(6 years, 11 months ago)
Lords ChamberMy Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.