All 3 Baroness Ludford contributions to the Data Protection Act 2018

Read Bill Ministerial Extracts

Tue 10th Oct 2017
Data Protection Bill [HL]
Lords Chamber

2nd reading (Hansard): House of Lords
Mon 30th Oct 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 1st sitting (Hansard): House of Lords
Mon 11th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 1st sitting: House of Lords

Data Protection Bill [HL]

Baroness Ludford Excerpts
2nd reading (Hansard): House of Lords
Tuesday 10th October 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Baroness Ludford Portrait Baroness Ludford (LD)
- Hansard - -

My Lords, I welcome the modernisation of data protection law that the Bill represents and the intention to comply with EU law in the regulation and directive—which of course we must do while we are still in the EU. I am particularly concerned with the future and the prospects for an adequacy decision from the Commission if we find ourselves outside both the EU and the EEA. A failure to get such a decision would be extremely harmful for both businesses and other organisations and for law enforcement.

I will look briefly at the past. In 2013 in the European Parliament I was one of the lead MEPs establishing the Parliament’s position on the regulation. I believe that we did a decent job—that was before the negotiations with the Council, which watered it down somewhat. The Government rightly acknowledge that the new system will build accountability with less bureaucracy, alleviating administrative and financial burdens while holding data controllers more accountable for data being processed—backed up by the possibility of remedies for abuse including notable fines. But the purpose is to provide incentives to build in privacy from the beginning through such instruments as data protection impact assessments and having a data protection officer, through data protection by design and default—thereby avoiding getting to the point of redress being necessary. As an aside, the routine registration with the Information Commissioner’s Office will be abolished, and I am not aware of how the ICO will be funded in future, because that was a revenue stream.

I will say briefly that the new rights that are in the regulation include tougher rules on consent, so we should see the end of default opt-ins or pre-selected tick boxes. That will probably be one of the most visible things for consumers; I hope that it does not become like the cookies directive, which has become a bit of a joke. The need for explicit consent for processing sensitive data is important, as is the tightening of conditions for invoking legitimate interests.

There are several matters which will give improved control over one’s own data, which is very important. There is also the right to be told if your data has been hacked or lost—so-called data breach notification—and a strengthened ability to take legal action to enforce rights. All these are considerable improvements. However, I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.

First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.

Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?

Looking forward, I want to mention some of what I see as the possible weaknesses in the Bill which might undermine the potential for an adequacy decision for data transfers to the EU and the EEA. The future partnership paper published in August, which has already been mentioned by the noble Lord, Lord Jay, referred to a UK-EU model which could build on the existing adequacy model. Can the Minister explain what that really means? As the noble Lord, Lord Jay, said, while national security is outside EU law, when it comes to assessing the adequacy of our level of data protection as a third country, we could find ourselves held to a higher standard because the factors to be taken into account include the rule of law and respect for human rights, fundamental freedoms and relevant legislation, including concerning public security, defence, national security, criminal law and rules for the onward transfer of personal data to another third country. Therefore, our data retention and surveillance regime, such as the bulk collection of data under the Investigatory Powers Act, will be exposed to full, not partial, assessment by EU authorities. This will include data transfers, for instance to the United States, which I would expect to be very much under the spotlight, and could potentially lead to the same furore as other transatlantic transfers. I lived through a lot of that. I remember that in 2013 there was a lot of flak about the actions of the UK, but nothing could be done about it because we are inside the EU. However, in the future it could.

There are also a number of aspects in the Bill in which the bespoke standards applied to intelligence agencies are less protective than for general processing, such as data breach reporting and redress for infringement of rights. We will need to give serious thought to the wisdom of these, looking to the future. This will not just be a snapshot on Brexit day or even on future relationship day, because at issue will be how our standards are kept up to scratch with EU ones. The fact that with another part of their brain the Government intend to decline to incorporate the European Charter of Fundamental Rights into UK domestic law, with its Article 8 on data protection, will not help the part of the governmental brain which looks forward to the free flow of data exchange with the EU. Our Government seem to be somewhat at cross purposes on what their future intentions are.

I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.

There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.

Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.

