Baroness Neville-Rolfe (Con)

- Hansard -

Copy Link

-

My Lords, in moving Amendment 7 I shall speak also to Amendments 152 and 169, which have been grouped together. They all stand in my name and that of my noble friend Lord Arbuthnot of Edrom, who spoke so eloquently at Second Reading.

Amendment 7 explores an exemption for small organisations in the business and charity sectors and for parish councils, all of whom have expressed concerns to me about the burdens of the Bill. At Second Reading, I, like others, supported the Bill because it brings us up to date for the digital age, encourages good data practice to minimise scams and cyberattacks, and prevents abuse. It gets us up to the standards we need to get a good deal on data protection in the Brexit talks, and it provides citizens with easier access to their data. However, as presently drafted, I fear it imposes disproportionate burdens, especially on small businesses, charities and other small organisations. Luckily we have my noble friend Lord Ashton to guide us through this part of the Bill, and I congratulate him on his response to the first group of amendments today.

I come to this matter because sometimes I feel like a voice in the wilderness, fighting over-regulation and complexity. Our recent record on productivity is bad, partly because of poorly constructed and complex regulation and, in some cases, overbearing regulators. I would add that the fashion for intervention on all sides of the House could actually make things worse.

Instead of questioning regulation as we used to do, the Government are now seeking to match every EU rule as part of the Brexit project. Detailed consideration of how to ameliorate the impact on small businesses and charities, for example, seems to have gone out of the window and conversations on how to improve things once Brexit has given us greater freedom are regrettably not encouraged. In short, economics gets less attention in this House than it ought to. Those of us who have worked in business and the charitable sector know that well-meaning measures can adversely affect business by reducing competitiveness and growth, and indeed the tax take we need to build schools and pay for welfare. We are regulating more and not thinking about how we can do less. I was struck by what the noble Lord, Lord McNally, said earlier about the good but light touch that he sought in Brussels when he was dealing with data protection legislation.

Research by the Federation of Small Businesses shows that data protection regulation is one of the most salient regulations for 59% of small businesses. The federation provided me with some estimates which suggest that small businesses in the ICT sector alone, representing 6% of the business sector according to the ONS, will spend £700 million in man hours on implementing the new requirements—and that is not allowing for the cost of materials and ongoing compliance. Nor does it allow for the opportunity cost, another economic concept that is widely ignored in government. What we sorely need is a proper impact assessment, not the one provided so far, which does not address the cost to business and, oddly, suggests that there is no need to consult the Regulatory Policy Committee. If it is not needed for this sort of burden, I am not sure what it is needed for.

This House rightly always supports proper costing, as I know from some of the Bills I have been involved in. Before the Committee stage ends, we need to know the updated cost impact for business of what is coming in: first, under the GDPR, which will take direct effect and, as I understand it, continue after Brexit under the terms of the withdrawal Bill; and secondly, under what is planned in this Bill through the regulations to be made using its powers. I hope the Minister can help us with that.

It is against this background that Amendment 7 proposes an exemption from the Bill’s provisions—not, of course, from the GDPR, which has direct effect. Inevitably, the amendment is exploratory in nature. However, I trust that it will give the Minister, DCMS and the Information Commissioner the opportunity to think carefully about what we might do to reduce the burden on small businesses, charities and parish councils, which the National Association of Local Councils says are very concerned about the panoply of new rules. I cannot believe that we would see these in Greece.

The argument I have heard from the Government is that the changes are good for these organisations because they are under-compliant at present: they would deter the cyberattacks and data leaks that can harm them. I accept that responsible bodies know that good data practices are business critical, but what they do not need is the full panoply of controls, fees and penalties being introduced by this Bill. There is a risk of fines for breaches of up €20 million or 4% of worldwide turnover. My fear is that the controls are so burdensome, open-ended and threatening that at the margin, businesses will either give up or be deterred from operating overseas—at a time when we need them to export more. We need to find a way of bringing in de minimis rules and reducing the powers of the commissioner to what is reasonable. Another look at the compensation provisions with an eye to small operators could also be useful. I note that the Delegated Powers and Regulatory Reform Committee shares some of my concerns about the powers being given to the commissioner, as well as the extraordinarily wide powers being delegated to Ministers, which we will discuss later.

One practical countermeasure would be to introduce a greater emphasis in the Bill on the economic and other consequences of the commissioner’s work and to make this transparent, so that it can be considered properly by all those affected and publicly debated before she takes measures in relation to the protection of individuals’ rights and the processing of personal data.

That is the purpose of Amendment 152, which adds a third duty after subsection (1)(b). Perhaps I may give an example of why this is of practical importance. I spoke to representatives from CACI, a leading firm in mapping and data analytics, which is the sort of business we want to encourage if we are to be world-leading here in the UK. They are concerned about the technical aspects of ICO draft statutory guidance on consent. The fear is that the ICO may be adopting a needlessly restrictive interpretation of the GDPR which will benefit the large social media multinationals at the expense of British operators in retail and marketing, as well as charities. This would threaten the way that they and others run their businesses. I urge Ministers to meet representatives of the business community most at risk, not just the trade associations, as soon as possible and before the ICO finalises its vital guidance.

I believe strongly that regulators with powers as wide as those of the Information Commissioner need to engage properly on the content of draft regulations and draft guidance, which is often equally important. They must be required and of course resourced to do so; otherwise—going back to my first point—the burdens and risks will be disproportionate.

Baroness Neville-Rolfe

- Hansard -

Copy Link

-

I chose five employees because it often denotes a small organisation or a small business. I can see that some of the businesses in that category might be fairly large. I would of course have no objection to adding an extra criterion, such as turnover, if there was a mood to write exemptions into the Bill. Other legislation has exemptions for smaller bodies. The overall objectives of the data protection legislation clearly have to be achieved but I am concerned that, in particular, some of the subsidiary provisions, such as fines and fees, which I mentioned, are demanding and worrying for smaller entities.

Baroness Neville-Rolfe

- Hansard -

Copy Link

-

My Lords, I was slightly disappointed when all my amendments were grouped, but bringing them together has led to an extremely useful and productive debate. I am very grateful to noble Lords right across the Committee for their support. I am also grateful to the Minister for saying that he will let us have a compliance cost assessment, which I will read with the detail and vigour that it merits, and for some of the other points he made.

I am a little disappointed about how we achieve some de minimis relief for the smaller organisations in these various sectors, including the ones mentioned by the noble Lord, Lord Kennedy, as well as on guidance—I am not sure we are quite there. We need to think a little further. I gave the Minister an example of the difficulties that the data analytics sector had had on consent. It would be good if he could look at that point and perhaps arrange for a meeting so that we could talk further. I will look in Hansard at the progress we have made in this very constructive discussion and possibly come back on Report on one or two points. I beg leave to withdraw the amendment.