Read Bill Ministerial Extracts
Baroness Neville-Rolfe
Main Page: Baroness Neville-Rolfe (Conservative - Life peer)Department Debates - View all Baroness Neville-Rolfe's debates with the Home Office
(7 years, 2 months ago)
Lords ChamberMy Lords, I congratulate our Ministers and the Government on bringing this Bill to our House in this timely way. It is extremely technical—and herein lies a danger, because it is also very important and covers matters that can be expected to become even more important over time. We must therefore put aside the temptation to think that technical matters are somehow of lesser importance, simply because we do not fully understand them. I declare an interest as the Minister responsible when the EU parent of this Bill, the GDPR, was adopted. While I saw it as a necessary single market measure and a modernising one, there were a number of provisions that we could have done without, mostly introduced by the European Parliament, such as requiring a specific age of consent, which the Government have now proposed should be 13 in the UK, in line with the United States.
In contrast, as always, our UK approach is market opening. We want a competitive, growing Europe, and we want the digital revolution, with its subset artificial intelligence, to continue to stoke growth. But some in the EU have always been most concerned with giving citizens back control over their personal data, an issues that assumed particular importance following the release of documents involving Chancellor Merkel by WikiLeaks. To be fair, the UK has also in this case stated its wish to simplify the regulatory environment for business, and we need to make sure that that actually happens here in the UK. Committee will give us the chance to talk about the merits of the digital revolution and its darker side, which we touched on during the excellent debate led by the noble Baroness, Lady Lane-Fox. I shall not go over that ground again now, but I add one point to the story told by the noble Lord, Lord Mitchell: my Google Maps app now highlights the location of future engagements in my diary. So that is pretty challenging.
I shall touch as others have done on three concerns. According to the Federation of Small Businesses, the measures represent a significant step up in the scope of data protection obligations. High-risk undertakings could phase additional costs of £75,000 a year from the GDPR. The MoJ did an impact assessment in 2012, which is no doubt an underestimate, since it did not take account of the changes made by the European Parliament, which estimated the cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure if that covers charities or public organisations or others who have expressed concerns to me about the costs and the duties imposed. Then there are the costs of the various provisions in the Bill, many levelling up data protection measures outside the scope of the GDPR. It is less confusing, I accept, but also more costly to all concerned.
The truth is that overregulation is a plague that hits productivity. Small businesses are suffering already from a combination of measures that are justified individually—pension auto-enrolment, business rates and the living wage—but together can threaten viability at a time of Brexit uncertainty. We must do all we can to come to an honest estimate of the costs and minimise the burden of the new measures in this legislation.
Also, I know that CACI, one of our leading market analysis companies working for top brands such as John Lewis and Vodafone, thinks that the provisions in the Bill are needlessly gold-plated. Imperial College has contacted me about the criminalisation of the re-identification of anonymised data, which it thinks will needlessly make more difficult the vital security work that it and others do.
The noble Lord, Lord Patel, and the noble Baroness, Lady Manningham-Buller, were concerned about being able to contact people at risk where scientific advance made new treatments available—a provision that surely should be covered by the research exemption.
The second issue is complication. It is a long and complicated Bill. We need good guidance for business on its duties—old and new, GDPR and Data Protection Bill—in a simple new form and made available in the best modern way: online. I suggest that—unlike the current ICO site—it should be written by a journalist who is an expert in social media. The Minister might also consider the merits of online training and testing in the new rules. I should probably declare an interest: we used it in 2011 at Tesco for the Bribery Act and at the IPO for a simple explanation of compliance with intellectual property legislation.
The third issue is scrutiny. I am afraid that, as is usual with modern legislation, there are wide enabling powers in the Bill that will allow much burdensome and contentious subordinate detail to be introduced without much scrutiny. The British Medical Association is very concerned about this in relation to patient confidentiality. Clause 15, according to the excellent Library Note, would allow the amendment or repeal of derogations in the Bill by an affirmative resolution SI, thereby shifting control over the legal basis for processing personal data from Parliament to the Executive. Since the overall approach to the Bill is consensual, this is the moment to take a stand on the issue of powers and take time to provide for better scrutiny and to limit the delegated powers in the Bill. Such a model could be useful elsewhere—not least in the Brexit process.
There are two other things I must mention on which my noble friend may be able to provide some reassurance. First, I now sit on the European Union Committee. I am sorry that duties there prevented me sitting through some of this important debate; we were taking important evidence on “no deal”. As the House knows, the committee is much concerned with the detail of Brexit. Data protection comes up a lot—almost as much as the other business concern, which is securing the continued flow of international talent. I would like some reassurance from my noble friend Lady Williams about the risks of Brexit in the data area. If there is no Brexit deal, will the measures that we are taking achieve equivalence—“adequacy”, in the jargon—so that we can continue to move data around? What international agreements on data are in place to protect us in the UK and our third-country investors? Under an agreed exit, which is my preference, is there a way that our regulator could continue to be part of the European data protection supervisory structure and attend the European Data Protection Board, as proposed by the noble Lord, Lord Jay of Ewelme, the esteemed interim chairman of our European Union Committee—or is that pie in the sky?
