(11 months, 2 weeks ago)
Public Bill CommitteesIt is good to see you back in the Chair, Mr Vickers. I am pleased to finally address clause 48, which I am happy to support. I will begin by outlining why this part of the Bill is so important.
The introduction of the Digital Markets, Competition and Consumers Bill was welcomed by Labour, which has led the way in calling for large tech companies to be properly regulated and for the need to ensure competition in digital markets. However, although the DMCC Bill contains a package of measures to protect consumers, enhance innovation and unlock growth, it is cross-economy legislation that is not tailored to the unique challenges faced by UK radio services.
The Government have recognised that in an age of shifting consumption habits, there is a need for provisions that protect our public service broadcasters, so it was absolutely vital that the Media Bill did not miss the opportunity to provide protections for radio, too. As has been mentioned, radio stations are of great importance to 50 million weekly listeners from all corners of the country, so it is vital that as technology rapidly evolves, people in the UK are guaranteed access to the radio services they know and love. The new regime set up by the Bill does not seek to give radio undue benefits, but rather looks to preserve the current state of play, in which such services can be listened to at first request and without unneeded interruption. That is for the benefit of listeners.
That means that voice-activated platforms cannot play their own playlists or services when a customer requests an Ofcom-licensed radio service, or overlay their own advertising into radio broadcasts without the permission of the broadcaster. Interruptions will be allowed only if a listener has explicitly made a request to be notified, for example through an alarm or call. That is important if radio services are to reach their listeners and continue to secure advertising revenue, and important for platforms, which will be able to ensure that their customers’ requests are dealt with precisely. Indeed, it hardly seems favourable to platforms to allow their customers to become frustrated after not receiving a service that they have requested multiple times through a voice command.
Importantly, the Bill has retained the requirement on designated radio selection services to use a broadcaster’s preferred way of delivering their station to listeners —for example, they might want it delivered via the BBC Sounds app, or through the Global Player. That vital safeguard will ensure that radio services can access the valuable data they need to improve their services, innovate and best serve their audiences. However, I recognise that platforms have been concerned about the number of routes they might be expected to deliver. Google said in evidence to the Culture, Media and Sport Committee that it can take around a year of engineering and tech work to onboard a preferred route, particularly because listeners can ask for a station in various ways; for example, a listener could refer to the same service as “6 Music”, “BBC 6” or “BBC Radio 6”, or use one of a number of nicknames. However, as Radiocentre has argued, the vast majority of stations are covered by a small number of apps.
The explanatory notes to the Bill clarify that a preferred route may be ruled out if it is “unduly burdensome”. That balances radio services’ needs with platforms’ ability to realistically cater for those needs. I am hopeful that this clarification will provide a solid basis on which the regime can be built.
On radio selection services, the definition in the Bill is designed to capture smart speakers, but it can be amended by the Secretary of State via the affirmative procedure. We discussed why an ability to amend the definition is so important during our debate on the inclusion of car entertainment systems. I am also pleased that there is now a requirement for the Secretary of State to consult Ofcom when making regulations to alter this definition, as the Culture, Media and Sport Committee recommended. However, there has been some confusion about the existing definition and whether the regulations will apply to smart TVs and streaming players using voice activation. Can the Minister confirm whether such devices will be included? If not, could they be in future?
Turning to designated radio selection services, as I said in debate on my amendments 32 and 33, it is a shame that the CMS Committee’s recommendations on delegated legislation were not accepted. I am pleased, however, that it seems that there will be mechanisms for de-designating devices, to ensure the exclusion of legacy devices. That is beneficial for platforms and broadcasters, who would find it quite a burden if requirements applied where devices were no longer supported.
I do not have any particular problems with the lines in the Bill relating to the meaning of “internet radio service”, or the list of relevant internet radio services, particularly as there is now a power in the Bill to amend that definition through the affirmative procedure. However, as has been discussed, the Bill misses the opportunity to bring within scope podcasts and IP-only services.
Finally, I would like to raise concerns passed on to me by TuneIn, a radio aggregator that allows listeners to easily access online the radio stations that they want to listen to. It worries that without an explicit “must offer” requirement, the Bill risks unintentionally making it legal for a radio station to deny its service to any platform or device. TuneIn warns that, without a requirement on radio broadcasters to ensure that their services are always offered to platforms, devices and apps, there can be no guarantee that radio will be freely accessible across those platforms. That could threaten the entire premise of the regime outlined in this clause and, of course, potentially damage TuneIn’s business as a radio aggregator. I therefore ask the Minister whether the Department has considered the concerns of TuneIn, and whether he can guarantee that the Bill will ensure that radio is freely accessible across all platforms, rather than just a handful of platforms.
To conclude, there has been lots of contention over this part of the Bill, but I am pleased with its intent to protect radio services, and with the changes that have already been made to improve it and make it more workable. There are a few changes to delegated legislation that I would have liked to have seen, and a few questions to be asked around scope, particularly when it comes to the exclusion of podcasts and the devices covered. However, overall, I welcome the inclusion of this part in the Bill, and I look forward to seeing the regime in action, so that listeners across the country can continue to enjoy their favourite, trusted radio services.
We have had a useful debate on one of the central parts of the Bill, and although the hon. Lady described it as one of the more contentious parts, I think there is widespread agreement on it. We were very grateful to the CMS Committee for strongly supporting the inclusion of these measures in the Bill, and since then, we have had extensive consultations with both the radio sector and the platforms. Some of the concerns expressed by platforms were not entirely justified, and I hope that we have been able to reassure them.
This part is focused on live radio broadcast, but obviously we will monitor the development of consumers’ listening habits, and there are powers available to broaden the scope of the Bill if it becomes clear that that is necessary. However, in summation, I am most grateful to the hon. Lady for her support, and to the rest of the Committee, and commend clause 48 to the Committee.
Amendment 12 agreed to.
Amendments made: 13, in clause 48, page 102, line 12, after “service” insert
“or (as the case may be) a relevant internet radio service”
See the explanatory statement to Amendment 12.
Amendment 14, in clause 48, page 103, line 12, after “service” insert
“, or
(b) a person who was but is no longer a provider of a relevant internet radio service,”
This amendment and Amendment 15 enable OFCOM to give a confirmation decision to a former provider of a relevant internet radio service.
Amendment 15, in clause 48, page 103, line 13, after “service” insert
“or (as the case may be) a relevant internet radio service”—(Sir John Whittingdale.)
See explanatory statement to Amendment 14.
Clause 48, as amended, ordered to stand part of the Bill.
Schedule 9 agreed to.
Clause 49
Penalties under Parts 3A and 3B of the Communications Act 2003
Question proposed, That the clause stand part of the Bill.
Clause 49 inserts proposed new schedules 16A and 16B, as set out in schedules 10 and 11, into the Communications Act 2003. These new schedules make further provisions about financial penalties and the liability of joint entities in relation to designated internet programme services, regulated television selection services, relevant internet radio services and designated radio selection services. In particular, schedule 16A sets out the principles by which Ofcom will assess penalty amounts and maximum penalties for non-compliance with the requirements on providers of those services set out in parts 2 and 6 of the Bill. For the BBC, S4C or a person who fails to comply with an information notice, the maximum penalty is £250,000. In all other cases, the maximum penalty that Ofcom can impose against providers of services is the greater of £250,000 or 5% of the provider’s qualifying worldwide revenue.
As is the case under the existing prominence regime, Ofcom will have responsibility for enforcing the new online prominence framework and that relating to radio selection services. It is therefore important that the regulator has a range of enforcement tools at its disposal for tackling contraventions, including the ability to impose a financial penalty. We believe that these provisions ensure that Ofcom can take enforcement action against the relevant provider in a proportionate and effective manner.
Clause 49 introduces schedules 10 and 11, which provide further information about enforcement and how it relates to the new prominence regime for our public service broadcasters, as well as the new regime for radio services on smart speakers and voice-activated platforms. I will speak briefly about both schedules in turn.
Schedule 10 sets out how penalties for failure to comply with the relevant regimes will be calculated. The ability to issue penalties is an important backstop that will ensure compliance with the regime while incentivising mutually beneficial commercial partnerships. However, to secure the integrity of the regime, it is important that there is consistency and fairness in how the backstop can be used, so it is good to see set out in legislation the principles that Ofcom must apply when determining the amount of any penalty, as well as how maximum penalties will be calculated. It is right that these should have the potential to be significant—they can amount to either £250,000 or 5% of the person’s qualifying worldwide revenue—so that they can serve their purpose as an effective deterrent. I am also pleased that the schedule allows for those amounts to be adjusted, should they need future-proofing in any way. Any change would be subject to the affirmative procedure, which would allow for scrutiny. Overall, I believe that schedule 10 is a necessary consequence of the regimes that the Bill sets up, and I have no particular issues to raise with the way that they have been drafted.
Schedule 11 is an important extension of the backstop powers awarded to Ofcom. It sets out the liability of parent entities and subsidiaries, and explains how confirmation decisions, penalty notices or provisional notices may be issued to them. Having that clarification in the Bill will hopefully make for a clear enforcement framework for Ofcom, and will make clear the responsibilities on those to whom the rules apply, so I welcome the inclusion of the schedule, which is necessary to the introduction of the two prominence regimes.
Question put and agreed to.
Clause 49 accordingly ordered to stand part of the Bill.
Schedules 10 and 11 agreed to.
Clause 50
Awards of costs
When Leveson produced his report over 10 years ago, he attempted to strike a careful balance between two important competing objectives: enforcing press standards and protecting the free press. As such, although the inquiry paved the way for the existence of an approved press regulator, it was decided that membership in such a regulator would be voluntary rather than mandatory for news publishers, with incentives put in place to encourage active take-up of membership. One of the major incentives to encourage membership was introduced in the form of section 40. Where papers had not signed up to an approved regulator, they would be vulnerable to paying their legal opponents’ costs where the judge considered it reasonable to do so, even if they were to win the wider case. If they were signed up to a recognised regulator, however, they would be protected from that.
Despite being introduced in the Crime and Courts Act 2013, section 40 has never been commenced and would be repealed by clause 50. We appreciate that section 40 is not a particularly well-drafted piece of legislation. Representatives from and of the press, including the NMA, have long argued that it is morally wrong to attempt to persuade them to sign up to external regulation on the basis that they would have to pay the legal fees of both sides, even when they had won the case. They say if the section was commenced, it would prove financially ruinous to them as on principle they would never sign up to such a regulator.
With over a decade passed, the media landscape has changed significantly since the Leveson report was published, as we have discussed. Almost every major press news outlet has introduced some form of regulation, whether individually or through the Independent Press Standards Organisation, which was not anticipated when the law was drafted. Publishers face significant new challenges that threaten the ability of the industry to carry out its vital work, from inflation and falls in advertising revenue to the rise of social media and the ability to share disinformation more easily online.
Amendment 41, tabled by the hon. Member for Aberdeen North, acknowledges what we will do when section 40 is repealed. It remains important that we have a press that is accountable for its reporting and meets the highest ethical and journalistic standards, but given the poor drafting of section 40 and the fundamental imbalance of costs, I believe that those questions are best answered outside the matter of repeal itself. On that basis, I will not stand in the way of this Bill as a result of the Government’s decision to repeal section 40.
My hon. Friends the Members for Folkestone and Hythe, and for Aylesbury, set out some of the background to this issue in two extremely well argued speeches. This is an issue that my hon. Friend the Member for Folkestone and Hythe and I have been living with for over 10 years.
The Leveson inquiry came out of what was undoubtedly a serious abuse by the press, which resulted in criminal prosecutions and some convictions, and a general acceptance that the existing system of press regulation by the Press Complaints Commission had failed. However, the royal charter and section 40 were constructs of the then Liberal-Conservative Government; they were an attempt to find another way of dealing with the issue that would be acceptable to the press but did not represent state regulation. A royal charter was created, and the Press Recognition Panel was created, which would authorise an independent regulator and confer on it the advantages that section 40 gave.
The understanding was that the vast majority of the press would sign up to the independent regulator, and that perhaps one or two of the more recalcitrant, hard-line—probably red-top—tabloids might stand out and would need persuasion, as the hon. Member for Aberdeen North said when speaking to her amendment. Section 40 was about persuading those one or two remaining outliers to join the system. I must say that I still feel slightly ashamed, because I was persuaded to support the establishment of section 40 after a long discussion with the then Prime Minister.
What none of us, or at least hardly anybody, anticipated was that there would be unanimity across the whole of the media—across all the national newspapers, including those that were certainly not sympathetic to the Government, nor had committed any particular sins of the kind being looked at by Leveson. The Financial Times, The Guardian, The Independent—none of them was prepared to go along with that. It was not just the national newspapers that did not join, but all the local and regional papers; the big groups such as Newsquest, Reach and Johnston Press did not join.
The number of publications that chose to sign up to the regulator, which was created in order to qualify for recognition by the panel, was and is pretty small as a proportion of the industry. I think that the hon. Member for Aberdeen North said that there were 200 publications now signed up. Most of them are niche and very small. There is nothing wrong with them; they are doing a good job, and it was their choice to join, but I am afraid that the system has failed to persuade the vast majority of publications to go along with it.
The opposition of the vast majority of publications meant that the system had failed to deliver what was intended. It was my choice, when I was Secretary of State, not to implement section 40. We announced that the Government would not bring in the order required for the powers in section 40 to come into effect. Ever since then, it has been sitting on the statute book unused, and in its place we have a new system of self-regulation.
The hon. Member for Aberdeen North kept talking about the need for independent regulation. Some may have criticisms of IPSO, but IPSO is an independent regulator. It is a self-regulator, and it is outside the statutory framework. There will be decisions taken by IPSO that I do not agree with, as there were by the Press Complaints Commission, and one will never be entirely satisfied, but as I think my hon. Friend the Member for Aylesbury pointed out, IPSO has been considered quite carefully by an independent assessor, and was found to be independent and delivering the kind of principles in the editors’ code that it was set up to enforce.
It is curious that the Minister is critiquing the Opposition’s position. The Government might be in trouble on the vote in the main Chamber today, but we are not yet in government. I think I outlined quite clearly in my speech that we do not oppose the repeal of section 40, and we appreciate that it has not worked. I also acknowledge that the media landscape has significantly changed, and any future consideration of the challenges of the press should take into account advertising, misinformation and the real challenges for local news. As much as the Minister tempts me to go into more detail, I remind him that he is still in government.
I am not sure that has cast any greater light on the Opposition’s position, but it was helpful to hear more from the hon. Lady about her position. At least we know where the SNP stands; the hon. Member for Aberdeen North made it absolutely plain that the SNP is happy to support our removing this pressure on newspapers to join a state-approved or recognised regulator, but only if we put in its place another mechanism that will put equal pressure on them, and that might prove more successful, as she said, in persuading them to join up to the recognised regulator. She and her party may accept the criticism of the existing position, but at least we understand that she still wants Government pressure on newspapers to join a state-recognised regulator. That is the principle we cannot support. I am afraid that in my view her amendment is no better than the existing system. It removes one point of leverage on the press, only to replace it with a yet unspecified alternative.
I do not think it is right that Government should be involved in regulation of the press; I think it is very dangerous. Even the rather convoluted and complicated mechanism of the royal charter still represents state involvement. That flies in the face of belief in the importance to democracy of the freedom of the press, which we on the Government side regard as paramount. I am therefore absolutely committed to supporting clause 50 and the repeal of section 40 of the Crime and Courts Act 2013.
The clause introduces schedule 12, which sets out minor and technical amendments to existing broadcasting legislation in relation to retained EU law. These are straightforward fixes to ensure that legislation does not become inoperable following the UK’s exit from the EU.
Part 1 of this schedule removes references to the audiovisual media services directive from the Broadcasting Act 1990 and the Broadcasting Act 1996. Part 2 of schedule 12 amends part 4A of the Communications Act 2003 to remove references to the European Commission, obligations under the audiovisual media services directive, and to other European legislation.
It is important that our legislation addresses issues of retained EU law. As such, I have no particular issues with the contents of the clause or with schedule 12.
Question put and agreed to.
Clause 51 accordingly ordered to stand part of the Bill.
Schedule 12 agreed to.
New Clause 1
Delivery of public service content on relevant television services
“After section 264A of the Communications Act 2003, insert—
“264B Delivery of public service content on relevant television services
(1) Ofcom must monitor the extent to which the public service remit for television in the United Kingdom is met in respect of relevant television services.
(2) If Ofcom considers that the public service remit for television in the United Kingdom is not being met in respect of such services, it may set whatever programming quotas it considers necessary to ensure that the remit is met.
(3) For the purposes of this section, ‘relevant television services’ means—
(a) the television broadcasting services provided by the BBC;
(b) the television programme services that are public services of the Welsh Authority (within the meaning of section 207);
(c) every Channel 3 service;
(d) Channel 4;
(e) Channel 5.””—(Stephanie Peacock.)
This new clause would give Ofcom powers to measure the delivery of public service content on the linear services of the public service broadcasters, and set quotas if it considered the current level to be unsatisfactory.
Brought up, and read the First time.
Question put, That the clause be read a Second time.
I suspect that the entire Committee agrees that it is important that children have access to public service broadcast content. The educational value of children’s television is hugely important, and it is indispensable for happy parenthood. It is for that reason that proposed new subsection 264(5)(c) of the Communications Act 2003 puts children’s television front and centre of the public service broadcasting regime. That will ensure that the public service remit can be fulfilled only by the public service broadcasters collectively producing a wide range of children’s content, including original content that reflects the lives and concerns of children and young people in the UK, and helps them to understand the world around them. The inclusion of children’s content as part of the remit will ensure that the needs of children feature prominently in Ofcom’s regular reporting. That will also complement its strengthened powers in respect of under-served content areas.
Although the provision of public service children’s programming is key, children—and especially older children—do of course watch other kinds of public service content as well, whether with their parents or on their own. As the hon. Member for Luton North set out, children access public service content via a wide range of devices. The Government agree that internet access and streaming services have fundamentally changed how audiences access TV, and that certainly applies to younger audiences, perhaps even more so than for any other group. On online advertising, I have recently been chairing a separate initiative—the online advertising taskforce—whose purpose is to ensure that online advertising does not advertise illegal products, and that children do not see advertising of inappropriate products.
The Bill tries to create flexibility by allowing our PSBs to deliver their remits across a wider range of services, including in new on-demand and short formats. We have made it clear that our PSBs must serve all audiences, and that extends not just to the content they make, but to how they choose to distribute it. These changes will ensure that our public service remit stays relevant and continues to reflect how audiences, including children and young people, are accessing PSB content.
We have to remember that PSB content has to be funded. All speakers paid tribute to the BBC’s output in this area, including CBBC and CBeebies, which are a core part of its output. Of course, the BBC receives public funding and is required under the charter to deliver content of that kind. It is more challenging for commercial television, as those broadcasters are dependent on advertising funding. I merely observe that the more we impose restrictions on what can be advertised to children, the more there is a detrimental impact on the amount of revenue gain by commercial broadcasters, which will influence their decisions about how much they invest in children’s programming.
That was one of the reasons why we previously established the young audiences content fund, which was designed to address the fact that almost all the children’s content was being produced by the BBC. The fund was there to support the commissioning of children’s content on other channels, and it proved very successful. It was a three-year pilot, but the Government continue to remain committed to the principle. I hope that, one day, it might be possible to resurrect something of that kind.
If it was a successful pilot, why did the Government not continue it?
It was a successful pilot funded by the BBC, because it was licence-fee funded. Personally, I would have liked it to continue, but the BBC obviously was under financial pressure and put up a strong case that it could not continue to fund it. The principle that it was seeking to address remains an important one, and the Government have tried to provide alternative support, through things such as tax relief, for the production of children’s content. I share the hon. Lady’s sadness that it was brought to an end after three years, but it was always intended to be a pilot, and viewers will still be able to see content produced by the fund for some years to come.
I hope that the sitting can end very soon in any case; I think we have pretty much concluded the debate, and the remaining clauses are relatively technical.
I think the best people to conduct the review that the hon. Member for Barnsley East has called for are Ofcom. Ofcom has given a commitment in its planning work to take an in-depth look at how the market is best serving the interests of children, which I think will give us the insight that she wants. For that reason, I do not think her new clause is necessary.
I appreciate the Minister’s point about it being harder for commercial stations than it perhaps is for the BBC—of course, I made a point of praising Channel 5 and Paramount in my comments. I asked a number of quite broad questions about children’s television. I hope that Ofcom will consider them, but I am not sure that the Bill mandates it to do that. For those reasons, I would like to push the new clause to a vote.
Question put, That the clause be read a Second time.
I do not intend to detain the Committee at great length. Clause 52 gives the Secretary of State a regulation-making power to make amendments to other existing legislation, which is needed as a result of changes contained in the Bill. If the proposed changes are to other primary legislation, the regulations will be subject to debate in both Houses. If the proposed changes are to secondary legislation, the regulations will be subject to the negative procedure.
Clause 53 authorises expenditure from the Bill. It covers the possibility that increased spending by Ofcom might require the payment of grants to incur or meet liabilities in respect of capital and revenue expenditure, or the possibility that the Secretary of State makes a grant to S4C.
Clause 54 sets out the Bill’s territorial extent. The Bill will extend and apply to the United Kingdom, except for the repeal of section 40 of the Crime and Courts Act 2013, which will extend and apply to England and Wales.
Clause 55 provides for the commencement of the provisions in the Bill. The majority of the provisions will be brought into force by regulations made by the Secretary of State. The provisions that come into force on the day on which this Bill is passed will be the regulation-making powers in relation to the prominence of television selection services and the general provisions in the Bill, such as the clauses dealing with the power to make consequential provisions, financial provision, extent, commencement, and the title of the Bill. Clause 50, which repeals section 40 of the Crime and Courts Act 2013, will come into force two months after the Bill receives Royal Assent. The rest of the Bill will come into force when the Secretary of State decides.
Finally, clause 56 establishes the short title of this legislation, which, when enacted, will be the Media Act 2024. I commend clauses 52 to 56 to the Committee.
I am pleased to have reached the final stages of our Committee. I have no issue with the clauses in this group. Perhaps I could seek your guidance, Mr Vickers, on whether it would be appropriate to say a few words in conclusion, or perhaps on a point of order.
(11 months, 2 weeks ago)
Public Bill CommitteesAs I mentioned on Second Reading, part 6 is one of the most contentious parts of the Media Bill. The Culture, Media and Sport Committee picked up on it immediately and published a dedicated report on the radio clauses prior to its report on the Bill more broadly. The report highlighted issues with the drafting as well as with the content, which I will speak about in more detail as we debate the various aspects of, and additions to, this part. It also expressed full support for the inclusion of measures intended to protect our treasured radio services. I wanted to mention that at the beginning of my remarks.
I have been extremely supportive of radio and the principles of inclusion, but I know that platforms are extremely concerned. A few weeks ago, I hosted a roundtable with radio services and platforms and we had a really constructive discussion about the Bill. It was one of the first times that stakeholders had been invited together to have a discussion, albeit a virtual one. During the discussion, it was clear that platforms were largely happier, albeit to varying degrees, with the latest version of the Bill compared with the draft. That is to the credit of the Committee and the Department, which took seriously the matter of rectifying some of the problems with the Bill while maintaining a commitment to the importance of the part and radio as a whole. I believe the Bill is all the better for it. We are now on a much better footing for discussing some of the remaining issues in the clause. We can focus on the nuances, rather than discussing whether our radio services should be protected.
I therefore approach the amendments today keeping in mind the fact that a good balance has been struck. My overwhelming priority is to ensure that radio services get the protections they have been waiting for. I do not wish to cause any major further disruption to a part of the Bill that has been fine-tuned, to the benefit of both radio and platforms.
To address amendments 42 to 44 specifically, as with the smart speakers explicitly included in the Bill, car entertainment systems are a platform that have the potential to make it hard for users to find radio services. Some sophisticated car entertainment systems, for example, have the ability to preference their own content over radio services, to force users to swipe through pages of options to find their favourite radio station, or indeed to refuse to offer radio, full stop. Radiocentre claims that some recent models of Tesla cars do not have a broadcast radio at all, and though it is theoretically possible to stream radio through an interface on such models, no protections are in place to ensure that that will remain the case in a genuinely accessible and convenient way.
That issue is only more worrying when coupled with the reality that listening via car entertainment systems is on the rise, in particular among younger people. Ofcom reports that 9% of people listen to a streaming service via an in-car system, rising to 19% in the 16-to-24 age group. I therefore ask the Minister why such car systems were not considered for inclusion in the initial definition in the Bill alongside smart speakers. The CMS Committee report said that
“the Government may have overestimated the extent to which listeners are easily able to find their preferred stations in in-car systems.”
I agree with that statement and with the Committee’s recommendation to the Minister and Ofcom that they keep the issue under “close review”.
The Government agreed to that in their response to the Committee report, so how do they actively plan to do it? At what threshold will they consider extending the regime to cars or to any other device that poses similar problems? While I am in favour of exploring the inclusion of car entertainment systems, given the scope in the Bill to extend the regime, I think it is important that any extension is properly consulted on; in particular, car manufacturers themselves will need to be consulted.
Similar to the prominence regime for public service broadcasters, , it is right the Bill should be future-proofed so that new technologies can be accounted for, not just with cars, but further into the future. I hope that the Minister will consider that and will explain with clarity how we can be sure the Bill does enough to protect radio not just in today’s world, but in the years to come.
I apologise to the Committee for croaking a little. I also declare that on Sunday I attended the Jingle Bell ball with Capital Radio, which is organised by Global Media. In between some excellent performances, we talked briefly about the Media Bill.
The hon. Member for Barnsley East described part 6 of the Bill as perhaps one of the more contentious ones, although in fact I think that there is widespread agreement in Committee. On Thursday, we spoke about the importance of radio and how it continues to achieve a significant proportion of listening, despite having been written off a number of times in the past years. Part 6 of the Bill relates to the recognition that the way in which people access radio is changing. We spoke for a bit of time about updating the regime governing broadcast television to take account of the move to digital so, similarly, this part of the Bill is concerned with the fact that a growing proportion of radio listening is done through smart speakers.
The amendment moved by the hon. Member for Aberdeen North relates to cars in particular, but as my hon. Friend the Member for Warrington South pointed out, listening to the radio in cars represents a significant proportion of radio listening. Research carried out in 2021 by WorldDAB Forum, which is the international standards and co-ordination body for digital radio, showed that more than 90% of prospective car buyers across a range of international markets say that a broadcast radio tuner should be standard equipment in every car. Research has also found that 82% of potential car buyers say they would be less likely to buy or lease a vehicle that is not equipped with a built-in radio tuner. Consumer demand for new cars to have a radio installed as standard remains powerful.
Yes. We understand why the Bill is not prescriptive in setting out designated radio selection services, but if that is to change, there should be further parliamentary scrutiny.
On amendment 32, the hon. Lady and I have debated the secondary legislation provided for in this Bill, and in other Bills in the past. In this case, we do not agree that the affirmative procedure is appropriate. As the Bill sets out, the designation of a radio selection service will reflect the fact that it is used by a significant number of people who access radio services. Advice on what level of use is significant, and which services cross that threshold, is a matter for Ofcom in its role as independent regulator.
As is set out in proposed new section 362BB(3) to the Communications Act 2003, the Secretary of State must have received a report from Ofcom before making the relevant designation regulations. The framework for designation is therefore set by this Bill, and advice on which services are used by significant numbers of people will be provided by Ofcom. On receipt of Ofcom’s advice, the Secretary of State must consult with radio selection services and the radio industry, as well as others whom they consider appropriate, in accordance with proposed new section 362BB(4), before coming to a decision. They can disagree with Ofcom’s recommendation, as provided for in proposed new section 362BC(6), but must provide reasons for doing so.
The order-making power relates to orders confirming the Secretary of State’s decision to designate a platform or platforms. The order will be laid before Parliament and follow the negative procedure. We felt that the affirmative procedure, which would trigger a debate in both Houses, was not appropriate, given that the exercise of this power relates to decisions affecting one or more companies. I hope that the hon. Member for Barnsley East will accept that in this case, a negative resolution is sufficient.
I am extremely grateful to the hon. Member for Barnsley East for tabling amendment 33, and I absolutely recognise the intention behind it: to ensure that the Secretary of State consults before making regulations adding, removing or altering a condition that that must be satisfied before a radio selection service may be designated. A similar consultation requirement is imposed by proposed new section 362BB(4) before the Secretary of State can make regulations designating a radio selection service.
I acknowledge that it is reasonable to seek an equivalent requirement with regard to making any changes to the conditions that need to be satisfied before a service may be designated. However, the full impact of the amendment’s wording will need to be looked at by parliamentary counsel. In particular, the hon. Lady’s proposal will need to be considered in the context of subsection (4) of proposed new section 362BB to the Communications Act 2003. I hope that she is willing to withdraw the amendment, on the understanding that the Government will consider the matter further before Report.
I thought for a moment that the Minister was going to support my amendment. However, I am happy with his explanation, and so am willing not to move amendment 33. On amendment 32, I am afraid that once again we disagree on the statutory instrument, and once again I am not comfortable with the fact that Ofcom’s recommendations can be ignored, with no subsequent debate. For that reason, I will press the amendment to a vote.
I appreciate what the Government are saying about drawing the line, but does the hon. Gentleman accept that that leaves us with a contradiction between audio and visual? For a Bill that is aiming to future-proof, it fails to do that.
The regime that the Bill introduces for TV public service broadcasting has slightly different objectives from the regime that we are introducing for radio. In the case of radio, as we have debated, it is much more to do with ensuring that things like advertising are still supplied by the broadcaster, rather than being replaced by the platform, so that, for instance, there is no possibility of the platforms charging radio stations. They are slightly different objectives. It could always be said that there are distinct differences between the regime for audio and the regime for visual, and I think that is going to be inevitable. As I say, this is something where consumer habits are changing and we will of course keep the matter under review. There are powers to make amendments, should they prove necessary in future.
All the amendments in this group refer to the relationship between internet radio stations and radio selection services. As I have mentioned previously, striking the right balance between the two groups will be integral to the success of the regime as a whole. It is with that in mind that I will address amendments 48 and 49 together, before looking at amendments 52, 50 and 53.
On amendments 48 and 49, data is among the, or possibly the most, highly valued assets in our modern, tech-forward society. I am well aware of that, having served as shadow Minister for Data not too long ago and, having sat opposite the Minister for a lengthy discussion on the Data Protection and Digital Information Bill, I know he is too.
Data is key to innovation, unlocking benefits for users and growing an organisation more broadly. It is also crucial for creating the mutually beneficial advertising partnerships on which commercial radio naturally relies, alongside many of our other creative industries. I realise the vital importance of radio stations being able to access data for their audiences, regardless of the fact that such audiences might be listening through a smart speaker. I therefore appreciate the intent of amendments 48 and 49, which seek to ensure designated radio selection services provide stations with user data.
It was my understanding, however, that the need for data was one of the primary reasons for including preferred routes as part of the clause. Indeed, the BBC told the Culture, Media and Sport Committee that
“having the ability to play out through our preferred service means that we then get that data to allow us to improve our services. That is why it is such an important provision that should remain in the Bill”.
I am therefore keen to understand from the Minister whether it is his understanding that the requirement for smart speakers to provide a service through a preferred route inherently includes a guarantee that data will be accessible to radio stations as a result. If not, I hope the Minister can take on board what the amendments are trying to achieve and provide us with a comprehensive reassurance that radio stations will have access to user data as they deserve.
I turn to amendment 52. Unlike the draft version of the Bill, the published version signals that pre-roll advertising might be allowed, subject to the agreement of a station. That means that an advert or branded message of the smart speaker’s choosing could play on a smart speaker before the requested radio station begins playing. That is one of a number of changes from the draft version that I believe has helped alleviate some of the strong concerns tech platforms held about this part of the Bill.
On the other hand, Radiocentre, which represents commercial radio, has worries about the new addition. In particular, it cites the difference in bargaining power that radio stations may have in comparison with a tech firm, fearing that may result in the phrase “subject to the agreement of a station” being abused through effective coercion. That would effectively mean that radio stations are forced to take on adverts before their content starts playing.
I understand the concern and am supportive of the way the part as a whole has sought to redress the power imbalance between radio and platforms and secure a healthy future partnership between the two. However, I hope that Ofcom’s ability to enforce the regime more broadly as a result of the Bill will provide protections against abuse of the system, so long as Ofcom is appropriately empowered. There should be protections against any situation where a radio station is forced to allow a pre-roll advertisement against its will.
Can the Minister confirm whether the Bill does enough to ensure that will be the case and provide assurances that the protections for radio stations to refuse will be properly enforced? If he can—and I hope he will—I believe the amendment may not be necessary. After all, it is hard to imagine a situation where a radio provider would freely request a pre-roll advertisement, and I worry that, as a result, the amendment may have the counterintuitive effect of disrupting tech platforms’ precarious acceptance of the part more generally in its published version, compared with its draft.
Amendment 50 seeks to remove the restriction that would mean radio stations cannot charge smart speakers for their services. Conversely, amendment 53 seeks to extend the equivalent restriction on platforms to cover non-financial charges. It is my understanding that the premise of the relevant sections of the Bill is quite simple: to ensure that neither party charges the other. That seems fair to me, as it applies both ways. Can the Minister confirm whether this part looks to ensure that neither radio services nor smart speakers can charge the other when carrying out their duties under this part? If that is the case, any change to that arrangement, as sought by these amendments, may cause an unfair imbalance where it is currently an equal measure.
However, by way of reassurance for radio services that may be concerned about their bargaining power, I hope that the Minister will outline explicitly the protections in place throughout the Bill to ensure that the regime will be enforced with integrity. It is, of course, important that radio stations can be carried by platforms regardless of any power imbalance, and without having to face any unnecessary charges or burdens. That will provide certainty for radio stations and clarity for platforms, both of which need to accept and understand of the regime if it is to work as intended.
I will start with amendment 50. As the hon. Member for Barnsley East has set out, the whole purpose of the regime we are putting in place is to ensure that the provision of live radio via smart speakers or similar devices is not monetised by either party and that there are protections for radio stations from having to sadly face charges imposed on them by platforms. At the moment, we agree that it is very unlikely that a station would be in a position to extract charges from a platform; the reverse is the case. However, in the widespread consultation we had—the hon. Lady has also referred to the discussions she has had with platforms—it was felt that nevertheless there did need to be some fall-back protection in place. If the hon. Lady’s proposed amendments were to be made, there would be no ability for the regime to be updated in the future, were the market to develop in such a way as to make it a realistic prospect. We think it is important to have that safeguard power should we one day encounter a situation where radio stations sought to extract charges from a platform.
Any exercise of the power within the Bill is subject to consultation, as set out in proposed new section 362BH to the Communications Act 2003, and it would also need to be approved by each House through the affirmative procedure. We nevertheless think the power is an important one, and I therefore hope that the hon. Member for Barnsley East will consider not pressing her amendment.
Turning to amendment 52, we do not think there is a need to change the wording of the current provision. There are a number of ways through which a station can reach its listeners via their connected devices. They can do so directly, through the use of a service operated by the platform; there are, in particular, means such as the Amazon Alexa radio skills kit, which offers an extremely effective way—particularly for small stations—to provide their content via the internet. Some of the aggregators, such as Global Player or BBC Sounds, act as a portal through which a number of different stations provided by the same operator can be made available. Others, such as TuneIn, bring together a range of different stations from different providers.
It will be for each station to decide the option that best fits its needs and to take advantage of the protections offered by the Bill. Some of those options may involve the inclusion of a short period of advertising before the radio station is played. However, the provisions in proposed new section 362BI are clear that advertising cannot be imposed on a station—it must be agreed to. This will ensure there remains scope for mutually beneficial arrangements, while ensuring that radio maintains control over the content that reaches its listeners. For that reason, I do not think the amendment, as the hon. Member for Barnsley East suggests, is necessary.
I appreciate the argument the Minister is making, and I did not really want to interrupt, but for clarity, these amendments are in the name of the hon. Member for Aberdeen North, not mine.
I do apologise. I am not sure whether the hon. Lady was endorsing them, but I will direct my remarks particularly to the hon. Member for Aberdeen North.
If the Minister was listening to my speech, he would know that I am more sympathetic to his position than to that of the hon. Member for Aberdeen North, but it is a fine balance between both the platforms and the radio.
And indeed a fine balance between the Government and the SNP. I am grateful to the hon. Lady for clarifying her position; I direct my remarks particularly to the hon. Member for Aberdeen North.
The Government absolutely recognise the intention behind amendments 48 and 49, but we do not think it appropriate to include such provisions within the Bill. We absolutely acknowledge that it would be of benefit to radio stations to be assured of access to listener data above and beyond the data that radio stations collect themselves, from monitoring their own streams or from surveys such as those by Radio Joint Audience Research. The provisions in the Bill are being put in place to address issues specific to radio, namely securing BBC and Ofcom-licensed commercial and community stations’ ability to access their listeners. As my hon. Friend the Member for Warrington South made clear, the issues raised in the amendment tabled by the hon. Member for Aberdeen North could apply across a wide range of sectors and are therefore more appropriately addressed in the context of the Government’s wider work on competition in digital markets.
I hope that the hon. Member for Aberdeen North will, to some extent, be reassured by the provisions in proposed new section 362BI that allow radio stations to nominate a preferred route for their service to be delivered to listeners, provided that the route is not unduly burdensome for the platform to deliver. I take the point from the hon. Member for Barnsley East about the importance that some stations attach to the ability to designate a preferred route. These measures do provide scope for a route through which—subject to a listener’s consent, for example through logging in—a broadcaster may be able to access valuable data to enable it to further improve its service. For those reasons, we do not support the amendment; I hope that the hon. Member for Aberdeen North will not press it.
In addressing amendment 53, it may be helpful to set out the context of the overall regime. At the moment, platforms and radio stations both benefit from carriage: the platforms provide radio with another way to reach its audiences, and listening to radio is one of the main reasons why people buy devices such as smart speakers. At this stage, there is no evidence to suggest that the platforms are seeking to charge stations for access, but as more and more listening shifts online, there is a risk that the balance will shift in favour of the platforms, creating an economic incentive for them to monetise the content to which they provide access.
Proposed new section 362BI will address the issue by limiting the scope for platforms to use their position to monetise the carriage of radio in the future. In the event that they seek to do so in ways that might not be covered by these provisions, or indeed by the ongoing work within Government on competition in digital markets, the new provisions will provide the Secretary of State with powers to intervene. In particular, proposed new section 362BP(2) will enable the Secretary of State to make provision by regulations
“about the terms and conditions that may be offered by the provider of a radio selection service to the provider of a relevant internet radio service for or in connection with the use of the service to access the relevant internet radio service”
and
“about the charges that may be imposed by the provider of a radio selection service”.
On that basis, I hope that the hon. Member for Aberdeen North will not press her amendment.
(11 months, 2 weeks ago)
Public Bill CommitteesI am pleased to be starting part 2 of the Bill today. Indeed, an update to the prominence regime is arguably the most anticipated of all the Bill’s measures, and I am certainly keen to see it come into force.
As I have spoken about many times already, our public service broadcasters are the cornerstone of our broadcasting sector in the UK, investing billions in original productions and creating content that is trusted, valuable and entertaining for UK audiences. Historically, in return for the high standard of programming and investment that public service broadcasters provide, their channels have been made easy to find on linear television sets—to the benefit of audiences across the country. However, amid rapid changes in how viewers access television and content more generally, the prominence regime, which has not been updated for decades, is at increasing risk of becoming diluted and outdated.
As ITV identified in its submission to the Culture, Media and Sport Committee, the major risks are twofold. First, public service broadcasters are in danger of being cut out of view, as global content players and platforms strike international deals with online platforms for prominence. Secondly, as a result, our public service broadcasters are at risk of being forced to concede increasingly material percentages of their revenue to these platforms, simply to appear on them. In this situation, it seems like almost everyone loses out—from audiences, to the wider UK production economy, to even the platforms themselves, which may find themselves in a position where they cannot promote the content that UK viewers most want to see. A new prominence framework for the digital era, therefore, was always going to be crucial.
The next question to answer was how prescriptive such a new regime would be in legislation. I am pleased that, in response to this, the Government have avoided explicitly spelling out what prominence looks like in the Bill, or making primary legislation restrictive or resistant to future changes in technology and behaviour. Instead, we have before us a principles-based approach based on finding mutually beneficial carriage deals between what is branded “designated internet programme services” and “regulated television selection services”, with Ofcom being able to provide a framework in which these negotiations can operate.
That is then backed up by a strong dispute resolution and enforcement powers for Ofcom, including the ability to improve significant penalties in the result of non-compliance. This allows for maximum flexibility in both legislation and negotiations, as well as proper protections where agreements cannot be reached. It also allows for the regime to be expanded where necessary to capture new technology that people might be watching television content on. Platforms and PSBs have a history of successful negotiations, creating mutually beneficial deals and partnerships that would be counterintuitive for the prominence regime to undermine.
With that in mind, I am glad that the Department has made a few changes to the initial drafting of the Bill, in particular regarding the agreement objectives that are designed to incentivise the agreement of appropriate terms between platforms and PSBs. The original phrasing had concerned both parties. For PSBs, there were fears that the stated focus on costs would see platforms making unfavourable demands on advertising and data. For the platforms, there was concern that the phrasing could imply a responsibility on their behalf to cover the cost of PSBs. The new phrasing, which looks at the provision of public service content to audiences in the round, will hopefully alleviate some of these worries.
It is also welcome that there has been a clarification over legacy devices. It is important that technical feasibility is taken into account when deciding which devices are designated as being in scope of the regime. I would, however, like to ask for some clarity on the requirement to secure “appropriate” prominence. This was a major topic of discussion during the pre-legislative scrutiny process, with the majority of PSBs calling for this to be upgraded to “significant” prominence. The arguments around this were mostly based on the differences between linear and digital streaming landscapes.
On a traditional television set, appropriate prominence has, in practice, meant a fixed and high slot on programme guides—a relatively straightforward goal to achieve. However, the BBC said in its evidence that it has still sometimes struggled to secure high listings for its children’s channels on linear televisions. Likewise, S4C noted that it remained channel 166 on Virgin Media in Wales until 2021 due to a wide interpretation of the word “appropriate”. On streaming sticks and smart TVs, however, there is an ambiguity as to what appropriate prominence should provide in practice, especially given the many ways one programme might be reached within only one such device. Therefore, for the regime to have its intended impact, the argument is that significant prominence will be needed to ensure that public service content is easy to find on every necessary interface. That was also recommended by the Culture, Media and Sport Committee. However, I am aware that Sky and others have expressed that there may be some unintended consequences to upgrading to significant prominence, particularly because of the risk of overriding consumer choice and preference.
Will the Minister provide a full response to the argument for significant prominence and outline the reasons why the prominence requirement has not been upgraded? Further, what conversations have been had with Ofcom on how the detail of the regime will be set out in the code of practice to ensure that it meets its aims? As I will go on to say throughout the Bill’s passage, we need a strongly empowered Ofcom if this Bill is to be a success.
On a similar note, Will the Minister tell me whether the Department has considered the possibility of including remote controls and multi-use devices in the prominence regime? I know that is something the BBC has consistently called for. Its latest thinking is that electronic programme guides could be given a prominent button on remotes, rather than one PSB in particular. Although my priority remains to see this clause passed, we must explore these questions to make sure that we are fully seizing this once-in-a-generation opportunity to ensure that public service content is easily findable in a digital age.
I will also take this opportunity to briefly discuss the role of regional prominence. Before I continue, I want to reassure colleagues that I do not mean to imply through the use of the phrase “regional prominence” that Wales and Scotland are regions, rather than nations in their own right. I use that terminology because that is how the Bill refers to prominence arrangements that will be required for the likes of S4C and STV, as well as other, genuinely regional services provided by our PSBs. For those broadcasters and their respective audiences in Scotland and Wales, proper prominence will be absolutely crucial. That is perhaps even more so the case when we consider that S4C simply cannot match the promotion budgets of those that dominate streaming platforms, yet it provides a unique service in the Welsh language that others simply do not.
However, some platforms have raised concerns over the technical feasibility of ensuring regional prominence. For example, techUK has said that technical and privacy challenges mean that providing regional variation in prominence would be a disproportionate burden. As a result, S4C has raised concerns that user selection might be used in lieu of guaranteed prominence. That would be quite different to the envisaged package of benefits that the prominence regime would provide for PSBs.
First, will the Minister first reaffirm that the Bill does not require regional prominence for S4C, STV and other regional programming that our PSBs provide? Secondly, will he update us on what discussions his Department has had with both Ofcom and platforms on how this requirement on regional prominence will be enforced and adhered to on a practical level? I know that the detail of what is required will become clear when Ofcom’s code is published after the Bill, but some baseline reassurances are needed now to clarify whether changes are needed to primary legislation to secure the kind of prominence we had all envisaged for the likes of S4C. The Bill must empower Ofcom as much as it can. Regional prominence goes to the very heart of why these changes are being made in the first place, and it is vital that its inclusion in the Bill is in no way compromised or diluted.
Finally, I will address my two technical amendments to this clause. First, I suggested an amendment that changes the power of the Secretary of State to designate or specify a description of regulated television selection services from the negative procedure to the affirmative. As the CMS Committee report recognises, although the Secretary of State can only designate services deemed to be used by a significant number of viewers, and must receive a report from Ofcom, the Minister can still make a decision that goes against Ofcom’s recommendations. Given that, it seems sensible that their decision should be open to greater parliamentary scrutiny.
Too many Bills coming through this Parliament have given sweeping powers to the Secretary of State, as the Minister and I discussed at length during the Data Protection and Digital Information Bill. Though such measures are sometimes needed to futureproof a regime, it is absolutely crucial to ensure that parliamentary scrutiny is not seen as an onerous task to be bypassed, but an important part of shaping good policies. With that in mind, I would like to see the affirmative procedure used in this case.
Secondly, the BBC has raised concern that the new framework creates a level playing field for licensed public service broadcasters in a way that it does not for the BBC. Indeed, the BBC is required under its framework agreement to publish a distribution policy, outlining the conditions under which it makes its services available. The conditions include securing appropriate prominence, quality and value for money. The BBC is also legally required to offer services to third parties without charge and on a fair, reasonable and non-discriminatory basis.
The Media Bill largely recognises that the BBC has a distinct regulatory framework—no less so than in this very clause, where it is made clear that there will be no additional “must offer” obligations on the BBC given its equivalent obligations. However, though there is explicit reference to the BBC’s “must offer” duties in the Bill, there is no matching reference to the BBC’s charter and framework agreement in the “must carry” section of the Bill. Both a “must carry” and a “must offer” requirement are needed to create the conditions for PSBs and platforms to have successful negotiations on prominence from a level playing field. The exclusion of comprehensive “must carry” requirements on platforms when it comes to the BBC may therefore make such negotiations harder. That is particularly worrying given the BBC says it already faces increasing difficulty when negotiating with some platforms that have little interest in supporting UK PSBs. It says global platforms, in particular, are more focused on self-preferencing their own content, monetising user interfaces and controlling data and algorithms.
My amendment would seek to rectify that inequality in the Bill. It would give the BBC an equivalent negotiating position to the commercial broadcasters, setting out that any regulated platform must also act consistently with the charter and framework agreement. That is hopefully a largely technical change to ensure no unintended consequences that could put the BBC at a disadvantage. My absolute priority on prominence is to ensure that the new measures are brought into force, but it is also important that we take the opportunity to ensure the new regime is as robust and effective as possible while we still have the chance.
This section of the Bill on prominence is a central part of the changes the Government wish to make. Although the hon. Lady has done a good job setting out the reasons we decided it necessary to update the prominence requirements, I hope she will forgive me if I recap them since I think it is important that the Government’s position is set out in some detail.
As the hon. Lady described, the objective of the UK system of public service broadcasting is to ensure that public service content is readily available to as wide an audience as possible and is easy to find. PSB prominence plays a crucial role in delivering that. In doing so, it boosts viewership and engagement, which are important to sustain advertising revenue and brand value for PSBs. In turn, that ensures they can continue to deliver the high-quality original programming that UK viewers expect. PSBs receive the benefit of prominence in recognition of the additional obligations placed on them, such as news and current affairs provision, and that has become known as the PSB compact.
However, the existing regulatory framework for ensuring carriage and prominence of PSB channels, set out in the Communications Act 2003, does not extend to the PSBs’ on-demand services, nor services other than electronic programme guides that enable viewers to navigate and select TV programmes. Audiences increasingly watch TV online and, in many cases, bypass traditional distribution platforms altogether, so without the new prominence frame- work, we risk undermining the long-term sustainability of the PSB system in the UK. All PSBs have been calling for an update for some time.
Clause 28 introduces a new online prominence framework for PSB apps, referred to in the Bill as “designated internet programme services”, wherever they appear on particular user interfaces, referred to as “regulated television selection services”. The framework is principles-based to ensure that regulation is proportionate and adaptable for the future without negatively impacting consumer choice and experiences. This approach to regulation aligns with the consistent feedback we have had from stakeholders on both sides through our engagement with them on this issue.
My hon. Friend makes an interesting point, and I have sympathy with the concern he expresses. However, if this Bill was not passed, the advantages of being a public service broadcaster would be very small. All the PSBs have made it clear that they regard prominence as an essential benefit of the compact, in order that they are easily found and accessible. Because they have laid such stress on that, we assume that it is still their wish to remain designated as PSBs.
It is, of course, up to any PSB to walk away from the compact if they chose to do so. In doing so, they would no longer necessarily be able to benefit from prominence and the other advantages that come with PSB designation. However, I know that both my hon. Friend and I believe that there is a continuing need for public service broadcasting in this country. One of the purposes of the Bill is exactly to address the point he makes, by ensuring that PSB designation is still an attractive proposition for broadcasters to seek.
Let me return to one or two details of precisely how the system will operate. Once the necessary internet programme services and regulated television selection service providers have been designated, new sections 362AJ to 362AN introduce new rules to ensure the availability of public service content. That is achieved by requiring providers to offer their designated IPSs to RTSS providers and requiring RTSS providers to carry these designated services. After all, prominence would be redundant if the PSB services are not on the platform to begin with.
These availability requirements will be underpinned by statutory agreement objectives that providers of designated IPSs and RTSSs must act consistently with when reaching an agreement on the availability and prominence of designated services and when keeping that agreement in force. These include that the arrangements support the sustainability of public service broadcasting and do not disproportionately restrict how the platform may innovate its service. The intention behind these agreement objectives is for Parliament to provide expectations for the outcome of negotiations between designated IPS providers and RTSS providers. These objectives are to be supplemented by more detailed Ofcom guidance on how providers may act consistently with them.
In that respect, let me address the point made by the hon. Member for Barnsley East in her amendment 29. Proposed new section 362AL requires Ofcom to
“prepare…guidance about how providers of designated internet programme services and providers of regulated television selection services may act consistently with the agreement objectives”
when negotiating on the carriage and prominence of designated services and after an agreement has been reached. The Government absolutely recognise that Ofcom’s guidance should take into account the BBC’s equivalent duties under the framework agreement, as also reflected in its relevant strategies and policies under the agreement, including clause 62. However, I can tell the hon. Lady that proposed new section 362AL(2) already provides for such considerations by Ofcom by referring to
“any duty of the BBC under the BBC Charter and Agreement that is comparable to the duty of providers of designated internet programme services other than the BBC”.
