Data (Use and Access) Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 16th December 2024
(2 months ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-III(a) Amendments for Grand Committee (Supplementary to the Third Marshalled List) - (13 Dec 2024)
Lord Russell of Liverpool (CB)
My Lords, I rise briefly to support my noble friend Lady Kidron on Amendment 137. The final comments from the noble and learned Lord, Lord Thomas, in our debate on the previous group were very apposite. We are dealing with a rapidly evolving and complex landscape, which AI is driving at warp speed. It seems absolutely fundamental that, given the panoply of different responsibilities and the level of detail that the different regulators are being asked to cover, there is on the face of what they have to do with children absolute clarity in terms of a code of practice, a code of conduct, a description of the types of outcomes that will be acceptable and a description of the types of outcomes that will be not only unacceptable but illegal. The clearer that is in the Bill, the more it will do something to future-proof the direction in which regulators will have to travel. If we are clear about what the outcomes need to be in terms of the welfare, well-being and mental health of children, that will give us some guidelines to work within as the world evolves so quickly.
Lord Stevenson of Balmacara (Lab)
My Lords, I have co-signed Amendment 137. I do not need to repeat the arguments that have already been made by those who have spoken before me on it; they were well made, as usual. Again, it seems to expose a gap in where the Government are coming from in this area of activity, which should be at the forefront of all that they do but does not appear to be so.
As has just been said, this may be as simple as putting in an initial clause right up at the front of the Bill. Of course, that reminds me of the battle royal we had with the then Online Safety Bill in trying to get up front anything that made more sense of the Bill. It was another beast that was difficult to ingest, let alone understand, when we came to make amendments and bring forward discussions about it.
My frustration is that we are again talking about stuff that should have been well inside the thinking of those responsible for drafting the Bill. I do not understand why a lot of what has been said today has not already appeared in the planning for the Bill, and I do not think we will get very far by sending amendments back and forward that say the same thing again and again: we will only get the response that this is all dealt with and we should not be so trivial about it. Could we please have a meeting where we get around the table and try and hammer out exactly what it is that we see as deficient in the Bill, to set out very clearly for Ministers where we have red lines—that will make it very easy for them to understand whether they are going to meet them or not—and do it quickly?
Lord Clement-Jones (LD)
My Lords, the debate on this group emphasises how far behind the curve we are, whether it is by including new provisions in this Bill or by bringing forward an AI Bill—which, after all, was promised in the Government’s manifesto. It emphasises that we are not moving nearly fast enough in thinking about the implications of AI. While we are doing so, I need to declare an interest as co-chair of the All-Party Parliamentary Group on AI and a consultant to DLA Piper on AI policy and regulation.
I have followed the progress of AI since 2016 in the capacity of co-chair of the all-party group and chair of the AI Select Committee. We need to move much faster on a whole range of different issues. I very much hope that the noble Lord, Lord Vallance, will be here on Wednesday, when we discuss our crawler amendments, because although the noble Lord, Lord Holmes, has tabled Amendment 211A, which deals with personality rights, there is also extreme concern about the whole area of copyright. I was tipped off by the noble Lord, Lord Stevenson, so I was slightly surprised that he did not bring our attention to it: we are clearly due the consultation at any moment on intellectual property, but there seems to be some proposal within it for personality rights themselves. Whether that is a quid pro quo for a much-weakened situation on text and data mining, I do not know, but something appears to be moving out there which may become clear later this week. It seems a strange time to issue a consultation, but I recognise that it has been somewhat delayed.
In the meantime, we are forced to put forward amendments to this Bill trying to anticipate some of the issues that artificial intelligence is increasingly giving rise to. I strongly support Amendments 92, 93, 101 and 105 put forward by the noble Viscount, Lord Colville, to prevent misuse of Clause 77 by generative AI developers; I very much support the noble Lord, Lord Holmes, in wanting to see protection for image, likeness and personality; and I very much hope that we will get a positive response from the Minister in that respect.
We have heard from the noble Baronesses, Lady Kidron and Lady Harding, and the noble Lords, Lord Russell and Lord Stevenson, all of whom have made powerful speeches on previous Bills—the then Online Safety Bill and the Data Protection and Digital Information Bill—to say that children should have special protection in data protection law. As the noble Baroness, Lady Kidron, says, we need to move on from the AADC. That was a triumph she gained during the passage of the Data Protection Act 2018, but six years later the world looks very different and young people need protection from AI models of the kind she has set out in Amendment 137. I agree with the noble Lord, Lord Stevenson, that we need to talk these things through. If it produces an amendment to this Bill that is agreed, all well and good, but it could mean an amendment or part of a new AI Bill when that comes forward. Either way, we need to think constructively in this area because protection of children in the face of generative AI models, in particular, is extremely important.
This group, looking forward to further harms that could be caused by AI, is extremely important on how we can mitigate them in a number of different ways, despite the fact that these amendments appear to deal with quite a disparate group of issues.
Viscount Camrose (Con)
My Lords, given the hour, I will try to be as brief as possible. I will start by speaking to the amendments tabled in my name.
Amendment 142 seeks to prevent the Information Commissioner’s Office sending official notices via email. Official notices from the ICO will not be trivial: they relate to serious matters of data protection, such as monetary penalty notices or enforcement notices. My concern is that it is all too easy for an email to be missed. An email may be filtered into a spam folder, where it sits for weeks before being picked up. It is also possible that an email may be sent to a compromised email address, meaning one that the holder has lost control of due to a hacker. These concerns led me also to table Amendment 143, which removes the assumption that a notice sent by email had been received within 48 hours of being sent.
Additionally, I suspect I am right in saying that a great many people expect official correspondence to arrive via the post. I wonder, therefore, whether there might be a risk that people ignore an unexpected email from the ICO, concerned that it might well be a scam or a hack of some description. I, for one, am certainly deeply suspicious of unexpected but official-looking messages that arrive. I believe that official correspondence which may have legal ramifications should really be sent by post.
On some of the other amendments tabled, Amendment 135A, which seeks to introduce a measure from the DPDI Bill, makes provision for the introduction of a statement of strategic priorities by the Secretary of State that sets out the Government’s data protection priorities, to which the commissioner must have regard, and the commissioner’s duties in relation to the statement. Although I absolutely accept that this measure would create more alignment and efficiency in the way that data protection is managed, I understand the concerns that it would undermine the independence of the Information Commissioner’s Office. That in itself, of course, would tend to bear on the adequacy risk.
I do not support the stand part notices on Clauses 91 and 92. Clause 91 requires the Information Commissioner to prepare codes of practice for the processing of data, which seems a positive measure. It provides guidance to controllers, helping them to control best practice when processing data, and is good for data subjects, as it is more likely that their data will be processed in an appropriate manner. As for Clause 92, which would effectively increase expert oversight of codes of practice, surely that would lead to more effective codes, which will benefit both controllers and data subjects.
I have some concerns about Amendment 144, which limits the Information Commissioner to sending only one reprimand to a given controller during a fixed period. If a controller or processor conducts activities that infringe the provisions of the GDPR and does so repeatedly, why should the commissioner be prevented from issuing reprimands? Indeed, what incentives does that give for people to commit a minor sin and then a major one later?
I welcome Amendment 145, in the name of the noble Baroness, Lady Kidron, which would ensure that the ICO’s annual report records activities and action taken by the ICO in relation to children. This would clearly give the commissioner, parliamentarians and the data and tech industry as a whole a better understanding of how policies are affecting children and what changes may be necessary.
Finally, I turn my attention to many of the amendments tabled by the noble Lord, Lord Clement-Jones, which seek to remove the involvement of the Secretary of State from the functions of the commissioner and transfer the responsibility from government to Parliament. I absolutely understand the arguments the noble Lord advances, as persuasively as ever, but I am concerned even so that the Secretary of State for the relevant department is the best person to work with the commissioner to ensure both clarity of purpose and rapidity of decision-making.
Lord Stevenson of Balmacara (Lab)
I wanted to rise to my feet in time to stop the noble Viscount leaping forward as he gets more and more excited as we reach—I hope—possibly the last few minutes of this debate. I am freezing to death here.
I wish only to add my support to the points of the noble Baroness, Lady Kidron, on Amendment 145. It is much overused saw, but if it is not measured, it will not get reported.
Baroness Jones of Whitchurch (Lab)
My Lords, I thank noble Lords for their consideration of the issues before us in this group. I begin with Amendment 134 from the noble Lord, Lord Clement-Jones. I can confirm that the primary duty of the commissioner will be to uphold the principal objective: securing an appropriate level of data protection, carrying out the crucial balancing test between the interests of data subjects, controllers and wider public interests, and promoting public trust and confidence in the use of personal data.
The other duties sit below this objective and do not compete with it—they do not come at the expense of upholding data protection standards. The commissioner will have to consider these duties in his work but will have discretion as to their application. Moreover, the new objectives inserted by the amendment concerning monitoring, enforcement and complaints are already covered by legislation.
I thank the noble Lord, Lord Lucas for Amendment 135A. The amendment was a previous feature of the DPDI Bill but the Government decided that a statement of strategic priorities for the ICO in this Bill is not necessary. The Government will of course continue to set out their priorities in relation to data protection and other related areas and discuss them with the Information Commissioner as appropriate.
Amendment 142 from the noble Viscount, Lord Camrose, would remove the ICO’s ability to serve notices by email. We would argue that email is a fast, accessible and inexpensive method for issuing notices. I can reassure noble Lords that the ICO can serve a notice via email only if it is sent to an email address published by the recipient or where the ICO has reasonable grounds to believe that the notice will come to the attention of the person, significantly reducing the risk that emails may be missed or sent to the wrong address.
Regarding the noble Viscount’s Amendment 143, the assumption that an email notice will be received in 48 hours is reasonable and equivalent to the respective legislation of other regulators, such as the CMA and Ofcom.
I thank the noble Lord, Lord Clement-Jones, for Amendment 144 concerning the ICO’s use of reprimands. The regulator does not commonly issue multiple reprimands to the same organisation. But it is important that the ICO, as an independent regulator, has the discretion and flexibility in instances where there may be a legitimate need to issue multiple reprimands within a particular period without placing arbitrary limits on that.
Turning to Amendment 144A, the new requirements in Clause 101 will already lead to the publication of an annual report, which will include the regulator’s investigation and enforcement activity. Reporting will be categorised to ensure that where the detail of cases is not public, commercially sensitive investigations are not inadvertently shared. Splitting out reporting by country or locality would make it more difficult to protect sensitive data.
Turning to Amendment 145, with thanks to the noble Baroness, Lady Kidron, I agree with the importance of ensuring that the regulator can be held to account on this issue effectively. The new annual report in Clause 101 will cover all the ICO’s regulatory activity, including that taken to uphold the rights of children. Clause 90 also requires the ICO to publish a strategy and report on how it has complied with its new statutory duties. Both of these will cover the new duty relating to children’s awareness and rights, and this should include the ICO’s activity to support and uphold its important age-appropriate design code.
I thank the noble Lord, Lord Clement-Jones, for Amendments 163 to 192 to Schedule 14, which establishes the governance structure of the information commission. The approach, including the responsibilities conferred on the Secretary of State, at the core of the amendments follows standard corporate governance best practice and reflects the Government’s commitment to safeguarding the independence of the regulator. This includes requiring the Secretary of State to consult the chair of the information commission before making appointments of non-executive members.
Amendments 165 and 167A would require members of the commission to be appointed to oversee specific tasks and to be from prescribed fields of expertise. Due to the commission’s broad regulatory remit, the Government consider that it would not be appropriate or helpful for the legislation to set out specific areas that should receive prominence over others. The Government are confident that the Bill will ensure that the commission has the right expertise on its board. Our approach safeguards the integrity and independence of the regulator, draws clearly on established precedent and provides appropriate oversight of its activities.
Finally, Clauses 91 and 92 were designed to ensure that the ICO’s statutory codes are consistent in their development, informed by relevant expertise and take account of their impact on those likely to be affected by them. They also ensure that codes required by the Secretary of State have the same legal effect as pre-existing codes published under the Data Protection Act.
