(7 months, 4 weeks ago)
Grand Committee
It did complete a pilot phase this year. As it operationalises, more and more will sign up. I do not know the actual number that have signed up today, but I will find out.
NUAR does not duplicate existing commercial services. It is a standardised, interactive digital map of buried infrastructure, which no existing service is able to provide. It will significantly enhance data sharing and access efficiency. Current services—
I am concerned. We get the principle behind NUAR, but is there an interface between NUAR and this other service—which, on the face of it, looks quite extensive—currently in place? Is there a dialogue between the two? That seems to be quite important, given that there is some doubt over NUAR’s current scope.
I am not sure that there is doubt over the current scope of NUAR; it is meant to address all buried infrastructure in the United Kingdom. LSBUD does make extensive representations, as indeed it has to parliamentarians of both Houses, and has spoken several times to the Geospatial Commission. I am very happy to commit to continuing to do so.
In addition to the situation that the noble Lord, Lord Bassam, described, I was braced for a really horrible situation, because these things very often lead to danger and death, and there is a very serious safety argument to providing this information reliably and rapidly, as NUAR will.
My Lords, it took them half a day to discover where the hole had gone and what the damage was. The water flooded several main roads and there were traffic delays and the rest. So these things are very serious. I was trying to make a serious point while being slightly frivolous about it.
No, indeed, it is a deeply serious point. I do not know the number off the top of my head but there are a number of deaths every year as a result of these things.
As I was saying, a thorough impact assessment was undertaken for the NUAR measures, which received a green rating from the Regulatory Policy Committee. Impacts on organisations that help facilitate the exchange of data related to assets in the street were included in the modelling. Although NUAR could impact existing utility—
The Committee will be relieved to know that I will be brief. I do not have much to say because, in general terms, this seems an eminently sensible amendment.
We should congratulate the noble Lord, Lord Clement-Jones, on his drafting ingenuity. He has managed to compose an amendment that brings together the need for scrutiny of emerging national security and data privacy risks relating to advanced technology, aims to inform regulatory developments and guidance that might be required to mitigate risks, and would protect the privacy of people’s genomics data. It also picks up along the way the issue of the security services scrutinising malign entities and guiding researchers, businesses, consumers and public bodies. Bringing all those things together at the end of a long and rather messy Bill is quite a feat—congratulations to the noble Lord.
I am rather hoping that the Minister will tell the Committee either that the Government will accept this wisely crafted amendment or that everything it contains is already covered. If the latter is the case, can he point noble Lords to where those things are covered in the Bill? Can he also reassure the Committee that the safety and security issues raised by the noble Lord, Lord Clement-Jones, are covered? Having said all that, we support the general direction of travel that the amendment takes.
(8 months ago)
Grand Committee
My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for tabling these amendments to Clauses 44 and 45, which would reform the framework for data protection complaints to the Information Commissioner.
The noble Lord, Lord Clement-Jones, has given notice of his intention to oppose Clause 44 standing part of the Bill. That would remove new provisions from the Bill that have been carefully designed to provide a more direct route to resolution for data subjects’ complaints. I should stress that these measures do not limit rights for data subjects to bring complaints forward, but instead provide a more direct route to resolution with the relevant data controller. The measures formalise current best practice, requiring the complainant to approach the relevant data controller, where appropriate, to attempt to resolve the issue prior to regulatory involvement.
The Bill creates a requirement for data controllers to facilitate the making of complaints and look into what may have gone wrong. This should, in most cases, result in a much quicker resolution of data protection-related complaints. The provisions will also have the impact of enabling the Information Commissioner to redeploy resources away from handling premature complaints where such complaints may be dealt with more effectively, in the first instance, by controllers and towards value-added regulatory activity, supporting businesses to use data lawfully and in innovative ways.
The noble Lord’s Amendment 153 seeks, in effect, to expand the scope of the Information Commissioner’s duty to investigate complaints under Section 165 of the Data Protection Act. However, that Section of the Act already provides robust redress routes, requiring the commissioner to take appropriate steps to respond to complaints and offer an outcome or conclude an investigation within a specified period.
The noble Lord raised the enforcement of the UK’s data protection framework. I can provide more context on the ICO’s approach, although noble Lords will be aware that it is enforced independently of government by the ICO; it would of course be inappropriate for me to comment on how the ICO exercises its enforcement powers. The ICO aims to be fair, proportionate and effective, focusing on areas with the highest risk and most harm, but this does not mean that it will enforce every case that crosses its books.
The Government have introduced a new requirement on the ICO—Clause 43—to publish an annual report on how it has exercised its enforcement powers, the number and nature of investigations, the enforcement powers used, how long investigations took and the outcome of the investigations that ended in that period. This will provide greater transparency and accountability in the ICO’s exercise of its enforcement powers. For these reasons, I am not able to accept these amendments.
I also thank the noble Baroness and the noble Lord for their Amendments 154 and 287 concerning Section 190 of the Data Protection Act. These amendments would require the Secretary of State to legislate to give effect to Article 80(2) of the UK GDPR to enable relevant non-profit organisations to make claims against data controllers for alleged data breaches on behalf of data subjects, without those data subjects having requested or agreeing to the claim being brought. Currently, such non-profit organisations can already pursue such actions on behalf of individuals who have granted them specific authorisation, as outlined in Article 80(1).
In 2021, following consultation, the Government concluded that there was insufficient evidence to justify implementing Article 80(2) to allow non-profit organisations to bring data protection claims without the authorisation of the people affected. The Government’s response to the consultation noted that the regulator can and does investigate complaints raised by civil society groups, even when they are not made on behalf of named individuals. The ICO’s investigations into the use of live facial recognition technology at King’s Cross station and in some supermarkets in southern England are examples of this.
I also thank the noble Baroness, Lady Kidron, for raising her concerns about the protection of children throughout the debate—indeed, throughout all the days in Committee. The existing regime already allows civil society groups to make complaints to the ICO about data-processing activities that affect children and vulnerable people. The ICO has a range of powers to investigate systemic data breaches under the current framework and is already capable of forcing data controllers to take decisive action to address non-compliance. We are strengthening its powers in this Bill. I note that only a few member states of the EU have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR.
I turn now to Amendments 154A, 154B—
Before the noble Lord gets there and we move too far from Amendment 154, where does the Government’s thinking leave us regarding a group of class actions? Trade unions take up causes on behalf of their membership at large. I guess, in the issue of the Post Office and Mr Bates, not every sub-postmaster or sub-postmistress would have signed up to that class action, even though they may have ended up being beneficiaries of its effects. So where does it leave people with regard to data protection and the way that the data protection scheme operates where there might be a class action?
Perhaps the Minister could in due course say what evidence would help to persuade the Government to adopt the article.
I want to help the Minister. Perhaps he could give us some more detail on the nature of that consultation and the number of responses and what people said in it. It strikes me as rather important.
Fair enough. Maybe for the time being, it will satisfy the Committee if I share a copy of that consultation and what evidence was considered, if that would work.
I will turn now to Amendments 154A to 155 and Amendment 175, which propose sweeping modifications to the jurisdiction of the court and tribunal for proceedings under the Data Protection Act 2018. These amendments would have the effect of making the First-tier Tribunal and Upper Tribunal responsible for all data protection cases, transferring both ongoing and future cases out of the court system and to the relevant tribunals.
The Government of course want to ensure that proceedings for enforcement of data protection rules, including redress routes available to data subjects, are appropriate for the nature of the complaint. As the Committee will be well aware, at present there is a mixture of jurisdiction for tribunals and courts under data protection legislation, depending on the precise nature of the proceedings in question. Tribunals are indeed the appropriate venue for some data protection proceedings, and the legislation already recognises that—for example, for application by data subjects for an order requiring the ICO to progress their complaint. However, courts are generally the more appropriate venue for cases involving claims for compensation and successful parties can usually recover their costs. Courts also apply stricter rules of procedure and evidence than tribunals. That is because some cases are appropriate to fall under the jurisdiction of the tribunal, while others are more appropriate for court jurisdiction. For example, claims by individuals against organisations for breaches of legal requirements can result in awards of compensatory damages for the individuals and financial and reputational damage for the organisations. It is appropriate that such cases are handled by a court in accordance with its strict procedural and evidential rules, where the data subject may recover their costs if successful.
As such, the Government are confident that the current system is balanced and proportionate and provides clear and effective administrative and judicial redress routes for data subjects seeking to exercise their rights.
I will go away and look at those; I look forward to learning more about them. There are obvious implications in what the noble Lord said as to the most effective ways of distributing cases between courts and other channels.
For these reasons, I hope that the noble Lord will withdraw his amendment.
I am intrigued by the balance between what goes to a tribunal and what goes to the courts. I took the spirit behind the stand-part notice in the name of the noble Lord, Lord Clement-Jones, as being about finding the right place for the right case and ensuring that the wheels of justice are much more accessible. I am not entirely persuaded by what the Minister has said. It would probably help the Committee if we had a better understanding of where the cases go, how they are distributed and on what basis.
I thank the noble Lord; that is an important point. The question is: how does the Sorting Hat operate to distribute cases between the various tribunals and the court system? We believe that the courts have an important role to play in this but it is about how, in the early stages of a complaint, the case is allocated to a tribunal or a court. I can see that more detail is needed there; I would be happy to write to noble Lords.
My Lords, I have looked at the government amendments in this group and have listened very carefully to what the Minister has said—that it is largely about interpretation. There are no amendments that I wish to comment on, save to say that they seem to be about consistency of language and bringing in part EU positions into UK law. They seem also to be about consistency of meaning, and for the most part the intention seems to be to ensure that nothing in EU retained law undoes the pre-existing legal framework.
However, I would appreciate the Minister giving us a bit more detail on the operation of Amendment 164. Amendment 297 seems to deal with a duplication issue, so perhaps he can confirm for the Committee that this is the case. We have had swathes of government amendments of a minor and technical nature, largely about chasing out gremlins from the drafting process. Can he confirm that this is the case and assure the Committee that we will not be left with any nasty surprises in the drafting that need correction at a later date?
The amendments tabled in the name of the noble Lord, Lord Clement-Jones, are of course of a different order altogether. The first two—Amendments 165 and 166—would restore the relationship between the UK GDPR and the 2018 Act and the relevant provisions of the Retained EU Law (Revocation and Reform) Act 2023. Amendment 168 would ensure that assimilated case law referring to the European Charter of Fundamental Rights would still be relevant in interpreting the UK GDPR. It would give greater certainty in how the UK’s data protection framework is interpreted. Amendment 169 would ensure that the interpretation is carried over from the UK GDPR and 2018 legislation in accordance with the general principle of the protection of personal data.
The noble Lord’s Amendments 170 to 174B would bring back into law protections that existed previously when UK law was more closely aligned with EU law and regulation. There is also an extension of the EU data protection of personal data to the assimilated standard that existed by virtue of Section 4 of the European Union (Withdrawal) Act 2018. I can well understand the noble Lord’s desire to take the UK back to a position where we are broadly in the same place in terms of protections as our former EU partners. First, having—broadly speaking—protections that are common across multiple jurisdictions makes it easier and simpler for companies operating in those markets. Secondly, from the perspective of data subjects, it is much easier to comprehend common standards of data protection and to seek redress when required. The Government, for their part, will no doubt argue that there is some sort of big Brexit benefit in this, although I think that advisers and experts are divided on the degree of that benefit, and indeed who benefits.