This may be a good opportunity to expand on another point. By convention, the BBC is not regulated in statute. It is the Government’s intention for the new prominence framework to apply to the BBC through the framework agreement. We plan to work at pace with the BBC to make corresponding changes to the its framework agreement to ensure that the relevant parts of the prominence regime apply to the BBC, while also acknowledging how it legally functions. It is the Government’s view that there is already provision in the Bill for Ofcom to consider the BBC’s comparable duties and corresponding policies under its framework agreement in its guidance on the agreement objectives. It is for that reason that I am unable to accept the amendment of the hon. Member for Barnsley East.
Overall, we think the principles-based approach that we are taking, with Ofcom playing a vital role, is the correct one. It will give Ofcom the tools it needs to ensure that the regime is functioning effectively without being too inflexible or overly prescriptive. Once designated services are available on the platform in question, new sections 362A0 to 362AR introduce specific duties on providers of RTSSs, including the requirement to carry and display designated IPSs with an appropriate degree of prominence. That includes the requirement to carry and give regional prominence to designated S4C services in Wales and STV services in relevant parts of Scotland.
I asked the Minister to reaffirm that it does not require regional prominence. Obviously, I am very keen to hear that it does because I know that there are some concerns, particularly from S4C, that it might do so in theory but not in practice.
I am happy to address that point. The hon. Lady also raised the subject, which was debated on Second Reading and in the Select Committee, of whether the requirement for “appropriate prominence” is a better description than “significant prominence”. That is something we looked at carefully, particularly as it was one of the Select Committee’s recommendations, but we feel that it is important that the approach to regulation should be proportionate and allow for flexibility and operability across different RTSSs. We believe that an appropriate level of prominence, as determined by Ofcom in the code of practice, provides that flexibility and enables Ofcom to implement the regime in a practical way.
The hon. Lady makes an absolutely fair point. I hope Ofcom will look into that as it draws up the rules. Finally, on the point about voice activation, she is right that I can talk to my television set without even needing to pick up a remote control. Again, it is an obligation of Ofcom’s to consider appropriate prominence in that respect, and I am sure that it will take that into account.
I hope the BBC is reassured by the Minister’s explanation. I am happy not to press amendment 29 to a Division. This has been a useful debate, involving Members on both sides of the room, and it was particularly good to note the points about TV remote controls and gaming, which affect so many of the population.
On amendment 21, I continue to disagree with the Minister on the use of the affirmative procedure. For that reason, I would like to vote on it.
Question put, That the amendment be made.
I will begin by discussing clause 31, which I think requires a bit more attention, before briefly addressing clauses 29 and 30. In perhaps the most significant of the changes made to Channel 4 throughout the Bill, clause 31 ends the restriction on Channel 4 that means it cannot be involved in the making of any programmes that it broadcasts.
Before I speak in a little more detail about the clause, I want to take the opportunity to set some context. I welcome the fact that an even more significant measure has not made its way into the Bill, as the Minister alluded to. The Government’s initial plans to privatise Channel 4 would have been disastrous. Channel 4 has a truly unique role in British broadcasting. As a company owned by the British public, which costs the public nothing, it commissions new programming, creates jobs, and discovers new talent across the country.
The channel plays a key role in the pipeline of talent and skills in the industry. For example, 4Skills has provided opportunities to young people who might never have considered a career in broadcasting, through apprenticeships, training schemes and the Content Creatives scheme. 4Skills has reached over 10,000 people since 2015 and aims to reach a further 100,000 over the next decade. Channel 4 has also brought us Film4, which spends more on British film than any other UK broadcaster. It invests millions in feature films that nurture new talent and help to sustain writers, directors and production companies across the UK. In addition, Channel 4 takes seriously the need to enable opportunities outside London, spending over 50% of its commissioning budget outside London—something it has committed to continue even after the introduction of the clause.
The Government’s plan to sell off Channel 4 was a plan to sell out Britain, heavily disrupt the broadcasting industry, and puncture several local economies. I am very pleased that Ministers finally came to their senses, although I question why it took them so long, and I reiterate the disappointment that I expressed on Second Reading that the process has delayed the introduction of other important measures in the Bill.
The clause is best understood in the context of the U-turn on privatisation. Channel 4 never asked for the removal of the publisher broadcaster restriction. Instead, the measure was announced as part of the package that the Government put forward when announcing Channel 4 would not be for sale. The statement that the then Secretary of State, the right hon. Member for Chippenham (Michelle Donelan), put out at the time said that the change would give the channel more “commercial flexibilities”, and
“exploit Intellectual Property…as other public service broadcasters are able to.”
What the announcement did not include was a detailed assessment of what impact the change might have on the independent production sector more widely. Even Channel 4 warned that there could be
“unintended consequences on the UK production sector”
as a result of the new powers. Directors UK also pointed out that the changes could
“distort or negatively impact the market in which our members are employed”.
Furthermore, the Media Reform Coalition expressed concern that even the current state of play was seeing smaller independent companies suffer, with Channel 4 becoming overly reliant on super indies. It was therefore crucial that the wider market was properly considered before the change was implemented.
I am pleased that the Department and Channel 4 have made a range of commitments to mitigate any potential negative impacts of the change. 4Skills will receive increased annual investment, the number of roles outside London will be doubled and, perhaps most important, Channel 4’s independent quota will rise to 35% of qualifying programmes. If Channel 4 does commence production, which I understand would be a gradual process and is some way off at the moment, further measures would be put in place. There would be a separate C4C production business with its own board and governance, a proper dispute resolution procedure and new reporting requirements. All of that will then be underpinned by a new requirement for Ofcom to consider whether Channel 4’s in-house productions have impacted on the fulfilment of its remit.
Nevertheless, I do not believe that package of measures has eased everyone’s concerns. I know the Media Reform Coalition, for example, has called for the restriction to remain in place and for further measures, such as a small and medium-sized enterprises guarantee, to ensure that a majority of commissioning spend goes to producers with an annual turnover of less than £25 million. Although I believe that significant progress has been made since the first draft was published to assess the impact of the clause on the market, I continue to understand and recognise that the changes will be worrisome to independent producers, particularly small ones.
If Channel 4 decides to exercise the new powers in the Bill, I hope it continues the approach it has taken thus far of doing everything possible to allow the independent sector to thrive, from top to bottom, and keeping itself accountable by setting targets that ensure this. With that in mind, I am happy to proceed with the measures within and without the Bill in the hope that they will be the start of a longer process of assessment and engagement with the wider market. I am grateful that Channel 4 will remain in public ownership, and hopeful that it will continue to deliver a unique contribution to the industry, as well as our screens, for years to come.
I know there was some concern over the initial drafting of clause 29, not because anyone disagrees with the principle of the duty, but because of a fear of unintended consequences if the clause did not take into account the primary functions of Channel 4 in looking to mirror the Companies Act 2006. Indeed, the new duty outlined in this Bill should largely only reinforce what Channel 4 is already doing. As such, it is right that the wording has been adjusted so that it directly references the primary functions of the channel, and is based on the well understood directors’ duties in the Companies Act 2006 while recognising the channel’s status as a statutory corporation rather than a limited company. Having spoken with Channel 4 since the new version of the Bill was published, I understand it is much happier with this drafting.
Clause 30 places C4C under a duty to facilitate fair competition for its commissions for broadcast and on- demand services; both Ofcom and Channel 4 are then given duties to report on C4C’s performance in adhering to that policy. As mentioned when we discussed the terms of trade regime in part 1, it is incredibly important to ensure that basic principles of fair competition are applied when public service broadcasters are commissioning work, so I am pleased that this clause will further enshrine good practice in legislation.
Perhaps I should start by saying the one thing we agree on is that Channel 4 has played a valuable role in the UK broadcasting ecology, and that we want that to continue. I do not always agree with everything I see on Channel 4—I suspect few in this room do—but it has a history of innovative programming that is of real benefit. As the hon. Member for Barnsley East says, it has been hugely important in supporting the independent production sector and creating jobs across the UK. I should say that “Married at First Sight” is made, in part, in my constituency of Maldon. I think that Channel 4 has just announced there is going to be a dedicated channel to “Married at First Sight”, although how much of a contribution to the public service broadcasting remit that will make is perhaps debateable. Nevertheless, Channel 4 has a wide range of diverse content.
The Government considered whether there should be a change of ownership because we want to make sure Channel 4 is in a strong position to thrive going forward. There is no doubt that the Channel 4 model is under pressure. It becomes particularly vulnerable when faced with an advertising downturn, as indeed we are seeing at the moment. To provide Channel 4 with greater support through diversification of its revenue streams, the Government have decided it is appropriate to remove the restriction to allow Channel 4 to make its own programmes.
Clauses 32 to 36 relate to S4C and enact the recommendations made in the “Building an S4C for the future” independent review. The clauses update S4C’s powers, public service remit, and audit and governance arrangements. They also adjust the approval arrangements for S4C’s commercial activities, and update the BBC’s responsibilities to support S4C in delivery of its public service remit.
Clause 32 amends the Communications Act 2003 to update S4C’s powers and public service remit. It removes the current geographical restriction on S4C’s powers, ensuring that it is able to provide services outside Wales, and confirms that it is allowed to provide digital or online services, as recommended by the independent review published in 2018. That will allow S4C to broaden its reach and offer its content on a range of new platforms in the UK and beyond, ensuring that it continues to play a vital role as a public service broadcaster and has a strong future delivering high-quality content for Welsh-speaking audiences in the UK and indeed around the world.
The clause also simplifies the framework of S4C’s functions, public service duties and public service remit currently set out in the Communications Act 2003, reflecting the new public service remit introduced for all public service broadcasters in part 1 of the Bill. In recognition of S4C’s position as the UK’s only dedicated Welsh-language broadcaster, the clause retains the requirement that a substantial proportion of S4C’s public service remit content must be in Welsh. However, to ensure that S4C is not unnecessarily limited in its ability to deliver for Welsh-speaking audiences, the clause confirms that S4C may also provide content that does not fulfil the public service remit alongside the content that does. That brings S4C’s powers into line with those of other public service broadcasters.
The clause also adjusts the approval arrangements for S4C’s commercial activities. It replaces the previous requirement for approval to be provided by way of an order in secondary legislation with the requirement for approval in writing. That will give S4C greater flexibility in responding to market developments, as was recommended by the independent review.
The Secretary of State will have the power to approve a range of activities by way of a general approval, or to approve a particular activity in a specific approval. Any other activities already being carried out by S4C are to be treated as approved at the point of commencement, whether or not they were previously approved by the Government, given that it would be impractical to pause them purely for the purposes of obtaining approval after commencement.
It is important that S4C is given commercial flexibility as recommended by the review. However, at the same time, as it is a PSB in receipt of significant public funding, it is also appropriate for the Secretary of State to be given the opportunity to consider the suitability of specific activities to ensure that they remain in line with S4C’s functions. The clause therefore specifies that S4C must obtain the Secretary of State’s approval in writing before providing any television programme service, or doing anything for a charge or with a view to making a profit.
It would be difficult to create an exhaustive list on the face of the Bill of approved activity for payment, or intended to make a profit, that S4C could undertake, because we cannot predict precisely what future commercial activity might constitute. The clause therefore allows the Secretary of State to determine which activities can be covered by a general approval and which would need specific approval, for example, on the basis of a financial threshold.
Clause 33 formally replaces S4C’s governance arrangements, currently set out in legislation, with a new unitary board that is composed of both executive and non-executive members. That is also in response to a recommendation made by the 2018 review, which recommended that the governance structure at the time, which was the S4C Authority, should be replaced with a new unitary board comprising executive and non-executive directors. That replaces the previous two-tier management structure, which the review concluded created uncertainty around responsibilities.
In response to the review, and with the support of the Government, S4C has already created a shadow unitary board that undertakes governance responsibilities, with provision in its standing orders for specific situations where the differences between the previous model and the unitary-board model have required a bespoke approach. The clause therefore places that arrangement on a statutory footing by establishing S4C’s new unitary board and confirming that the board has overall responsibility for S4C’s activities in pursuit of its powers and duties.
The clause makes further changes to the Broadcasting Act 1990 to create the unitary board, adding the requirement for non-executive and executive members in accordance with the principle of the unitary board, and confirms that, as now, the chair must be appointed by the Secretary of State, along with a specific number of non-executive members.
The rest of the clause is largely limited to updating existing legislation with references to non-executive and executive members.
Clause 34 amends S4C’s financial audit arrangements in schedule 6 to the Broadcasting Act 1990, so that the Comptroller and Auditor General is formally appointed in legislation as S4C’s external auditor, rather than S4C’s being able to choose its own auditor. Again, this is in response to a recommendation made by the review. The review recommended that the Government consider whether the audit arrangements were suitable, and the Government accepted the recommendation. Although the Comptroller and Auditor General has actually taken over the auditing of S4C’s accounts, the clause puts the arrangement on a statutory footing.
The clause also places requirements on S4C subsidiaries. It requires each S4C subsidiary to appoint the Comptroller and Auditor General as auditor unless the Comptroller and Auditor General agrees that the subsidiary may appoint a different auditor. The Comptroller and Auditor General may inspect the accounts of any S4C subsidiary regardless of the identity of the subsidiary’s auditor, and S4C must give the Secretary of State access to the accounts and related documents of an S4C subsidiary.
Clause 35 allows the BBC and S4C to come to an alternative arrangement on ways for the BBC to support S4C in delivery of the public service remit. Current legislation results in a fixed approach of requiring the BBC to provide at least 10 hours of programmes in Welsh to S4C per week. The clause amends the 1990 Act to allow the BBC and S4C to agree in writing an alternative arrangement to the BBC’s existing responsibility if it is mutually and commercially beneficial for both parties. That reflects the fact that the BBC may be able to provide to S4C other types of support that are more relevant to its functions and remit in the modern digital broadcasting age. That could include, for instance, the use of spectrum, specific services, rights, funding or content. This will better enable S4C to broadcast a wide range of high-quality content and serve Welsh-speaking audiences. The BBC will be required to publish the terms of an alternative agreement as soon as reasonably practicable. The BBC will be able to exclude from publication any information that it considers to be commercially sensitive.
The clause also removes references to S4C’s analogue television service and the requirement for Channel 4 to provide S4C with programme schedules and programmes to deliver that service. This simply reflects the fact that S4C’s analogue television service, which showed programmes in English from the Channel 4 service alongside Welsh language programmes when Channel 4 was not available in all parts of Wales, no longer exists.
Finally, clause 36 introduces schedule 4, which contains further amendments to the Broadcasting Act 1990, the Broadcasting Act 1996 and the Communications Act 2003 that are required as a consequence of the provisions in this part. The changes also reflect S4C’s new public service remit.
Taken together, these clauses reflect the Government’s recognition of the valuable contribution that S4C makes to the lives and wellbeing of Welsh speakers and learners. We remain committed to helping S4C to adapt to the changing media landscape and remain relevant as an independent and modern public service broadcaster in the UK. I urge that clauses 32 to 36 and schedule 4 stand part of the Bill.
The second chapter of part 3 of the Bill makes a number of changes to S4C, which I understand is largely very welcoming of the Bill and wants to see it passed, particularly in order to benefit from prominence measures and to become in scope of the listed events regime. These clauses are of crucial importance, but are not quite as immediately transformative as the changes made to C4C, as they largely provide a legislative basis for changes that have already started to roll out. Indeed, it was all the way back in 2018 that the “Building an S4C for the future” review made recommendations, which the Government accepted and which form the basis of the clauses.
Given the long wait for the new laws, S4C and DCMS agreed for many of the changes to be adopted early in the meantime. As such, although clause 32 introduces a new remit, S4C has already taken advantage of the changes within it, offering online and digital services and providing services outside Wales. This has allowed S4C to adapt to the changing landscape and broaden its reach and appeal beyond just those Welsh speakers situated in Wales. It is therefore welcome that the clause ensures that legislation reflects the new reality of how S4C can be accessed and delivered.
(11 months, 2 weeks ago)
Public Bill CommitteesI am pleased that we are making good progress in scrutinising the Bill, having reached part 4 on the regulation of on-demand services. We have spoken at length about the growth and popularity of on-demand services, so it may come as a surprise to some members of the public that the content on most of our video on-demand services is not regulated. We are all used to high standards, thanks to the high-quality content provided by PSBs, which we see when we turn on our television set, and the regulatory landscape that complements that content; but it is easy not to consider whether regulatory standards apply to content on demand. Indeed, the high standards set by our PSBs have played a big part in creating an atmosphere in which newer streaming services have had to provide content of the highest standards. They have to model best practice to compete with traditional television.
That has put us on a good footing, and the streaming services and on-demand providers I have spoken to actually welcome the regulatory clarity that a new regime will provide. Currently, if a complaint is received against a piece of on-demand content, the service that has provided that content has nowhere to point towards in handling that complaint, and does not have to prove compliance with a regulatory regime. Part 4 brings on-demand services under the scope of Ofcom, and gives it new responsibilities, including to follow a new on-demand code. It is a good thing for viewers and providers, who will benefit from consistent high standards in the on-demand space.
However, I have concerns regarding the proposed tiered approach to the framework. Clause 37 and schedule 5 both set out that only tier 1 services will be regulated under the new regime. The only real information we have about how tier 1 will be defined, however, is that it will be based on size, which is determined by audience figures, turnover and catalogues.
In many areas of the Bill, there has rightly been a desire to avoid being too prescriptive in the primary legislation in order to allow flexibility in the light of rapidly changing technological advances and viewer habits, but in the uncertainty and lack of detail about on-demand services has been troublesome for some providers. Netflix said in its submission to the Culture, Media and Sport Committee that without clarity on scope, there was no way for it to tell whether the scope will ultimately be discriminatory.
I know that there are good intentions behind taking what might be considered to be a proportionate approach that avoids placing new burdens on smaller video services that are trying to grow and compete with much larger services. However, the approach could create perverse incentives. One can imagine smaller services becoming averse to growing, for fear of meeting the regulatory threshold and having to contort their services to comply.
Putting all services on a level playing field will ensure that no service is deterred from competing with those at the very top, and no one at the bottom can feel that the situation is unfair, or that they are being unfairly given burdens that others are not. Further, everyone will be given an entire year’s grace period in which to become compliant; that will ensure that those who are less prepared can come up to speed.
Perhaps even more pressing than the impact of the tiered approach on providers, however, is the effect that it will have on viewers. As the CMS Committee highlighted, the Government said that part of their purpose in introducing the provisions was
“to protect audiences from the potential harm arising from the gaps in the existing regulatory framework”
and to
“ensure UK audiences receive a similar level of protection no matter how they watch television— whether it be live or on-demand.”
Clearly, requiring only the largest video-on-demand providers to abide by the new regulatory scheme would not achieve that aim. For the average viewer who does not invest their leisure time in understanding the nuances of a tier 1 service, a category in which I believe most of the general public will fall, how will such a person possibly be aware whether they are watching a regulated service?
To strive to create a consistent regulatory approach between broadcast and on-demand services, while simultaneously creating an inconsistency within the regulation for on-demand services, seems counterintuitive. Viewers deserve to have certainty over the level of protection they are being provided with. Put simply, I believe that the best way to meet that aim is for the new video-on-demand code, and the various other changes in this part of the Bill, to be applied universally across all video-on-demand services watched by UK audiences.
Such a move has been also recommended by everyone from the Culture, Media and Sport Committee and the Voice of the Listener & Viewer to Amazon and Netflix. Including all services would provide the harmonisation in regulatory approach that I believe the clause sets out to achieve. It would get rid of confusion for viewers and prevent any definition from being discriminatory or drawing what could have been a somewhat arbitrary line between services.
If the Government cannot accept my amendments, which would pave the way, I would be grateful if the Minister at least explained their current plans for the definition of tier 1 at this stage, and detail how they will work to create consistency in experience for viewers. I believe that we are on the same page about the importance of the new framework and what it could achieve, and I hope we can work constructively to ensure that it is the best it can be.
I welcome the hon. Lady’s general support for what the Government are trying to do by bringing video-on-demand services within the scope of regulation. We believe it is important for audiences to be appropriately protected when watching TV on demand. We will do that through what we see as a proportionate regulatory approach, which will ensure that all the mainstream streaming services that target UK audiences are subject to rules similar to the existing ones governing UK TV broadcasters.
Under the Bill, any UK on-demand service used by a PSB other than the BBC will automatically be designated as tier 1. Alongside that, other mainstream TV-like video-on-demand services will be designated after the Media Bill comes into force, following a review of the market by Ofcom. I can tell the hon. Lady that all the streaming services with which most people are familiar will certainly come under tier 1, but at this stage we cannot publish a list or the general categories to determine it because the market is rapidly evolving. Once again, as elsewhere in the Bill, we want to have a degree of flexibility and we believe that regulatory change needs to be proportionate and practical.
At the moment, more than 270 video-on-demand services are notified with Ofcom. Many of them simply do not provide TV-like content and nor are they widely accessible, so it is important to balance audience protection with freedom of expression, and to avoid placing unnecessary burdens on them. Consultations that have been conducted already tell us that extending tier 1 regulations to the smallest niche services, such as a football team’s on-demand service, could unfairly and unnecessarily penalise them with little or no benefit to audience protection.
My hon. Friend is right that there are different levels of service that require different amounts of monitoring and oversight. To my hon. Friend the Member for Warrington South, I would say that UK-based on-demand services are already required to abide by the on-demand programme service rules, which are less restrictive than the Ofcom regulations but control things such as hate speech and have basic protections for young audiences. It is appropriate that we determine the appropriate level of regulation on the basis of the audience and the size of the station. As I say, Parliament will be given further information that sets out the list or description of services at least five sitting days ahead of any regulation, so there will be transparency and oversight. For that reason, we do not feel it necessary to bring all the existing video-on-demand services within tier 1 at this time.
I am, of course, aware of the complexity of removing the tier 1 element from the Bill at this stage, and I acknowledge that agreeing to this set of amendments would create difficulties for the Bill more generally. I was aware of that when drafting the amendments, but I wanted to raise the issue that the Bill is perhaps not clear enough about—what the video-on-demand provisions will apply to and how audiences would receive the certainty they need. The Minister has alleviated some of those concerns today, so I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I completely agree. That is the point I am attempting to convey to the Committee: that we want to see everyday life reflected on television, and that obviously includes disabled people. What work is the Minister’s Department doing to open up opportunities for disabled people in the creative industries and to encourage better representation in the media?
As I have said before, if we to implement a new regime whose effects we really believe in, but that regime relies on Ofcom being a strong regulatory presence, Ofcom must be empowered to act with strength where that is needed; otherwise, the desired impact will not be realised. As such, I am happy with the powers set out in schedule 6, but what recent conversations has the Minister had with Ofcom about its capacity to carry out all the new duties bestowed upon it by the Bill? It is important to the integrity of the new regime for on-demand services, and to the Bill more widely, that there is confidence on all sides in Ofcom’s ability to enforce the new regulation.
Schedule 7 amends references to tier 1 services in the Representation of the People Act 1983, the Communications Act 2003, the Wireless Telegraphy Act 2006 and the Online Safety Act 2023. I will speak specifically about the amendments to the Broadcasting Act 1996, as those changes will have a more tangible impact. The changes in this schedule require Ofcom to create a tier 1 fairness and privacy code and to bring tier 1 services in line with Ofcom’s enforcement powers on breaches of the fairness and privacy code. Hopefully, that will protect members of the public from unwarranted infringements of privacy resulting from the activities of video-on-demand services, but some on-demand and streaming services, particularly Netflix, have raised concerns about the impact on their content and on Ofcom’s resources. They warn that, since the fairness and privacy code will enable complaints to be made from outside the UK, Ofcom could become something of a global policeman, and will have use its resources dealing with complaints from people who do not live in the UK but have failed to seek redress elsewhere.
That practice—complaint tourism—is of particular concern to Netflix in relation to its catalogue. It says it is aware of international complainants previously trying to use the UK regulator to get material removed. It appears from the pre-legislative scrutiny process that Ofcom does not share those concerns. Its approach seems to be that if harm is happening, or there is a risk of harm to UK audiences, it wants to know, regardless of whether a complaint is being raised by someone outside the UK. However, it would be reassuring if the Government and Ofcom worked together to monitor the extent to which the code requires Ofcom to manage a high volume of complaints from abroad, to ensure that genuine complaints can be handled appropriately and that complaints with malicious intent are not encouraged.
Overall, I hope it is clear that I am pleased that the on-demand services will finally be regulated. I look forward to hearing more from the Minister in response to my questions about the details.
As I said in my earlier remarks, we feel that the hon. Lady’s amendment in particular is unnecessary. Regarding the phrase “matters to be taken into account” by Ofcom in drawing up the list, those matters that are specified in the Bill are not exclusive; there is an ability to take other matters into account. The purpose of this measure is to set out the general regard for the principles that Ofcom is required to consider, so I do not think that this amendment would add anything to the existing position. For that reason, we do not support it.
I agree with the hon. Lady very much about the importance of accessibility. As she rightly said, that is something that the organisations representing disabled people have been campaigning on for a long time. Regarding the targets in the Bill, it is the hope and expectation that broadcasters will exceed the minimum targets wherever possible, but it is possible for the Secretary of State to increase the minimum targets at some future date.
Interestingly, the hon. Lady said that she does not want to add to the burden on smaller services. To some extent, that is exactly why the tier 1 provisions were put in place: so that the requirements are different for much smaller services, which would otherwise find them quite burdensome. As for her comments about Ofcom’s resource, it is certainly not the intention that Ofcom should become a sort of global policeman acting on behalf of anybody around the world who wants to make a complaint, particularly about content that is designed for global audiences. Some of the big streaming platforms commission programmes that are intended to be viewed right around the world, but Ofcom’s role is to protect UK consumers, and obviously it will need to take that into account in how it administers the code.
I am grateful to the hon. Lady for her support for the overall intention behind these measures. I am sorry that I cannot accept her amendment, but I think the Bill will deliver what she wants to see.
Question put and agreed to.
Clause 37 accordingly ordered to stand part of the Bill.
Schedules 5 to 7 agreed to.
Clause 38
Audience protection reviews
I beg to move amendment 30, in clause 38, page 78, line 25, at end insert—
“(e) information about where viewers can seek help if they have been affected by content.”
This amendment would add “signposting” measures to the audience protection measures which OFCOM must review under new section 368OB of the Communications Act 2003.
I am interested to hear that example. There will always be disagreement about what is suitable for children and what is not. Some parents will take a much stronger view on what is appropriate than others, who will think it part of the education. Ofcom has a lot of experience in this. I am not sure whether it was “A Christmas Carol”. I remember a good version that contained some quite graphic material, which perhaps was not in the original by Dickens. I think that was on the BBC, so it would have already been subject to Ofcom’s scrutiny.
Part of Ofcom’s overall objective, in determining whether a system of age rating is appropriate or viable, will be to make sure that it is in line with other systems, so that parents have a basic level of assurance, whatever they are watching and whatever system for determining age ratings is chosen by that provider.
Amendment 30, tabled by the hon. Member for Barnsley East, seeks to add information about where viewers can seek help, if they have been affected by content, to the list in new section 3680B of examples of audience protection measures. I completely agree that it is sometimes absolutely right that audiences be given a warning if they might suddenly encounter content that they were not expecting and which could be distressing. That already takes place across the broadcasting sector, and it is appropriate. However, the Bill already fully enables Ofcom to review or provide guidance on any such measures. The Bill purposely does not give an exhaustive list of measures that Ofcom can consider. As a result, it will enable Ofcom to take into account anything it considers to be appropriate. That can certainly include signposting.
The hon. Lady’s amendment 34 would impose requirements on Ofcom when it is assessing age ratings on VOD services. However, we feel that there is a danger that that might restrict innovation and impose extra requirements and costs on VOD providers that will not necessarily equate to increased protection. As I think I said on Second Reading, I am a great admirer of the work of the BBFC, with which I have worked for at least 30 years. Generally, it reaches very sensible decisions on what is deemed appropriate. It goes to great lengths to ensure that its ratings reflect the current standards of what the public views as appropriate for particular age ratings. My reluctance to support the hon. Lady’s amendment in this area is not in any way a reflection on or a criticism of the BBFC. The Government take the view that we do not think it appropriate to mandate the use of BBFC ratings at this time.
The important thing is that each channel should have a system of age ratings that delivers effective protection for young people. It is for Ofcom to assess whatever audience protection measures are put in place by that channel to ensure that they are effective and fit for purpose. We think that that is more effective than specifying any individual system. Ofcom will have the power it needs to provide guidance and to report and deal with any providers that it considers are not providing appropriate audience protections. For that reason, we feel that amendment 34 would put unnecessary restrictions on Ofcom and could preclude any new form of age ratings from entering the market. I am afraid that I am therefore unable to accept the hon. Lady’s amendments.
I appreciate the Minister’s comments. Although I do not fully agree with his explanation, I am quite happy to withdraw amendment 30.
I will not press amendment 34, but I will just clarify that although I think there is agreement across the Committee that we support and praise the work of the BBFC, my amendment was not specifically mandating BBFC ratings or the use of the BBFC, however well it does. My amendment set out three best practice criteria: recognition, transparency and consultation. It proposed that those three things be taken into account by Ofcom. Obviously the BBFC does that very well, and others might too. The distinction that we are making is that where those are not taken into account and the public cannot necessarily trust age verification ratings, where problems emerge. However, I have put my points on the record and I am happy not to press amendment 34.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 38 ordered to stand part of the Bill.
Clause 39
S4C: on-demand programme services
Question proposed, That the clause stand part of the Bill.
This is a very brief return to S4C, which we debated before our lunchtime break. All clause 39 will do is amend the Communications Act to update the regulation of S4C’s video-on-demand services to bring them into line with other UK on-demand services. It removes the red tape that currently means that Clic, the S4C on-demand service, is regulated not by Ofcom directly, but by S4C’s board, which could be fined by Ofcom if it contravened the basic requirements that other VOD services have to follow. The change will also mean that Clic will, in due course, be rightly regulated under Ofcom’s new VOD code. It will also have the accessibility requirements for subtitles, audio description and signing to support those with sight and hearing loss. I should add that the clause is also fully supported by S4C.
Clause 39 will make amendments to the Communications Act to update the regulation of S4C’s video-on-demand services, as the Minister has just outlined. I believe these to be largely technical changes to create consistency, and I therefore have no further comments.
Question put and agreed to.
Clause 39 accordingly ordered to stand part of the Bill.
Clause 40
Other amendments of Part 4A of the 2003 Act
Question proposed, That the clause stand part of the Bill.
Clause 40 introduces schedule 8, which contains minor amendments to part 4A of the Communications Act 2003, covering existing legislation for video-on-demand services. The changes will ensure that existing legislation will be updated where necessary to take into account the new regulatory regime for tier 1 services. These are simple, minor and technical amendments, which include updates to existing enforcement definitions to include the newly defined tier 1 non-UK services. Schedule 8 will also remove or amend old target-setting provisions on accessibility that are not needed after the addition of new, more robust accessibility requirements contained in schedule 5. I commend clause 40 and schedule 8 to the Committee.
I have no particular concerns to raise about the content of the changes. As the Minister said, they make minor amendments to part 4A of the Communications Act, and update requirements and definitions to reflect the changes made in this part, and in the media landscape more generally.
Question put and agreed to.
Clause 40 accordingly ordered to stand part of the Bill.
Schedule 8 agreed to.
Clause 41
Licensing of analogue radio services
Question proposed, That the clause stand part of the Bill.
We now turn to part 5 and the provisions affecting radio. Clause 41 is the first of seven clauses through which the Government are updating the legislative framework for the licensing and regulation of commercial radio. The intention behind the changes is to ensure that the regulatory structure continues to support investment by broadcasters in content and the long-term sustainability of the sector. They will also strengthen the protections for local news and information which are a fundamental part of radio’s public value.
To that end, clause 41 will make a number of changes to the Broadcasting Act 1990 to allow Ofcom greater flexibility when exercising its powers in relation to analogue radio licensing. Subsection (2) removes the current statutory requirement for Ofcom to provide for a diversity of analogue services. The requirement is no longer necessary, given the wide range of stations now available over digital. Subsection (3) gives Ofcom a new power to extend analogue licences in the event that a date is set for a digital switchover which postdates the expiry of any remaining licences. I commend the clause to the Committee.
I am pleased we have reached the stage of the Bill when we can discuss the importance of our radio services. There will be further opportunities to talk about protecting radio services in the digital age in part 6, but I would like to begin by acknowledging my support for radio. Indeed, as the digital radio and audio review recognised back in 2021, radio is a great British success story. Almost 90% of the population tune in to the radio each week, where they find trusted news, entertainment, music and cultural programming. It is important that these clauses look to protect the future of those services, from commercial to BBC to community radio, and ensure that people are able to enjoy them for years to come.
Despite the continued popularity of radio, however, the provision of services and listening habits have both changed significantly over the past few decades, particularly with regard to the decline of analogue radio. Since the launch of DAB, its popularity has grown and grown, resulting in 76% of listening to commercial radio now being on digital platforms. That trend has led to an estimate that analogue radio listening will account for just 12% to 14% of all radio listening by 2030. As a result, we must ensure no one who listens to analogue radio is prematurely excluded from accessing those services. As is the case with those who watch broadcast television, it is vital that we update our legislation to reflect the new realities in the sector.
The clause seeks to do just that by removing Ofcom’s duty to provide a range and diversity of national and local analogue radio services. Of course, is still important that a range and diversity of radio services are available. However, the rules applying specifically to analogue services were conceived when there was an inherently limited number of stations. Ensuring diversity within this small range of services was therefore sensible in order to cater for as many people’s needs as possible. Now that we are no longer limited to a small choice of analogue stations, there is an unprecedented range of radio services available. These truly do cater for everyone, covering genres from country to dance, and eras from the ’60s right through to the present day. Radiocentre confirms that these digital services will be unaffected by the changes in regulation, so this immense choice will remain available despite the changes in this Bill.
In that context, it seems appropriate to remove legal requirements on creating diversity in analogue services specifically. That is not to say that analogue services do not remain important; indeed, FM coverage is greater than DAB coverage, so it is vital to rural areas, particularly in Scotland. However, with the new and heavy regulatory responsibilities that Ofcom is taking on as a result of the Online Safety Act and this Bill, it is sensible that we alleviate outdated duties by recognising the bigger picture.
The clause will also make one other major change, following the commercial radio deregulation consultation in 2017. In the event of a digital switchover date being issued for radio, the clause allows Ofcom to extend for a short period any licences that are due to run out before that date, so that they can continue operating until the switchover date. It is my understanding that there is currently no nominated date for switchover. The digital radio and audio review has confirmed that FM spectrum will be needed for BBC, commercial and community analogue radio until at least 2030.
Should a date be announced in future, it makes sense that there be flexibility in licence arrangements to ensure that they can continue until any end date. Placing that flexibility in the Bill will hopefully save parliamentary time in the long run. The very fact that it was 2017 when the Government decided that that change would be made shows how rarely the opportunities come about to make legislative changes. However, although this measure will be sensible if the time comes, it is still very important for the timing to be right. It would therefore be good if the Minister outlined today the Department’s current thinking on the future of analogue radio beyond 2030. As has been mentioned, although we must take into account the dominance and range of DAB services provided, DAB is not available as widely as FM. The future of FM is still vital to people, particularly in rural areas.
As I did in speaking about broadcast television, I point to the Broadcast 2040+ campaign and its work to highlight the importance of preserving broadcast services despite the rise of online services; I was pleased to attend its event in Parliament. It is with that question on analogue radio’s future in mind, and with full support for the future of a diverse programme of radio services, that I would like to conclude.
I welcome the hon. Lady’s invitation to speak a little more broadly on radio in general. About 20 years ago, lots of people were saying that radio was in permanent decline. It was thought that the advent of things like podcasts and streaming services such as Spotify would mean that people slowly gave up listening to radio.
I am delighted that that has proved to be completely wrong. Actually, radio is going from strength to strength, particularly in the commercial radio sector, at which these clauses of the Bill are primarily aimed. It is doing very well, which is extremely welcome.
Similarly, about 20 years ago there was a great debate about when we should switch off analogue transmission as people moved to digital. The hon. Lady is right to say that the take-up of digital broadcasting has been considerable and continues to grow. We now have additional means of radio reception, such as via smart speakers or online, which we will debate when we consider later clauses of the Bill. There is a wealth of ways in which listeners can access radio, but I think analogue, rather like digital terrestrial television, will be around for some considerable time. I am afraid that I cannot give the hon. Lady a date by which we think we might switch off analogue, but it is not under consideration at the moment. Actually, I do not think that radio is particularly pressing for it in the way it was some time ago, for cost reasons.
If the hon. Member bears with me, I will give him the answer and the opportunity to perhaps vote for the amendment, too.
I want to raise the importance of local programming that is not also local news. Although I understand that there is a range of DAB services offering a whole host of programmes, it is a shame that there has not been some recognition of the value of non-news-related local programming among the changes, which dropped requirements on local spoken material and music. Again, as I spoke to in the debates on BBC local radio services, I hope that a range of the content continues to be delivered on local analogue services, as well as digital ones.
On the newly relaxed requirements on production, which mean that stations can provide local programming from studios outside the coverage of their area, I note that concerns were raised during the consultation process about the impact of that on local opportunities and routes in the industry, with production becoming concentrated in larger cities. Respondents said that a local presence can be important for listeners who want to feel connected to the content the station produces, so they might be less likely to engage with call-ins and competitions if they feel presenters and production are not based where they are.
I understand the need to carefully balance requirements on analogue services and to release undue burdens where possible, particularly given the changing landscape of listenership and the fact that there are no such localness requirements on DAB commercial services. However, I would still like to ask the Minister whether the Government have assessed the impact the requirement relaxations will have on listeners and local people, rather than just on the services themselves. It is important that communities and those who actually benefit from local radio services are taken into account.
Separate to the requirements on analogue services, the clause also provides the Government with the ability to introduce local news obligations on DAB radio services in the event that analogue services cease at some point in the future. It is my understanding that multiplex owners will be responsible for requiring that there is at least one digital local radio service that carries local news, rather than that being a direct obligation on the radio services themselves. Radiocentre, which represents the commercial radio sector, has said that it is sensible to introduce the powers to guarantee the provision of local news in the future. Indeed, I have already discussed how important local news is to local people.
Radiocentre has also shared that it is not entirely clear how that will work in practice. I would therefore be grateful if the Minister could explain, in the event of the power, how multiplexes would decide which service must carry local news. Furthermore, in the event that the chosen service stops doing so, or goes out of business, how would the obligation be transferred to another service? Lastly, how would all that be enforced between Ofcom and the multiplex owners? What conversations has the Minister had with both Ofcom and the multiplex owners, including Arqiva, to ensure readiness when the time comes? The preservation of local news is very important, and I look forward to hearing some clarity on how the new system could work.
Finally, I tabled amendment 31 on what counts as local news, which was raised by the Department for Culture, Media and Sport during the pre-legislative scrutiny process. Indeed, the Committee noted that in 2017 the Government promised to provide greater legislative clarity on what local news actually meant, and stated that it would enable Ofcom to produce guidance in the policy area. However, the issue was never fully resolved, leading to Ofcom calling for clearer guidance regarding its responsibility to enforce the provision of locally gathered news.
In its submission to the Committee, Ofcom said:
“We think it is important the Bill is clear what is intended by this new requirement.”
In response, although the Government said that they accepted
“the principle that the definition and enforcement of the obligations on local radio to provide locally-gathered news could be clearer”,
there was a lack of detail on how they would put this principle into practice, other than references to some technical changes on the face of the Bill. I would therefore be grateful if the Minister could talk us through the technical changes and how, or whether, they might be able to act as a replacement for full guidance on this issue. In the absence of such confirmation or detail in the Government’s response to the Select Committee report, I felt it important to raise the issue again. It seems like people from all parties in the House and, indeed, radio services and viewers alike can agree on the importance of local news and information, but if the new requirements on local news are not enforced properly, such unanimous agreement is futile. I look forward to hearing the Minister’s response.
Perhaps I should start by outlining the purpose of clause 44, which makes changes to section 314 of the Communications Act to reflect the evolution of the market and the findings of the Government’s 2017 consultation on commercial radio deregulation.
In particular, it is clear from that consultation, and the steps taken since by Ofcom to relax its definition of locally made programming, that the requirements in this area are too onerous and are constraining the industry from rationalising its production base. This is making it harder for stations to compete effectively against new online services, so the clause removes the requirement for Ofcom to secure that stations provide a certain amount of programming from a studio within their coverage area. However, it is the case that local news and information remain of great importance to listeners, and their provision remains central to radio’s public value. Commercial radio’s local news provision plays an important role in ensuring plurality in the sector. Stations will, then, be specifically required to provide news that has been gathered within the area to which they broadcast.
The provisions do not require stations to directly employ journalists to gather local news. A station could, for example, enter into a partnership with a newspaper agency or a freelance journalist who gathers news in the local area. We also taking powers to apply the requirements to DAB services if there is a future shortage of available local news. This could take a variety of forms—for example, Ofcom could be required to impose conditions in local radio multiplex licences that require the multiplex operator to carry at least one digital radio station that carries local news and information. Alternatively, the multiplex operator could be required to reserve capacity on the multiplex for a radio service that carries local news and information. At the moment, many existing digital radio services are simulcast versions of analogue stations that carry local news and information, so we do not consider that there is currently a need to consider in detail how the powers would be exercised.
Amendment 31 seeks to add a requirement for the Government to publish statutory guidance on the interpretation of the clause, including on the meaning of “local news”. Ofcom would then need to have regard to that guidance in developing its own guidance for holders of local sound broadcast licences on how they are able to meet the new local news and information requirements as set out in the Bill.
I would love to spend time debating the importance of local newspapers with the hon. Lady; it is a point on which I completely agree. I also share her concern about the disappearance of local newspapers in so many places, but that matter of concern is slightly outside this Bill. Nevertheless, she is right that it means that the remaining sources of local news become all the more important.
As she suggests, I would expect Ofcom to consult widely in local communities before it decides precisely how the guidance should work. We differ from the Opposition, however, in not thinking that it would be helpful to have two sets of guidance, one emanating from the Bill and the other from Ofcom. I think that would simply add to the complication and confusion, and we need Ofcom to be able to apply the new provisions across a wide range of stations with flexibility. The provisions, which include a requirement for at least some local news to be gathered locally, give a degree of clarification. I hope that on that basis, that the hon. Member for Barnsley East will withdraw her amendment.
I appreciate the Minister’s comments. My amendment was based on concerns put forward by Ofcom and the CMS Committee. The issue of, and debate around, local news is important. Further to the point made by my hon. Friend the Member for Luton North about consultation, although this debate is of course not about the BBC, we are all very familiar with its changes to local radio, which were made without any local consultation. Further to the point made by the hon. Member for Aylesbury, the listeners from Barnsley who used to tune into BBC Radio Sheffield are now listening to programming for the entirety of Yorkshire. Obviously, that is a parallel issue not connected to this, but having local people involved in these decisions is really important. I hope that Ofcom is genuinely satisfied with the Minister’s comments, and I beg to ask leave to withdraw my amendment accordingly.
Amendment, by leave, withdrawn.
Clause 44 ordered to stand part of the Bill.
Clause 45
Financial assistance for radio
Question proposed, That the clause stand part of the Bill.
The clause amends section 359 of the Communications Act 2003 to give the Secretary of State the power to provide financial assistance for, or in connection with, the provision of community radio, commercial radio services and audio production. It is a technical amendment.
The covid-19 pandemic provided an illustration of circumstances in which the Government may need to make grants directly to radio stations, potentially on an urgent basis. In particular, during the pandemic the Government relied on the funding powers found in section 70 of the Charities Act 1993 and common law powers, in conjunction with section 86 of the Coronavirus Act 2020, to provide funding in relation to various radio services. However, relying on provisions such as section 70 of the Charities Act and common law powers is not always straightforward; it requires a considerable amount of legal and policy analysis to establish whether the relevant power is available for the need identified.
The purpose of the clause is therefore to make it explicit that radio stations and audio producers, whether their content is for on-demand or broadcast access, as well as those who facilitate the transmission of radio and audio content, can benefit from potential future grant schemes. I commend the clause to the Committee.
As I have spoken at length about my support for radio services, it will come as no surprise that I welcome the power for the Secretary of State to give financial assistance for the provision of such services. The measure is welcomed by AudioUK and Radiocentre, which ran a successful three-year pilot of the audio content fund. I understand that that came to an end, having previously been funded through the TV licence fee, but I hope that the measure will make it easier for the Department to support like-minded projects directly in future, where needed.
Does the Department have any plans to use the provisions? If so, how? The answer to that question is of interest not just to those who seek to benefit from this new opportunity, but to those benefiting from other funding pots. Indeed, the UK Community Radio Network has shared with me its concern that the commitment would be delivered off the back of funding currently allocated to the community radio fund. The UK Community Radio Network says that opening up the fund to more broadcasters could have negative consequences for the sector. Will the Minister clarify whether the aim of the clause is to expand the community radio fund?
Many colleagues spoke in support of local TV on Second Reading. Local TV forms a vital part of the wider television ecology and makes a great contribution to communities up and down the country. The Local TV Network has also been in touch with me to share that, although it is not seeking financial assistance, it would have liked a similar clause for local television to have enabled an increase in local programming or expansion of geographic coverage. Did the Department consider such a clause during the development of the Bill? It would be good to hear the Minister’s response, particularly given that the Bill does not give local TV the same prominence benefits as our public service broadcasters.
The hon. Lady raises a number of issues. I remain a great supporter of the audio content fund, which was created when I was first in the Department and responsible for the renewal of the BBC charter. Of course, the audio content fund, along with the young audiences content fund, was funded for a time through licence fee money. It did a good job, but at the moment there is no plan to resurrect it. I remain a great supporter of community radio, and certainly there are no plans to raid the community radio fund for that purpose either. The clause creates a general power that will make it much simpler for us to provide grants directly to radio stations or for the transmission of radio, but I regret that at the moment there is no immediate prospect of doing so.
The hon. Lady touched on local television. I met local TV representatives yesterday. The Government will shortly announce the result of the consultation on the renewal of licences for local TV. I remain supportive of local TV. We continue to discuss issues around prominence with local TV representatives. Again, I am afraid that there is no current likelihood of our being able to provide financial assistance.
Question put and agreed to.
Clause 45 accordingly ordered to stand part of the Bill.
Clause 46
Licensing of non-UK digital sound programme services
Question proposed, That the clause stand part of the Bill.
The clause allows the Secretary of State, by regulation, to specify a country in which international digital radio services can come under Ofcom’s regulation and be broadcast in the UK, as the Minister outlined. I understand, as he said, that this was done with the intention of specifying Ireland as a qualifying country first, so that Irish radio services can apply for digital licences for broadcast in the UK. When this issue was consulted on back in 2017, the majority of respondents were in favour of allowing this, particularly in the case of Ireland; the station RTÉ was identified as long having been important to members of the Irish community living in the UK.
While there must always be careful consideration of the spectrum available and the need to ensure a diversity of UK-based services, I see no reason why selected non-UK stations of particular importance to those living in the UK cannot complement UK services. Indeed, these non-UK services may be uniquely placed to attract new audiences to radio and subsequently advertisers and sponsors. It is due to those same concerns about prioritising UK services, however, that it seems the Government have opted to take a gradual approach to the change, allowing the Secretary of State to specify one country at a time, rather than opening things up more broadly. This gradual approach has perhaps been even more gradual than expected, given the five-year gap between consultation and the Bill.
Could the Minister share with us whether the Department has any intention of specifying countries other than Ireland under the clause? For example, does the Secretary of State intend to extend this arrangement to any other station’s licence, in the EU or beyond? I am pleased to support the clause, but I am keen to hear an update on whether there are plans to actually use it.
The hon. Lady is right that, at the moment, the demand is primarily from Ireland. If there were to be significant demand from other countries, this would need to be reviewed in the context of views from industry and advice from Ofcom. The regulations would then be in the form of an affirmative order, which would need to be laid before the House, but there is no current intention of doing that.
Question put and agreed to.
Clause 46 accordingly ordered to stand part of the Bill.
Clause 47
Radio multiplex licences
Question proposed, That the clause stand part of the Bill.
This clause updates provisions in the Broadcasting Act 1996 to remove Ofcom’s function of overseeing the line-ups of national and local radio multiplexes, in light of the Government’s 2017 consultation on commercial radio deregulation and the responses to it. As long as applicants for a multiplex licence can demonstrate that they are able to provide a sustainable service with sufficient geographic coverage, and that they will enable fair and effective competition, they will otherwise be free to decide the number and nature of the radio stations they carry. This change reflects the availability of a wide range of stations across the UK, and will allow for simpler arrangements between multiplex operators and Ofcom.
Clause 47 continues the deregulation of requirements on radio, this time simplifying radio multiplex licence applications. In effect, this means that Ofcom will no longer have to oversee the line-up of national and local radio multiplexes, other than by ensuring that there is regard for sustainability and competition. Again, when this was consulted on in 2017, most respondents agreed that there was no longer a need for Ofcom to oversee station line-ups on multiplexes and approve changes. As I have said multiple times, the need to oversee the content and diversity of radio services has decreased significantly since the introduction of a vast range of digital services. I believe this relaxation of requirements, therefore, should not have any negative effects on the range of services available for audiences in the UK, with their different tastes, needs and preferences.
As we come to the end of our consideration of the provisions on regulation of radio services, I reiterate my support for radio services, which provide so much to audiences. I am pleased that this package of long-awaited changes will finally be implemented, and I hope that the future of radio is protected for years to come. That hopefully leads us nicely to the next part of the Bill, which we will debate next week.
Question put and agreed to.
Clause 47 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Mike Wood.)
(11 months, 3 weeks ago)
Public Bill CommitteesI welcome you to the Chair, Mrs Cummins. Clause 3 amends section 265 of the Communications Act 2003 to update public service remits of licensed public service channels to make clear that the high-quality and diverse programmes they make available must themselves contribute to the public service remit and together represent an adequate contribution. In line with the changes made by clause 1, it allows licensed public service channels to fulfil their remits by using a wider range of services.
Government amendment 1 ensures that when a public service broadcaster is required to fulfil the public service remit for a given channel, and that remit is to make available content, then it is the public service broadcaster that should be making that content available, either themselves or through others. That point of detail was arguably included in the Bill at its introduction, but we felt it necessary to bring forward the amendment in order to put this matter beyond doubt. It is a technical amendment, and I hope the Committee can support it.
I too welcome you to the Chair this afternoon, Mrs Cummins. As well as the remit covering all the public service broadcasters, there also exist separate remits covering the activity and content of each individual channel. The channel remits are important, as they ensure that the specific aims of each channel are clear in the context of the wider contribution these channels must make as a whole.
Section 265 of the Communications Act 2003 sets out the specific remit for channel 3, Channel 4 and Channel 5. As will become the theme in coming clauses, only channel 3, Channel 4 and Channel 5 are dealt with by this clause, with many of the same changes to the BBC and S4C made later on in the Bill due to their differing arrangements. In any case, section 265 ensures that channel 3 and Channel 5 must provide a range of high-quality and diverse programming. Meanwhile, Channel 4 has an extended remit that requires its programming to: be innovative, creative, experimental and distinctive; appeal to the tastes and interests of cultural diversity; include a significant contribution to meeting the need for education programmes; and exhibit a distinctive character.