Considering the explanations I have offered, I hope that the noble Lords, Lord Clement-Jones and Lord Lucas, the noble Viscount, Lord Camrose, and the noble Baroness, Lady Kidron, will agree not to press their amendments.
Data (Use and Access) Bill [HL]
Lord Stevenson of Balmacara ExcerptsTuesday 10th December 2024
(2 months ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-II(a) Amendment for Grand Committee (Supplementary to the Second Marshalled List) - (9 Dec 2024)
Baroness Kidron (CB)
My Lords, I will speak to Amendments 59, 62, 63 and 65 in the name of my noble friend Lord Colville, and Amendment 64 in the name of the noble Lord, Lord Clement-Jones, to which I added my name. I am also very much in sympathy with the other amendments in this group more broadly.
My noble friend Lord Colville set out how he is seeking to understand what the Government intend by “scientific research” and to make sure that the Bill does not offer a loophole so big that any commercial company can avoid data protections of UK citizens in the name of science.
At Second Reading, I read out a dictionary definition of science:
“The systematic study of the structure and behaviour of the physical and natural world through observation, experimentation, and the testing of theories against the evidence obtained”—
i.e. everything. I also ask the Minister if the following scenarios could reasonably be considered scientific. Is updating or improving a new tracking app for fitness, or a bot for an airline, scientific? Is the behavioural science of testing children’s response to persuasive design strategies in order to extend the stickiness of commercial products scientific? These are practical scenarios, and I would be grateful for an answer in order to understand what is in and out of the scope of the Bill.
When I raised Clause 67 at a briefing meeting, it was said that it was, as my noble friend Lord Colville suggested, just housekeeping. The law firm Taylor Wessing suggests that what can
“‘reasonably be described as scientific’ is arguably very wide and fairly vague, so it will be interesting to see how this is interpreted, but the assumption is that it is intended to be a very broad definition”.
Each of the 14 law firm blogs and briefings that I read over the weekend described it variously as loosening, expanding or broadening. Not one suggested that it was a tightening and not one said that it was a no-change change. As we have heard, the European Data Protection Supervisor published an opinion stating that
“scientific research is understood to apply where … the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests”.
When the Minister responds, perhaps she could say whether the particular scenarios I have set out fall within the definition of scientific and why the Government have failed to reflect the critical clarification of the European Data Protection Supervisor in transferring the recital into the Bill.
I turn briefly to Amendment 64, which would limit the use of children’s personal data for the purposes of research and education by making it subject to a public interest requirement and opt-in from the child or a parent. I will speak in our debate on a later grouping to amendments that would enshrine children’s right to higher protection and propose a comprehensive code of practice on the use of children’s data in education, which is an issue of increasing scandal and concern. For now, it would be good to understand whether the Government agree that education is an area of research where a public interest requirement is necessary and appropriate and that children’s data should always be used to support their right to learn, rather than to commoditise them.
During debate on the DPDI Bill, a code of practice on children’s data and scientific research was proposed; the Minister added her name to it. It is by accident rather than by design that I have failed to lay it here, but I will listen carefully to the Minister’s reply to see whether children need additional protections from scientific research as the Government now define it.
Lord Stevenson of Balmacara (Lab)
My Lords, I have in subsequent groups a number of amendments that touch on many of the issues that are raised here, so I will not detain the Committee by going through them at this stage and repeating them later. However, I feel that, although the Government have had the best intentions in bringing forward a set of proposals in this area that were to update and to bring together rather conflicting and difficult pieces of legislation that have been left because of the Brexit arrangements, they have managed to open up a gap between where we want to be and where we will be if the Bill goes forward in its present form. I say that in relation to AI, which is a subject requiring a lot more attention and a lot more detail than we have before us. I doubt very much whether the Government will have the appetite for dealing with that in time for this Bill, but I hope that at the very least—it would be a minor concession at this stage—they will commit at the Dispatch Box to seeking to resolve these issues in the legislation within a very short period because, as we have heard from the arguments made today, it is desperately needed.
More importantly, if, by bringing together documentation that is thought to represent the current situation, either inadvertently or otherwise, the Government have managed to open up a loophole that will devalue the way in which we currently treat personal data—I will come on to this when I get to my groups in relation to the NHS in particular—that would be a grievous situation. I hope that, going forward, the points that have been made here can be accommodated in a statement that will resolve them, because they need to be resolved.
Lord Holmes of Richmond (Con)
My Lords, it is a pleasure to take part in today’s Committee proceedings. In doing so, I declare my technology interests as set out in the register, not least as adviser to Socially Recruited, an AI business.
I support the noble Viscount, Lord Colville, in his amendments and all the other amendments in this group. They were understandably popular, to the extent that when I got my pen out, there was no space left for me to co-sign them, so I was left with the oral tradition in which to reflect my support for them. Before going into the detail, I just say that we have had three data Bills in just over three years: DPDI, DISD and this Bill. Over that period, though the names have changed, much of the meat remains the same in the legislation. Yet, in that period, everything and nothing haschanged —everything in terms of what has happened with generative AI.
Considering that seismic shift that has occurred over these three Bills, could the Minister say what in this Bill specifically has changed, not least in this part, to reflect that seismic change? Regarding “nothing has changed”, nothing has changed in terms of the incredibly powerful potential of AI for positive or negative outcomes, ably demonstrated with this set of amendments.
If you went on to Main Street and polled the public, I believe that you would get a pretty clear understanding of what they considered scientific research to be. You know it. You understand why we would want to have a specified definition of scientific research and what that would mean for the researchers and for the country.
However, if we are to draw that definition as broadly as it currently is in the Bill, why would we bother to have such a definition at all? If the Government’s intention is to enable so much to come within the perimeter, let us not have the definition at all and let us allow to continue what is happening right now, not least in the reuse of scrape data or in how data is being treated in these generative AI models.
We have seen what has happened in terms of the training, but when you look at what could be called development and improvement, as the noble Viscount has rightly pointed out, all this and more could easily fit within the scientific research definition. It could even more easily fit in when lawyers are deployed to ensure that that is so. I know we are going to come on to rehearsing a number of these subjects in the next group but, for this group, I support all the amendments as set out.
I ask the Minister these two questions. First, what has changed in all the provisions that have gone through all these three iterations of the data Bill? Secondly, what is the Government’s intention when it comes to scientific research, if it is not truly to mean scientific research, if it is not to have ethics committee involvement and if it is not to feel sound and be defined as what most people on Main Street would recognise as scientific research?
“7. For the avoidance of doubt, consent as defined here is not sufficient for the purposes of Article 6(1)(a) (lawful processing) and Article 9(2)(a) (processing of special categories of personal data).”Member's explanatory statement
This amendment would mitigate the lowering of the threshold for a data subject to be deemed to have given consent.
Lord Stevenson of Balmacara (Lab)
My Lords, I rise to move the amendment standing in my name and to speak to my other amendments in this group. I am grateful to the noble Baroness, Lady Kidron and the noble Lord, Lord Clement-Jones, for signing a number of those amendments, and I am also very grateful to Foxglove Legal and other bodies that have briefed me in preparation for this.
My amendments are in a separate group, and I make no apology for that because although some of these points have indeed been covered in other amendments, my focus is entirely on NHS patient data, partly because it is the subject of a wider debate going on elsewhere about whether value can be obtained for it to help finance the National Health Service and our health in future years. This changes the nature of the relationship between research and the data it is using, and I think it is important that we focus hard on this and get some of the points that have already been made into a form where we can get reasonable answers to the questions that it leaves.
If my amendments are accepted or agreed—a faint hope—they would make it clear beyond peradventure that the consent protections in the Bill apply to the processing of data for scientific research, that a consistent definition of consent is applied and that that consistent definition is the one with which researchers and the public are already familiar and can trust going forward.
The Minister said at the end of Second Reading, in response to concerns I and others raised about research data in general and NHS data in particular, that the provisions in this Bill
“do not alter the legal obligations that apply in relation to decisions about whether to share data”.—[Official Report, 19/11/24; col. 196.]
I accept that that may be the intention, and I have discussed this with officials, who make the same point very strongly. However, Clause 68 introduces a novel and, I suggest, significantly watered-down definition of consent in the case of scientific research. Clause 71 deploys this watered-down definition of consent to winnow down the “purpose limitation” where the processing is for the purposes of scientific research in the public interest. Taken together, this means that there has been a change in the legal obligations that apply to the need to obtain consent before data is shared.
Clause 68 amends the pivotal definition of consent in Article 4(11). Instead of consent requiring something express—freely given, specific, informed, and unambiguous through clear affirmative action—consent can now be imputed. A data subject’s consent is deemed to meet these strict requirements even when it does not, as long as the consent is given to the processing of personal data for the purposes of an area of scientific research; at the time the consent is sought, it is not possible to identify fully the purposes for which the personal data is to be processed; seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research; and, so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent to processing for only part of the research. These all sound very laudable, but I believe they cut down the very strict existing standards of consent.
Proposed new paragraph 7, in Clause 68, then extends the application of this definition across the regulation:
“References in this Regulation to consent given for a specific purpose (however expressed) include consent described in paragraph 6.”
Thus, wherever you read “consent” in the regulation you can also have imputed consent as set out in proposed new paragraph 6 of Article 4. This means that “consent” within the meaning of proposed new paragraph 6(a)—i.e. the basis for lawful processing—can be imputed consent in the new way introduced by the Bill, so there is a new type of lawful basis for processing.
The Minister is entitled to disagree, of course; I expect him to say that when he comes to respond. I hope that, when he does, he will agree that we share a concern on the importance of giving researchers a clear framework, as it is this uncertainty about the legal framework that could inadvertently act as a barrier to the good research we all need. So my first argument today is that, as drafted, the Bill leaves too much room for different interpretations, which will lead to exactly the kind of uncertainty that the Minister—indeed, all of us—wish to avoid.
As we have heard already, as well as the risk of uncertainty among researchers, there is also the risk of distrust among the general public. The public rightly want and expect to have a say in what uses their data is put to. Past efforts to modernise how the NHS uses data, such as care.data, have been expensive failures, in part because they have failed to win the public’s trust. More than 3.3 million people have already opted out of NHS data sharing under the national data opt-out; that is nearly 8% of the adults who could have been part of surveys. We have talked about the value of our data and being the gold standard or gold attractor for researchers but, if we do not have all the people who could contribute, we are definitely devaluing and debasing that research. Although we want to respect people’s choice as to whether to participate, of course, this enormous vote against research reflects a pretty spectacular failure to win public trust—one that undermines the value and quality of the data, as I said.
So my second point is that watering down the rights of those whose data is held by the NHS will not put that data for research purposes on a sustainable, long-term footing. Surely, we want a different outcome this time. We cannot afford more opt-outs; we want people opting back in. I argue that this requires a different approach—one that wins the public’s trust and gains public consent. The Secretary of State for Health is correct to say that most of the public want to see the better use of health data to help the NHS and to improve the health of the nation. I agree, but he must accept that the figures show that the general public also have concerns about privacy and about private companies exploiting their data without them having a say in the matter. The way forward must be to build trust by genuinely addressing those concerns. There must not be even a whiff of watering down legal protections, so that those concerns can instead be turned into support.
This is also important because NHS healthcare includes some of the most intimate personal data. It cannot make sense for that data to have a lower standard of consent protection going forward if it is being used for research. Having a different definition of consent and a lower standard of consent will inevitably lead to confusion, uncertainty and mistrust. Taken together, these amendments seek to avoid uncertainty and distrust, as well as the risk of backlash, by making it abundantly clear that Article 4 GDPR consent protections apply despite the new wording introduced by this Bill. Further, these are the same protections that apply to other uses of data; they are identical to the protections already understood by researchers and by the public.
I turn now to a couple of the amendments in this group. Amendment 71 seeks to address the question of consent, but in a rather narrow way. I have argued that Clause 68 introduces a novel and significantly watered-down definition of consent in the case of scientific research; proposed new paragraph 7 deploys this watered-down definition to winnow down the purpose limitation. There are broader questions about the wisdom of this, which Amendments 70, 79 and 81 seek to address, but Amendment 71 focuses on the important case of NHS health data.
