Debates between Lord Keen of Elie and Baroness Jones of Whitchurch during the 2015-2017 Parliament

Wed 8th Feb 2017
Digital Economy Bill
Lords Chamber

Committee: 4th sitting (Hansard - continued): House of Lords
Mon 6th Feb 2017
Digital Economy Bill
Lords Chamber

Committee: 3rd sitting (Hansard - continued): House of Lords

Digital Economy Bill

Debate between Lord Keen of Elie and Baroness Jones of Whitchurch
Committee: 4th sitting (Hansard - continued): House of Lords
Wednesday 8th February 2017

(7 years, 10 months ago)

Lords Chamber
Read Full debate Digital Economy Act 2017 View all Digital Economy Act 2017 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Baroness Jones of Whitchurch Portrait Baroness Jones of Whitchurch
- Hansard - - - Excerpts

My Lords, again, given the lateness of the hour, I simply say that our views are well known, that we have supported the implementation of Section 40 in a number of previous debates in this Chamber, and on that basis we support the amendment.

Lord Keen of Elie Portrait Lord Keen of Elie
- Hansard - -

My Lords, I am obliged to the noble Baroness, Lady Hollins. I will address Amendments 233F and 234A together. The amendments, of course, mirror Section 40 of the Crime and Courts Act 2013 but would apply to digitally published news-related material only, as we know. The House has debated the issue of Section 40 on various recent occasions, including during passage of the Investigatory Powers Act and the Policing and Crime Act. There was also a stand-alone debate just before the Christmas Recess.

There is obviously a great strength of feeling about this matter. I realise that some Members of this House are frustrated by what they see as a lack of progress by government on Section 40. However, the Committee should also recall the strength of feeling on the other side of the debate. Many noble Lords have argued passionately in this House against Section 40 and are concerned about its commencement and its impact upon freedom of the press. That is why the Government ran a consultation to consider the matter further.

The press self-regulatory landscape has changed significantly in the past four years since the Leveson inquiry reported. It is right that the Government take stock, look at the changes which have already taken place and seek the views of all interested parties on the most effective way to ensure that the inexcusable practices which led to the Leveson inquiry being established can never happen again.

A consultation was the most appropriate way to ensure that the Government were listening to all views when considering options for the next step in respect of Section 40. Indeed, the consultation closed on 10 January, and it is estimated that we have received more than 140,000 responses. I know that many Members of this House responded to the consultation, and of course we are grateful that they took the time to do that, but many others have responded as well. It will be necessary to consider the many and diverse views that have been expressed with regard to this matter.

As many Members of the Committee will know, and as the noble Lord, Lord Prescott, mentioned, the consultation is now subject to a legal challenge. While I cannot comment on the ongoing legal proceedings, the Government have committed not to take any final decisions on the matters to which the consultation relates until the judicial review application has been determined. As such, it is not possible for me to set out a timetable for when the Government will respond to the consultation. But of course we hope that that judicial review application will be determined much sooner than later.

That brings me on to the amendments from the noble Baroness, Lady Hollins. The issues that she has raised are of critical importance. I appreciate that she and her family were themselves the subject of press abuse, as were other Members of this House. I also recognise the strength of feeling that parties have on the commencement of Section 40. However, with respect, now is not the right time for this House to consider the present amendment.

News consumption is becoming increasingly global and more and more people are reading their news online from a multitude of sources from around the world. Bringing in a law that effectively mirrors Section 40 but for relevant digital publications only would create an incoherent regime applying different rules depending on the mechanism by which an article has been published.

Noble Lords who have supported these amendments have raised the profile of this issue and given a clear signal of their intent—and of their continuing intent. This has not gone unnoticed in government. But we must ensure that we consider this matter properly. As I said before, a free press is an essential component of a fully functioning democracy and we must ensure that we protect that. I note what the noble Lord, Lord Prescott, said about the position in Ireland. I am not in a position to express a view as to the manner in which that operates but I am perfectly content to indicate that we will look at that going forward as well. I hope that that will satisfy the noble Lord. At this stage, however, I urge the noble Baroness, Lady Hollins, to withdraw her amendment.

Digital Economy Bill

Debate between Lord Keen of Elie and Baroness Jones of Whitchurch
Committee: 3rd sitting (Hansard - continued): House of Lords
Monday 6th February 2017

(7 years, 10 months ago)

Lords Chamber
Read Full debate Digital Economy Act 2017 View all Digital Economy Act 2017 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Baroness Jones of Whitchurch Portrait Baroness Jones of Whitchurch (Lab)
- Hansard - - - Excerpts

I expected more people to be inspired by the contribution of the noble Lord, Lord Arbuthnot, and to join in the debate. I am rising to give my support to Amendments 105 and 106 and to thank the noble Lords, Lord Arbuthnot and Lord Carlile, for highlighting this simple failure in company policy, which can lead to much bigger dangers and threats. As the noble Lord said, it can have commercial implications, personal privacy implications and, ultimately, national security implications. While we all have a part to play setting the highest standards of data protection, it is true that all too often we put the focus on national Governments without recognising the equal responsibilities of the private sector and private companies to play their part. This is particularly vital, given the number of private sector organisations which access data for government contract work. However, it also extends into other realms of commercial activity, such as commercial personal profiling, in which companies build vast data banks of our shopping habits, our friends, our movements—literally, where we are moving around in cities and towns—and our vulnerabilities, all of which have huge value both in their own hands and in the hands of cyber-thieves. These are issues which we have also flagged up in other amendments tabled today, and we have tried to build in more safeguards. My noble friend Lord Collins has said that we believe that individuals should have the right to know what information is being held about them, for example. They should have the right to be able to withdraw permission for the data to be held, and they should have the right to know immediately if a data breach has taken place.