The clause amends section 265 to update the remits. First, it makes clear that the high-quality and diverse programmes they make available must themselves make an adequate contribution to the wider public service remit. This is sensible, as it makes it explicitly clear how the individual channels will feed into the broader remit. Secondly, the clause allows public service broadcasters to fulfil their channel remits by means of any audio-visual service, echoing changes made in clause 1 that allow for on-demand programming to count toward the wider remit.
While I believe it is important we see public service programming on linear services protected, it makes sense that as on-demand viewership increases, channel remits should be given the same flexibility as was provided for the wider remit in clause 1. I therefore welcome the clause and the clarification it provides for each channel and the consistency it ensures for the new public service remit as a whole. I understand that amendment 1 is largely a technical clarification that specifies that audio-visual content contributing to a channel remit must be content made available by the provider of that channel. This seems to be a very sensible tidying up of phrasing.
Amendment 1 agreed to.
Clause 3, as amended, ordered to stand part of the Bill.
Clause 4
Statements of programme policy
Question proposed, That the clause stand part of the Bill.
Section 266 of the Communications Act 2003 puts a duty on Ofcom to require providers of licensed public service channels to prepare statements of their programme policies that set out how they intend to fulfil their individual channel remits. Currently, these statements must only be prepared in relation to the content provided by public service broadcasters on their traditional TV channels. Clause 4 amends section 266 of the 2003 Act. It expands these statements to reflect that the fulfilment of the public service remit could now include, as set out in clause 1, content delivered by on-demand services.
Going forward, the providers of licensed public service channels—channels 3, 4 and 5—must set out in their statement the services they are using to contribute to the fulfilment of the public service remit and explain how each service is contributing. The publication of these statements is important to allow proper scrutiny of our public service broadcasters.
Clause 5 of the Bill, which is grouped with clause 4, amends section 267 of the 2003 Act to update the definition of “a significant change”, so that it would apply if any of the services that a licensed public service broadcaster is using to deliver its remit—not just the main channel, as before—were to become “materially different in character”. For example, this will include on-demand services as well as the traditional TV channels. And like the previous clause, clause 5 will ensure that these statements continue to allow scrutiny of all the ways that the public service remit is fulfilled.
Clause 4 amends requirements on channels 3, 4 and 5 to report on how they intend to fulfil their channel remit. Indeed, due to clause 3, these channels will now be able to meet this remit using qualifying audio-visual services, including both linear and on-demand programmes.
As a result, licensed PSBs will now have to set out in their statement of programme policy which audio-visual services they use to fulfil their channel remit, as well as the contributions that each service will make. This is a necessary change to ensure that reporting standards, and as a result the standards of public service TV, do not slip or falter as a result of the changes made by clause 3.
However, making this change will also be beneficial, as it will help Ofcom to build a clear picture of how the new rules are being used and whether they are working effectively to serve both linear and on-demand audiences. Therefore, as a result of both the necessity for and benefit of clause 4, I am happy to welcome it.
Similarly, clause 5 makes further updates to the reporting requirements on channels 3, 4 and 5. Currently, public service broadcasters must make changes to their statement of programme policy if their public service channel makes “a significant change”. “A significant change” is defined in the 2003 Act as the channel becoming
“materially different in character from in previous years.”
To reflect the new rules, which will mean channel remits can be met by services beyond the public service channel, clause 5 updates the definition of “a significant change”, so that it will apply if any of the services that a licensed public service broadcaster is using to deliver its remit becomes “materially different in character”.
Widening the scope of the 2003 Act to include more than just the public service channel is sensible and necessary in relation to the changes made in clause 3 and, as such, I welcome the inclusion of clause 5 in the Bill.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5 ordered to stand part of the Bill.
Clause 6
Enforcement of public service remits
We are about to debate the fact that individual channels will be subject to some quotas. There are also the statements of programme policy that Ofcom will be required to approve. Having said that, Ofcom will reach a judgment on delivery of the remit, looking across the broad extent of public service broadcasting. Ofcom will be able to make it clear if it thinks a particular genre has not been sufficiently provided either by an individual public service broadcaster or, indeed, across the whole range of public service content. It will be for Ofcom to determine that, but I believe the Bill gives it that ability.
Throughout the Bill, we are giving more powers and responsibility to Ofcom. The amendment speaks to the idea that prevention is better than cure. I do not agree with the Minister’s interpretation; indeed, the Select Committee spoke of the matter and the amendment echoes that. However, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 6 ordered to stand part of the Bill.
Clause 7 ordered to stand part of the Bill.
Clause 8
Quotas: independent productions
Question proposed, That the clause stand part of the Bill.
Clauses 8 to 17 make amendments to the current system of quotas, which I will discuss in this group and the next.
Quotas are an important tool to ensure that public service broadcasters produce an appropriate range of content. Unlike the public service remit, which is judged by Ofcom in regard to the PSBs as a whole, quotas allow Ofcom to put licence conditions on specific public service broadcasters to ensure that they make available certain types of content. That is how we can ensure an appropriate balance of key types of content, such as news and current affairs, independently produced content and original content. It is worth stressing that such requirements are floors, not ceilings, and that PSBs routinely exceed them, often by a considerable margin.
Section 277 of the Communications Act sets out a minimum proportion of broadcast hours that must be independent productions. It is set at 25% for each of the licensed public service channels. Clause 8 amends this to change the way in which the provider of a licensed channel may deliver the independent production quota. In particular, subsection (2) replaces the existing requirement on the
“provider of a licensed public service channel”
to allocate time on the channel to the broadcasting of a
“range and diversity of independent productions”.
Together with clauses 11 and 12, it will allow the requirements to be fulfilled using a public service broadcaster’s designated on-demand programme services to better reflect modern viewing habits.
The subsection also replaces references to a proportion of hours that the provider of licensed public service channels must make available, with reference to a number of hours. The number of hours that each licensed public service channel must include is to be specified by the order of the Secretary of State. Given that this requirement can now be met using on-demand services, it is more appropriate to use the number of hours of content made available as a measurement rather than the proportion of hours.
Subsections (5), (7) and (9) make comparable provision in relation to expenditure quotas for independent productions that the Secretary of State may establish. In setting the new hours-based quota, the intention is for them to be no more or less demanding than the existing 25% quota. We therefore intend to calculate the effective level of the quota over the last five years and replicate that. Of course, in Channel 4’s case, which we will come to later, that will be revised upward to the equivalent of 35% should Channel 4 decide to start a production business.
We believe that the consequence of that provision represents proportionate and reasonable requirements on our public service broadcasters. Of course, it is open to PSBs to go further and exceed their independent production quotas as they do now. Clause 9 makes similar amendments to section 278 of the Communications Act, which provides that a minimum proportion of broadcasting hours must be allocated to original productions. The proportion for each licensed public service channel, as well as the proportion in peak viewing times, is determined by Ofcom. As with clause 8, this clause ensures that the provider of the licensed public service channel can fulfil the quota using their designated on-demand services. That change is achieved by replacing the requirement to allocate time on the channel to the broadcasting of original productions with a more general requirement. Again, it makes provision for this to be measured by duration rather than as a proportion of broadcast hours as it is currently.
Clause 14 relates to the quotas for making programmes outside of London. The Communications Act currently provides that a minimum proportion of programmes made in the United Kingdom have to be made outside the M25 area. Similarly comparable provision is made in respect of expenditure. We debated this earlier, particularly in relation to the effect on production in Scotland and in Wales. Similarly, clause 14, read with the previous clauses, amends the Communications Act to preserve the substance of the provision, but it changes the way in which the provider may deliver their regional production quotas. In similar fashion, it again makes the change to measure the quota in terms of duration, rather than proportion of hours.
Together, these changes modernise our system to reflect the change that has occurred in audience viewing habits over the past 20 years, and ensure that it will continue to be meaningful and delivering value.
Clauses 8, 9 and 14 change the way in which licensed public service channels may deliver their independent production, original production and regional production quotas respectively. In short, they will first be changed to allow qualifying audio-visual services to fulfil this quota, meaning that on-demand and online services can make a contribution. That is the case with both the channel and the wider remit.
As a consequence of this move, the quotas are moving away from having to fill a certain proportion or percentage of content towards being based on a set number of hours of content and spend to be specified by the Secretary of State. I will look at each of these changes in turn, but first I want to emphasise how important the quotas themselves are, because they maximise the contribution our PSBs make to the wider broadcasting sector. For example, as the Minister just outlined, the requirement to have a number of programmes made outside the M25 area recognises the importance of reinvigorating our creative economy beyond simply the south-east. At the moment, our creative economy is densely concentrated in London, resulting in limited opportunities and entry points in the sector in other regions, including my constituency of Barnsley East. Yet, wherever we look in the UK, there is no shortage of culture and creativity. I am very supportive of the modernising and future-proofing of quotas, like those on content outside the M25, so that steps continue to be taken across the broadcasting industry to make use of the creativity that exists in every corner of the country.
Clause 18 inserts two new sections into the Communications Act to ensure that Ofcom has the powers to gather the information which it needs to regulate this part of the Bill effectively. Proposed new section 338A of the Communications Act will give Ofcom the power to issue information notices to request any information which it needs to carry out its functions under sections 198B to 198D, sections 263 to 294, schedule 11 and certain provisions in schedule 12 of the 2003 Act. It includes its functions and duties to regulate the public service remit, quotas and licence conditions. An information notice will compel the recipient to provide Ofcom with the information specified in the notice, including where such information must first be obtained or generated by the party. An information notice may be served on a PSB other than the BBC or, where necessary, a third party, but only where proportionate. Proposed new section 338A(7) clarifies that the power to require the provision of information includes the
“power to require the provision of information held outside the United Kingdom.”
Clause 18 also introduces proposed new section 338B of the Communications Act, which will allow Ofcom to take enforcement action against any party that does not comply with an information notice under proposed new section 338A. After allowing the person to make representations, Ofcom may issue a penalty notice imposing a financial penalty. This penalty in respect of an information notice cannot exceed £250,000. In the case of a continuing failure to comply with a notice, a penalty notice may also require a penalty of an amount not exceeding £500 per day for each day the failure continues after the penalty notice is issued. I commend the clause to the Committee.
During discussion of clause 6, I mentioned that, as a result of the changes in the Bill, it will be increasingly important for Ofcom to be able to step in where there is a risk of public service broadcasters failing to fulfil their remit and quotas. I am therefore supportive of this clause, as it gives Ofcom the power to issue information notices and financial penalties to public service broadcasters in respect of breaches in the fulfilment of their duties. Although I have confidence in the willingness of our excellent public service broadcasters to carry out their remits and quotas, it is important that Ofcom is able to ensure that and provide a backstop where necessary.
I will say this more than once: the Bill really does rely on a strong and empowered Ofcom. It is with that in mind that I believe the powers to find out further information and impose penalties where necessary are proportionate and important tools that will enable the regulator to do its job. I therefore welcome the clause.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19
Amount of financial penalties: qualifying revenue
Question proposed, That the clause stand part of the Bill.
Clause 19 addresses the calculation of financial penalties in respect of channels 3, 4 and 5. By way of context, the Broadcasting Act 1990 and schedule 9 to the Communications Act 2003 relate to the financial penalties that Ofcom may impose on the provider of a licensed public service channel in certain circumstances. In each case, the maximum penalty that Ofcom may impose is set by reference to the qualifying revenue of the provider or, in the case of section 18, whichever is greater—that or £500,000. Having maximum penalties in reference to revenue helps to ensure that penalties strike an appropriate balance between being dissuasive and proportionate. That link is important in accounting for the differences in size and revenue of different public service broadcasters.
The clause inserts proposed new section 18A of the Broadcasting Act 1990, which will amend the existing definition of the qualifying revenue of the provider of a licensed public service channel specifically in relation to financial penalties. The new definition includes revenues from both the licensed public service channel and certain services included in any designated internet programme service provided by that provider. As part 1 of the Bill will expand the ways in which PSBs can fulfil their remit and meet their quotas, it is only right that should a PSB not complete their responsibilities, the revenue of the internet programme services that they provide and which benefit from prominence should be taken into account. That is the purpose of the clause, which I commend to the Committee.
The clause amends the definition of “qualifying revenue” where it is used as a reference measure to help set the maximum penalty Ofcom can impose on public service broadcasters. The change will see the revenue a PSB gains by providing on-demand and online services included alongside the revenue that it gets from its public service channel when making the calculation. Given that online and on-demand content can now count towards quotas and remits, it makes sense that the revenue from such content should be considered when determining maximum fines. I am therefore happy to support the clause.
Question put and agreed to.
Clause 19 accordingly ordered to stand part of the Bill.
Clause 20
Categories of relevant service
Question proposed, That the clause stand part of the Bill.
This part of the Bill relates to the listed events regime, which seeks to strike a balance, so that broadcasts of key sporting events are widely available and free to air, while sports rights holders are able to use the income that they generate from rights to invest in their sport. Clause 20 updates the listed events regime to make qualification for the regime a PSB-specific benefit, reserved for PSB services that are free of charge. This change was first recommended by Ofcom in its “Small Screen: Big Debate” report in 2021.
The change we are proposing recognises both the practical difficulties around the current audience reach-based approach and the fact that our PSBs play a key role in distributing content that is of interest to British audiences. The current qualifying criteria stipulate that a qualifying service must be free and received by 95% of the UK population. In a changing market, in which audiences can use a range of technologies to access content, we need to ensure that the qualifying criteria are both appropriate and future-proofed.
The clause also closes the streamer loophole; it brings into the regime TV-like service providers that are not based in the UK but intend to show live coverage of listed events to UK audiences. The change recognises that audiences have increased access to content provided by global providers. If we did not bring these providers into scope, there is a risk that the contents of live listed events could be purchased via a streaming service and put behind a paywall, without the provider adhering to the rules of the regime.
The PSB services that will qualify are those that are free and genuinely used by PSBs to fulfil remit. Those are either the PSB licensed channels or the internet programme services that have been designated by Ofcom for prominence. It is important to note that changes to the regime do not preclude non-PSBs from bidding for rights. The regime does not guarantee that an event will be broadcast live or on a free-to-air channel. Rights holders are not required to sell live rights, and broadcasters are not obliged to purchase them or to show events. The legislation sets out that where live rights to a listed event are sold, they must be offered to both PSBs and non-qualifying services. That ensures that the right balance is struck between audiences being able to watch coverage of our major national sporting events, and rights holders and broadcasters having the commercial freedom to negotiate deals in their interest, so that they can reinvest in elite and grassroots sport.
The listed events regime is a vital scheme that allows for major sporting events of national importance to be broadcast on free-to-air channels. Its success since its introduction decades ago has been outstanding. Almost everyone in this room and across the country will have a fond memory of watching a listed event, whether that be watching Mo Farah cross the finish line at the London Olympics in 2012 or seeing Andy Murray win at Wimbledon.
These major occasions bring our country together, and unite us in victory and loss, but the benefit does not end after the programme has finished. An event being televised can be a catalyst for the nationwide success of a sport. The final of the women’s Euros, for example, was watched by more than 17 million people. As a result, the number of women and girls participating in grassroots football has no doubt increased, and attendance at women’s league events has reached a record high, generating further revenue for reinvestment in the sport. Televised sporting events are also a big boost for our hospitality businesses, allowing people to watch major matches together in pubs, bars and restaurants, no matter where they are in the country. With that in mind, it is right that we do all we can to preserve the listed events regime and ensure that important sporting events are available to watch as widely as possible.
An event’s being listed does not guarantee that it will be broadcast live or on a free-to-air channel, but if rights are made available to qualifying services, there is the best chance of the event being seen by as many people as possible. The definition of a qualified service is a broadcast channel that is received by 95% of the population and is free to air. I have spoken many times about the importance of ensuring that there is sufficient content available on linear television. Over the coming years, we must anticipate that viewing on a range of devices will increase. A listed events regime based on broadcast audience reach is therefore no longer fit for purpose because, as Channel 4 notes in its submission to the Culture, Media and Sport Committee, there is a risk of some PSBs falling out of the regime altogether in future. It is welcome, therefore, that the clause amends the scope of the listed events regime, so that it is a PSB-specific benefit. That ensures that no one drops out of the regime. It also allows channels such as S4C— a PSB that does not reach 95% of the UK—to be included.
I am also pleased that the clause looks to end the streaming loophole, which has caused widespread concern. Until now, the listed events regime has applied only to television programme providers, meaning those who hold Ofcom broadcast licences, plus the BBC and S4C. The draft Media Bill proposed extending the regime to include “internet programme services”, but that failed to capture unregulated online services such as livestreams. Theoretically, those services could buy the rights to a listed event and put it behind a paywall, and so undermine the regime. It is welcome that the new version of the Bill creates a new definition of services that fall within the scope of the regime, so that TV-like services providing live content to UK audiences via the internet are captured.
The likes of the BBC and ITV had concerns about the effectiveness of some of the other options on the table for shutting the loophole, such as extending regulation of electronic programme guides. What assurances has the Minister received, this time round, that the clause will close the loophole once and for all? If we can be confident that it is the solution, I will be more than happy to support the clause.
Given the effort that Ministers have put into future-proofing the integrity of the listed events regime when it comes to the streaming loophole, it is extremely disappointing that there has been no attempt to include digital rights in the Bill. It seems quite straightforward: if we want to ensure that sporting events of national importance are available for people to view for free in years to come, the regime should be extended to reflect the new ways that people consume content, including online.
Again, as Channel 4 highlights in its submission to the Culture, Media and Sport Committee, in recent years, its content on social media platforms, such as YouTube and TikTok, has generated a
“record number of hits for highlights and digital clips of live sport.”
Last year, Channel 4’s sport content on YouTube drew 16.8 million viewers globally and 8.2 million viewers in the UK. Those figures were driven mostly by Nations League and Formula 1 coverage, and were up 430% on the year before. That type of content seems to be catering to a growing younger audience: more than a quarter of the Channel 4 Corporation’s sport content on YouTube is viewed by 13 to 24-year-olds in the UK. However, this is not just about putting content where it is likely to be viewed in years to come. It is about ensuring the integrity of the regime.
As significant sporting events are often global competitions, they may take place in various time zones, including when it is night-time in the UK. In such situations, the live broadcast of the event may be of limited value to UK citizens, who will be asleep during the event. However, the next day, digital and on-demand clips could be immensely popular, as they would allow UK audiences to experience the moments they missed. As the BBC highlights, when Charlotte Worthington won gold at Tokyo in 2020, just 400,000 people were able to watch that in the middle of the night, but in the days that followed, different forms of short-form coverage of the event gathered more than 3.4 million views. If the BBC does not have access to those digital and on-demand rights, which will likely be the case in the future if there is no change to the regime, such national moments of pride could become restricted and hidden behind paywalls. That would go against the entire objective of the listed events regime. I know the Government recognise that, because they are conducting a review of digital rights, but we have had no updates on the progress of the review, and it is unclear how its recommendations will be implemented, if not through this Bill.
However, I understand her point. As the hon. Member for Arfon highlighted, under clause 20, the right to listed events that are broadcast free to air must be extended to public service broadcasters, so in future, that will include S4C. I am grateful for the support that the hon. Member for Barnsley East expressed for the closure of the streaming loophole; we think that the Bill will close that, and therefore preserve the ability to watch live broadcasts of listed events.
As more and more people access digital broadcasting, digital rights are clearly something that we will need to consider. That is why we are undertaking the digital rights review. I note that the review was a recommendation of the Culture, Media and Sport Committee, so we recognise that there is quite a lot of interest and support for it. It is important that we get this right. As I was saying, the listed events regime is about balancing the ability of a large number of people to watch iconic sporting events free to air, and the ability of rights holders to raise revenue from the sale of rights—revenue that can obviously be invested back into the sport. Striking that balance has always been the difficulty with the listed events regime. If the regime is to be extended in this way, we want to get it right.
New clause 2, tabled by the hon. Member for Barnsley East, does give quite a broad power, which could lead to uncertainty for broadcasters and rights holders when they are negotiating deals, given that at the moment we have not spelled out how and whether we would extend the regime to digital rights. That is actively under consideration.
I appreciate the points that the Minister makes, and I am not against them, but would he enlighten the Committee on how the recommendations made in the review will be put into action and into law, if not through this Media Bill?
I cannot guarantee that there will be a successor media Bill immediately. Equally, although it was suggested that media Bills only come around every 20 years, I hope that we would not have to wait that long. As I say, at this stage, we are concerned with getting this absolutely right, and I have no doubt that we will continue to debate the issue. I hope that we can publish the results of the review very soon, but at this stage, we cannot accept new clause 2.
I will start by discussing new clause 8. Once again, I reiterate my support for the listed events regime, which connects communities across the UK in experiencing moments of national sporting importance by prioritising rights for free to air channels, soon to be PSBs. In the following debates, I will also go on to speak about how any expansion of the regime requires consideration. In particular, that is due to the need to balance the benefits of investment in the relevant sport, gained through the funds gathered by financial television deals, and the desire for people to see events in that sport free to air.
I understand where the new clause is coming from in this respect, as it looks to recognise that balance and tip it in favour of making more events available on the regime, with the financial losses compensated by a new Government fund. I recognise also that a good attempt has been made to keep proportionality in mind, given that organisations with a turnover of more than £50 million per year are excluded from being entitled to anything from the proposed fund. However, I fear that there may be a few perverse incentives built into new clause 8.
First, if the Government anticipate that they will be responsible for making up for the financial distress of a sport on the listed events regime, that could disincentivise placing such a sport in the regime at all. Further, for the sports themselves, there may be a disincentive to grow beyond a turnover of £50 million, should that mean their Government support is taken away. I am not sure this is best for the health of the regime, or indeed for the sports, as a result. I believe also that the fiscal implications of this new clause more generally need to be analysed before they are committed to.
I would be interested to hear from the Minister, however, what he believes the best way forward is in terms of promoting sports and making them available to the public, while securing the investment needed to secure the future of such sports. It is worth exploring how we strike this balance, and I commend the new clause for bringing the issue at hand to the forefront for discussion as part of the passage of the Bill.
I will briefly address clause 21 as well. The clause updates other sections of the Broadcasting Act 1996 to acknowledge the changed definition of “relevant services” in clause 20. As previously mentioned, the changes made to close the streaming loophole are very welcome—and this clause will support that. Clause 21 also makes clarification about section 99 of the Broadcasting Act, which looks to be relatively straight forward. I am happy to move forward with that in mind.
The hon. Member for Aberdeen North rightly highlighted that the issue that the new clause addresses is a matter that the hon. Member for Paisley and Renfrewshire North has been rigorous in pursuing. Indeed, not only have I heard him speak about it in the Chamber; I have also actually met him to hear him put directly his case. I am afraid that we were unable to reach agreement, but I recognise that he feels strongly about the subject. In the grouping which follows this one, we will address the more specific issue which he wants to amend the Bill to cover, which is the inclusion of matches involving the Scottish national team. One of the reasons why we have been resistant to the suggestion—and as I have indicated in a previous debate—is that it is all about establishing a balance. Inclusion of any sport on the listed events regime inevitably means that the potential for raising revenue is diminished, because it excludes a number of broadcasters from bidding for that particular right. It is a question of establishing a balance between the need to raise revenue and the need to ensure that as many people as possible are able to view an event.
The new is clause is quite ingenious in seeking to address that dilemma by asking the Government to set up a fund to compensate rights holders who are subject to inclusion on the list and therefore unable to sell to a non-free-to-air broadcaster. I have to say that that is not something the Government would consider. It would be quite a significant market distortion, and it would be open to potentially a number of other sports or rights holders. What I would say, however, is that sport, as the hon. Member for Aberdeen North is very much aware, is a devolved matter. Should the Scottish Government decide to set up such a fund, they would be free to do so, but I am afraid we are not able to accept the new clause.
Question put and agreed to.
Clause 21 accordingly ordered to stand part of the Bill.
Clause 22
Restriction on showing live coverage of listed events
I begin by echoing the comments of the hon. Member for Aberdeen North on the women’s parliamentary football team, having been involved a little over the years. I will address clauses 22 and 23, as well as the associated amendments. It appears from the Government’s explanatory notes on these clauses that their intention is to ensure that partnership arrangements between qualifying and non-qualifying broadcasters on providing coverage of listed events continue as they do now.
I know that many of our commercial and public service broadcasters alike feel they have strong partnerships that allow sporting events to be shown to as many viewers as possible. Indeed, where an event is not on the listed events regime, this kind of commercial partnership is inevitably even more common; for example, Channel 4 has historically teamed up with Sky to show Formula 1 events to many viewers across the UK. These kinds of cross-industry partnerships are integral to the overall ecosystem of sports rights, and I therefore support any movement that seeks to protect these relationships and dynamics.
However, the BBC has raised concerns that clauses 22 and 23 together could undermine the listed events regime, in particular with regard to multi-sport group A events—the summer Olympics and Paralympics and the winter Olympics and Paralympics. In effect, the BBC says the clauses could potentially mean that Ofcom consent is not required for events where there are partnerships such as the BBC and Discovery deal for the Olympics, as long as each partner has adequate live coverage, which lowers the bar from the current expectation of having full and comprehensive rights on both sides. How much that bar is lowered is difficult to gauge. However, given that the Bill does not define what adequate will mean in this context, it only opens the door for live coverage and adequate coverage to be defined. It would be most unfortunate if a Bill that aimed to modernise and protect the listed events regime inserted a change that, in effect, allowed for exclusive rights to parts of the Olympics to be held behind a paywall.
I therefore ask the Minister for a clear indication of what “adequate” is now to be defined as under these new clauses. Further, why were these changes not included in the original drafting, and for what specific purpose did the Government choose to introduce them today? There was a detailed scrutiny process through the Culture, Media and Sport Committee, and it would have been beneficial for these additional clauses on the listed events regime to be analysed by those who know the regime best. If we cannot be absolutely clear on the real intent behind this clause and the impact that it will have on the listed events regime, it will be difficult to support it at this stage.
Let us move on to new clause 6. I hope that by this point it is clear that I am a strong supporter of the listed events regime. It is important in ensuring that British audiences are able to view moments of national sporting importance. However, many Scottish campaign groups and Scottish Members have been long discontented that the definition of such national moments did not seem to encompass crucial events that define their national sporting story. I am aware that these feelings are likely to be echoed by those in Wales and Northern Ireland, too, and I want to be clear that I believe the regime must not be overtly discriminatory in this sense. There has been particular concern over the lack of a formal plan to encourage making Scottish international football free to watch, something which may seem counterintuitive given the intent of the listed events regime. I understand that the new clause hopes to address this issue and to create equality of access to qualifying events for every UK nation.
When considering additions to the listed events regime, however, there is always a careful balance to be struck. It is important that sporting moments are available to watch, but is also important to secure investment in sports through the revenue generated by selling rights. The fact that the number of events in the regime is limited is indicative of the need to recognise that.
I also want to highlight the fact that the listed events regime is not the only method of ensuring that sports are available on a free-to-air basis. As I mentioned when praising commercial partnerships, it was extremely pleasing to see Sky and STV come to a formal agreement that allowed Scots to watch the World cup qualification play-off final. That was a truly beneficial outcome that did not rely on the structure of the regime.
Has the Department thought about the definition of a moment of national sporting importance? It is a fluid concept given changing public attitudes, and it is further complicated by the fact that inclusion in the regime can bolster the status of an event in the public consciousness. However, I think that there will be many more cases in which an argument is made for an event to be added to the regime, and there could therefore be merit in knowing the criteria that events are judged against when considering whether they should be included in the regime.
Finally, I would like to speak to new clause 7. As per section 97 of the Broadcasting Act 1996, the Secretary of State is required to consult
“(a) the BBC,
(b) the Welsh Authority,
(c) the Commission”
and rights holders before drawing up or revising listed events. I understand the intent behind that clause, especially given that many argue that Scottish football and sport has not been duly incorporated into the listed events regime.
Further, we have also discussed at length the desire to improve parity across broadcasting legislation between S4C and Gaelic language services. With that in mind, I believe that there would be benefits to broadening consultation requirements, so that the Gaelic viewpoint can be better taken into account when amendments to the list are being considered.
We could do with more clarity on how decisions about inclusion in the listed events regime are made. There would be a better sense of the fairness of such decisions if requirements to consult those who may be impacted by such a decision were expanded. In fact, the scope of this could have been broadened even further to require consultation with other relevant persons that the Secretary of State deems necessary. That could have perhaps included the other PSBs or relevant stakeholders, such as sporting bodies.
I do not wish to make additions to the listed events regime more onerous than they need be. However, having strong and varied input into decision making would certainly save time in the long run. I hope it is clear that I understand the intent of new clauses 6 and 7, but that I will need answers to my questions on clauses 22 and 23.
First, I welcome the support in principle of the hon. Lady for partnerships. They play a very important role in ensuring that iconic events are shown free to air even if they are not necessarily listed events. The one example that I can recall is Emma Raducanu’s US Open final, which certainly was not one of the listed events. Nevertheless, Amazon made it available to Channel 4, because clearly there was huge demand to watch it. Those kinds of partnerships play a very valuable role.
Regarding the definition of adequate live coverage, which the hon. Lady raised, and how Ofcom will define it, it is certainly not the intention of the new clauses to reduce the threshold. However, in terms of setting parameters as to what is adequate live coverage, that is a question for Ofcom, which has a lot of experience in this area, and it includes setting the standard for adequate alternative coverage for group B events, as well. In doing so, Ofcom would consult widely with stakeholders and analyse what metric works best to balance the interests of audience, broadcasters and rights-holders, and it can look at previous partnership deals to see how such partnerships have been arranged in the past. There are a number of different factors that are taken into account, but it is a matter for Ofcom to determine.
Before the Minister moves on, could he perhaps elaborate and let the Committee know why these new clauses were not included in the original drafting and say what the specific reason is for their being included now?
I cannot say specifically why they were not included earlier, although I have tried to set out why we think it is important that they should be included now. We will provide any additional information that we can provide in writing to the hon. Lady and to the rest of the Committee.
Regarding the support from the hon. Members for Aberdeen North and for Barnsley East for women’s football, there is no question that the increased popularity of and demand for women’s football has been enormous. Both hon. Members will be aware that the most recent changes to listed events were to include the FIFA Women’s World Cup finals and the European Women’s Football Championship finals on the list. I was not sure whether the hon. Ladies were suggesting that the parliamentary women’s football team should be put on that list, too. I am sure that the idea has considerable support, even if that team has not reached the iconic level quite yet.
I am also quite sure that the Opposition welcomed the recent announcement by my right hon. Friend the Secretary of State for Culture, Media and Sport of the £30 million Lionesses fund, which will be invested in grassroots women’s football. Hopefully, it will enable us to reach even greater heights than we have already reached.
I turn specifically to new clauses 6 and 7. New clause 6 is ingeniously phrased, but I understand the frustration of the hon. Member for Aberdeen North regarding coverage of the home nations. Of course the matches involving the England football team, and indeed the matches involving the Welsh football team, are available free to air— through S4C for the Welsh team—but it is harder to find coverage of the Scottish national team and indeed the Northern Ireland national team.
The only thing I would say to the hon. Lady is that inclusion on the list does not mean that events will be broadcast free to air; indeed, it does not mean that they will be broadcast at all. That is a matter for the broadcasters to determine. We have already debated the difficulty of balancing the need for audience accessibility with the need for revenue-raising. At the end of the day, however, it will remain a matter for the broadcasters to decide, as they do in England and Wales, as to whether or not they wish to bid for the right to cover the Scottish team. I am afraid that new clause 6 would not achieve that, because it remains a matter for the broadcasters to decide.
Turning to new clause 7, the Government believe that, as I say, regional and minority language broadcasting has an important role to play, providing an opportunity for speakers of minority languages to access them. Currently the Secretary of State does consult the BBC, S4C, Ofcom and relevant rights holders when revising the list of events protected under the listed events regime.
The BBC and S4C are of course licence-fee-funded public service broadcasters. Although the current legislation does not require the Secretary of State to consult other affected broadcasters, it does not restrict them from doing so. If updates to the list were to be proposed, my right hon. Friend the Secretary of State would of course listen to all relevant representations. We therefore do not feel there is any need to list out any additional organisations who may or may not have an interest in particular changes. I am afraid that we are unable to accept new clauses 6 and 7. I urge the Committee to accept Government amendments 8 to 10, and to agree to clauses 22 and 23 standing part of the Bill.
Clause 24 makes amendments to extend Ofcom’s existing powers to gather information and, if necessary, undertake enforcement action to reflect the changes made in clauses 20 to 23. Without these new powers, Ofcom would not be able to enforce the regime against the extended list of services brought in scope by the Bill. The clause amends section 104A of the Broadcasting Act 1996 to create a new power for Ofcom to require providers of the services in scope of the listed events regime and, in limited circumstances, certain other persons to supply it with any information it requires to carry out its functions in relation to listed events. It also creates a new section 104B that sets out the penalties that may be applied for failure to provide information.
Clause 25 is a saving provision for clauses 20 to 23. It ensures that contracts that have already been agreed before the introduction of the new provisions will not be affected. Any contract entered into prior to the commencement of the new provisions will be governed by the old listed events regime. That ensures certainty for deals that have already been concluded.
Government amendment 11 is needed to ensure that the existing list of events, as published on gov.uk, is revised into groups A and B. It replicates transitional provisions contained in the Communications Act 2003 that mean that the existing list will otherwise be preserved without need for consultation. While provision was made for this division in the Communications Act, for some reason, relevant sections have not been commenced. The Government’s overarching objective for the listed events regime is to ensure that key sporting events are widely available and free to air for all audiences, particularly those who cannot afford to watch sport behind a paywall. As has already been debated, rights holders use income for the benefit of the wider sporting sector, so it is important for the regime to strike the right balance.
The Government believe that the current list of events works well to deliver the best outcome and that it strikes an appropriate balance. The amendment requires the Secretary of State to revise the list into groups A and B but provides that, so long as the list remains the same—other than the division into groups A and B for the purposes of the legislation—there will be no need to consult in relation to that list. For reasons I set out, I hope that Members can support this amendment.
As I have mentioned more than once during this group of clauses on listed events, I am pleased to see that the Government have taken action to close the streaming loophole in the listed events regime. However, bringing into scope those who are not licensed by Ofcom will mean that Ofcom needs new powers to enforce this regime against new providers. I am therefore supportive of clause 24, which provides Ofcom with such powers, including the ability to require information and impose penalties where failures occur.
Clause 25 ensures the legality of contracts agreed before the introduction of this Bill. This sensible clause will minimise disruption and provides clarification and certainty for all involved.
Finally, I understand that Government amendment 11 requires the Secretary of State to categorise the listed events into groups A and B. I wonder therefore if we could hear from the Minister how the Secretary of State intends to use this power, and whether this will be limited to what is essentially a tidying up of the legislation. With that answer in mind, I would be very happy to support and move on.
I am grateful to the hon. Lady for her indication of support. Essentially, my understanding is exactly that: the division is in effect already there and it had to be formalised through this clause.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clause 25
Sections 20 to 23: saving provision
Amendment made: 11, in clause 25, page 29, line 34, at end insert—
“(2) On the date on which section 21 comes into force, the Secretary of State must revise the list maintained for the purposes of Part 4 of the Broadcasting Act 1996 in order to allocate each event which is a listed event on that date either to Group A or Group B.
(3) Where—
(a) the events listed in the list in force immediately before the Secretary of State revises it under subsection (2) are treated, for any of the purposes of the code in force under section 104 of the Broadcasting Act 1996 at that time, as divided into two categories, and
(b) the Secretary of State’s revision under subsection (2) makes the same division,
section 97(2) of the Broadcasting Act is not to apply in relation to that revision of the list.”.—(Sir John Whittingdale.)
This amendment requires the Secretary of State to revise the list of sporting and other national events so as to divide them into Group A and Group B events. It disapplies the requirement for consultation in section 97(2) of the Broadcasting Act 1996 if the division follows the division into Group A and Group B events by reference to which OFCOM’s code under section 104 of the 1996 Act operates at that time.
Clause 25, as amended, ordered to stand part of the Bill.
Clause 26
Public teletext service
Question proposed, That the clause stand part of the Bill.
I am very happy to join the hon. Lady in paying tribute to the huge number of benefits that Teletext brought for quite a considerable length of time. It was not just news that could be accessed via Teletext; I understand that one of my colleagues booked her holiday regularly through Teletext. I think there was even a dating service that was provided by Teletext for a time. All these things are now available online in perhaps a little more sophisticated form than was originally the case.
I am afraid it is the case that the most recent public teletext provider ceased to provide a service in 2009, and its licence was revoked in 2010. Therefore, in accordance with the intention of this Bill to modernise the legislative framework and to take account of the changes in the broadcasting landscape, I am afraid I must ask the Committee to support that clause 26 stand part of the Bill.
This clause repeals provisions in the Communications Act 2003 regarding teletext, due to it no longer existing. I would like to echo the Minister’s nostalgia, and also thank everyone who invented it and worked on it. I must take this opportunity to say that my dad was an avid user of teletext. Right until it closed, he would phone me up and be like, “It’s not really going to close, is it?”. He would always check his weather and his traffic. I feel like I should put that on the record, because people like my dad across the country relied on it. While he might, I do not take any issue with this clause in particular. It would be remiss of me not to reiterate how important it is that information and services are available to everyone, including those who are older, those who have disabilities, and those without the internet. While we remove old services, it should serve as a reminder to all of us to ensure new services are as universally accessible as possible.
I commend the clause, with sadness.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27
Further amendments relating to public service television
Question proposed, That the clause stand part of the Bill.
This clause and the Government amendments to it are technical in nature and I hope will not detain the Committee for long. Clause 27 introduces schedule 2, which makes amendments to broadcasting legislation to maintain operability of that legislation in light of the changes in part 1 of the Bill that we have already debated. For example, many of these amendments are intended to remove redundant references to the public teletext services from the 2003 Act. Government amendments 16 and 17 correct references to provision added by clause 20. If this were not taken forward, schedule 2 would incorrectly refer to the incorrect type of relevant service.
Government amendment 18 is essentially a tidying-up exercise. It removes transitional provisions that related to section 300 of the Communications Act, which was never brought into force and is now being repealed by this Bill. Government amendment 11 adds replacement transitional provisions. On this basis, I hope the Committee will support clause 27 and the Government amendments to it.
I believe the changes in schedule 2 and clause 27, as well as Government amendment 18, are consequential on the larger adjustments made in part 1. I have had no specific concerns about these changes drawn to my attention, so I am happy to move forward. I refer members of the Committee to my remarks throughout the discussion on the rest of part 1. I am also glad to see some mistakes corrected through amendments 16 and 17.
Question put and agreed to.
Clause 27 accordingly ordered to stand part of the Bill.
On a point of order, Mrs Cummins. If I may make a small correction, I understand that when we were debating the listed events earlier, I said that it excluded bidders if the event is listed. It is not the case that it excludes non-PSBs from bidding, but they may be inadvertently precluded from doing so.
(11 months, 3 weeks ago)
Public Bill CommitteesNot too long ago, just after the Scottish Affairs Committee concluded its important inquiry into the topic, I was joined by colleagues in Westminster Hall to talk about Scottish broadcasting. One of the biggest takeaways from the debate was just how important the sector is to people.
Scottish broadcasting brings communities together. It promotes pride in place and strengthens local economies. For those reasons, and many more, I strongly believe that Scottish broadcasting can and must continue to form a vital piece of the puzzle in the UK’s creative sectors. Indeed, Scotland is already a popular destination for broadcasters. Not only is it home to Amazon, but the BBC and Channel 4 operate there alongside STV, which in 2021 reached 80% of Scottish people through its main channel. Content made in Scotland often represents Scottish people’s lives and the diversity within them. That sort of representation matters. I know, for example, that it was exciting for many when the first Scottish family finally appeared on “Gogglebox”.
I am very sympathetic towards the aspect of the amendment that looks to ensure that the level of content made in and for Scotland is proportionate to the number of people who live there. However, I have questions about the mechanism used to achieve that. For example, what are the implications of directly attaching spend to population? How would population be measured and how frequently, and how would that impact the legislative requirements to match it? I wonder whether this issue could be better addressed through individual channel remits. For example, both the BBC and Channel 4 have existing nation quotas. Perhaps it would be better to focus on that rather than insert a strict spend requirement, tied to population, on the wider remit.
I would like to show my support for Scottish broadcasting, but further investigation might be needed into how we can best ensure that there is a comprehensive and holistic package of regulation and legislation to secure its future.
I start by agreeing with both Opposition spokesmen about the importance of supporting the production sector outside London and across every region and nation of the United Kingdom. The growth of the independent production sector outside London has been a phenomenal success in recent years, and we now have very strong companies in all parts of the UK. That is shown by the fact that since 2010, PSBs’ production spend allocated to programmes outside London has increased from 39% to over 50%, with ambitions to go even further. For instance, the recent publication of the BBC’s “Across the UK” strategy commits it to increasing the proportion of its own TV production budget outside London to 60% by 2027.
The amendment tabled by the hon. Member for Aberdeen North focuses on Scotland, where production spend is now worth over £266 million, supported by developments including the opening of a Channel 4 creative hub in Glasgow in 2019. As I say, the BBC’s “Across the UK” strategy includes commitments to expand its production studios within the city.
I am very happy to provide the hon. Lady with a written briefing on exactly how the powers can be used.
New clause 1 would put a specific duty on Ofcom to report on how public service broadcasters deliver the public service remit. We agree that that is very important, but we think that the Bill already achieves that. Clause 1 amends section 264 of the Communications Act to put a responsibility on Ofcom to review and report on the extent to which public service broadcasters fulfil the remit. Regarding the specific requirement of delivery of the remit on linear, I think that we are straying into the territory of debate on the next group, about how long viewers should be able still to rely on digital terrestrial television. I am very happy to debate that, but I think that discussion that is more appropriate to the next grouping.
The hon. Member for Aberdeen North raised a specific question about how the measurement of the 30 days requirement should operate. I can assure her that the broadcaster would certainly not be able to pick out individual days and put them all together to make up that 30. It is 30 consecutive days starting from the day that the content is first made available.
I believe that the clauses that we are debating represent a modernisation that will ensure that public service content remains at the heart of our broadcasting landscape but is modernised to take account of the extraordinary transformations that are occurring. On that basis, I commend clauses 1, 2 and 7 to the Committee, but I would, I am afraid, be unable to support new clause 1 or, indeed, amendment 19.
I appreciate the Minister’s comments on amendment 19, but it still remains the case that, without clear specifications as to what counts in the “range of genres”, there is no guarantee that Ofcom will monitor the levels of content in each of the removed genres. Without such monitoring, it will be very difficult to identify whether there is a reduction and to rectify that. With that in mind, I would like to press amendment 19 to a vote.
Question put, That the amendment be made.
I want first to make it clear that the Government remain committed to the future of digital terrestrial television. We absolutely accept that millions continue to rely on it. We have already legislated, as hon. Members know, to secure its continuity until at least 2034 through the renewal of the multiplex licences. Obviously, I understand that the Opposition would like to go further and give a commitment going beyond 2034, and the amendments are tabled with that purpose in mind.
I said “overwhelming majority” on Second Reading, because I do not want to be tied down to a specific figure, particularly when we are now looking 10 years ahead, but I repeat that it would be a brave Government who switched off DTT while there was still a significant number—even a small number—of people relying on it.
Since the Minister is not willing to commit to going further than 2034, will he outline when he will make a decision on whether he will extend it past 2034? If not—this is quite important—what plans are the Department putting in place to ensure any future transition takes place effectively?
I am happy to say a little more about what the Department is doing. First, the hon. Member for Aberdeen North is absolutely right that broadband availability is one of the factors that would need to be taken into account. I also have ministerial responsibility at the moment for digital infrastructure, and I can confirm to her that the Government remain committed to the universal availability of gigabit broadband by 2030; if we achieve that target, that is one factor that will have been met. There is also the availability of low-cost tariffs, and I agree with her about the importance of those.
The hon. Lady also talked about resilience. Resilience is important, but it is worth bearing in mind that the Bilsdale transmitter fire was not that long ago—that took out DTT for a significant number of people for quite a few months. Every technology is subject to occasional risk, and that was a rather more dramatic one.
On getting vital messaging across, I gently say to Opposition Committee members that radio is, of course, available through a variety of different technologies as well as television.
The fire that the Minister referenced really outlined how important linear television is to many parts of the country. Actually, the further north we go, the more communities rely on it. In that particular case, I think that a prison was affected as well as a number of older people. It is a good example of how important terrestrial TV still is to many in the country.
We completely recognise that terrestrial TV is important to many in the country. I was in my second incarnation as a Minister at the time of the Bilsdale fire, and I talked to Arqiva about the importance of restoring services as rapidly as possible. A very large number of people were left without the ability to access information, entertainment and all the things that people rely on television to provide.
Looking forward, as hon. Members may be aware the Secretary of State recently announced that the Department is going to carry out a new programme of work on the future of television distribution. That includes a six-month research project working with a consortium led by the University of Exeter, looking at changing viewing habits and technologies. We have also asked Ofcom to undertake an early review on market changes that may affect the future of content distribution. I am very happy to keep the House updated on those. That will be looking at all the various factors that would need to be taken into account.
I make one final point about amendment 37. It puts a particular requirement on channel 3 licensees to use particular standards for compression technology. As with all technologies, the standards for television distribution will change over time. We want to ensure that there remains flexibility, so restricting channel 3 to a particular use of one technology would be severely limiting and actually be contrary to precisely what the Bill is designed to achieve.
(1 year, 5 months ago)
Westminster HallWestminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
I take it back if the hon. Gentleman did, but he is still there.
One of the reasons the Media Bill is important is that the take-up of smart TV will continue at pace. I suspect I am one of only a very small number whose television set receives only internet protocol television—I do not have DTT or a freeview application in my TV—and I have to say that IPTV is extremely impressive. As we move forward with more and more access to gigabit broadband under the Government’s Project Gigabit scheme and the commercial roll-out, more and more people will move in that direction.
That prompts a longer-term question about whether DTT will remain the main means of accessing television. It is too soon to say. What the Government have said is that we foresee DTT continuing until at least 2034, but we will be looking in due course at what should happen after that. Giving that assurance until 2034 should give confidence. Obviously, the debate about what happens beyond that time will continue, and we will see how the market develops.
Is there a reason why the Government will not go further and give longer-term security until 2040, as some campaign groups have called for?
I think 2034 is still a long way off, and this technology is developing fast. Obviously, as we look at the roll-out and at consumer behaviour, that will influence our decision as to how much further to go. The roll-out is happening fast: Scotland is already approaching 70% gigabit coverage, and we anticipate that within a few years every part of the United Kingdom will have access to gigabit coverage. I was pleased to announce earlier this week that the Government will support the provision of gigabit coverage under Project Gigabit to the inhabitants of Papa Stour, a remote part of the Shetland islands, who will in future be able to obtain gigabit coverage from a low Earth orbit satellite as a result of Government investment in this area. No matter what part of the United Kingdom or how remote the area, it is our ambition that everybody should be able to enjoy gigabit coverage in due course. That may affect decisions as to how we continue to ensure that they have access to high-quality television content.
The hon. Member for Perth and North Perthshire concentrated a lot on the issue of listed events. This has always been a “but”. Under the Broadcasting Act 1996, we have a small number of events that are seen to be iconic, which bring all the nations of the United Kingdom together and should remain free to air. The obvious ones are things like the Olympic games, the grand national and the Derby. It is not the case that England football matches are listed. The reason people can watch them on television is that the free to air broadcasters have obtained those rights, but they do not have any exclusive ability to bid for them; others could, too. What are listed events are the FIFA World cup finals, women’s World cup finals, UEFA championship finals and UEFA women’s championship finals. If—as I am sure the hon. Gentleman and his colleagues believe will happen in due course—Scotland reaches the finals in one of those competitions, that will be free to air under the listed events regime. Until then, the Scottish team will have the same rights as the English team and those of other nations of the UK in terms of the football authorities’ ability to decide who they should sell their rights to.
(1 year, 6 months ago)
Public Bill CommitteesWe now turn to part 5 of the Bill. Clauses 100 to 103 and schedule 13 will establish a body corporate, the Information Commission, to replace the existing regulator, the Information Commissioner, which is currently structured as a corporation sole. I should make it clear that the clauses will make no changes to the regulator’s role and responsibilities; all the functions that rest with the Information Commissioner will continue to sit with the new Information Commission.
Clause 100 will establish a body corporate, the Information Commission, to replace the existing regulator, the Information Commissioner. The commission will be governed by an independent board, with chair and chief executive roles, thereby spreading the responsibilities of the Information Commissioner across a larger number of people.
Clause 101 will abolish the office of the Information Commissioner and amend the Data Protection Act 2018 accordingly. To ensure an orderly transfer of functions, the Information Commissioner’s Office will not be abolished until the new body corporate, the Information Commission, is established.
Clause 102 provides for all regulatory and other functions of the Information Commissioner to be transferred to the new body corporate, the Information Commission, once it is established. The clause also provides for references to the Information Commissioner in enactments or other documents to be treated as references to the Information Commission, where appropriate, as a result of the transfer of functions to the new Information Commission.
Clause 103 will allow the Secretary of State to make a scheme for the transfer of property, rights and liabilities, including rights and liabilities relating to employment contracts, from the commissioner to the new commission. The scheme may transfer property such as IT equipment or office furniture, or transfer staff currently employed by the commissioner to the commission. The transfer scheme will be designed to ensure continuity and facilitate a seamless transition to the new Information Commission.
Schedule 13 will insert a new schedule 12A to the Data Protection Act 2018, which describes the nature, form and governance structure of the new body corporate, the Information Commission. The commission will be governed by an independent statutory board, which will consist of a chair and other non-executive members, as well as executive members including a chief executive. The new structure formalises aspects of the existing governance arrangements of the Information Commissioner’s Office and brings the ICO in line with how other UK regulators, such as Ofcom and the Financial Conduct Authority, are governed. The chair of the new commission will be appointed by His Majesty by letters patent on the recommendation of the Secretary of State, as is currently the case for the commissioner.
Schedule 13 also provides for the current Information Commissioner to transfer to the role of chair of the Information Commission for the remainder of their term. I put on record the Government’s intention to preserve the title of Information Commissioner in respect of the chair, in acknowledgment of the fact that the commissioner’s brand is recognised and valued both domestically and internationally. Other non-executive members will be appointed by the Secretary of State, and the chief executive will be appointed by the non-executive members in consultation with the Secretary of State.
Government amendment 45 will allow the chair to appoint the first chief executive on an interim basis and for a term of up to a maximum of 24 months, which will minimise any delay in the transition from the commissioner to the new commission. As drafted, the Bill provides that the chief executive of the commission will be appointed by the non-executive members once they are in place, in consultation with the Secretary of State. The transition from the commissioner to the new Information Commission cannot take place until the board is properly constituted, with, as a minimum, a chair, another non-executive member and a chief executive in place. That requirement would be likely to cause delay to the transition, as the appointment of the non-executive members by the Secretary of State and the chief executive would need to take place consecutively.
Amendment 44 is a minor consequential amendment to paragraph 3(3)(a) of proposed new schedule 12A, making it clear that the interim chief executive is appointed as an executive member.