If the public are worried that their health data might be shared with private companies without their consent, we need an answer to that. We see from the large number of opt-outs that there is already a problem; we have also seen it recently in NHS England’s research on public attitudes to health data. This amendment would ensure that the Bill does not increase uncertainty or fuel patient distrust of plans for NHS data. It would help to build the trust that data-enabled transformation of the NHS requires.
The Government may well retort that they are not planning to share NHS patient data with commercial bodies without patient consent. That is fine, but it would be helpful if, when he comes to respond, the Minister could say that clearly and unambiguously at the Dispatch Box. However, I put it to him that, if he could accept these amendments, the law would in fact reflect that assurance and ensure that any future Government would need to come back to Parliament if they wanted to take a different approach.
It is becoming obvious that whether research is in the public interest will be the key issue that we need to resolve in this Bill, and Amendment 72 provides a proposal. The Bill makes welcome references to health research being in the public interest, but it does not explain how on earth we decide or how that requirement would actually bite. Who makes the assessment? Do we trust a rogue operator to make its own assessment of how its research is in the public interest? What would be examples of the kind of research that the Government expect this requirement to prevent? I look forward to hearing the answer to that, but perhaps it would be more helpful if the Minister responded in a letter. In the interim, this amendment seeks to introduce some procedural clarity about how research will be certified as being in the public interest. This would provide clarity and reassurance, and I commend it to the Minister.
Finally, Amendment 131 seeks to improve the appropriate safeguards that would apply to processing for research, archiving and scientific purposes, including a requirement that the data subject has given consent. This has already been touched on in another amendment, but it is a way of seeking to address the issues that Amendments 70, 79 and 81 are also trying to address. Perhaps the Government will continue to insist that this is addressing a non-existent problem because nothing in Clauses 69 or 71 waters down the consent or purpose limitation protections and therefore the safeguards themselves add nothing. However, as I have said, informed readers of the Bill are interpreting it differently, so spelling out this safeguard would add clarity and avoid uncertainty. Surely such clarity on such an important matter is worth a couple of lines of additional length in a 250-page Bill. If the Government are going to argue that our Amendment 131 adds something objectionable, let them explain what is objectionable about consent protections applying to data processing for these purposes. I beg to move.
Lord Clement-Jones (LD)
My Lords, I support Amendments 70 to 72, which I signed, in the name of the noble Lord, Lord Stevenson of Balmacara. I absolutely share his view about the impact of Clause 68 on the definition of consent and the potential and actual mistrust among the public about sharing of their data, particularly in the health service. It is highly significant that 3.3 million people have opted out of sharing their patient data.
I also very much share the noble Lord’s views about the need for public interest. In a sense, this takes us back to the discussion that we had on previous groups about whether we should add that in a broader sense so not purely for health data or whatever but for scientific research more broadly, as he specifies. I very much support what he had to say.
Broadly speaking, the common factor between my clause stand part and what he said is health data. Data subjects cannot make use of their data rights if they do not even know that their data is being processed. Clause 77 allows a controller reusing data under the auspices of scientific research to not notify a data subject in accordance with Article 13 and 14 rights if doing so
“is impossible or would involve a disproportionate effort”.
We on these Benches believe that Clause 77 should be removed from the Bill. The safeguards are easily circumvented. The newly articulated compatibility test in new Article 8A inserted by Clause 71 that specifies how related the new and existing purposes for data use need to be to permit reuse is essentially automatically passed if it is conducted
“for the purposes of scientific research or historical research”.
This makes it even more necessary for the definition of scientific research to be tightened to prevent abuse.
Currently, data controllers must provide individuals with information about the collection and use of their personal data. These transparency obligations generally do not require the controller to contact each data subject. Such obligations can usually be satisfied by providing privacy information using different techniques that can reach large numbers of individuals, such as relevant websites, social media, local newspapers and so on.
Lord Leong (Lab)
My Lords, I thank noble Lords for another thought-provoking debate on consent in scientific research. First, let me set out my staunch agreement with all noble Lords that a data subject’s consent should be respected.
Regarding Amendment 70, Clause 68 reproduces the text from the current UK GDPR recitals, enabling scientists to obtain “broad consent” for an area of research from the outset and to focus on potentially life-saving research. This has the same important limitations, including that it cannot be used if the researcher already knows its specific purpose and that consent can be revoked at any point.
I turn to Amendments 71 and 72, in the name of my noble friend Lord Stevenson, on assessments for research. Requiring all research projects to be submitted for assessments could discourage or delay researchers in their important work, as various noble Lords mentioned. However, I understand that my noble friend’s main concern is around NHS data. I assure him that, if NHS data is used for research, individual patients cannot be identified unless either a patient has specifically agreed for that data to be shared or the Health Research Authority has approved an application for this information to be used, informed by advice from the independent and expert Confidentiality Advisory Group. Research projects using confidential patient data are always subject to rigorous governance, including the approval of an ethics committee; the Minister, my noble friend Lady Jones, mentioned this earlier. There are also strict controls around who can see the data and how it is used and stored. Nothing in this clause will change that approach.
I turn to Amendments 81 and 131 on consent. I understand the motivations behind adding consent as a safeguard. However, organisations such as the Health Research Authority have advised researchers against relying on consent under the UK GDPR; for instance, an imbalance of power may mean that consent cannot truly be “freely given”.
On Amendment 79, I am happy to reassure my noble friend Lord Stevenson that references to “consent” in Clause 71 do indeed fall under the definition in Article 4.11.
Lastly, I turn to Clause 77, which covers the notification exemption; we will discuss this in our debates on upcoming groups. The Government have identified a gap in the UK GDPR that may disproportionately affect researchers. Where data is not collected from the data subject, there is an exemption from notifying them if getting in contact would mean a disproportionate amount of effort. This does not apply to data collected from the data subject. However, in certain studies, such as those of degenerative neurological conditions, it can be impossible or involve a disproportionate effort to recontact data subjects to inform them of any change in the study. The Bill will therefore provide a limited exemption with strong safeguards for data subjects.
Numerous noble Lords asked various questions. They touched on matters that we care about very much: trust in the organisation asking for data; the transparency rules; public interest; societal value; the various definitions of “consent”; and, obviously, whether we can have confidence in what is collected. I will not do noble Lords’ important questions justice if I stand here and try to give answers on the fly, so I will do more than just write a letter to them: I will also ask officials to organise a technical briefing and meeting so that we can go into everyone’s concerns in detail.
With that, I hope that I have reassured noble Lords that there are strong protections in place for data subjects, including patients; and that, as such, noble Lords will feel content to withdraw or not press their amendments.
Lord Stevenson of Balmacara (Lab)
My Lords, I thank those who participated in this debate very much indeed. It went a little further than I had intended in drafting these amendments, but it has raised really important issues which I think we will probably come back to, if not later in Committee, certainly at Report.
At the heart of what we discussed, we recognise, as the noble Baroness, Lady Kidron, put it, that our data held by the NHS—if that is a better way of saying it—is valuable both in financial terms and because it should and could bring better health in future. Therefore, we value it specifically among some of the other datasets that we are talking about, because it has a returning loop in it. It is of benefit not just to the individual but to the UK as a whole, and we must respect that.
However, the worry that underlies framing it in that way is that, at some point, a tempting offer will be made by a commercial body—perhaps one is already on the table—which would generate new funding for the NHS and our health more generally, but the price obtained for that will not reflect the value that we have put into it over the years and the individual data that is being collected. That lack of trust is at the heart of what we have been talking about. In a sense, these amendments are about trust, but they are also bigger. They are also about the whole question of what it is that the Government as a whole do on our behalf in holding our data and what value they will obtain for that—something which I think we will come back to on a later amendment.
I agree with much of what was said from all sides. I am very grateful to the noble Lords, Lord Kamall and Lord Holmes, from the Opposition for joining in the debate and discussion, and their points also need to be considered. The Minister replied in a very sensible and coherent way; I will read very carefully what he said in Hansard and we accept his kind offer of a technical briefing on the Bill—that would be most valuable. I beg leave to withdraw the amendment.
Lord Russell of Liverpool (CB)
My Lords, I put my name to the amendments from the noble Baroness, Lady Kidron, and will briefly support them. I state my interest as a governor of Coram, the children’s charity. One gets a strong sense of déjà vu with this Bill. It takes me back to the Online Safety Bill and the Victims and Prisoners Bill, where we spent an inordinate amount of time trying to persuade the Government that children are children and need to be treated as children, not as adults. That was hard work. They have an absolute right to be protected and to be treated differently.
I ask the Minister to spend some time, particularly when her cold is better, with some of her colleagues whom we worked alongside during the passage of those Bills in trying to persuade the then Government of the importance of children being specifically recognised and having specific safeguards. If she has time to talk to the noble Lords, Lord Ponsonby, Lord Stevenson and Lord Knight, and the noble Baroness, Lady Thornton —when she comes out of hospital, which I hope will be soon—she will have chapter, book and verse about the arguments we used, which I hope we will not have to rehearse yet again in the passage of this Bill. I ask her please to take the time to learn from that.
As the noble Baroness said, what is fundamental is not what is hinted at or implied at the Dispatch Box, but what is actually in the Bill. When it is in the Bill, you cannot wriggle out of it—it is clearly there, stating what it is there for, and it is not open to clever legal interpretation. In a sense, we are trying to future-proof the Bill by, importantly, as she said, focusing on outcomes. If you do so, you are much nearer to future-proofing than if you focus on processes, which by their very nature will be out of date by the time you have managed to understand what they are there to do.
Amendment 135 is important because the current so-called safeguard for the Information Commissioner to look after the interests of children is woefully inadequate. One proposed new section in Clause 90 talks of
“the fact that children may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing”.
It is not just children; most adults do not have a clue about any of that, so to expect children to have even the remotest idea is just a non-starter. To add insult to injury, that new section begins
“the Commissioner must have regard to such of the following”—
of which the part about children is one—
“as appear to the Commissioner to be relevant in the circumstances”.
That is about as vague and weaselly as it is possible to imagine. It is not adequate in any way, shape or form.
In all conscience, I hope that will be looked at very carefully. The idea that the commissioner might in certain circumstances deem that the status and importance of children is not relevant is staggering. I cannot imagine a circumstance in which that would be the case. Again, what is in the Bill really matters.
On Amendment 94, not exempting the provision of information regarding the processing of children’s data is self-evidently extremely important. On Amendment 82, ring-fencing children’s data from being used by a controller for a different purpose again seems a no-brainer.
Amendment 196, as the noble Lord, Lord Clement-Jones, says, is a probing amendment. It seems eminently sensible when creating Acts of Parliament that in some senses overlap, particularly in the digital and online world, that the left hand should know what the right hand is doing and how two Acts may be having an effect on one another, perhaps not in ways that had been understood or foreseen when the legislation was put forward. We are looking for consistency, clarity, future-proofing and a concentration on outputs, not processes. First and foremost, we are looking for the recognition, which we fought for so hard and finally got, that children are children and need to be recognised and treated as children.
Lord Stevenson of Balmacara (Lab)
My Lords, I think we sometimes forget, because the results are often so spectacular, the hard work that has had to happen over the years to get us to where we are, particularly in relation to the Online Safety Act. It is well exemplified by the previous speaker. He put his finger on the right spot in saying that we all owe considerable respect for the work of the noble Baroness, Lady Kidron, and others. I helped a little along the way. It is extraordinary to feel that so much of this could be washed away if the Bill goes forward in its present form. I give notice that I intend to work with my colleagues on this issue because this Bill is in serious need of revision. These amendments are part of that and may need to be amplified in later stages.
I managed to sign only two of the amendments in this group. I am sorry that I did not sign the others, because they are also important. I apologise to the noble Lord, Lord Clement-Jones, for not spotting them early enough to be able to do so. I will speak to the ones I have signed, Amendments 88 and 135. I hope that the Minister will give us some hope that we will be able to see some movement on this.
