Data Protection Bill [HL] Debate
Baroness O'Neill of Bengarve (Crossbench - Life peer), debate with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords Chamber

My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.
Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this work in practice. These are very important issues.
The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.
So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.
Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
Could I ask the noble Baroness to repeat which provision she is referring to?
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time-consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
My Lords, I support this amendment and identify myself totally with the remarks of the noble Lord, Lord Clement-Jones. I am trying to be practical, and I am possibly even pushing at an open door here. I have a facsimile of the 1931 Highway Code. The introduction by the then Minister says:
“By Section 45 of the Road Traffic Act, 1930, the Minister of Transport is directed to prepare a code of directions for the guidance of road users … During the passage of the Act through Parliament, the opinion was expressed almost universally … that much more could be done to ensure safety by the instruction and education of all road users as to their duties and obligations to one another and to the community as a whole”.
Those last few words are very important. This must be, in a sense, a citizens’ charter for users—a constantly updated notion—of the digital environment to be sure of their rights and of their rights of appeal against misuse. This is exactly where the Government have a duty of care to protect people from things they do not know about as we move into a very difficult, almost unknown digital environment. That was the thinking behind the 1931 Highway Code, and we could do a lot worse than do something similar. That is probably enough for now, but I will undoubtedly return to this on Report.
My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.
My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.