The amendments seek to minimise any delay in the transfer of functions to the new commission by enabling the appointment of the chief executive to take place in parallel with the appointments process for non-executive members. The appointment of the interim chief executive will be made on the basis of fair and open competition and in consultation with the Secretary of State. I commend clauses 100 to 103, schedule 13 and Government amendments 44 and 45 to the Committee.
It is a pleasure to serve under your chairship once again, Mr Hollobone. The clauses that restructure the Information Commissioner’s Office are among those that the Opposition are pleased to welcome in the Bill.
The Information Commissioner is the UK’s independent regulator for data protection and freedom of information under the Data Protection Act 2018 and the Freedom of Information Act 2000. Under the current system, as the Minister outlined, the Information Commissioner’s Office is a corporation sole, meaning that one person has overall responsibility for data protection and freedom of information, with a group of staff supporting them. However, as the use of data in our society has grown, so too has the ICO, from a team of 10 in 1984 to an organisation with more than 500 staff.
In that context, the corporation sole model is obviously not fit for purpose. Clauses 100 to 103 recognise that: they propose changes that will modernise the Information Commissioner’s Office, turning it into the Information Commission by abolishing the corporation sole and replacing it with a body corporate. It is absolutely right that those changes be made, transforming the regulator into a commission with a broader set-up structure and a board of executives, among other key changes. That will bring the ICO in line with other established UK regulators such as Ofcom and the Financial Conduct Authority, reflect the fact that the ICO is not just a small commissioner’s office, and ensure that it is equipped to deal with the volume of work for which it has responsibility.
It is essential that the ICO remains independent and fair. We agree that moving from an individual to a body will ensure greater integrity, although the concerns that I have raised about the impact of earlier clauses on the ICO’s independence certainly remain. Overall, however, we are pleased that the Government recognise that the ICO must be brought in line with other established regulators and are making much-needed changes, which we support.
Question put and agreed to.
Clause 100 accordingly ordered to stand part of the Bill.
Schedule 13
The Information Commission
Amendments made: 44, in schedule 13, page 195, line 21, after “members” insert
“or in accordance with paragraph 23A”.
This amendment is consequential on Amendment 45.
Amendment 45, in schedule 13, page 204, line 6, at end insert—
“Transitional provision: interim chief executive
23A (1) The first chief executive of the Commission is to be appointed by the chair of the Commission.
(2) Before making the appointment the chair must consult the Secretary of State.
(3) The appointment must be for a term of not more than 2 years.
(4) The chair may extend the term of the appointment but not so the term as extended is more than 2 years.
(5) For the term of appointment, the person appointed under sub-paragraph (1) is ”the interim chief executive”.
(6) Until the expiry of the term of appointment, the powers conferred on the non-executive members by paragraph 11(2) and (3) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members).
(7) In sub-paragraphs (5) and (6), the references to the term of appointment are to the term of appointment described in sub-paragraph (3), including any extension of the term under sub-paragraph (4).”—(Sir John Whittingdale.)
The Bill establishes the Information Commission. This new paragraph enables the chair of the new body, in consultation with the Secretary of State, to appoint the first chief executive (as opposed to the appointment being made by non-executive members). It also enables the chair to determine the terms and conditions, pay, pensions etc relating to the appointment.
Schedule 13, as amended, agreed to.
Clauses 101 to 103 ordered to stand part of the Bill.
Clause 104
Oversight of retention and use of biometric material
Question proposed, That the clause stand part of the Bill.
Clause 104 will repeal the role of the Biometrics Commissioner and transfer the casework functions to the Investigatory Powers Commissioner. There is an extensive legal framework to ensure that the police can make effective use of biometrics, for example as part of an investigation to quickly and reliably identify suspects, while maintaining public trust. That includes the Police and Criminal Evidence Act 1984, which sets out detailed rules on DNA and fingerprints, and the Data Protection Act 2018, which provides an overarching framework for the processing of all personal data.
The oversight framework is complicated, however, and there are overlapping responsibilities. The Bio -metrics Commissioner currently has specific oversight responsibilities just for police use of DNA and fingerprints, while the Information Commissioner’s Office regulates the use of all personal data, including biometrics, by any organisation, including the police. Clause 104 will simplify the framework by removing the overlap, leaving the ICO to provide independent oversight and transferring the casework functions to another existing body.
The casework involves extending retention periods in certain circumstances, particularly on national security grounds, and is quasi-judicial in nature. That is why clause 104 transfers those functions to the independent Investigatory Powers Commissioner, which has the necessary expertise, and avoids the conflict of interest that could occur if the functions were transferred to the ICO as regulator. Transparency in police use of biometrics is essential to retaining public trust and will continue through the annual reports of the Forensic Information Databases Service strategy board, the Investigatory Powers Commissioner and the ICO. I commend clause 104 to the Committee.
I will speak in more detail about my more general views on the oversight of biometrics, particularly their private use, when we come to new clauses 13, 14 and 15. However, as I look specifically at clauses 104 and 105, which seek to abolish the currently combined offices of Biometrics Commissioner and Surveillance Camera Commissioner, I would like to draw on the direct views of the Information Commissioner. In his initial response to “Data: a new direction”, which proposed absorbing the functions of the Biometrics Commissioner and Surveillance Camera Commissioner into the ICO, the commissioner said that there were some functions that,
“if absorbed by the ICO, would almost certainly result in their receiving less attention”.
Other functions, he said,
“simply do not fit with even a reformed data protection authority”
with there being
“far more intuitive places for them to go.”
That was particularly so, he said, with biometric casework.
It is therefore pleasing that as a result of the consultation responses the Government have chosen to transfer the commissioner’s biometric functions not to the ICO but to the Investigatory Powers Commissioner, acknowledging the relevant national security expertise that it can provide. However, in written evidence to this Committee, the commissioner reiterated his concern about the absorption of his office’s functions, saying that work is currently being undertaken within its remit that, under the Bill’s provisions, would be unaccounted for.
Given that the commissioner’s concerns clearly remain, I would be pleased if the Minister provided in due course a written response to that evidence and those concerns. If not, the Government should at the very least undertake their own gap analysis to identify areas that will not be absorbed under the current provisions. It is important that this Committee and the office of the Biometrics and Surveillance Camera Commissioner can be satisfied that all the functions will be properly delegated and given the same degree of attention wherever they are carried out. Equally, it is important that those who will be expected to take on these new responsibilities are appropriately prepared to do so.
I am happy to provide the further detail that the hon. Lady has requested.
Question put and agreed to.
Clause 104 accordingly ordered to stand part of the Bill.
Clause 105
Oversight of biometrics databases
Having outlined my broad concerns about clause 105 when I spoke to clause 104, I will focus briefly on the specific concern raised by the hon. Member for Glasgow North West, which is that the Surveillance Camera Commissioner’s functions will not be properly absorbed.
In evidence to the Committee, the commissioner outlined a number of non-data protection functions in relation to public space surveillance that their office currently carries out, but that, they believe, the Bill does not make provision to transfer. They cite the significant work that their office has undertaken to ensure that Government Departments are able
“to cease deploying visual surveillance systems onto sensitive sites where they are produced by companies subject to the National Intelligence Law of the People’s Republic of China”,
following a November 2022 instruction from the Chancellor of the Duchy of Lancaster. The commissioner says that such non-data protection work, which has received international acclaim, is not addressed in the Bill.
I am therefore hopeful that the explicit mention in amendment 123 that that the functions of the Surveillance Camera Commissioner will be transferred provides a backstop to ensure that all the commissioner’s duties, including the non-data protection work, are accounted for. If the amendment is not accepted, a full-depth analysis should be conducted, as argued previously, with a full response issued to the commissioner’s evidence to ensure that every one of the functions is properly and appropriately absorbed.
I understand the argument that the Surveillance Camera Commissioner’s powers would be better placed with the Investigatory Powers Commissioner, rather than the ICO. Indeed, the commissioner’s evidence to the Committee referenced the interim findings of an independent report it had commissioned, as the hon. Member for Glasgow North West just mentioned. The report found that most of the gaps left by the Bill could be addressed if responsibility for the surveillance camera code moved under the IPCO, harmonising the oversight of traditional and remote biometrics.
I end by pointing to a recent example that shows the value of proper oversight of the use of surveillance. Earlier this year, following a referral from my hon. Friend the Member for Bristol North West (Darren Jones), the ICO found a school in Bristol guilty of unlawfully installing covert CCTV cameras at the edge of their playing fields. Since then, the Surveillance Camera Commissioner has been responding to freedom of information requests on the matter, with more information about the incident thereby emerging as recently as yesterday. It is absolutely unacceptable that a school should be filming people without their knowledge. The Surveillance Camera Commissioner is a vital cog in the machinery of ensuring that incidents are dealt with appropriately. For such reasons, we must preserve its functions.
In short, I am in no way opposed to the simplification of oversight in surveillance or biometrics, but I hope to see it done in an entirely thorough way, so that none of the current commissioner’s duties get left behind or go unseen.
I am grateful to the hon. Members for Glasgow North West and for Barnsley East for the points they have made. The hon. Member for Glasgow North West, in moving the amendment, was right to say that the clause as drafted abolishes the role of the Surveillance Camera Commissioner and the surveillance camera code that the commissioner promotes compliance with. The commissioner and the code, however, are concerned only with police and local authority use in England and Wales. Effective, independent oversight of the use of surveillance camera systems is critical to public trust. There is a comprehensive legal framework for the use of such systems, but the oversight framework is complex and confusing.
The ICO regulates the processing of all personal data by all UK organisations under the Data Protection Act; that includes surveillance camera systems operated by the police and local authorities, and the ICO has issued its own video surveillance guidance. That duplication is confusing for both the operators and the public and it has resulted in multiple and sometimes inconsistent guidance documents covering similar areas. The growing reliance on surveillance from different sectors in criminal investigations, such as footage from Ring doorbells, means that it is increasingly important for all users of surveillance systems to have clear and consistent guidance. Consolidating guidance and oversight will make it easier for the police, local authorities and the public to understand. The ICO will continue to provide independent regulation of the use of surveillance camera systems by all organisations. Indeed, the chair of the National Police Data Board, who gave evidence to the Committee, said that that will significantly simplify matters and will not reduce the level of oversight and scrutiny placed upon the police.
Amendment 123, proposed by the hon. Member for Glasgow North West, would retain the role of the Surveillance Camera Commissioner and the surveillance camera code. In our view, that would simply continue the complexity and duplication with the ICO’s responsibilities. Feedback that we received from our consultation showed broad support for simplifying the oversight framework, with consultees agreeing that the roles and responsibilities, in particular in relation to new technologies, were unclear.
The hon. Lady went on to talk about the oversight going beyond that of the Information Commissioner, but I point out that there is a comprehensive legal framework outside the surveillance camera code. That includes not only data protection, but equality and human rights law, to which the code cross-refers. The ICO and the Equality and Human Rights Commission will continue to regulate such activities. There are other oversight bodies for policing, including the Independent Office for Police Conduct and His Majesty’s inspectorate of constabulary, as well as the College of Policing, which provide national guidance and training.
The hon. Lady also specifically mentioned the remarks of the Surveillance Camera Commissioner about Chinese surveillance cameras. I will simply point out that the responsibility for oversight, which the ICO will continue to have, is not changed in any way by the Bill. The Information Commissioner’s Office continues to regulate all organisations’ use of surveillance cameras, and it has issued its own video surveillance guidance.
New clause 17 would transfer the functions of the commissioner to the Investigatory Powers Commissioner. As I have already said, we believe that that would simply continue to result in oversight resting in two different places, and that is an unnecessary duplication. The Investigatory Powers Commissioner’s Office oversees activities that are substantially more intrusive than those relating to overt surveillance cameras. IPCO’s existing work requires it to oversee over 600 public authorities, as well as several powers from different pieces of legislation. That requires a high level of expertise and specialisation to ensure effective oversight.
For those reasons, we believe that the proposals in the clause to bring the oversight functions under the responsibility of the Information Commissioner’s Office will not result in any reduction in oversight, but will result in the removal of duplication and greater clarity. On that basis, I am afraid that I am unable to accept the amendment, and I hope that the hon. Lady will consider withdrawing it.
Clause 106 makes changes to the national DNA database strategy board, which provides oversight of the operation of the national DNA database, including setting policies for access and use by the police. Amendment 119 would seem to extend the power to widen the board’s potential scope beyond biometrics databases for the purpose of identification, to include the purpose of classification.
The police can process data only for policing purposes. It is not clear what policing purpose there would be in being able to classify, for example, emotions or gender, even assuming it was proven to be scientifically robust, or what sort of data would be on such a database. Even if one were developed in the future, it is likely to need knowledge, skills and resources very different from what is needed to oversee a database that identifies and eliminates suspects based on biometric identification, so it would probably make sense for a different body to carry out any oversight.
New clause 8 aims to make changes in a similar way to amendment 119 in relation to the definition of biometric data for the purposes of article 9 of the GDPR. As the GDPR is not concerned with the police’s use of biometric data for law enforcement purposes, the new clause would apply to organisations that are processing biometric data for general purposes. The aim seems to be to ensure that enhanced protections afforded by GDPR to biometric data used for unique identification purposes also apply to biometric data that is used for classification or categorisation purposes.
The hon. Lady referred to the Ada Lovelace Institute’s comments on these provisions, and its 2022 “Countermeasures” report issued on biometric technologies, but we are not convinced that such a change is necessary. One example in the report was using algorithms to make judgments that prospective employees are bored or not paying attention, based on their facial expressions or tone of voice. Using biometric data to draw inferences about people, using algorithms or otherwise, is not as invasive as using biometric data uniquely to identify someone. For example, biometric identification could include matching facial images caught on closed circuit television to a centrally held database of known offenders.
Furthermore, using biometric data for classification or categorisation purposes is still subject to the general data protection principles in the UK GDPR. That includes ensuring that there is a lawful ground for the processing, that the processing is necessary and proportionate, and is fair and transparent to the individuals concerned. If algorithms are used to categorise and make significant decisions about people based on their biometric characteristics, including in an employment context, they will have the right to be given information about the decision, and to obtain human intervention, as a result of the measures we previously debated in clause 11.
Therefore, we do see a distinction between the use of biometric information for identification purposes and the more general classification which the hon. Lady sought to draw. Though we believe that there is sufficient safeguard already in place regarding possible use of classification by biometric data, given what I have said, I hope that she will consider withdrawing the amendment.
I am grateful to the Minister for his comments. We will be speaking about the private uses of biometric data later, so I beg to ask leave to withdraw my amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
DNA and fingerprints are key tools in helping the police to identify and eliminate suspects quickly and accurately by comparing evidence left at crime scenes with the appropriate files on the national databases. As I previously set out, clause 106 makes changes to the National DNA Database Strategy Board. The board provides oversight of the operation of the database, including setting policies for access and use by the police.
These reforms change the scope of the board to make it clear that they should provide similar oversight of the police fingerprint database, which operates under similar rules. The change brings the legislation up to date with the board’s recently published governance rules. Clause 106 also updates the name of the board to the Forensic Information Databases Strategy Board, to better reflect the broadened scope of its work. We are also taking this opportunity to simplify and future-proof oversight of national police biometric databases. While DNA and fingerprints are well established, biometrics is an area of rapid technological development, including for example the growing use of iris, face and voice recognition. Given the pace of technological change in this area and the benefits of consistent oversight, Clause 106 also includes a power for the Secretary of State to make regulations which make changes to the board’s scope, for example by adding new biometric databases into the board’s remit or to remove them, where a database is no longer used. Such regulations would be subject to the affirmative procedure.
For these reasons, I commend the clause to the Committee.
Clause 106 will primarily increase the scope of the Forensic Information Databases Strategy Board to provide oversight of the national fingerprint database. However, there are also provisions enabling the Secretary of State to add or remove a biometric database that the board oversees, using the affirmative procedure. I would therefore like to ask the Minister whether they have any plans to use these powers regarding any particular databases—or whether this is intended as a measure for future-proofing the Bill in the case of changed circumstances?
I would also like to refer hon. Members to the remarks that I have made throughout the Bill that emphasise a need for caution when transferring the ability to change regulation further into the hands of the Secretary of State alone.
I would add only that this is an area where technology is moving very fast, as I referred to earlier. We think it is right to put in place this provision, to allow an extension if it becomes necessary—though I do not think we have any current plans. It is future-proofing of the Bill.
Question put and agreed to.
Clause 106 accordingly ordered to stand part of the Bill.
Clause 107
Regulations
Question proposed, That the clause stand part of the Bill.
Clause 107 will give the Secretary of State a regulation-making power to make consequential amendments to other legislation. The power enables amendments to this Bill itself where such amendments are consequential to the abolition of the Information Commissioner and his replacement by the new Information Commission. Such provision is needed because there are a number of areas where data protection legislation will need to be updated as a consequence of the Bill. This is a standard power, commonly included in Bills to ensure that wider legislation is updated where necessary as a result of new legislation. For example, references to “the Commissioner” in the Data Protection Act 2018 will no longer be accurate, given changes to the governance structure of the Information Commissioner’s Office within the Bill, so consequential amendments will be required to that Act.
Clause 108 outlines the form and procedure for making regulations under the powers in the Bill: they are to be made by statutory instrument. Where regulations in the Bill are subject to the affirmative resolution procedure, they may not be made unless a draft of the statutory instrument has been laid before Parliament and approved by a resolution of each House. That provision is needed because the Bill introduces new regulation-making powers, which are necessary to support the Bill’s policy objectives. For example, powers in part 3 of the Bill replace an existing statutory framework with a new, enhanced one.
Clause 109 explains the meaning of references to “the 2018 Act” and “the UK GDPR” in the Bill. Such provision is needed to explain the meaning of those two references. Clause 110 authorises expenditure arising from the Bill. That provision is needed to confirm that Parliament will fund any expenditure incurred under the Bill by the Secretary of State, the Treasury or a Government Department. It requires a money resolution and a Ways and Means resolution, both of which were passed in the House of Commons on 17 April.
Clause 111 outlines the territorial extent of the Bill. Specifically, the clause states that the Bill extends to England and Wales, Scotland and Northern Ireland, with some exceptions. Much of the Bill, including everything on data protection, is reserved policy. In areas where the Bill legislates on devolved matters, we are working with the devolved Administrations to secure legislative consent motions. Clause 112 gives the Secretary of State a regulation-making power to bring the Bill’s provisions into force. Some provisions, listed in subsection (2), come into force on the date of Royal Assent. Other provisions, listed in subsection (3), come into force two months after Royal Assent. Such provision is needed to outline when the Bill’s provisions will come into force.
Clause 113 gives the Secretary of State a regulation-making power to make transitional, transitory or saving provisions that may be needed in connection with any of the Bill’s provisions coming into force. For example, provision might be required to clarify that the Information Commissioner’s new power to refuse to act on complaints will not apply where such complaints have already been made prior to commencement of the relevant provision. Clause 114 outlines the short title of the Bill. That provision is needed to confirm the title once the Bill has been enacted. I commend clauses 107 to 114 to the Committee.
The clauses set out the final technical provisions necessary in order for the Bill to be passed and enacted effectively, and for the most part are standard. I will focus briefly on clause 107, however, as a number of stakeholders including the Public Law Project have expressed concern that, as a wide Henry VIII power, it may give the Secretary of State the power to make further sweeping changes to data protection law. Can the Minister provide some assurance that the clause will allow for the creation only of further provisions that are genuinely consequential to the Bill and necessary for its proper enactment?
It is my belief that this would not have been such a concern to civil society groups had there not been multiple occasions throughout the Bill when the Secretary of State made grabs for power, concentrating the ability to make further changes to data protection legislation in their own hands. I am disappointed, though of course not surprised, that the Government have not accepted any of my amendments to help to mitigate those powers with checks and balances involving the commissioner. However, keeping the clause alone in mind, I look forward to hearing from the Minister how the powers in clause 107 will be restricted and used.
We have previously debated the efficacy of the affirmative resolution procedure. I recognise that the hon. Lady is not convinced about how effective it is in terms of parliamentary scrutiny; we will beg to differ on that point. Although the power in clause 107 allows the Secretary of State to amend Acts of Parliament, I can confirm that that is just to ensure the legal clarity of the text. Without that power, data protection legislation would be harder to interpret, thereby reducing people’s understanding of the legislation and their ability to rely on the law.
Question put and agreed to.
Clause 107 accordingly ordered to stand part of the Bill.
Clause 108
Regulations
I beg to move, That the clause be read a Second time.
In order for the public to have trust in algorithmic decision making, particularly where used by the Government, they must be able to understand how and when it is being used as a basic minimum. That is something that the Government themselves previously recognised by including a proposal to make transparency reporting on the use of algorithms in decision making for public sector bodies compulsory in their “Data: a new direction” consultation. Indeed, the Government have already made good progress on bringing together a framework that will make that reporting possible. The algorithmic transparency recording standard they have built provides a decent, standardised way of recording and sharing information about how the public sector uses algorithmic tools. There is also full guidance to accompany the standard, giving public sector bodies a clear understanding of how to complete transparency reports, as well as a compilation of pilot reports that have already been published, providing a bank of examples.
However, despite that and the majority of consultation respondents agreeing with the proposed compulsory reporting for public sector bodies—citing benefits of increased trust, accountability and accessibility for the public—the Government chose not to go ahead with the legislative change. Relying on self-regulation in the early stages of the scheme is understandable, but having conducted successful pilots, from the Cabinet Office to West Midlands police, it is unclear why the Government now choose not to commit to the very standard they created. This is a clear missed opportunity, with the standard running the risk of failing altogether if there is no legislative requirement to use it.
As the use of such algorithms grows, particularly considering further changes contained in clause 11, transparency around Government use of big data and automated decision-making tools will only increase in importance and value—people have a right to know how they are being governed. As the Public Law Project argues, transparency also has a consequential value; it facilitates democratic consensus building about the appropriate use of new technologies, and it allows for full accountability when things go wrong.
Currently, in place of that accountability, the Public Law Project has put together its own register called “Tracking Automated Government”, or TAG. Using mostly freedom of information requests, the register tracks the use of 42 algorithmic tools and rates their transparency. Of the 42, just one ranked as having high transparency. Among those with low transparency are asylum estates analysis, used to help the Home Office decide where asylum interviews should take place, given the geographical distribution of asylum seekers across the asylum estate; the general matching service and fraud referral and intervention management system, used as part of the efforts of the Department for Work and Pensions to combat benefit fraud and error—for example, by identifying claimants who may potentially have undisclosed capital or other income; and housing management systems, such as that in Wigan Metropolitan Borough Council, which uses a points-based system to prioritise social housing waiting lists.
We all want to see Government modernising and using new technology to increase efficiency and outcomes, but if an algorithmic tool impacts our asylum applications, our benefits system and the ability of people to gain housing, the people affected by those decisions deserve at the very least to know how they are being made. If the public sector sets the right example, private companies may choose to follow in the future, helping to improve transparency even further. The framework is ready to go and the benefits are clear; the amendment would simply make progress certain by bringing it forward as part of the legislative agenda. It is time that we gave people the confidence in public use of algorithms that they deserve.
I thank the hon. Member for Barnsley East for moving new clause 9. We completely share her wish to ensure that Government and public authorities provide transparency in the way they use algorithmic tools that process personal data, especially when they are used to make decisions affecting members of the public.
The Government have made it our priority to ensure that transparency is being provided through the publication of the algorithmic transparency recording standard. That has been developed to assist public sector organisations in documenting and communicating their use of algorithms in decision making that impacts members of the public. The focus of the standard is to provide explanations of the decisions taken using automated processing of data by an algorithmic system, rather than all data processing.
The standard has been endorsed by the Government’s Data Standards Authority, which recommends the standards, guidance and other resources that Government Departments should follow when working on data projects. Publishing the standard fulfils commitments made in both the national data strategy 2020 and the national artificial intelligence strategy. Since its publication, the standard has been piloted with a variety of public sector organisations across the UK, and the published records can be openly accessed via gov.uk. It is currently being rolled out more widely across the public sector.
Although the Government have made it a priority to advance work on algorithmic transparency, the algorithmic transparency recording standard is still a maturing standard that is being progressively promoted and adopted. It is evolving alongside policy thinking and Government understanding of the complexities, scope and risks around its use. We believe that enshrining the standard into law at this point of maturity could hinder the ability to ensure that it remains relevant in a rapidly developing technology field.
Therefore, although the Government sympathise with the intention behind the new clause, we believe it is best to continue with the current roll-out across the public sector. We remain committed to advancing algorithmic transparency, but we do not intend to take forward legislative change at this time. For that reason, I am unable to accept the new clause as proposed by the Opposition.
I am grateful to the Minister, but I am still confused about why, having developed the standard, the Government are not keen to put it into practice and into law. He just said that he wants to keep it relevant; he could use some of the secondary legislation that he is particularly keen on if he accepted the new clause. As I outlined, this issue has real-life consequences, whether for housing, asylum or benefits. In my constituency, many young people were affected by the exam algorithm scandal. For those reasons, I would like to push the new clause to a vote.
Question put, That the clause be read a Second time.
I am grateful to the hon. Lady for setting out the purposes of the new clause. As she has described, it aims to require the Secretary of State to use regulation-making powers under section 190 of the Data Protection Act to implement article 80(2) of the UK GDPR. It would enable non-profit organisations with an expertise in data protection law to make complaints to the Information Commissioner and/or take legal action against data controllers without the specific authorisation of the individuals who have been affected by data breaches. Relevant non-profit organisations can already take such actions on behalf of individuals who have specifically authorised them to do so under provisions in article 80(1) of the UK GDPR.
In effect, the amendment would replace the current discretionary powers in section 190 of the Data Protection Act with a duty for the Secretary of State to legislate to bring those provisions into force soon after the Bill has received Royal Assent. Such an amendment would be undesirable for a number of reasons. First, as required under section 189 of the Data Protection Act, we have already consulted and reported to Parliament on proposals of that nature, and we concluded that there was not a strong enough case for introducing new legislation.
Although the Government’s report acknowledged that some groups in society might find it difficult to complain to the ICO or bring legal proceedings of their own accord, it pointed out that the regulator can and does investigate complaints raised by civil society groups even when they are not made on behalf of named individuals. Big Brother Watch’s recent complaints about the use of live facial recognition technology in certain shops in the south of England is an example of that.
Secondly, the response concluded that giving non-profit organisations the right to bring compensation claims against data controllers on behalf of individuals who had not authorised them to do so could prompt the growth of US-style lawsuits on behalf of thousands or even millions of customers at a time. In the event of a successful claim, each individual affected by the alleged breach could be eligible for a very small payout, but the consequences for the businesses could be hugely damaging, particularly in cases that involved little tangible harm to individuals.
Some organisations could be forced out of business or prompted to increase prices to recoup costs. The increase in litigation costs could also increase insurance premiums. A hardening in the insurance market could affect all data controllers, including those with a good record of compliance. For those reasons, we do not believe that it is right to extend the requirement on the Secretary of State to allow individuals to bring actions without the consent of those affected. On that basis, I ask the hon. Lady to withdraw the motion.
Data is increasingly used to make decisions about us as a collective, so it is important that GDPR gives us collective rights to reflect that, rather than the system being designed only for individuals to seek redress. For those reasons, I will press my new clause to a vote.
Question put, That the clause be read a Second time.
I beg to move, That the clause be read a Second time.
Privacy enhancing technologies are technologies and techniques that can help organisations to share and use people’s data responsibly, lawfully and securely. They work most often by minimising the amount of data used, maximising data security—for example by encrypting or anonymising personal information—or empowering individuals. One of the best-known examples of a PET is synthetic data: data that is modelled to reproduce the statistical properties of a real dataset when taken as a whole. That type of data could allow third-party researchers or processors to analyse the statistical outcomes of the data without having access to the original set of personal data, or any information about identifiable living individuals.
Another example of PETs are those that minimise the amount of personal data that is shared without affecting the data’s utility. Federated learning, for example, allows for the training of an algorithm across multiple devices or datasets held on servers, so if an organisation wants to train a machine-learning model but has limited training data available, they can send the model to a remote dataset for training. The model will then return having benefited from those datasets, while the sensitive data itself is not exchanged or ever put in the hands of those in ownership of the algorithm. The use of PETs therefore does not necessarily exclude data from being defined as personal or falling within the remit of GDPR. They can, however, help to minimise the risk that arises from personal data breaches and provide an increased level of security.
The Government have positioned the Bill as one that seeks to strengthen the data rights of citizens while catalysing innovation. PETs could and should have been a natural area for the Bill to explore, because not only can such devices help controllers demonstrate an approach based on data protection by design and default, but they can open the door for new ways of collaborating, innovating and researching with data. The Royal Society has researched the role that PETs can play in data governance and collaboration in immense detail, with its findings contained in its 2023 report, which is more than 100 pages long. One of the report’s key recommendations was that the Government should develop a national PET strategy to promote their responsible use as tools for advancing scientific research, increasing security and offering new partnership possibilities, both domestically and across borders.
It is vital to acknowledge that working with PETs involves risks that must be considered. Some may not be robust enough against attacks because they are in the early stages of development, while others might require a significant amount of expertise to operate, without which their use may be counterproductive. It is therefore important to be clear that the amendment would not jump ahead and endorse any particular technology or device before it was ready. Instead, it would enshrine the European Union Agency for Cybersecurity definition of PETs in UK law and prompt the Government to issue a report on how that growing area of technology might play a role in data processing and data regulation in future.
That could include identifying the opportunities that PETs could provide while also looking at the threats and potential harms involved in using the technologies without significant expertise or technological readiness. Indeed, in their consultation response, the Government even mentioned they were keen to explore opportunities around smart data, while promoting understanding that they should not be seen as a substitute for reducing privacy risks on an organisational level. The report, and the advancing of the amendment, would allow the Government that exploration, indicating a positive acknowledgment of the potentially growing role that PETs might play in data processing and opening the door for further research in the area.
Even by their name, privacy enhancing technologies reflect exactly what the Bill should be doing: looking to the future to encourage innovation in tech and then using such innovation to protect citizens in return. I hope hon. Members will see those technologies’ potential value and the importance of analysing any harms, and look to place the requirement to analyse PETs on the statute book.
We absolutely agree with the Opposition about the importance of privacy enhancing technologies, which I will call PETs, since I spoke on them recently and was told that was the best abbreviation—it is certainly easier. We wish to see their use by organisations to help ensure compliance with data protection principles and we seek to encourage that. As part of our work under the national data strategy, we are already exploring the macro-impacts of PETs and how they can unlock data across the economy.
The ICO has recently published its draft guidance on anonymisation, pseudonymisation and PETs, which explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. In addition, the Centre for Data Ethics and Innovation has published an adoption guide to aid decision making around the use of PETs in data-driven projects. It has also successfully completed delivery of UK-US prize challenges to drive innovation in PETs that reinforce democratic values. Indeed, I was delighted to meet some of the participants in those prize challenges at the Royal Society yesterday and hear a little more about some of their remarkable innovations.
As the hon. Lady mentioned, the Royal Society has published reports on how PETs can maximise the benefit and reduce the harms associated with data use. Adding a definition of PETs to the legislation and requiring the Government to publish a report six months after Royal Assent is unlikely to have many advantages over the approach that the ICO, the CDEI and others are taking to develop a better understanding in the area. Furthermore, many PETs are still in the very early stages of their deployment and use, and have not been widely adopted across the UK or globally. A statutory definition could quickly become outdated. Publishing a comprehensive report on the potential impacts of PETs, which advocated the use of one technology or another, could even distort a developing market, and lead to unintended negative impacts on the development of what are promising technologies. For that reason, I ask the hon. Lady to withdraw the new clause.
A wider range of biometric data is now being collected than ever before. From data on the way we walk and talk to the facial expressions we make, biometric data is now being collected and used in a wide range of situations for many distinct purposes. Great attention has rightly been paid to police use of facial recognition technology to identify individuals, for example at football matches or protests. Indeed, to date, much of the regulatory attention has focused on those use cases, which are overseen by the Investigatory Powers Commissioner. However, the use of biometric technologies extends far beyond those examples, and there has been a proliferation of biometrics designed by private organisations to be used across day-to-day life—not just in policing.
We unlock smartphones with our faces or fingerprints, and companies have proposed using facial expression analysis to detect whether students are paying attention in online classes. Employers have used facial expression and tone analysis to decide who should be selected for a job—as was already mentioned in reference to new clause 8. As the proliferation of biometric technologies occurs, a number of issues have been raised about their impact on people and society. Indeed, if people’s identities can be detected by both public and private actors at any given point, there is potential for it to significantly infringe on someone’s privacy to move through the world with freedom of expression, association and assembly. Similarly, if people’s traits, characteristics or abilities can be automatically assessed on the basis of biometrics, often without a scientific basis, it may affect free expression and the development of personality.
Public attitudes research carried out by the Ada Lovelace Institute shows that the British public recognise the potential benefits of tools such as facial recognition in certain circumstances—for example, smartphone locking systems and in airports—but often reject their use in others. Large majorities are opposed to the use of facial recognition in shops, schools and on public transport, as well as by human resources departments in recruitment. In all cases, the public expect the use of biometrics to be accompanied by safeguards and limitations, such as appropriate transparency and accountability measures.
Members of the citizens’ biometrics council, convened by the Ada Lovelace Institute in 2020 and made up of 50 members of the public, expressed the view that biometric technologies as currently used are lacking in transparency and accountability. In particular, safeguards are uneven across sectors. Private use of biometrics are not currently subject to the same level of regulatory oversight or due process as is afforded within the criminal justice system, despite also having the potential to create changes of life-affecting significance. As a result, one member of the council memorably asked:
“If the technology companies break their promises…what will the implications be? Who’s going to hold them to account?”
It is with those issues in mind that experts and legal opinion seem all to come to the same consistent conclusion that, at the moment, there is not a sufficient legal framework in place to manage the unique issues that the private proliferation of biometrics use raises. An independent legal review, commissioned by the Ada Lovelace Institute and led by Matthew Ryder KC, found that current governance structures and accountability mechanisms for biometrics are fragmented, unclear and ineffective. Similar findings have been made by the Biometrics and Surveillance Camera Commissioner, and Select Committees in this House and in the other place.
The Government, however, have not yet acted on delivering a legal framework to govern the use of biometric technology by private corporations, meaning that the Bill is a missed opportunity. New clause 13 therefore seeks to move towards the creation of that framework, providing for the Information Commission to oversee the use of biometric technology by private parties, and ensure accountability around it. I hope that the Committee see the value of this oversight and what it could provide and will support the new clause.
New clause 13 would require the Information Commission to establish a new separate statutory biometrics office with responsibility for the oversight and regulation of biometric data and technology. However, the Information Commissioner already has responsibility for monitoring and enforcing the processing of biometric data, as it falls within the definition of personal data. Under the Bill, the new body corporate—the Information Commission—will continue to monitor and enforce the processing of all personal data under the data protection legislation, including biometric data. Indeed, with its new independent board and governance structure, the commission will enjoy greater diversity in skills and decision making, ensuring that the regulator has the right blend of skills and expertise at the very top of the organisation.
Furthermore, the Bill allows the new Information Commission to establish committees, which may include specialists from outside the organisation with key skills and expertise in specialist areas. As such, the Government are of the firm view that the Information Commission is best placed to provide regulatory oversight of biometric data, rather than delegating responsibility and functions to a separate office. The creation of a new body would likely cause confusion for those seeking redress, by creating novel complaints processes for biometric-related complaints, as set out in new clause 13(3)(c)(iii). It would also complicate regulatory oversight and decision making by providing the new office with powers to impose fines, as per subsection (2)(e). For those reasons, I encourage the hon. Lady to withdraw her new clause.
New clauses 14 and 15 would require non-law enforcement bodies that process biometric data about individuals to register with the Information Commissioner before the processing begins. Where the processing started prior to passage of the Bill, the organisation would need to register within six months of commencement. As part of the registration process, the organisation would have to explain the intended effect of the processing and provide annual updates to the Information Commissioner’s Office on current and future processing activities. Organisations that fail to comply with these requirements would be subject to an unlimited fine.
I appreciate that the new clauses aim to make sure that organisations will give careful thought to the necessity and proportionality of their processing activities, and to improve regulatory oversight, but they could have significant unintended consequences. As the hon. Lady will be aware, there are many everyday uses of biometrics data, such as using a thumbprint to access a phone, laptop or other connected device. Such services would always ask for the user’s explicit consent and make alternatives such as passwords available to customers who would prefer not to part with their biometric data.
If every organisation that launched a new product had to register with the Information Commissioner to explain its intentions and complete annual reports, that could place significant and unnecessary new burdens on businesses and undermine the aims of the Bill. Where the use of biometric data is more intrusive, perhaps involving surveillance technology to identify specific individuals, the processing will already be subject to the heightened safeguards in article 9 of the UK GDPR. The processing would need to be necessary and proportionate on the grounds of substantial public interest.
The Bill will also require organisations to designate a senior responsible individual to manage privacy risks, act as a contact point for the regulator, undertake risk assessments and keep records in relation to high-risk processing activities. It would be open to the regulator to request to see these documents if members of the public expressed concern about the use of the technology.
I hope my response has helped to address the issues the hon. Lady was concerned about, and I would respectfully ask her to not to press these new clauses.
It does indeed provide reassurance. On that basis, I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
Okay, I will wait for the next Question. Thank you for your guidance, Mr Hollobone.
I thank my hon. Friend the Member for Loughborough, who has been assiduous in pursuing her point and has set out very clearly the purpose of her new clause. We share her wish to reduce unnecessary burdens on the police as much as possible. The new clause seeks to achieve that in relation to the preparation by police officers of pre-charge files, which is an issue that the National Police Chiefs’ Council has raised with the Home Office, as I think she knows.
This is a serious matter for our police forces, which estimate that about four hours is spent redacting a typical case file. They argue that reducing that burden would enable officers to spend more time on frontline policing. We completely understand the frustration that many officers feel about having to spend a huge amount of time on what they see as unnecessary redaction. I can assure my hon. Friend that the Home Office is working with partners in the criminal justice system to find ways of safely reducing the redaction burden while maintaining public trust. It is important that we give them the time to do so.
We need to resolve the issue through an evidence-based solution that will ensure that the right amount of redaction is done at the right point in the process, so as to reduce any delays while maintaining victim and witness confidence in the process. I assure my hon. Friend that her point is very well taken on board and the Government are looking at how we can achieve her objective as quickly as possible, but I hope she will accept that, at this point, it would be sensible to withdraw her new clause.
It has been a real pleasure to represent His Majesty’s loyal Opposition in the scrutiny of the Bill. I thank the Minister for his courteous manner, all members of the Committee for their time, the Clerks for their work and the many stakeholders who have contributed their time, input and views. I conclude by thanking Anna Clingan, my senior researcher, who has done a remarkable amount of work to prepare for our scrutiny of this incredibly complex Bill. Finally, I thank you, Mr Hollobone, for the way in which you have chaired the Committee.
May I join the hon. Lady in expressing thanks to you, Mr Hollobone, and to Mr Paisley for chairing the Bill Committee so efficiently and getting us to this point ahead of schedule? I thank all members of the Committee for their participation: we have been involved in what will be seen to be a very important piece of legislation.
I am very grateful to the Opposition for their support in principle for many of the objectives of the Bill. It is absolutely right that the Opposition scrutinise the detail, and the hon. Member for Barnsley East and her colleagues have done so very effectively. I am pleased that we have reached this point with the Bill so far unamended, but obviously we will be considering it further on Report.
I thank all my hon. Friends for attending the Committee and for their contributions, particularly saying “Aye” at the appropriate moments, which has allowed us to get to this point. I also thank the officials in the Department for Science, Innovation and Technology. I picked up this baton on day two of my new role covering the maternity leave of my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez); I did so with some trepidation, but the officials have made my task considerably easier and I am hugely indebted to them.
I thank everybody for allowing us to get this point. I look forward to further debate on Report, in due course.
(1 year, 6 months ago)
Public Bill CommitteesIt is a pleasure to serve under your chairmanship, Mr Paisley. Welcome to the Committee.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 place specific requirements on organisations in relation to use of personal data in electronic communications. They include, for example, rules on the use of emails, texts and phone calls for direct marketing purposes and the use of cookies and similar technologies.
Trade associations have told us that sometimes their members need guidance on complying with the legislation that is more bespoke than the general regulatory guidance from the Information Commissioner’s Office. New clause 2 will allow representative bodies to design codes of conduct on complying with the PEC regulations that reflect their specific processing operations. There are already similar provisions in articles 40 and 41 of the UK General Data Protection Regulation to help organisations in particular sectors to comply.
Importantly, codes of conduct prepared under these provisions can be contained in the same document as codes of conduct under the UK GDPR. That will be particularly beneficial to representative bodies that are developing codes for processing activities that are subject to the requirements of both the UK GDPR and the PEC regulations. New clause 2 envisages that representative bodies will draw up voluntary codes of conduct and then seek formal approval of them from the Information Commissioner. The Information Commissioner will approve a code only if it contains a mechanism for the representative body to monitor their members’ compliance with the code.
New clause 1 makes a related amendment to article 41 of the UK GDPR to clarify that bodies accredited to monitor compliance with codes of conduct under the GDPR are required to notify the Information Commissioner only if they suspend or exclude a person from a code. Government amendment 5 is a minor and technical amendment necessary as a consequence of new clause 2.
These provisions are being put into the Bill at the suggestion of business organisations. We hope that they will allow organisations to comply more easily with the requirements.
It is a pleasure to serve under your chairship, Mr Paisley, and I too welcome you to the Committee.
As I have said more than once in our discussions, in many cases the burden of following regulations can be eased just as much by providing clarification, guidance and support as by removing regulation altogether. I advocated for codes of practice in more detail in the discussion of such codes in the public sector, under clause 19, and during our debates on clauses 29 and 30, when we were discussing ICO codes more generally. New clauses 1 and 2 seem to recognise the value of codes of practice too, and both seek to provide either clarification or the sharing of best practice in terms of following the PEC regulations. I have no problem with proceeding with the Bill with these inclusions.
Amendment 5 agreed to.
I beg to move amendment 48, in clause 78, page 100, line 30, after “86” insert “and [Pre-commencement consultation]”.
This amendment is consequential on NC7.
New clause 7 clarifies that the consultation requirements imposed by the Bill in connection with or under the PEC regulations can be satisfied by consultation that takes place before the relevant provision of the Bill comes into force. That ensures that the consultation work that supports development of policy before the Bill is passed can continue and is not paused unnecessarily. A similar provision was included in section 182 of the Data Protection Act 2018. Government amendment 48 is a minor and technical amendment which is necessary as a consequence of new clause 7. I commend the new clause and amendment to the Committee.
The new clause and accompanying amendment seek to expedite work on consultation in relation to the measures in this part. It makes sense that consultation can begin before the Bill comes into force, to ensure that regulations can be acted on promptly after its passing. I have concerns about various clauses in this part, but no specific concerns about the overarching new clause, and am happy to move on to discussing the substance of the clauses to which it relates.
Amendment 48 agreed to.
Question proposed, That the clause, as amended, stand part of the Bill.
Clause 78 introduces part 4 of the Bill, which amends the Privacy and Electronic Communications (EC Directive) Regulations 2003. Clauses 79 to 86 refer to them as “the PEC Regulations” for short. They sit alongside the Data Protection Act and the UK GDPR. We will debate some of the more detailed provisions in the next few clauses.
Question put and agreed to.
Clause 78, as amended, accordingly ordered to stand part of the Bill.
Clause 79
Storing information in the terminal equipment of a subscriber or user
I beg to move amendment 116, in clause 79, page 101, line 15, leave out
“making improvements to the service”
and insert
“making changes to the service which are intended to improve the user’s experience”.
Cookies are small text files that are downloaded on to somebody’s computer or smartphone when they access a website; they allow the website to recognise the person’s device, and to store information about the user’s preferences or past actions. The current rules around using cookies, set out in regulation 6 of the PEC regulations, dictate that organisations must tell people that the cookies are there, explain what the cookies are doing and why, and finally get the person’s freely given, specific and informed consent to store cookies on their device. However, at the moment there is almost universal agreement that the system is not working as intended.
To comply with the legislation, most website have adopted what is known as a cookie banner—a notice that pops up when a user first visits the site, prompting them to indicate which cookies they are happy with. However, due to the sheer volume of those banners, in many cases people no longer feel they are giving consent because they are informed or because they freely wish to give it, but are doing so simply because the banners stop them using the website as they wish.
In their communications regarding the Bill, the Government have focused on reducing cookie fatigue, branding it one of the headline achievements of the legislation. Unfortunately, as I will argue throughout our debates on clause 79, I do not believe that the Bill will fix the problem in the way that users hope. The new exemptions to the consent requirement for purposes that present a low risk to privacy may reduce the number of circumstances in which permission might be required, but there will still be a wide-ranging list of circumstances where consent is still required.
If the aim is to reduce cookie fatigue for users, as the Government have framed the clause, the exemptions must centre on the experience of users. If they do not, the clause is not about reducing consent fatigue, but rather about legitimising large networks of online surveillance of internet users. With that in mind, amendment 116 would narrow the exemption for collecting statistical information with a view to improving a service so that it is clear that any such improvements are exclusively considered to be those from the user’s perspective. That would ensure that the term “improvements” cannot be interpreted as including sweeping changes for commercial benefit, but is instead focused only on benefits to users.
I will speak to proposed new regulation 6B when we debate later amendments, but I reiterate that I have absolute sympathy for the intention behind the clause and want as much as anyone to see an end to constant cookie banners where possible. However, we must place the consumer and user experience at the heart of any such changes. That is what we hope to ensure through the amendment, with respect to the list of exemptions.
I am grateful to the hon. Lady for making it clear that the Opposition share our general objective in the clause. As she points out, the intention of cookies has been undermined by their ubiquity when they are placed as banners right at the start. Clause 79 removes the requirement to seek consent for the placement of audience measurement cookies. That means, for example, that a business could place cookies to count the number of visitors to its website without seeking the consent of web users via a cookie pop-up notice. The intention is that the organisation could use the statistical information collected to understand how its service is being used, with a view to improving it. Amendment 116 would mean that “improvements to the service” would be narrowed in scope to mean improvements to the user’s experience of the service, but while that is certainly one desirable outcome of the new exception, we want it to enable organisations to make improvements for their own purposes, and these may not necessarily directly improve the user’s experience of the service.
Organisations have repeatedly told us how important the responsible use of data is for their growth. For example, a business may want to use information collected to improve navigation of its service to improve sales. It could use the information collected to make improvements to the back-end IT functionality of its website, which the user may not be aware of. Or it could even decide to withdraw parts of its service that had low numbers of users; those users could then find that their experience was impaired rather than improved, but the business could invest the savings gained to improve other parts of the service. We do not think that businesses should be prevented from improving services in this way, but the new exception provides safeguards to prevent them from sharing the collected data with anyone else, except for the same purpose of making improvements to the service. On that basis, I hope the hon. Lady will consider withdrawing her amendment.
I am grateful for the Minister’s answer. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 79 reforms regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which sets the rules on when an organisation can store information or gain access to information stored on a person’s device—for example, their computer, phone or tablet. This is commonly described as the cookies rule, but it includes similar technologies such as tracking pixels and device fingerprinting. Currently, organisations do not have to seek a user’s consent to place cookies that are strictly necessary to provide a service requested by the user—for example, to detect fraud or remember items in a user’s online shopping basket.
To reduce the number of cookie pop-up notices that can spoil web users’ enjoyment of the internet, clause 79 will remove the requirement for organisations to seek consent for several low privacy risk purposes, including the installation of software updates necessary for the security of the device. Government amendments 49 and 51 remove the user’s right to opt out of the software security update and the right to remove an update after it has taken effect. Government amendment 50 removes the right to disable an update before it takes effect.
Although these measures were initially included in the Bill to give web users a choice about whether security updates were installed, stakeholders have subsequently advised us that the failure to install certain updates could result in a high level of risk to the security of users’ devices and personal information. We have been reflecting on the provisions since the Bill was introduced, and have concluded that removing them is the right thing to do, in the interests of security of web users. Even if these provisions are omitted, organisations will still need to provide users with clear and comprehensive information about the purpose of software security updates. Web users will also still have the right to postpone an update for a limited time before it takes effect.
Government amendment 54 concerns the regulation-making powers under the new PEC regulations. One of the main aims is to ensure that web users are empowered to use automated technology such as browsers and apps to select their choices regarding which cookies they are willing to accept. The Secretary of State could use powers under these provisions to require consent management tools to meet certain standards or specifications. so that web users can make clear, meaningful choices once and have those choices respected throughout their use of the internet.
The Committee will note that new regulation 6B already requires the Secretary of State to consult the Information Commissioner and other interested parties before making any new regulations on consent management tools. Government amendment 54 adds the Competition and Markets Authority as a required consultee. That will help ensure that any competition impacts are properly considered when developing new regulations that set standards of design.
Finally, Government amendments 52 and 53 make minor and technical changes that will ensure that future regulations made under the reformed PEC regulations can include transitional, transitory or savings provisions. These will simply ensure there is a smooth transition to the new regime if the Secretary of State decides to make use of these new powers. I commend the amendments to the Committee.
I understand that amendments 49 to 51 primarily remove the option for subscribers or users to object to or disable an update or software for security reasons. As techUK has highlighted, the PEC regulations already contain an exemption on cookie consent for things that are strictly necessary, and it was widely accepted that security purposes met this exemption. This is reflected by its inclusion in the list of things that meet the criteria in new paragraph (5).
However, in the Bill the Government also include security updates in the stand-alone exemption list. This section introduces additional conditions that are not present in the existing law, including the requirement to offer users an opt-out from the security update and the ability to disable or postpone it. The fact that this overlap has been clarified by removing the additional conditions seems sensible. Although user choice has value, it is important that we do not leave people vulnerable to known security flaws.
In principle, Government amendment 54 is a move in the right direction. I will speak to regulation 6B in more detail when we discuss amendment 117 and explain why we want to remove it. If the regulation is to remain, it is vital that the Competition and Markets Authority be consulted before regulations are made due to the impact they will likely have in entrenching power in the hands of browser owners. That the Government have recognised that it was an oversight not to involve the CMA in any consultations is really pleasing. I offer my full support to the amendment in that context, though I do not believe it goes far enough and will advocate the removal of regulation 6B entirely in due course.
Amendment 49 agreed to.
Amendments made: 50, in clause 79, page 102, line 25, leave out “disable or”.
Clause 79 amends regulation 6 of the PEC Regulations to create new exceptions from the prohibition on storing and accessing information in terminal equipment. New paragraph (2C) contains an exception for software updates that satisfy specified requirements. This amendment removes a requirement for subscribers and users to be able to disable, not just postpone, the update.
Amendment 51, in clause 79, page 102, leave out lines 27 to 29.
Clause 79 amends regulation 6 of the PEC Regulations to create new exceptions from the prohibition on storing and accessing information in terminal equipment. New paragraph (2C) contains an exception for software updates that satisfy specified requirements. This amendment removes a requirement that, where the update takes effect, the subscriber or user can remove or disable the software.
Amendment 52, in clause 79, page 104, line 20, leave out “or supplementary provision” and insert
“, supplementary, transitional, transitory or saving provision, including provision”.—(Sir John Whittingdale.)
This amendment provides that regulations under the new regulation 6A of the PEC Regulations, inserted by clause 79, can include transitional, transitory or saving provision.