I will make one or two points in the health and research area. The Conservative manifesto commitment to,

“put the National Data Guardian for Health and Social Care on a statutory footing”,

is not fulfilled in the Bill; perhaps the Minister could explain why not. I would also expect clarification as the Bill proceeds on whether Clauses 162 and 172 sufficiently protect patients’ rights in the use or abuse of medical records. We know this is a sensitive issue given the history in this area, particularly of care data and other attempts to inform patients.

As a final point, I am glad that the research community was broadly positive about the compromises reached in the GDPR, although they were less explicit than the Parliament’s position. That leads to some uncertainty. I took note of what the noble Baroness, Lady Neville-Jones, said. Therefore, close examination will be merited of whether the Bill provides a good legal framework with sufficient legal basis for research, which many of us have all sorts of interests in promoting, balanced with a respect for individual rights. I very much hope this will be explored carefully at future stages.

Data Protection Bill [HL]

Baroness Ludford Excerpts
Baroness Ludford Portrait Baroness Ludford (LD)
- Hansard - -

My Lords, I am also pleased, as co-signatory, to support the amendment, the purpose of which is to retain in domestic law wording from the European Charter of Fundamental Rights concerning data protection. This is for the benefit of British citizens and to help ensure that vital data flows for business and law enforcement can continue if we Brexit.

The specific article in the EU charter, Article 8 on data protection, is stronger in this respect than the older non-EU European Convention on Human Rights, which deals with privacy only under the rubric of protection of family and personal life. The Government plan that the charter should cease to be part of UK domestic law after Brexit in Clause 5(4) of the European Union (Withdrawal) Bill. This broader issue will be considered as part of the scrutiny of that Bill, and there is a cross-party amendment tabled in the House of Commons and led by Dominic Grieve MP to remove that clause such that the charter continues to apply domestically in the interpretation of retained EU law. Liberal Democrats strongly support that amendment, but it seems appropriate not to wait for or depend on the success of that broader effort and at least effectively to embed the thrust of the charter as it concerns data protection in this Bill, which largely concerns EU law.

This is extremely important because if we Brexit, the UK will seek from the European Commission an adequacy decision on UK data protection so that transfers between the UK and the EU can continue smoothly—an objective the Prime Minister has singled out for mention. If we leave, EU states may no longer be able to share data with us unless our legal regime on matters including state surveillance powers aligns with EU requirements. The adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the UK. The embedding of the charter’s data protection right in this Bill would be an important safeguard for business continuity—especially for tech companies, which depend crucially on the free flow of data—as well as ensuring that essential cross-border police and intelligence co-operation is not disrupted.

I, my noble friends Lord McNally and Lord Paddick, and other noble Lords raised at Second Reading the need for measures to protect us from threats, not to undermine our civil liberties. We are used to the European Court of Human Rights ruling on privacy issues, several times finding the UK in breach of the convention, but more recently in the digital age it is the European Court of Justice—the EU court—that has come into play as EU law on protection of electronic communications and the provisions of the Charter of Fundamental Rights has begun to bite. The Snowden revelations brought heightened sensitivity about the extent of the legitimacy of the activities of our intelligence services.

The EU data retention directive—the EU law on mandatory mass data retention—was pushed through Brussels in 2005 when the UK had the presidency of the EU by the then UK Home Secretary in an expert piece of lobbying after the London bombings of that year. In a landmark 2014 judgment, the court struck it down as incompatible with the right to respect for private life and data protection under Articles 7 and 8 of the charter. Then, as mentioned by the noble Lord, Lord Stevenson, the judgment on DRIPA last December—technically, the Tele2/Watson case, although initially also involving the then Back-Bench David Davis MP—continued in the same vein, declaring that mass data retention was “disproportionate” to citizens’ rights to privacy. Its implications for the Investigatory Powers Act and the question of whether bulk collection of communications data could be permitted to infringe privacy on the grounds of pursuit of serious crime or threats to national security may be ascertained by the reference to the European court made by the Investigatory Powers Tribunal in September. Certainly, the wide range of powers in the Investigatory Powers Act might look vulnerable to being found in conflict with EU law. The Independent Reviewer of Terrorism Legislation, Max Hill, suggested that it was unclear whether the ruling in the Watson case on safeguards for data retention regimes could be interpreted as applicable to national security.

