points out, identifying the appropriate technologies by scanning the horizon for those that will be of most impact and use is, and must be, a cross-governmental matter. I take every opportunity to urge my fellow Ministers to fight the good fight in this respect. DSIT’s role is as the provider and exemplar of technology use to all of government and the public sector, and indeed all of the UK, but all government departments recognise their responsibility to continuously identify ways to use technology and to make technology in the United Kingdom as accessible as it can possibly be.
(1 year, 6 months ago)
Lords Chamber
Following the failure of the system, three strands of investigation have been put in place. First, BT is performing its own internal investigation. Secondly, Ofcom is engaging directly with BT, which it is required to regulate. Thirdly, based on the findings of those two, there will be the Government’s lessons learned approach. The combination of all those will allow us to learn lessons to improve future resilience of the system.
My Lords, one of the worrying things about this incident is not the failure of the main 999 service itself—although that is bad enough—but the failure of the back-up as well. The Minister will know that I have raised the issue of the changeover from analogue to digital on a consistent basis, particularly BT’s digital voice changeover. This changeover from analogue to digital creates huge risks. Will the Minister say whether the incident report will also include a wider look at the changeover from analogue to digital? There are huge risks involved in this. This is critical infrastructure, and in the case of emergency, it is even more important that we have an analogue back-up to our digital services.
I pay tribute to the noble Lord’s frequent correspondence with me on this subject and recognise the importance of what he says. I do not want to prejudge the findings of the deep root-cause analysis that will now be going on at both BT and Ofcom level, but I will make sure that that question is at least asked, and asked forcefully.
(1 year, 6 months ago)
Lords Chamber
We must recognise that China is ranked number two in AI capabilities globally, and we would not therefore envisage excluding China from any such discussions on how to deal best with the frontier risks of AI. That said, in the way we approach China and involve it in this, we need to take full cognisance of the associated risks. Therefore, we will engage effectively with our partners to assess the best way forward.
My Lords, in a recent speech the Minister rightly said that AI regulation clarity is critical. How on earth, in trying to achieve this, is he going to reconcile the AI White Paper’s tentative and voluntary sectoral approach to AI governance with the Prime Minister saying that unregulated AI poses an existential threat to humanity and with his desire to lead the world in AI safety and regulation? Does this mean that a screeching U-turn is in prospect?
I thank the noble Lord for that question. The starting point for the AI White Paper—of which I do not accept the characterisation of tentative—was, first, not to duplicate existing regulators’ work; secondly, not to go after specific technologies, because the technology space is changing so quickly; and, thirdly, to remain agile and adaptive. We are seeing the benefits of being agile and adapting to a very rapidly shifting landscape.
(1 year, 7 months ago)
Lords Chamber
My Lords, I strongly support the amendment in the names of the noble Lords, Lord Knight and Lord Stevenson, as well as my noble friend Lady Featherstone. The essence of the message from the noble Lord, Lord Knight, about the need for trust and the fact that you can gain trust through greater transparency is fundamental to this group.
The Joint Committee’s report is now a historical document. It is partly the passage of time, but it was an extraordinary way in which to work through some of the issues, as we did. We were very impacted by the evidence given by Frances Haugen, and the fact that certain things came to light only as a result of her sharing information with the Securities and Exchange Commission. We said at the time that:
“Lack of transparency of service providers also means that people do not have insight into the prevalence and nature of activity that creates a risk of harm on the services that they use”.
That is very much the sense that the noble Lord, Lord Stevenson, is trying to get to by adding scope as well.
We were very clear about our intentions at the time. The Government accepted the recommendation that we made and said that they agreed with the committee that
“services with transparency reporting requirements should be required to publish their transparency reports in full, and in an accessible and public place”.
So what we are really trying to do is to get the Government to agree to what they have already agreed to, which we would have thought would be a relatively straightforward process.