I entirely agree with my hon. Friend. He accurately sums up the reason that the Government decided it was important that the Competition and Markets Authority would have an input into the development of any facility to allow browser users to set their preferences at the browser level. We will see whether, with the advent of other browsers, AI-generated search engines and so on, the dominance is maintained, but I think he is absolutely right that this will remain an issue that the Competition and Markets Authority needs to keep under review.
That is the purpose of Government amendment 54, which will ensure that any competition impacts are considered properly. For example, we want any review of regulations to be relevant and fair to both smaller publishers and big tech. On that basis, I hope that the hon. Member for Barnsley East will consider withdrawing her amendment.
I appreciate the Minister’s comments and the Government change involving the CMA, but we simply do not believe that that is worth putting into law. We just do not know the full implications, as echoed by the hon. Member for Folkestone and Hythe. I will therefore press my amendment to a Division.
Question put, That the amendment be made.
I shall not repeat all that has been said about the purpose of the clause. To recap quickly, consent is required for any non-essential functions, such as audience measurement, design optimisation, presentation of adverts and tracking across websites but, clearly, the current system is not working well. Researchers found that people often click yes to cookies to make the banner go away and because they want to access the service quickly.
The clause will remove the requirement for organisations to seek consent to cookies placed for several low privacy risk purposes. As a result of the new exceptions we are introducing, web users should know that if they continue to see cookie pop-up messages it is because they relate to more intrusive uses of cookies. It is possible that we may identify additional types of non-intrusive cookies in the future, so the clause permits the Secretary of State to make regulations amending the exceptions to the consent requirement or introducing new exceptions.
The changes will not completely remove the existence of cookie pop-ups. However, we are committed to working with tech companies and consumer groups to promote technologies that help people to set their online preferences at browser level or by using apps. Such technology has the potential to reduce further the number of pop-ups that appear on websites. Alongside the Bill, we will take forward work to discuss what can be done further to develop and raise awareness of possible technological solutions. On that basis, I commend the clause to the Committee.
I spoke in detail about my issues with the clause during our debates on amendments 116 and 117, but overall I commend the Government’s intention to explore ways to end cookie fatigue. Although I unfortunately do not believe that these changes will solve the issues, it is pleasing that the Government are looking at ways to reduce the need for consent where the risk for privacy is low. I will therefore not stand in the way of the clause, beyond voicing my opposition to regulation 6B.
Question put and agreed to.
Clause 79, as amended, accordingly ordered to stand part of the Bill.
Clause 80
Unreceived communications
Question proposed, That the clause stand part of the Bill.
Clause 80 provides an additional power for the Information Commissioner when investigating unsolicited direct marketing through telephone calls, texts and emails—more commonly known as nuisance calls or nuisance communications.
Some unscrupulous direct marketing companies generate hundreds of thousands of calls to consumers who have not consented to be contacted. That can affect the most vulnerable in our society, some of whom may agree to buy products or services that they did not want or cannot afford. Successive Governments have taken a range of actions over the years—for example, by banning unsolicited calls from claims management firms and pensions providers—but the problem persists and further action is needed.
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Information Commissioner can investigate and take enforcement action against rogue companies where there is evidence that unsolicited marketing communications have been received by the recipient. The changes we are making in clause 80 will enable the Information Commissioner to take action in relation to unsolicited marketing communications that have been generated, as well as those received or connected.
Not every call that is generated reaches its intended target. For example, an individual may be out or may simply not pick up the phone. However, the potential for harm should be a relevant factor in any enforcement action by the Information Commissioner’s Office. The application of the regulations, through the changes in clause 80, to communications generated will more accurately reflect the level of intent to cause disturbance.
Clause 81 is a minor and technical clause that should improve the readability of the PEC regulations. The definition of “direct marketing”, which the PEC regulations rely on, is currently found in the Data Protection Act 1998. To help the reader quickly locate the definition, the clause adds the definition to the PEC regulations themselves.
Under the current PEC regulations, businesses can already send direct marketing to existing customers, subject to certain safeguards. That is sometimes known as the soft opt-in rule. Clause 82 applies the same rule to non-commercial organisations, such as charities. The changes will mean that charitable, political and non-commercial organisations will be able to send direct marketing communications to persons who have previously expressed an interest in the organisation’s aims and ideals.
The current soft opt-in rules for business are subject to certain safeguards. We have applied the same safeguards to these new provisions for non-commercial organisations. We think these changes will help non-commercial organisations, including charities and political parties, to build ongoing relationships with their supporters. There is no good reason why the soft opt-in rule should apply to businesses but not to non-commercial organisations. I hope Members will see the benefit of these measures in ensuring the balance between protecting the most vulnerable in society and supporting organisations. I commend clauses 80 to 82 to the Committee.
As I have said many times during our discussion of the Bill, I believe that the Information Commissioner should be given proportionate powers to investigate and take action where that is needed to uphold our regulations. That is no less the case with clause 80, which introduces measures that allow the Information Commissioner to investigate organisations responsible for generating unsolicited direct marketing communications, even if they are not received by anyone.
Clause 81 simply lifts the definition of “direct marketing” from the Data Protection Act 1998 and places it into the PEC regulations to increase the readability of that legislation. I have no issues with that.
Clause 82 extends the soft opt-in rules to charities and non-commercial organisations. It is only right that the legislation is consistent in offering non-profits the opportunity to send electronic marketing communications in the same way as for-profit organisations. It might, however, be worth raising the public’s awareness of the rule and of the ability to opt out at any point. If they suddenly find themselves on the end of such communications, they will have a clear understanding of why that is the case and that consent may be withdrawn if they so wish.
Question put and agreed to.
Clause 80 accordingly ordered to stand part of the Bill.
Clauses 81 and 82 ordered to stand part of the Bill.
Clause 83
Direct marketing for the purposes of democratic engagement
Before I speak to the amendment, I will set out the provisions of clause 83, which gives the Secretary of State the power to make exceptions to the PEC regulations’ direct marketing provisions for communications sent for the purposes of democratic engagement. We do not intend to use the powers immediately because the Bill contains a range of other measures that will facilitate a responsible use of personal data for the purposes of political campaigning, including the extension of the soft opt-in rule that we have just debated. However, it is important we keep the changes we are making in the Bill under review to make sure that elected representatives and parties can continue to engage transparently with the electorate and are not unnecessarily constrained by data protection and privacy rules.
The Committee will note that if the Secretary of State decided to exercise the powers, there are a number of safeguards in the clause that will maintain a sensible balance between the need for healthy interaction with the electorate and any expectations that an individual might have with regard to privacy rights. Any new exceptions would be limited to communications sent by the individuals and organisations listed in clause 83, including elected representatives, registered political parties and permitted participants in referendum campaigns.
Before laying any regulations under the clause, the Secretary of State will need to consult the Information Commissioner and other interested parties, and have specific regard for the effect that further exceptions could have on the privacy of individuals. Regulations will require parliamentary approval via the affirmative resolution procedure. Committee members should also bear in mind that the powers will not affect an individual’s right under the UK GDPR to opt out of receiving communications.
We have also tabled two technical amendments to the clause to improve the way it is drafted. Government amendment 55 will make it clear that regulations made under this power can include transitory or savings provisions in addition to transitional provisions. Such provisions might be necessary if, for example, new exceptions were only to apply for a time-limited period. Clause 84 is also technical in nature and simply sets out the meaning of terms such as “candidate”, “elected representative” and “permitted participant” for the purposes of clause 83.
The clauses mirror somewhat the involvement of democratic engagement purposes on the recognised legitimate interests list. However, here, rather than giving elected representatives and the like an exemption from completing a balancing test when processing under this purpose, the Bill paves the way for them to be exempt from certain direct marketing provisions in future.
The specific content of any future changes, however, should be properly scrutinised. As such, it is disappointing that the Government have not indicated how they intend to use such regulations in future. I appreciate that the Minister has just said that they do not intend to use them right now. Does he have in mind any examples of any exemptions that he might like to make from the direct marketing provisions for democratic engagement purposes? That is not to say that such exemptions will not be justified; just that their substance should be openly discussed and democratically scrutinised.
As I have set out, the existing data protection provisions remain under the GDPR. In terms of specific exemptions, I have said that the list will be subject to future regulation making, which will be also subject to parliamentary scrutiny. We will be happy to supply a letter to the hon. Lady to set out specific examples of where that might be the case.
Amendment 55 agreed to.
Clause 83, as amended, ordered to stand part of the Bill.
Clause 84
Meaning of expressions in section 83
Amendment made: 31, in clause 84, page 110, line 31, leave out “fourth day after” and insert
“period of 30 days beginning with the day after”.—(Sir John Whittingdale.)
Clauses 83 and 84 enable regulations to make exceptions from direct marketing rules in the PEC Regulations, including for certain processing by elected representatives. This amendment increases the period for which former members of the Westminster Parliament and the devolved legislatures continue to be treated as "elected representatives" following an election. See also NC6 and Amendment 30.
Clause 84, as amended, ordered to stand part of the Bill.
Clause 85
Duty to notify the Commissioner of unlawful direct marketing
The ambition of the clause is broadly welcome, and we agree that there is a need to tackle unwanted calls, but the communications sector, including Vodafone and BT, as well as techUK, has shared concerns that the clause, which will place a new duty on telecoms providers to report to the commissioner whenever they have “reasonable grounds” for suspecting a breach of direct marketing regulations, might not be the best way to solve the issue.
I will focus my remarks on highlighting those concerns, and how amendment 118 would address some of them. First, though, let me say that the Government have already made it clear in their explanatory notes that it is not the intention of the Bill to require providers to monitor communications. However, that has not been included in the Bill, which has caused some confusion in the communications sector.
Amendment 118 would put that confusion to rest by providing for the explicit inclusion of the clarification in the clause itself. That would provide assurances to customers who would be sure their calls and texts would not be monitored, and to telecoms companies, which would be certain that such monitoring of content was absolutely not required of them.
Secondly, the intent of the clause is indeed not to have companies monitoring communications, but many relevant companies have raised concerns around the technological feasibility of identifying instances of unlawful and unsolicited direct marketing. Indeed, the new duty will require telecommunications providers to be able to identify whether a person receiving a direct marketing call has or has not given consent to receive the call from the company making it. However, providers have said they cannot reliably know that, and have warned that there is no existing technology to conduct that kind of monitoring accurately and at scale. In the absence of communication monitoring and examples of how unsolicited direct marketing is to be identified, it is therefore unclear how companies will fulfil their duties under the clause.
That is not to say the industry is not prepared to commit significant resources to tackling unwanted calls. BT, for example, has set up a range of successful tools to help customers. That includes BT Call Protect, which is used by 4.4 million BT customers and now averages 2.35 million calls diverted per week. However, new measures must be feasible, and our amendment 118 would therefore require that guidance around the implementation of the clause include illustrative examples of the grounds on which a provider may reasonably suspect that a person is contravening, or has contravened, any of the direct marketing regulations.
If the Minister does not intend to support the amendment, I would like to hear such examples from him today, so that the communications sector was absolutely clear about how to fulfil its new duties, given the technology available.
As the hon. Lady has said, amendment 118 would require the commissioner to state clearly in the guidance that the new duty does not oblige providers to intercept or monitor the content of electronic communications in order to determine whether there has been a contravention of the rules. It would also require the guidance to include illustrative examples of the types of activity that may cause a provider reasonably to suspect that there had been a contravention of the requirements.
I recognise that the amendment echoes concerns that have been raised by communications service providers, and that there has been some apprehension about exactly what companies will have to do to comply with the duty. In response, I would emphasise that “reasonable grounds” does mean reasonable in all circumstances.
The hon. Lady has asked for an example of the kind of activity that might give reasonable grounds for suspicion. I direct her to the remarks I made in moving the amendment and the example of a very large number of calls being generated in rapid succession in which, in each case, the telephone number is simply one digit away from the number before. The speed at which that takes place does provide reasonable grounds to suspect that the requirement to, for instance, check with the TPS is not being fulfilled.
There are simple examples of that kind, but I draw the attention of the hon. Lady and the Committee to the consultation requirements that will apply to the ICO’s guidance. In addition to consulting providers of public electronic communications networks and services on the development of the guidance, the ICO will be required to consult the Secretary of State, Ofcom and other relevant stakeholders to ensure that the guidance is as practical and useful to organisations as possible.
I completely agree; my hon. Friend is right to make that distinction. Companies should use their best endeavours, but it is worth repeating that the guidance does not expect service and network providers to monitor the content of individual calls and messages to comply with the duty. There is more interest in patterns of activity on networks, such as where a rogue direct marketing firm behaves in the manner that I set out. On that basis, I ask the hon. Lady not to press her amendment to a vote.
I appreciate the Minister’s comments and those of the hon. Member for Folkestone and Hythe. We have no issue with the monitoring of patterns; we wanted clarification on the content. I am not sure that the Minister addressed the concerns about the fact that, although the Government have provided a partial clarification in the explanatory notes, this is not in the Bill. For that reason, I will press my amendment to a vote.
Amendment 56 agreed to.
Amendment proposed: 118, in clause 85, page 113, line 3, at end insert—
“(1A) Guidance under this section must—
(a) make clear that a provider of a public electronic communications service is not obligated to monitor the content of individual electronic communications in order to determine whether those communications contravene the direct marketing regulations; and
(b) include illustrative examples of the grounds on which a provider may reasonably suspect that a person is contravening or has contravened any of the direct marketing regulations.”—(Stephanie Peacock.)
Question put, That the amendment be made.
Before turning specifically to the provisions of the amendment, I will set out the provisions of clause 86 and schedule 10. Clause 86 updates the ICO’s powers in respect of enforcing the PEC regulations. Currently, the ICO has to rely mainly on outdated powers in the Data Protection Act 1998 to enforce breaches of the PEC regulations. The powers were not updated when the UK GDPR and the Data Protection Act came into force in 2018. That means that some relatively serious breaches of the PEC regulations, such as nuisance calls being generated on an industrial scale, cannot be investigated as effectively or punished as severely as breaches under the data protection legislation.
The clause will therefore give the ICO the same investigatory and enforcement powers in relation to breaches of the PEC regulations as currently apply to breaches of the UK GDPR and the 2018 Act. That will result in a legal framework that is more consistent and predictable for organisations, particularly for those with processing activities that engage both the PEC regulations and the UK GDPR.
Clause 86 and schedule 10 add a new schedule to the PEC regulations, which sets out how the investigatory and enforcement powers in the 2018 Act will be applied to the PEC regulations. Among other things, that includes the power for the Information Commissioner to impose information notices, assessment notices, interview notices and enforcement and penalty notices. The maximum penalty that the Information Commissioner can impose for the most serious breaches of the PEC regulations will be increased to the same levels that can be imposed under the UK GDPR and the Data Protection Act. That is up to 4% of a company’s annual turnover or £17.5 million, whichever is higher.
Relevant criminal offences under the Data Protection Act, such as the offence of deliberately frustrating an investigation by the Information Commissioner by destroying or falsifying information, are also applied to the PEC regulations. The updated enforcement provisions in new schedule 1 to the PEC regulations will retain some pre-existing powers that are unique to the previous regulations.
Clause 86 also updates regulation 5C of the PEC regulations, which sets out the fixed penalty amount for a failure to report a personal data breach under regulation 5. Currently, the fine level is set at £1,000. The clause introduces a regulation-making power, which will be subject to the affirmative procedure, for the Secretary of State to increase the fine level. We have tabled Government amendment 57 to provide an explicit requirement for the Secretary of State to consult the Information Commissioner and any other persons the Secretary of State considers appropriate before making new regulations. The amendment also confirms that regulations made under the power can include transitional provisions.
Finally, we have tabled two further minor amendments to schedule 10. Government amendment 58 makes a minor correction by inserting a missing schedule number. Government amendment 32 adjusts the provision that applies section 155(3)(c) of the Data Protection Act for the purposes of the PEC regulations. That is necessary as that section is being amended by schedule 4. Without making those corrective amendments, the provisions will not achieve the intended effect.
Clause 86 and schedule 10 insert and clarify the commissioner’s enforcement powers with regards to privacy and electronic communications regulation. Particularly of note within the proposals is the move to increase fines for nuisance calls and messages to a higher maximum penalty of £17.5 million or 4% of the undertaking’s total annual worldwide turnover, whichever is higher. That is one of the Government’s headline commitments in the Bill and should create tougher punishments for those who are unlawfully pestering people through their phones.
We are in complete agreement that more must be done to stop unwanted communications. However, to solve the problem as a whole, we must take stronger action on scam calling as well as on instances of unsolicited direct marketing. Labour has committed to going further than Ofcom’s new controls on overseas scam calls and has proposed the following to close loopholes: first, no phone call made from overseas using a UK telephone number should have that number displayed when it appears on a UK mobile phone or digital landline; and secondly, all mobile calls from overseas using a UK number should be blocked unless the network provider confirms that the known bill payer for the number is currently roaming. To mitigate the fact that some legitimate industries rely on overseas call centres that handle genuine customer service requests, we will also require Ofcom to register those legitimate companies and their numbers as exceptions to the blocking.
As the clause and schedule seek to take strong action against unwanted communications, I would be pleased to hear from the Minister whether the Government would consider going further and matching our commitments on overseas scam calling, too.
I say to the hon. Lady that the provisions deal specifically with nuisance calls, not necessarily scam calls. As she will know, the Government have a comprehensive set of policies designed to address fraud committed through malicious or scam calls, and those are being processed through the fraud prevention strategy. I accept that more needs to be done and say to her that it is already taking place.
Amendment 57 agreed to.
Clause 86, as amended, ordered to stand part of the Bill.
Schedule 10
Privacy and electronic communications: Commissioner’s enforcement powers
Amendments made: 32, in schedule 10, page 180, line 25, leave out “for “data subjects”” and insert
“for the words from “data subjects” to the end”.
This amendment adjusts provision applying section 155(3)(c) of the Data Protection Act 2018 (penalty notices) for the purposes of the PEC Regulations to take account of the amendment of section 155(3)(c) by Schedule 4 to the Bill.
Amendment 58, in schedule 10, page 183, line 5, at end insert “15”.—(John Whittingdale.)
This amendment inserts a missing Schedule number, so that the provision refers to Schedule 15 to the Data Protection Act 2018.
Schedule 10, as amended, agreed to.
Clause 87
The eIDAS Regulation
Question proposed, That the clause stand part of the Bill.
“Trust services” refers to services including those relating to electronic signatures, electronic seals, timestamps, electronic delivery services and website authentication. As has been mentioned, trust services are required to meet certain standards and technical specifications for operation across the UK economy, which are outlined under eIDAS regulations. These clauses seek to make logistical adjustments to that legal framework for trust service products and services within in the UK.
Although we understand that the changes are intended to enable flexibility in case EU regulations should no longer be adequate, and absolutely agree that we must future-proof regulations to ensure that standards are always kept high, we must also ensure that any changes made are necessary, to ensure that standards remain high, rather than being made simply for their own sake. It is vital that any alterations made are genuinely intended to improve current practices and have been thoroughly considered to ensure that they are making positive and meaningful change.
Question put and agreed to.
Clause 87 accordingly ordered to stand part of the Bill.
Clauses 88 to 91 ordered to stand part of the Bill.
Clause 92
Disclosure of information to improve public service delivery to undertakings
Question proposed, That the clause stand part of the Bill.
The clause will amend the Digital Economy Act 2017 to extend the powers under section 35 to include businesses. Existing powers enable public authorities to share data to support better services to individuals and households. The Government believe that businesses too can benefit from responsive, joined-up public services across the digital economy. The clause introduces new data sharing powers allowing specified public authorities to share data with other specified public authorities for the purposes of fulfilling their functions.
The sharing of data will also provide benefits for the public in a number of ways. It will pave the way for businesses to access Government services more conveniently, efficiently and securely—by using digital verification services, accessing support when trying to start up new businesses, completing import and export processes or applying for Government grants such as rural grants, for example. Any data sharing will of course be carried out in accordance with the requirements of the Data Protection Act and the UK GDPR.
Being able to share data about businesses will bring many benefits. For example, by improving productivity while keeping employment high we can earn more, raising living standards, providing funds to support our public services and improving the quality of life for all citizens. Now that we have left the EU, businesses that take action to improve their productivity will increase their resilience to changing market conditions and be more globally competitive. The Minister will be able to make regulations to add new public authorities to those already listed in schedule 4 to the Digital Economy Act. However, any regulations would be made by the affirmative procedure, requiring the approval of both Houses. I commend the clause to the Committee.
The clause amends section 35 of the Digital Economy Act to enable specified public authorities to share information to improve the delivery of public services to businesses with other specified persons. That echoes the existing legal gateway that allows for the sharing of information on improving the delivery of public services to individuals and households.
I believe that the clause is a sensible extension, but would have preferred the Minister and his Department to have considered public service delivery more broadly when drafting the Bill. While attention has rightly been paid throughout the Bill to making data protection regulation work in the interests of businesses, far less attention has gone towards how we can harness data for the public good and use it to the benefit of our public services. That is a real missed opportunity, which Labour would certainly have taken.
Question put and agreed to.
Clause 92 accordingly ordered to stand part of the Bill.
Clause 93
Implementation of law enforcement information-sharing agreements
I beg to move amendment 8, in clause 93, page 119, line 18, leave out first “Secretary of State” and insert “appropriate national authority”.
This amendment, Amendment 10 and NC5 enable the regulation-making power conferred by clause 93 to be exercised concurrently by the Secretary of State and, in relation to devolved matters, by Scottish Ministers and Welsh Ministers.
Clause 93 creates a delegated power for the Secretary of State, and a concurrent power for Welsh and Scottish Ministers, to make regulations to implement international agreements relating to the sharing of information for law enforcement purposes. The concurrent power for Welsh and Scottish Ministers has been included in an amendment to the clause. While international relations are a reserved matter, the domestic implementation of the provisions likely to be contained in future international agreements may be devolved, given that law enforcement is a devolved matter to various extents in each devolved Administration.
In the light of introducing a concurrent power for Welsh and Scottish Ministers, amendments to clauses 93 and 108 have been tabled, as has new clause 5. Together they specifically detail the appropriate national authority that will have the power to make regulations in respect of clause 93. The Government amendments make it clear that the appropriate national authority may make the regulations. New clause 5 then defines who is an appropriate national authority for those purposes. I therefore commend new clause 5 and the related Government amendments to the Committee.
It is right that the powers conferred by clause 93 can be exercised by devolved Ministers where appropriate. I therefore have no objections to the amendments or the new clause.
Amendment 8 agreed to.
Amendments made: 9, in clause 93, page 119, line 18, leave out second “Secretary of State” and insert “authority”.
This amendment is consequential on Amendment 8.
Amendment 10, in clause 93, page 119, line 36, at end insert—
‘“appropriate national authority” has the meaning given in section (Meaning of “appropriate national authority”);’.—(Sir John Whittingdale.)
See the explanatory statement for Amendment 8.
Question proposed, That the clause, as amended, stand part of the Bill.
As I have already set out, clause 93 creates a delegated power for the Secretary of State, along with a concurrent power for Welsh and Scottish Ministers, to make regulations to implement international agreements relating to the sharing of information for law enforcement purposes. The legislation will provide powers to implement technical aspects of such international agreements via secondary legislation once the agreements have been negotiated.
Clause 93 stipulates that regulations can be made in connection with implementing an international agreement only in so far as it relates to the sharing of information for law enforcement purposes, and that any data sharing must comply with data protection legislation. These measures will enable the implementation of new international agreements designed to help keep the public safe from the threat posed by international criminality and cross-border crime, as well as helping to protect vulnerable people.
Clauses 94 to 98 amend the Births and Deaths Registration Act, with the overall effect of removing the provision for birth and death records to be kept on paper, and allowing them to be held in an online database. This is a positive move, with the potential to bring many benefits. First, it will improve the functioning of the registration system—for example, it will allow the Registrar General and the superintendent registrar to have immediate access to all birth and death entries as soon as they have been entered into the system. The changes will undoubtedly be important to families who are experiencing joy or loss, because they make registrations easier and more likely to be correct in the first instance, minimising unnecessary clarifications at what can often be a very difficult time. Indeed, one of the recommendations of the 2022 UK Commission on Bereavement’s landmark report, which looked at the key challenges facing bereaved people in this country, was that it should be possible to register deaths online.
It is great that the Government have chosen to pursue this change. However, despite it being the recommendation listed right next to online death registration, the Government have not used this opportunity to explore the potential of extending the Tell Us Once service, which is disappointing. Indeed, the existing Tell Us Once service has proved very helpful to bereaved people in reducing the administrative burden they face, by enabling them to inform a large number of Government and public sector bodies in one process, rather than forcing them to go through the same process time and again. However, private organisations are not included, and loved ones are still tasked with contacting organisations such as employers, energy and electricity companies, banks, telephone and internet providers, and more. At a time of emotional struggle, this is a huge administrative burden to place on the bereaved and leaves them vulnerable to other unsettling variables, such as communication barriers and potentially insensitive customer service.
The commission found that 61% of adult respondents reported experiencing practical challenges when notifying the organisations that need to be made aware of the death of a loved one. We are therefore disappointed that the Government have not explored whether the Bill could extend the policy to the private sector in order to further reduce the burden on grieving friends and families, and make the inevitably difficult process a little easier. Overall, however, the clauses will mark a positive change for families up and down the country, and we are pleased to see them implemented.
I merely say to the hon. Lady that, having used the Tell Us Once service myself in relation to the death of my mother not that long ago, I absolutely hear what she says about the importance of making the process as easy as possible. We will certainly consider what she says.
Question put and agreed to.
Clause 94 accordingly ordered to stand part of the Bill.
Information standards govern how data can be shared and compared across a sector. They are important in every sector in which they operate, but particularly in health, where they are critical to enabling the information sharing and interoperability necessary for good patient outcomes across health and social care services. For many reasons, however, we do not have a standard national approach to health data; as such, patients receive a far from seamless experience between different healthcare services. The Bill’s technical amendments and clarifications of existing rules on information standards in health, and how they interact with IT and IT services, are small but good steps in the journey towards trying resolve that.
Tom Schumacher of Medtronic told us in oral evidence that one of the problems faced by his organisation and NHS trusts is
“variability in technical and IT security standards.”
He suggested that harmonising those standards would be a “real opportunity,” since it would mean that
“each trust does not have to decide for itself which international standard to use and which local standard to use.”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 42, Q90.]
However, it is unclear how much headway these IT-related changes will make in providing that harmonisation, let alone the seamless service that patients so often call for.
I have one query that I hope the Minister can help with. MedConfidential has shared with us a concern that new section 251ZE of the Health and Social Care Act 2012 on accreditation of information technology, which is introduced by schedule 12, seems to imply that the Department of Health and Social Care and NHS England will have the power to set data standards in social care. MedConfidential says that would be a major policy shift, and that it seems unusual to implement such a shift through an otherwise unrelated Bill. Will the Minister write to me to clarify whether it is the Government’s intention to have DHSC and NHS England take over the information infrastructure of social care—and, if so, why they have come to that decision?
I am grateful to the hon. Lady for her support in general. I hear the concern that she expressed on behalf of the firm that has been in contact with her. We will certainly look into that, and I will be happy to let her have a written response in due course.
Mr Paisley, might I beg the Committee’s indulgence to correct the record? I incorrectly credited the hon. Member for Solihull for the private Member’s Bill, but it was in fact my hon. Friend the Member for Meriden (Saqib Bhatti). I apologise to him for getting his constituency wrong—
(1 year, 6 months ago)
Public Bill CommitteesI think we will come on to some of the questions around the fees that are potentially payable, particularly by those organisations that may be required to provide more evidence, and the costs that that could entail. I will return to that subject shortly.
The new strategic framework acknowledges the breadth of the ICO’s remit and its impact on other areas. We believe that it will provide clarity for the commissioner, businesses and the general public on the commissioner’s objectives and duties. I therefore commend clause 27 to the Committee.
The importance to any data protection regime of an independent, well-functioning regulator cannot be overstated. The ICO, which is soon to be the Information Commission as a result of this Bill, is no exception to that rule. It is a crucial piece of the puzzle in our regime to uphold the information rights set out in regulation. Importantly, it works in the interests of the general public. The significance of an independent regulator is also recognised by the European Commission, which deems it essential to any adequacy agreement. The general duties of our regulator, such as those set out in this clause, are therefore vital because they form the foundations on which it operates and the principles to which it must be accountable.
Although the duties are more an indicator of overarching direction than a prescriptive list of duties, they should still aim to reflect the wide range of tasks that the regulator carries out and the values with which they do so. On the whole, the clause does this well. Indeed, the principal objective for the commissioner set out in this clause, which is
“to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and…to promote public trust and confidence in the processing of personal data”
is a good overarching starting point. It simply outlines the basic functions of the regulator that we should all be able to get behind, even if the Bill itself does disappointingly little to encourage the promotion of public trust in data processing.
It is particularly welcome that the principal objective includes specific regard to
“matters of general public interest.”
This should cover things like the need to consider sustainability and societal impact. However, it is a shame that that is not made explicit among the sub-objectives, which require the commissioner to have regard to the likes of promoting innovation and safeguarding national security. That would have ingrained in our culture a desire to unlock data for the wider good, not just for the benefit of big tech. Overall, however, the responsibilities set out in the clause, and the need to report on fulfilling them, seem to reflect the task and value of the regulator fairly and accurately.
I think that was slightly qualified support for the clause. Nevertheless, we welcome the support of the Opposition.
Question put and agreed to.
Clause 27 accordingly ordered to stand part of the Bill.
Clause 28
Strategic priorities
Clause 28 provides a power for the Secretary of State to prepare a statement of strategic priorities relating to data protection as part of the new strategic framework for the Information Commissioner. The statement will contain only the Government’s data protection priorities, and the Secretary of State may choose to include both domestic and international priorities. That will enable the Government to provide a transparent statement of how their data protection priorities fit in with their wider agenda, giving the commissioner, we hope, helpful context.
Although the commissioner must take the statement into account when carrying out his functions, he is not required to act in accordance with it. That means that the statement will not be used in a way to direct what the commissioner may and may not do. Once the statement is drafted, the Secretary of State will be required to lay it before Parliament, where it will be subject to the negative resolution procedure before it can be designated. The commissioner will need to consider the statement when carrying out functions under the data protection legislation, except functions relating to a particular person, case or investigation.
Once designated, the commissioner will be required to respond to the statement, outlining how he intends to consider it in future data protection work. The commissioner will also be required to report on how he has considered the statement in his annual report. I commend the clause to the Committee.
Clause 28 requires that every three years the Secretary of State publish a statement of strategic priorities for the commissioner to consider, respond to, and have regard to. The statement would be subject to the negative resolution procedure in Parliament, and the commissioner would be obliged to report on what they have done to comply with it annually. Taken in good faith, I see what the clause was intended to achieve. It is, of course, important that the Government’s data priorities are understood by the commissioner. It is also vital that we ensure that the regulator functions in line with the most relevant issues of the day, given the rapidly evolving landscape of technology.
A statement of strategic priorities could, in theory, allow the Government to set out their priorities on data policy in a transparent way, allowing both Ministers and the ICO to be held accountable for their relationship. However, there is and must be a line drawn between the ICO understanding the modern regulatory regime that it will be expected to uphold and political interference in the activities and priorities of the ICO. The Open Rights Group, among others, has expressed concern that the introduction of a statement of strategic priorities could cross that line, exposing the ICO to political direction, making it subject to culture wars and leaving it vulnerable to corporate capture or even corruption.
Although the degree to which those consequences would become a reality given the current strength of our regulator might be up for debate, the very concept of the Government setting out a statement of strategic priorities that must be adhered to by the commissioner at the very least sets out a need for the ICO to follow some sort of politically led direction, something that seems counterintuitive with respect to independence. As I have already argued, an independent ICO is vital not only directly, for data subjects to be sure that their rights will be implemented and for controllers to be sure of their obligations, but indirectly, as a crucial component of our EU adequacy agreement.
Even though the clause may not be intended to threaten independence, we must be extremely careful not to unintentionally embark on a slippery slope, particularly as there are other mechanisms for ensuring that the ICO keeps up with the times and has a transparent relationship with Government. In 2022, the ICO published its new strategic plan, ICO25, which sets out why its work is important, what it wants to be known for and by whom, and how it intends to achieve that by 2025. It describes the ICO’s purpose, objectives and values and the shift in approach that it aims to achieve through the life of the plan, acknowledging that its work is
“complex, fast moving and ever changing.”
The plan was informed by extensive stakeholder consultation and by the responsibilities that the ICO has been given by Parliament. There are therefore ways for the ICO to communicate openly with Government, Parliament and other relevant stakeholders to ensure that its direction is in keeping with the most relevant challenges and with updates to legislation and Government activity. Ministers might have been better off encouraging transparent reviews, consultations and strategies of that kind, rather than prompting any sort of interference from politicians with the ICO’s priorities.
We agree about the importance of the independence of the Information Commissioner, but I do not think that the statement, as we have set out, is an attempt to interfere with that. I remind the hon. Lady that in relation to the statement of strategic priorities, she asked the Information Commissioner himself:
“Do you perceive that having any impact on your organisation’s ability to act independently of political direction?”,
and he replied:
“No, I do not believe it will undermine our independence at all.”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 6, Q3.]
The Minister is right to quote the evidence session, but he will perhaps also remember that in a later session Ms Irvine from the Law Society of Scotland said that she was surprised by the answer given by the Information Commissioner.
Ms Irvine may have been surprised. I have to say that we were not. What the Information Commissioner said absolutely chimed with our view of the statement, so I am afraid on this occasion I will disagree with the Law Society of Scotland.
Question put, That the clause stand part of the Bill.
Given the significant number of ways in which personal data can be used, we believe that it is important that the regulator provides guidance for data controllers, particularly on complex and technical areas of the law, and that the guidance should be accessible and enable compliance with the legislation efficiently and easily. We are therefore making a number of reforms to the process by which the Information Commissioner produces statutory codes of practice.
Clause 29 is a technical measure that ensures that all statutory codes of practice issued under the Data Protection Act 2018 follow the same parliamentary procedures, have the same legal effect, and are published and kept under review by the Information Commissioner. Under sections 121 to 124 of the Data Protection Act, the commissioner is obliged to publish four statutory codes of practice: the data sharing code, the direct marketing code, the age-appropriate design code, and the data protection and journalism code. The DPA includes provisions concerning the parliamentary approval process, requirements for publication and review by the commissioner, and details of the legal effect of each of the codes. So far, the commissioner has completed the data sharing code and the age-appropriate design code.
Section 128 of the Act permits the Secretary of State to make regulations requiring the Information Commissioner to prepare other codes that give guidance as to good practice in the processing of personal data. Those powers have not yet been used, but may be useful in the future. However, due to the current drafting of the provisions, any codes required by regulations made by the Secretary of State and issued by the commissioner would not be subject to the same formal parliamentary approval process or review requirements as the codes issued under sections 121 to 124. In addition, they do not have the same legal effect, and courts and tribunals would not be required to take a relevant provision of the code into account when determining a relevant question. Clearly, it is not appropriate to have two different standards of statutory codes of practice. To address that, clause 29 replaces the original section 128 with new section 124A, so that codes required in regulations made by the Secretary of State follow a similar procedure to codes issued under sections 121 to 124.
New section 124A provides the Secretary of State with the power to make regulations requiring the commissioner to produce codes of practice giving guidance as to good practice in the processing of personal data. Before preparing any code, the commissioner must consult the Secretary of State and other interested parties such as trade associations, data subjects and groups representing data subjects. That is similar to the consultation requirements for the existing codes. The parliamentary approval processes and requirements for the ICO to keep existing codes under review are also extended to any new codes required by the Secretary of State. The amendment also ensures that those codes requested by the Secretary of State have the same legal effect as those set out on the face of the DPA.
Clauses 30 and 31 introduce reforms to the process by which the commissioner develops statutory codes of practice for data protection. They require the commissioner to undertake and publish impact assessments, consult with a panel of experts during the development of a code, and submit the final version of a code to the Secretary of State for approval. Those processes will apply to the four statutory codes that the commissioner is already required to produce and to any new statutory codes on the processing of personal data that the commissioner is required to prepare under regulation made by the Secretary of State.
The commissioner will be required to set up and consult a panel of experts when drafting a statutory code. That panel will be made up of relevant stakeholders and, although the commissioner will have discretion over its membership, he or she will be required to explain how the panel was chosen. The panel will consider a draft of a statutory code and submit a report of its recommendations to the commissioner. The commissioner will be required to publish the panel’s response to the code and, if he chooses not to follow a recommendation, the reasons must also be published.
Clause 30 also requires the commissioner to publish impact assessments setting out who will be affected by the new or amended code and the impact it will have on them. While the commissioner currently carries out impact assessments when developing codes of practice, we believe that there are advantages to formalising an approach on the face of the legislation to ensure consistency.
Given the importance of the statutory codes, we believe it is important that there is a further degree of democratic accountability within the process. Therefore, clause 31 requires the commissioner to submit the final version of a statutory code to the Secretary of State for approval.
On that basis, I commend the relevant clauses to the Committee, but I am aware that the hon. Member for Barnsley East wishes to propose an amendment.
I turn first to clauses 29 and 30. Codes of practice will become increasingly important as the remit of the ICO expands and modernises. As such, it is important that the codes are developed in a way that is conducive to the product being as effective and useful as possible.
Although the ICO already carries out impact assessments for new codes of practice, that is only done as best practice and currently does not have any statutory underpinning. It is therefore pleasing to see clauses that will require consistency and high standards when developing new codes, ensuring that the resulting products are as comprehensive and helpful as possible. It is welcome, for example, to see that experts will be consulted in the process of developing these codes, including Government officials, trade associations and data subjects. It is also good to see that the commissioner will be required to publish a statement relating to the establishment of the expert panel, including how and why members were selected.
The new threshold contained in the clause has been discussed in debates under clause 7, and I refer hon. Members to my remarks in those debates, as many of the same concerns apply. The guidance that will be needed to interpret the terms “vexatious” and “excessive” should be no less applicable to the Information Commissioner, whose co-operation with data subjects and transparency should be exemplary, not least because the functioning of the regulator inherently sets an example for other organisations on how the rules should be followed.
Question put and agreed to.
Clause 32, as amended, accordingly ordered to stand part of the Bill.
Clause 33
Analysis of performance
Question proposed, That the clause stand part of the Bill.
Clause 33 introduces the requirement for the Information Commissioner to prepare and publish an analysis of their performance, using key performance indicators. The regulator will be required to publish that analysis at least annually. The commissioner will have the discretion to decide which factors effectively measure their performance.
Improving the commissioner’s monitoring and reporting mechanisms will strengthen their accountability to Parliament, organisations and the public, who have an interest in the commissioner’s effectiveness. Performance measurement will also have benefits for the commissioner, including by supporting their work of measuring progress towards their objectives and ensuring that resources are prioritised in the right areas. I urge that clause 33 stand part of the Bill.
I welcome the clause, as did the majority of respondents who supported the proposal in the “Data: a new direction” consultation. As recognised by the Government’s response to their consultation, respondents felt the proposal would allow for the performance of the ICO to be assessed publicly and provide evidence of how the ICO is meeting its statutory obligations. We should do all we can to promote accountability, transparency and public awareness of the obligations and performance of the ICO. The clause allows for just that.
Question put and agreed to.
Clause 33 accordingly ordered to stand part of the Bill.
Clause 34
Power of the Commissioner to require documents
Question proposed, That the clause stand part of the Bill.
This is a slightly chunkier set of clauses and amendments, so I will not be as brief as in the last two debates.
Clause 34 is a clarificatory amendment to the Information Commissioner’s powers in section 142 of the Data Protection Act to require information. Its purpose is to clarify the commissioner’s existing powers to put it beyond doubt that the commissioner can require specific documents as well as information when using the information notice power. Subsections (3) to (7) of the clause make consequential amendments to references to information notices elsewhere in the Data Protection Act.
Clause 35 makes provision for the Information Commissioner to require a data controller or processor to commission a report from an approved person on a specified matter when exercising the power under section 146 of the Data Protection Act to issue an assessment notice. The aim of the power is to ensure that the regulator can access information necessary to its investigations.
In the event of a data breach, the commissioner is heavily dependent on the information that the organisation provides. If it fails to share information—for example, because it lacks the capability to provide it—that can limit the commissioner’s ability to conduct a thorough investigation. Of course, if the organisation is able to provide the necessary information, it is not expected that the power would be used. The commissioner is required to act proportionately, so we expect that the power would be used only in a small minority of investigations, likely to be those that are particularly complex and technical in nature.
Clause 36 grants the Information Commissioner the power to require a person to attend an interview and answer questions when investigating a suspected failure to comply with data protection legislation. At the moment, the Information Commissioner can only interview people who attend voluntarily, which means there is a heavy reliance on documentary evidence. Sometimes that is ambiguous or incomplete and can lead to uncertainty. The ability to require a person to attend an interview will help to explain an organisation’s practices or evidence submitted, and circumvent a protracted and potentially fruitless series of back-and-forth communication via information notices. The power is based on existing comparable powers for the Financial Conduct Authority and the Competition and Markets Authority.
Clause 37 amends the provisions for the Information Commissioner to impose penalties set out in the Data Protection Act. It will allow the commissioner more time, where needed, to issue a final penalty notice after issuing a notice of intent. At the moment the Act requires the commissioner to issue a notice of intent to issue a penalty notice; the commissioner then has up to six months to issue the penalty notice unless an extension is agreed. That can prove difficult in some cases—for instance, if the organisation under investigation submits new evidence that affects the case at a late stage, or when the legal representations are particularly complex. The clause allows the regulator more time to issue a final penalty notice after issuing a notice of intent, where that is needed. That will benefit business, as it means the commissioner can give organisations more time to prepare their representations, and will result in better outcomes by ensuring that the commissioner has sufficient time to assess representations and draw his conclusions.
Clause 38 introduces the requirement for the Information Commissioner to produce and publish an annual report on regulatory activity. The report will include the commissioner’s investigatory activity and how the regulator has exercised its enforcement powers. That will lead to greater transparency of the commissioner’s regulatory activity.
Clauses 34 to 37, as I said, make changes to the Data Protection Act 2018 in respect of the Information Commissioner’s enforcement powers. Consequential on clauses 35 and 36, clause 42 makes changes to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016, known as the EITSET regulations. The EITSET regulations extend and modify the Information Commissioner’s enforcement powers to apply to its role as the supervisory body for trust service providers under the UK regulations on electronic identification and trust services for electronic transactions, known as the UK eIDAS. Clause 42 amends the EITSET regulations to ensure that the new enforcement powers introduced by clauses 34 to 37 are available to the Information Commissioner for the purposes of regulating trust service providers.
The new powers will help to ensure that the Information Commissioner is able to access the evidence needed to inform investigations. The powers will result in more informed investigations and, we believe, better outcomes. Clause 42 ensures that the Information Commissioner will continue to be able to act as an effective supervisory body for trust service providers established in the UK.
Government amendment 47 amends schedule 2 to the EITSET regulations. The amendment 2 is consequential to the amendment of section 155(3)(c) of the Data Protection Act made by schedule 4 to the Bill. The amendment to schedule 2 will remove the reference to consultation under section 65 of the Data Protection Act when section 155 is applied. It is necessary to remove reference to section 65 of the Data Protection Act when section 155 is applied with modification under schedule 2, as consultation requirements under that section are not relevant to the regulation of trust service providers under the UK eIDAS.
I hope that that is helpful to Members in explaining the merits of our approach to ensuring that the Information Commissioner has the right enforcement tools at its disposal and continues to be an effective and transparent regulator. I commend the clauses and Government amendment 47 to the Committee.
I will speak to each of the relevant clauses in turn. On clause 34, I am satisfied that the clarification that the Information Commissioner can require documents as well as information is necessary and will be of use to the regulator. I am pleased therefore pleased to accept the clause as drafted and to move on to the other clauses in this part.
Clause 35 provides for the commissioner to require an approved person to prepare a report on a specified matter, as well as to provide statutory guidance on, first, the factors it considers when deciding to require such a report and, secondly, the factors it considers when determining whom the approved person might be. That power to commission technical reports is one that the vast majority of respondents to the “Data: a new direction” consultation supported, as they felt it would lead to better informed ICO investigations. Any measures that help the ICO to carry out its duties rigorously and to better effect, while ensuring that relevant safeguards apply, are measures that I believe Members across the Committee will want to support.
In the consultation, however, the power was originally framed to commission a “technical report”, implying that it would be limited to particularly complex and technical investigations where there is significant risk of harm or detriment to data subjects. Although the commissioner is required to produce guidance on the circumstances in which a report might be required, I would still like clarification from the Minister of why such a limit was not included in the Bill as drafted. Does he expect it to be covered by the guidance produced by the ICO? Such a clarification is necessary not because we are against clause 35 in principle, just in acknowledgement that ICO’s powers—indeed, enforcement powers generally—must always be proportionate to the task at hand.
Furthermore, some stakeholders have said that it is unclear whether privilege will attach to reports required by the ICO and whether they may be disclosable to third parties who request copies of them. Greater clarity about how the power will operate in practice would therefore be appreciated.
Turning to clause 36, it is a core function of the ICO to monitor and enforce the UK’s data protection legislation and rules, providing accountability against the activities of all controllers, processors and individuals. To fulfil that function, the ICO may have to conduct an investigation to establish a body of evidence and determine whether someone has failed to comply with the legislation. The Government’s consultation document said that the ICO sometimes faces problems engaging organisations in those investigations, despite their having a duty to co-operate fully, especially in relation to interviews, as many people are nervous of negative consequences in their life or career if they participate in one. However, interviews are a crucial tool for investigations, as not all the relevant evidence will be available in written form. Indeed, that may become even more the case after the passing of this Bill, due to the reduced requirements to keep records, conduct data protection impact assessments and assign data protection officers—all of which contribute to a larger pool of documentation tracking data processing.
Clause 36, which will explicitly allow the ICO to compel witnesses to comply with interviews as part of an investigation, will, where necessary, ensure that as much relevant evidence as possible is obtained to inform the ICO’s judgment. That is something that we absolutely welcome. It is also welcome to see the safeguards that will be put in place under this clause, including the right not to self-incriminate and exemptions from giving answers that would infringe legal professional privilege or parliamentary privilege. That will ensure that the investigatory powers of the ICO stay proportionate to the issues at hand. In short, clause 36 is one that I am happy to support. After all, what is the purpose of us ensuring that data protection legislation is fit for purpose here today if the ICO is unable to actually determine whether anyone is complying?
On clause 37, it seems entirely reasonable that the ICO may require more than the standard six months to issue a penalty notice in particularly complex investigations. Of course, it remains important that the operations of the ICO are not allowed to slow unduly in cases where a penalty can be issued in the usual timeframe, but where the subject matter is particularly complicated, it makes sense to allow the ICO an extension to enable the investigation to be concluded in the proper, typically comprehensive manner. Indeed, complex investigations may be more common as we adjust to the new data legislation and a rapidly evolving technological landscape. By conducting the investigations properly and paying due attention to particularly technical issues, new precedents can be set that will speed up the regulator’s processes on the whole. Clause 37 is therefore welcomed by us, as it was by the majority of respondents to the Government’s consultation.
Turning to clause 38, as we have said multiple times throughout the progress of this Bill and in Committee, transparency and data protection should go hand in hand. Requiring the ICO to publish information each year on the investigations it has undertaken and the powers it has used will embed a further level of transparency into the regulatory system. Transparency breeds accountability, and requiring the regulator to publish information on the powers it is using will encourage such powers to be used proportionately and appropriately. Publishing an annual report with that information should also give us a better idea of how effectively the new regulatory regime is working. For example, a high volume of cases on a recurring issue could indicate a problem within the framework that needs addressing. Overall, it is welcome that Parliament and the public should be privy to information about how the ICO is discharging its regulatory functions. As a result, I am pleased to support clause 38.
Finally, the amendments to clause 42 are of a consequential nature, and I am happy to proceed without asking any further questions about them.
I am most grateful to the hon. Lady for welcoming the vast majority of the provisions within these clauses. She did express some concern about the breadth of the powers available to the Information Commissioner, but I point out that they are subject to a number of safeguards defining how they can be used. The commissioner is required to publish how he will exercise his powers, and that will provide organisations with clarity on the circumstances in which they are to be used.
As the hon. Lady will be aware, like other regulators, the Information Commissioner is subject to the duty under the Legislative and Regulatory Reform Act to exercise their functions
“in a way which is transparent, accountable, proportionate and consistent”,
and,
“targeted only at cases in which action is needed.”
There will also be a right of appeal, which is consistent with the commissioner’s existing powers. On that basis, I hope that the hon. Lady is reassured.
Question put agreed to.
Clause 34 accordingly ordered to stand part of the Bill.
Clauses 35 to 38 ordered to stand part of the Bill.
Clause 39
Complaints to controllers
I understand that the clause contains legal clarifications relating to the interaction of data protection laws with other laws. On that basis, I am happy to proceed.
Question put and agreed to.
Clause 43 accordingly ordered to stand part of the Bill.
Clause 44
Regulations under the UK GDPR
Question proposed, That the clause stand part of the Bill.
The clause outlines the process and procedure for making regulations under powers in the UK GDPR. Such provision is needed because the Bill introduces regulation-making powers into the GDPR. There is an equivalent provision in section 182 of the Data Protection Act. Among other things, the clause makes it clear that, before making regulations, the Secretary of State must consult the Information Commissioner and such other persons as they consider appropriate, other than when the made affirmative procedure applies. In such cases, the regulations can be made before Parliament has considered them, but cannot remain as law unless approved by Parliament within a 120-day period.
I am sure that the Committee will be pleased to learn that we have now completed part 1 of the Bill. [Hon. Members: “Hear, hear!”]
Clause 46 provides an overview of the provisions in part 2 that are aimed at securing the reliability of digital verification services through a trust framework, a public register, an information gateway and a trust mark.
Clause 47 will require the Secretary of State to prepare and publish the digital verification services trust framework, a set of rules, principles, policies, procedures and standards that an organisation that wishes to become a certified and registered digital verification service provider must follow. The Secretary of State must consult the Information Commissioner and other appropriate persons when preparing the trust framework; that consultation requirement can be satisfied ahead of the clause coming into force. The Secretary of State must review the trust framework every 12 months and must consult the Information Commissioner and other appropriate persons when carrying out the review. I commend both clauses to the Committee.
Clause 46 defines digital verification services. Central to the definition, and to the framing of the debate on part 2, is the clarification that they are
“services that are provided at the request of an individual”.
That is a crucial distinction: digital verification services and the kinds of digital identity that they enable are not the same as any kind of Government-backed digital ID card, let alone a compulsory one. As we will discuss, it is important that any such services are properly regulated and can be relied on. However, the clause seems to set out a sensible definition that clarifies that all such services operate at individual request and are entirely separate from universal or compulsory digital identities.
I will speak in more depth about clause 47. As we move towards an increasingly digitally focused society, it makes absolute sense that someone should be able, at their own choice, to prove their identity online as well as in the physical world. Providing for a trusted set of digital verification services would facilitate just that, allowing people to prove with security and ease who they are for purposes including opening a bank account or moving house, akin to using physical equivalents like a passport or a proof of address such as a utility bill. It is therefore understandable that the Government, building on their existing UK digital identity and attributes trust framework, want to legislate so that the full framework can be brought into law when it is ready.