The noble Lord, Lord Russell, mentioned the way in which the wording on page 113 seems not only to miss the point but to devalue the possibility of seeing protections for children well placed in the legislation. New Clause 120B(e), which talks of
“the fact that children may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing”,
almost says it all for me. I do not understand how that could possibly have got through the process by which this came forward, but it seems to speak to a lack of communication between parts of government that I hoped this new Government, with their energy, would have been able to overcome. It speaks to the fact that we need to keep an eye on both sides of the equation: what is happening in the online safety world and how data that is under the control of others, not necessarily those same companies, will be processed in support or otherwise of those who might wish to behave in an improper or illegal way towards children.
At the very least, what is in these amendments needs to be brought into the Bill. In fact, other additions may need to be made. I shall certainly keep my eye on it.
Viscount Camrose (Con)
My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for bringing forward amendments in what is a profoundly important group. For all that data is a cornerstone of innovation and development, as we have often argued in this Committee, we cannot lose sight of our responsibility to safeguard the rights and welfare of our children.
Baroness Jones of Whitchurch (Lab)
To be on the safe side, I will write to the noble Baroness. We feel that other bits in the provisions of the Bill cover the other aspects but, just to be clear on it, I will write to her. On Amendment 196 and the Online Safety Act—
Lord Stevenson of Balmacara (Lab)
I am sorry to interrupt but I am slightly puzzled by the way in which that exchange just happened. I take it from what the Minister is saying that there is no dissent, in her and the Bill team’s thinking, about children’s rights having to be given the correct priority, but she feels that the current drafting is better than what is now proposed because it does not deflect from the broader issues that she has adhered to. She has fallen into the trap, which I thought she never would do, of blaming unintended consequences; I am sure that she will want to rethink that before she comes back to the Dispatch Box.
Surely the point being made here is about the absolute need to make sure that children’s rights never get taken down because of the consideration of other requirements. They are on their own, separate and not to be mixed up with those considerations that are truly right for the commissioner—and the ICO, in its new form—to take but which should never deflect from the way children are protected. If the Minister agrees with that, could she not see some way of reaching out to be a bit closer to where the noble Baroness, Lady Kidron, is?
Baroness Jones of Whitchurch (Lab)
I absolutely recognise the importance of the issues being raised here, which is why I think I really should write: I want to make sure that whatever I say is properly recorded and that we can all go on to debate it further. I am not trying to duck the issue; this issue is just too important for me to give an off-the-cuff response on it. I am sure that we will have further discussions on this. As I say, let me put it in writing, and we can pick that up. Certainly, as I said at the beginning, our intention was to enhance children’s protection rather than deflect from it.
Moving on to Amendment 196, I thank the noble Lord, Lord Clement-Jones, and other noble Lords for raising this important issue and seeking clarity on how the provision relates to the categorisation of services in the Online Safety Act. These categories are, however, not directly related to Clause 122 of this Bill as a data preservation notice can be issued to any service provider regulated in the Online Safety Act, regardless of categorisation. A list of the relevant persons is provided in paragraphs (a) to (e) of Section 100(5) of the Act; it includes any user-to-user service, search service and ancillary service.
I absolutely understand noble Lords saying that these things should cross-reference in some way but, as far we are concerned, they complement each other, and that protection is currently in the Online Safety Act. As I said, I will write to noble Lords and am happy to meet if that would be helpful. In the meantime, I hope that the explanations I have given are sufficient grounds for noble Lords not to press their amendments at this stage.
Data (Use and Access) Bill [HL]
Lord Stevenson of Balmacara ExcerptsTuesday 3rd December 2024
(2 months, 1 week ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-I(a) Amendments for Grand Committee (Supplementary to the Marshalled List) - (3 Dec 2024)
Baroness Kidron (CB)
My Lords, I support the amendments in the name of the noble Lord, Lord Clement-Jones. I perhaps did not say it at the beginning of my remarks on this section, but I fully support the Government’s efforts to create a trust framework. I think I started with criticism rather than with the fact that this is really important. Trust is in the name and if we cannot trust it, it is not going to be a trust framework. It is important to anticipate and address the likelihood that some will seek to abuse it. If there are not sufficient consequences for abusing it, I do not understand quite how we can have the level of trust needed for this to have wide adoption.
I particularly want to say that good systems cannot rely on good people. We know that and we see it. We are going to discuss it later in Committee, but good systems need checks and balances. In relation to this set of amendments, we need a disincentive for bad actors to mislead or give false information to government or the public. I am not going to rehearse each amendment that the noble Lord, Lord Clement-Jones, explained so brilliantly. The briefing on the trust framework is a very important one for us all. The amount of support there is for the idea, and the number of questions about what it means and how it will work, mean that we will come back to this if we do not have a full enough explanation of the disincentives for a bad actor.
Lord Stevenson of Balmacara (Lab)
My Lords, I support these amendments and applaud the noble Lord, Lord Clement-Jones, for his temerity and for offering a variety of choices, making it even more difficult for my noble friend to resist it.
It has puzzled me for some time why the Government do not wish to see a firm line being taken about digital theft. Identity theft in any form must be the most heinous of crimes, particularly in today’s world. This question came up yesterday in an informal meeting about a Private Member’s Bill due up next Friday on the vexed question of the sharing of intimate images and how the Government are going to respond to it. We were sad to discover that there was no support among the Ministry of Justice officials who discussed the Bill with its promoter for seeing it progress any further.
At the heart of that Bill is the same question about what happens when one’s identity is taken and one’s whole career and personality are destroyed by those who take one’s private information and distort it in such a way that those who see it regard it as being a different person or in some way involved in activities that the original person would never have been involved in. Yet we hear that the whole basis on which this digital network has been built up is a voluntary one, and the logic of that is that it would not be necessary to have the sort of amendments that are before us now.
I urge the Government to think very hard about this. There must be a break point here. Maybe the meeting that has been promised will help us, but there is a fundamental point about whether in the digital world we can rely on the same protections that we have in the real world—and, if not, why not?
Viscount Camrose (Con)
My Lords, I will address the amendments proposed by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron. I have nothing but the deepest respect for their diligence, and indeed wisdom, in scrutinising all three flavours of the Bill as it has come out, and for their commitment to strengthening the legislative framework against fraud and other misuse of digital systems. However, I have serious reservations about the necessity and proportionality of the amendments under consideration, although I look forward to further debates and I am certainly open to being convinced.
Amendments 51 and 52 would introduce criminal sanctions, including imprisonment, for the misuse of trust marks. While the protection of trust marks is vital for maintaining public confidence in digital systems, I am concerned that introducing custodial sentences for these offences risks overcriminalisation. The misuse of trust marks can and should be addressed through robust civil enforcement mechanisms. Turning every such transgression into a criminal matter would place unnecessary burdens on, frankly, an already strained justice system and risks disproportionately punishing individuals or small businesses for inadvertent breaches.
Furthermore, the amendment’s stipulation that proceedings could be brought only by or with the consent of the Director of Public Prosecutions or the Secretary of State is an important safeguard, yet it underscores the high level of discretion required to enforce these provisions effectively, highlighting the unsuitability of broad criminalisation in this context.
Amendment 53 seeks to expand the definition of identity documents under the Identity Documents Act 2010 to include digital identity documents. While the noble Lord, Lord Clement-Jones, makes a persuasive case, the proposal raises two concerns. First, it risks pre-emptively criminalising actions before a clear and universally understood framework for digital identity verification is in place. The technology and its standards are still evolving, and it might be premature to embed such a framework into criminal law. Secondly, there is a risk that this could have unintended consequences for innovation in the digital identity sector. Businesses and individuals navigating this nascent space could face disproportionate legal risks, which may hinder progress in a field critical to the UK’s digital economy.
Amendment 54 would introduce an offence of knowingly or recklessly providing false information in response to notices under Clause 51. I fully support holding individuals accountable for deliberate deception, but the proposed measure’s scope could lead to serious ambiguities. What constitutes recklessness in this context? Are we inadvertently creating a chilling effect where individuals or businesses may refrain from engaging with the system for fear of misinterpretation or error? These are questions that need to be addressed before such provisions are enshrined in law.
We must ensure that our legislative framework is fit for purpose, upholds the principles of justice and balances enforcement with fairness. The amendments proposed, while they clearly have exactly the right intentions, risk, I fear, undermining these principles. They introduce unnecessary criminal sanctions, create uncertainty in the digital identity space and could discourage good-faith engagement with the regulatory system. I therefore urge noble Lords to carefully consider the potential consequences of these amendments and, while expressing gratitude to the noble Lords for their work, I resist their inclusion in the Bill.
Lord Clement-Jones (LD)
My Lords, of course I welcome the fact that the Bill will enable people to register a death in person and online, which was a key recommendation from the UK Commission on Bereavement. I have been asked to table this amendment by Marie Curie; it is designed to achieve improvements to UK bereavement support services, highlighting the significant administrative burden faced by bereaved individuals.
Marie Curie points to the need for a review of the existing Tell Us Once service and the creation of a universal priority service register to streamline death-related notifications across government and private sectors. It argued that the Bill presents an opportunity to address these issues through improved data-sharing and online death registration. Significant statistics illustrate the scale of the problem, showing a large percentage of bereaved people struggling with numerous administrative tasks. It urges the Government, as I do, to commit to implementing those changes to reduce the burden on bereaved families.
Bereaved people face many practical and administrative responsibilities and tasks after a death, which are often both complex and time sensitive. This Bill presents an opportunity to improve the way in which information is shared between different public and private service providers, reducing the burden of death administration.
When someone dies, the Tell Us Once service informs the various parts of national and local government that need to know. That means the local council stops charging council tax, the DVLA cancels the driving licence, the Passport Office cancels the passport, et cetera. Unfortunately, Tell Us Once is currently not working across all Government departments and does not apply to Northern Ireland. No updated equality impact assessment has ever been undertaken. While there are death notification services in the private sector, they are severely limited by not being a public service programme—and, as a result, there are user costs associated, adding to bereaved people’s financial burden and penalising the most struggling families. There is low public awareness and take-up among all these services, as well as variable and inconsistent provision by the different companies. The fact that there is not one service for all public and private sector notifications means that dealing with the deceased’s affairs is still a long and painful process.
The Bill should be amended to require Ministers to carry out a review into the current operation and effectiveness of the Tell Us Once service, to identify any gaps in its operation and provisions and make recommendations as to how the scope of the service could be expanded. Priority service registers are voluntary schemes which utility companies create to ensure that extra help is available to certain vulnerable customers. The previous Government recognised that the current PSRs are disjointed, resource intensive and duplicative for companies, carrying risks of inconsistencies and can be “burdensome for customers”.
That Government concluded that there is “significant opportunity to improve the efficiencies and delivery of these services”. The Bill is an opportunity for this Government to confirm their commitment to implementing a universal priority services register and delivering any legislative measures required to facilitate it. A universal PSR service must include the interests of bereaved people within its scope, and charitable voluntary organisations such as Marie Curie, which works to support bereaved people, should be consulted in its development.
I have some questions to the Minister. First, what measures does this Bill introduce that will reduce the administrative burden on bereaved people after the death of a loved one? Secondly, the Tell Us Once service was implemented in 2010 and the original equality impact assessment envisaged that its operation should be kept under review to reflect the changing nature of how people engage with public services, but no review has ever happened. Will the Minister therefore commit the Government to undertake a review of Tell Us Once? Thirdly, the previous Government’s Smarter Regulation White Paper committed to taking forward a plan to create a “shared once” support register, which would bring together priority service registers. Will the Minister commit this Government to taking that work forward? I beg to move.