There are some other useful aspects, such as the review of effectiveness of the transparency requirements. I very much appreciate what my noble friend just said about not reading transparency reports. I read the oversight reports but not necessarily the transparency reports. I am not sure that Frances Haugen was a great advert for transparency reports at the time, but that is a mere aside in the circumstances.
I commend my noble friend Lady Featherstone’s Amendment 171, which is very consistent with what we were trying to achieve with the code of practice about violence against women and girls. That would fit very easily within that. One of the key points that my noble friend Lord Allan made is that this is for the benefit of the platforms as well. It is not purely for the users. Of course it is useful for the users, but not exclusively, and this could be a way of platforms engaging with the users more clearly, inserting more fresh air into this. In these circumstances it is pretty conclusive that the Government should adhere to what they agreed to in their response to the Joint Committee’s report.
As ever, I thank all noble Lords who have spoken. I absolutely take, accept and embrace the point that transparency is wholly critical to what we are trying to achieve with the Bill. Indeed, the chandelier of transparency reports should be our shared aim—a greenhouse maybe. I am grateful for everyone’s contributions to the debate. I agree entirely with the views expressed. Transparency is vital in holding companies to account for keeping their users safe online. As has been pointed out, it is also to the benefit of the platforms themselves. Confident as I am that we share the same objectives, I would like to try to reassure noble Lords on a number of issues that have been raised.
Amendments 160A, 160B and 181A in the name of the noble Lord, Lord Knight of Weymouth, seek to require providers to make their transparency reports publicly available, subject to appropriate redactions, and to allow Ofcom to prevent their publication where it deems that the risks posed by drawing attention to illegal content outweigh the benefit to the public of the transparency report. Let me reassure the noble Lord that the framework, we strongly believe, already achieves the aim of those amendments. As set out in Clause 68, Ofcom will specify a range of requirements in relation to transparency reporting in a notice to categories 1, 2A and 2B. This will include the kind of information that is required in the transparency report and the manner in which it should be published. Given the requirement to publish the information, this already achieves the intention of Amendment 160A.
The specific information requested for inclusion within the transparency report will be determined by Ofcom. Therefore, the regulator will be able to ensure that the information requested is appropriate for publication. Ofcom will take into account any risks arising from making the information public before issuing the transparency notice. Ofcom will have separate information-gathering powers, which will enable the regulator to access information that is not suitable to be published in the public domain. This achieves the intention of Amendment 160B. There is also a risk of reducing trust in transparency reporting if there is a mechanism for Ofcom to prevent providers publishing their transparency reports.
Amendment 181A would require Ofcom to issue guidance on what information should be redacted and how this should be done. However, Ofcom is already required to produce guidance about transparency reports, which may include guidance about what information should be redacted and how to do this. It is important to provide the regulator with the flexibility to develop appropriate guidance.
Amendment 165 seeks to expand the information within the transparency reporting requirements to cover the scope of the terms of service set out by user-to-user providers. I very much agree with the noble Lord that it is important that Ofcom can request information about the scope of terms of service, as well as about their application. Our view is that the Bill already achieves this. Schedule 8 sets out the high-level matters about which information may be required. This includes information about how platforms are complying with their duties. The Bill will place duties on user-to-user providers to ensure that any required terms of service are clear and accessible. This will require platforms to set out what the terms of service cover—or, in other words, the scope. While I hope that this provides reassurance on the matter, if there are still concerns in spite of what I have said, I am very happy to look at this. Any opportunity to strengthen the Bill through that kind of clarity is worth looking at.
(1 year, 7 months ago)
Lords Chamber
My Lords, I rise to support Amendment 134, tabled by the noble Lord, Lord Stevenson, which was so ably introduced by the noble Baroness, Lady Merron. The Government accepted the Joint Committee’s recommendation that priority offences should be put in the Bill, and that is now contained in Schedules 5, 6 and 7. In particular, Schedule 7 sets out the priority offences. The noble Baroness, Lady Merron, has nailed it in setting out why these animal suffering-related offences fall within the Government’s criteria.