In evidence to the Committee, Keith Rosser highlighted the benefits that a digital verification service could bring, using his industry of work and employment as a live case study. He said:
“The biggest impact so far has been on the speed at which employers are able to hire staff”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 52, Q112.]
In a study of 70,000 hires, the digital identity route took an average time of three minutes and 30 seconds, saving about a week compared with having to meet with an employer in person to provide physical documents. That has benefits not only to the individuals, who can start work a week earlier, but to the wider economy, since the same people will start contributing to taxation and their local economy a week earlier too.
Secondly, Keith identified that digital verification could open up remote jobs to people living in areas where employment opportunities are harder to come by. In theory, someone living in my constituency of Barnsley East could be hired in a role that would previously have been available only in London, thanks to their ability to prove who they are without ever having to meet their employer in person.
In the light of those benefits, as well as the potential reduction in fraud from cutting down on the usability of fake documents, in principle it seems only logical to support a framework that would allow trusted digital verification services to flourish. However, the key is to ensure that the framework breeds the trust necessary to make it work. In response to the digital identity call for evidence in 2019, the Government identified that a proportion of respondents were concerned about their privacy when it came to digital verification, saying that without assurances on privacy protections it would be hard to build trust in those systems. It is therefore curious that the Government have not accompanied their framework with any principles to ensure that services are designed and implemented around user needs and that they reflect important privacy and data protection principles.
Can the Minister say why the Government have not considered placing the nine identity assurance principles on the statute book, for example, to be considered when legislating for any framework? Those principles were developed by the Government’s own privacy and consumer advisory group back in 2014; they include ensuring that identity assurance can take place only where consent, transparency, multiplicity of choice, data minimisation and dispute resolution procedures are in place. That would give people the reassurance to trust that the framework is in keeping with their needs and rights, as well as those of industry.
Furthermore, can the Minister explain whether the Government intend to ensure that digital verification will not be the only option in any circumstance, making it mandatory? As Big Brother Watch points out, digital identity is not a practical or desired option, particularly for vulnerable or marginalised groups. Elderly people may not be familiar with such technology, while others might be priced out of it, especially given the recent rise in the cost of broadband and mobile bills attached to inflation. Although we must embrace the opportunities that technology can provide in identity verification, there must also be the ability to opt out and use offline methods of identification where needed, or we will risk leaving people out of participating in key activities such as jobseeking.
Finally, I look forward to hearing more about the governance of digital verification services and the framework. The Bill does not provide a statutory basis for the new office for digital identities and attributes, and there is therefore no established body for the functions related to the framework. It is important that when the new office is established, there is good communication from Government about its powers, duties, functions and funding model. After all, the framework and the principles it supports are only as strong as their enforcement.
Overall, I do not wish to stand in the way of this part of the Bill, with the caveat that I am keen to hear from the Minister on privacy protections, on the creation of the new office and on ensuring that digital verification is the beginning of a new way of verifying one’s identity, not the end of any physical verification options.
It is a pleasure to follow my hon. Friend the Member for Barnsley East. I have some general comments, which I intend to make now, on the digital verification services framework introduced and set out in clause 46. I also have some specific comments on subsequent clauses; I will follow your guidance, Mr Hollobone, if it is your view that my comments relate to other clauses and should be made at a later point.
Like my hon. Friend, I recognise the importance of digital verification services and the many steps that the Government are taking to support them, but I am concerned about the lack of coherence between the steps set out in the Bill and other initiatives, consultations and activities elsewhere in Government.
As my hon. Friend said, the Government propose to establish an office for digital identities and attributes, which I understand is not a regulator as such. It would be good to have clarity on the position, as there is no discussion in the Bill of the duties of the new office or any kind of mechanisms for oversight or appeal. What is the relationship between the office for digital identities and attributes and this legislation? The industry has repeatedly called for clarity on the issue. I think we can all agree that a robust and effective regulatory framework is important, particularly as the Bill confers broad information-gathering powers on the Secretary of State. Will the Minister set out his vision and tell us how he sees the services being regulated, what the governance model will be, how the office—which will sit, as I understand it, in the Department for Science, Innovation and Technology—will relate to this legislation, and whether it will be independent of Government?
Will the Minister also help us to understand the relationship between the digital verification services set out in the Bill and other initiatives across Government on digital identity, such as the Government Digital Service’s One Login service, which we understand will be operated across Government services, and the initiatives of the Home Office’s fraud strategy? Is there a relationship between them, or are they separate initiatives? If they are separate, might that be confusing for the sector? I am sure the Minister will agree that we in the UK are fortunate to have world leaders in digital verification, including iProov, Yoti and Onfido. I hope the Minister agrees that for those organisations to continue their world-leading role, they need clarification and understanding of the direction of Government and how this legislation relates to that direction.
Finally, I hope the Minister will agree that digital identity is a global business. Will he say a few words about how he has worked with, or is working with, other countries to ensure that the digital verification services model set out in this legislation is complementary to other services and interoperable as appropriate, and that it builds on the learnings of other digital verification services?
(1 year, 6 months ago)
Public Bill CommitteesThis is a function that will operate within Government. I do not think that it is one where there is any specific need for particular independence, but as I said, I am happy to supply further details about precisely how it will operate if that is helpful to the hon. Lady.
Let me move on from the precise operation of the body. Clause 53 sets out requirements for certified digital verification service providers in relation to obtaining top-up certificates where the Secretary of State revises and republishes the DVS trust framework.
Clause 48 provides that the Secretary of State must establish and maintain a register of digital verification service providers. The register must be made publicly available. The Secretary of State is required to add a digital verification service provider to the register, provided that it has met certain requirements. To gain a place on the register, the provider must first be certified against the trust framework by an accredited conformity assessment body. Secondly, the provider must have applied to be registered in line with the Secretary of State’s application requirements under clause 49. Thirdly, the provider must pay any fee set by the Secretary of State under the power in clause 50.
The United Kingdom Accreditation Service accredits conformity assessment bodies as competent to assess whether a digital verification service meets the requirements set out in the trust framework. That, of course, is an arm’s length body. Assessment is by independent audits, and successful DVS providers are issued with a certificate.
The Secretary of State is prohibited from registering a provider if it has not complied with the registration requirements. An application must be rejected if it is based on a certificate that has expired, has been withdrawn by the issuing body, or is required to be ignored under clause 53 because the trust framework rules have been amended and the provider has not obtained a top-up certificate in time. The Secretary of State must also refuse to register a DVS provider if the provider was removed from the register through enforcement powers under clause 52 and reapplies for registration while still within the specified removal period.
Clause 48(7) provides definitions for “accredited conformity assessment body”, “the Accreditation Regulation”, “conformity assessment body” and “the UK national accreditation body”.
Clause 49 makes provision for the Secretary of State to determine the form of an application for registration in the digital verification services register, the information that an application needs to contain, the documents to be provided with an application and the manner in which an application is to be submitted.
Clause 50 allows the Secretary of State to charge providers a fee on application to be registered in the DVS register. The fee amount is to be determined by the Secretary of State. The clause also allows the Secretary of State to charge already registered providers ongoing fees. The amount and timing of those fees are to be determined by the Secretary of State.
Clauses 51 and 52 confer powers and duties on the Secretary of State in relation to the removal of persons from the register. Clause 51 places a duty on the Secretary of State to remove a provider from the register if certain conditions are met. That will keep the register up to date and ensure that only providers that hold a certificate to prove that they adhere to the standards set in the framework are included in the register. Clause 52 provides a power to the Secretary of State to remove a provider from the register if the Secretary of State is satisfied that the provider is failing to provide services in accordance with the trust framework, or if it has failed to provide the Secretary of State with information as required by a notice issued under clause 58. Clause 52 also contains safeguards in respect of the use of that power.
Clause 53 applies where the Secretary of State revises and republishes the DVS trust framework to include a new rule or to change an existing rule and specifies in the trust framework that a top-up certificate will be required to show compliance with the new rule from a specified date.
I hope that what I have set out is reasonably clear, and on that basis I ask that clauses 48 to 53 stand part of the Bill.
As has been mentioned, a publicly available register of trusted digital verification services is welcome; as a result, so is this set of clauses. A DVS register of this kind will improve transparency for anyone wanting to use a DVS service, as they will be able to confirm easily and freely whether the organisation that they hope to use complies with the trust framework.
However, the worth of the register relies on the worth of the trust framework, because only by getting the trust framework right will we be able to trust those that have been accredited as following it. That will mean including enough in the framework to assure the general public that their rights are protected by it. I am thinking of things such as data minimisation and dispute resolution procedures. I hope that the Department will consider embedding principles of data rights in the framework, as has been mentioned.
As with the framework, the detail of these clauses will come via secondary legislation, and careful attention must be paid to the detail of those measures when they are laid before Parliament. In principle, however, I have no problem with the provisions of the clauses. It seems sensible to enable the Secretary of State to determine a fee for registration, to remove a person from the register upon a change in circumstances, or to remove an organisation if it is failing to comply with the trust framework. Those are all functions that are essential to the register functioning well, although any fees should of course be proportionate to keep market barriers low and ensure that smaller players continue to have access. That facilitates competition and innovation.
Similarly, the idea of top-up certificates seems sensible. Members on both sides of the House have agreed at various points on the importance of future-proofing a Bill such as this, and the digital verification services framework should have space for modernisation and adaptation where necessary. Top-up certificates will allow for the removal of any organisation that is already registered but fails to comply with new rules added to the framework.
The detail of these provisions will be analysed as and when the regulations are introduced, but I will not object to the principle of an accessible and transparent register of accredited digital verification services.
I thank the Minister for clarifying the role of the office for digital identities and attributes. Some of the comments I made on clause 46 are probably more applicable here, but I will not repeat them, as I am sure the Committee does not want to hear them a second time. However, I ask the Minister to clarify the process. If a company objects to not being approved for registration or says that it has followed the process set out by the Secretary of State but the Secretary of State does not agree, or if a dispute arises for whatever reason, what appeal process is there, if any, and who is responsible for resolving disputes? That is just one example of the clarity that is necessary for an office of this kind.
Will the Minister clarify the dispute resolution process and whether the office for digital identities and attributes will have a regulatory function? Given the lack of detail on the office, I am concerned about whether it will have the necessary powers and resources. How many people does the Minister envisage working for it? Will they be full-time employees of the office, or will they be job sharing with other duties in his Department?
My other questions are about something I raised earlier, to which the Minister did not refer: international co-operation and regulation. I imagine there will be instances where companies headquartered elsewhere want to offer digital verification services. Will there be compatibility issues with digital verification that is undertaken in other jurisdictions? Is there an international element to the office for digital identities and attributes?
Everyone on the Committee agrees that this is a very important area, and it will only get more important as digital verification becomes even more essential for our everyday working lives. What discussions is the Minister having with the Department for Business and Trade about the kind of market that we might expect to see in digital verification services and ensuring that it is competitive, diverse and across our country?
Clause 54 creates a permissive power to enable public authorities to share information relating to an individual with registered digital verification service providers. That the power is permissive means that public authorities are not under any obligation to disclose information. The power applies only where a digital verification service provider is registered in the DVS register and the individual has requested the digital verification service from that provider. Information disclosed using the power does not breach any duty of confidentiality or other restrictions relating to the disclosure of information, but the power does not enable the disclosure of information if disclosure would breach data protection legislation. The clause also gives public authorities the power to charge fees for disclosing information.
All information held by His Majesty’s Revenue and Customs is subject to particular statutory safeguards relating to confidentiality. Clause 55 establishes particular safeguards for information disclosed to registered digital verification service providers by His Majesty’s Revenue and Customs under clause 54. The Government will not commence measures to enable the disclosure of information held by HMRC until the commissioners for HMRC are satisfied that the technology and processes for information sharing uphold the particular safeguards relating to taxpayer confidentiality and therefore allow information sharing by HMRC to occur without adverse effect on the tax system or any other functions of HMRC.
Clause 56 obliges the Secretary of State to produce and publish a code of practice about the disclosure of information under clause 54. Public authorities must have regard to the code when disclosing information under this power. Publication of the first version of the code is subject to the affirmative resolution procedure. Publication of subsequent versions of the code is subject to the negative resolution procedure. We will work with the commissioners for HMRC to ensure that the code meets the needs of the tax system.
New clauses 3 and 4 and Government amendments 6 and 7 establish safeguards for information that reflect those already in the Bill under clause 55 for HMRC. Information held by tax authorities in Scotland and Wales—Revenue Scotland and the Welsh Revenue Authority—is subject to similar statutory safeguards relating to confidentiality. These safeguards ensure that confidence and trust in the tax system is maintained. Under these provisions, registered DVS providers may not further disclose information provided by Revenue Scotland or the Welsh Revenue Authority unless they have the consent of that revenue authority to do so. The addition of these provisions will provide an equivalent level of protection for information shared by all three tax authorities in the context of part 2 of the Bill, avoiding any disparity in the treatment of information held by different tax authorities in this context. A similar provision is not required for Northern Irish tax data, as HMRC is responsible for the collection of devolved taxes in Northern Ireland.
Many digital verification services will, to some extent, rely on public authorities being able to share information relating to an individual with an organisation on the DVS register. To create a permissive gateway that allows this to happen, as clause 54 does, is therefore important for the functioning of the entire DVS system, but there must be proper legal limits placed on these disclosures of information, and as ever, any disclosures involving personal data must abide by the minimisation principle, with only the information necessary to verify the person’s identity or the fact about them being passed on. As such, it is pleasing to see in clause 54 the clarification of some of those legal limits, as contained in the likes of data protection legislation and the Investigatory Powers Act 2016. Similarly, clause 55 and the Government new clauses apply the necessary limits on sharing of personal data from HMRC and devolved revenue authorities under clause 54.
Finally, clause 56, which seeks to ensure that a code of practice is published regarding the disclosure of information under clause 54, will be a useful addition to the previous clauses and will ensure that the safety of such disclosures is properly considered in comprehensive detail. The Information Commissioner, with their expertise, will be well placed to help with this, so it is pleasing to see that they will be consulted during the process of designing this code. It is also good to see that this consultation will be able to occur swiftly—before the clause even comes into force—and that the resulting code will be laid before both Houses.
In short, although some disclosures of personal data from public authorities to organisations providing DVS are inevitable, as they are necessary for the very functioning of a verification service, careful attention should be paid to how this is done safely and legally. These clauses, alongside a well-designed framework—as already discussed—will ensure that that is the case.
Question put and agreed to.
Clause 54 accordingly ordered to stand part of the Bill.
Clauses 55 and 56 ordered to stand part of the Bill.
Clause 57
Trust mark for use by registered persons
Question proposed, That the clause stand part of the Bill.
Clause 57 makes provision for the Secretary of State to designate a trust mark to a DVS provider. The trust mark is essentially a kitemark that shows that the provider complies with the rules and standards set out in the trust framework, and has been certified by an approved conformity assessment body. The trust mark must be published by the Secretary of State and can only be used by registered digital verification service providers. The clause gives the Secretary of State powers to enforce that restriction in civil proceedings.
Trust marks are useful tools that allow organisations and the general public alike to immediately recognise whether or not a product or service has passed a certain testing standard or criterion. This is especially the case online, where due to misinformation and the prevalence of scams such as phishing, trust in online services can be lower than in the physical world.
The TrustedSite certification, for example, offers online businesses an earned certification programme that helps them to demonstrate that they are compliant with good business practices and maintain high safety standards. This is a benefit not only to the business itself, which is able to convert more users into clicks and sales, but to the users, who do not have to spend time researching each individual business and can explore pages and shop with immediate certainty. A trust mark for digital verification services would serve a similar purpose, enabling certified organisations that meet the trust framework criteria to be immediately recognisable, offering them the opportunity to be used by more people and offering the public assurance that their personal data is being handled by a verified source.
Of course, as is the case with this entire section of the Bill, the trust mark is only worth as much as the framework around it. Ministers should again think carefully about how to ensure that the framework supports the rights of the individual. Furthermore, the trust mark is useful only if people recognise it; otherwise, it cannot provide the immediate reassurance that it is supposed to. When the trust mark is established, what measures will the Department take to raise public awareness of it? In the same vein, to know the mark’s value, the public must also be aware of the trust framework that the mark is measured against, so what further steps will the Department take to increase knowledge and understanding of digital verification services and frameworks? Finally, will the Department publish the details of any identified unlawful use of the trust mark, so that public faith in the reliability of the trust mark remains high?
Overall, the clause is helpful in showing that we take seriously the need to ensure that people do not use digital verification services that may mishandle their data.
I am grateful to the hon. Lady for her support. I entirely take her point that a trust mark only really works if people know what it is and can look for it when seeking a DVS provider.
Regarding potential abuse, obviously that is something we will monitor and potentially publicise in due course. All I would say at this stage is that she raises valid points that I am sure we will consider as the new system is implemented.
Question put and agreed to.
Clause 57 accordingly ordered to stand part of the Bill.
Clause 58
Power of Secretary of State to require information
Amendments made: amendment 6, in clause 58, page 84, line 5, after “55” insert
“or (Information disclosed by the Welsh Revenue Authority)”
This amendment prevents the Secretary of State requesting a disclosure of information which would contravene the new clause inserted by NC3.
Amendment 7, in clause 58, page 84, line 5, after “55” insert
“or (Information disclosed by Revenue Scotland)”—(Sir John Whittingdale.)
This amendment prevents the Secretary of State requesting a disclosure of information which would contravene the new clause inserted by NC4.
Question proposed, That the clause, as amended, stand part of the Bill.
To oversee the DVS register, it is understandable that the Secretary of State may in some cases need to require information from registered bodies to ensure that they are complying with their duties under the framework. It is good that clause 58 provides for that power, and places reasonable legal limits on it, so that disclosures of information do not disrupt legal professional privilege or other important limitations. Likewise, it is sensible that the Secretary of State be given the statutory power to delegate some oversight of the measures in this part in a paid capacity, as is ensured by clause 59.
As I have mentioned many times throughout our scrutiny of the Bill, the Secretary of State may not always have the level of expertise needed to act alone in exercising the powers given to them by such regulations. The input of those with experience and time to commit to ensuring the quality of the regulations will therefore be vital to the success of these clauses. Again, however, we will need more information about the establishment of the OfDIA and the governance of digital identities overall to be able to interpret fully both the delegated powers and the power to require information, and how they will be used. Once again, therefore, I urge transparency from the Government as those governance structures emerge.
That leads nicely to clause 60, which requires the Secretary of State to prepare and publish yearly reports on the operation of this part. A report of that nature will offer the chance to periodically review the functioning of the trust framework, register, trust mark and all other provisions contained in this part, thereby providing an opportunity to identify and rectify any recurring issues that the system may face. That is sensible for any new project, particularly one that, through its transparency, will offer accountability of the Government to the general public, who will be able to read the published reports. In short, there are no major concerns regarding any of the three clauses, though further detail on the governance of digital identities services will need proper scrutiny.
Question put and agreed to.
Clause 58 accordingly ordered to stand part of the Bill.
Clauses 59 and 60 ordered to stand part of the Bill.
Clause 61
Customer data and business data
I beg to move amendment 46, in clause 61, page 85, line 24, after “supplied” insert “or provided”.
The definition of “business data” in clause 61 refers to the supply or provision of goods, services and digital content. For consistency with that, this amendment amends an example given in the definition so that it refers to what is provided, as well as what is supplied.
We move on to part 3 of the Bill, concerning smart data usage, which I know is of interest to a number of Members. Before I discuss the detail of clause 61 and amendment 46, I will give a brief overview of this part and the policy intention behind it. The provisions in part 3 allow the Secretary of State or the Treasury to make regulations that introduce what we term “schemes” that compel businesses to share data that they hold on customers with the customer or authorised third parties upon the customer’s request, and to share or publish data that they hold about the services or products that they provide. Regulations under this part will specify what data is in scope within the parameters set out by the clauses, and how it should be shared.
The rest of the clauses in this part permit the Secretary of State or the Treasury to include in the regulations the measures that will underpin these data sharing schemes and ensure that they are subject to proper safeguards—for example, relating to the enforcement of regulations; the accreditation of third party businesses wanting to facilitate data sharing; and how these schemes can be funded through levies and charging. Regulations that introduce schemes, or significantly amend existing schemes, will be subject to prior consultation and parliamentary approval through the affirmative procedure.
The policy intention behind the clauses is to allow for the creation of new smart data schemes, building on the success of open banking in the UK. Smart data schemes establish the secure sharing of customer data and contextual information with authorised third parties on the customer’s request. The third parties can then be authorised by the customer to act on their behalf. The authorised third parties can therefore provide innovative services for the customer, such as analysing spending to identify cost savings or displaying data from multiple accounts in a single portal. The clauses replace existing regulation-making powers relating to the supply of customer data in sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013; those powers are not sufficient for new smart data schemes to be effective.
Clause 61 defines the key terms and concepts for the powers in part 3. We have tabled a minor Government amendment to the clause, which I will explain. The definitions of data holder and trader in subsection (2) explain who may be required to provide data under the regulations. The definitions of customer data and business data deal with the two kinds of data that suppliers may be required to provide. Customer data is information relating to the transactions between the customer and supplier, such as a customer’s consumption of the relevant good or service and how much the customer has paid. Business data is wider contextual data relating to the goods or services supplied or provided by the relevant supplier. Business data may include standard prices, charges or tariffs and information relating to service performance. That information may allow customers to understand their customer data. Government amendment 46 clarifies that a specific example of business data—information about location—refers to the supply or provision of goods or services. It corrects a minor inconsistency in the list of examples of business data in subsection (2)(b).
Subsection (3) concerns who is a customer of the supplying trader, and who can therefore benefit from smart data. Customers may include both consumers and businesses. Subsection (4) enables customers to exercise smart data rights in relation to contracts they have already entered into, and subsection (5) allows the schemes to function through provision of access to data, as opposed to sending data as a one-off transfer.
The clause defines key terms in this part of the Bill, such as business data, customer data and data holder, as well as data regulations, customer and trader. These are key to the regulation-making powers on smart data in part 3, and I have no specific concerns to raise about them at this point.
I note the clarification made by the Minister in his amendment to the example given. As he outlined, that will ensure there is consistency in the definition and understanding of business data. It is good to see areas such as that being cleaned up so that the Bill can be interpreted as easily as possible, given its complexity to many. I am therefore happy to proceed with the Bill.
I rise to ask the Minister a specific question about the use of smart data in this way. A lot of users will be giving away data a device level, rather than just accessing individual accounts. People are just going to a particular account they are signed into and making transactions, or doing whatever they are doing in that application, on a particular device, but there will be much more gathering of data at the device level. We know that many companies—certainly some of the bigger tech companies—use their apps to gather data not just about what their users do on their particular app, but across their whole device. One of the complaints of Facebook customers is that if they seek to remove their data from Facebook and get it back, the company’s policy is to give them back data only for things they have done while using its applications—Instagram, Facebook or whatever. It retains any device-level data that it has gathered, which could be quite significant, on the basis of privacy—it says that it does not know whether someone else was using the device, so it is not right to hand that data back. Companies are exploiting this anomaly to retain as much data as possible about things that people are doing across a whole range of apps, even when the customer has made a clear request for deletion.
I will be grateful if the Minister can say something about that. If he cannot do so now, will he write to me or say something in the future? When considering the way that these regulations work, particularly in the era of smart data when it will be far more likely that data is gathered across multiple applications, it should be clear what rights customers have to have all that data deleted if they request it.
I share my hon. Friend’s general view. Customers can authorise that their data be shared through devices with other providers, so they should equally have the right to take back that data if they so wish. He invites me to come back to him with greater detail on that point, and we would be very happy to do so.
Amendment 46 agreed to.
Clause 61, as amended, ordered to stand part of the Bill.
Clause 62
Power to make provision in connection with customer data
I beg to move amendment 112, in clause 62, page 87, line 2, at end insert—
“(3A) The Secretary of State or the Treasury may only make regulations under this section if—
(a) the Secretary of State or the Treasury has conducted an assessment of the impact the regulations may have on customers, businesses, or industry,
(b) the assessment mentioned in paragraph (a) has been published, and
(c) the assessment concludes that the regulations achieve their objective without imposing disproportionate, untargeted or unnecessary cost on customers or businesses.”
I assure the hon. Lady that I and, no doubt, the whole Committee share her excitement about the potential offered by smart data, and I have sympathy for the intention behind her amendments. However, taking each one in turn, we feel amendment 112 is unnecessary because the requirements are already set by the better regulation framework, the Small Business, Enterprise and Employment Act 2015 and, indeed, these clauses. Departments will conduct an impact assessment in line with the better regulation framework and Green Book guidance when setting up a new smart data scheme, and must demonstrate consideration of their requirements under the Equality Act 2010. That will address the proportionality, targeting and necessity of the scheme.
Moreover, the clauses require the Government to consider the effect of the regulations on matters including customers, businesses and competition. An impact assessment would be an effective approach to meeting those requirements. However, there is a risk that prescribing exactly how a Department should approach the requirements could unnecessarily constrain the policymaking process.
I turn to amendment 113. Clause 74(5) already requires the Secretary of State or the Treasury to consult with relevant sector regulators as they consider appropriate. As part of the process, sector regulators may be asked to contribute to the development of regulatory impact assessments, so we do not believe the amendment is necessary.
On amendment 114, we absolutely share the view of the importance of Government consulting businesses before making regulations. That is why, under clause 74(6), the Secretary of State or the Treasury must, when introducing a smart data scheme, consult such persons as are likely to be affected by the regulations and such sectoral regulators as they consider appropriate. Those persons will include businesses relevant to the envisaged scheme.
On amendment 115, we absolutely share the ambition to grab whatever opportunities smart data offers. In particular, I draw the hon. Lady’s attention to the commitments made last month by the Economic Secretary to the Treasury, who set out the Treasury’s plans to use the smart data powers to provide open banking with a sustainable regulatory framework, while the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake), chaired the inaugural meeting of the Smart Data Council last month. That council has been established to support and co-ordinate the development of smart data schemes in a timely manner.
With respect to having a deadline for schemes, we should recognise that implementation of the regulations requires careful consideration. The hon. Member for Barnsley East clearly recognises the importance of consultation and of properly considering the impacts of any new scheme. We are committed to that, and there is a risk that a statutory deadline for making the regulations would jeopardise our due diligence. I assure her that all her concerns are ones that we share, so I hope that she will accept that the amendments are unnecessary.
I am grateful to the Minister for those assurances. I am reassured by his comments, and I am happy to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Clause 62 provides the principal regulation-making power to establish smart data schemes in relation to customer data. The clause enables the Secretary of State or the Treasury to make regulations that require data holders to provide customer data either directly to a customer, or to a person they have authorised, at their request. Subsection (3) of the clause also allows for an authorised person who receives the customer data, to exercise the customer’s rights in relation to their data on their behalf. We call that “action initiation”.
An illustrative example could be in open banking, where customers can give authorised third parties access to their data to compare the consumer’s current bank account with similar offers, or to group the contracts within a household together for parents or guardians to better manage children’s accounts. Subsection (3) could allow the authorised third party to update the customer’s contact details across the associated accounts, for example if an email address changes.
Clause 63 outlines the provisions that smart data scheme regulations may contain when relating to customer data. The clause establishes much of the critical framework that smart data schemes will be built on. On that basis, I commend clauses 62 and 63 to the Committee.
As previously mentioned, and with the caveats that I expressed when I was discussing my amendments, I am extremely pleased to be able to welcome this part of the Bill. In essence, clauses 62 and 63 enable regulations that will allow for customer data to be provided to a third party on request. I will take the opportunity to highlight why that is the case by looking at some of the benefits that smart data can provide.
Since 2018, open banking—by far the most well known and advanced version of smart data in operation—has demonstrated what smart data can deliver over and over again. For the wider economy, the benefits have been remarkable, with the total value to the UK economy now amounting to more than £4.1 billion, according to Coadec, the Coalition for a Digital Economy. Consumers’ experience of banking has been revolutionised if they have consented of their own accord to have third-party applications access their financial data.
Indeed, a whole host of money management tools and apps can now harness people’s financial data to create personalised recommendations based on their spending habits, including how to budget or save. During a cost of living crisis, some of those tools have been extremely valuable in helping people to manage new bills and outgoings. Furthermore, online retailers can now connect directly to someone’s bank so that, rather than spending the time filling in their card details each time they make a purchase, an individual can approve the transaction via their online banking system.
It is important to reiterate that open banking is based on consent, so consumers participate only if they feel it is right for them. As it happens, millions of people have capitalised on the benefits. More than seven million consumers and 50% of small and medium-sized enterprises have used open banking services to gain a holistic view of their finances, to support applications for credit and to pay securely, quickly and cheaply.
Though open banking has brought great success for both consumers and the wider economy, it is also important that the Government learn lessons from its implementation. We must pay close attention to how the introduction of open banking has impacted both the industry and consumers and ensure that any takeaways are factored in when considering an expansion of smart data into new industries.
Further, given that the Government clearly recognise the value of open data, as shown by this section of the Bill, it is a shame that the Bill does not go further in exploring the possibilities of opening datasets in other settings. Labour has explicitly set out to do that in its industrial strategy. For example, we have identified that better, more open datasets on jobs could help us to understand where skills shortages are, allowing jobseekers, training providers and Government to better fill those gaps.
The provisions in clauses 62 and 63 to create new regimes of smart data are therefore welcome, but the Bill unfortunately remains a missed opportunity to fully capitalise on the opportunities of open, secure data flows.
Question put and agreed to.
Clause 62 accordingly ordered to stand part of the Bill.
Clause 63 ordered to stand part of the Bill.
Clause 64
Power to make provision in connection with business data
Question proposed, That the clause stand part of the Bill.
Clause 64 provides the principal regulation-making power for the creation of smart data schemes relating to business data. Regulations created through this clause allow for business data to be provided to the customer of a trader or a third-party recipient. Business data may also be published to be more widely available.
These regulations relating to business data will increase the transparency around the pricing of goods and services, which will increase competition and benefit both consumers and smaller businesses. To give just one example, the Competition and Markets Authority recently highlighted the potential of an open data scheme that compared the prices of fuel at roadside stations, increasing competition and better informing consumers. It is that kind of market intervention that the powers provide for.
Clause 65 outlines provisions that regulations relating to business data may contain. Those provisions are non-exhaustive. The clause largely mirrors clause 63, extending the same protections and benefits to schemes that make use of businesses data exclusively or in tandem with customer data. The clause differs from clause 63 in subsection (2), where an additional consideration is made as to who may make a request for business data. As action initiation relates only to an authorised person exercising a customer’s rights relating to their data, clause 65 does not include the references to that that are made in subsections (7) and (8) of clause 63.
The measures in these clauses largely mirror 62 and 63, but they refer to business data rather than customer data. I therefore refer back to my comments on clause 62 and 63 and the benefits that new regulations such as these might be able to provide. Those remarks provide context as to why I am pleased to support these measures, which will allow the making of regulations that require data holders to share business data with third parties.
However, I would like clarification from the Minister on one point. The explanatory notes explain that the powers will likely be used together with those in clauses 62 and 63, but it would be good to hear confirmation from the Minister on whether there may be circumstances in which the Department envisages using the powers regarding business data distinctly. If there are, will he share examples of those circumstances? It would be good for both industry and Members of this House to have insight into how these clauses, and the regulatory powers they provide, will actually be used.
I think it is probably sensible if I come back to the hon. Lady on that point. I am sure we would be happy to provide examples if there are ones that we can identify.
Question put and agreed to.
Clause 64 accordingly ordered to stand part of the Bill.
Clause 65 ordered to stand part of the Bill.
Clause 66
Decision-makers
Clauses 66 to 72 contain a number of provisions that will allow smart data regulations to function effectively. They are provisions on decision makers who approve and monitor third parties that can access the data, provisions on enforcement of the regulations and provisions on the funding of smart data schemes. It is probably sensible that I go through each one in more detail.
Clause 66 relates to the appointment of persons or accrediting bodies referred to as decision makers. The decision makers may approve the third parties that can access customer and business data, and act on behalf of customers. The decision makers may also revoke or suspend their accreditation, if that is necessary. An accreditation regime provides certainty about the expected governance, security and conduct requirements for businesses that can access data. Customers can be confident their chosen third party meets an appropriate standard. Clause 66 allows the decision maker to monitor compliance with authorisation conditions, subject to safeguards in clause 68.
Clause 67 enables regulations to confer powers of enforcement on a public body. The public body will be the enforcer, responsible for acting upon any breaches of the regulations. We envisage that the enforcer for a smart data scheme is likely to be an existing sectoral regulator, such as the Financial Conduct Authority in open banking. While the clause envisages civil enforcement of the regulations, subsection (6) allows for criminal offences in the case of falsification of information or evidence. Under subsections (3) and (10), the regulations may confer powers of investigation on the enforcer. That may include powers to require the provision of information and powers of entry, search and seizure. Those powers are subject to statutory restrictions in clause 68.
Clause 68 contains provisions limiting the investigatory powers given to enforcers. The primary restriction is that regulations may not require a person to give an enforcer information that would infringe the privileges of Parliament or undermine confidentiality, legal privilege and, subject to the exceptions in subsection (7), privilege against self-incrimination. Subsection (8) prevents any written or oral statement given in response to a request for information in the course of an investigation from being used as evidence against the person being prosecuted for an offence, other than that created by the data regulations.
Clause 69 contains provisions relating to financial penalties and the relevant safeguards. It sets out what regulations must provide for if enabling the use of financial penalties. Subsection (2) requires that the amount of a financial penalty is specified in, or determined in accordance with, the regulations. For example, the regulations may set a maximum financial penalty that an enforcer can impose and they may specify the methodology to be used to determine a specific financial penalty.
Clause 70 enables actors in smart data schemes to require the payment of fees. The circumstances and conditions of the fee charging process will be specified in the regulations. The purpose of the clause, along with clause 71, is to seek to ensure that the costs of smart data schemes, and of bodies exercising functions under them, can be met by the relevant sector.
It is intended that fees may be charged by accrediting bodies and enforcers. For example, regulations could specify that an accrediting body may charge third parties to cover the cost of an accreditation process and ongoing monitoring. Enforcers may also be able to charge to cover or contribute to the cost of any relevant enforcement activities. The regulations may provide for payment of fees only by persons who are directly affected by the performance of duties, or exercise of powers, under the regulations. That includes data holders, customers and those accessing customer and business data.
Clause 71 will enable the regulations to impose a levy on data holders or allow a specified public body to do so. That is to allow arrangements similar to those in section 38 of the Communications Act 2003, which enables the fixing of charges by Ofcom. Together with the provision on fees, the purpose of the levy is to meet all or part of the costs incurred by enforcers and accrediting bodies, or persons acting on their behalf. The intention is to ensure that expenses can be met without incurring a cost to the taxpayer. Levies may be imposed only in respect of data holders that appear to be capable of being directly affected by the exercise of the functions.
Clause 72 provides statutory authority for the Secretary of State or the Treasury to give financial assistance, including to accrediting bodies or enforcers. Subsection (2) provides that the assistance may be given on terms and conditions that are deemed appropriate by the regulation maker. Financial assistance is defined to include both actual or contingent assistance, such as a grant, loan, guarantee or indemnity. It does not include the purchase of shares. I commend clauses 66 to 72 to the Committee.
Clauses 66 to 72 provide for decision makers and enforcers to help with the operation and regulation of new smart data regimes. As was the case with the digital verification services, where I agreed that there was a need for the Secretary of State to have limited powers to ensure compliance with the trust framework, powers will be needed to ensure that any regulations made under this part of the Bill are followed. The introduction in clause 67 of enforcers—public bodies that will, by creating fines, penalties and notices of compliance, ensure that organisations follow regulations made under part 3—is therefore welcome.
As ever, it is pleasing to see that the relevant restrictions on the powers of enforcers are laid out in clause 68, to ensure that they cannot infringe upon other, more fundamental rights. It is also right, as is ensured by clause 69, that there are safeguards on the financial penalties that an enforcer is able to issue. Guidance on the amount of any penalties, as well as a formalised process for issuing notices and allowing for appeal, will provide uniformity across the board so that every enforcer acts proportionately and consistently.
Decision makers allowed for by clause 66 will be important, too, in conjunction with enforcers. They will ensure there is sufficient oversight of the organisations that are enabled to have access to customer or business data through any particular smart data regimes. Clauses 70, 71 and 72, which finance the activities of decision makers and enforcers, follow the trend of sensible provisions that will be required if we are to have confidence that regulations made under this part of the Bill will be adhered to. In short, the measures under this grouping are largely practical, and they are necessary to support clauses 62 to 65.
Question put and agreed to.
Clause 66 accordingly ordered to stand part of the Bill.
Clauses 67 to 72 ordered to stand part of the Bill.
Clause 73
Confidentiality and data protection
Question proposed, That the clause stand part of the Bill
Clauses 73 to 77 relate to confidentiality and data protection; various provisions connected with making the regulations, including consultation, parliamentary scrutiny and a duty to conduct periodic reviews of regulations; and the repeal of the existing regulation-making powers that these clauses replace.
Clause 73(1) allows the regulations to provide that there are no contravening obligations of confidence or other restrictions on the processing of information. Subsection (2) ensures that the regulations do not require or authorise processing that would contravene the data protection legislation. The provisions are in line with the approach taken towards pension dashboards, which are electronic communications services that allow individuals to access information about their pensions.
Clause 74(1) allows the regulation-making powers to be used flexibly. Subsection (1)(f) allows regulations to make provision by reference to specifications or technical requirements. That is essential to allow for effective and safe access to customer data, for instance the rapid updating of IT and security requirements, and it mirrors the powers enacted in relation to pensions dashboards, which I have mentioned. Clause 74(2) provides for limited circumstances in which it may be necessary for regulations to modify primary legislation to allow the regulations to function effectively. For instance, it may be necessary to extend a statutory alternative dispute resolution scheme in a specific sector to cover the activities of a smart data scheme.
Clause 74(3) states that affirmative parliamentary scrutiny will apply to the first regulations made under clauses 62 or 64; that is, affirmative scrutiny will apply to regulations that introduce a scheme. Affirmative parliamentary scrutiny will also be required where primary legislation is modified, where regulations make requirements more onerous for data holders and where the regulations confer monitoring or enforcement functions or make provisions for fees or a levy. Under clause 74(5), prior to making regulations that will be subject to affirmative scrutiny, the Secretary of State or the Treasury must consult persons who are likely to be affected by the regulations, and relevant sectoral regulators, as they consider appropriate.
The Government recognise the importance of enabling the ongoing scrutiny of future regulations, so clause 75 requires the regulation maker to review the regulations at least at five-yearly intervals. Clause 76 repeals the regulation-making powers in sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013, which are no longer adequate to enable the introduction of effective smart data schemes. Those sections are replaced by the clauses in part 3 of the Bill. Clause 77 defines, or refers to definitions of, terms used in part 3 and is essential to the functioning and clarity of part 3. I commend the clauses to the Committee.
Many of the clauses in this grouping are supplementary to the provisions that we have already discussed, or they provide clarification as to which regulations under part 3 are subject to parliamentary scrutiny. I have no further comments to add on the clauses, other than to welcome them as fundamental to the wider part. However, I specifically welcome clause 75, which requires that the regulations made under this part be periodically reviewed at least every five years.
I hope that such regulations will be under constant review on an informal basis to assess how well they are working, but it is good to see a formal mechanism to ensure that that is the case over the long term. It would have been good, in fact, to see more such provisions throughout the Bill, to ensure that regulations that are made under it work as intended. Overall, I hope it is clear that I am very supportive of this part’s enabling of smart data regimes. I look forward to it coming into force and unlocking the innovation and consumer benefits that such schemes will provide.
Question put and agreed to.
Clause 73 accordingly ordered to stand part of the Bill.
Clause 74 to 77 ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Steve Double.)
(1 year, 6 months ago)
Public Bill CommitteesWhen the Committee adjourned this morning, I was nearly at my conclusion; I was responding to points made by the hon. Member for Barnsley East and by the hon. Member for Glasgow North West, who has not yet rejoined us. I was saying that the exemption applies where the data originally collected is historic, where to re-contact to obtain consent would require a disproportionate effort, and where that data could be of real value in scientific research. We think that there is a benefit to research and we are satisfied that the protection is there. There was some debate about the definition of scientific research, which we covered earlier; that is a point that is appealable to the Information Commissioner’s Office. On the basis of what I said earlier, and that assurance, I hope that the Committee will agree to the clause.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
Clause 10 ordered to stand part of the Bill.
Clause 11
Automated decision-making
I beg to move amendment 78, in clause 11, page 18, line 13, after “subject” insert “or decision subject”.
This amendment, together with Amendments 79 to 101, would apply the rights given to data subjects by this clause to decision subjects (see NC12).
I am pleased to speak to new clause 12, which would insert a definition of decision subjects, and to amendments 79 to 101, 106 and 108 to 110, which seek to insert rights and considerations for decision subjects that mirror those of data subjects at various points throughout the Bill.
Most of our data protection legislation operates under the assumption that the only people affected by data-based and automated decision making are data subjects. The vast majority of protections available for citizens are therefore tied to being a data subject: an identifiable living person whose data has been used or processed. However, as Dr Jeni Tennison described repeatedly in evidence to the Committee, that assumption is unfortunately flawed. Although data subjects form the majority of those affected by data-based decision making, they are not the only group of people impacted. It is becoming increasingly common across healthcare, employment, education and digital platforms for algorithms created and trained on one set of people to be used to reach conclusions about another, wider set of people. That means that an algorithm can make an automated decision that affects an individual to a legal or similarly significant degree without having used their personal data specifically.
For example, as Connected by Data points out, an automated decision could be made about a neighbourhood area, such as a decision on gritting or a police patrol route, based on personal data about some of the people who live in that neighbourhood, with the outcome impacting even those residents and visitors whose data was not directly used. For those who are affected by the automated decision but are not data subjects, there is currently no protection, recognition or method of redress.
The new clause would therefore define the decision subjects who are impacted by the likes of AI without their data having been used, in the hope that we can give them protections throughout the Bill that are equal to those for data subjects, where appropriate. That is especially important because special category data is subject to stricter safeguards for data subjects but not for decision subjects.
Connected by Data illustrates that point using the following example. Imagine a profiling company that uses special category data about the mental health of some volunteers to construct a model that predicts mental health conditions based on social media feeds, which would not be special category data. From that information, the company could give an estimate of how much time people are likely to take off work. A recruitment agency could then use that model to assess candidates and reject those who are likely to have extended absences. The model would never use any special category data about the candidates directly, but those candidates would have been subject to an automated decision that made assumptions about their own special category data, based on their social media feeds. In that scenario, by virtue of being a decision subject, the individual would not have the right to the same safeguards as those who were data subjects.
Furthermore, there might be scenarios in which someone was subject to an automated decision despite having consciously prevented their personal data from being shared. Connected by Data illustrates that point by suggesting that we consider a person who has set their preferences on their web browser so that it does not retain tracking cookies or share information such as their location when they visit an online service. If the online service has collected data about the purchasing patterns of similarly anonymous users and knows that such a customer is willing to pay more for the service, it may automatically provide a personalised price on that basis. Again, no personal data about the purchaser will have been used in determining the price that they are offered, but they will still be subject to an automated decision based on the data of other people like them.
What those scenarios illustrate is that it is whether an automated decision affects an individual in a legal or similarly significant way that should be central to their rights, rather than whether any personal data is held about them. If the Bill wants to unlock innovation around AI, automated decisions and the creative use of data, it is only fair that that be balanced by ensuring that all those affected by such uses are properly protected should they need to seek redress.
This group of amendments would help our legislative framework to address the impact of AI, rather than just its inputs. The various amendments to clause 11 would extend to decision subjects rights that mirror those given to data subjects regarding automated decision making, such as the right to be informed, the right to safeguards such as contesting a decision and the right to seek human intervention. Likewise, the amendments to clauses 27 and 29 would ensure that the ICO is obliged to have regard to decision subjects both generally and when producing codes of conduct.
Finally, to enact the safeguards to which decision subjects would hopefully be entitled via the amendments to clause 11, the amendment to clause 39 would allow decision subjects to make complaints to data controllers, mirroring the rights available to data subjects. Without defining decision subjects in law, that would not be possible, and members of the general public could be left without the rights that they deserve.
I am very much aware of the concern about automated decision making. The Government share the wish of the hon. Member for Barnsley East for all those who may be affected to be given protection. Where I think we differ is that we do not recognise the distinction that she tries to make between data subjects and decision subjects, which forms the basis of her amendments.
The hon. Lady’s amendments would introduce to the UK GDPR a definition of the term “decision subject”, which would refer to an identifiable individual subject to data- based and automated decision making, to be distinguished from the existing term “data subject”. The intended effect is to extend the requirements associated with provisions related to decisions taken about an individual using personal data to those about whom decisions are taken, even though personal information about them is not held or used to take a decision. It would hence apply to the safeguards available to individuals where significant decisions are taken about them solely through automated means, as amendments 78 to 101 call for, and to the duties of the Information Commissioner to have due regard to decision subjects in addition to data subjects, as part of the obligations imposed under amendment 106.
I suggest to the hon. Lady, however, that the existing reference to data subjects already covers decision subjects, which are, if you like, a sub-group of data subjects. That is because even if an individual’s personal data is not used to inform the decision taken about them, the fact that they are identifiable through the personal data that is held makes them data subjects. The term “data subject” is broad and already captures the decision subjects described in the hon. Lady’s amendment, as the identification of a decision subject would make them a data subject.
I will not, at this point, go on to set out the Government’s wider approach to the use of artificial intelligence, because that is somewhat outside the scope of the Bill and has already been set out in the White Paper, which is currently under consultation. Nevertheless, it is within that framework that we need to address all these issues.
Essentially, if anybody is affected by automated decision making on the basis of the characteristics of another person whose data is held—in other words, if the same data is used to take a decision that affects them, even if it does not personally apply to them—they are indeed within the broader definition of a data subject. With that reassurance, I hope that the hon. Member for Barnsley East will consider withdrawing her amendment.
I appreciate the Minister’s comments, but the point is that the data could be used—I gave the example that it might affect a group of residents who were not identifiable but were still subject to that data—so I am not quite sure that I agree with the Minister’s comparison. As the use of automated decision making evolves and expands, it is crucial that even if a person’s data is not being used directly, they are afforded protections and rights if they are subject to the outcome. I would like to press my amendment to a vote.
Question put, That the amendment be made.
They would obviously have that right, and indeed they would ultimately have the right to appeal to the Information Commissioner if they felt that they had been subjected unfairly to a decision where they had not been properly informed of the fact. On the basis of what I have said, I hope the hon. Member for Barnsley East might withdraw her amendment.
I appreciate the Minister’s comment, but the Government protection does not go as far as we would like. Our amendment speaks to the potential imbalance of power in the use of data and it would not require any extra administrative effort on behalf of controllers. For that reason, I will press it to a vote.
Question put, That the amendment be made.
The hon. Lady began her remarks on the broader question of the ambition to ensure that the UK benefits to the maximum extent from the use of artificial intelligence. We absolutely share that ambition, but also agree that it needs to be regulated. That is why we have published the AI regulation White Paper, which suggests that it is most appropriate that each individual regulator should develop its own rules on how that should apply. I think in the case that she was quoting of those who had lost their jobs, maybe through an automated process, the appropriate regulator—in that case, presumably, the special employment tribunal —would need to develop its own mechanism for adjudicating decisions.
I will concentrate on the amendment. On amendment 76, we feel that clause 44 already provides for an overarching requirement on the Secretary of State to consult the Information Commissioner and other persons that she or he considers appropriate before making regulations under UK GDPR, including the measures in article 22. When the new clause 44 powers are used in reference to article 22 provisions, they will be subject to the affirmative procedure in Parliament. I know that the hon. Lady is not wholly persuaded of the merits of using the affirmative procedure, but it does mean that parliamentary approval will be required. Given the level of that scrutiny, we do not think it is necessary for the Secretary of State to have to publish an assessment, as the hon. Lady would require through her amendment.
On amendment 75, as we have already debated in relation to previous amendments, there are situations where non-statutory guidance, which can be produced without being requested under regulations made by the Secretary of State, may be more appropriate than a statutory code of practice. We believe that examples of the kinds of processing that do and do not fall within the definitions of the terms “meaningful human involvement” and “similarly significant” are best placed in non-statutory guidance produced by the ICO, as this will give the flexibility to amend and change the examples where necessary. What constitutes a significant decision or meaningful human involvement is often highly context-specific, and the current wording allows for some inter-pretability to enable the appropriate application of this provision in different contexts, rather than introducing an absolute definition that risks excluding decisions that ought to fall within this provision and vice versa. For that reason, we are not minded to accept the amendments.
I appreciate the Minister’s remarks about consultation and consulting relevant experts. He is right to observe that I am not a big fan of the affirmative procedure as a method of parliamentary scrutiny but I appreciate that it is included in this Bill as part of that.
I think the problem is that we fundamentally disagree on the power to change these definitions being concentrated in the hands of the Secretary of State. It is one thing to future-proof the Bill but another to allow the Secretary of State alone to amend things as fundamental as the safeguards offered here. I would therefore like to proceed to a vote.
Question put, That the amendment be made.
As I was Chair of the Culture, Media and Sport Committee in 2008 when we published a report calling for legislation on online safety, I recognise the hon. Lady’s point that these things take a long time—indeed, far too long—to come about. She calls for action now on governance and regulation of the use of artificial intelligence. She will know that last month the Government published the AI regulation White Paper, which set out the proposals for a proportionate outcomes-focused approach with a set of principles that she would recognise and welcome. They include fairness, transparency and explainability, and we feel that this has the potential to address the risks of possible bias and discrimination that concern us all. As she knows, the White Paper is currently out to consultation, and I hope that she and others will take advantage of that to respond. They will have until 21 June to do so.
I assure the hon. Lady and the hon. Member for Barnsley East that the Government are keenly aware of the need to move swiftly, but we want to do so in consultation with all those affected. The Bill looks at one relatively narrow aspect of the use of AI, but certainly the Government’s general approach is one that we are developing at pace, and we will obviously respond once the consultation has been completed.
The power imbalance between employer and worker has no doubt grown wider as technology has developed. Our amendment speaks to the real-life consequences of that, and to what happens when employment and data law lags behind technology. For the reasons that have been outlined by my hon. Friend the Member for Newcastle upon Tyne Central and myself, I would like to continue with my amendment.
Question put, That the amendment be made.
We have, I think, covered a lot of ground already in the debates on the amendments. To recap, clause 11 reforms the rules relating to automated decision making in article 22 of the UK GDP and relevant sections of the Data Protection Act 2018. It expands the lawful grounds on which solely automated decision making that produces a legal or similarly significant effect on an individual may be carried out.
Currently, article 22 of the UK GDPR restricts such activity to a narrow set of circumstances. By expanding the available lawful grounds and ensuring we are clear about the required safeguards, these reforms will boost confidence that the responsible use of this technology is lawful, and will reduce barriers to responsible data use.
The clause makes it clear that solely automated decisions are those that do not involve any meaningful human involvement. It ensures that there are appropriate constraints on the use of sensitive personal data for solely automated decisions, and that such activities are carried out in a fair and transparent manner, providing individuals with key safeguards.
The clause provides three powers to the Secretary of State. The first enables the Secretary of State to describe cases where there is or is not meaningful human involvement in the taking of a decision. The second enables the Secretary of State to further describe what is and is not to be taken as having a significant effect on an individual. The third enables the introduction of further safeguards, and allows those already set out in the reforms to be amended but not removed.