Lord Stevenson of Balmacara (Lab)
My Lords, it occurred to me when the noble Lord was speaking that we had lost a valuable member of our Committee. This could not be the noble Lord, Lord Clement-Jones, who was speaking to us just then. It must have been some form of miasma or technical imposition. Maybe his identity has been stolen and not been replaced. Normally, the noble Lord would have arrived with a short but punchy speech that set out in full how the new scheme was to be run, by whom, at what price, what its extent would be and the changes that would result. The Liberal future it may have been, but it was always delightful to listen to. I am sad that all the noble Lord has asked for here is a modest request, which I am sure the noble Baroness will want to jump to and accept, to carry out a review—as if we did not have enough of those.
Seriously, I once used the service that we have been talking about when my father-in-law died, and I found it amazing. It was also one that I stumbled on and did not know about before it happened. Deaths did not happen often enough in my family to make me aware of it. But, like the noble Lord, Lord Clement-Jones, I felt that it should have done much more than what it did, although it was valuable for what it did. It also occurred to me, as life moved on and we produced children, that there would be a good service when introducing a new person—a service to tell you once about that, because the number of tough issues one has to deal with when children are born is also extraordinary and can be annoying, if you miss out on one—particularly with the schooling issues, which are more common these days than they were when my children were being born.
I endorse what was said, and regret that the amendment perhaps did not go further, but I hope that the Minister when she responds will have good news for us.
Viscount Camrose (Con)
I thank the noble Lord, Lord Clement-Jones, for raising this, and the noble Lord, Lord Stevenson, for raising the possibility that we are in the presence of a digital avatar of the noble Lord, Lord Clement-Jones. It is a scary thought, indeed.
The amendment requires a review of the operation of the Tell Us Once programme, which seeks to provide a simpler mechanism for citizens to pass information regarding births and deaths to the Government. It considers whether the pioneering progress of Tell Us Once could be extended to non-public sector holders of data. When I read the amendment, I was more cynical than I am now, having heard what the noble Lord, Lord Clement-Jones, had to say. I look forward to hearing the Minister’s answers. I take the point from the noble Lord, Lord Stevenson, that we do not necessarily need another review—but now that I have heard about it, it feels a better suggestion than I thought it was when reading about it.
I worry that expanding this programme to non-public sector holders of data would be a substantial undertaking; it would surely require the Government to hold records of all the non-public sector organisations that have retained and processed an individual’s personal data. First, I am not sure that this would even be possible—or practicable, anyway. Secondly, I am not sure that it would end up being an acceptable level of state surveillance. I look forward to hearing the Minister’s response but I am on the fence on this one.
Data (Use and Access) Bill [HL]
Lord Stevenson of Balmacara ExcerptsTuesday 19th November 2024
(2 months, 4 weeks ago)
Lords ChamberRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Stevenson of Balmacara (Lab)
My Lords, it is a feature of your Lordships’ House that certain topics and Bills within them tend to attract a small and very intense group of persons, who get together to talk a language that is not generally understood by the rest of the world—certainly not by the rest of this House—and get down to business with an enthusiasm and attitude which is very refreshing. I am seeing smiles from the other side of the House. This is not meant to be in any way a single-party point—just a very nice example of the way in which the House can operate.
I have already been struck today, as I am sure have others in the group that I am talking about—who know who they are—by the recognition that we have perhaps been a little narrow in our thinking. A couple of the speeches today have brought a new thought and a new sense of engagement with this particular subject and the others we deal with. We need to be aware of that, and I am very grateful to those noble Lords. In addition, I am grateful to the repeating by the noble Lord, Lord Knight, of the speeches he had to make in 2018 and subsequent dates, and also the wonderfully grumpy speech from the noble Baroness, Lady Kidron. We have also got to take into account what we got wrong on joining the European market—which I certainly look forward to. It is a serious point.
I am also very grateful to my noble friend the Minister for setting out the new Government’s vision for data protection, for her letters—which have been very useful—and for her help in setting up the meeting I had with her officials, which I found very useful indeed. Our Minister has done a really good job in getting the Bill ready so quickly. It is good that some of the more egregious measures included in the previous Bill—particularly the changes on direct marketing during elections and the extensive access to bank account details—have gone. There are indeed some good extras as well.
We have already had some excellent speeches setting out some concerns. I have one major concern about the current Bill and three rather lesser issues which I suspect will need further debate and discussion in Committee. I will cover them quite briefly. My major concern is that, although the Bill has the intention to boost growth and productivity, and also makes a valiant attempt to provide a unified set of rules and regulations on data processing, it may in the process have weakened the protections that we want to see here in the exploitation of personal data. Data, as other noble Lords have said, is of course not just for growth and prosperity. There will be, as we have heard, clear, practical benefits in making data work for the wider social good and for the empowerment of working people. There is huge potential for data to revitalise the public services. Indeed, I liked the point made by the noble Lord, Lord Knight, that data is in some way an asset missing from the balance sheet on many operations, and we need to think carefully about how best we can configure that to make sure that the reality comes to life.
There has been, of course, a huge change. We have moved into the age of AI, but we do not have the Bill in front of us that will deal with that. The GDPR needs a top-to-toe revision so that we can properly regulate data capture, data storage, and how it may be best shared in the public interest. As an example of that, following the Online Safety Act we have a new regulator in Ofcom with the power to regulate technology providers and their algorithmic impacts. The Digital Markets, Competition and Consumers Act has given the Competition and Markets Authority new and innovative powers to regulate commercial interests, which we heard about yesterday at an all-party group. However, this Bill has missed the opportunity to strengthen the role of the ICO so we can provide a third leg capable of regulating the use of data in today’s AI-dominated world. This is a gap that we need to think very carefully about.
I hope my noble friend the Minister will acknowledge that there is a long way to go if this legislation is to earn public confidence and if our data protection regime is to work not just for the tech monopolies but for small businesses, consumers, workers and democracy. We must end the confusion, empower the regulators, and in turn empower Parliament.
There are three specific issues, and I will go through them relatively quickly. The first is on Clauses 67 and 68, already referred to, where the Bill brings in wording from Recital 159 of the GDPR—as we inherited it from the EU. This sets out how the processing of personal data for scientific research purposes should be interpreted. The recital is drafted in extraordinarily broad terms, including
“technological development and demonstration, fundamental research, applied research and privately funded research”.
It specifically mentions that:
“Scientific research purposes should also include studies conducted in the public interest in the area of public health”.
The latest ICO guidance, which contains a couple of references to commercial scientific research, says that such research
“can also include research carried out in commercial settings, and technological development, innovation and demonstration”.
However, we lack a definition, and it is rather curious that the definition of research does exist elsewhere in statute in the UK laws. It is necessary in order to fund the research councils, for example. It is also part of the process of the tax code in order to get research benefits and tax benefits for research. So, we have a definition somewhere else, but somehow the Bill avoids that and tries to go down a clarification route of trying to bring forward into the current legislation that which is already the law—according to those who have drafted it—but which is of course so complicated that it cannot be understood. I think the Government’s thinking is to provide researchers with consistency, and they say very firmly that the Bill does not create any new permissions for using or reusing data for research purposes. In my meeting with officials, they were insistent that these clauses are about fine-tuning the data protection framework, making clarifications and small-scale changes but reducing uncertainties.
I agree that it is helpful to have the key provisions—currently buried, as they are, in the recitals—on the face of the Bill, and it may be that the new “reasonableness” test will give researchers greater clarity. Of course, we also retain the requirement that research must be in the public interest. But surely the issue that we need to address is whether the Bill, by incorporating new language and putting in this new “reasonableness” test, will permit changes to how data held by the NHS, including patients’ medical records, could be used and shared. It may be that the broad definition of “scientific research”, which can be “publicly or privately funded” and “commercial or non-commercial” inadvertently waters down consent protections and removes purpose-limitation safeguards. Without wishing to be too alarmist, we need to be satisfied that these changes will not instigate a seismic change in the rules currently governing NHS data.
It is relevant to note that the Government have stated in a separate way an intention to include in the next NHS 10-year plan significant changes as to how patients’ medical records are held and how NHS data is used. Launching a “national conversation” about the plans, the Secretary of State, my right honourable friend Wes Streeting MP, highlighted a desire to introduce electronic health records called “patient passports” and to work “hand in hand” with the private sector to use data to develop new treatments. He acknowledged that these plans would raise concerns about privacy and about how to get the
“best possible deal for the NHS in return”
for private sector access to NHS data. The details of this are opaque. As currently drafted, the Bill is designed to enable patient passports and sharing of data with private companies, but to my mind it does not address concerns about patient privacy or private sector access to health data. I hope we can explore that further in Committee and be reassured.
My second point concerns the unlicensed use of data created by the media and broader creative industries by developers of the large language models—this has already been referred to. UK copyright law is absolutely clear that AI developers must obtain a licence when they are text or data mining—the technique used to train AI models. The media companies have suggested that the UK Government should introduce provisions to ensure that news publishers and others can retain control over their data; that there must be significant penalties for non-compliance; and that AI developers must be transparent about what data their crawlers have “scraped” from websites—a rather unpleasant term, but that is what they say. Why are the Government not doing much more to stop what seems clearly to be theft of intellectual property on a mass scale, and if not in this Bill, what are their plans? At a meeting yesterday of the APPG which I have already referred to, it was clear that the CMA does not believe that it is the right body to enforce IP law. But if it is not, who is, and if there is a gap in regulatory powers, should this Bill not be used to ensure that the situation is ameliorated?
My third and final point is about putting into statute the previous Government’s commitments about regulating AI, as outlined in the rather good Bletchley declaration. Does my noble friend not agree that it would be at least a major statement of intent if the Bill could begin to address
“the protection of human rights, transparency and explainability, fairness, accountability, regulation, safety, appropriate human oversight, ethics, bias mitigation, privacy and data protection”?
These are all points raised in the Bletchley declaration. We will need to address the governance of AI technologies in the very near future. It does not seem wise to delay, even if the detailed approach has yet to be worked through and consulted upon. At the very least, as has been referred to, we should be picking up the points made by the Ada Lovelace Institute about: the inconsistent powers across regulators; the absence of regulators to enforce the principles such as recruitment and employment, or diffusely regulated areas of public service such as policing; the absence of developer-focused obligations; and the absence and high variability of meaningful recourse mechanisms when things go wrong, as they will.
When my noble friend Lord Knight of Weymouth opened the Second Reading of the last Government’s data protection Bill, he referred to his speech on the Second Reading during the passage of the 2018 Act—so he has been around for a while. He said:
“We need to power the economy and innovation with data while protecting the rights of the individual and of wider society from exploitation by those who hold our data”.—[Official Report, 19/12/23; col. 2164.]
For me, that remains a vision that we need to realise. It concerns me that the Bill will not achieve that.
Baroness Jones of Whitchurch (Lab)
My Lords, I thank all noble Lords for what has genuinely been a fascinating, very insightful debate. Even though I was part, I think, of my noble friend Lord Stevenson’s gang that has been working on this for some time, one learns new things, and I have learned new things again today about some of the issues that are challenging us. So I thank noble Lords for their contributions this evening, and I am very pleased to hear that a number of noble Lords have welcomed the Government’s main approach to the Bill, though of course beyond that there are areas where our concerns will diverge and, I am sure, be subject to further debate. I will try to clarify the Government’s thinking. I am sure noble Lords will understand, because we have had a very wide-ranging discussion, that if I am not able to cover all points, I will follow those up in writing.
I shall start with smart data. As was raised by my noble friend Lord Knight of Weymouth, and other noble Lords, the Government are keen to establish a smart data economy that brings benefits to consumers across all sectors.
Through the Smart Data Council, the Government are working closely to identify areas where smart data schemes might be able to bring more benefits. I think the point was made that we are perhaps not using it sufficiently at the moment. The Government intend to communicate where and in what ways smart data schemes can support innovation and growth and empower customers across a spectrum of markets—so there is more work to be done on that, for sure. These areas include providing the legislative basis for the fuel finder service announced by the Department for Energy Security and Net Zero, and supporting an upcoming call for evidence on the smart data scheme for the energy sector. Last week, the Government set out their priorities for the future of open banking in the national payments vision, which will pave the way for the UK to lead in open finance.