When the Government responded to the Joint Committee, they accepted our recommendation that we should put priority content in the Bill. As the noble Baroness, Lady Merron, said, the criteria are very clearly set out in paragraph 86 of their report:
“The prevalence of such content on regulated services … The risk of harm being caused to UK users by such content; and … The severity of that harm”.
The noble Baroness has absolutely set out how these offences fall within those criteria: the prevalence of these offences; the abuse that is present; the viewing by children and its impact on them; the impact on animal welfare, which would be positive if this content were treated as a priority offence; and the very strong public support.
Of course—the noble Baroness did not quite go here, but I will—there is a massive contrast with the inclusion of the encouragement of immigration offence in Schedule 7. These offences have far greater merit for inclusion in Schedule 7. I very much hope the Minister will accede to what I think is an extremely reasonable amendment.
I thank the noble Baroness for her amendment and the noble Lord, Lord Clement-Jones, for speaking so powerfully, as ever. I very much recognise the harms and horrors of cruelty to animals online or anywhere else. The UK has a proud history of championing and taking action on animal welfare, and the Government are committed to strengthening animal welfare standards and protections.
Our Action Plan for Animal Welfare demonstrates the Government’s commitment to a brighter future for animals both at home and abroad and provides a foundation for conversations on how we can continue to improve animal welfare and conservation in future. I can also reassure your Lordships that this Bill will tackle some of the worst online activities related to animal cruelty.
Amendment 134 seeks to add certain specified animal offences to the list of priority offences in Schedule 7. It is worth reminding ourselves that the Bill will already tackle some of the worst examples of animal cruelty online. This includes, for example, where the content amounts to an existing priority offence, such as extreme pornography, which platforms must prevent users encountering. Equally, where content could cause psychological harm to children, it must be tackled. Where the largest services prohibit types of animal abuse content in their terms of service, the Bill will require them to enforce those terms and remove such content. Improved user reporting and redress systems, as mandated by the Bill, will make it easier for users to report such content.
The Bill, however, is not designed to address every harm on the internet. For it to have an impact, it needs to be manageable for both Ofcom and the companies. For it to achieve the protections envisaged since the start of the Bill, it must focus on its mission of delivering protections for people. Schedule 7 has been designed to focus on the most serious and prevalent offences affecting humans in the UK, on which companies can take effective and meaningful action. The offences in this schedule are primarily focused on where the offences can be committed online—for example, threats to kill or the unlawful supply of drugs. The offences that the noble Baroness proposes cannot be committed online; while that would not stop them from being added for inchoate purposes, the Government do not believe that platforms would be able to take effective steps proactively to identify and tackle such offences online.
Crucially, the Government feel that adding too many offences to Schedule 7 that cannot be effectively tackled also risks spreading companies’ resources too thinly, particularly for smaller and micro-businesses, which would have to address these offences in their risk assessments. Expanding the list of offences in Schedule 7 to include the animal cruelty offences could dilute companies’ efforts to tackle other offences listed in the Bill which have long been the priority of this legislation.
Beyond the Bill, however, the Government are taking a very wide range of steps to tackle animal cruelty. Since publishing the Action Plan for Animal Welfare in 2021, the Government have brought in new laws to recognise animal sentience, introduced additional legislative measures to tackle illegal hare-coursing, and launched the animal health and welfare pathway as part of our agricultural transition plan. We will, of course, continue to discuss these important issues with colleagues at the Department for Environment, Food and Rural Affairs, who lead on our world-leading protections for animals, but, for the reasons I have set out, I am unable to accept this amendment. I therefore hope that the noble Baroness will withdraw it.
(1 year, 7 months ago)
Lords Chamber
They would go to the service provider in the first instance and then—
What recourse would they have, if Ofcom will not deal with individual complaints in those circumstances?