The reformed section 50 of the Data Protection Act mirrors the changes in subsection (1) for solely automated decision making by law enforcement agencies for a law enforcement purpose, with a few differences. First, in contrast to article 22, the rules on automated decision making apply only where such decisions have an adverse legal or similarly significant effect on the individual. Secondly, the processing of sensitive personal data cannot be carried out for the purposes of entering into a contract with the data subject for law enforcement purposes.
The final difference relates to the safeguards for processing. This clause replicates the UK GDPR safeguards for law enforcement processing but also allows a controller to apply an exemption to them where it is necessary for a particular reason, such as to avoid obstructing an inquiry. This exemption is available only where the decision taken by automated means is reconsidered by a human as soon as reasonably practicable.
The subsections amending relevant sections of the Data Protection Act 2018, which apply to processing by or on behalf of the intelligence services, clarify that requirements apply to decisions that are entirely automated, rather than solely automated. They also define what constitutes a decision based on this processing. I have explained the provisions of the clause, and hope the Committee will feel able to accept it.
I talked at length about my views about the changes to automated decision making when we debated amendments 77, 120, 76, 75, 121 and 122. I have nothing further to add at this stage, but those concerns still stand. As such, I cannot support this clause.
Question put, That the clause stand part of the Bill.
I can be reasonably brief on these amendments. Schedule 3 sets out the consequential changes needed to reflect references to the rules on automated decision making in reformed article 22 and section 50 and other provisions in the UK GDPR and the Data Protection Act 2018. Schedule 3 also sets out that section 14 of the Data Protection Act is repealed. Instead, reformed article 22 sets out the safeguards that must apply, regardless of the lawful ground on which such activity is carried out.
Government amendments 17 to 23 are minor technical amendments ensuring that references elsewhere in the UK GDPR and the Data Protection Act to the provisions on automated decision making are comprehensively updated to reflect the reforms related to such activity in this Bill. That means that references to article 22 UK GDPR are updated to the reformed article 22A to 22D provisions, and references to sections 49 and 50 in the Data Protection Act are updated to the appropriate new sections 50A to 50D.
I thank the Minister for outlining these technical changes. I have nothing further to add on these consequential amendments beyond what has already been discussed on clause 11 and the rules around automated decision making. Consistency across the statute book is important, but all the concerns I raised when discussing the substance of those changes remain.
Amendment 17 agreed to.
Amendments made: 18, in schedule 3, page 140, line 30, before second “in” insert “provided for”.
This amendment and Amendment 19 adjust consequential amendments of Article 23(1) of the UK GDPR for consistency with other amendments of the UK GDPR consequential on the insertion of new Articles 22A to 22D.
Amendment 19, in schedule 3, page 140, line 31, leave out “in or under” and insert
“arising under or by virtue of”.
See the explanatory statement for Amendment 18.
Amendment 20, in schedule 3, page 140, line 33, leave out from “protection” to end of line 35 and insert
“in accordance with, and with regulations made under, Articles 22A to 22D in connection with decisions based solely on automated processing (including decisions reached by means of profiling)”.
This amendment adjusts the consequential amendment of Article 47(2)(e) of the UK GDPR to reflect the way in which profiling is required to be taken into account for the purposes of provisions about automated decision-making (see Article 22A(2) inserted by clause 11).
Amendment 21, in schedule 3, page 140, line 36, leave out paragraph 10 and insert—
“10 In Article 83(5) (general conditions for imposing administrative fines)—
(a) in point (b), for “22” substitute “21”, and
(b) after that point insert—
“(ba) Article 22B or 22C (restrictions on, and safeguards for, automated decision-making);””.
This amendment adjusts the consequential amendment of Art 83(5) of the UK GDPR (maximum amount of penalty) for consistency with the consequential amendment of equivalent provision in section 157(2) of the Data Protection Act 2018.
Amendment 22, in schedule 3, page 141, line 8, leave out sub-paragraph (2) and insert—
“(2) In subsection (3), for “by the data subject under section 45, 46, 47 or 50” substitute “made by the data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D”.”.
This amendment adjusts the consequential amendment of section 52(3) of the Data Protection Act 2018 for consistency with other amendments of that Act consequential on the insertion of new sections 50A to 50D.
Amendment 23, in schedule 3, page 141, line 9, leave out sub-paragraph (3) and insert—
“(3) In subsection (6), for “under sections 45 to 50” substitute “arising under or by virtue of sections 45 to 50D””.—(Sir John Whittingdale.)
This amendment adjusts the consequential amendment of section 52(6) of the Data Protection Act 2018 for consistency with other amendments of that Act consequential on the insertion of new sections 50A to 50D.
Schedule 3, as amended, agreed to.
Clause 12
General obligations
Question proposed, That the clause stand part of the Bill.
One of the main criticisms that the Government have received of the current legislative framework is that it sets out a number of prescriptive requirements that organisations must satisfy to demonstrate compliance. They include appointing independent data protection officers, keeping records of processing, appointing UK representatives, carrying out impact assessments and consulting the ICO about intended processing activities in specified circumstances.
Those rules can sometimes generate a significant and disproportionate administrative burden, particularly for small and medium-sized enterprises and for some third sector organisations. The current framework provides some limited exemptions for small businesses and organisations that are carrying out low-risk processing activities, but they are not always as clear or as useful as they should be.
We are therefore taking the opportunity to improve chapter 4 of the UK GDPR, and the equivalent provisions in part 3 of the Data Protection Act, in respect of law enforcement processing. Those provisions deal with the policies and procedures that organisations and law enforcement organisations must put in place to monitor and ensure compliance. Clauses 12 to 20 will give organisations greater flexibility to implement data protection management programmes that work for their organisations, while maintaining high standards of data protection for individuals.
Clause 12 is technical in nature. It will improve the terminology in the relevant articles of the UK GDPR by replacing the requirement to implement
“appropriate technical and organisational measures”.
In its place, data protection risks must be managed with
“appropriate measures, including technical and organisational measures,”.
That will give organisations greater flexibility to implement any measures that they consider appropriate to help them manage risks. A similar clarification is made to equivalent parts of the Data Protection Act.
Clause 13 will remove article 27 of the UK GDPR, ending the requirement for overseas controllers or processors to appoint a representative in the UK where they offer goods or services to, or monitor the behaviour of, UK citizens—
I think I have covered the points that I would like to make on clause 12.
Clause 12 is a set of largely technical amendments to terminology that I hope will provide clarity to data controllers and processors. I have no further comments to make at this stage.
Question put and agreed to.
Clause 12 accordingly ordered to stand part of the Bill.
Clause 13
Removal of requirement for representatives for controllers etc outside the UK
Question proposed, That the clause stand part of the Bill.
As I was saying, clause 13 will remove article 27 of the UK GDPR, ending the requirement for overseas controllers or processors to appoint a representative in the UK where they offer goods or services to, or monitor the behaviour of, UK citizens. By no longer mandating organisations to appoint a representative, we will be allowing organisations to decide for themselves the best way to comply with the requirements for effective communication. That may still include the appointment of a UK-based representative. The removal of this requirement is therefore in line with the Bill’s wider strategic aim of removing unnecessary prescriptive regulation.
The rules set out in the UK GDPR apply to all those who are active in the UK market, regardless of whether their organisation is based or located in the UK. Article 27 of the UK GDPR currently requires controllers and processors based outside the UK to designate a UK-based representative, unless they process only occasionally without special categories of data, providing an element of proportionality, or are a public authority or body. The idea is that the representative will act on behalf of the controller or processor regarding their UK GDPR compliance and will deal with the ICO and data subjects in that respect, acting as a primary contact for all things data within the country.
The removal of the requirement for a UK representative was not included in the Government’s consultation, “Data: a new direction”, nor was it even mentioned in their response. As a result, stakeholders have not been given an opportunity to put forward their opinions on this change. I wish to represent some of those opinions so that they are on the record for the Minister and his Department to consider.
Concern among the likes of Lexology, DataRep and Which? relates primarily to the fact that the current requirements for UK-based representatives ensure that UK data subjects can conveniently reach the companies that process their personal data, so that they can exercise their rights under the GDPR. Overseas data handlers may have a different first language, operate in a different time zone or have local methods of contact that are not easily accessible from the UK. Having a UK-based point of contact therefore ensures that data subjects do not struggle to apply the rights to which they are entitled because of the inevitable differences that occur across international borders.
As Lexology has pointed out, the Government’s own impact assessment says:
“There is limited information and data on the benefits of having an Article 27 representative as it is a relatively new and untested requirement and also one that applies exclusively to businesses and organisations outside of the UK which makes gathering evidence very challenging.”
By their own admission, then, the Government seem to recognise the challenges in gathering information from organisations outside the UK. If the Government find it difficult to get the information that they require, surely average citizens and data subjects may also face difficulties.
Not only is having a point of contact a direct benefit for data subjects, but a good UK representative indirectly helps data subjects by facilitating a culture of good data protection practice in the organisation that they represent. For example, they may be able to translate complex legal concepts into practical business terms or train fellow employees in a general understanding of the UK GDPR. Such functions may make it less likely that a data subject will need to exercise their rights in the first place.
As well as things being harder for data subjects in the ways I have outlined, stakeholders are not clear about the benefits of removing representatives for UK businesses. For example, the Government impact assessment estimates that the change could save a large organisation £50,000 per year, but stakeholders have said that that figure is an overestimation. Even if the figure is accurate, the saving will apply only to organisations outside the UK and will be made through a loss of employment for those who are actually based in the UK and performing the job.
The question therefore remains: if the clause is not in the interests of data subjects, of UK businesses or of UK-based employees who act as representatives, how will this country actually benefit from the change? I am keen to hear from the Minister on that point.
If there are concerns that were not fed in during the consultation period, obviously we will consider them. However, it remains the case that even without the article 27 representative requirement, controllers will have to maintain contact with UK citizens and co-operate with the ICO under other provisions of the UK GDPR. For example, overseas controllers and processors must still co-operate with the ICO as a result of the specific requirements to do so under article 31 of the UK GDPR. To answer the hon. Lady’s question about where the benefit lies, the clause is part of a streamlining process to remove what we see as unnecessary administrative requirements and bureaucracy.
Question put and agreed to.
Clause 13 accordingly ordered to stand part of the Bill.
Clause 14
Senior responsible individual
Question proposed, That the clause stand part of the Bill.
In a number of places in the Bill, the Government have focused on trying to ensure a more proportionate approach to data protection. That often takes the form of reducing regulatory requirements on controllers and processors where low-risk processing, which presents less of a threat of harm to data subjects, is taking place. Clause 14 is one place in which Ministers have applied that principle, replacing data protection officers with a requirement to appoint a senior responsible individual, but only where high-risk processing is being carried out.
Such a proportionate approach makes sense in theory. Where the stakes are lower, less formalised oversight of GDPR compliance will be required, which will be particularly helpful in small business settings where margins and resources are tight. Where the stakes are higher, however, a senior responsible individual will have a similar duty to that of a data protection officer, but with the added benefit of being part of the senior leadership team, ensuring that data protection is considered at the highest level of organisations conducting high-risk processing.
However, the Government have admitted that the majority of respondents to their consultation disagreed with the proposal to remove the requirement to designate a data protection officer. In particular, respondents were concerned that removing DPOs would result in
“a loss of data protection expertise”
and
“a potential fall in trust and reassurance to data subjects.”
Indeed, data protection officers perform a vital role in upholding GDPR, taking on responsibility for informing people of their obligations; monitoring compliance, including raising awareness and training staff; providing advice, where requested, on data protection impact assessments; co-operating with the regulator; and acting as a contact point. That provides not only guaranteed expertise to organisations, but reassurance to data subjects that they will have someone to approach should they feel the need to exercise any of their rights under the GDPR.
The contradiction between the theory of the benefits of proportionality and the reality of the concerns expressed by respondents to the consultation emphasises a point that the Government have repeatedly forgotten throughout the Bill: although removing truly unnecessary burdens can sometimes be positive, organisations often want clear regulation more than they want less regulation. They believe in the principles of the GDPR, understand the value of rights to data subjects and often over-comply with regulation out of fear of breaking the rules.
In this context, it makes sense that organisations recognise the value of having a data protection officer. They actually want in-house expertise on data—someone they can ask questions and someone they can rely on to ensure their compliance. Indeed, according to the DPO Centre, in September 2022, the UK data protection index panel of 523 DPOs unequivocally disagreed with the idea that the changes made by the clause would be in the best interests of data subjects. Furthermore, when asked whether the proposal to remove the requirement for a DPO and replace it with a requirement for a senior responsible individual would simplify the management of privacy in their organisation, 42% of DPOs surveyed gave the lowest score of 1.
Did the Department consider offering clarification, support and guidance to DPOs, rather than just removing them? Has it attempted to assess the impact of their removal on data subjects? In practice, it is likely that many data protection officers will be rebranded as senior responsible individuals. However, many will be relieved of their duties, particularly since the requirement to be part of the organisation’s senior management team could be problematic for external DPO appointments and those in more junior positions. Has the Department assessed how many data protection officers may lose their job as a result of these changes? Is the number expected to be substantial? Will there be any protections to support those people in transitioning to skilled employment surrounding data protection and to prevent an overall reduction of data protection expertise in organisations?
The clause does not in any way represent a lessening of the requirement on organisations to comply with data protection law. It simply introduces a degree of flexibility. An organisation could not get rid of data protection officers without ensuring that processing activities likely to pose high risks to individuals are still managed properly. The senior responsible individual will be required to ensure that that is the case.
At the moment, even small firms whose core activities do not involve the processing of sensitive data must have a data protection officer. We feel that that is an unnecessary burden on those small firms, and that allowing them to designate an individual will give them more flexibility without reducing the overall level of data protection that they require.
Question put and agreed to.
Clause 14 accordingly ordered to stand part of the Bill.
Clause 15
Duty to keep records
Question proposed, That the clause stand part of the Bill.
Clauses 15 and 16 will improve the record-keeping requirements under article 30 of the UK GDPR and the logging requirements under part 3 of the Data Protection Act, which is concerned with records kept for law enforcement purposes. Article 30 of the UK GDPR requires most organisations to keep records of their processing activities and includes a list of requirements that should be included in the record. Those requirements can add to the paperwork that organisations have to keep to demonstrate compliance. Although there is an exemption from those requirements in the UK GDPR for some small organisations, it has a limited impact because it applies only where their processing of personal data is “occasional”.
Clause 15 will replace the record-keeping requirements under article 30. It will make it easier for data controllers to understand exactly what needs to be included in the record. Most importantly, organisations of any size will no longer have to keep records of processing, unless their activities are
“likely to result in a high risk”
to individuals. That should help small businesses in particular, which have found the current small business exemption difficult to understand and apply in practice.
Clause 16 will make an important change to the logging requirements for law enforcement purposes in part 3 of the Data Protection Act. It will remove the ineffective requirement to record a justification when an officer consults or discloses personal data for the purposes of an investigation. The logging requirements are unique to the law enforcement regime and aim to assist in monitoring and auditing data use. Recording a justification for accessing data was intended to help protect against unlawful access, but the reality is that someone is unlikely to record an honest reason if their access is unlawful. That undermines the purpose of this requirement, because appropriate and inappropriate uses would both produce essentially indistinguishable data.
As officers often need to access large amounts of data quickly, especially in time-critical scenarios, the clause will facilitate the police’s ability to investigate and prevent crime more swiftly. We estimate that the change could save approximately 1.5 million policing hours. Other elements of the logs, such as the date and time of the consultation or disclosure and the identity of the person accessing them, are likely to be far more effective in protecting personal data against misuse; those elements remain in place. On that basis, I commend the clauses to the Committee.
Record keeping is a valuable part of data processing. It requires controllers, and to a lesser extent processors, to stay on top of all the processing that they are conducting by ensuring that they record the purposes for processing, the time limits within which they envisage holding data and the categories of recipients to whom the data has been or will be disclosed.
Many respondents to the Government’s consultation “Data: a new direction” said that they did not think the current requirements were burdensome. In fact, they said that the records allow them easily to understand the personal data that they are processing and how sensitive it is. It is likely that that was helped by the fact that the requirements were proportionate, meaning that organisations that employed under 250 people and were not conducting high-risk processing were exempt from the obligations.
It is therefore pleasing to see the Government rolling back on the idea of removing record-keeping requirements entirely, as was suggested in their consultation. As was noted, the majority of respondents disagreed with that proposal, and it is right that it has been changed. However, some respondents indicated a preference for more flexibility in the record-keeping regime, which is what I understand the clause is trying to achieve. Replacing the current requirements with a requirement to keep an appropriate record of processing, tied to high-risk activities, will give controllers the flexibility that they require.
As with many areas of the Bill, it is important that we be clear on the definition of “appropriate” so that it cannot be used by those who simply do not want to keep records. I therefore ask the Minister whether further guidance will be available to assist controllers in deciding what counts as appropriate.
I also wish to highlight the point that although in isolation the clause does not seem to change requirements much, other than by adding an element of proportionality, it cannot be viewed in isolation. In combination with other provisions, such as the reduced requirements on DPIAs and the higher threshold for subject access requests, it seems that there will be less records overall on which a data subject might be able to rely to understand how their personal information is being used or to prove how it has been used when they seek redress. With that in mind, I ask the Minister whether the Government have assessed the potential impact of the combination of the Bill’s clauses on the ability of data subjects to exercise their rights. Do the Government have any plans to work with the commissioner to monitor any such impacts on data subjects after the Bill is passed?
I turn to clause 16. Section 62 of the Data Protection Act 2018 requires competent authorities to keep logs that show who has accessed certain datasets, and at what time. It also requires that that access be justified: the reason for consulting the data must be given. Justification logs exist to assist in disciplinary proceedings, for example if there is reason to believe that a dataset has been improperly accessed or that personal data has been disclosed in an unauthorised way. However, as Aimee Reed, director of data at the Met police and chair of the national police data board, told the Committee:
“It is a big requirement across all 43 forces, largely because…we are operating on various aged systems. Many of the technology systems…do not have the capacity to log section 62 requirements, so police officers are having to record extra justification in spreadsheets alongside the searches”.––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 56, Q118.]
That creates what she described as a “considerable burden”.
Understandably, therefore, the Bill removes the justification requirement. There are some—the Public Law Project, for example—who have expressed concern that this change would pose a threat to individual rights by allowing the police to provide a retrospective justification for accessing records. However, as the explanatory notes indicate, it is highly unlikely that in an investigation concerning inappropriate use, a justification recorded by the individual under investigation for improper access or unauthorised access could be relied on anyway. Clause 16 would therefore not stop anyone from being investigated for improper access; it would simply reduce the burden of recording a self-identified justification that could hardly be relied on anyway. I welcome the intent of the clause and the positive impact that it could have on our law enforcement processing.
The intention behind clause 15 is to reduce the burden on organisations by tying the record-keeping requirements to high-risk processing activities. If there is uncertainty about the nature of the risk, organisations will be able to refer to ICO guidance. The ICO has already published examples on its website of processing that is likely to be high-risk for the purposes of completing impact assessments; clause 17 will require it to apply the guidance to the new record-keeping requirements as well. It will continue to provide guidance on the matter, and we are happy to work with it on that.
With respect to clause 16, I am most grateful for the Opposition’s welcome recognition of the benefits for crime prevention and law enforcement.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16 ordered to stand part of the Bill.
Clause 17
Assessment of high risk processing
I beg to move amendment 102, in clause 17, page 32, line 12, leave out from “with” to the end of line 28 on page 33 and insert
“subsection (2)
(2) In Article 57(1) (Information Commissioner’s tasks), for paragraph (k) substitute—
‘(k) produce and publish a document containing examples of types of processing which the Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals (for the purposes of Articles 27A, 30A and 35);’.”
This amendment would remove the provisions of clause 17 which replace the existing data protection impact assessment requirements with new requirements about “high risk processing”, leaving only the requirement for the ICO to produce a document containing examples of types of processing likely to result in a high risk to the rights and freedoms of individuals.
As was the intention, the Bill loosens restrictions on processing personal data in many areas: it adds a new lawful basis and creates new exceptions to purpose limitation, removes blocks to automated decision-making and allows for much thinner record keeping. Each change in isolation may make only a relatively small adjustment to the regime. Collectively, however, they result in a large-scale shift towards controllers being able to conduct more processing, with less transparency and communication, and having fewer records to keep, all of which reduces opportunities for accountability.
As mentioned, loosening restrictions is an entirely deliberate consequence of a Bill that seeks to unlock innovation through data—an aim that Members across the House, including me, are strongly behind, given the power of data to influence growth for the public good. However, given the cumulative impact of this deregulation, where increasingly opaque processing is likely to result in a large risk to people’s rights, a processor might at the very least record how they will ensure that any high-risk activities that they undertake do not lead to unlawful or discriminatory outcomes for the general public. That is exactly what the current system of DPIAs, as outlined in article 35 of GDPR, allows for. These assessments, which require processors to measure their activities against the risk to the rights and freedoms of data subjects, are not just a tick-box exercise, unnecessary paperwork or an administrative burden; they are an essential tool for ensuring that organisations do not deploy, and individuals are not subjected to, systems that may lead to a fundamental breach of their rights.
Assessments of that kind are not a concept unique to data processing. The Government routinely publish impact assessments on the legislation that they want to introduce; any researcher or scientist is likely to conduct an assessment of the safety and morality of their methodology; and a teacher will routinely and formally measure the risks involved when taking pupils on a school trip. Where activities pose a high risk to others, it is simply common practice to keep a record of where the risks lie, and to make plans to ensure that they are mitigated where possible.
In the case of data, not only are DPIAs an important mechanism to ensure that risks are managed, but they act as a key tool for data subjects. That is first because the process of conducting a DPIA encourages processors to consult data subjects, either directly or through a representative, on how the type of processing might impact them. Secondly, where things go wrong for data subjects, DPIAs act as a legal record of the processing, its purpose and the risks involved. Indeed, the Public Law Project, a registered charity that employs a specialist lawyer to conduct research, provide training and take on legal casework, identified DPIAs as a key tool in litigating against the unlawful use of data processing. They show a public law record of the type of processing that has been conducted, and its impact.
The TUC and the Institute for the Future of Work echo that, citing DPIAs as a crucial process and consultation tool for workers and trade unions in relation to the use of technology at work. The clause, however, seeks to water down DPIAs, which will become “assessments of high-risk processing”. That guts both the fundamental benefit of risk management that they offer in a data protection system that is about to become increasingly transparent, and the extra benefits that they give to data subjects.
Instead of requiring a systematic description of the processing operations and purposes, under the new assessments the controller would be required only to summarise the purpose of the processing. Furthermore, instead of conducting a proportionality assessment, controllers will be required only to consider whether the processing is necessary for the stated purpose. The Public Law Project describes the proportionality assessment as a crucial legal test that weighs up whether an infringement of human rights, including the right not to be discriminated against, is justified in relation to the processing being conducted.
When it comes to consultation, where previously it was encouraged for controllers to seek the views of those likely to be impacted by the processing, that requirement to seek those views will now be entirely omitted, despite the important benefit to data subjects, workers and communities. The new tests therefore simply do not carry the same weight or benefit as DPIAs, which in truth could themselves be strengthened. It is simply not appropriate to remove the need to properly assess the risk of processing, while simultaneously removing restrictions that help to mitigate those risks. For that reason, the clause must be opposed; we would keep only the requirement for the ICO to produce that much-needed guidance on what constitutes high-risk processing.
Moving on to amendment 103, given the inherent importance of conducting risk assessments for high-risk processing, and their potential for use by data subjects when things go wrong, it seems only right that transparency be built into the system where it comes to Government use of public data. The amendment would do just that, and only that. It would not adjust any of the requirements on Government Departments or public authorities to complete high-risk assessments; it would simply require an assessment to be published in any case where one is completed. Indeed, the ICO guidance on DPIAs says:
“Although publishing a DPIA is not a requirement of UK GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your DPIAs, where possible, removing sensitive details if necessary.”
However, very few organisations choose to publish their assessments. This is a chance for the Government to lead by example, and foster an environment of trust and confidence in data protection
Alongside the amendment I tabled on compulsory reporting on the use of algorithms, this amendment is designed to afford the general public honesty and openness on how their data is used, especially where the process has been identified as having a high risk of causing harm. Again, a published impact assessment would provide citizens with an official record of high-risk uses of their data, should they need that when seeking redress. However, a published impact assessment would also encourage responsible use of data, so that redress does not need to be sought in the first place.
The Government need not worry about the consequences of the amendment if they already meet the requirement to conduct the correct impact assessments and process them in such a way that the benefits are not heavily outweighed by a risk to data rights. If rules are being followed, the amendment will only provide proof of that. However, if anyone using public data in a public authority’s name did so without completing the appropriate assessments, or processed that data in a reckless or malicious way, there would be proof of that. Where there is transparency, there is accountability, and where the Government are involved, accountability is always crucial in a democracy. The amendment would ensure that accountability shined through in data protection law.
Finally, I turn to clause 18. The majority of respondents to the “Data: a new direction” consultation agreed that organisations are likely to approach the ICO voluntarily before commencing high-risk processing activities if that is taken into account as a mitigating factor in any future investigation or enforcement action. The loosening of requirements in the clause is therefore not a major concern. However, when that is combined with the watering down of the impact assessments, there remains an overarching concern about the oversight of high-risk processing. I refer to my remarks on clause 17, in which I set out the broader problems that the Bill poses to protection against harms from high-risk processing.
As we have discussed, one of the principal objectives of this part of the Bill is to remove some of the prescriptive unnecessary requirements on organisations to do things to demonstrate compliance. Clauses 17 and 18 reduce the unnecessary burdens placed on organisations by articles 35 and 36 of the UK GDPR in respect of data protection impact assessments and prior consultation with the ICO respectively.
Clause 17 will replace the EU-derived notion of a data protection impact assessment with more streamline requirements for organisations to document how they intend to assess and mitigate risks associated with high-risk processing operations. The changes will apply to both the impact assessment provisions under the UK GDPR and the section of the Data Protection Act 2018 that deals with impact assessments for processing relating to law enforcement. Amendment 102 would reverse those changes to maintain the current data protection impact assessment requirements, but we feel that this would miss an important opportunity for reform.
There are significant differences between the new provisions in the Bill and current provisions on data protection impact assessments. First, the new provisions are less prescriptive about the precise processing activities for which a risk assessment will be required. We think organisations are best placed to judge whether a particular activity poses a high risk to individuals in the context of the situation, taking account of any relevant guidance from the regulator.
Secondly, we have also removed the mandatory requirement to consult individuals about the intended processing activity as part of a risk-assessment process, as that imposes unnecessary burdens. There are already requirements in the legislation to ensure that any new processing is fair, transparent and designed with the data protection principles in mind. It should be open to businesses to consult their clients about intended new processing operations if they wish, but that should not be dictated to them by the data protection legislation.
Clause 18 will make optional the previous requirement for data controllers to consult the commissioner when a risk assessment indicates a potential high risk to individuals. The Information Commissioner will be able to consider any voluntary actions that organisations have taken to consult the ICO as a factor when imposing administrative fines on a data controller. Currently, compliance with the prior consultation requirement is low, likely due to a lack of clarity in the legislation and a reluctance for organisations to engage directly with the regulator on potential high-risk processing. The clause will encourage a more proactive, open and collaborative dialogue between the ICO and organisations, so that they can work together to better mitigate the risks.
The Opposition’s amendment 103 would mandate the publication of risk assessments by all public sector bodies. That requirement would, in our view, place a disproportionate burden on public authorities of all sizes. It would apply not just to Departments but to smaller public authorities such as schools, hospitals, independent pharmacies and so on. The amendment acknowledges that each public authority would have to spend time redacting sensitive details from risk assessments prior to publication. As those assessments can already be requested by the ICO as part of its investigations, or by members of the public via freedom of information requests, we do not think it is necessary to impose that significant new burden on all public bodies. I therefore invite the hon. Member for Barnsley East to withdraw her two amendments, and I commend clauses 17 and 18 to the Committee.
I am happy not to press amendment 103 to a vote, but on amendment 102, I simply do not think it is appropriate to remove the need to properly assess the risk of processing while removing the restrictions that help to mitigate it. For those reasons, I will press it to a vote.
Question put, That the amendment be made.
Clause 19 introduces an ability for public bodies with the appropriate knowledge and expertise to produce codes of conduct applicable to the law enforcement regime. The clause mirrors the equivalent provision in the UK GDPR.
As with regular guidance, these codes of conduct will be drafted by law enforcement data protection experts and tailored to the specific data protection issues that affect law enforcement agencies, to help improve compliance with the legislation and encourage best practice. However, they are intended to carry more weight, because they will additionally have the formal approval of the Information Commissioner.
When a code of conduct is produced, there is a requirement to submit a draft of it to the Information Commissioner. While that is good practice, we think it is unnecessary to mandate that. Government amendment 1 replaces that requirement with a duty on the commissioner to instead encourage public bodies to do that. Government amendments 2 and 3 are consequential to that.
Where a public body has submitted a code of conduct to the commissioner for review, Government amendment 4 removes the requirement for the commissioner to review any subsequent amendments made by the public body until the initial draft has been considered. This change will promote transparency, greater clarity and confidence in how police process personal data under the law enforcement regime. Codes of conduct are not a new concept. The clause mirrors what is already available under the UK GDPR.
The Bill fails to fully recognise that the burdens that organisations face in complying with data protection legislation are not always best dealt with by simply removing the protections in place. In many cases, clarification and proper guidance can be just as fruitful in allowing data protection to work more seamlessly. Clauses such as clause 19, which seeks to create an environment in which best practice is shared on how to comply with data protection laws and deal with key data protection challenges, are therefore very welcome. It is absolutely right that we should capitalise on pockets of experience and expertise, especially in the public sector, where resources have often been stretched, particularly over the last 13 years. We should ensure that learnings are shared with those who are less familiar with how to resolve challenges around data.
It is also pleasing to see that codes that give sector-specific guidance will be approved by the commissioner before being published. That will ensure absolute coherence between guidance and the enforcement of data protection law more widely. I look forward to seeing what positive impact the codes of conduct will have on how personal data is handled by public bodies, to the benefit of the general public as well as the public bodies themselves; the burden on them will likely be lifted as a result of the clarity provided by the guidance.
I welcome the Opposition’s support.
Amendment 1 agreed to.
Amendments made: 2, in clause 19, page 35, line 26, leave out from ‘body’ to ‘, the’ in line 27 and insert ‘does so’.
This amendment is consequential on Amendment 1.
Amendment 3, in clause 19, page 35, line 28, leave out ‘draft’.
This amendment is consequential on Amendment 2.
Amendment 4, in clause 19, page 35, line 33, leave out from ‘conduct’ to the end of line 34 and insert—
‘that is for the time being approved under this section as they apply in relation to a code’.—(Sir John Whittingdale.)
This amendment makes clear that the Commissioner’s duty under new section 68A of the Data Protection Act 2018 to consider whether to approve amendments of codes of conduct relates only to amendments of codes that are for the time being approved under that section.
Clause 19, as amended, ordered to stand part of the Bill.
Clause 20
Obligations of controllers and processors: consequential amendments
Question proposed, That the clause stand part of the Bill.
I am grateful to the Minister, and I will focus my remarks particularly on the contents of schedule 5 before explaining the thought process behind amendment 104.
In the globalised world in which we live, we have an obligation to be outward looking and to consider not just the activities that take place in the UK, but those that occur worldwide. When it comes to data protection, that means accepting that data will likely need to travel across borders, and inserting appropriate safeguards so that UK citizens do not lose the protection of data protection laws if their personal data is transferred away from this country. The standard of those safeguards is absolutely crucial to the integrity of our entire data protection regime. After all, if a controller can simply send the personal data of UK citizens to a country that has limited data protection laws for processing that would be unlawful here, and if they can transfer that data back afterwards, in reality our laws are only as strong as the country with the weakest protections in the world.
As things stand, there is only a limited set of circumstances under which personal data can be transferred to a third party outside the UK. One such circumstance is where there is an adequacy agreement, similar to that which we have with the EU. For such an agreement to be reached, the Secretary of State must have considered many things, including the receiver’s respect for human rights and data rules; the presence, or lack thereof, of a regulator, and its independence; and any international commitments they have made in relation to data protection. These amendments ensure that data can flow freely between the UK and another country as long as the level of protection received by citizens is not undermined by the regulatory structure in that country.
The Bill amends the adequacy-based framework and replaces it with a new outcomes-based approach through the data protection test. The test is met if the standard of the protection provided for data subjects, with regard to the general processing of personal data in the country or by the organisation, is not materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018.
When deciding whether the test is met, the Secretary of State must still consider many of the same things: their respect for human rights, the existence of a regulator, and international obligations. However, stakeholders such as Reset.tech and the TUC have expressed concern that the new test could mean that UK data is transferred to countries with lower standards of protection than previously. That is significant not just for data subjects in the UK, who may be faced with weaker rights, but for business, which fears that this may signify a divergence from the EU GDPR that could threaten the UK’s own adequacy status. Losing this agreement would have real-world consequences for UK consumers and businesses to the tune of hundreds of millions of pounds. What conversations has the Minister had with representatives of the European Commission to ensure that the new data protection test does not threaten adequacy? Does he expect the new data protection test to result in the data of UK citizens being passed to countries with weaker standards than are allowed under the current regime?
Moving on to amendment 104, one reason why some stakeholders are expressing concern about the new rules is because they appear to omit article 44. As it stands, for those who are concerned about the level of data protection available to them as a result of international transfers, article 44 of the UK GDPR provides a guarantee that the integrity of the UK’s data protection laws will be protected. Indeed, it sets out that all provisions relating to the international transfer of UK personal data
“shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
If UK data will not be transferred to countries with weaker protections, it is not clear why this simple guarantee would be removed. The amendment would clear up any confusion around that and reinsert the article so that data subjects can be reassured of the strength of this new data protection test and of their rights.
Again, it is important to emphasise that getting the clause right is absolutely essential, as it underpins the entire data protection regime in the country. Getting it wrong could cost a huge amount, rendering the Bill, the UK GDPR and the Data Protection Act 2018 essentially useless. It is likely that the Government do not intend to undermine their own regulatory framework. Reinserting the article would confirm that in the Bill, offering complete clarity that the new data protection test will not result in lower levels of protection for UK data subjects.
We completely agree with the hon. Lady that we would not wish to see data transferred to countries that have an inferior data protection regime. However, we do not think amendment 104 is required to achieve that, because the reforms in chapter 5 already provide for a clear and high standard of protection when transferring personal data overseas. It states that the standard of protection in that country must not be “materially lower” than the standard under the UK GDPR. That ensures that high standards of data protection are maintained. In addition, we feel that the amendment would return us to the confusion of the existing regime. At present, the legislative framework makes it difficult for organisations and others to understand what standard needs to be applied when transferring personal data internationally, with several terms used in the chapter and in case law. Our reforms ensure that a clear standard applies, which maintains protection for personal data.
The hon. Lady raised the EU’s data adequacy assessment. That is something that featured earlier in our debates on the Bill, and, as we heard from a number of our witnesses, including the information commissioner, there is no reason to believe that this in any way jeopardises the EU’s assessment of the UK’s data adequacy.
Government amendment 24 revises new article 45B(3)(c) of the UK GDPR, which is inserted by schedule 5 and which makes provision about the data protection test that must be satisfied for data bridge regulations to be made. An amendment to the Bill is required for the Secretary of State to retain the flexibility to make data bridge regulations covering transfers from the UK or elsewhere. The amendment will preserve the status quo under the current regime, in which the Secretary of State’s power is not limited to covering only transfers from the UK. In addition to these amendments, four other minor and technical Government amendments —25, 26, 28 and 29—were tabled on 10 May.
Question put and agreed to.
Clause 21 accordingly ordered to stand part of the Bill.
Schedule 5
Transfers of personal data to third countries etc: general processing
Amendments made: 24, in schedule 5, page 147, line 3, leave out “from the United Kingdom” and insert
“to the country or organisation by means of processing to which this Regulation applies as described in Article 3”.
New Article 45B(3)(c) of the UK GDPR explains how references to processing of personal data in a third country should be read (in the data protection test for regulations approving international transfers of personal data). This amendment changes a reference to data transferred from the United Kingdom to include certain data transferred from outside the United Kingdom.
Amendment 25, in schedule 5, page 147, line 12, leave out
“the transfer of personal data”
and insert “transfer”.
This amendment and Amendment 26 simplify the wording in new Article 45B(4)(b) of the UK GDPR.
Amendment 26, in schedule 5, page 147, line 14, leave out
“the transfer of personal data”
and insert “transfer”.—(Sir John Whittingdale.)
See the explanatory statement for Amendment 25.
Schedule 5, as amended, agreed to.
Schedule 6
Transfers of personal data to third countries etc: law enforcement processing
Amendments made: 27, in schedule 6, page 155, line 39, leave out “from the United Kingdom” and insert—
“to the country or organisation by means of processing to which this Act applies as described in section 207(2)”.
New section 74AB(3)(c) of the Data Protection Act 2018 explains how references to processing of personal data in a third country should be read (in the data protection test for regulations approving international transfers of personal data). This amendment changes a reference to data transferred from the United Kingdom to include certain data transferred from outside the United Kingdom.
Amendment 28, in schedule 6, page 156, line 6, leave out
“the transfer of personal data”
and insert “transfer”.
This amendment and Amendment 29 simplify the wording in new section 74AB(4)(b) of the Data Protection Act 2018.
Amendment 29, in schedule 6, page 156, line 8, leave out
“the transfer of personal data”
and insert “transfer”.—(Sir John Whittingdale.)
See the explanatory statement for Amendment 28.
Schedule 6, as amended, agreed to.
Schedule 7 agreed to.
Clause 22
Safeguards for processing for research etc purposes
Clause 22 creates a new chapter in the UK GDPR that provides safeguards for the processing of personal data for the purposes of scientific research or historical research, archiving in the public interest, and for statistical purposes. Currently, the provisions that provide safeguards for those purposes are spread across the UK GDPR and the Data Protection Act 2018.
Clause 22 consolidates those safeguards in a new chapter 8A of the UK GDPR. Those safeguards ensure that the processing of personal data for research, archiving and statistical purposes does not cause substantial damage or substantial distress and that appropriate technical and organisational measures are in place to respect data minimisation. Clause 23 sets out consequential changes to the UK GDPR and Data Protection Act 2018 required as a result of the changes being made in clause 22 to consolidate safeguards for research.
Government amendments 34 to 39 are minor, technical amendments clarifying that, as part of the pre-existing additional requirement when processing for research, archiving and statistical purposes, a controller is to use anonymous—rather that personal—data, unless that means that those purposes cannot be fulfilled. It makes clear that processing to anonymise the personal data is permitted. On that basis, I commend the clauses, and indeed the Government amendments, to the Committee.
With regards to clause 22, it is pleasing to see a clause confirming the safeguards that are applicable when processing under the new research and scientific purposes. For example, it is welcome that it is set out that such processing must not cause substantial damage or distress to a data subject, must respect the principle of data minimisation and must not make decisions related to a particular data subject unless it is for approved medical research.
Those safeguards are especially important given the concerns that I laid out over the definition of scientific research in clause 2, which could lead to the abuse of data under the guise of legitimate research. I have no further comments on the clause or the Government’s amendments to it at this stage, other than to reiterate that the definition of scientific research must have clear boundaries if any of the clauses that concern research are to be used as intended.
Clause 23 makes changes consequential on those in clause 22, so I refer to the substance of my remarks during the discussion of the previous clause.
Amendment 34 agreed to.
Clause 24 introduces an exemption that can be applied to the processing of personal data for law enforcement purposes under the law enforcement regime for the purposes of safeguarding national security. It will replace the current, more limited national security exemptions that exist in the law enforcement regime and mirror the existing exemptions in the UK GDPR and intelligence services regime.
The clause will allow organisations to exempt themselves from specified provisions in the law enforcement regime of the Data Protection Act 2018, such as some of the data protection principles and the rights of the individual, but only where it is necessary to do so for the purposes of safeguarding national security. Like the other exemptions in the Act, it must be applied on a case-by-case basis. There are limits to what the exemption applies to. The processing of data by law enforcement authorities must always be lawful, and the protections surrounding sensitive processing remain.
Subsection (2) amends the general processing regime of the Data Protection Act, regarding processing under UK GDPR, to remove the ability of organisations to exempt themselves, on the grounds of safeguarding national security, from article 77 of the UK GDPR, which provides the right for individuals to lodge a complaint with the Information Commissioner. That is because we do not consider exemption from that provision necessary. The change will align the national security exemption applicable to UK GDPR processing with the other national security exemptions in the Data Protection Act 2018, which do not permit the exemption to be applied in relation to an individual’s right to complain to the Commissioner.
The ability of a Minister of the Crown to issue a certificate certifying the application of the exemption for the purposes of safeguarding national security, which previously existed, is retained; clause 24(8) simply updates that provision to reflect the new exemption. That change will assist closer working between organisations operating under the three distinct data protection regimes by providing greater confidence that data that, for example, may be of importance to a police investigation but also pertinent to a separate national security operation can be properly safeguarded by both organisations. I will allow the hon. Member for Barnsley East to speak to amendment 105, because I wish to respond to her.
I am grateful to the Minister. I want to speak today about a concern that has been raised about clauses 24, 25 and 26, so I will address them before speaking to amendment 105.
In essence, the clauses increase the opportunities for competent authorities to operate in darkness when it comes to personal data through both national security certificates and designation notices. Though it may of course be important in some cases to adjust data protection regulation in a minimal way to protect national security or facilitate working with the intelligence services, important too is the right to understand how any competent authority is processing our personal data—particularly given the growing mistrust around police culture.
To cite one stark example of why data transparency in law enforcement is important, after Sarah Everard was murdered, more than 30 police officers were reportedly investigated for unnecessarily looking up her personal data. First, that demonstrates that there is a temptation for officers to access personal data without due reason, perhaps particularly when it is related to a high-profile case. Secondly, however, it shows that transparency does hold people accountable. Indeed, thankfully, the individuals who were accused of accessing the data were swiftly investigated. That would not have been possible if that transparency had been restricted—for example, had there been a national security certificate or a designation notice in place.
The powers to apply for the certificates and notices that allow the police and law enforcement authorities exemptions from data protection, although sometimes needed, must be used extremely sparingly and must be proportionate to the need to protect national security. However, that proportionate approach does not appear to be guaranteed in the Bill, despite it being a requirement in human rights law.
In their oral and written evidence, representatives from Rights and Security International warned that clauses 24 to 26 could actually violate the UK’s obligations under the Human Rights Act 1998 and the European convention on human rights. Everything that the UK does, including in the name of national security or intelligence services, must comply with human rights and the ECHR. That means that any time there is interference with the privacy of people in the UK—which is considered a fundamental right—for it to be lawful, the law in question must do only what is truly necessary for national security. That necessity standard is a high one, and it does not take into account whether a change might be more convenient for a competent authority.
Will the Minister clearly explain in what way the potential powers given to law enforcement under clauses 24 to 26, in both national security certificates and designation notices, would be strictly proportionate and necessary for national security, rather than simply making the operations of law enforcement easier and more convenient?
Primarily, the concern is for those whose data could be used in a way that fundamentally infringes on their privacy, but there are practical concerns too. Any clauses that contain suspected violations of human rights could set up the Government for lengthy legal battles, both in the UK and at the European Court of Human Rights, about their data protection and surveillance regimes. Furthermore, any harm to the UK’s important relationships with the EU around data could threaten the adequacy agreement which, as we have all repeatedly heard, is vital to our economy.
It is vital, then, that Minister confirms that both national security certificates and designation notices will be used only where necessary, and exemptions will be allowed only where necessary. If that cannot be satisfied, we must oppose the clauses.
I will now focus on amendment 105. Where powers are available to provide exemptions to privacy protections on grounds of national security, it is important that they are protected from exploitation, and not unduly concentrated in any individual’s hands without appropriate checks and balances. However, Rights and Security International warned that that was not taken into appropriate consideration in clause 25. Instead, the power to issue designation notices has been concentrated almost entirely in the hands of the Secretary of State, with no accountability measures built in.
Designation notices allow for joint processing between a qualifying competent authority and the intelligence services, which could have greatly beneficial consequences for tackling crime and threats to our national security, but they will also allow for both those parties to be exempt from what are usually crucial data protections. They must therefore be used sparingly, and only when necessary and proportionate.
As we have seen—and as I will argue countless times—we cannot rely on the Secretary of State’s acting in good faith. Our legislation must instead protect against a Secretary of State who acts in bad faith. Neither can we rely on the Secretary of State having the level of expertise needed to make complex and technical decisions, especially those that impact on national security and data rights at the same time.
Despite that, under clause 25(2), the Secretary of State alone can specify which competent authorities qualify as able to apply for a designation notice. Under subsection (3), it is the Secretary of state alone to whom qualifying competent authorities will jointly apply. It is the Secretary of State who reviews a notice and has the power to withdraw it, and it is the Secretary of State who makes transition arrangements.
Although there is a requirement in the Bill to consult the commissioner, the amendment seeks to formalise some independent oversight of the designation process by ensuring that the commissioner has an actual say in approving the notices and adjusting the concentration of power so that it does not lie solely in the Secretary of State’s hands. That would mean that should the Secretary of State act in bad faith, or lack the expertise needed to make such a decision—whether aware or unaware of this fact—the commissioner would be able to help to ensure that an informed and proportionate decision was made with regard to each notice applied for. This would not present any designation notices from being issued when they were genuinely necessary; it would simply safeguard their approval when they were.
I assure the hon. Lady that clauses 25 and 26 are necessary for the improvement of national security. The reports on events such as the Manchester and Fishmongers’ Hall terrorist incidents have demonstrated that better joined-up working between the intelligence services and law enforcement is in the public interest to safeguard national security. A current barrier to such effective joint working is that only the intelligence services can operate under part 4 of the Data Protection Act, which is drafted to reflect the unique operational nature of their processing.
(1 year, 6 months ago)
Public Bill CommitteesIt is a pleasure to serve under your chairmanship, Mr Hollobone. May I thank all hon. Members for volunteering to serve on the Committee? When I spoke on Second Reading, I expressed my enthusiastic support for the Bill—just as well, really. I did not necessarily expect to be leading on it in Committee, but I believe it is a very important Bill. It is complex and will require quite a lot of scrutiny, but it will create a framework of real benefit to the UK, by facilitating the exchange of data and allowing us to take the maximum advantage of emerging technologies. I look forward to our debates over the next few days.
Clause 1 will create a test in legislation to help organisations to understand whether the data that they are processing is personal or anonymous. This is important, because personal data is subject to data protection rules but anonymous data is not. If organisations can be confident that the data they are processing is anonymous, they will be able to use it for important activities such as research and product development without concern about the potential impact on individuals’ personal data.
The new test will require data controllers considering whether data is personal or anonymous to consider two scenarios. The first is where a living individual can be identified by somebody within the data controller or processor’s own organisation using reasonable means at any point at which the data is being processed, from the initial point of collection for its use and storage to its eventual deletion or onward transmission. The second scenario is where the data controller or processor knows or should reasonably know that somebody outside the organisation is likely to obtain the information and to be able to re-identify individuals from it using reasonable means. That could be a research partner or a business client with whom the data controller intends to share the data, or an outside organisation that obtains the data as a result of the data controller not putting adequate security measures in place.
What would be considered “reasonable means” in any given case takes into account, among other things, the time, effort and cost of identifying the individual, as well as the technology available during the time the processing occurs. We hope that the clarity the test provides will give organisations greater confidence about using anonymous data for a range of purposes, from marketing to medical research. I commend the clause to the Committee.
It is a pleasure to serve under your chairship, Mr Hollobone. I echo the Minister’s thanks to everyone serving on the Bill Committee; it is indeed a privilege to be here representing His Majesty’s loyal Opposition. I look forward to doing our constitutional duty as we scrutinise the Bill today and in the coming sittings.
The definition of personal data is critical, not only to this entire piece of legislation, but to the data protection regime more widely. That is because the definition of what counts as personal data sets the parameters on who will benefit from protections and safeguards set out by the legislation, and, looking at it from the other side, the various protections will not apply when data is not classed as personal. It is therefore important that the definition should be clear for both controllers and data subjects, so that everyone understands where regulations and, by extension, rights do and do not apply.
The Bill defines personal data as that where a data subject can be identified by a controller or processor, or anyone likely to obtain the information,
“by reasonable means at the time of processing”.
According to the Bill, “reasonable means” take into account the time, effort, costs, technology and resources available to the person. The addition of “reasonable” to the definition has caused major concern among civil society groups, which are worried that it will introduce an element of subjectivity from the perspective of the controller when determining whether data is personal or not. Indeed, although recital 26 of the General Data Protection Regulation also refers to reasonable means—making this, in some ways, more of a formal change than a practical one—there must still be clear parameters on how controllers or processors are to make that judgment. Without those, there may be a danger of controllers and processors avoiding the requirement to comply with rules around personal data by simply claiming they do not have the means to identify living individuals within their resources.
Has the Department undertaken an impact assessment to determine whether the definition could, first, increase subjectivity in what counts as personal data, or secondly, reduce the amount of data classified as personal data? If an assessment identifies such a risk, what steps will the Department take to mitigate that and ensure that citizens are able to exercise their rights as they can under the current definition?
Other stakeholders have raised concerns that the phrase
“at the time of the processing”
in the definition might imply that there is no continuous obligation to consider whether data is personal. Indeed, under the current definition, where personal data is
“any information that relates to an identified or identifiable living individual”,
there is an implied obligation to consider whether an individual is identifiable on an ongoing basis. Rather than assessing the identifiability of a dataset at a fixed point, the controller or processor must keep the categorisation of data that it holds under careful review, taking into account technological developments, such as sophisticated new artificial intelligence or cross-referencing tools. Inserting the phrase
“at the time of the processing”
into this definition has prompted the likes of Which? to express concern that some processors may feel that they are no longer bound by this continuous obligation. That would be particularly worrying given the potential subjectivity of the new definition. If whether an individual is identifiable is based on “reasonable means”, including one’s resources and technology, it is perfectly feasible that, with a change of resources or technology, it could become reasonable to identify a person when once it was not.
My hon. Friend makes an important point, which I will come to later.
In these circumstances, it is crucial that if a person is identifiable through data at any time in the future, the data is legally treated as personal so that the relevant safeguards and rights that GDPR was designed to ensure still apply.
When arguing for increased Secretary of State powers across the Bill, Ministers have frequently cited the need to future-proof the legislation. Given that, we must also consider the need to future-proof the definition of data so that technological advances do not render it useless. Does the new definition involve a continuous obligation to assess whether data is personal? Will guidance be offered to inform both controllers and data subjects on the application of this definition, so that both sides can be clear on how it will work in practice? As 5Rights has pointed out, that could avoid clogging up the regulator’s time with claims about what counts as personal data in many individual cases.
Finally, when determining whether data is personal, it is also vital that controllers take into account how a determined stalker or malicious actor might find and use their data. It is therefore good to see the change made since the first iteration of the Data Protection and Digital Information Bill, to clarify that
“obtaining the information as a result of the processing”
also includes information obtained as a result of inaction by a controller or processor—for example, as the result of a failure to put in place appropriate measures to prevent or reduce the risk of hacking.
