Read Bill Ministerial Extracts
Earl of Lytton
Main Page: Earl of Lytton (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Lytton's debates with the Home Office
(7 years ago)
Lords ChamberMy Lords, I start by thanking the Minister for the opportunity to meet him and officials earlier today.
I welcome the stated purpose of the Bill. In my mind, it must be sensible to unify and consolidate the law in this area, and to update its application to more recent technologies. Bringing the GDPR into UK law is unquestionably desirable. I have been impressed by the GDPR’s elegance and sense of purpose, following, as it does—or claims to do—the European Charter of Fundamental Rights in 88 pages of self-reinforcing statements of principles.
I cannot go on without welcoming the EU Select Committee’s report, so ably spoken to by the noble Lord, Lord Jay, who I see is not in his place. I think it is a pity that the report did not have its own slot. Despite acknowledging that the Bill fleshes out the regulation to make it member-state applicable, like the noble Lord, Lord Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112 pages, plus a departmental pack of 247 pages to deal with it all. That all adds to the complexity. I admit that the GDPR conceals its highly challenging requirements in wording of beguiling simplicity under the flag of private rights, but it is no wonder that the European Parliament did not want its handiwork contextualised by inclusion in what we have before us. It is not a particularly encouraging start to bringing 40 years of EU legislation into domestic law.
In what I felt was an inspirational contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her place—referred to the tortuous use of language in parts of the Bill. I agree with her—parts of it are gobbledygook that deny transparency to ordinary mortals. She referred also to my direct ancestor, Ada Lovelace, some of whose expressions of mathematical principles, even for a non-mathematician such as me, make a good deal more sense than parts of the Bill.
The Bill sets out to replace the 1998 Act with new GDPR provisions, meaning new and enhanced rights of data subjects for access, portability and transparency, and duties on controllers on specific consent—not by default, it should be noted—procedural audit trails, a more clearly defined regulatory and supervisory framework, and potential for substantially increased fines for infractions. There is enough that is new, apart from public expectations and the revised geometry as between data subject and data controller, which will naturally give rise to a fresh view of precedent and practice.
Consistency of the Bill with the GDPR core principles, as well as the fundamental rights upon which it is based, will be our focus at the Bill proceeds. A lot of organisations will need to review the way in which they are authorised, in their logging of the origins and possible destinations of personal data they hold, as well as the protocols for responding to requests for information from data subjects. I do not doubt that there will be some pitfalls for the unwary. It may no longer be possible to rely on the continuing acceptability and lawfulness of the previous arrangements under which they have operated, nor to second guess with accuracy how regulation and enforcement will unfold henceforward.
So there may be something going well beyond the more benign narrative of updating, modernising and extending the application on its own. There seem to be some particularly uncharted waters here, with the burden of proof as to compliance and adequacy of arrangements being firmly in the lap of the controller on what looks very like a strict liability basis. That alters the geometry of what will be dealt with.
As regards international cross-jurisdictional data— I am thinking of beyond the EU—I wonder how successfully the proposed arrangements will carry forward in the longer term, bearing in mind that the world market contains numerous players who for their own purposes and advantage might not be that keen to match the standards we claim to set for ourselves. Indeed, the construct of ethical data comes to mind, with all the usual caveats previously associated with ethical foreign policy—the noble Lord, Lord Knight, referred to the ethics; I agree with him that there is a strong threat. That would follow a global principle that sits behind GDPR.
The GDPR is hypothecated on the principle of individual compliance of each processor enterprise, so in a data-processing daisy chain across continents the continued tying in to the tenets of the GDPR is an obvious practical problem with some limitations and it should give us cause for reflection, although I have some admiration for the algorithm that the GDPR sets out to create.
I question how the Government view the ongoing processing of more historical personal data, referred to by other noble Lords, when the purpose for collecting it or the basis for any implied or deemed consent either had not been met or should long since have been refreshed or treated as expired. We all know that old data is still sloshing around in the ether, some of it potentially of dubious accuracy, but I merely point to the fact that this is often an ongoing processing operation without beginning or end point or any apparent possibility of amending or deleting records, as mentioned by other noble Lords. The amount of screening needed to ensure accuracy would be vast. I am entirely unclear that this Bill or the GDPR will improve things for those data subjects for whom this sort of thing can be harmful. I am not thinking just of social media. How will legacy data be dealt with, especially as it does not seem to have been entirely successfully corralled by the 1998 Act or by all other member states under the 1995 data protection directive? I see the correction of that as one of the fundamental principles behind the GDPR—it is the trip wire which has been put there deliberately.