Later, we will get to discuss data adequacy standards. Concern exists in some quarters as to whether we have this right and what this legislative opportunity might be missing to ensure that the UK meets those international standards that the EU requires. That is a debate for later, but we are broadly sympathetic to the desire of the noble Lord, Lord Clement-Jones, to find the highest level of protection for UK citizens. That is the primary motivation for many of the amendments and debates that we have had today. We do not want to weaken what were previously carefully crafted and aligned protections. I do not entirely buy the argument that the Minister made earlier about this group of amendments causing legal uncertainty. I believe it is the reverse of that: the noble Lord, Lord Clement-Jones, is trying to provide greater certainty and a degree of jurisdictional uniformity.
I hope that I have understood what the noble Lord is trying to achieve here. For those reasons, we will listen to the Minister’s concluding comments—and read Hansard—very carefully.
I thank the noble Lords, Lord Clement-Jones and Lord Bassam, for their comments. As the noble Lord, Lord Clement-Jones, points out, it is a pretty complex and demanding area, but that in no way diminishes the importance of getting it right. I hope that in my remarks I can continue that work, but of course I am happy to discuss this: it is a very technical area and, as all speakers have pointed out, it is crucial for our purposes that it be executed correctly.
While the UK remains committed to strong protections for personal data through the UK GDPR and Data Protection Act, it is important that it is able to diverge from the EU legislation where this is appropriate for the UK. We have carefully assessed the effects of EU withdrawal legislation and the REUL Act and are making adjustments to ensure that the right effect is achieved. The government amendments are designed to ensure legal certainty and protect the coherence of the data protection framework following commencement of the REUL Act—for example, by maintaining the pre-REUL Act relationship in certain ways between key elements of the UK data protection legislation and other existing legislation.
The purpose of the REUL Act is to ensure that the UK has control over its laws. Resurrecting the principle of EU law supremacy in its entirety or continuing to apply case law principles is not consistent with the UK’s departure from the EU and taking back control over our own laws. These amendments make it clear that changes made to the application of the principle of EU law supremacy and new rules relating to the interpretation of direct assimilated legislation under the REUL Act do not have any impact on existing provisions that involve the processing of personal data.
The noble Lord, Lord Bassam, asked for more detail about Amendment 164. It relates to changes brought about by the REUL Act and sets out that the provisions detailed in Amendments 159, 162 and 163 are to be treated as having come into force on 1 January 2024—in other words, at the same time as commencement of the relevant provisions of the REUL Act. The retrospective effect of this provision addresses the gap between the commencement of the REUL Act 2023 and the Data Protection and Digital Information Bill.
On the immigration exemption case, I note that it was confined to the immigration exemption and did not rule on the other exemptions. The Government will continue to keep the exemptions under review and, should it be required, the Government have the power to amend the other exemptions using an existing power in the DPA 2018. Before doing so, of course the Government would want to ensure that due consideration is given to how the particular exemptions are used. Meanwhile, I thank noble Lords for what has been a fascinating, if demanding, debate.
My Lords, I thank the noble Baronesses, Lady Bennett, Lady Young of Old Scone and Lady Jones, for their proposed amendments on extending the definition of business data in smart data schemes, the disclosure of climate and nature information to improve public service delivery and the publication of an EU adequacy risk assessment.
On Amendment 195A, we consider that information about the carbon and energy intensity of goods, services or digital content already falls within the scope of “business data” as information about goods, services and digital content supplied or provided by a trader. Development of smart data schemes will, where relevant, be informed by—among other things—the Government’s Environmental Principles Policy Statement, under the Environment Act 2021.
With regard to Amendment 218, I thank the noble Baroness, Lady Young of Old Scone, for her sympathies; they are gratefully received. I will do my best in what she correctly pointed out is quite a new area for me. The powers to share information under Part 5 of the Digital Economy Act 2017—the DEA—are supplemented by statutory codes of practice. These require impact assessments to be carried out, particularly for significant changes or proposals that could have wide-ranging effects on various sectors or stakeholders. These impact assessments are crucial for understanding the implications of the Digital Economy Act and ensuring that it achieves its intended objectives, while minimising any negative consequences for individuals, businesses and society as a whole. As these assessments already cover economic, social and environmental impact, significant changes in approach are already likely to be accounted for. This is in addition to the duty placed on Ministers by the Environment Act 2021 to have due regard to the Environmental Principles Policy Statement.
Lastly, turning to Amendment 296, the Government are committed to maintaining their data adequacy decisions from the EU, which we absolutely recognise play a pivotal role in enabling trade and fighting crime. As noble Lords alluded to, we maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood.
The EU adequacy assessment of the UK is, of course, a unilateral, autonomous process for the EU to undertake. However, we remain confident that our reforms deliver against UK interests and are compatible with maintaining EU adequacy. As the European Commission itself has made clear, a third country—the noble Lord, Lord Clement-Jones, alluded to this point—is not required to have the same rules as the EU to be considered adequate. Indeed, 15 countries have EU adequacy, including Japan, Israel and the Republic of Korea. All these nations pursue independent and, often, more divergent approaches to data protection.
The Government will provide both written and oral evidence to the House of Lords European Affairs Committee inquiry on UK-EU data adequacy and respond to its final report, which is expected to be published in the summer. Many expert witnesses already provided evidence to the committee and have stated that they believe that the Bill is compatible with maintaining adequacy.
As noble Lords have noted, the Government have published a full impact assessment alongside the Bill, which sets out in more detail what both the costs and financial benefits of the Bill would be—including in the unlikely scenario of the EU revoking the UK’s adequacy decision. I also note that UK adequacy is good for the EU too: every EU company, from multinationals to start-ups, with customers, suppliers or operations in the UK relies on EU-UK data transfers. Leading European businesses and organisations have consistently emphasised the importance of maintaining these free flows of data to the UK.
For these reasons, I hope that the noble Baronesses will agree to withdraw or not move these amendments.
The Minister made the point at the end there that it is in the EU’s interest to agree to our data adequacy. That is an important point but is that what the Government are relying on—the fact that it is in the EU’s interest as much as ours to continue to agree to our data adequacy provisions? If so, what the Minister has said does not make me feel more reassured. If the Government are relying on just that, it is not a particularly strong argument.
I do not know what I could possibly have said to create the impression that the Government are flying blind on this matter. We continue to engage extensively with the EU at junior official, senior official and ministerial level in order to ensure that our proposed reforms are fully understood and that there are no surprises. We engage with multiple expert stakeholders from both the EU side and the UK side. Indeed, as I mentioned earlier, a number of experts have submitted evidence to the House’s inquiry on EU-UK data adequacy and have made clear their views that the DPDI reforms set out in this Bill are compatible with EU adequacy. We continue to engage with the EU throughout. I do not want to be glib or blithe about the risks; we recognise the risks but it is vital—
Could we have a list of the people the noble Lord is talking about?
Yes. I would be happy to provide a list of the people we have spoken to about adequacy; it may be a long one. That concludes the remarks I wanted to make, I think.
(8 months, 3 weeks ago)
Grand Committee
As I said, I will write. I do not believe that follows axiomatically from the ATRS’s existence.
On Amendment 144, the Government are sympathetic to the idea that the ICO should respond to new and emerging technologies, including the use of children’s data in the development of AI. I assure noble Lords that this area will continue to be a focus of the ICO’s work and that it already has extensive powers to provide additional guidance or make updates to the age-appropriate design code, to ensure that it reflects new developments, and a responsibility to keep it up to date. The ICO has a public task under Article 57(1)(b) of the UK GDPR to
“promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing”.
It is already explicit that:
“Activities addressed specifically to children shall receive specific attention”.
That code already includes a chapter on profiling and provides guidance on fairness and transparency requirements around automated decision-making.
Taking the specific point made by the noble Baroness, Lady Kidron, on the contents of the ICO’s guidance, while I cannot speak to the ICO’s decisions about the drafting of its guidance, I am content to undertake to speak to it about this issue. I note that it is important to be careful to avoid a requirement for the ICO to duplicate work. The creation of an additional children’s code focused on AI could risk fragmenting approaches to children’s protections in the existing AADC—a point made by the noble Baroness and by my noble friend Lady Harding.
I have a question on this. If the Minister is arguing that this should be by way of amendment of the age-related code, would there not be an argument for giving that code some statutory effect?
As the noble Lord, Lord Clement-Jones, explained, his intention to oppose the question that Clause 19 stands part seeks to retain the status quo. As I read Section 62 of the Data Protection Act 2016, it obliges competent authorities to keep logs of their processing activities, whether they be for collection, alteration, consultation, disclosure, combination or the erasing of personal data. The primary purpose is for self-monitoring purposes, largely linked to disciplinary proceedings, as the noble Lord said, where an officer has become a suspect by virtue of inappropriately accessing PNC-held data.
Clause 19 removes the requirement for a competent authority to record a justification in the logs only when consulting or disclosing personal data. The Explanatory Note to the Bill explains this change as follows:
“It is … technologically challenging for systems to automatically record the justification without manual input”.
That is not a sufficiently strong reason for removing the requirement, not least because the remaining requirements of Section 62 of the Data Protection Act 2018 relating to the logs of consultation and disclosure activity will be retained and include the need to record the date and time and the identity of the person accessing the log. Presumably they will be able to be manually input, so why remove the one piece of data that might, in an investigation of abuse or misuse of the system, be useful in terms of evidence and self-incrimination? I do not understand the logic behind that at all.
I rather think the noble Lord, Lord Clement-Jones, has an important point. He has linked it to those who have been unfortunate enough to be AIDS sufferers, and I am sure that there are other people who have become victims where cases would be brought forward. I am not convinced that the clause should stand part, and we support the noble Lord in seeking its deletion.
This is a mercifully short group on this occasion. I thank the noble Lord, Lord Clement-Jones, for the amendment, which seeks to remove Clause 19 from the Bill. Section 62 of the Data Protection Act requires law enforcement agencies to record when personal data has been accessed and why. Clause 19 does not remove the need for police to justify their processing; it simply removes the ineffective administrative requirement to record that justification in a log.
The justification entry was intended to help to monitor and detect unlawful access. However, the reality is that anyone accessing data unlawfully is very unlikely to record an honest justification, making this in practice an unreliable means of monitoring misconduct or unlawful processing. Records of when data was accessed and by whom can be automatically captured and will remain, thereby continuing to ensure accountability.
In addition, the National Police Chiefs’ Council’s view is that this change will not hamper any investigations to identify the unlawful processing of data. That is because it is unlikely that an individual accessing data unlawfully would enter an honest justification, so capturing this information is unlikely to be useful in any investigation into misconduct. The requirements to record the time, date and, as far as possible, the identity of the person accessing the data will remain, as will the obligation that there is lawful reason for the access, ensuring that accountability and protection for data subjects is maintained.
Police officers inform us that the current requirement places an unnecessary burden on them as they have to update the log manually. The Government estimate that the clause could save approximately 1.5 million policing hours, representing a saving in the region of £46.5 million per year.
I understand that the amendment relates to representations made by the National AIDS Trust concerning the level of protection for people’s HIV status. As I believe I said on Monday, the Government agree that the protection of people’s HIV status is vital. We have met the National AIDS Trust to discuss the best solutions to the problems it has raised. For these reasons, I hope the noble Lord will not oppose Clause 19 standing part.
(8 months, 4 weeks ago)
Grand Committee
My Lords, I thank the noble Baroness, Lady Jones, for tabling her amendments. Amendment 19 would remove processing which is necessary for the purposes of democratic engagement from the list of recognised legitimate interests. It is essential in a healthy democracy that registered political parties, elected representatives and permitted participants in referendums can engage freely with the electorate without being impeded unnecessarily by data protection legislation.