Secondly, there is a move among NGOs to add a provision for independent organisations to bring collective redress actions for data protection breaches. I am against this proposal. In 2015 we added such a provision to competition legislation—with some hesitation on my part. This provision needs to demonstrate its value before we add parallel provisions elsewhere. It is in everyone’s interests to have a vibrant economy, but business is already facing headwinds in many areas, notably because of the uncertainty surrounding Brexit. In future it will be subject to a much fiercer data protection enforcement regime under our proposals.
I have talked about the costs and others have mentioned the new duties and there will be maximum fines of up to 4% of turnover for data breaches, compared with £0.5 million at present. We certainly do not need yet another addition to the compensation culture. This could reduce sensible risk taking and perversely deter the good attitudes and timely actions to put things right that you see in responsible companies when they make a mistake. There is a real danger that the lawyers would get to take over in business and elsewhere and give the Bill a bad name. That would be unfortunate.
However, in conclusion, I welcome the positive aspects of this important Bill and the helpful attitude of our Ministers. I look forward to the opportunity of helping to improve it in its course through the House.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateBaroness Neville-Rolfe
Main Page: Baroness Neville-Rolfe (Conservative - Life peer)Department Debates - View all Baroness Neville-Rolfe's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I thank the noble Lord for his eloquent disquisition, which made me much more aware of the issues than I was before. I have no problem in aligning myself with the two points of view that have just been expressed. I had come to the conclusion partly myself, but to be told that the wording is not in the equivalent article in the European GDPR just adds to my simple conclusion that the words “other adverse effects” add precisely nothing but open a potential cave of dark possibilities. The rain of the noble Lord’s eloquence has found a crack in my roof, and I am very happy to align myself with his remarks.
I also share the concerns expressed by my noble friend Lord Hunt, based on my experience, both in government and in a number of different businesses. We have the experience not only of the motor sector, which has been talked about, but obviously of PPI, where there was compensation that needed to be paid, but the whole business took years and generated not only claims management companies but also nuisance calls and lots of other harms. This is an area that one has to be very careful about, and I support looking at the drafting carefully to see what can be done, and at my noble friend’s idea of trying to estimate the economic impact—the costs—in terms of those affected. That would help one to come to a sensible conclusion on what is appropriate in this important Bill.
My Lords, I thank my noble friend Lord Hunt for explaining Amendment 170A and other noble Lords who have spoken. The amendment seeks to clarify the definition of “damage” provided by Clause 159 and its relationship to the language used in article 82 of the GDPR. This is important because article 82 of the GDPR provides a right to compensation when a person has suffered damage as the result of an infringement of the rights during the processing of their personal data.
Currently, the type of damage that can be claimed is broader under article 82 than Section 13 of the 1998 Act, as article 82 expressly extends to “non-material” damage. As a result, in drafting the Bill, the Government considered that some definition of “damage” was necessary, including specifying that it extends to distress, to provide clarity and certainty for data subjects and others as to their rights under article 82.
I stress that Clause 159 does not seek to provide a wider definition of “damage” than is currently provided in the GDPR, and nor indeed could it. The intention is simply to clarify the GDPR’s meaning. My noble friend Lord Hunt asked what estimates have been made of the financial consequences of the increase in litigation, but as Clause 159 does not provide a wider definition of damage there will be no financial consequence.
The concept of “damage” included in the GDPR reflects developments in case law over a period of some years. As such, I cannot agree with my noble friend’s suggestion that the Bill or the GDPR will suddenly unleash a free-for-all of claims. However, I am happy to reflect on my noble friend’s point that the Bill’s use of the term “other adverse effects” may unintentionally provide uncertainty rather than clarity. With the reassurance that I will go away and look at that, I hope my noble friend feels able to withdraw his amendment.
We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.
The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.
The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.
I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.
I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.
I very much support what my noble friend has just said. The noble Lord, Lord Stevenson, has tried to give an exemption for researchers, but a lot of these things will happen in the course of other research. You are not spending your time solely trying to break some system; you are trying to understand what you can get from it, and suddenly you see someone you know, or you can see a single person there. It is something that you can discover as a result of using the data; you can get to the point where you understand that this is a single person, and you could find out more about them if you wanted to. If it is a criminal offence, of course, you will then tell nobody, which rather defeats the point. You ought to be going back to the data controller and saying that it is not quite right.
There are enormous uses in learning how to make a city work better by following people around with mobile phone data, for instance, but how do you anonymise it? Given greater computational power and more datasets becoming available, what can you show and use which does not have the danger of identifying people? This is ongoing technology—there will be new ways of breaking it and of maintaining privacy, and we have to have that as an active area of research and conversation. To my mind, this clause as it presently is just gets in the way.
My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.
I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateBaroness Neville-Rolfe
Main Page: Baroness Neville-Rolfe (Conservative - Life peer)Department Debates - View all Baroness Neville-Rolfe's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberMy Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.
I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.
Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.
On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.
Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.
The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.
I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
On that basis, I am happy to beg leave to withdraw my amendment.