Lord Clement-Jones (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?

At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.

Lord Clement-Jones

- Hansard -

Copy Link

- - Excerpts

I may have to add later to what I have said, which I think the Minister will find totally unpalatable. I will try to move on.

The Minister also said:

“You are concerned that if consent is not a genuine option in these situations and there are no specific processing conditions in the Bill to cover this on grounds of substantial public interest. Processing in these circumstances would be unlawful. To make their consent GDPR compliant, an employer or school must provide a reasonable alternative that achieves the same ends, for example, offering ‘manual’ entry by way of a reception desk”.


Consent is rarely valid in an employment context. If an employer believes that certain premises require higher levels of security, and that biometric access controls are a necessary and proportionate solution, it cannot be optional with alternative mechanisms that are less secure, as that undermines the security reasons for needing the higher levels of security in the first place: for example, where an employer secures a specific office or where the staff are working on highly sensitive or confidential matters, or where the employer secures a specific room in an office, such as a server room, where only a small number of people can have access and the access needs to be more secure.

Biometrics are unique to each person. A pass card can easily be lost or passed to someone else. It is not feasible or practical to insist that organisations employ extra staff for each secure office or secure room to act as security guards to manually let people in.

The Minister further stated:

“You also queried whether researchers involved in improving the reliability or ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. Article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing that appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards of clause 18 of the Bill. For the purposes of GDPR, ‘scientific research’ has a broad meaning. When taken together with the obvious possibility of consent-based research, we are confident that the Bill allows for the general type of testing you have described”.


It is good to hear that the Government interpret the research provisions as being broad enough to accommodate the research and development described. However, for organisations to use these provisions with confidence, they need to know whether the ICO and courts will take the same broad view.

There are other amendments which would broaden the understanding of the research definition, which no doubt the Minister will speak to and which the Government could support to leave no room for doubt for organisations. However, it is inaccurate to assume that all R&D will be consent based; in fact, very little of it will be. Given the need for consent to be a genuine choice to be valid, organisations can rarely rely on this as they need a minimum amount of reliable data for R&D that presents a representative sample for whatever they are doing. That is undermined by allowing individuals to opt in and out whenever they choose. In particular, for machine learning and AI, there is a danger of discrimination and bias if R&D has incomplete datasets and data that does not accurately represent the population. There have already been cases of poor facial recognition programmes in other parts of the world that do not recognise certain races because the input data did not contain sufficient samples of that particular ethnicity with which to train the model.

This is even more the case where the biometric data for research and development is for the purpose of improving systems to improve security. Those employing security and fraud prevention measures have constantly to evaluate and improve their systems to stay one step ahead of those with malicious intent. The data required for this needs to be guaranteed and not left to chance by allowing individuals to choose. The research and development to improve the system is an integral aspect of providing the system in the first place.

I hope that the Minister recognises some of those statements that he made in his letter and will be able, at least to some degree, to respond to the points that I have made. There has been some toing and froing, so I think that he is pretty well aware of the points being raised. Even if he cannot accept these amendments, I hope that he can at least indicate that biometrics is the subject of live attention within his department and that work will be ongoing to find a solution to some of the issues that I have raised. I beg to move.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

- - Excerpts

I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.

Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.

Recital 80 of the GDPR explains the role of the representative:

“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.


Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?