I turn now to digital identity, as raised by the noble Earl, Lord Erroll, and a number of other noble Lords. The measures in the Bill aim to help people and businesses across Britain to use innovative digital identity technologies and to realise their benefits with confidence. As the noble Lord, Lord Arbuthnot, said, the Bill does not make digital identities mandatory. The Bill will create a legislative structure of standards, governance and oversight for digital verification services that wish to appear on a government register, so that people will know what a good digital identity looks like. It is worth saying that a lot of these digital verification schemes already exist; we are trying to make sure that they are properly registered and have oversight. People need to know what a good digital identity looks like.
The noble Lord, Lord Arbuthnot, raised points about Sex Matters. Digital verification services can be used to prove sex or gender in the same way that individuals can already prove their sex using their passport, for example. Regarding the concerns of the noble Lord, Lord Vaux, about the inclusion of non-digital identity, the Government are clear that people who do not want to use digital identity or the digital verification services can continue to access services and live their daily lives referring to paper documents when they need to. Where people want to use more technology and feel left behind, DSIT is working hard to co-ordinate government work on digital inclusion. This is a high priority for the Government, and we hope to come back with further information on that very soon.
The Office for Digital Identities and Attributes has today published its first digital identity inclusion monitoring report. The results show a broadly positive picture of inclusion at this early stage of the markets, and its findings will inform future policy interventions.
I would like to reassure the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, that NUAR takes advantage of the latest technologies to ensure that data is accessed only for approved purposes, with all access audited. It also includes controls, developed in collaboration with the National Protective Security Authority, the National Cyber Security Centre and the security teams of asset owners themselves.
We had a very wide-ranging debate on data protection issues, and I thank noble Lords for their support for our changes to this legislation. The noble Viscount, Lord Camrose, and others mentioned delegated powers. The Government have carefully considered each delegated power and the associated parliamentary procedure and believe that each is proportionate. The detail of our rationale is set out in our delegated powers memorandum.
Regarding the concerns of the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, about the effect of the legislation on SMEs, we believe that small businesses would have struggled with the lack of clarity in the term “high-risk processing activities” in the previous Bill, which could have created more burdens for SMEs. We would prefer to focus on how small businesses can be supported to comply with the current legislation, including through user-friendly guidance on the ICO’s small business portal.
Many noble Lords, including the noble Viscount, Lord Camrose, the noble and learned Lord, Lord Thomas, and the noble Lord, Lord Vaux, raised EU adequacy. The UK Government recognise the importance of retaining our personal data adequacy decisions from the EU. I reassure the noble Lord, Lord Vaux, and my noble friend Lord Bassam that Ministers are already engaging with the European Commission, and officials will actively support the EU’s review process in advance of the renewal deadline next year. The free flow of personal data between the UK and the EU is one of the underpinning actions that enables research and innovation, supports the improvement of public services and keeps people safe. I join the noble Lord, Lord Vaux, in thanking the European Affairs Committee for its work on the matter. I can reassure him and the committee that the Secretary of State will respond within the required timeframe.
The noble Lord, Lord Bethell, and others raised international data transfers. Controllers and processors must take reasonable and proportionate steps to satisfy themselves that, after the international transfer, the level of protection for the data subject will be “not materially lower” than under UK data protection law. The Government take their responsibility seriously to ensure that data and its supporting infrastructure are secure and resilient.
On the question from the noble Viscount, Lord Colville, about the new recognised legitimate interest lawful ground, the entire point of the new lawful ground is to provide more legal certainty for data controllers that they are permitted to process personal data for the activities mentioned in new Annexe 1 to the UK GDPR. However, the processing must still be necessary and proportionate and meet all other UK GDPR requirements. That includes the general data protection principles in Article 5 of the UK GDPR, and the safeguards in relation to the processing of special category data in Article 9.
The Bill has significantly tightened up on the regulation-making power associated with this clause. The only processing activities that can be added to the list of recognised legitimate interests are those that serve the objectives of public interest, as described in Article 23(1) of the UK GDPR. The Secretary of State would also have to have regard to people’s rights and the fact that children may be less aware of the risks and consequences of the processing of their data before adding new activities to the list.
My noble friends Lord Davies of Brixton and Lord Stevenson of Balama—do you know, I have never had to pronounce his full name—Balmacara, raised NHS data. These clauses are intended to ensure that IT providers comply with relevant information standards in relation to IT use for health and adult social care, so that, where data is shared, it can be done in an easier, faster and cheaper way. Information standards create binding rules to standardise the processing of data where it is otherwise lawful to process that data. They do not alter the legal obligations that apply in relation to decisions about whether to share data. Neither the Department of Health and Social Care nor the NHS sells data or provides it for purely commercial purposes such as insurance or marketing purposes.
With regard to data assets, as raised by the noble Baroness, Lady Kidron, and my noble friend Lord Knight of Weymouth, the Government recognise that data is indeed one of the most valuable assets. It has the potential to transform public services and drive cutting-edge innovation. The national data library will unlock the value of public data assets. It will provide simple, secure and ethical access to our key public data assets for researchers, policymakers and businesses, including those at the frontier of AI development, and make it easier to find, discover and make connections across those different databases. It will sit at the heart of an ambitious programme of reform that delivers the incentives, investment and leadership needed to secure the full benefits for people and the economy.
The Government are currently undertaking work to design the national data library. In its design, we want to explore the best models of access so that public sector data benefits our society, much in the way that the noble Baroness, Lady Kidron, outlined. So, decisions on its design and implementation will be taken in due course.
Regarding the concerns of the noble Lord, Lord Markham, about cybersecurity, as announced in the King’s Speech, the Government will bring forward a cybersecurity and resilience Bill this Session. The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected.
The noble Baroness, Lady Kidron, the noble Viscount, Lord Colville, and my noble friend Lord Stevenson of Balmacara, asked about the Government’s plans to regulate AI and the timing of this legislation. As set out in the King’s Speech, the Government are committed to establishing appropriate legislation for companies developing the most powerful AI systems. The Government will work with industry, civil society and experts across the UK before legislation is drawn up. I look forward to updating the House on these proposals in due course. In addition, the AI opportunities action plan will set out a road map for government to capture the opportunities of AI to enhance growth and productivity and create tangible benefits for UK citizens.
Regarding data scraping, as raised by the noble Baroness, Lady Kidron, the noble Viscount, Lord Colville of Culross, and others, although it is not explicitly addressed in the data protection legislation, any such activity involving personal data would require compliance with the data protection framework, especially that the use of data must be fair, lawful and transparent.
A number of noble Lords talked about AI in the creative industries, particularly the noble Lords, Lord Holmes and Lord Freyberg—
Lord Stevenson of Balmacara (Lab)
I am sorry to interrupt what is a very fluent and comprehensive response. I do not want to break the thread, but can I press the Minister a little bit on those companies whose information which is their intellectual property is scraped? How will that be resolved? I did not pick up from what the Minister said that there was going to be any action by the Government. Are we left where we are? Is it up to those who feel that their rights are being taken away or that their data has been stolen to raise appropriate action in the courts?
Baroness Jones of Whitchurch (Lab)
I was going to come on to some of those issues. Noble Lords talked about AI in the creative industries, which I think my noble friend is particularly concerned about. The Government are working hard on this and are developing an effective approach that meets the needs of the UK. We will announce more details in due course. We are working closely with relevant stakeholders and international partners to understand views across the creative sector and AI sectors. Does that answer my noble friend’s point?
Lord Stevenson of Balmacara (Lab)
With respect, it is the narrow question that a number of us have raised. Training the new AI systems is entirely dependent on them being fed vast amounts of material which they can absorb, process and reshape in order to answer questions that are asked of them. That information is to all intents and purposes somebody else’s property. What will happen to resolve the barrier? At the moment, they are not paying for it but just taking it—scraping it.
Baroness Kidron (CB)
Perhaps I may come in too. Specifically, how does the data protection framework change it? We have had the ICO suggesting that the current framework works perfectly well and that it is the responsibility of the scrapers to let the IP holders know, while the IP holders have not a clue that it is being scraped. It is already scraped and there is no mechanism. I think we are a little confused about what the plan is.
Social Media: Catfishing
Lord Stevenson of Balmacara Excerpts(3 months, 2 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Baroness Jones of Whitchurch (Lab)
Ofcom published its latest vision of the media literacy strategy just a couple of months ago, so its implementation is very much in its infancy. The Government very much support it and we will work with Ofcom very closely to roll it out. So Ofcom has a comprehensive media literacy strategy on these issues, but as we all know, schools have to play their part as well: it has to be part of the curriculum. We need to make sure that children are kept safe in that way.
The noble Viscount referred to AI. The rules we have—the Online Safety Act and so on—are tech-neutral in the sense that, even if an image is AI generated, it would still fall foul of that Act; it does not matter whether it is real or someone has created it. Also, action should be taken by the social media companies to take down those images.
Lord Stevenson of Balmacara (Lab)
My Lords, as a survivor of the seven-year long period during which the Online Safety Act was developed, I have to confess that I do not think we ever came across the word “catfishing”. In a quick moment, I looked it up on Google—and, of course, it has not even reached Google yet. It talks about those who wish to catch fish, rather than catfishing. I make a joke, but this is a serious issue and the Minister is trying to address it very fairly. The problem is that the technology is so efficient and quick that the offences are moving ahead of our ability as legislators to make the necessary laws. The key element of the Online Safety Act is that that which is illegal offline is also illegal online. When will we see the necessary offence on the statute book?
Baroness Jones of Whitchurch (Lab)
My noble friend is quite right about the expression “catfishing”. I had to check the definition before I came here today, and for anyone who wants that clarification, it is when someone sets up a fake online identity and uses it to trick and control others. It covers a whole range of offences, including scamming people out of money, blackmailing them or trying to harm them in another way.
On my noble friend’s general point, yes, we are of course looking at how we can match online safety with offline safety; that is part of ongoing work. But for the time being, as I have said several times from the Dispatch Box, rolling out the Online Safety Act is the crucial thing. We are within touching distance, and it will make a huge difference when it is fully implemented. That is our priority at this time.
Communications Act 2003 (Disclosure of Information) Order 2024
Lord Stevenson of Balmacara Excerpts(3 months, 2 weeks ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Stevenson of Balmacara (Lab)
My Lords, I begin with a comment that I hope will not be taken badly by either my noble friend the Minister or the large number of civil servants who have been involved in this Bill over the years. Colleagues may recall that the Bill took seven years to pass through the various processes and procedures of Parliament, including initial Green Papers and White Papers and then scrutiny by the Joint Select Committee, of which my noble friend opposite was also a member, and it seems slightly surprising and a bit odd that we are dealing with what seems to be an administrative oversight so late in the process. I do not expect a serious response from the Minister on that, but I wanted to put on the record that we are still very much aware of the fact that legislation has its faults and sometimes needs to be corrected, and we should perhaps be humble in expecting that the material we finally agree in Parliament is indeed the last word on things.
Having said that, I think I follow the noble Lord, Lord Clement-Jones, on this point: the subsequent legal analysis, which has identified a potential gap in provision on this instrument, tries to tidy it up but, in doing so, has left me a bit confused. I simply ask the Minister to make it clear to me when she responds that I am reading it correctly. The worry that has been exposed by this subsequent legal analysis is about the sharing of information when Ofcom is using its powers to address issues with the companies with which it has an engagement. Indeed, the whole purpose of the Bill is to ensure that companies are taking their burden of making sure that the Bill works in practice. There may be a deficiency in terms of what the Secretary of State has separate powers to do, but my confusion is that the Explanatory Memorandum says:
“The Secretary of State has several key functions relating to the implementation of the framework under the”
Online Safety Act. It is obviously sensible, therefore, that the sharing of information that Ofcom gathers is available for that. But is that all the powers of the Secretary of State or only the powers of the Secretary of State in relation to the Online Safety Act? The Explanatory Memorandum says:
“If Ofcom were not able to share business information relating to these areas”—
that is, the areas directly affected by the Online Safety Act—
“there is a risk that implementation and review of the framework could be delayed or ineffective”.
