Data Protection Bill [HL]
Debate between Lord Stevenson of Balmacara and Lord Arbuthnot of EdromWednesday 15th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Lord Stevenson of Balmacara
I thank your Lordships.
Amendment 108B would prevent regulations under this section being used to amend, repeal or revoke the GDPR after Brexit. This may seem a rather tough charge to lay at the Government’s door. However, concerns about adequacy after Brexit will be so important that it may be in the Government’s best interest to ensure that the Bill contains no hint that the GDPR after Brexit, which will be the responsibility of this Parliament and this Parliament alone, could be amended simply by secondary legislation. If the Government follow this argument they will see that it has a symmetry behind it that encourages the approach taken here, in that when we are a third party and need to rely on an adequacy agreement the GDPR will be seen to be especially ring-fenced.
I will also speak to the other amendments in this group, two of which come from recommendations on delegated legislation made by your Lordships’ House. Amendment 110B is about replacing the current requirement for a negative procedure with a requirement for an affirmative one. In order to explain that, it is probably best if I quote from the report itself. The DPRRC took the view that the framework for the transfer of personal data to third countries should be provided on a test greater than just simply the negative procedure. This is a major issue. One possible example is if the Government were to use the argument that it was in the public interest to transfer bulk personal data held by a UK government department to the agencies of a foreign power—a remote possibility, I know. That would be of interest to the House and probably would need to be debated. The recommendation is that a change should be made from a negative to an affirmative procedure, and that is what this amendment seeks to do.
In a similar vein, the proposal to delete Clause 21 comes from the DPRRC report. The report says that the committee was,
“puzzled by the inclusion of … a suite of delegated powers … to provide by regulations for various exemptions and derogations from the obligations and rights contained in the GDPR which, as noted above, may … be exercised in respect of ‘the applied GDPR’. The memorandum fails to explain why those powers are considered inadequate, or why the Government might need to have recourse to the distinct powers in section 2(2) of the 1972 Act—which allows Ministers to make regulations”,
around EU obligations. The point is that there will be a period after Royal Assent to the Bill and when the country leaves—if it does—the EU in which it is possible that the Government will wish to make regulations. The committee assumes that this clause has been included just in case the Government decide that these powers are required. But the committee goes on to say:
“We consider it unsatisfactory that the Government should seek to take this widely drafted power without explaining properly what it might be used for”.
I therefore call on the Government to do so if it is appropriate at this time.
The final two amendments in the group, Amendments 180A and 180B, play to the same issue: that the powers, however they are finally settled, will still be wide ranging and grant the Government of the day a considerable amount of power to introduce rules by secondary legislation. In a sense, that is inevitable given the way that things are going, and we are not attacking the main principle. The question is around what safeguards would be appropriate. On these powers we think it would be appropriate for the Government to consult not only the commissioner, for which there is a provision, but the data subjects affected by the regulations. This is not a power that is currently there and we recommend that the Government consider it. I beg to move.
Lord Arbuthnot of Edrom (Con)
My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,
“amend, repeal or revoke the GDPR”.
I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.
I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.
I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.
Data Protection Bill [HL]
Debate between Lord Stevenson of Balmacara and Lord Arbuthnot of EdromMonday 30th October 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-I(Rev)(a) Amendment for Committee, supplementary to the revised marshalled list (PDF, 58KB) - (30 Oct 2017)
Lord Arbuthnot of Edrom (Con)
My Lords, I shall speak only to Amendment 188, and I do so because, as so often, I am confused. In Scotland, a person aged 12 is presumed to have capacity to exercise rights under the Data Protection Act 1998, and that position is perpetuated in the Bill. How does that mesh with the general data protection regulations, which provide that consent to process personal data is lawful below the age of 13 only if given by a parent? I think that is the position and that is why I have tabled my probing amendment. Perhaps my noble friend could explain why Scottish children are so much more mature than English children.
I was persuaded by the view expressed by the noble Baroness, Lady Lane-Fox, at Second Reading when she said that we do not want to bring in lots of new and different laws for 13 year-olds and we need to recognise the reality that children will wish to do what their peers are doing. We do not want to incentivise them to tell lies online. So I am perfectly happy with the Government’s position on the age of 13 and just a bit bewildered about Scotland.
Lord Stevenson of Balmacara
As a Scot I can hardly complain, and I am always bewildered, too—not only about this but about many other things. Our Amendment 17 in this group is also one of bewilderment. Clause 8 is headed:
“Child’s consent in relation to information society services”,
and refers to “preventive or counselling services” not being included. This goes back to an earlier amendment, when we established that these references are actually recitals and not part of the substantive GDPR, so we are back in what is not normative language and issues that we cannot possibly talk about in relation to the wider context because we are talking about the law that will apply.
There are three points that need to be made and I would be grateful if the noble Lord would either respond today or write to me about them. The first is to be clear that the reference to “information society services”, which is defined, has nothing in it that would suggest that it is a problem in relation to the lack of inclusion of preventive or counselling services. The answer is probably a straightforward yes. Secondly, what are the preventive or counselling services that we are talking about? I think the context is that these are meant to exclude any data processing relating to a data subject if the data subject concerned—with parental consent if the subject is younger than 13 and on their own if they are older than 13—who is taking a form of counselling that may be related to health or sexual issues would not be allowed to be included. Is my understanding of that right? I am sure that it is.
Thirdly, could we have a better definition of preventive or counselling services because those are very wide-ranging terms? Yes, they come from a recital and perhaps in that sense they can be tracked back to earlier discussions around the formation of the GDPR, but they have to be applied in this country to situations in real life. I am not sure what a preventive service is and I should like to have it explained. Counselling services I probably do get, but do they include face-to-face counselling or is this about only online counselling services? Is it the same if the child is being accompanied by a parent or guardian? There are other issues that come into this and there is a need for clarity on the point.
While I am on my feet I should like to respond to the amendment moved by the noble Baroness, Lady Howe, who has campaigned long and hard on these issues. We would be bereft if she did not enter into this Bill with all its implications for children, given the wisdom and experience that she brings to the table. The point she makes is one of simple clarity. There is a need to be very careful about the evidence gathering on this issue and it is probably not appropriate for it to be left to Ministers in regulations. There needs to be a wider discussion and debate on the matter, perhaps involving the Children’s Commissioner and other persons with expertise. She has made her point very well and I should like to support it.