I am happy to meet and discuss this. We are expanding what they are able to receive today under the existing arrangements. I am happy to meet any noble Lords who wish to take this forward to help them understand this—that is probably best.
Amendments 287 and 289 from the noble Baroness, Lady Fox of Buckley, seek to remove the provision for super-complaints from the Bill. The super-complaints mechanism is an important part of the Bill’s overall redress mechanisms. It will enable entities to raise concerns with Ofcom about systemic issues in relation to regulated services, which Ofcom will be required to respond to. This includes concerns about the features of services or the conduct of providers creating a risk of significant harm to users or the public, as well as concerns about significant adverse impacts on the right to freedom of expression.
On who can make super-complaints, any organisation that meets the eligibility criteria set out in secondary legislation will be able to submit a super-complaint to Ofcom. Organisations will be required to submit evidence to Ofcom, setting out how they meet these criteria. Using this evidence, Ofcom will assess organisations against the criteria to ensure that they meet them. The assessment of evidence will be fair and objective, and the criteria will be intentionally strict to ensure that super-complaints focus on systemic issues and that the regulator is not overwhelmed by the number it receives.
Overall, the super-complaints mechanism is more for groupings of complaints and has a broader range than the individual complaints process, but I will consider that point going forward.
Many UK regulators have successful super-complaints mechanisms which allow them to identify and target emerging issues and effectively utilise resources. Alongside the Bill’s research functions, super-complaints will perform a vital role in ensuring that Ofcom is aware of the issues users are facing, helping them to target resources and to take action against systemic failings.
On the steps required after super-complaints, the regulator will be required to respond publicly to the super-complaint. Issues raised in the super-complaint may lead Ofcom to take steps to mitigate the issues raised in the complaint, where the issues raised can be addressed via the Bill’s duties and powers. In this way, they perform a vital role in Ofcom’s horizon-scanning powers, ensuring that it is aware of issues as they emerge. However, super-complaints are not linked to any specific enforcement process.
My Lords, it has just occurred to me what the answer is to the question, “Where does an individual actually get redress?” The only way they can get redress is by collaborating with another 100 people and raising a super-complaint. Is that the answer under the Bill?
No. The super-complaints mechanism is better thought of as part of a horizon-scanning mechanism. It is not—
So it is not really a complaints system; it is a horizon-scanning system. That is interesting.
The answer to the noble Lord’s question is that the super-complaint is not a mechanism for individuals to complain on an individual basis and seek redress.
(1 year, 9 months ago)
Lords Chamber
I thank the noble Lord for his question. My first observation is that Palantir is a very good illustration of some of the new technology providers we are seeing, because the value it was able to provide and demonstrate is very great. However, the perfectly legitimate concerns about data privacy are, none the less, equally great. Any organisation operating in the UK or processing the personal data of people in the UK must comply with our strong and internationally renowned data protection laws, and those laws set out robust penalties for those who do not, including, as necessary, Palantir. Lastly, with respect to the Secretary of State’s remarks, the intention is by no means to reduce the requirement for data protection, merely in some cases to make it more straightforward to demonstrate that the requirements are being met.
My Lords, I join in welcoming the noble Viscount to the Dispatch Box in his role as the first Minister for AI and IP—I think it is the first time those two responsibilities have been joined together. I wish him every success. Given that there is a new data protection Bill in the Commons, does he agree that it would be highly damaging to our AI developers if we were to diverge too widely from the EU GDPR and risk access to the datasets on which they rely so heavily?
I thank the noble Lord and pay tribute to his expertise and knowledge in the area, of which I look forward to taking full advantage. The EU adequacy requirements are uppermost in our minds in continuing our ability to maintain the data relationship with it. I note that EU adequacy does not set out any particular legislative requirements to maintain adequacy, judged as it is on outcomes of data protection rather than its specific mechanisms. I am told that there are currently 14 jurisdictions that meet EU adequacy but have different legislative approaches to acquiring it. Our well-founded ambition is to be among them as well.