The provisions in the Bill will mean that these individuals and organisations do not have to carry out legitimate interest assessments or look for a separate legal basis. They will, however, still need to comply with other requirements of data protection legislation, such as the data protection principles and the requirement for processing to be necessary.
On the question posed by the noble Baroness about the term “democratic engagement”, it is intended to cover a wide range of political activities inside and outside election periods. These include but are not limited to democratic representation; communicating with electors and interested parties; surveying and opinion gathering; campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities. This is reflected in the drafting, which incorporates these concepts in the definition of democratic engagement and democratic engagement activities.
The ICO already has guidance on the use of personal data by political parties for campaigning purposes, which the Government anticipate it will update to reflect the changes in the Bill. We will of course work with the ICO to make sure it is familiar with our plans for commencement and that it does not benefit any party over another.
On the point made about the appropriate age for the provisions, in some parts of the UK the voting age is 16 for some elections, and children can join the electoral register as attainers at 14. The age of 14 reflects the variations in voting age across the nation; in some parts of the UK, such as Scotland, a person can register to vote at 14 as an attainer. An attainer is someone who is registered to vote in advance of their being able to do so, to allow them to be on the electoral roll as soon as they turn the required age. Children aged 14 and over are often politically engaged and are approaching voting age. The Government consider it important that political parties and elected representatives can engage freely with this age group—
I am interested in what the Minister says about the age of attainers. Surely it would be possible to remove attainers from those who could be subject to direct marketing. Given how young attainers could be, it would protect them from the unwarranted attentions of campaigning parties and so on. I do not see that as a great difficulty.
Indeed. It is certainly worth looking at, but I remind noble Lords that such communications have to be necessary, and the test of their being necessary for someone of that age is obviously more stringent.
But what is the test of necessity at that age?
The processor has to determine whether it is necessary to the desired democratic engagement outcome to communicate with someone at that age. But I take the point: for the vast majority of democratic engagement communications, 14 would be far too young to make that a worthwhile or necessary activity.
As I recall, the ages are on the electoral register.
I am not aware one way or the other, but I will happily look into that to see what further safeguards we can add so that we are not bombarding people who are too young with this material.
I am not sure whether it is written in the Bill. I will check, but the Bill would not function without the existence of the guidance.
I am sorry to drag this out but, on the guidance, can we be assured that the Minister will involve the Electoral Commission? It has a great deal of experience here; in fact, it has opined in the past on votes for younger cohorts of the population. It seems highly relevant to seek out its experience and the benefits of that.
My Lords, I have been through this large group and, apart from my natural suspicion that there might be something dastardly hidden away in it, I am broadly content, but I have a few questions.
On Amendment 20, can the Minister confirm that the new words “further processing” have the same meaning as the reuse of personal data? Can he confirm that Article 5(1)(b) will prohibit this further processing when it is not in line with the original purpose for which the data was collected? How will the data subject know that is the case?
On Amendment 196, to my untutored eye it looks like the regulation-making power is being extended away from the data holder to include authorised persons and third-party recipients. My questions are simple enough: was this an oversight on the part of the original drafters of that clause? Is the amendment an extension of those captured by the effect of the clause? Is it designed to achieve consistency across the Bill? Finally, can I assume that an authorised person or third party would usually be someone acting on behalf of an agent of the data holder?
I presume that Amendments 198, 212 and 213 are needed because of a glitch in the drafting—similarly with Amendment 206. I can see that Amendments 208, 216 and 217 clarify when time periods begin, but why are the Government seeking to disapply time periods in Amendment 253 when surely some consistency is required?
Finally—I am sure the Minister will be happy about this—I am all in favour of flexibility, but Amendment 283 states that the Information Commissioner has the power to do things to facilitate the exercise of his functions. The noble Lord, Lord Kamall, picked up on this. We need to understand what those limits are. On the face of it, one might say that the amendment is sensible, but it seems rather general and broad in its application. As the noble Lord, Lord Kamall, rightly said, we need to see what the limits of accountability are. This is one of those occasions.
I thank the noble Lords, Lord Kamall and Lord Bassam, for their engagement with this group. On the questions from the noble Lord, Lord Kamall, these are powers that the ICO would already have in common law. As I am given to understand is now best practice, they are put on a statutory footing in the Bill as part of best practice with all Bills. The purpose is to align with best practice. It does not confer substantial new powers but clarifies the powers that the regulator has. I can also confirm that the ICO was and remains accountable to Parliament.
The Information Commissioner is directly accountable to Parliament in that he makes regular appearances in front of Select Committees that scrutinise the regulator’s work, including progress against objectives.
The noble Lord, Lord Bassam, made multiple important and interesting points. I hope he will forgive me if I undertake to write to him about those; there is quite a range of topics to cover. If there are any on which he requires answers right away, he is welcome to intervene.
I want to be helpful to the Minister. I appreciate that these questions are probably irritating but I carefully read through the amendments and aligned them with the Explanatory Notes. I just wanted some clarification to make sure that we are clear on exactly what the Government are trying to do. “Minor and technical” covers a multitude of sins; I know that from my own time as a Minister.
Indeed. I will make absolutely sure that we provide a full answer. By the way, I sincerely thank the noble Lord for taking the time to go through what is perhaps not the most rewarding of reads but is useful none the less.
First, on the point made by the noble Lord, Lord Bassam, it is not to be argumentative—I am sure that there is much discussion to be had—but the intention is absolutely not to lower the standard for a well-intended request.
Sadly, a number of requests that are not well intended are made, with purposes of cynicism and an aim to disrupt. I can give a few examples. For instance, some requests are deliberately made with minimal time between them. Some are made to circumvent the process of legal disclosure in a trial. Some are made for other reasons designed to disrupt an organisation. The intent of using “vexatious” is not in any way to reduce well-founded, or even partially well-founded, attempts to secure information; it is to reduce less desirable, more cynical attempts to work in this way.
But the two terms have a different legal meaning, surely.
The actual application of the terms will be set out in guidance by the ICO but the intention is to filter out the more disruptive and cynical ones. Designing these words is never an easy thing but there has been considerable consultation on this in order to achieve that intention.
As I said, the intent of the Government is: yes to more automated data processing to take advantage of emerging technologies, but also yes to maintaining appropriate safeguards. The safeguards in the present system consist—if I may characterise it in a slightly blunt way—of providing quite a lot of uncertainty, so that people do not take the decision to positively embrace the technology in a safe way. By bringing in this clarity, we will see an increase not only in the safety of their applications but in their use, driving up productivity in both the public and private sectors.
My Lords, I said at the outset that I thought this was the beginning of a particular debate, and I was right, looking at the amendments coming along. The theme of the debate was touched on by the noble Baroness, Lady Bennett, when she talked about these amendments, in essence, being about keeping humans in the loop and the need for them to be able to review decisions. Support for that came from the noble Baroness, Lady Kidron, who made some important points. The point the BMA made about risking eroding trust cut to what we have been talking about all afternoon: trust in these processes.
The noble Lord, Lord Clement-Jones, talked about this effectively being the watering down of Article 22A, and the need for some core ethical principles in AI use and for the Government to ensure a right to human review. Clause 14 reverses the presumption of that human reviewing process, other than where solely automated decision-making exists, where it will be more widely allowed, as the Minister argued.
However, I am not satisfied by the responses, and I do not think other Members of your Lordships’ Committee will be either. We need more safeguards. We have moved from one clear position to another, which can be described as watering down or shifting the goalposts; I do not mind which, but that is how it seems to me. Of course, we accept that there are huge opportunities for AI in the delivery of public services, particularly in healthcare and the operation of the welfare system, but we need to ensure that citizens in this country have a higher level of protection than the Bill currently affords them.
At one point I thought the Minister said that a solely automated decision was a rubber-stamped decision. To me, that gave the game away. I will have to read carefully what he said in Hansard, but that is how it sounded, and it really gets our alarm bells ringing. I am happy to withdraw my amendment, but we will come back to this subject from time to time and throughout our debates on the rest of the Bill.
I am not philosophically averse to such regulation. As to implementing it in the immediate future, however, I have my doubts about that possibility.
My Lords, this has been an interesting and challenging session. I hope that we have given the Minister and his team plenty to think about—I am sure we have. A lot of questions remain unanswered, and although the Committee Room is not full this afternoon, I am sure that colleagues reading the debate will be studying the responses that we have received very carefully.
I am grateful to the noble Baroness, Lady Kidron, for her persuasive support. I am also grateful to the noble Lord, Lord Clement-Jones, for his support for our amendments. It is a shame the noble Lord, Lord Holmes, was not here this afternoon, but I am sure we will hear persuasively from him on his amendment later in Committee.
The Minister is to be congratulated for his consistency. I think I heard the phrase “not needed” or “not necessary” pretty constantly this afternoon, but particularly with this group of amendments. He probably topped the lot with his response on the Equality Act on Amendment 41.
I want to go away with my colleagues to study the responses to the amendments very carefully. That being said, however, I am happy to withdraw Amendment 41 at this stage.
(9 months ago)
Grand Committee
As I was saying, it is important for the framework on data protection that we take a precautionary approach. I hope that the Minister will this afternoon be able to provide a plain English explanation of the changes, as well as giving us an assurance that those changes to definitions do not result in watering down the current legislation.
We broadly support Amendments 1 and 5 and the clause stand part notice, in the sense that they provide additional probing of the Government’s intentions in this area. We can see that the noble Lord, Lord Clement-Jones, is trying with Amendment 1 to bring some much-needed clarity to the anonymisation issue and, with Amendment 5, to secure that data remains personal data in any event. I suspect that the Minister will tell us this afternoon that that is already the case, but a significant number of commentators have questioned this, since the definition of “personal data” is seemingly moving away from the EU GDPR standard towards a definition that is more subjective from the perspective of the controller, processor or recipient. We must be confident that the new definition does not narrow the circumstances in which the information is protected as personal data. That will be an important standard for this Committee to understand.
Amendment 288, tabled by the noble Lord, Lord Clement-Jones, seeks a review and an impact assessment of the anonymisation and identifiability of data subjects. Examining that in the light of the EU GDPR seems to us to be a useful and novel way of making a judgment over which regime better suits and serves data subjects.
We will listen with interest to the Minister’s response. We want to be more than reassured that the previous high standards and fundamental principles of data protection will not be undermined and compromised.
I thank all noble Lords who have spoken in this brief, interrupted but none the less interesting opening debate. I will speak to the amendments tabled by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones; I note that I plan to use that form of words quite a lot in the next eight sessions on this Bill. I thank them for tabling these amendments so that we can debate what are, in the Government’s view, the significant benefits of Clause 1.
In response to the points from the noble Lord, Lord Clement-Jones, on the appetite for the reforms in the Bill, we take very seriously the criticisms of the parties that he mentioned—the civil society groups—but it is important to note that, when the Government consulted on these reforms, we received almost 3,000 responses. At that time, we proposed to clarify when data would be regarded as anonymous and proposed legislating to confirm that the test for whether anonymous data can be reidentified is relative to the means available to the controller to reidentify the data. The majority of respondents agreed that greater clarity in legislation would indeed be beneficial.