I accept the general point, but, to pull up the point made by the noble Lord, Lord Clement-Jones, is this an open invitation for Ofcom to share information that does not relate to its powers in relation to the Online Safety Act with the Secretary of State and, therefore, something for the Secretary of State to take on as a result of a slightly uncertain way of doing it? Are there are any restrictions to this power as set out in that paper? I could mention other points where it comes up, but I think my point is made.
The noble Lord, Lord Clement-Jones, also touched on the point that this is a power for Ofcom to share with the Secretary of State responsible for Ofcom, which is fair enough, but, as the Explanatory Memorandum points out:
“There are also certain functions relating to definitions conferred on Scottish and Welsh Ministers and Northern Ireland departments”—
presumably now Ministers—which may also be “relevant persons” of the Act, but we are not given much on that, except that
“these are unlikely to require business information for their exercise”.
I would like a bit more assurance on that. Again, that might be something for which the department is not prepared and I am quite happy to receive a letter on it, but my recollection from the discussions on the Online Safety Bill in this area, particularly in relation to Gaelic, was that there were quite a lot of powers that only Scottish Ministers would be able to exercise, and therefore it is quite possible that business activities which would not be UK-wide in their generality and therefore apropos of the Secretary of State might well be available to Ofcom to share with Scottish Ministers. If it is possible to get some generic points about where that is actually expected to fall, rather than simply saying that it is unlikely to require business information, I would be more satisfied with that.
Viscount Camrose (Con)
My Lords, I thank the Minister for setting out this instrument so clearly. It certainly seems to make the necessary relatively simple adjustments to fill an important gap that has been identified. Although I have some questions, I will keep my remarks fairly brief.
I will reflect on the growing importance of both the Online Safety Act and the duty we have placed on Ofcom’s shoulders. The points made by the noble Lord, Lord Clement-Jones, about the long-standing consequential nature of the creation of Ofcom and the Communications Act were well made in this respect. The necessary complexity and scope of the work of Ofcom, as our online regulator, has far outgrown what I imagine was foreseeable at the time of its creation. We have given it the tasks of developing and enforcing safety standards, as well as issuing guidance and codes of practice that digital services must follow to comply with the Act. Its role includes risk assessment, compliance, monitoring and enforcement, which can of course include issuing fines or mandating changes to how services operate. Its regulatory powers now allow it to respond to emerging online risks, helping to ensure that user-protection measures keep pace with changes in the digital landscape.
In recognising the daily growing risk of online dangers and the consequent burdens on Ofcom, we of course support any measures that bring clarity and simplicity. If left unaddressed, the identified gap here clearly could lead to regulatory inefficiencies and delays in crucial processes that depend on accurate and up-to-date information. For example, setting appropriate fee thresholds for regulated entities requires detailed knowledge of platform compliance and associated risks, which would be challenging to achieve without full data access. During post-implementation reviews, a lack of access to necessary business information could hamper the ability to assess whether the Act is effectively achieving its safety objectives or whether adjustments are needed.
That said, I have some questions, and I hope that, when she rises, the Minister will set out the Government’s thinking on them. My first question very much picks up on the point made—much better than I did—by the noble Lord, Lord Stevenson of Balmacara. It is important to ensure that this instrument does not grant unrestricted access to business information but, rather, limits sharing to specific instances where it is genuinely necessary for the Secretary of State to fulfil their duties under the Act. How will the Government ensure this?
Secondly, safeguards, such as data protection laws and confidentiality obligations under the Communications Act 2003, must be in place to guarantee that any shared information is handled responsibly and securely. Do the Government believe that sufficient safeguards are already in place?
Thirdly, in an environment of rapid technology change, how do the Government plan to keep online safety regulation resilient and adaptive? I look forward to hearing the Government’s views on these questions, but, as I say, we completely welcome any measure that increases clarity and simplicity and makes it easier for Ofcom to be effective.
Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2024
Lord Stevenson of Balmacara Excerpts(3 months, 2 weeks ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Stevenson of Balmacara (Lab)
My Lords, I started my discussion on the previous instrument on a slightly negative note. I want to change gear completely now and say how nice it is to see the first of the SIs relating to the Online Safety Act come forward. I welcome that.
Having said that, may I inquire what the Government’s intention is in relation to the Parkinson rule? I think I am correct in saying that we wish to see in place an informal but constant process by the Government when they bring forward legislation under the Online Safety Act, which would be offered to the standing committees so that they could comment and make advice available to Ministers before the Secretary of State finally approved any such legislation. This would primarily be concerned with the codes of practice, but this is exactly the sort of issue, well exemplified by the noble Baroness, Lady Owen, where there is still some concern about the previous Government’s approach to this Bill.
If I recall, this rule was in one of the later amendments brought in towards the end of the process. Rather unlike the earlier stuff, which was seven years in the making, this was rushed through in rather less than seven weeks as we got to the end of discussions on the Online Safety Bill. To get the deal that we all, across the political parties, hoped would happen, and so that the country would benefit from the best possible Act we could get out of the process, there were a number of quite late changes, including the question about deepfake issues, which was not given quite the scrutiny that it could have had. Of course, we are now receiving discussion and debate on those issues, and it is important that we understand them and the process that the Government will take to try to resolve them.
This question of having consent was hotly debated by those who led on it during the time the Bill was before your Lordships’ House. I felt the arguments very clearly came out in favour of those who argued that the question of consent, as mentioned by the noble Lord, Lord Clement-Jones, really is not relevant to this. The offence is caused by the circulation of material, and the Act should contain powers sufficient for the Secretary of State to be satisfied that Ofcom, in exercising its regulatory functions, has the powers to take down this material where it is illegal.
There are two issues tied up in that. I think all of us who have spoken in this debate are concerned that we have not really got to the end of the discussion on this, and we need to have more. Whether through the Private Member’s Bill that we will hear about in December or not, the Government need to get action on that. They need to consult widely with the committees, both in the Commons and here, to get the best advice. It may well be that we need further debate and discussion in this House to do so.
Having said that, the intention to clarify what exactly is legal lies at the heart of the Online Safety Act. The Act will not work and benefit the country if we go back to the question of legal but harmful. The acid test for how the material is to be treated by those who provide services to this country has to be whether it is legal. If it is illegal, it must be taken down, and there must be powers and action specifically for that to happen. It is unfortunate that, if material is not illegal, it is a matter not for the Government or Parliament but for the companies to ensure that their terms of service allow people to make judgments about whether they put material on their platforms. I hope that still remains the Government’s position. I look forward to hearing the Minister’s response.
Viscount Camrose (Con)
My Lords, I shall also start on a positive note and welcome the ongoing focus on online safety. We all aim to make this the safest country in the world in which to be online. The Online Safety Act is the cornerstone of how all of us will continue to pursue this crucial goal. The Act imposed clear legal responsibilities on social media platforms and tech companies, requiring them actively to monitor and manage the content they host. They are required swiftly to remove illegal content and to take proactive measures to prevent harmful material reaching minors. This reflects the deep commitment that we all share to safeguarding children from the dangers of cyberbullying, explicit content and other online threats.
We must also take particular account of the disproportionate harm that women and girls face online. The trends regarding the online abuse and exploitation that disproportionately affect female users are deeply concerning. Addressing these specific challenges is essential if we are to create a truly safe online environment for everyone.
With respect to the Government’s proposed approach to making sharing intimate images without consent a priority offence under the Online Safety Act, this initiative will require social media companies promptly to remove such content from their platforms. This aims to curb the rise in abuse that has been described as “intolerable”—I think rightly—by the Secretary of State. The intent behind this measure is to prevent generations becoming “desensitised” to the devastating effects of online abuse.
Although this appears to signal a strong stance against online harm, it raises the question of what this designation truly accomplishes in practical terms. I am grateful to the Minister for setting this out so clearly. I am not entirely sure that I altogether followed the differences between the old offences and the new ones. Sharing intimate images without consent is already illegal under current laws. Therefore, can we not say that the real issue lies in the absence not of legal provision but of effective enforcement of existing regulation? We have to ensure that any changes we make do not merely add layers of complexity but genuinely strengthen the protections available to victims and improve the responsiveness of platforms in removing harmful content.
With these thoughts in mind, I offer five questions. I apologise; the Minister is welcome to write as necessary, but I welcome her views whether now or in writing. First, why is it necessary to add the sharing of intimate images to the list of priority offences if such acts are already illegal under existing legislation and, specifically, what additional protections or outcomes are expected? The Minister gave some explanation of this, but I would welcome digging a little deeper into that.
Secondly, where consent is used as a defence against the charge of sharing intimate images, what are the Government’s thoughts on how to protect victims from intrusive cross-examination over details of their sexual history?
Thirdly, with respect to nudification technology, the previous Government argued that any photoreal image was covered by “intimate image abuse”—the noble Lord, Lord Clement-Jones, touched on this issue well. Is there any merit in looking at that again?
Fourthly, I am keen to hear the Government’s views on my noble friend Lady Owen’s Private Member’s Bill on nudification. We look forward to debating that in December.
Fifthly, and lastly, what role can or should parents and educators play in supporting the Act’s objectives? How will the Government engage these groups to promote online safety awareness?
Digital Markets, Competition and Consumers Bill
Lord Stevenson of Balmacara ExcerptsWednesday 13th March 2024
(11 months ago)
Lords ChamberRead Full debate Digital Markets, Competition and Consumers Act 2024 View all Digital Markets, Competition and Consumers Act 2024 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 47-II Second marshalled list for Report - (11 Mar 2024)
Lord Clement-Jones (LD)
My Lords, it is very good to see the full team back on the trading standards amendments. I congratulate all three noble Lords on their championing of trading standards. They need the powers that are being argued for in these amendments; they are the unsung champions of the consumer, and we should support them.
My main purpose in rising is to speak to Amendments 69, 91, 92 and 152. As regards Amendment 69, on misleadingly similar parasitic packaging, it was encouraging to hear the Minister confirm in Committee that the prohibition of misleading actions in Clause 224 and the banned practice in paragraph 14 of Schedule 19 will address the long-standing unaddressed practice of misleadingly similar packaging.
However, those provisions matter little if they are not enforced. During consultations and the debate on the Consumer Protection from Unfair Trading Regulations 2008, the then Government stressed that public enforcement would be effective and efficient. This has not proved to be the case, with just one enforcement action by trading standards in 2008—albeit a successful one. If shoppers are to be protected from this misleading practice, there must be a realistic expectation that the Bill’s provisions will be enforced.
Historically, the Government have placed the duty on public enforcers. That is unrealistic, as trading standards face diminishing resources. The CMA stated clearly that misleadingly similar packaging is a consumer protection, not an IP, issue, following its investigation of the groceries market in 2008. Yet is has undertaken no hard or soft enforcement and did not include it in its recent scrutiny of the grocery sector; there is no sign that it will take a different approach in the future. There are no other realistic public enforcement options available. For the Bill to make a difference, it is essential that affected branded companies are granted powers to bring civil cases using the Bill’s provisions on the specific practice of misleadingly similar packaging alone. It has been ignored by public enforcers for the last 15 years, despite the many examples that appear year on year. Granting affected brand owners such powers would mean that shoppers would have the protection envisaged by the Bill, and affected brand owners would have more effective redress at no cost to the taxpayer.
Amendments 91 and 92 concern an area of concern for the retail industry, expressed by its representative body, the British Retail Consortium, in which I was an active participant more years ago than I care to remember. The well-established and well-used primary authority system enables a business to request assured advice from a primary authority that it has appointed. Provided that the business follows the advice, it cannot be prosecuted by any local authority for its actions. Under the Bill, the CMA will receive additional powers on consumer protection, whereby it will move to administrative fines that are potentially very high. I am informed that the CMA currently refuses either to provide assured advice of its own or to accept primary authority advice. It says that it may not agree with the advice and that it would be too costly, ignoring the fact that it is at a cost to the business. That undermines the primary authority system and will do so even further when the CMA receives its new fining powers because businesses will feel unable to rely totally on primary authority advice for what they are doing in the overlapping areas.