Overall, it is important that we give both controllers and data subjects clarity about which data is covered by which protections, and when. I look forward to hearing from the Minister about the concerns that have been raised, which could affect the definition’s ability to allow for that clarity.
I agree absolutely with the hon. Lady that the definition of personal data is central to the regime that we are putting in place. She is absolutely right that we need to be very clear and to provide organisations with clarity about what is within the definition of personal data and what is rightly considered to be anonymous. She asks whether the provision will lead to a reduction in the current level of protection. We do not believe that it will.
Clause 1 builds on the strong foundations used in GDPR recital 26 to clarify when data can be categorised as truly anonymous without creating undue risks. The aim of the provision in the Bill is to clarify when information should be considered to be personal data by including a test for identifiability in the legislation. That improved clarity will help organisations to determine when data can be considered truly anonymous and therefore pose almost no risk to the data subject.
The hon. Lady asked whether
“at the time of the processing”
extends into the future, and the answer is yes. The definition of data processing in the legislation is very broad and includes a lot of processing activities other than just the collection of data, such as alteration, retrieval, storage and disclosure by transmission, to name just a few. The phrase
“at the time of the processing”
could therefore cover a long period, depending on the nature and purpose of the processing. The test would need to be applied afresh for each new act of processing. That means that if at any point in the life cycle of processing, the data could be reasonably re-identified by someone by reasonable means, they would then not be able to legally consider to be anonymous. That includes transferring abroad to other regimes.
The clause makes it clear that a controller will have to consider the likelihood of re-identification at all stages of the processing activity. If a data controller held a dataset for several years, they would need to be mindful of the technologies available during that time that might be used to re-identify it. As the hon. Lady said, technology is advancing very fast and could well change over time from the point at which the data is first collected.
Again, yes, it will. It will be transferred abroad only if we are satisfied that the recipient will impose the same level of protection that we regard as necessary in this country.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Meaning of research and statistical purposes
I beg to move amendment 66, clause 2, page 4, line 8, at end insert—
“(c) do not include processing of personal data relating to children for research carried out as a commercial activity.”
This amendment would exempt children’s data from being used for commercial purposes under the definition of scientific purposes in this clause.
I welcome the recognition of the importance of allowing genuine research and the benefits that can flow from it. Such research may well be dependent on using data and the clause is intended to provide clarity as to exactly how that can be done and in what circumstances.
I will address the amendments immediately. I am grateful to the hon. Member for Barnsley East for setting out her arguments and we understand her concerns. However, I think that the amendments go beyond what the clause proposes and, in addition, I do not think that there is a foundation for those concerns. As we have set out, clause 2 inserts in legislation a definition for processing for scientific research, historical research and statistical purposes. The definition of scientific research purposes is set out as
“any research that can be reasonably described as scientific”
and I am not sure that some of the examples that the hon. Lady gave would meet that definition.
The definitions inserted by the clause are based on the wording in the recitals to the UK GDPR. We are not changing the scope of these definitions, only their status in the legislation. They will already be very familiar to people using them, but setting them out in the Bill will provide more clarity and legal certainty. We have maintained a broad scope as to what is allowed to be included in scientific research, with the view that the regulator can add more nuance and context through guidance, as is currently the case. The power to require codes of practice provides a route for the Secretary of State to require the Information Commissioner to prepare any code of practice that gives guidance on good practice in processing personal data.
There will be situations where non-statutory guidance, which can be produced without being requested under regulations made by the Secretary of State, may be more appropriate than a statutory code of practice. Examples of the types of activity that are considered scientific research and the indicative criteria that a researcher should demonstrate are best placed in non-statutory guidance produced by the Information Commissioner’s Office. That will give flexibility to amend and change the examples when necessary, so I believe that the process does not change the provision. However, putting it in the legislation, rather than in the recitals, will impose stronger safeguards and make things clearer. Once the Bill has come into effect, the Government will continue to work with the ICO to update its already detailed and helpful guidance on the definition of scientific research as necessary.
Amendment 66 would prohibit the use of children’s data for commercial purposes under the definition of scientific research. The definition inserted by clause 2 includes the clarification that processing for scientific research carried out as a commercial activity can be considered processing for scientific research purposes. Parts of the research community asked for that clarification in response to our consultation. It reflects the existing scope, as is already clear from the ICO’s guidance, and we have seen that research by commercial bodies can have immense societal value. For instance, research into vaccines and life-saving treatments is clearly in the public interest. I entirely understand the hon. Lady’s concern for children’s privacy, but we think that her amendment could obstruct important research by commercial organisations, such as research into children’s diseases. I think that the Information Commissioner would make it clear as to whether or not the kind of example that the hon. Lady gave would fall within the definition of research for scientific purposes.
I also entirely understand the concern expressed by my hon. Friend the Member for Folkestone and Hythe. I suspect that the question about the sharing of data internationally, particularly, perhaps, by TikTok, may recur during the course of our debates. As he knows, we would share data internationally only if we were confident that it would still be protected in the same way that it is here, which would include considering the possibility of whether or not it could then be passed on to a third country, such as China.
I hope that I can reassure the hon. Lady that emphasising the safeguards that researchers must comply with in clause 22 to protect individuals relates to all data used for these purposes, including children’s data and the protections afforded to children under the UK GDPR. For those reasons, I hope that she will be willing to withdraw her amendment.
I am disappointed that the Minister does not accept amendment 66. Let me make a couple of brief points about amendment 65. The Minister said that he was not sure whether some of the examples I gave fitted under the definition, and that is what the amendment speaks to. I asked what specific purposes would be ruled out under the letter of the current definition, and that is still not clear, so I will press the amendment to a vote.
Question put, That the amendment be made.
With regard to clause 3, I refer Members to my remarks on clause 2. It is sensible to clarify how controllers and processors conducting scientific research can gain consent where it is not possible to fully identify the full set of uses for that data when it is collected. However, what counts as scientific, and therefore what is covered by the clause, must be properly understood by both data subjects and controllers through proper guidance issued by the ICO.
Clause 4 is largely technical and inserts the recognised definition of consent into part 3 of the Data Protection Act 2018, for use when it is inappropriate to use one of the law enforcement purposes. I will talk about law enforcement processing in more detail when we consider clauses 16, 24 and 26, but I have no problem with the definition in clause 4 and am happy to accept it.
I am grateful to the hon. Lady for her support. I agree with her on the importance of ensuring that the definition of scientific research is clear. That is something on which I have no doubt the ICO will also issue guidance.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Lawfulness of processing
I beg to move amendment 68, in clause 5, page 6, line 37, at end insert—
“7A. The Secretary of State may not make regulations under paragraph 6 unless—
(a) following consultation with such persons as the Secretary of State considers appropriate, the Secretary of State has published an assessment of the impact of the change to be made by the regulations on the rights and freedoms of data and decision subjects (with particular reference to children),
(b) the Commissioner has reviewed the Secretary of State’s statement and published a statement of the Commissioner’s views on whether the change should be made, with reasons, and
(c) the Secretary of State has considered whether to proceed with the change in the light of the Commissioner’s statement.”
This amendment would make the Secretary of State’s ability to amend the conditions in Annex 1 which define “legitimate interests” subject to a requirement for consultation with interested parties and with the Information Commissioner, who would be required to publish their views on any proposed change.
At present, the lawful bases for processing are set out in article 6 of the UK GDPR. At least one of them must apply whenever someone processes personal data. They are consent, contract, legal obligation, vital interests, public task, and legitimate interests. That is where data is being used in ways that we would reasonably expect, there is minimal privacy impact, or there is a compelling justification for processing. Of the existing lawful bases, consent is by far the most relied upon, as it is the most clear. There have therefore been calls for the other lawful bases to be made clearer and easier to use. It is welcome to see some examples of how organisations might rely on the legitimate interests lawful ground brought on to the statute book.
At the moment, in order to qualify for using legitimate interests as grounds for lawful processing, a controller must also complete a balancing test. The balancing test is an important safeguard. As per the ICO, it requires controllers to consider the interests and fundamental rights and freedoms of the individual, and whether they override the legitimate interests that the controller has identified. That means at a minimum considering the nature of the personal data being processed, the reasonable expectations of the individual, the likely impact of processing on the individual, and whether any safeguards can be put in place to mitigate any negative impacts.
As tech.UK mentioned, the introduction of a list of legitimate interests no longer requiring that test is something many have long called for. When conducting processing relating to an emergency, for example, the outcome of a balancing test often very obviously weighs in one direction, making the decision straightforward, and the test itself an administrative task that may slow processing down. It makes sense in such instances that a considered exemption might apply.
However, given the reduction in protection and control for consumers when removing a balancing test, it is vital that a list of exemptions is limited and exhaustive, and that every item on such a list is well consulted on. It is also vital that the new lawful basis cannot be relied upon in bad faith or exploited by those who simply want to process without the burden, for reasons outside of those listed in annex 1. The Bill as it currently stands does not do enough to ensure either of those things, particularly given the Secretary of State’s ability to add to the list on a whim.
I turn to amendment 67. Although it is likely not the intention for the clause to be open to exploitation, Reset.tech, among many others, has shared concerns that controllers may be able to abuse the new lawful basis of “recognised legitimate interests”, stretching the listed items in annex 1 to cover some or all of their processing, and giving themselves flexibility over a wide range of processing without an explicit requirement to consider how that processing affects the rights of data and decision subjects. That is particularly concerning where controllers may be able to conflate different elements of their processing.
Reset.tech and AWO provide a theoretical case study to demonstrate that point. Let us say that there is a gig economy food delivery company that processes a range of data on workers, including minute-by-minute location data. That location data would be used primarily for performance management, but could occasionally be used in more extreme circumstances to detect crime—for example, detecting fraud by workers who are making false claims about how long they waited for an order to be ready for delivery. By exploiting the new recognised legitimate interests basis, the company could conflate its purposes of performance management and detecting crime, and justify the tracking of location data as a whole as being exempt from the balancing test, without having to record or specify exactly which processing is for the detection of crime.
Under the current regime, there remain two tests other than the balancing test that form a complete assessment of legitimate interests and help to prevent conflation of that kind. First, there is the purpose test, which requires the controller to identify which legitimate interest the company is relying upon. Secondly, there is the necessity test, which requires the controller to consider whether the processing that the company intends to conduct is necessary and proportionate to meet its purposes.
In having to conduct those tests, the food delivery company would find it much more difficult to conflate its performance management and crime prevention purposes, as it would have to identify and publicly state exactly which elements of its processing are covered by the legitimate interest purpose of crime prevention. That would make it explicit that any processing the company conducts for the purposes of performance management is not permitted under a recognised legitimate interest, meaning that a lawful basis for that processing would be required separately.
Amendment 67 therefore seeks to ensure that the benefits of the purpose and necessity tests are retained, safeguarding the recognised legitimate interests list from being used to cynically conflate purposes and being exploited more generally. In practice, that would mean that controllers relying on a purpose listed in annex 1 for processing would be required to document and publish a notice that explains exactly which processing the company is conducting under which purpose, and why it is necessary.
It is foundational to the GDPR regime that each act of processing has a purpose, so this requirement should just be formalising and publishing what controllers are already required to consider. The measure that the amendment seeks to introduce should therefore be no extra burden on those already complying in good faith, but should still act as a barrier to those attempting to abuse the new basis.
I turn to amendment 68. As the likes of Which? have argued, any instance of removing the balancing test will inevitably enable controllers to prioritise their interests in processing over the impact on data subjects, resulting in weaker protections for data subjects and weaker consumer control. Which? research, such as that outlined in its report “Control, Alt or Delete? The future of consumer data”, also shows that consumers value control over how their data is collected and used, and that they desire more transparency, rather than less, on how their data is used.
With those two things in mind—the value people place on control of their data and the degradation of that control as a result of removing the balancing test—it is vital that the power to remove the balancing test is used extremely sparingly on carefully considered, limited purposes only. Even for those purposes already included in annex 1, it is unclear exactly what impact assessment took place to ensure that the dangers of removing the test on the rights of citizens did not outweigh the positives of that removal.
It would therefore be helpful if the Minister could outline the assessment and analysis that took place before deciding the items on the list. Although it is sensible to future-proof the list and amend it as needs require, this does not necessarily mean vesting the power to do so in the Secretary of State’s hands, especially when such a power is open to potential abuse. Indeed, to say that the Secretary of State must have regard to the interests and fundamental rights and freedoms of data subjects and children when making amendments to the list is simply not a robust enough protection for citizens. Our laws should not rely on the good nature of the Secretary of State; they must be comprehensive enough to protect us if Ministers begin to act in bad faith.
Further, secondary legislation simply does not offer the scrutiny that the Government claim it does, because it is rarely voted on. Even when it is, if the Government of the day have a majority, defeating such a vote is incredibly rare. For the method of changing the list to be protected from the whims of a bad faith Secretary of State who simply claims to have had regard to people’s rights, proper consultation should be undertaken by the regulator on any amendments before they are considered for parliamentary approval.
This amendment would move the responsibility for judging the impact of changes away from the Secretary of State and place it with the regulator on a yearly basis, ensuring that amendments proceed only if they are deemed, after consultation, to be in the collective societal interest. That means there will be independent assurance that any amendments are not politically or maliciously motivated. This safeguard should not be of concern to anyone prepared to act in good faith, particularly the current Secretary of State, as it would not prevent the progression in Parliament of any amendments that serve the common good. The amendment represents what genuine future-proofing in a way that retains appropriate safeguards looks like, as opposed to what ends up looking like little more than an excuse for a sweeping power grab.
I welcome the hon. Lady’s recognition of the value of setting out a list of legitimate interests to provide clarity, but I think she twice referred to the possibility of the Secretary of State adding to it on a whim. I do not think we would recognise that as a possibility. There is an established procedure, which I would like to go through in responding to the hon. Lady’s concerns. As she knows, one of the key principles of our data protection legislation is that any processing of personal data must be lawful. Processing will be lawful where an individual has given his or her consent, or where another specified lawful ground in article 6 of the UK GDPR applies. This includes where the processing is necessary for legitimate interests pursued by the data controller, providing that those interests are not outweighed by an individual’s privacy rights.
Clause 5 addresses the concerns that have been raised by some organisations about the difficulties in relying on the “legitimate interests” lawful ground, which is used mainly by commercial organisations and other non-public bodies. In order to rely on it, the data controller must identify what their interest is, show that the processing is necessary for their purposes and balance their interests against the privacy right of the data subject. If the rights of the data subject outweigh the interests of the organisation, the processing would not be lawful and the controller would need to identify a different lawful ground. Regulatory guidance strongly recommends that controllers document the outcome of their legitimate interests assessments.
As we have heard, and as the hon. Lady recognises, some organisations have struggled with the part of the legitimate interests assessment that requires them to balance their interests against the rights of individuals, and concern about getting the balancing test wrong—and about regulatory action that might follow as a result—can cause risk aversion. In the worst-case scenario, that could lead to crucial information in the interests of an individual or the public—for example, about safeguarding concerns—not being shared by third-sector and private-sector organisations. That is why we are taking steps in clause 5 and schedule 1 to remove the need to do the balancing test in relation to a narrow range of recognised legitimate activities that are carried out by non-public bodies. Those activities include processing, which is necessary for the purposes of safeguarding national security or defence; responding to emergencies; preventing crimes such as fraud or money laundering; safeguarding vulnerable individuals; and engaging with the public for the purposes of democratic engagement.
As the Committee will be aware, data protection legislation prohibits the use of “special category” data—namely, information about a person that is sensitive in nature—unless certain conditions or exemptions apply. One such exemption is where processing is necessary on grounds of substantial public interest.
Schedule 1 to the Data Protection Act 2018 sets out a number of situations where processing would be permitted on grounds of substantial public interest, subject to certain conditions and safeguards. That includes processing by elected representatives who are acting with the authority of their constituents for the purposes of progressing their casework. The current exemption applies to former Members of the Westminster and devolved Parliaments for four days after a general election—for example, if the MP has been defeated or decides to stand down. That permits them to continue to rely on the exemption for a short time after the election to conclude their parliamentary casework or hand it over to the incoming MP. In practice, however, it can take much longer than that to conclude these matters.
New clause 6 will therefore extend what is sometimes known as the four-day rule to 30 days, which will give outgoing MPs and their colleagues in the devolved Parliaments more time to conclude casework. That could include handing over live cases to the new representative, or considering what records should be retained, stored and deleted. When MPs leave office, there is an onus on them to conclude their casework in a timely manner. However, the sheer volume of their caseload, on top of the other work that needs to be done when leaving office, means that four days is just not enough to conclude all relevant business. The new clause will therefore avoid the unwelcome situation where an outgoing MP who is doing his or her best to conclude constituency casework could be acting unlawfully if they continue to process their constituents’ sensitive data after the four-day time limit has elapsed. Extending the time limit to 30 days will provide a pragmatic solution to help outgoing MPs while ensuring the exemptions cannot be relied on for an indefinite period.
Government amendments 30 and 31 will make identical changes to other parts of the Bill that rely on the same definition of “elected representative”. Government amendment 30 will change the definition of “elected representative” when the term appears in schedule 1. As I mentioned when we debated the previous group of amendments, clause 5 and schedule 1 to the Bill create a new lawful ground for processing non-sensitive personal data, where the processing is necessary for a “recognised legitimate interest”. The processing of personal data by elected representatives for the purposes of democratic engagement is listed as such an interest, along with other processing activities of high public importance, such as crime prevention, safeguarding children, protecting national security and responding to emergencies.
Government amendment 31 will make a similar change to the definition of “elected representative” when the term is used in clause 84. Clauses 83 and 84 give the Secretary of State the power to make regulations to exempt elected representatives from some or all of the direct marketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003. I have no doubt that we will debate the merits of those clauses in more detail later in Committee, but for now it makes sense to ensure that there is a single definition of “elected representative” wherever it appears in the Bill. I hope the hon. Member for Barnsley East and other colleagues will agree that those are sensible suggestions and will support the amendments.
This set of Government provisions will increase the period for which former MPs and elected representatives in the devolved regions can use the democratic engagement purpose for processing. On the face of it, that seems like a sensible provision that allows for a transition period so that data can be deleted, processed, or moved on legally and safely after an election, and the Opposition have a huge amount of sympathy for it.
I will briefly put on record a couple of questions and concerns. The likes of the Ada Lovelace Institute have raised concerns about the inclusion of democratic engagement purposes in schedule 1. They are worried, particularly with the Cambridge Analytica scandal still fresh in people’s minds, that allowing politicians and elected parties to process data for fundraising and marketing without a proper balancing test could result in personal data being abused for political gain. The decision to make processing for the purposes of democratic engagement less transparent and to remove the balancing test that measures the impact of that processing on individual rights may indicate that the Government do not share the concern about political processing. Did the Minister’s Department consider the Cambridge Analytica scandal when drawing up the provisions? Further, what safeguards will be in place to ensure that all data processing done under the new democratic engagement purpose is necessary and is not abused to spread misinformation?
I would only say to the hon. Lady that I have no doubt that we will consider those aspects in great detail when we get to the specific proposals in the Bill, and I shall listen with great interest to my hon. Friend the Member for Folkestone and Hythe, who played an extremely important role in uncovering what went on with Cambridge Analytica.
I think my hon. Friend is right. I have no doubt that we will go into these matters in more detail when we get to those provisions. As the hon. Member for Barnsley East knows, this measure makes a very narrow change to simply extend the existing time limit within which there is protection for elected representatives to conclude casework following a general election. As we will have opportunity in due course to look at the democratic engagement exemption, I hope she will be willing to support these narrow provisions.
I am grateful for the Minister’s reassurance, and we are happy to support them.
One of the key principles in article 5 of the EU GDPR is purpose limitation. The principle aims to ensure that personal data is collected by controllers only for specified, explicit and legitimate purposes. Generally speaking, it ensures that the data is not further processed in a manner that is incompatible with those purposes. If a controller’s purposes change over time, or they want to use data for a new purpose that they did not originally anticipate, they can go ahead only if the new purpose is compatible with the original purpose, they get the individual’s specific consent for the new purpose or they can point to a clear legal provision requiring or allowing the new processing in the public interest.
Specifying the reasons for obtaining data from the outset helps controllers to be accountable for their processing and helps individuals understand how their data is being used and whether they are happy with that, particularly where they are deciding whether to provide consent. Purpose limitation exists so that it is clear why personal data is being collected and what the intention behind using it is.
In any circumstance where we water down this principle, we reduce transparency, we reduce individuals’ ability to understand how their data will be used and, in doing so, we weaken assurances that people’s data will be used in ways that are fair and lawful. We must therefore think clearly about what is included in clause 6 and the associated annex. Indeed, many stakeholders, from Which? to Defend Digital Me, have expressed concern that what is contained in annex 2 could seriously undermine the principle of purpose limitation.
As Reset.tech illustrates, under the current regime, if data collected for a relatively everyday purpose, such as running a small business, is requested by a second controller for the purpose of investigating crime, the small business would need to assess whether this further processing—thereby making a disclosure of the data—was compatible with its original purpose. In many cases, there will be no link between the original and secondary purposes, and there are potential negative consequences for the data subjects. As such, the further processing would be unlawful, as it would breach the principle of purpose limitation.
However, under the new regime, all it would take for the disclosure to be deemed compatible with the original purpose is the second controller stating that it requires the data for processing in the public interest. In essence, this means that, for every item listed in annex 2, there are an increased number of circumstances in which data subjects’ personal information could be used for purposes outside their reasonable expectations. It seems logical, therefore, that whatever is contained in the list is absolutely necessary for the public good and is subject to the highest level of public scrutiny possible.
Instead, the clause gives the Secretary of State new Henry VIII powers to add to the new list of compatible purposes by secondary legislation whenever they wish, with no provisions made for consulting on, scrutinising or assessing the impact of such changes. It is important to remember here that secondary legislation is absolutely not a substitute for parliamentary scrutiny of primary legislation. Delegated legislation, as we have discussed, is rarely voted on, and even when it is, the Government of the day will win such a vote if they have a majority.
If there are other circumstances in which the Government think it should be lawful to carry out further processing beyond the original purpose, those should be in the Bill, rather than being left to Ministers to determine at a later date, avoiding the same level of scrutiny.
The Government’s impact assessment says that clarity on the reuse of data could help to fix the market failure caused by information gaps on how purpose limitation works. Providing such clarity is something we could all get behind. However, by giving the Secretary of State sweeping powers fundamentally to change how purpose limitation operates, the clause goes far beyond increasing clarity.
Improved and updated guidance on how the new rules surrounding reusing data work would be far more fruitful in providing clarity than further deregulation in this instance. If Ministers believe there are things missing from the clause and annex, they should discuss them here and now, rather than opening the back door to making further additions afterwards, and that is what the amendment seeks to ensure.
The clause sets out the conditions under which the reuse of personal data for a new purpose is permitted. As the hon. Lady has said, the clause expands on the purpose limitation principle. That key principle of data protection ensures that an individual’s personal data is reused only in ways they might reasonably expect.
The current provisions in the UK GDPR on personal data reuse are difficult for controllers and individuals to navigate. That has led to uncertainty about when controllers can reuse personal data. The clause addresses the existing uncertainty around reusing personal data by setting out clearly when it is permitted. That includes when personal data is being reused for a very different purpose from that for which it was originally collected—for example, when a company might wish to disclose personal data for crime prevention.
The clause permits reuse of personal data by a controller when the new purpose is “compatible”; they get fresh consent; there is a research purpose; UK GDPR is being complied with, such as for anonymisation or pseudonymisation purposes; there is an objective in the public interest authorised by law; and certain specified objectives in the public interest set out in a limited list in schedule 2 are met. I will speak more about that when we come to the amendment and the debate on schedule 2.
The clause contains a power to add or amend conditions or remove conditions added by regulations from that list to ensure it can be kept up to date with any future developments in how personal data should be reused in the public interest. It also sets out restrictions on reusing personal data that the controller originally collected on the basis of consent.
The Government want to ensure that consent is respected to uphold transparency and maintain high data protection standards. If a person gives consent for their data to be processed for a specific purpose, that purpose should be changed without their consent only in limited situations, such as for certain public interest purposes, if it would be unreasonable to seek fresh consent. That acts as a safeguard to ensure that organisations address the possibility of seeking fresh consent before relying on any exemptions.
The restrictions around consent relate to personal data collected under paragraph 1(a) of article 6 of the UK GDPR, which came into force in May 2018. Therefore, they do not apply to personal data processed on the basis of consent prior to May 2018, when different requirements applied. By simplifying the rules on further processing, the clause will give controllers legal certainty on when they can reuse personal data and give individuals greater transparency. I support the clause standing part of the Bill.
Let me turn to amendment 69, which proposes to remove the power set out in the clause to amend the annex in schedule 2. As I have already said, schedule 2 will insert a new annex in the UK GDPR, which sets out certain specific public interest circumstances where personal data reuse is permitted. The list is strictly limited and exhaustive, so a power is needed to ensure that it is kept up to date with any future developments in how personal data is reused for important public interest purposes. That builds on an existing power in schedule 2 to the Data Protection Act 2018, where there is already the ability to make exceptions to the purpose limitation principle via secondary legislation.
The power in the clause also provides the possibility of narrowing a listed objective if there is evidence of any of the routes not being used appropriately. That includes limiting it, by reference, to the lawful ground of the original processing—for example, to prohibit the reuse of data that was collected on the basis of an individual’s consent.
I would like to reassure the hon. Lady that this power will be used only when necessary and in the public interest. That is why the clause contains a restriction on its use; it may be used only to safeguard an objective listed in article 23 of the UK GDPR. Clause 44 of the Bill also requires that the Secretary of State must consult the commissioner, and any other persons as the Secretary of State considers appropriate, before making any regulations.
On that basis, I hope the hon. Lady will accept that the amendment is unnecessary.
The purpose behind our amendment —this speaks to a number of our amendments—is that we disagree with the amount of power being given to the Secretary of State. For that reason, I would like to continue with my amendment.
Question put, That the amendment be made.
As we have already discussed with clause 6, schedule 2 inserts a new annex into the UK GDPR. It sets out certain specific public interest circumstances in which personal data reuse is permitted regardless of the purpose for which the data was originally collected—for example, when the disclosure of personal data is necessary to safeguard vulnerable individuals. Taken together, clause 6 and schedule 2 will give controllers legal certainty on when they can reuse personal data and give individuals greater transparency.
Amendment 70 concerns taxation purposes, which are included in the list in schedule 2. I reassure the hon. Member for Barnsley East that the exemption for taxation is not new: it has been moved from schedule 2 to the Data Protection Act 2018. Indeed, the specific language in question goes back as far as 1998. We are not aware of any problems caused by that language.
The inclusion in the schedule of
“levied by a public authority”
would likely cause problems, since taxes and duties can be imposed only by law. Some must be assessed or charged by public authorities, but many become payable as a result of a person’s transactions or circumstances, without any intervention needed except to enforce collection if unpaid. They are not technically levied by a public authority. That would therefore lead to uncertainty and confusion about whether processing for certain important taxation purposes would be permitted under the provision.
I hope to reassure the hon. Lady by emphasising that taxation is not included in the annex 1 list of legitimate interests. That means that anyone seeking to use the legitimate interest lawful ground for that purpose would need to carry out a balancing-of-interests test, unless they were responding to a request for information from a public authority or other body with public tasks set out in law. For those reasons, I am afraid I am unable to accept the amendment, and I hope the hon. Lady will withdraw it.
Amendment 71 relates to the first paragraph in new annex 2 to the UK GDPR, as inserted by schedule 2. The purpose of that provision is to clarify that non-public bodies can disclose personal data to other bodies in certain situations to help those bodies to deliver public interest tasks in circumstances in which personal data might have been collected for a different purpose. For example, it might be necessary for a commercial organisation to disclose personal data to a regulator on an inquiry so that that body can carry out its public functions. The provision is tightly formulated and will permit disclosure from one body to another only if the requesting organisation states that it has a public interest task, that it has an appropriate legal basis for processing the data set out in law, and that the use of the data is necessary to safeguard important public policy or other objectives listed in article 23.
I recognise that the amendment is aimed at ensuring that the requesting organisation has a genuine basis for asking for the data, but suggest that changing one verb in the clause from “state” to “confirm” will not make a significant difference. The key point is that non-public bodies will not be expected to hand over personal data on entirely spurious grounds, because of the safeguards that I described. On that basis, I hope the hon. Lady will withdraw her amendment.
I am reassured by what the Minister said about amendment 70 and am happy not to move it, but I am afraid he has not addressed all my concerns in respect of amendment 71, so I will press it to a vote.
Question put, That the amendment be made.
I will speak first to clause 7 and amendment 72. Currently, everyone has the right to ask an organisation whether or not it is using or storing their personal data and to ask for copies of that data. That is called the right of access, and exercising that right is known as making a subject access request. Stakeholders from across the spectrum, including tech companies and civil society organisations, all recognise the value of SARs in helping individuals to understand how and why their data is being used and enabling them to hold controllers to account in processing their data lawfully.
The right of access is key to transparency and often underpins people’s ability to exercise their other rights as data subjects. After all, how is someone to know that their data is being used in an unlawful way, or in a way they would object to, if they are not able to ascertain whether their personal data is being held or processed by any particular organisation? For example, as the TUC highlighted in oral evidence to the Committee, the right of data subjects to make an information access request is a particularly important process for workers and their representatives, as it enables workers to gain access to personal data on them that is held by their employer and aids transparency over how algorithmic management systems operate.
It has pleased many across the board to see the Government roll back on their suggestion of introducing a nominal fee for subject access requests. However, the Bill introduces a new threshold for when controllers are able to charge a reasonable fee, or refuse a subject access request, moving from “manifestly unfounded or excessive” to “vexatious or excessive”. When deciding whether a request is vexatious or excessive, the Bill requires the controller to have regard to the circumstances of the subject access request. That includes, but is not limited to, the nature of the request; the relationship between subject and controller; the resources available to the controller; the extent to which the request repeats a previous request made by the subject; how long ago any previous request was made; and whether the request overlaps with other requests made by the data subject to the controller.
Stakeholders such as the TUC, the Public Law Project and Which? have expressed concerns that, as currently drafted, the terms that make up the new threshold are too subjective and could be open to abuse by controllers who may define any request they do not want to answer as vexatious or excessive. Currently, all there is in the Bill to guide controllers on how to apply the threshold is a non-exhaustive list of considerations; as I raised on Second Reading, if that list is non-exhaustive, what explicit protections will be in place to stop the application of terms such as “vexatious” and “excessive” being stretched and manipulated by controllers who simply do not want to fulfil the requests they do not like?
There are concerns that without further guidance even the considerations listed could be interpreted selfishly by controllers who lack a desire to complete a request. For example, given that many subject access requests come from applicants who are suspicious of how their data is being used, or have cause to believe their data is being misused, there is a high likelihood that the relationship any given applicant has with the controller has previously involved some level of friction and, perhaps, anger. The Bill prompts controllers to consider their relationship with a data subject when determining whether their request is vexatious; what is to stop a controller simply marking any data subject who has shared suspicions as “angry and vexatious”, thereby giving them grounds to refuse a genuine request?
Without clarity on how both the new threshold and the considerations apply, the ability of data subjects to raise a legal complaint about why their request was categorised as vexatious and excessive will be severely impeded. As AWO pointed out in oral evidence, that kind of legal dispute over a subject access request may be only the first stage of court proceedings for an individual, with a further legal case on the contents of the subject access request potentially coming afterwards. There simply should not be such a long timescale and set of legal proceedings in order for a person to exercise their fundamental data rights. Even the Information Commissioner himself, despite saying that he was clear on how the phrases “vexatious” and “excessive” should be applied, mentioned to the Committee that it was right to point out that such phrases were open to numerous interpretations.
The ICO is in a great position to provide clear statutory guidance on the application of the terms, with specific examples of when they do and do not apply, so that only truly bad-natured requests that are designed to exploit the system can be rejected or charged for. Such guidance would provide clarity on the ways in which a request might be considered troublesome but neither vexatious nor excessive. That way, controllers can be sure that they have dismissed, or charged for, only requests that genuinely pass the threshold, and data subjects can be assured that they will still be able to freely access information on how their data is being used, should they genuinely need or want it.
On amendment 73, one consideration that the Bill suggests controllers rely on when deciding whether a request is vexatious or excessive is the “resources available” to them. I assume that consideration is designed to operate in relation to the “excessive” threshold and the ability to charge. For example, when a subject access request would require work far beyond the means of the controller in question, the controller would be able to charge for providing the information needed, to ensure that they do not experience a genuine crisis of resources as a result of the request. However, the Bill does not explicitly express that, meaning the consideration in its vague form could be applied in circumstances beyond that design.
Indeed, if a controller neglected to appoint an appropriate number of staff to the responsibility of responding to subject access requests, despite having the finances and resources to do so, they could manipulate the consideration to say that any request they did not like was excessive, as a result of the limited resources available to respond. As is the case across many parts of the Bill, we cannot have legislation that simply assumes that people will act in good faith; we must instead have legislation that explicitly protects against bad-faith interpretations. The amendment would ensure just that by clarifying that a controller cannot claim that a request is excessive simply because they have neglected to arrange their resources in such a way that makes responding to the request possible.
On amendment 74, as is the case with the definition of personal data in clause 1, where the onus is placed on controllers to decide whether a living individual could reasonably be identified in any dataset, clause 7 again places the power—this time to decide whether a request is vexatious or excessive—in the hands of the controller.
As the ICO notes, transparency around the use of data is fundamentally linked to fairness, and is about being
“clear, open and honest with people from the start about who you are, and how and why you use their personal data”.
If a controller decides, then, that due to a request being vexatious or excessive they cannot provide transparency on how they are processing an individual’s data at that time, the very least they could do, in the interests of upholding fairness, is to provide transparency on their justification for classifying a request in that way. The amendment would allow for just that, by requiring controllers to issue a notice to the data subject explaining the grounds on which their request has been deemed vexatious or excessive and informing them of their rights to make a complaint or seek legal redress.
In oral evidence, the Public Law Project described the Bill’s lack of a requirement for controllers to notify subjects as to why their request has been rejected as a decision that creates an “information asymmetry”. That is particularly concerning given that it is often exactly that kind of information that is needed to access the other rights and safeguards outlined in the Bill and across GDPR. A commitment to transparency, as the amendment would ensure, would not only give data subjects clarity on why their request had been rejected or required payment, but provide accountability for controllers who rely on the clause, and thereby a deterrent from misusing it to reject any requests that they dislike. For controllers, the workload of issuing such notices should surely be less than that of processing a request that is genuinely vexatious and excessive, ensuring that the provision does not counterbalance the benefits brought to controllers through the clause.
Let me start by recognising the importance of of subject access requests. I am aware that some have interpreted the change in the wording for grounds of refusal as a weakening. We do not believe that is the case.
On amendment 72, in our view the new “vexatious or excessive” language in the Bill gives greater clarity than there has previously been. The Government have set out parameters and examples in the Bill that outline how the term “vexatious” should be interpreted within a personal data protection context, to ensure that controllers understand.
I completely agree with my hon. Friend. That is an issue that both he and I regard as very serious, and is perhaps another example of the kind of legal tactic that SLAPPs—strategic lawsuits against public participation—represent, whereby oligarchs can frustrate genuine journalism or investigation. He is absolutely right to emphasise that.
It is important to highlight that controllers can already consider resource when refusing or charging a reasonable fee for a request. The Government do not wish to change that situation. Current ICO guidance sets out that controllers can consider resources as a factor when determining if a request is excessive.
The new parameters are not intended to be reasons for refusal. The Government expect that the new parameters will be considered individually as well as in relation to one another, and a controller should consider which parameters may be relevant when deciding how to respond to a request. For example, when the resource impact of responding would be minimal even if a large amount of information was requested—such as for a large organisation—that should be taken into account. Additionally, the current rights of appeal allow a data subject to contest a refusal and ultimately raise a complaint with the ICO. Those rights will not change with regard to individual rights requests.
Amendment 74 proposes adding more detail on the obligations of a controller who refuses or charges for a request from a data subject. The current legislation sets out that any request from a data subject, including subject access requests, is to be responded to. The Government are retaining that approach and controllers will be expected to demonstrate why the provision applies each time it is relied on. The current ICO guidance sets out those obligations on controllers and the Government do not plan to suggest a move away from that approach.
The clause also states that it is for the controller to show that a request is vexatious or excessive in circumstances where that might be in doubt. Thus, the Government believe that the existing legislation provides the necessary protections. Following the passage of the Bill, the Government will work with the ICO to update guidance on subject access requests, which we believe plays an important role and is the best way to achieve the intended effect of the amendments. For those reasons, I will not accept this group of amendments; I hope that the hon. Member for Barnsley East will be willing to withdraw them.
I turn to clause 7 itself. As I said, the UK’s data protection framework sets out key data subject rights, including the right of access—the right for a person to obtain a copy of their personal data. A subject access request is used when an individual requests their personal data from an organisation. The Government absolutely recognise the importance of the right of access and do not want to restrict that right for reasonable requests.
The existing legislation enables organisations to refuse or charge a reasonable fee for a request when they deem it to be “manifestly unfounded or excessive”. Some organisations, however, struggle to rely on that in cases where it may be appropriate to do so, which as a consequence impacts their ability to respond to reasonable requests.
The clause changes the legislation to allow controllers to refuse or charge a reasonable fee for a request that is “vexatious or excessive”. The clause adds parameters for controllers to consider when relying on the “vexatious or excessive” exemption, such as the nature of the request and the relationship between the data subject and the controller. The clause also includes examples of the types of request that may be vexatious, such as those intended to cause distress, those not made in good faith or those that are an abuse of process.
We believe that the changes will give organisations much-needed clarity over when they can refuse or charge a reasonable fee for a request. That will ensure that controllers can focus on responding to reasonable requests, as well as other important data and organisational needs. I commend the clause to the Committee.
I appreciate that, as the Minister said, the Government do not intend the new terms to be grounds for refusal, but his remarks do not reassure me that that will not be the case. Furthermore, as I said on moving the amendment, stakeholders such as the TUC, Public Law and Which? have all expressed concern that, as drafted, those terms are too subjective. I will press the amendment to a vote.
Question put, That the amendment be made.
I expressed my thoughts on the value and importance of subject access requests when we debated clause 7, and most of the same views remain pertinent here. Clause 8 allows for subject access requests to be extended where the nature of the request is complex, or due to volume. Some civil society groups, including Reset.tech, have expressed concern that that could mean that requests are unduly delayed for months, reflecting concern that they could be disregarded altogether, which was discussed when we debated clause 7. With that in mind, can the Minister tell us what protections will be in place to ensure that data controllers do not abuse the new ability to extend subject access requests, particularly by using the excuse that it is a large amount of data, in order to delay requests that they simply do not wish to respond to?
The clause provides some clarity on clause 7 by demonstrating that just because a request is lengthy or comes in combination with many others, it is not necessarily excessive as the clause gives controllers the option to extend the timeframe for dealing with requests that are high in volume. Of course, we do not want to unnecessarily delay requests, but allowing controllers to manage their load within a reasonable extended timeframe can act as a safeguard against their automatically relying on the “excessive” threshold. With that in mind, I am happy for the clause to stand part. However, I reiterate that my comments on clause 7 should be referred to.
May I briefly respond to the hon. Lady’s comments? I assure her that controllers will not be able to stop the clock for all subject access requests—only for those where they reasonably require further information to be able to proceed with responding. Once that information has been received from a data subject, the clock resumes and the controller must proceed with responding to the request within the applicable time period, which is usually one month from when the controller receives the request information. A data subject who has provided the requested information would also be able to complain to a controller, and ultimately to the Information Commissioner’s Office, if they feel that their request has not been processed within the appropriate time. I hope the hon. Lady will be assured that there are safeguards to ensure that this power is not abused.
Question put and agreed to.
Clause 8 accordingly ordered to stand part of the Bill.
Clause 9
Information to be provided to data subjects
Question proposed, That the clause stand part of the Bill.
Clause 9 provides researchers, archivists and those processing personal data for statistical purposes with a new exemption from providing certain information to individuals when they are reusing datasets for a different purpose, which will help to ensure that important research can continue unimpeded. The new exemption will apply when the data was collected directly from the individual, and can be used only when providing the additional information would involve a disproportionate effort. There is already an exemption from this requirement where the personal data was collected from a different source.
The clause also adds a non-exhaustive list of examples of factors that may constitute a disproportionate effort. This list is added to both the new exemption in article 13 and the existing exemption found in article 14. Articles 13 and 14 of the UK GDPR set out the information that must be provided to data subjects at the point of data collection: article 13 covers circumstances where data is directly collected from data subjects, and article 14 covers circumstances where personal data is collected indirectly—for example, via another organisation. The information that controllers must provide to individuals includes details such as the identity and contact details of the controller, the purposes of the processing and the lawful basis for processing the data.
Given the long-term nature of research, it is not always possible to meaningfully recontact individuals. Therefore, applying a disproportionate effort exemption addresses the specific problem of researchers wishing to reuse data collected directly from an individual. The exemption will help ensure that important research can continue unimpeded. The clause also makes some minor changes to article 14. Those do not amend the scope of the exemption or affect its operation, but make it easier to understand.
I now turn to clause 10, which introduces an exemption relating to legally professionally privileged data into the law enforcement regime, mirroring the existing exemptions under the UK GDPR and the intelligence services regime. As a fundamental principle of our legal system, legal professional privilege protects confidential communications between professional legal advisers and their clients. The existing exemption in the UK GDPR restricts an individual’s right to access personal data that is being processed or held by an organisation, and to receive certain information about that processing.
However, in the absence of an explicit exemption, organisations processing data under the law enforcement regime, for a law enforcement purpose rather than under the UK GDPR, must rely on ad hoc restrictions in the Data Protection Act. Those require them to evaluate and justify its use on a case-by-case basis, even where legal professional privilege is clearly applicable. The new exemption will make it simpler for organisations that process data for a law enforcement purpose to exempt legally privileged information, avoiding the need to justify the use of alternative exemptions. It will also clarify when such information can be withheld from the individual.
Hon. Members might wonder why an exemption for legal professional privilege was not included under the law enforcement regime of the Data Protection Act in the first place. The reason is that we faithfully transposed the EU law enforcement directive, which did not contain such an exemption. Following our exit from the EU, we are taking this opportunity to align better the UK GDPR and the law enforcement regime, thereby simplifying the obligations for organisations and clarifying the rules for individuals.
The impact of clause 9 and the concerns around it should primarily be understood in relation to the definition contained in clause 2, so I refer hon. Members to my remarks in the debate on clause 2. I also refer them to my remarks on purpose limitation in clause 6. To reiterate both in combination, I should say that purpose limitation exists so that it is clear why personal data is being collected, and what the intention is behind its use. That means that people’s data should not largely be reused in ways not initially collected for, unless a new legal basis is obtained.
It is understandable that, where genuine scientific, historical and statistical research is occurring, and there is disproportionate effort to provide the information required to data subjects, there may be a need for exemption and to reuse data without informing the subject. However, that must be done only where strictly necessary. We must be clear that, unless there are proper boundaries to the definition of scientific data, this could be interpreted far too loosely.
I am concerned that, without amendment to clause 2, clause 9 could extend the problem of scientific research being used as a guise for using people’s personal data in malicious or pseudoscientific ways. Will the Minister tell us what protections will be in place to ensure that people’s data is not reused on scientific grounds for something that they would otherwise have objected to?
On clause 10, I will speak more broadly on law enforcement processing later in the Bill, but it is good to have clarity on the legal professional privilege exemptions. I have no further comments at this stage.
What we are basically doing is changing the rights of individuals, who would previously have known when their data was used for a purpose other than that for which it was collected. The terms
“scientific or historical research, the purposes of archiving in the public interest or statistical purposes”
are very vague, and, according to the Public Law Project, open to wide interpretation. Scientific research is defined as
“any research that can reasonably described as scientific, whether publicly or privately funded”.
I ask the Minister: what protections are in place to ensure that private companies are not given, through this clause, a carte blanche to use personal data for the purpose of developing new products, without the need to inform the data subject?
(1 year, 6 months ago)
Public Bill CommitteesQ
Neil Ross: Smart data is potentially a very powerful tool for increasing consumer choice, lowering prices and giving people access to a much broader range of services. The smart data provisions that the Government have introduced, as well as the Smart Data Council that they are leading, are really welcome. However, we need to go one step further and start to give people and industries clarity around where the Government will look first, in terms of what kind of smart data provisions they might look at and what kind of sectors they might go into. Ultimately, we need to make sure that businesses are well consulted and that there is a strong cost-benefit analysis. We then need to move ahead with the key sectors that we want to push forward on. Similarly to on nuisance calls, we will send some suggested text to the Committee to add those bits in, but it is a really welcome step forward.
(1 year, 6 months ago)
Public Bill CommitteesQ
Jonathan Sellors: I think it is a thoroughly useful clarification of what constitutes research. It is essentially welcome, because it was not entirely clear under the provisions of the General Data Protection Regulation what the parameters of research were, so this is a helpful clarification.
Tom Schumacher: I completely concur: it is very useful. I would say that a couple of things really stand out. One is that it makes it clear that private industry and other companies can participate in research. That is really important, particularly for a company like Medtronic because, in order to bring our products through to help patients, we need to conduct research, have real-world data and be able to present that to regulators for approval. It will be extremely helpful to have that broader definition.
The other component of the definition that is quite helpful is that it makes it explicit that technology development and other applied research constitutes research. I know there is a lot of administrative churn trying to figure out what constitutes research and what does not, and I think this is a really helpful piece of clarification.
Q
Tom Schumacher: Maybe I can give an example. One of the businesses we purchased is a business based in the UK called Digital Surgery. It uses inter-body videos to try to improve the surgery process and create technologies to aid surgeons in prevention and care. One of the challenges has been, to what extent is the use of surgery videos to create artificial intelligence and a better outcome for patient research? Ultimately, it was often the case that a particular site or hospital would agree, but it created a lot of churn, activity and work back and forth to explain exactly what was to be done. I think this will make it much clearer and easier for a hospital to say, “We understand this is an appropriate research use” and to be in a position to share that data according to all the protections that the GDPR provides around securing and de-identifying the data and so on.
Jonathan Sellors: I think our access test, which we apply to all our 35,000 users, is to ensure they are bona fide researchers conducting health-related research in the public interest. We quite often get asked whether the research they are planning to conduct is legitimate research. For example, a lot of genetic research, rather than being based on a particular hypothesis, is hypothesis-generating—they look at the data first and then decide what they want to investigate. This definition definitely helps clear up quite a few—not major, but minor—confusions that we have. They arise quite regularly, so I think it is a thoroughly helpful development to be able to point to something with this sort of clarity.
Q
Phillip Mind: Clauses 62 and 64 make provision for the Secretary of State and Treasury to consult on smart data schemes. We think that those provisions could be strengthened. We see a need for impact assessments, cost-benefit analysis and full consultation. The Bill already allows for a post-implementation review, and we would advise that too.
Harry Weber-Brown: I think the other one to call out is the pensions dashboard, which has been driven out of the Money and Pensions Service. Although it has not actually launched yet, it has brought the life assurance industry on the site to develop free access to information. The consumer can see all their pensions holdings in a single place, which will then help them to make better financial decisions.
I think my former employer, the Investing and Saving Alliance, was working on an open savings, investments and pensions scheme. Obviously, that is not mandatory, but this is where the provision for secondary legislation is absolutely imperative to ensure that you get a wide scope of firms utilising this. At the moment, it is optional, but firms are still lining up and wanting to use it. There is a commitment within the financial services industry to do this, but having the legislation in place—secondary legislation, in particular—will ensure that they all do it to the same standards, both technical and data, and have a trust framework that wraps around it. That is why it is so imperative to have smart data.
Q
Harry Weber-Brown: In part 2 or part 3 of the Bill? The digital verification services or smart data?
Q
Keith Rosser: From that 70,000 example, we have not seen evidence yet that public trust has been negatively impacted. There are some very important provisions in the Bill that have to go a long way to assuring that. One is the creation of a governance body, which we think is hugely important. There has to be a monitoring of standards within the market. It also introduces the idea of certifying companies in the market. That is key, because in this market right now 30% of DVSs—nearly one in three companies—are not certified. The provision to introduce certification is another big, important move forward.
We also found, through a survey, that we had about 25% fewer objections when a user, company or employer was working with a certified company. Those are two really important points. In terms of the provision on improving the fraud response, we think there is a real opportunity to improve what DVSs do to tackle fraud, which I will probably talk about later.
Q
Keith Rosser: I have every reason to believe that organisations not certified will not be meeting anywhere near the standards that they should be meeting under a certified scheme. That appears really clear. They certainly will not be doing as much as they need to do to tackle fraud.
My caveat here is that across the entire market, even the certified market, I think that there is a real need for us to do more to make sure that those companies are doing far more to tackle fraud, share data and work with Government. I would say that uncertified is a greater risk, certainly, but even with certified companies we must do more to make sure that they are pushed to meet the highest possible standards.
Q
Helen Hitching: Yes, it will aid it. Again, it brings in the ability to put the data protection framework on the same level, so we can share data in an easier fashion and make it less complex.
Q
Helen Hitching: The agency does not believe that those safeguards will be lowered. We will still not be able to share data internationally with countries that do not have the same standards that are met by the UK. It will provide greater clarity about which regimes should be used and at which point. The standards will not reduce.
Q
Mary Towers: The right to a data subject access request—again, like the DPIAs—is an absolutely crucial tool for trade unions in terms of establishing transparency over how their data is being used. Really, it provides a route for workers and unions to get information about what is going on in the workplace, how technologies operate and how they are operating in relation to individuals. It is an vital tool for trade unions.
What we are concerned about is that the new test specified in the Bill will provide employers with very broad discretion to decide when they do not have to comply with a data subject access request. The use of the term “vexatious or excessive” is a potential barrier to providing the right to an access request and provides employers with a lot of scope to say, for example, “Well, look, you have made a request several times. Now, we are going to say no.” However, there may be perfectly valid reasons why a worker might make several data subject access requests in a row. One set of information that is revealed may then lead a worker to conclude that they need to make a different type of access request.
We say that it is really vital to preserve and protect the right for workers to access information. Transparency as a principle is something that, again, goes to really important issues. For example, if there is discriminatory operation of a technology at work, how does a worker get information about that technology and about how the algorithm is operating? Data subject access requests are a key way of doing that.
Q
Andrew Pakes: “If we get this right” is doing a lot of heavy lifting there; I will leave it to Members to decide the balance. That should be the goal. There is a wonderful phrase from the Swedish trade union movement that I have cited before: “Workers should not be scared of the new machines; they should be scared of the old ones.” There are no jobs, there is no prosperity and there is no future for the kind of society that our members want Britain to be that does not involve innovation and the use of new technology.
The speed at which technology is now changing and the power of this technology compared with previous periods of economic change make us believe that there has to be a good, robust discussion about the balances of checks and balances in the process. We have seen in larger society—whether through A-level results, the Post Office or other things—that the detriment is significant on the individuals impacted if legislators get that balance wrong. I agree with the big principle and I will leave you to debate that, but we would certainly urge that checks and balances need to be balanced, not one-sided.
Mary Towers: Why does respect for fundamental rights have to be in direct conflict with growth and innovation? There is not necessarily any conflict there. Indeed, in a workplace where people are respected, have dignity at work and are working in a healthy way, that can only be beneficial for productivity and growth.