As noble Lords will know, the UK’s data protection legislation applies only to personal data, which is data relating to an identified or identifiable living individual. It does not apply to non-personal, anonymous data. This is important because, if organisations can be sure that the data they are handling is anonymous, they may be able to more confidently put it to good use in important activities such as research and product development. The current data protection legislation is already clear that a person can be identified in a number of ways by reference to details such as names, identification numbers, location data and online identifiers, or via information about a person’s physical, genetic, mental, economic or cultural characteristics. The Bill does not change the existing legislation in this respect.
With regard to genetic information, which was raised by my noble friend Lord Kamall and the noble Lord, Lord Davies, any information that includes enough genetic markers to be unique to an individual is personal data and special category genetic data, even if names and other identifiers have been removed. This means that it is subject to the additional protections set out in Article 9 of the UK GDPR. The Bill does not change this position.
However, the existing legislation is unclear about the specific factors that a data controller must consider when assessing whether any of this information relates to an identifiable living person. This uncertainty is leading to inconsistent application of anonymisation and to anonymous data being treated as personal data out of an abundance of caution. This, in turn, reduces the opportunities for anonymous data to be used effectively for projects in the public interest. It is this difficulty that Clause 1 seeks to address by providing a comprehensive statutory test on identifiability. The test will require data controllers and processors to consider the likelihood of people within or outside their organisations reidentifying individuals using reasonable means. It is drawn from recital 26 of the EU GDPR and should therefore not be completely unfamiliar to most organisations.
I turn now to the specific amendments that have been tabled in relation to this clause. Amendment 1 in the name of the noble Lord, Lord Clement-Jones, would reiterate the position currently set out in the UK GDPR and its recitals: where individuals can be identified without the use of additional information because data controllers fail to put in place appropriate organisational measures, such as technical or contractual safeguards prohibiting reidentification, they would be considered directly identifiable. Technical and organisational measures put in place by organisations are factors that should be considered alongside others under new Section 3A of the Data Protection Act when assessing whether an individual is identifiable from the data being processed. Clause 1 sets out the threshold at which data—and, therefore, personal data—is identifiable and clarifies when data is anonymous.
On the technical capabilities of a respective data controller, these are already relevant factors under current law and ICO guidance in determining whether data is personal. This means that the test of identifiability is already a relative one today in respect of the data controller, the data concerned and the purpose of the processing. However, the intention of the data controller is not a relevant factor under current law, and nor does Clause 1 make it a factor. Clause 1 merely clarifies the position under existing law and follows very closely the wording of recital 26. Let me state this clearly: nothing in Clause 1 introduces the subjective intention of the data controller as a relevant factor in determining identifiability, and the position will remain the same as under the current law and as set out in ICO guidance.
In response to the points made by the noble Lord, Lord Clement-Jones, and others on pseudonymised personal data, noble Lords may be aware that the definition of personal data in Article 4(1) of the UK GDPR, when read in conjunction with the definition of pseudonymisation in Article 4(5), makes it clear that pseudonymised data is personal data, not anonymous data, and is thus covered by the UK’s data protection regime. I hope noble Lords are reassured by that. I also hope that, for the time being, the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment and not press the related Amendment 5, which seeks to make it clear that pseudonymised data is personal data.
Amendment 4 would require the Secretary of State to assess the difference in meaning and scope between the current statutory definition of personal data and the new statutory definition that the Bill will introduce two months after its passing. Similarly, Amendment 288 seeks to review the impact of Clause 1 six months after the enactment of the Bill. The Government feel that neither of these amendments is necessary as the clause is drawn from recital 26 of the EU GDPR and case law and, as I have already set out, is not seeking to substantially change the definition of personal data. Rather, it is seeking to provide clarity in legislation.
I follow the argument, but what we are suggesting in our amendment is some sort of impact assessment for the scheme, including how it currently operates and how the Government wish it to operate under the new legislation. Have the Government undertaken a desktop exercise or any sort of review of how the two pieces of legislation might operate? Has any assessment of that been made? If they have done so, what have they found?
Obviously, the Bill has been in preparation for some time. I completely understand the point, which is about how we can be so confident in these claims. I suggest that I work with the Bill team to get an answer to that question and write to Members of the Committee, because it is a perfectly fair question to ask what makes us so sure.
In the future tense, I can assure noble Lords that the Department for Science, Innovation and Technology will monitor and evaluate the impact of this Bill as a whole in the years to come, in line with cross-government evaluation guidance and through continued engagement with stakeholders.
The Government feel that the first limb of Amendment 5 is not necessary given that, as has been noted, pseudonymised data is already considered personal data under this Bill. In relation to the second limb of the amendment, if the data being processed is actually personal data, the ICO already has powers to require organisations to address non-compliance. These include requiring it to apply appropriate protections to personal data that it is processing, and are backed up by robust enforcement mechanisms.
That said, it would not be appropriate for the processing of data that was correctly assessed as anonymous at the time of processing to retrospectively be treated as processing of personal data and subject to data protection laws, simply because it became personal data at a later point in the processing due to a change in circumstances. That would make it extremely difficult for any organisation to treat any dataset as anonymous and would undermine the aim of the clause, significantly reducing the potential to use anonymous data for important research and development activities.
My Lords, we on the Labour Benches have become co-signatories to the amendments tabled by the noble Baroness, Lady Kidron, and supported by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Harding. The noble Baroness set out very clearly and expertly the overarching purpose of retaining the level of protection currently afforded by the Data Protection Act 2018. Amendments 2 and 3 specifically stipulate that, where data controllers know, or should reasonably know, that a user is a child, they should be given the data protection codified in that Act. Amendment 9 takes it a stage further and includes children’s data in the definition of sensitive personal data, and gives it the benefit of being treated to a heightened level of protection—quite rightly, too. Finally, Amendment 290—the favourite of the noble Lord, Lord Clement-Jones—attempts to hold Ministers to the commitment made by Paul Scully in the Commons to maintain existing standards of data protection carried over from that 2018 Act.
Why is all this necessary? I suspect that the Minister will argue that it is not needed because Clause 5 already provides for the Secretary of State to consider the impact of any changes to the rights and freedoms of individuals and, in particular, of children, who require special protection.
We disagree with that argument. In the interests of brevity and the spirit of the recent Procedure Committee report, which says that we should not repeat each other’s arguments, I do not intend to speak at length, but we have a principal concern: to try to understand why the Government want to depart from the standards of protection set out in the age-appropriate design code—the international gold standard—which they so enthusiastically signed up to just five or six years ago. Given the rising levels of parental concern over harmful online content and well-known cases highlighting the harms that can flow from unregulated material, why do the Government consider it safe to water down the regulatory standards at this precise moment in time? The noble Baroness, Lady Kidron, valuably highlighted the impact of the current regulatory framework on companies’ behaviour. That is exactly what legislation is designed to do: to change how we look at things and how we work. Why change that? As she has argued very persuasively, it is and has been hugely transformative. Why throw away that benefit now?
My attention was drawn to one example of what can happen by a briefing note from the 5Rights Foundation. As it argued, children are uniquely vulnerable to harm and risk online. I thought its set of statistics was really interesting. By the age of 13, 72 million data points have already been collected about children. They are often not used in children’s best interests; for example, the data is often used to feed recommender systems and algorithms designed to keep attention at all costs and have been found to push harmful content at children.
When this happens repeatedly over time, it can have catastrophic consequences, as we know. The coroner in the Molly Russell inquest found that she had been recommended a stream of depressive content by algorithms, leading the coroner to rule that she
“died from an act of self-harm whilst suffering from depression and the negative effects of online content”.
We do not want more Molly Russell cases. Progress has already been made in this field; we should consider dispensing with it at our peril. Can the Minister explain today the thinking and logic behind the changes that the Government have brought forward? Can he estimate the impact that the new lighter-touch regime, as we see it, will have on child protection? Have the Government consulted extensively with those in the sector who are properly concerned about child protection issues, and what sort of responses have the Government received?
Finally, why have the Government decided to take a risk with the sound framework that was already in place and built on during the course of the Online Safety Act? We need to hear very clearly from the Minister how they intend to engage with groups that are concerned about these child protection issues, given the apparent loosening of the current framework. The noble Baroness, Lady Harding, said that this is hard-fought ground; we intend to continue making it so because these protections are of great value to our society.
I am grateful to the noble Baroness, Lady Kidron, for her Amendments 2, 3, 9 and 290 and to all noble Lords who have spoken, as ever, so clearly on these points.
All these amendments seek to add protections for children to various provisions in the Bill. I absolutely recognise the intent behind them; indeed, let me take this opportunity to say that the Government take child safety deeply seriously and agree with the noble Baroness that all organisations must take great care, both when making decisions about the use of children’s data and throughout the duration of their processing activities. That said, I respectfully submit that these amendments are not necessary for three main reasons; I will talk in more general terms before I come to the specifics of the amendments.
First, the Bill maintains a high standard of data protection for everybody in the UK, including—of course—children. The Government are not removing any of the existing data protection principles in relation to lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, data security or accountability; nor are they removing the provisions in the UK GDPR that require organisations to build privacy into the design and development of new processing activities.
The existing legislation acknowledges that children require specific protection for their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data. Organisations will need to make sure that they continue to comply with the data protection principles on children’s data and follow the ICO’s guidance on children and the UK GDPR, following the changes we make in the Bill. Organisations that provide internet services likely to be accessed by children will need to continue to comply with their transparency and fairness obligations and the ICO’s age-appropriate design code. The Government welcome the AADC, as Minister Scully said, and remain fully committed to the high standards of protection that it sets out for children.
Secondly, some of the provisions in the Bill have been designed specifically with the rights and safety of children in mind. For example, one reason that the Government introduced the new lawful ground of recognised legitimate interest in Clause 5, which we will debate later, was that some consultation respondents said that the current legislation can deter organisations, particularly in the voluntary sector, from sharing information that might help to prevent crime or protect children from harm. The same goes for the list of exemptions to the purpose limitation principle introduced by Clause 6.
There could be many instances where personal data collected for one purpose may have to be reused to protect children from crime or safeguarding risks. The Bill will provide greater clarity around this and has been welcomed by stakeholders, including in the voluntary sector.
While some provisions in the Bill do not specifically mention children or children’s rights, data controllers will still need to carefully consider the impact of their processing activities on children. For example, the new obligations on risk assessments, record keeping and the designation of senior responsible individuals will apply whenever an organisation’s processing activities are likely to result in high risks to people, including children.
Thirdly, the changes we are making in the Bill must be viewed in a wider context. Taken together, the UK GDPR, the Data Protection Act 2018 and the Online Safety Act 2023 provide a comprehensive legal framework for keeping children safe online. Although the data protection legislation and the age-appropriate design code make it clear how personal data can be processed, the Online Safety Act makes clear that companies must take steps to make their platforms safe by design. It requires social media companies to protect children from illegal, harmful and age-inappropriate content, to ensure they are more transparent about the risks and dangers posed to children on their sites, and to provide parents and children with clear and accessible ways to report problems online when they do arise.
After those general remarks, I turn to the specific amendments. The noble Baroness’s Amendments 2 and 3 would amend Clause 1 of the Bill, which relates to the test for assessing whether data is personal or anonymous. Her explanatory statement suggests that these amendments are aimed at placing a duty on organisations to determine whether the data they are processing relates to children, thereby creating a system of age verification. However, requiring data controllers to carry out widespread age verification of data subjects could create its own data protection and privacy risks, as it would require them to retain additional personal information such as dates of birth.
