Read Bill Ministerial Extracts
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords ChamberMy Lords, I say to my noble friend Lord McNally that it is even worse having people say to you, “You’re a lawyer, you must understand this”, when too often you do not.
I have a question for the Minister. Am I right in thinking that the Charter of Fundamental Rights will apply to all member states after Brexit? Is it not the objective that we are on all fours with them as other users of data and, therefore, if there is no provision such as the ones that we have been debating contained in the Bill, how will that affect the adequacy arrangements?
My Lords, I want to say a couple of words about privacy. A very important basic point has been raised here. I am not going to argue with lawyers about whether this is the right way in which to do it, but the right to privacy is something about which people feel very strongly—and you will also find that the Open Rights Group and other people will be very vociferous and worry about it, as should all of us here. When we go out and do things on the internet, people can form some interesting conclusions just by what we chance to browse on out of interest, if they can record that and find it out. I became very aware of this, because I have been chairing a steering group that has been producing, along with the British Standards Institution, a publicly available specification, PAS 1296, on age verification. It is designed to help business and regulators to comply with Section 3 of the Digital Economy Act, which we passed just the other day, which is about protecting children online. The point is to put age verification at the front of every website that could be a problem. We want it to be anonymous, because it is not illegal for an adult to visit sites like that; if it was recorded for certain people in certain jobs, it could destroy their careers, so it must be anonymous. So a question arises about trying to put in the specification a right to privacy.
One thing that we have to be very careful about is not to interpret laws or regulations or tread on the toes of other standards. Therefore, when this Bill and the GDPR are passed, we must make sure that people processing any of that material ensure that any data is kept completely secure, or anonymised, or is anonymous in the first place. Websites, first of all, should not know the identity of a temporary visitor when they get verified—there are ways of doing that—so that there are rights to privacy. The thing about the right to privacy is that it is a right that you, the individual, should have. The GDPR and this Bill are about how you process data; in other words, it is about what you do with the data when you have it. The legislation builds in lots of safeguards, but there is nothing that says, when you decide what data to keep or whatever it is, that people should have a right to know that it will not be revealed to the general world.
The question is where we should put it in. People used to think that Article 8 of the European Convention on Human Rights covered them, but I realised just now that it covers only your relationship with Governments. What about your relationship with other corporates, other individuals or ordinary websites? It should cover everybody. So there is an issue here that we should think about. How do we protect ourselves as individuals, and is this the right place to do it? I think that this is probably the only place where we can put something in—but I leave that to the very bright lawyers such as the noble Lord, Lord Pannick, to think about.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords ChamberMy Lords, we have to face the reality that children are going online at a younger and younger age, so anything that facilitates that and makes it work more sensibly is essential. We need to think about the interface with the right of erasure in Clause 44 and the clauses just after it. I am not sure whether parental consent is still required for this when someone is under 16. There have been problems where children or younger people have put images and other material online which they want removed but are far too embarrassed to tell their parents about them. The problem is that data processors are not allowed to remove them without parental consent, so the children do not tell their parents, the images stay there and a lot of trouble is caused. That area should be looked at in relation to these clauses and Clause 44. I would love to leave it to someone else to sort this out who is better qualified to deal with the legal position.
My Lords, I support this amendment and apologise to the Minister and the House for not being present at Second Reading as I was overseas. However, my noble friend Lady Jay more than adequately set out some of my concerns around Part 5 of the Bill. However, this is also a very important amendment. In the debate initiated by the noble Baroness, Lady Lane-Fox, on 7 September, the noble Baroness, Lady Kidron, said:
“There is an awkward tension in having a technology that is able to help us to confront our societal needs … and a corporate culture that aggressively balks at … long-term societal responsibilities”.—[Official Report, 7/9/17; col. 2118.]
In the end, that is precisely what this comes down to. The noble Baroness, Lady Harding, made a very important point a little earlier. She referred to barriers to entry being used by corporations to not do the things that they should do, and at the time they should do them.
Today is the 20th anniversary of my entering your Lordships’ House and, if I had to count the number of times I have been told that barriers to entry are the reason for not doing something, we would all be here all day. I well remember the noble Lord, Lord Oxburgh, who is in his place, and I having a meeting with the then Ministers for Energy and being told that “barriers to entry” were one reason that the large energy companies could not do the things that we suggested they might do at the time. Therefore the idea that the Silicon Valley companies have not reached a sufficient size or sophistication to be able to carry out the de minimis changes to their platforms—the effect of the amendment which the noble Baroness, Lady Kidron, set out so beautifully—is a nonsense. Please can the noble Lord, Lord Ashton, beg Matt Hancock, the Minister, to put to one side any more arguments about unacceptable barriers to entry being raised by this and indeed other amendments on the same subject?
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords ChamberI want to say a couple of words on consent, because it is something I have been thinking about for a while. Consent is often seen as a great panacea to this whole thing about protecting people, but I do not think it really is. The requests that really irritate me are the ones that ask for unnecessary information such as your date of birth, when all you are trying to do is to sign up for a warranty on a bit of equipment or whatever, because firms are trying to profile their customers. Those I agree should be stopped. But other consent requests are essential to giving a good service.
There are two things to say about such requests. One is that most people do not mind, because they assume that people know everything about them anyway—particularly the Government and the big boys. They just want the thing to be done properly so that they can get their money, or whatever it is. To put blocks in the way so that they have to click on or sign lots of different consent forms does not get them any further and just irritates them more. Those provisions are very sensible.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I will say a couple of things on this in full support of the proposition made by the noble Baroness, Lady Neville-Jones. These issues are very complicated. We tend to try to brush them aside and hope that they will be dealt with by the person who is enforcing and regulating. But that can be dangerous, because they will find it very difficult as well, and sometimes, if you do not have the intention in the Bill, it may just not happen.
This is important because, although I fully support the intention and objectives of the GDPR in the Data Protection Bill in front of us, which is there for all the right reasons, we have to be careful not to throw out the baby with the bathwater. This is one of those instances where, in trying overzealously to introduce a rules-based system in a complex world and a complex society, you find unexpected consequences. Some of them cannot be defined terribly easily in regulation, but I think it would be wise to put this in an amendment.
We in this House tend to think in principle much more than another place. To try to deal with this in another place when it gets there may be unwise in case they run out of time. It would be good to put something in the Bill in this House at Third Reading, if the Minister were so minded, and I would wholeheartedly support that.
My Lords, I have already spoken on this at length and I do not intend to repeat myself, but I support the amendment from the noble Baroness, Lady Neville-Jones. This is a very important database. It is not just national but international, and it is difficult to collect. That is why I am glad that an accommodation has been made to support the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.
Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.
We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.
My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?
There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street— suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?
I, too, support the amendment. I raised this issue at Second Reading and pointed to the work of the ethics committee of the IEEE, which has done a lot of work on this. This is not as blue sky as the noble Lord suggested; this is indeed the direction of travel.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberMy Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.
My Lords, I have been involved from time to time in the creation of very small charities of a local nature, or have been involved in advising such organisations. I strongly support Amendment 106 moved by the noble Baroness. There is a real danger that, unless the ICO produces clear and simple pro formas that can be filled in quickly and easily by such organisations, they will be put off forming such charities, and local communities will thereby be deprived of great advantages that would be created by local citizens, which is something I understand the Government wish to encourage.