The amendments attempt to deal with that, either by requiring the CMA to provide assured advice itself, as set out in Amendment 91, or, perhaps more practically, by accepting primary authority advice as binding up to the point that it may be repealed if it is shown to be inaccurate, as set out in Amendment 92. That would mean that a business could rely on it for anything it does up to any repeal. It should also be remembered that the CMA can, if it wishes, act as a supporting regulator, whereby it can be called on to provide its view to a primary authority when that authority is looking at providing advice in an area of relevance and overlap to the CMA.
Finally, it should be noted that the CMA has decided to provide what is, in effect, assured advice on competition matters in the sustainability area; namely, it has agreed not to prosecute a business that seeks its advice and follows it in a small area on the competition side. This means that, in principle, the CMA does not seem to be opposed to such an approach. Green claims on the consumer side are a key area of uncertainty for business, an area where assured advice would in fact be most useful.
I turn to my final amendment, Amendment 152. As I explained in Committee, standard essential patents are patents that are necessary to implement an industry standard, such as wifi or 5G. Because the market is locked into a standard, and to prevent abuse of the market power that this situation conveys, SEP owners are required to license their SEPs on fair terms. Unfortunately, there is widespread abuse of this monopoly power by SEP holders. The principal issue raised with me by the Fair Standards Alliance is the threat of injunctions; the costs to many businesses can be ruinous. This tactic not only threatens innovation by UK businesses but represents a strategic risk for UK priorities, such as 5G infrastructure diversification and smart energy network security, by limiting the competing players. The availability of injunctions for SEPs gives foreign SEP holders the ability to prevent others in the UK from entering, succeeding and innovating in those markets.
The Minister, the noble Lord, Lord Offord, gave a somewhat encouraging response in Committee—I keep using the word “encouraging” about his responses, although I keep hoping for better—to the effect that the Government would set out their thinking in the very near future, and that that would include the question of injunctions.
After many months of consultation, the IPO has published its 2024 forward look on this issue. It has reported its findings to Ministers and has agreed key objectives concerning SEPs. Those are
“helping implementers, especially SMEs, navigate and better understand the SEPs ecosystem and Fair Reasonable and Non-Discriminatory (FRAND) licensing … improving transparency in the ecosystem, both pricing and essentiality; and … achieving greater efficiency in respect of dispute resolution, including arbitration and mediation”.
Although the IPO has confirmed that SMEs are especially disadvantaged by the current SEP regulations, it states, disappointingly, on injunctions that
“we have concluded that we will not be consulting on making legislative changes to narrow the use of injunctions in SEPs disputes”,
with very limited justification for the decision, saying simply that it was taken after
“careful consideration of the evidence, operation of relevant legal frameworks and international obligations”.
The Coalition for App Fairness has pointed out to me that a day after the IPO announcement, the European Parliament voted by a large majority to approve its own SEP regulation. The EU framework will include the creation of an SEP register, database and essentiality checks; a defined maximum total royalty for an SEP; and an independent, expert-led conciliation process to establish the fair price for SEPs, which, crucially, will block the use of injunctions while the process is taking place. That seems entirely appropriate. The EU has proved that such a regulatory regime can be delivered; why cannot the UK Government, with all the freedom of Brexit? What is the basis for the IPO decision? What evidence, legal frameworks and international obligations prevent it from dealing with and legislating on injunctions? Why cannot the IPO likewise establish a truly fair SEP licensing ecosystem?
The least the Government can do is give more detail to the many SMEs affected by this decision. The forward look states, rather lamely:
“The IPO will continue engagement with relevant industry and institutions to continue to inform our ongoing policy development and implementation of those actions set out above”.
What on earth does that entail? That is pretty mealy-mouthed. What benefit will there be from that?
Lord Stevenson of Balmacara (Lab)
My Lords, this is a wide-ranging group; there is good news hidden in the middle of it, and bad news—we will have to wait for the Minister to respond to get a full picture. Others have spoken in some depth and so I will not try to repeat what has been said. I certainly will not try to follow the noble Lord, Lord Clement-Jones, whose expertise exceeds the combination of everybody’s in the Chamber at present. On SEPs, I can only stand back in amazement that he has been able to understand what is being recommended by the IPO, let alone to have come forward with a plan that might take us a bit further down the track that we clearly ought to have gone down.
I turn first to the questions the noble Baroness, Lady Bennett, raised, which cut to the heart of what, is in some senses, the purpose of the Bill. I am afraid that she rather weakened her case at the end by saying that it was a much broader basis for debate and discussion than could be encompassed within this Bill; I think she saw it primarily as a way of continuing a much larger battle, and I wish her well with that. In that sense, we do not need to take this forward. However, I hope that the Government are taking note of the impacts that some of the provisions in the Bill are having, in the sense that it is not achieving the aims and objectives, which I think we all share, of making sure that we reduce carbon and try to meet targets which have been set for us in the long term on this. Therefore, greenwashing will continue, but we hope that it will be better in scope and that the focus will be more across the range of government activity.
On imitation packaging, as the noble Lord, Lord Clement- Jones, said, we have also been discussing this for a number of years in various Bills as they have come forward, and it is good that the assertion now is that in Clause 224 and Schedule 19, there will be help. However, the question is, of course, enforcement. I would be grateful if, when the Minister comes to respond, he could give us a bit more information about how that might happen in practice.
The questions raised by the noble Earl, Lord Lindsay, and supported by “the team”, as it was described, are a continuation of debates and discussions we have been having in this House for as long as I have been here—and I certainly have participated in them. It is good to see the government amendments in as far as they go, but the three remaining questions, as raised in Amendments 99, 100 and 101, need answers. I hope the Minister will expand on where the Government have taken us so far and give us some assurances.
Lord Clement-Jones (LD)
My Lords, I am not sure that the Minister has a full brief about the nature of the available enforcement. Will he write to me to provide a few more particulars and give more assurance in this respect?
Lord Stevenson of Balmacara (Lab)
My Lords, it is important that we unpick the point made by the noble Lord, Lord Clement-Jones, which I think was touched on but not addressed by the Minister. If we rely on civil remedies, we are not really addressing the problem that there is, in effect, an opportunity, for those who wish to, to exercise criminality; this surely cannot be left to the civil courts.
Lord Offord of Garvel (Con)
As some clarification is required, I am happy to write further on the matter.
Amendments 70, 71 and 93 to 98 are technical government amendments. The Bill empowers the courts to impose monetary penalties for a breach of consumer law and procedures. To accommodate the different processes by which court orders are served or enforced in Scotland and Northern Ireland, the amendments provide that prescribed penalty information may accompany an order in a separate notice, as well as being contained within it.
On government Amendments 72 to 90, on online interface and the powers of consumer law enforcers to tackle illegal content, I thank noble Lords who have contributed on this important issue. I am pleased to bring forward government Amendments 72 to 90 to give all public designated enforcers take-down powers to tackle infringing online content. The amendments enact the commitment made by the Government in their recent consultation response.
I thank the noble Lord, Lord Clement-Jones, for Amendments 91 and 92. Amendment 91 would require the CMA to provide advice on a business’s compliance with consumer law on request. It would also prevent enforcement action by any enforcer if the advice were complied with. The CMA already provides general guidance and advice on compliance. It is businesses’ responsibility to comply with the law, referring to guidance and seeking independent legal advice where necessary. It would not be appropriate to transform the CMA into a bespoke legal advice service. The amendment would also drain CMA resources from much-needed enforcement activity. Moreover, Amendment 92 compels the CMA to accept primary authority advice received by a business where that advice has been complied with. It is common practice for the CMA to consult the primary authority before taking action; this strikes the right balance and avoids binding the CMA to such advice, thus inappropriately neutering its discretion. I hope the noble Lord will agree that the purpose of a direct enforcement regime is for the CMA to enforce faster and more frequently; these amendments would diminish this objective and remove the deterrent effects of the regime.
Post Office Horizon Scandal: Compensation Payments
Lord Stevenson of Balmacara Excerpts(11 months, 4 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Offord of Garvel (Con)
Perhaps I should have been clearer: the Government are funding this company, Post Office Ltd, to effectively commission a new system to replace Horizon. It might be reasonable to assume that it will not be Fujitsu that does the second system.
Lord Stevenson of Balmacara (Lab)
My Lords, I hope whoever takes on this responsibility will bear in mind the point made by the noble Lord, Lord Forsyth, that there may well be continuing problems deep inside the Post Office systems. I speak as an accountant, and I declare my interest. Basic double-entry accounting systems should never have allowed this system to have occurred. What guarantees can the noble Lord give us that a proper accounting-based system will be put in place of the current Horizon?
Lord Offord of Garvel (Con)
The issue here is that the sub-postmasters and sub-postmistresses who run these shops know their accounts back to front—that is the whole point. They know to a penny what they are doing from one week to the next, which is why perhaps the greatest sadness in this saga was those honourable people being told that they were alone, when in fact there were thousands of them. We are clear now that, in day-to-day operational matters, we do not have these issues. We are clear that we need to put a new system in place, which is what the Government are committed to doing.
Trade (Comprehensive and Progressive Agreement for Trans-Pacific Partnership) Bill [HL]
Lord Stevenson of Balmacara ExcerptsThursday 7th December 2023
(1 year, 2 months ago)
Grand CommitteeRead Full debate Trade (Comprehensive and Progressive Agreement for Trans-Pacific Partnership) Act 2024 View all Trade (Comprehensive and Progressive Agreement for Trans-Pacific Partnership) Act 2024 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 4-I(Rev) Revised marshalled list for Grand Committee - (6 Dec 2023)
Lord Johnson of Lainston (Con)
I apologise to my noble friend, but that is not how I read it. It is linked to designation—that is, if origin and geographical indication conflict with trademarks. It would be logical that “established by use” is in relation to geographical indications. I am afraid that that is how I have read it. I do not think that there is an inconsistency. As with all things, I am very comfortable having a further look at it, but I think it would be an issue if we took out “established by use” and inserted
“in use prior to that date”,
which could result in applications for GIs being rejected under our amended rule, which is not required under CPTPP.
It is important to note that this authority allows the Secretary of State to restrict the use of a geographical indication if it is likely to cause confusion for any GIs that come in after accession or after this Bill becomes an Act. Clearly, she must have an eye to the UK legislative framework. The provision gives her the power to clarify the geographical indications. I do not believe that I have missed anything, but I am probably about to be corrected.
Lord Stevenson of Balmacara (Lab)
You are not—I would not dream of doing so—but I think the point made by the noble Lord is worth further consideration. My—relatively recent—reading of it is that we are pointing in two directions. There is a question about trademarks and how they may or may not be protected consequent on us joining the CPTPP; there is also the question of the very new idea of GIs. They are recent inventions and I do not think we have quite tracked out where they go and what they do. For example, if Melton Mowbray pies are to become a standard under which we take this forward, we need to think quite carefully about what that means in relation to the countries that we are joining, because the tradition there is completely different. I am not saying that the wording is wrong, but it would be helpful to have a discussion offline.
I have always found in these matters—others will have heard me on this—that there is a small group in your Lordships’ House who really understand and like intellectual property. It has a nasty habit of tripping you up if you do not get it right first time round, and we might be in that sort of territory here.
Lord Johnson of Lainston (Con)
I am grateful to the noble Lord. I hope that he does not feel that I have been tripped up by this. I am very comfortable with what we have drafted. It gives protections in the right way for GIs which are established by use, and it clarifies the difference between those and trademarks. As with all things, it is important that we have a deep discussion about this, so I am very comfortable having further debates about it. We will no doubt return to this matter, because it is important. It is not a political point to make but a technical point to ensure that we are doing it in the right way. As the noble Lord rightly pointed out, GIs are a relatively new concept. At the same time, it makes sense to ensure that our historical GIs which have been in established use are properly protected. We have the opportunity to protect them into the future against other GIs that may cause confusion with commercial intent.
I ask the noble Lord to withdraw his amendment, but, clearly, we are happy to have further discussions and I am sure that my officials will engage on that at the first possible opportunity.