The test we have set out for reidentification is intended to apply to adults and children alike. If any person is likely to be identified from the data using reasonable means, the data protection legislation will apply. Introducing one test for adults and one for children is unlikely to be workable in practice and fundamentally undermines the clarity that this clause seeks to bring to organisations. Whether a person is identifiable will depend on a number of objective factors, such as the resources and technology available to organisations, regardless of whether they are an adult or a child. Creating wholly separate tests for adults and children, as set out in the amendment, would add unnecessary complexity to the clause and potentially lead to confusion.
As I understand it, the basis on which we currently operate is that children get a heightened level of protection. Is the Minister saying that that is now unnecessary and is captured by the way in which the legislation has been reframed?
I am saying, specifically on Clause 1, that separating the identifiability of children and the identifiability of adults would be detrimental to both but particularly, in this instance, to children.
Amendment 9 would ensure that children’s data is included in the definition of special category data and is subject to the heightened protections afforded to this category of data by Article 9 of the UK GDPR. This could have unintended consequences, because the legal position would be that processing of children’s data would be banned unless specifically permitted. This could create the need for considerable additional legislation to exempt routine and important processing from the ban; for example, banning a Girl Guides group from keeping a list of members unless specifically exempted would be disproportionate. However, more sensitive data such as records relating to children’s health or safeguarding concerns would already be subject to heightened protections in the UK GDPR, as soon as the latter type of data is processed.
I am grateful to the noble Baroness, Lady Kidron, for raising these issues and for the chance to set out why the Government feel that children’s protection is at least maintained, if not enhanced. I hope my answers have, for the time being, persuaded her of the Government’s view that the Bill does not reduce standards of protection for children’s data. On that basis, I ask her also not to move her Amendment 290 on the grounds that a further overarching statement on this is unnecessary and may cause confusion when interpreting the legislation. For all the reasons stated above, I hope that she will now reconsider whether her amendments in this group are necessary and agree not to press them.
Can I press the Minister more on Amendment 290 from the noble Baroness, Lady Kidron? All it does is seek to maintain the existing standards of data protection for children, as carried over from the 2018 Act. If that is all it does, what is the problem with that proposed new clause? In its current formulation, does it not put the intention of the legislation in a place of certainty? I do not quite get why it would be damaging.
I believe it restates what the Government feel is clearly implied or stated throughout the Bill: that children’s safety is paramount. Therefore, putting it there is either duplicative or confusing; it reduces the clarity of the Bill. In no way is this to say that children are not protected—far from it. The Government feel it would diminish the clarity and overall cohesiveness of the Bill to include it.
In answer to both questions, what I am saying is that, first, any risk of misinterpreting the Bill with respect to children’s safety is diminished, rather than increased, by the Bill. Overall, it is the Government’s belief and intention that the Bill in no way diminishes the safety or privacy of children online. Needless to say, if over the course of our deliberations the Committee identifies areas of the Bill where that is not the case, we will absolutely be open to listening on that, but let me state this clearly: the intent is to at least maintain, if not enhance, the safety and privacy of children and their data.
My Lords, that creates another question, does it not? If that is the case, why amend the original wording from the 2018 Act?
Sorry, the 2018 Act? Or is the noble Lord referring to the amendments?
Why change the wording that provides the protection that is there currently?
Okay. The Government feel that, in terms of the efficient and effective drafting of the Bill, that paragraph diminishes the clarity by being duplicative rather than adding to it by making a declaration. For the same reason, we have chosen not to make a series of declarations about other intentions of the Bill overall in the belief that the Bill’s intent and outcome are protected without such a statement.
(9 months, 1 week ago)
Lords Chamber
My Lords, the Government fundamentally believe that public transparency is vital for the new digital markets regime. We noted the strength of feeling on this issue from noble Lords in Committee, which is why the Government have tabled amendments to enhance the transparency of the regime. The amendments will require the Digital Markets Unit to publish the full notices relating to SMS designation, conduct requirements and PCIs, so that all interested parties can access them. Amendment 54 makes it explicit that the DMU may make redactions for confidentiality purposes when publishing notices or other documents.
Finally, as a consequence of the other amendments in this group, Amendment 3 will require the DMU to send other regulators a full copy of an SMS investigation notice provided to the firm under investigation, rather than a summary. I hope that noble Lords will support these amendments, which address concerns raised in Committee on the transparency of DMU decisions. I beg to move.
My Lords, as the Minister described, this group has government amendments, from Amendment 2 to Amendment 38, which add greater transparency to the process adopted by the CMA in disclosing information about cases involving SMS status firms where the challenger companies have an interest. We are pleased with the Minister’s amendments and, broadly speaking, happy to give them our support, as they respond to points that a number of noble Lords made at earlier stages of the Bill about the need for greater transparency and openness.
The SMS companies are in a position of significant market strength vis-à-vis the challenger firms and have a clear interest in seeing the bigger picture when disclosure is made of information that is of material interest. By obliging the publication of the notices and orders, rather than summaries of the documents, we feel that challenger companies will have greater access to key information that may impact on their market performance. Our amendments, from Amendment 4 to Amendment 39, attempt to achieve a similar result; I suspect that Ministers will argue that their amendments have greater elegance and a similar effect.
I turn to government Amendment 54 and our own Amendment 5. We are clearly of a similar mind and share concerns about commercial confidentiality so that, where reasonable, the redaction of documents can take place. We differ in our approach simply by suggesting that there should be a system for registering the documents that are relevant; the Minister might like to think about that at a later date. In essence, this is an operational issue so, to satisfy our concerns, perhaps he can put on record that there will be an effective system for the registration of documents and a notification process that enables the challenger firms to understand better what information has been disclosed to the CMA in the course of its inquiries. On that basis, we will be content not to move our amendments, and we thank the Government for responding to the concerns behind them.
My Lords, this is a very straightforward group, and I congratulate the noble Baroness, Lady Jones, and the noble Lord, Lord Bassam, on having persuaded the Government to move further on the transparency agenda. I like the description given by the noble Lord, Lord Bassam, of the government amendment being more elegant. It is nice to think of amendments being elegant; it is not often that we think in those terms. We very much support the new amendments with some of the caveats that he made.
(10 months, 1 week ago)
Lords Chamber
As regards the overall regulation of AI, I hope that noble Lords have had a chance to peruse the Government’s response to the AI White Paper consultation. It makes the argument very clearly that there will come a time when it is right to legislate to create binding rules on all creators of AI. When that time comes, due to the policies that we are putting in place, we will have an agreed risk register informing us. We will have set up monitoring and evaluation techniques, again gathering evidence. We will have working relationships with the AI labs, defined procedures for the creation of AI, and regulators trained to regulate AI within their own sectors. That means that, when we do regulate AI, it will be done in a targeted and sophisticated way, on the basis of evidence.
My Lords, the Government have been far too complacent on this issue. During the passage of the then Online Safety Bill, we warned a number of times that, given that this is a fast-moving technology, as the Minister says, the Government needed to get ahead of the game. Given the proliferation of these ghastly images and the appalling impact this has on people’s lives, does the Minister now agree that neither the emergence of these apps nor their misuse is surprising? If that is the case, why did the Government not broaden the scope of their amendments when they had the opportunity to do so? Will the Minister now look for ways in which we can plug the gaps that are clearly emerging?
As the noble Lord said, it is a fast-moving space, and that requires an adaptive, agile response in legislating for it. That is the approach that we are taking. As to the argument that we can now see that it is not working, I am not sure that that is the case. The intimate image abuse offences commenced on 31 January—two weeks ago. I am pleased to see that, yesterday, we had our first cyberflashing conviction under those provisions. Using an evidence base, looking forward, we will have to consider carefully what is working before we go ahead and implement further bans.
(10 months, 1 week ago)
Lords Chamber
Information on NSOIT is posted on GOV.UK, and I am happy to share that location with the noble Lord. I can confirm not only that it is not the role of NSOIT or the CDU to go after any individuals, regardless of their political belief, but that it never has been. NSOIT looks for large-scale attempts to pollute the information environment, generally as a result of threats from foreign states. I am happy to say in front of the House that the idea that its purpose is also to go after, in some ways, those who disagree politically with the Government is categorically false.
My Lords, the issue is much more complex than that. I am concerned that the unit to which the Minister referred seems to be concerned only about security issues now. In December, I asked the Minister about the rise of political deepfakes, which often originate from overseas and have the potential to undermine trust in political leaders and our wider democratic processes. With the Data Protection and Digital Information Bill currently before the House already containing measures on what the Government call “democratic engagement”, can I tempt the Minister to bring forward new anti-deepfake provisions to help preserve the integrity of our upcoming general election—and not just our election in a year of big elections?
Indeed. It is worth reminding the House that close to 2 billion people will go to the polls over this calendar year. A great many of those elections in which they participate will come under attack from malign foreign influences. Therefore, we have implemented the Defending Democracy Taskforce, chaired by the Security Minister, which set up a new unit last year specifically dedicated to safeguarding our coming election, whenever it may be. It continues to engage with various committees of Parliament and with the Electoral Commission. We will look carefully at any proposals on deepfake provisions in the DPDI Bill. Deepfakes are already illegal today if they violate either the foreign interference offence or the false communications offence.
(10 months, 3 weeks ago)
Grand Committee
My Lords, this is the beginning of an important couple of debates about accountability. The breadth and the import of what noble Lords have said so far underlines how much we value that. We on the Labour Benches are co-signatories to both amendments in this group—the first, Amendment 76 in the name of the noble Viscount, Lord Colville, and the second, led by the noble Baroness, Lady Stowell.
Put simply, if the CMA is to be a regulator genuinely independent of government and accountable to Parliament, these amendments should stand. As it is, the legislation seems to suggest that, before the CMA can take any initiative on guidance, it first has to receive the approval of the Secretary of State. This is surely not only a time-consuming process but a wholly inefficient way of conducting business. I can well understand and appreciate why the Government desire to understand how the CMA intends to implement its regulatory policy, but do they really require such a firm and strong hand in the process? As it is, the CMA will be in constant consultation, discussion and interaction with government Ministers, and I do not see why, in the final analysis, approval has to come from the Secretary of State.
Can the Minister tell us how the regulatory regime compares with others? Do regulators like the Charity Commission, Ofcom, Ofwat, the Electoral Commission et cetera all require approval from the Secretary of State before issuing guidance? How does this process contrast with these other regulators? Is there a standard practice, or does it vary across regulatory frameworks? We need something that will work for this particular part of our economy, and it has to be built on trust and understanding and not reliant on the heavy hand of the centre of government coming in and ruling things in or out of guidance which the experts, in the form of the CMA and the DMU, have reflected and consulted on.
We obviously support the amendment of the noble Baroness, Lady Stowell, which, as I said, we co-signed. Consulting the relevant parliamentary committees seems a wholly sensible solution and step. These committees are powerful entities, as we know, full of expertise and insight, and they provide a layer of accountability that Parliament rightly expects. After all, the CMA is a creature of Parliament and of legislation that we will put through this House.
I am sure there are plenty of examples of where legislation, particularly secondary legislation, has benefited from the input and oversight of Select Committees and other committees of both Houses. The points made about lobbying the Secretary of State were important and powerful. We need maximum transparency, and we need openness in this process; otherwise, suspicion will abound, and we will always have cynics who say that Secretaries of State are very much in the pockets of business and commercial interests. We do not want that in this legislation; we want something that works for the market, for the competitive interests in the digital world, and particularly for consumers.
Ministers would do well to listen carefully to what the noble Baroness, Lady Stowell, said. She is an experienced parliamentarian, but, more than that, she was the chair of a regulator, so she understands exactly the import of the pressure that can come from central government and how it can best be managed.