I have concerns about some of the “get out” provisions included in the Bill. The first is the “too difficult” excuse; businesses already use this as a blocking measure. How does one get round the argument that it is too difficult to extract the individual personal data despite knowing that it is the targeted agglomeration of such data, relating to a natural individual, that is the outcome of the processing? The second is that the request is regarded as vexatious. This of course can be concocted by the simple expedient of being evasive towards the first two requests and from the third onwards treating it as repetitive or vexatious—it already happens. I would like reassurance from the Minister that the basic individual rights promised under the GDPR cannot be so circumvented.
The third excuse is “too much data”, referred to by other noble Lords; in other words, there is a lot of personal data held on an individual data subject. Here, there is a provision that the data controller may decline to give information if the precise nature of the data sought is not specified. My impression is that failure of a data subject to specify allows the controller to become unresponsive. If that is the intention, it seems to me to fail the broader test of article 14 of the GDPR, the basic premise of which is that the data subject is entitled to accurate and intelligible information.
It cannot be assumed that the data subject already knows what the scale and nature of the data held actually are or precisely who holds it, although it is clear that the GDPR gives an entitlement to this information. It must follow that, at very least, the controller, in making his “too much data” response, has to identify the general nature, categories and type of data held about that person. I invite the Minister to comment on what is intended. I concur very much with the point so eloquently made by the noble Baroness, Lady Lane-Fox, on the asymmetry of technical knowledge, resource and political clout as between the data subject and the controller, particularly when set against the practical challenge of extracting individual personal data in response to a formal request.
I was reminded of something only yesterday, as a result of a question as to whether a person was or was not at a certain place at a certain time, which was averred by a complainant in a harassment case who used CCTV footage they had created themselves. It was pointed out that the person against whom the complaint was made said they were somewhere else, in a retail premises covered by other CCTV footage. However, it appeared that the retail premises operator would not release the data because it also contained images of other people and there were, accordingly, privacy issues. What is the balance of rights and protections to be in such a case, where somebody faces prosecution?
That leads me to the issue of data collected by public bodies and agencies. I do not think it is generally understood what personal data is shared by police, social services, health bodies and others, some of them mentioned by the noble Lord, Lord Marlesford. Indeed, I am clear that I do not know either, but I believe that many of these agencies hold data in a number of different forms and on a variety of platforms, many of which are bespoke and do not readily talk to other systems. The data are collected for one purpose and used for other purposes, as the noble Lord, Lord Knight, rightly observed. It is on record in debates in this House that some of these bodies do not actually know how many data systems they have, even less what data—whether usable, personal, relevant or accurate, as the case may be—they actually contain. How does one enforce that situation? Some of these databases may not even be operating with the knowledge of the Information Commissioner. There will be an expectation that that is going to be tightened up.
A considerable measure of latitude is afforded to the processing of personal data in the public interest. I will be very brief on this point. I would not rest easy that we have an adequate separation of genuine public interest from administrative convenience and I looked in vain for clarification as to what public interest would amount to in this context. I have to say that I am even more confused than I was when I started. In the longer term it remains to be seen how the GDPR will work, incorporated into UK law, interpreted and enforced firstly through our domestic courts under the aegis of the EU but subsequently on a twin-track basis, when we will be dealing with it ourselves through the precedents of our own judicial system and the same GDPR will be being looked at in a European context elsewhere.
I want the Bill to work; I want to enable proper business use of data and to empower data subjects, as the GDPR promises, with a minimum of obfuscation, prevarication and deceit. Transparency has not been the hallmark of UK data businesses or government administration in this respect, but without it there is no justice, due process or citizen confidence in the rule of law and it will be corrosive if we do not get this right. However, I do not see any fundamental mismatch between this and best business practice, so I look forward to further debates on the Bill as we proceed.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateEarl of Lytton
Main Page: Earl of Lytton (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Lytton's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I suspect that this is going to be a shorter debate than perhaps was at first imagined, but I feel it is important that I add one or two words. When I was Minister at the Ministry of Justice, preceded by the noble Lord, Lord Faulks, I met a distinguished American lawyer. I said to him by way of introduction, as I regularly did, “Now, I’m not a lawyer”. He looked at me and said, “Then I’ll speak very, very slowly”.