We welcome the amendments, which would begin to address some of our concerns, by putting a straightforward obligation on companies to prepare a cybersecurity report each year, detailing the measures being taken to ensure that data are being kept safely. It is a simple ask, and it should not really be necessary, but the all too frequent security breaches taking place underline why a legal requirement has to be imposed. An Institute of Directors report last year showed that companies tend to keep quiet when there has been a security breach. As a result, there are no accurate figures on the extent of this crime, or the extent to which companies are being held to ransom. A survey of business leaders found that only half had a formal strategy in place to protect themselves and just 20% held insurance against an attack. Yet we also know that companies are also losing confidence in their encryption systems, their staff capabilities and awareness and the ability of their software to withstand a deliberate assault.

This is a huge issue. Of course, we have a vested interest in sorting this out, as often it is our personal data which are being stolen. But on a wider sphere it impacts on everything from company finances to sensitive market data and research and development. So we very much welcome the initiative set out in these amendments, and agree with the noble Lord, Lord Arbuthnot, that they are helpful. In itself, they will not completely solve the problem, but they represent another small step in getting companies to act responsibly in managing the data that they hold.

Lord Keen of Elie Portrait The Advocate-General for Scotland (Lord Keen of Elie) (Con)
- Hansard - -

My Lords, Part 5 of the Bill requires public authorities and specified persons to specify and meet specific legislative conditions and controls on the handling of personal information. As I have said on a number of occasions this evening, these provisions will be underpinned by codes of practice setting out data security requirements, including cybersecurity. A body that fails to meet these could be prevented from using the data-sharing powers. That is the context in which I turn to Amendments 105 and 106.

Amendment 105 would require all but the smallest of companies to conduct audits on their cybersecurity and to report annually on it and their data protection measures. Clearly, the Government recognise that effective cybersecurity risk management is important to the success of the economy and, indeed, to ensuring the safety and integrity of private citizens’ data. The Government conducted the Cyber Security Regulation and Incentives Review in 2016 to consider whether we need additional regulation or incentives to boost cyber risk management in the wider economy and it showed strong justification for regulation to secure personal data.

The Government will seek to improve cyber risk management through our implementation of the EU general data protection regulation in May 2018. Its requirement to report breaches to the Information Commissioner and individuals affected, and the fines that can be issued under it, will represent a significant improvement. These will be supplemented by a number of measures to more clearly link data protection with cybersecurity, including through closer working of the Information Commissioner and the National Cyber Security Centre. However, we will not seek to pursue further general cybersecurity legislation for the wider economy as would be required by Amendment 105.

We believe that mandating the inclusion of cyber risk information in annual reports, or the introduction of legal provisions for cyber audit, is unlikely to be an effective way of encouraging large-scale change in cyber risk management. Instead, the National Cyber Security Centre plans to work with stakeholders to develop guidance for investors. The long-term aim of the organisation is to include cybersecurity in the guidance it provides to businesses on the kind of information it wants to see in an annual report, and in the reports it provides to investors each year on every listed company.

Amendment 106 is very broad in its aims and, as such, could have unintended consequences for the diverse range of grants that the Government fund each year. The supporting audit and insurance regime would be costly and challenging to enforce given the diversity of grant recipients, including those from voluntary and research communities. Furthermore, this amendment is unnecessary as many of these checks are in place as a matter of routine. The level of cybersecurity risk in grants will continue to be monitored and consideration given to how recently launched grant standards could be used to strengthen guidance in this area. This provides a far more flexible and proportionate solution than legislation.

With respect to subsection (2) of the proposed new clause in Amendment 106, the Government are already taking tangible steps to reduce the level of cybersecurity risk in their supply chain. As of October 2014, suppliers of central government contracts that involve the handling of personal data or the supply of IT products and services must demonstrate they have met the technical requirements set out as part of either the government-owned Cyber Essentials scheme or a suitable equivalent. The scheme was developed jointly with GCHQ and industry to support organisations of all sizes and across all sectors in getting a good, basic level of online security in place. In response to my noble friend Lord Arbuthnot I would observe that, as of the end of December 2016, nearly 5,500 certificates had been issued under the scheme, and we have a strategy in place to significantly increase the adoption of the scheme over the coming year. With that explanation, I hope my noble friend will withdraw his amendment.