Data Protection Bill [HL] Debate
Full Debate: Read Full DebateBaroness Kidron
Main Page: Baroness Kidron (Crossbench - Life peer)Department Debates - View all Baroness Kidron's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, I am very grateful to noble Lords for their comments. Although I have to say at the outset that we have some reservations about these amendments, I think we might be able to find a way forward this evening. I have listened to the noble Lords, Lord Stevenson and Lord Clement-Jones, and taken their remarks on board, but I have especially listened to the noble Baroness, Lady Kidron, who spoke about children. We have some experience of her input in this Bill. I obviously take a lot of notice of what the noble Lords, Lord Stevenson and Lord Clement-Jones, say but, as you know, familiarity and all that, so I have certainly listened especially to the noble Baroness, Lady Kidron.
The Government are sympathetic to the idea of facilitating greater private enforcement, but we continue to believe that the Bill as drafted provides significant and sufficient recourse for data subjects. In our view, there is no need to invoke article 80(2) of the GDPR, with all the risks and potential pitfalls that that entails. To recap, the GDPR provides for, and the Bill allows, data subjects to mandate a suitable non-profit organisation to represent their interests following a purported infringement. The power will, in other words, be in their hands. They will have control over which organisation is best placed to represent their interests, what action to take and what remedy to seek. The GDPR also places robust obligations on the data controller to notify the data subject if there has been a breach which is likely to result in a high risk to the data subject’s rights and freedoms. This is almost unprecedented and quite different from, say, consumer law where compulsory notification of customers is rarely proportionate or achievable.
These are very significant developments from the 1998 Act and augment a rapidly growing list of enforcement options available to data subjects. That list already includes existing provisions for collective redress, such as group litigation orders, which were used so effectively in the recent Morrisons data breach case, and the ability for individuals and organisations to independently complain to the Information Commissioner where they have concerns about how personal data is being processed.
What these initiatives have in common is that they, like the GDPR as a whole, seek to empower data subjects and ensure they receive the information they need to enforce their own data rights. By comparison, Amendments 175 and 175A would go much further. I stress that, as I have already said, we are not against greater private enforcement, and I have borne in mind the points the noble Baroness made about children. We also have reservations about the drafting and purpose of these amendments, all of which I could of course go through at length, if the House wishes, but in view of what I am about to say, I hope that will not be necessary.
Since Committee, the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of Clause 173 as it is currently drafted. The Government are fully prepared to look again at the issue of article 80(2) in the context of that review. We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions.
In view of that, I would be very grateful if the noble Lord will withdraw his amendment this evening and other noble Lords do not press theirs.
Before the Minister sits down, can I get absolute reassurance from him that this is not pushing it into the future, where it will languish? Will the Government be looking to this review to actually solve the problem that we have put forward on behalf of children?
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.