I feel a bit like that after all the howitzers have been rolled out this afternoon—the noble Lords, Lord Faulks, Lord Lester and Lord Pannick, along with a more helpful contribution from the noble and learned Lord, Lord Goldsmith. I intervened because it would be very wrong, or very misleading, if Ministers were to take this mini-debate as an escape from a real problem. I was, although the post may have been slightly misnamed, Minister for Data Protection for three and a half years. Between 2010 and 2013 I had the job of going across to Brussels for negotiations on a lot of the issues that we are now discussing. What struck me there was how much influence we had in bringing together legislation that met the concerns mainly of western Europeans about a light-touch form of regulation and the concerns mainly of eastern Europeans who had fairly recent experience of how state abuse of power could be used against the citizen and the individual.
The point that I want to leave with Ministers is that, whatever fault our legal experts have found with the amendment, it underpins a real concern, which the noble and learned Lord, Lord Goldsmith, picked up: the layman, the ordinary citizen, wants to be assured that by the end of the Bill’s passage, on which we are only just starting, it will very much protect civil rights, civil liberties and individual freedoms. One of the great challenges we face is that this extraordinary change in the structure of our society, brought about by this fourth industrial revolution based on data, really calls into question a lot of the protections that we thought we had.
I hope the Minister will take and grab hold of what was said in introducing this Bill. We are attempting in these amendments, particularly in Amendment 4A, to meet a real and genuine concern of ordinary people who are perhaps not as clever as the noble Lords, Lord Pannick, Lord Lester, and others, but who have a concern about the abuse of power. There has been no sense of shame or regret. I understand and have been passionate all my life about the defence of the freedom of the press, but I wish that the press did not rush so quickly to scream, “They’re trying to curb the freedom of the press”, when all that the press has done since Leveson is try to sabotage any proper press regulation. I worry about saying, “Well, it will stop various parts of our society using this new data”, without seeing and recognising the huge amount of evidence already of massive abuses of data which impinge on our very democracy. I felt it worth saying, even if I had to listen to the lawyers, that the layman also has a voice in this, and we have a real duty to make sure that this legislation is up to the task presented by the new data world.
I realise that, in rising to speak on this particular part of the Bill, I depart slightly from the purpose of the noble Lord, Lord Stevenson—but I thank him for raising the issue all the same.
Of course, we are dealing with the overview of the Bill. The noble Lord, Lord McNally, almost wrote my introduction. What has worried me for some considerable time, notwithstanding the Bill’s provisions that provide for data subject to error correction, is the manifest inclusion of data in the data processing function, which is broadly drawn—namely, the inclusion of information that is knowingly false or recklessly included in that process, and which can affect the life chances of individuals. We know of significant and high-profile circumstances in which false information has been included and has either affected a significant class of people or has seriously damaged the life prospects of individuals.
Given that the collection of data is part of the processing function, it seems to me that very little is being said about responsibility for those sorts of errors—in other words, the things that one could or should have realised were incorrect or where there was a disregard for the norms of checking information before it got into data systems. We heard at Second Reading how difficult it is to excise that information from the system once it has got in there and been round the virtual world of information technology.
Could the noble Lord, Lord Stevenson, or the Minister in replying, say whether there is anything apart from the Bill—I do not see it there at the moment—that enables there to be some sort of sanction, for want of a better word, against knowingly or recklessly including data that is false and which affects the life chances and prospects of individuals because it is capable of being identified with them and can be highly damaging? That is something that we may need to look at further down the line. If I am speaking in error, I shall stand corrected.
My Lords, I say to my noble friend Lord McNally that it is even worse having people say to you, “You’re a lawyer, you must understand this”, when too often you do not.
I have a question for the Minister. Am I right in thinking that the Charter of Fundamental Rights will apply to all member states after Brexit? Is it not the objective that we are on all fours with them as other users of data and, therefore, if there is no provision such as the ones that we have been debating contained in the Bill, how will that affect the adequacy arrangements?