These amendments are important for us in order to secure accountability in this market and in the way in which the various institutions work and operate together. I happily lend my support to both of them.
I start by thanking my noble friends Lord Black, Lady Harding and Lady Stowell, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, and the noble Lords, Lord Clement-Jones and Lord Bassam, for their thoughtful and valuable contributions. I absolutely recognise the seriousness of this part of the debate and look forward to setting out the Government’s position on it. I will address each amendment in turn.
I thank the noble Viscount, Lord Colville, and my noble friend Lady Stowell of Beeston for highlighting the subject of accountability to government and Parliament. As I said, I am aware of the importance of the topic, and I welcome the chance to speak to it now. Amendment 76, from the noble Viscount, Lord Colville, would remove the requirement that the Secretary of State must approve guidance produced by the CMA in relation to the digital markets regime. Amendment 77, from my noble friend Lady Stowell of Beeston, would also have this effect. Additionally, Amendment 77 would add a requirement for the CMA to consult certain parliamentary committees about proposed guidance and publish responses to any committee recommendations.
(10 months, 4 weeks ago)
Grand Committee
My Lords, I thank the noble Lord, Lord Faulks, for his neat and precise analysis of the position in which we find ourselves in the discussion on this group of amendments. This debate is a prequel to that which will follow on penalties, and we should see it in that light; the two things are very much connected, as the noble Lord, Lord Clement-Jones, made clear. Like him, I completely agreed with the noble Lord, Lord Vaizey, when he warned about using stray words. Proportionality is probably one of the most contested terms in law, and in all the 25 years or so that I have been in this House, I must have heard it in all the legal debates we have come across.
These are the first amendments seeking to restore some of the Bill’s original wording, which, as we have heard, was changed late in the day in the Commons. We are yet to receive a full explanation from the Minister of the reasons for that. The noble Lord, Lord Faulks, asked why, and we on these Benches pose the same question. Were Ministers lobbied into this and, if so, why? We support Amendments 16 and 53 in the name of the noble Lord, Lord Faulks, which, as he outlined, seek to restore the original wording of the Bill, taking out the word “proportionate”, removing proportionality as the determining factor behind a CMA pro-competition intervention and reinserting the word “appropriate”.
We have two, possibly three, sets of solutions to the problem that the Government have set. However, we also have added our names to Amendments 17 and 54, in the names of the noble Baronesses, Lady Stowell and Lady Harding, and the noble Lord, Lord Clement-Jones, with the intent of ensuring that clarifying that the condition for conduct requirements imposed by the CMA to be proportionate does not create that novel legal standard for appeals of decisions and the confusion that will flow from that. In our view, as the noble Baroness, Lady Harding, says, the original wording strikes the right balance, roughly speaking, whereas the Government’s version would weaken the intent of this part of the Bill.
The formulation of the noble Baroness, Lady Stowell, relies on prevailing public law standards—in other words, standards that are commonly understood. We take the view that we all need to know what rules we are working to, and if the Bill introduces or creates a new standard then that certainty is removed. Of course, when it comes to the issue of pre-emption, we will need to resolve the best way forward on this issue at the next stage of the Bill. For my part, I think that reversion might be the best route, but no doubt by negotiating round the Committee we can come up with a workable solution.
The amendments of the noble Lord, Lord Holmes, particularly Amendments 220 and 222, offer another way through it. However, on the face of it, for us they are useful in the context of reminding our Committee that guidance will need to be produced on the operation of this regime as it covers financial penalties and the countervailing benefits exemptions.
We have heard a lot about the new regime being flexible and participatory as a framework for regulation, and we agree with that principle. However, we think that, with this particular change, the Government strike at the heart of that and bring in a measure of uncertainty that is unwise, frankly, in this particular process. The intervention of the noble Lord, Lord Lansley, was very telling. What he told the Committee was extremely important and we should listen very carefully to what was said in that exchange of correspondence. He rather shot the Government’s fox.
In conclusion, the Minister has a bit of a difficult job on his hands here. He may feel the weight of the Committee against him. I rather hope that he can offer us a measure of reassurance and perhaps help us come to a point where the whole Committee can agree a sensible reversion or an amendment that makes the Bill as workable as it seemed when it was first drafted.
I thank the noble Lord, Lord Faulks, for raising the topic of proportionality in the digital markets regime and for doing so with such a clear and compelling analysis, which I think all of us, myself included, found deeply helpful. This is of course the requirement for the CMA to impose conduct requirements and pro-competition interventions on firms only where it is proportionate to do so.
First, I reassure my noble friend Lady Harding that this change is not about introducing a new standard or meaning of proportionality but about clarifying the scope of decisions that it applies to.
Amendments 16 and 53 from the noble Lord, Lord Faulks, seek to remove the explicit statutory requirement for PCIs and conduct requirements to be proportionate. Under these amendments, SMS firms would still be able to argue that their rights to peaceful enjoyment of property under Article 1 of the first protocol of the ECHR, or A1P1, were engaged in most cases, allowing them to appeal on the basis of proportionality. I refer noble Lords to the ECHR memorandum published by the department, which explains how the regime intersects with human rights and how this relates to property rights. A1P1 protects possessions, which can include enforceable rights such as contracts, and so regulating SMS firms under the regime would commonly affect possessions, and therefore engage A1P1.
The Government have always been clear that the CMA will need to act proportionately and comply with ECHR requirements, and that imposing obligations on SMS firms will very often engage the firm’s rights under A1P1. However, having a statutory requirement for proportionality in the Bill reinforces the Government’s expectations for how the CMA should design conduct requirements and PCIs, to place as little burden as possible on firms while still effectively addressing competition issues. This should be the case even when A1P1 property rights are not engaged, which this requirement provides for.
In particular, it is worth highlighting that A1P1 rights on their own would not amount to grounds to challenge interventions that impact a firm’s future contracts. It is right that these interventions should be proportionate. I understand the concern from many noble Lords about any extension to the grounds for appeal in the regime, but we are giving extensive new powers to the CMA to regulate digital markets.
My Lords, if I might help the Minister, this legislation has been knocking around for some time now, so what was it that provided that blinding flash of official or ministerial inspiration to bring this amendment about “proportionate” so late in the day in the other place that it was tabled right at the end of the Commons process? What was it that was so compelling as to make that dramatic change?
If noble Lords will forgive me; that was a large variety of questions. First, I can confirm right away that I have not received any lobbying from any big tech firms on this topic—none; zero. Secondly, as with any Bill, this was part of an ongoing pattern of constantly looking for means of improving the Bill, to maximise its clarity and effectiveness. I recognise the concern voiced by the Committee about this. I am very happy to set out in detail all the arguments I have attempted to make. I hope that will go some way further towards satisfying the Committee.
(11 months ago)
Grand Committee
My Lords, I am sure the noble Viscount has more important things to say than I have, but it falls to me to make a few comments from the Opposition Benches on this. While listening to my noble friend Lord Knight, I was reflecting that we might be the last profession ever to be dismissed or appointed by algorithm and wondering whether that is a good or a bad thing. I leave that for the Minister to ponder while I make my observations.
The noble Lord, Lord Clement-Jones, introduced these amendments with his customary skill and guile. No doubt, like the rest of us, he has been extremely well briefed by the Institute for the Future of Work; I pay tribute to my noble friend Lord Knight for his work in that regard. This group of amendments is extremely important. We know that, with algorithms, new digital technology and thinking, just as the history lesson from my noble friend showed, it is really important when technological revolutions happen that we grasp the moment to think about their wider social and economic impact—with this, in particular, the impact on the world of work.
On the face of it, these amendments would provide a valuable extension of the CMA’s remit and role and could lead to protection of consumers and workers from the adverse impacts brought about by the activities of digital companies that operate in a dominant position in the marketplace. As the noble Lord, Lord Clement-Jones, said, the near-monopoly position of some companies means that wage and price fixing are a real concern. The ability of the CMA to monitor, comment and have an impact on conduct could have a wider and beneficial impact on ensuring that the market works not only well but fairly and with equity. It is the case that social, environmental and well-being risks and impacts, including work conditions and the environment, are under increasing scrutiny from consumer and corporate sustainability perspectives.
The noble Lord, Lord Clement-Jones, referenced the World Economic Forum’s Global Risks Report and the EU’s new corporate sustainability due diligence directive 2023, to be introduced later this year. They exemplify the importance and salience of the issue. As he said, this all suggests that consumer interests can extend to local supply chains, so, as a consequence, informed decision-making will need to have better information on work impacts in the future. Consumers are, as has been said, both consumers and workers, and they are bound to take much greater interest in digital workplaces. From these Benches, we therefore support, in general terms, better monitoring, intervention and information sharing by the CMA; if these amendments achieve that objective, they are certainly worthy of our support. The Minister will have to persuade us otherwise, or explain that the CMA will have the scope to use its powers to satisfy the objectives behind the amendments in the name of the noble Lord, Lord Clement-Jones.
I was intrigued by the reference by the noble Baroness, Lady Kidron, to sports officials being put out of a job. I am a big football fan, as many colleagues will know. It just seems to me that VAR is a great example of how you can generate even more activity and interest by the digitisation of assessments and the use of algorithms to judge whether something is or is not offside. We are happy to support these amendments; we think they potentially touch on a vital aspect of the CMA’s work and we look forward to what the Minister has to say about them.
My Lords, I apologise to the noble Lord, Lord Bassam, for jumping the gun before his interesting words. I reflect that the algorithm that puts exactly this combination of people in this Room would be fairly complex—but a good one.
I thank the noble Lord, Lord Clement-Jones, for using several amendments to raise the important issue of the impact of technologies, such as artificial intelligence, on workers and the nature of work. I also thank the noble Lords, Lord Knight and Lord Bassam, and the noble Baroness, Lady Kidron, for their contributions to what is an important part of our deliberations.
The Government of course recognise that new technologies can create challenges and risks, as well as opportunities and benefits. I agree with noble Lords that the impact of technology on work and workers deserves attention, and I will respond to each amendment in turn. However, I also hope that noble Lords agree that it is of paramount importance that this regime is effective and focused on promoting competition for the benefit of consumers, which is the CMA’s area of expertise. I know that future amendments propose that the CMA’s focus should go beyond that, so perhaps the bulk of that can be left for that debate.
The CMA has been considering future issues in the space of competition, and indeed recently published its first horizon-scanning report on 10 trends in digital markets and how they may develop over the next five years and beyond. However, the Government feel that wider issues around the impact of digital technologies on work and workers—those that do not impinge directly on competition for the benefit of consumers—are better dealt with elsewhere.
Amendment 2 would allow the CMA to establish that there is a link to the UK for the purposes of designating a firm with SMS when a digital activity is likely to have a substantial impact on work or work environments in the United Kingdom. The CMA’s objective is, as I say, to promote competition for the benefit of consumers, and it is important that the digital markets regime is focused on competition.
The current criteria to establish a link to the UK ensure that the regime is targeted and proportionate, and draw on similar approaches in other legislation, including Chapter 1 of the Competition Act 1998. However, this amendment would allow the CMA to link a digital activity to the UK on the basis of impacts that are explicitly unrelated to competition. It would therefore detract from the aims of the regime, which are competition focused. It would also be inappropriate for the CMA to assess impacts unrelated to competition, which is its area of expertise and jurisdiction.