It is true that while in the EU the national security exemption from EU competence applies but, as was brought out at Second Reading, if we were outside the EU the arrangements for our intelligence agencies would go into the whole mix that is assessed for compliance with EU standards. The court’s decision in July, rejecting the legality of the EU agreement with Canada on the transfer of passenger name record details, provides a salutary lesson in how the court approaches third-country transfers. It struck down the agreement because several of its provisions were incompatible with EU fundamental rights. It is therefore crucial that we embed the wording of Article 8 of the charter.

The Labour Opposition have tabled an amended version of Amendment 4, namely Amendment 4A. This is an interesting variation and I look forward to learning a bit more as we progress about exactly how the new wording would work. As I understand it, the safeguards in subsection (1) of the proposed new clause and the first part of subsection (2), which are replicated from Amendment 4, would and should still govern the,

“provisions, exceptions and derogations of this Act”,

otherwise, the point of writing in safeguards is undermined.

I wonder about the reference to,

“purposes as set out in the GDPR”,

since the GDPR is concerned only with the processes for data manipulated in accordance with purposes set down in other instruments. I am slightly unclear about that.

I believe that there has been concern about a conflict with press freedom. Of course we are suffering here from the fact that we have only a partial bite from the charter, which contains a firm provision on freedom of expression and information as well as on the right to security. When we succeed in retaining the whole charter in domestic law via the EU withdrawal Bill, the whole balancing exercise will become more apparent than with this snapshot. In the meantime, we have to proceed with entrenching this partial aspect of the charter as concerns data protection.

Lord Pannick Portrait Lord Pannick (CB)
- Hansard - - - Excerpts

My Lords, the problem with Amendment 4 is that it would not incorporate the charter provision relating to personal data. The reason for that is that it addresses the prima facie right to the protection of personal data, but not the limitations and exceptions recognised by the European charter itself. Article 8, like all the other rights in the European charter, is subject to the limitations stated in Article 52. That says that there can be limitations on protected rights if they are provided for by law, are necessary and meet,

“objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.

It is because there has to be a balance between this prima facie right and exceptions and limitations that the Bill contains a very large number of exemptions which cover a whole range of circumstances in which the rights of the data subject have to give way to other considerations, such as national security, the detection of crime, taxation, judicial appointments or confidential references for employment. There are many such exemptions.

The Bill contains exemptions because there are other interests in this area, and other rights, which conflict with the right to protection of personal data, and a fair balance is required. The Committee will want to debate the scope of those exceptions and limitations and be satisfied that the balance has been struck correctly. But Amendment 4 suggests that there is some absolute right to the protection of personal data. That is simply wrong. That is why, I imagine, the noble Lord, Lord Stevenson, has tabled manuscript Amendment 4A, which attempts to address the defect in Amendment 4.

I would have wished for more time to consider Amendment 4A, which I understand was tabled only this morning, particularly if the noble Lord, Lord Stevenson, intends to divide the Committee today. I am concerned that Amendment 4A poses two difficulties of its own. First, the value of including Amendment 4A is not clear to me. The Bill already sets out in considerable detail the domestic implementation of the charter obligation; that is, Article 8 read with Article 52. I fear that including Amendment 4A in the Bill would be likely to cause legal confusion and uncertainty in an area where precision and clarity are essential—and, indeed, are provided by the substance of the detailed provisions in the Bill.

Secondly, I fear that the purpose of Amendment 4A is to confer some special, elevated legal status on Article 8 rights concerning personal data for the future, as subsection (4) suggests. I think that would be very unwise because, as I have said, Article 8 rights often conflict with other rights—whether it is freedom of expression, which we heard about, or the right to property—or other interests. The detailed provisions of the Bill illustrate the difficult choices that have to be made in this area.

Amendment 4A seeks to give a special legal status to one charter right in isolation and that is simply inappropriate. For those reasons, I hope that the noble Lord, Lord Stevenson, will not divide the Committee on Amendment 4A. If he does, I will vote against it.

Data Protection Bill [HL]

Baroness Ludford Excerpts
Report: 1st sitting: House of Lords
Monday 11th December 2017

(6 years, 10 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.

I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.

It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.

By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.

Baroness Ludford Portrait Baroness Ludford (LD)
- Hansard - -

My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.

Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,

“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.

Is the Minister able to elucidate what that caveat leaves out? What would not be possible?

In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,

“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,

including the,

“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.

So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.

As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.

On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.

--- Later in debate ---
Baroness Ludford Portrait Baroness Ludford
- Hansard - -

I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.

The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.