Amendments 18 and 23 would ensure that the CMA can require the SMS firm, through conduct requirements, to carry out and share an assessment on wider social impacts. I agree with noble Lords that it is of crucial importance that users are given the information necessary to make informed decisions about the services they use. The current objectives and list of permitted types of conduct requirements have been carefully drafted to ensure that the regime can protect consumers and businesses that rely on SMS firms via targeted and tailored rules. Conduct requirements can be imposed for the purposes of the trust and transparency objective, to ensure that those who use or seek to use the relevant digital activity have the information they need to understand the terms on which the activity is provided. This amendment would go beyond the scope and competition remit of the CMA, potentially creating new burdens and additional complexities, which could slow down effective enforcement.
Amendment 56 would expand the concept of an adverse effect on competition to include the displacement or alteration of work conditions or environments within the United Kingdom. Pro-competition interventions are designed specifically to address the root causes of the substantial and entrenched market power which gives rise to strategic market status. Where adverse working conditions intersect with or create a substantial negative impact on the competition within a particular market or industry, it may be relevant for the CMA to consider these. However, explicitly amending the definition of adverse effects on competition to include workplace conditions would skew the focus of the regulator away from competition and shift PCIs away from the established precedent of the markets’ regime. During a PCI investigation, the CMA may identify actions that other regulators or public bodies would be better placed to act upon. This may include the DMU referring issues such as workplace conditions to a relevant regulator, better placed to deal with these key issues.
I refer to the digital regulators themselves—the ICO or the FCA and Ofcom—or indeed regulators with oversight of employment law.
Amendment 61 would enable the CMA to require algorithmic impact assessments, to assess the impact of algorithms on society and the environment, including working conditions, if it considered such information relevant to its digital markets functions. I agree wholeheartedly with the noble Lord about the importance of understanding the impact of algorithmic systems on society, the environment and working conditions in the UK.
Is the Minister saying that it is up to the CMA to decide whether it is a relevant consideration?
Yes, I think that I am saying that. The CMA, over the course of its investigations, can come across information beyond its own competitive remit but relevant for other regulators, and then could and should choose to advise those other regulators of a possible path for action.
(1 year ago)
Lords Chamber
I thank my noble friend for that question on the important area of AI usage in defence. As she will recall, AI in defence is principally conducted within the remit of the Ministry of Defence itself. My role has very little oversight of that, but I will take steps with government colleagues to confirm an answer for my noble friend.
My Lords, the Minister referred earlier to new risks. Sadly, the rapid development of AI has given rise to deepfake video and audio of political leaders, most recently the London Mayor, Sadiq Khan. We debated such issues during the passage of the Online Safety Act, but many were left feeling that the challenges that AI poses to our democratic processes were not sufficiently addressed. With a general election on the horizon who knows when, what steps are the Minister and his ministerial colleagues taking to protect our proud democratic traditions from bad actors and their exploitation of these new technologies? This is urgent.
I thank the noble Lord for raising this; it is extremely urgent. In my view, few things could be more catastrophic than the loss of faith in our electoral process. In addition to the protections that will be in place through the Online Safety Act, the Government have set up the Defending Democracy Taskforce under the chairmanship of the Minister for Security, with a range of ministerial and official activities around it. That task force will engage closely, both nationally, with Parliament and other groups and stakeholders, and internationally, to learn from allies who are also facing elections over the same period.
(1 year, 1 month ago)
Lords Chamber
To ask His Majesty’s Government, following the action taken by the United States in respect of regulating artificial intelligence, including the recent signing of an Executive Order, whether they have plans to introduce similar provisions in UK law.
In the AI regulation White Paper we set out our first steps towards establishing a regulatory framework for AI. We are aligned with the United States in taking a proportionate, context-based and evidence-led approach to AI regulation. The White Paper did not commit to new legislation at this stage. However, we have not ruled out legislative action in future as and when there is evidence of substantial risks, where non-statutory measures would be ineffective.
My Lords, I am a little disappointed in the Minister’s response, but we welcome the discussions that took place at Bletchley Park. While the Prime Minister says he will not rush to regulate, as the Minister knows, other jurisdictions—the US and the EU—are moving ahead. Labour in government would act swiftly to implement a number of checks on firms developing this most powerful form of frontier AI. A Bill might not have been in the King’s Speech, but that does not mean that the Government cannot legislate. Will the Minister today commit to doing so?
The Government are by no means anti legislation; we are simply anti legislation that is developed in advance of fully understanding the implications of the technology, its benefits and indeed its risks. This is a widely shared view. One of the results of the Bletchley summit that the noble Lord mentioned will be a state-of-the-science report convened by Professor Bengio to take forward our understanding on this, so that evidence-based legislation can then as necessary be put in place. As I say, we feel that we are very closely aligned to the US approach in this area and look forward to working closely with the US and others going forward.
(1 year, 1 month ago)
Lords Chamber
That is an important part of the Government’s approach to this very difficult, nasty situation. Last week, the Secretary of State met leaders of Jewish communities, and ongoing meetings are similarly being convened by DLUHC with all communities. We are establishing bridges between these communities and the social media platforms. One advantage they have in that dialogue is that they are accorded trusted flagger status, which greatly reduces the amount of time it takes to raise content of concern.
My Lords, the House has previously debated the role and work of the Counter-Disinformation Unit. I do not think anybody was particularly convinced by the assurances which the Minister gave back in July. These issues have been brought into sharp focus by recent events. At the time of that last debate, we were promised a meeting. Unless our Front Bench was left off the invite list, I am not aware of that follow-up meeting having taken place. Given some of the Minister’s responses today, that meeting is now more urgent than ever. Can the Minister commit to meet with those of us who are deeply concerned about this issue?
I remember the July debate very well. I made a commitment then to meet with concerned Members, which I am happy to repeat. Again, I ask that concerned Members write to me to indicate that they would like to meet. Those who have written to me, have met with me.
(1 year, 3 months ago)
Grand Committee
My Lords, I am grateful to the Minister, as ever, and to the noble Lord, Lord Clement-Jones, for his contribution. He had lots of questions, as ever, many the same as those we asked during the passage of the Bill.
The Product Security and Telecommunications Infrastructure Act creates a regime that has three purposes, which the Minister set out. They are to minimise default or easy-to-guess passwords, to maintain an awareness of security threats and publish contact information for use by consumers and owners, and to encourage greater transparency about how long the products covered by this legislation will receive security updates and support. I agree with the noble Lord, Lord Clement-Jones, that these are low-hanging fruit for regulation. We should look at this instrument as a small step in the right direction.
With that in our minds, we supported the PSTI Bill during its passage and, in common with other Members of the House, tabled and supported a number of amendments to go further than the Government wished.
The requirements being imposed on manufacturers are widely supported by consumer groups, although they are rightly very nervous and watchful of the direction in which the legislation takes us in terms of data. Questions are being asked about whether the standards are sufficient and what role, if any, distributors will have in improving consumer knowledge of security issues.
As discussed in a debate earlier this week, people’s habits with regard to data and the digital world have changed enormously over the past few years. This includes the rapid take-up of smart and connectable devices, such as smart speakers, CCTV doorbells and so on. These products are highly desirable, and yet research has demonstrated that many contain significant security vulnerabilities and that consumers are generally not aware of the risks that they face.
A policy commitment was made back in January 2020 and the Bill was passed in December 2022, so why will the new regime come into force only by April next year? We understand the need for technical details to be worked through and for manufacturers to adjust their own systems, but could the Government not have moved more quickly than this? This is a fast-moving market, after all.
We supported the passage of the Bill and, as I said, worked with colleagues across the House to push the Government to be more ambitious about the regime’s scope and the security standards that should be met by manufacturers, but it seems that Ministers refused to raise the bar and continue to do so.
As the noble Lord, Lord Clement-Jones, said, Which? and others have noted that, while the Act allows the Government to place requirements on manufacturers, importers and distributors, these regulations cover only manufacturers. Is the hope that distributors and retailers will pass security information on to consumers voluntarily or is the department looking at other tailored requirements for them? If the latter, how long might this take? Perhaps the Minister could elucidate that.
It seems that every day we hear of another major hack or data breach. Some are used to defraud victims, while others harness networks of smart devices to launch attacks on major websites. Sadly, these dangers are likely only to grow, as we discovered in recent weeks, so it is vital that the Government keep their foot on the gas on these issues, rather than passing these regulations and considering them job done. There is much more to do.
Like the noble Lord, Lord Clement-Jones, I draw attention to the Which? briefing paper, reflected in a Guardian article today, which suggests that manufacturers may be using these devices to collect more data than the legislation seemingly enables, which is shocking. Asking for postcodes and date-of-birth data seems outwith the manufacturers’ immediate needs. Can the Minister throw some light on this issue? What are the Government’s intentions regarding it and how do they intend to address it? These issues of data retention and use are serious. They affect consumer behaviour, confidence and trust, and trust is a terribly important commodity in today’s world. I hope the Minister can answer those questions.
I am rather with the noble Lord, Lord Clement-Jones, on smart meters. We have one; it is a scary device, and it has become scarier in the last year as the bills have gone up. I am not sure of its value but my wife tells me it is an invaluable tool. I hope that is the case, that we can get better and more confident about the data that these things produce, and that they are in the service of the consumer rather than of the manufacturer, because that is really where we should be coming from.
I thank the crowds of noble Lords for their valuable contributions to the debate. I will make some general comments to start and then come to specific points that noble Lords have made.
Consumers assume that if a product is for sale it is secure, but too often—I think we are in agreement on this—that is not the case. Many consumers are at risk of cyberattacks, theft, fraud and even physical danger. These regulations will change that, ensuring that protections are implemented for our commonly used items such as smartphones, smartwatches and smart baby monitors, as well as the UK citizens and businesses that use them.
Cybercrime is thought to cost the UK billions of pounds every year, with one report by Detica and the Cabinet Office estimating the total cost at £27 billion a year. In 2020-21 the National Fraud Intelligence Bureau reported receiving over 30,000 reports of cybercrime, resulting in estimated losses of £9.6 million for the victims. Cybercrime is on the rise, and vulnerable internet-of-things products are a key attack vector for criminals. This instrument is an essential step in fighting the dangers of cyber risks.
While the product security regime will come into effect only next April, with the support of this House, I want to take this opportunity to reflect on how far we have come on this agenda. The development of the regime has been supported by a huge range of officials but I extend particular thanks to Peter Stephens, Jasper Pandza, Veena Dholiwar, Maria Bormaliyska, Jonathan Angwin, Warda Hassan, Howard Cheng and Eilidh Tickle for their dedicated and diligent advice.
I thank all experts who have contributed to delivering this regime since 2016. Among them stands Professor David Rogers, to whom I pay particular thanks for his leading role in developing the Code of Practice for Consumer IoT Security on which the security requirements of this instrument are based. Lastly, I too thank Which? for being a champion of consumer security, and for holding the Government to account throughout the process of delivering these important measures and on this agenda more broadly.
I shall now respond to the questions that have been asked. On the topic of why the security baseline does not go further, a matter raised by both noble Lords, we do not believe at this stage that there is sufficient evidence to suggest that mandating security requirements beyond the initial baseline would be appropriate. Specifically, we do not currently consider it appropriate to mandate minimum security-update periods for relevant connectable products before the impact of the initial security requirements is known. Governments mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits or of leaving citizens exposed to cyber threats.
However, the Government agree that, for a number of consumer connectable product verticals, implementation of the three security requirements alone would not be sufficient. Legislation, however, is not the only incentive driving the security practices adopted by tech manufacturers. Evidence suggests that consumers value and consider the security of a product when making purchasing decisions, but assume that products available for them to purchase will not expose them to avoidable security risks.
In ensuring that manufacturers are transparent with UK consumers about how a product’s security will be maintained, we expect the product security regime to incentivise improved standards of cybersecurity beyond the initial three requirements. The Government will closely monitor the impact of the initial security requirements on standards of cybersecurity across the sector, and will not hesitate to mandate further requirements using the powers provided by the parent Act if necessary.
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
The Minister has referenced two pieces of legislation which almost—this is perhaps going a bit far—predate the digital age. Is he saying that those are fit for purpose, given that much has changed since 1986, to cite one of the dates he gave, and subsequent pieces of legislation? Are they right for what we are doing now?
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
(1 year, 3 months ago)
Lords Chamber
I thank the noble Lords, Lord Bassam and Lord Wallace of Saltaire. Dealing first with the comments of the noble Lord, Lord Bassam, I think it is a stretch by anybody’s imagination to describe this as a climbdown and a humiliation, albeit while welcoming it. In principle, three major advances in our standing have been made with the deal: first, the creation of the clawback mechanism to mitigate the risk that we spend more than we receive; secondly, the fact that we do not spend any money on any time or activities to which we do not have access or where we are not a member; and, thirdly, the ability to withdraw from Euratom or other areas of the programme from which we did not benefit.
Can the Minister clarify in which year, during any of the time that we were part of Horizon, we ever needed to have a clawback arrangement? My understanding was that we were net beneficiaries from Horizon for the entirety of the programme.
As a number of noble Lords have observed in this debate and previously, the fact that we were not members of the Horizon programme was of great concern and probably did lasting damage to the UK’s scientific community. One way to protect ourselves from further lasting damage was to create the clawback mechanism, to make sure that the money we put in would not exceed the money we took out.
It is worth reminding noble Lords that the United Kingdom did not decide to withdraw from Horizon association; the EU withdrew our association from us—making an association with the Northern Ireland protocol—which we appealed. It has always been our preference to be a member of the Horizon programme. The negotiations were hard fought and necessarily took a long time. We feel that they have given us a more than reasonable result. I do not enjoy the overhyping that the noble Lord, Lord Wallace of Saltaire, perhaps rightly points out, but on the other hand I think it a worthy cause for celebration that we are able to reassociate with the programme, which has been welcomed by the sector.
With respect to the Pioneer programme and the analysis of the opportunity cost, I argue that it would have been extremely reckless to have been negotiating with the EU and not had a programme. It would be like driving uninsured. I do not know the cost in terms of measuring the time of civil servants and other officials in creating the policy—I do not particularly know how to find out, but I am more than willing to try—but it was not a significant cost in that no actual investments were made beyond people’s time and effort to perform the preparations. The opportunity cost of the time we have missed in Horizon is a calculation that has to be performed at the end of the Horizon period in 2027, so that we can understand overall, end to end, what was paid and what was the effect of missing out.
Finally, I remind the House that the United Kingdom is putting £20 billion a year into R&D by 2024-25. This is the greatest increase ever in any public spending review period and shows how seriously we take our goals of becoming a science and technology superpower.
I will take back the comments that the noble Lord, Lord Wallace of Saltaire, made on how visa charges and health charges will be very off-putting. I take that on board, as well as the comparison of academic pay for scientists. I will absolutely have a look at that.
(1 year, 5 months ago)
Lords Chamber
My Lords, the Government’s intention has always been that this Bill should apply UK-wide. In the process of delivering this ambition, we were able to confirm that legislative consent was not required from Northern Ireland or Wales. However, in the case of Scotland, private property law, as affected by this Bill, is a devolved matter and therefore legislative consent is necessary. As a result of amendments made to the Bill in the other place, we have received legislative consent from the Scottish Parliament.
The Bill has been amended to the effect that it now confers the delegated power in Clause 5(2)(b) additionally on Scottish Ministers both to exercise the power alone within areas of devolved competence and to act jointly with the Secretary of State. By including the option for Scottish Ministers to act alone and also to act jointly with the Secretary of State, the delegated powers can be exercised in a flexible manner that best suits the prevailing need for secondary legislation. Moreover, it avoids any future uncertainty as to whether matters are within the devolved competence of Scottish Ministers, particularly if they cut across devolved and reserved matters. The requirement in Clause 5(4) for the Secretary of State to consult Scottish Ministers before exercising the power in Clause 5(2)(b) will be disapplied in circumstances where the Secretary of State and Scottish Ministers act jointly to make regulations.
As noted earlier, while the Bill is unlikely to need future amendment, we believe that such changes are best delivered through concurrent delegated powers, which will allow both the Secretary of State and Scottish Ministers to make those changes. The amendments will therefore enable Scottish Ministers to make such regulations in a case in which all the provision made by the regulations is within Scottish devolved competence, and to act jointly with, or be consulted by, the Secretary of State in other cases.
The delegated powers previously afforded to the Secretary of State by the Bill are not substantively affected by this amendment. In view of this, Amendment 6 provides for regulations under Clause 5 to be subject to the affirmative resolution procedure at Westminster and in the Scottish Parliament.
In addition to these two substantive amendments, we have also had to include four consequential amendments to update and correct cross-references within the Bill. I hope noble Lords will acknowledge the requirement for the amendment to Clause 5 to change the delegated power and the consequential amendments that allow this new clause to be inserted into the Bill.
I reiterate the thanks that my noble friend Lord Parkinson of Whitley Bay gave at Third Reading to all those involved in the passage of this transformational Bill. I beg to move.
My Lords, I have studied the amendments closely and I can see the beneficial net effect of them. I guess that Amendment 4 is probably the most crucial to the package, and I think the noble Viscount was right to introduce them together in the way he did. I do not have much to say other than that, except to congratulate the Government on having the foresight to bring this legislation forward, and to thank the noble Lord, Lord Parkinson, for the work he did both in the Special Public Bill Committee and on the Floor of the House in considering the legislation.
I have a question for the noble Viscount, which I asked the last time we considered the Bill. This is a very important and significant piece of legislation that will go a long way to making the passage of international trade much easier, considering the impact that it could have. It will make it much easier to trade across international boundaries, and the volume of trade is such that removing the constraint on the use of electronic communication is extremely important. It is estimated that it could save as much as 15% of current transaction costs. That would be a considerable net benefit to the UK economy.
The one thing that worried and troubled me during our consideration was that there did not seem to be an implementation plan. When I quizzed the noble Lord, Lord Parkinson, on this, I was less than convinced by his response; I hope he was more convinced than I was. I do not see a plan yet. There is a role for one of the government departments involved in this to take a lead. It is really important that it does so in a way that works well with business, and consults business and all other interests to ensure that we get the maximum from this legislation; otherwise, I suspect it will lie unused.
We are one of only two jurisdictions that have made advances and progress on this. I know that others are looking at our work in the field and, if we can make a success of it, others will undoubtedly follow—but it needs leadership at the top to make this useful piece of legislation workable in future and to enhance our credentials as an international trading country.
(1 year, 5 months ago)
Lords Chamber
DSIT works extensively across universities on this and other programmes. In addition, the Government commission a range of research, particularly in the area of deafblindness, not least, for instance, into the procurement of hearing aids by the NHS.
My Lords, we on our Benches very much welcome the research and development that is taking place, and the pretty unprecedented pace at which new technologies become available. However, this poses a challenge, not just for government departments, charities and individuals but for wider society. To pursue the points raised by the noble Lord, Lord Clement-Jones, I would like to pin the Minister down a bit more on what he sees as his department’s role, and that of the Department of Health and Social Care, in accrediting and procuring these emerging technologies. He seems to suggest that departments should just get on and do it themselves, without any plan or strategy. That cannot be right.
I thank the noble Lord for that question. I certainly hope my remarks did not come across as me asking other ministries to merely improvise in this space. DSIT can contribute in three very important ways under the structure of the science and technology framework, the ambition of which is to make us a science and tech superpower by 2030. We can make three distinct contributions: first, by growing the economy overall through the use of science and technology; secondly, by driving innovation in all areas; and, thirdly, and most pertinently to this Question, by ensuring that the technology developed in this space is always as inclusive and accessible as it can possibly be.
(1 year, 5 months ago)
Lords Chamber
The White Paper set out the Government’s approach to regulation. The consultation on the White Paper closed on Wednesday; it has received a range of highly informed critiques, and praise from several surprising quarters. Once we have been through it and assessed the findings of that, we will take forward the approach to regulating AI, which, as the noble Lord quite rightly points out, is moving at a very fast pace.
My Lords, while we are told that the Online Safety Bill is both technology-neutral and future-proofed, concerns are being raised, with doubts that emerging AI-related threats are sufficiently covered. With the Bill finally approaching Report, do the Government intend to introduce any AI-focused protective measures? What if the Government realise after the Bill’s passage that more regulations are needed? How confident is the Minister that future legislation will not be subject to the same sorts of delays that we have experienced with the Online Safety Bill?
The noble Lord is absolutely right to point out that legislation must necessarily move more slowly than technology. As far as possible, the Online Safety Bill has been designed to be future-proof and not to specify or identify specific technologies and their effects. AI has been discussed as part of that, and those discussions continue.
(1 year, 6 months ago)
Lords Chamber
My Lords, it has now been 128 weeks of uncertainty, delay and broken promises since the Government took us out of the world’s biggest and most prestigious science fund, Horizon Europe. Will the Minister confirm or deny that part of the continued delay to the UK’s re-entry into the programme has been caused by a demand for a fee reduction? Does he agree that our continued exclusion from the scheme is damaging research and development collaborations across the EU that have benefited the UK in the past?
I thank the noble Lord for that question. The first thing to remind the House is that it was not a decision of the UK Government not to be associated with the Horizon programme. Following the trade and co-operation agreement—of which association to Horizon was a part—that association was withdrawn from the United Kingdom. Beyond that, as I say, I cannot comment on the forces at work behind individual negotiation points, but I recognise the frustration and concern that result from the lengthy period of negotiations.
(1 year, 7 months ago)
Lords Chamber
I thank the noble Viscount for his question, and let me take the opportunity to commend the work of Cancer Research UK. The Government’s preference is to associate to Horizon, for the reasons he very ably sets out. However, it must be on fair and appropriate terms that reflect not just the past damage done by our missing two years, during which we were not associated with Horizon Europe, but ongoing and future uncertainties that not being associated have inevitably created for us. We have done the responsible thing by putting in place a suitable alternative, but I stress that it is not our preferred outcome of these very welcome talks with the EU.
Following on from the question from my noble friend Lord Stansgate, the Government must explain exactly where they are here. We were led to believe that after the Windsor Agreement, the UK’s transition to the Horizon research programme was to be straightforward. What has made the Government go through this rethink? How much has the country lost in net worth in investment in research and development by doing the hokey-cokey with the Horizon programme, given that we were massive net beneficiaries under the old EU scheme? We need clarity. We were promised this, and I do not understand why the Government are messing around with research and development in this country. We were promised that we would get better results by coming out of Europe, but we are not. We are going backwards.
I stress again that our preference is to go back into the Horizon programme. We are in negotiations with the EU to achieve that. We have understood our own requirements for doing that and are seeking them. The noble Lord would not expect me to comment on an ongoing negotiation, but our hope is that we can arrive at a deal which is fair and appropriate for UK taxpayers, businesses and, of course, universities. As to the results over the last brief period of negotiation since the signing of the Windsor Framework, I cannot put a figure on exactly how much research has not been conducted over the two months of the ongoing negotiations.