Data Protection Bill [ Lords ] (First sitting) Debate
Full Debate: Read Full DebateLiam Byrne
Main Page: Liam Byrne (Labour - Birmingham Hodge Hill and Solihull North)Department Debates - View all Liam Byrne's debates with the Department for Digital, Culture, Media & Sport
(6 years, 8 months ago)
Public Bill CommitteesIt is a pleasure to serve under your chairmanship, Mr Hanson. Clause 1 is a signposting overview of the Bill. It is not intended to have any effect other than to help us to navigate such a large Bill; I trust that hon. Members agree that it achieves its purpose.
It is a pleasure to serve under your chairmanship, Mr Hanson. Looking around the Committee Room, I see that you have an extremely unruly bunch of hon. Members to police in the next couple of weeks, but I know that you will do so with skill and care.
The Opposition do not wish to object to clause 1, which is basically the foundation stone of the Bill. We wish only to underline the Bill’s peculiarity in that it seeks to incorporate a piece of European legislation into British law without actually reproducing the legislation in question. Throughout the debate, we will hear references to the general data protection regulation—GDPR—a text that appears nowhere in the Bill. I hope that over the coming weeks the Committee will therefore focus on a series of principles for data protection. The Opposition will move amendments to enshrine those principles more firmly into our law. Beyond that, I have no objections to this foundation stone of the Bill.
Question put and agreed to.
Clause 1 accordingly agreed to.
Clause 2
Protection of personal data
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss new clause 12— Right to protection of personal data—
“(1) A person (“P”) has the right to protection of personal data concerning him or her.
(2) Personal data must be processed fairly for specified purposes as set out in the GDPR, and in accordance with the provisions, exceptions and derogations of this Act; and on the basis of the consent of P or some other legitimate basis.
(3) The Information Commissioner shall be responsible for ensuring compliance with the rights contained within this section.”
This new clause would incorporate Article 8 of the Charter of Fundamental Rights of the European Union (Protection of personal data) into the Bill.
New clause 12, which I tabled with other Opposition members of the Committee, seeks to achieve something very simple: to incorporate article 8 of the EU charter of fundamental rights into British law. It is beyond dispute that both sides of the House share the objective of ensuring friction-free trade with our neighbour, the European Union, over the years to come. The role of this Bill in enabling that trade is of fundamental significance. Something like 70% of our exports of goods and services rely on the smooth transfer of data, and we know that the European data economy will be worth something like £643 billion by 2020. Despite all the efforts of the Secretary of State for International Trade, the reality is that the EU data economy, sitting next door to us, remains one of the most important, if not the most important, global markets from which we should aspire to profit over the years to come.
One of the great risks of Brexit is that technology firms will relocate, which is already beginning to take place. Many such firms will choose to headquarter in the Republic of Ireland. It is therefore in everybody’s interest that our trade and data protection regimes allow the smooth export of digitally enabled services. I hope that is not a contentious point.
In new clause 12, we propose to incorporate into British law what is, in effect, at the cutting edge of global data protection measures. It is not a trivial or frivolous new clause. Her Majesty’s Opposition did not make it up; it was crafted with techUK—an organisation that represents 950 companies, which employ something like 800,000 people and make up about half of the UK tech industry. When techUK proposes a fundamental measure of reform, it is important that we listen.
When we leave the European Union, we will need to agree with it an adequacy agreement by which it recognises the data protection regime in this country as adequate and therefore indicates that it is permissible for us to share data across the continental borders. The question, therefore, is how do we put that adequacy agreement beyond any doubt, not just for the immediate years after Brexit but for the decades to come? We know that trade will be fundamental to the health and wellbeing of our economy over many, many years. Let us put the data sharing regime between us and the European Union beyond doubt, not just for the short term but for the long term. Failure to get an adequacy agreement could arguably be fatal to the British economy. We simply cannot consider a shred of risk to that adequacy agreement. I hope that, having looked at this amendment and appreciated some of the refinements we made in the other place, the Government will decide that they will not put dogma in the way of agreeing to it. It is too important to leave to doubt.
In the debate on clause 1, I said that this principle was all the more important, because right hon. and hon. Members are being asked to agree to a Bill that does not feature the GDPR, which it seeks to incorporate into British law. Hon. Members can look it up if they like, but the Government have not set it out in a schedule or anywhere else. The fact that the Bill does not include the GDPR makes it all the more important that the House agrees a series of principles that are good now and for the future. Principles are paramount, and in this Bill the principle of privacy is first among equals.
The question of privacy is not disputed. It is a principle that has been agreed by our own Supreme Court in a recent case that was brought by the right hon. Member for Haltemprice and Howden (Mr Davis), who is now the Secretary of State for Brexit. Together with my hon. Friend the Member for West Bromwich East (Tom Watson), he brought the case of David Davis and others v. Secretary of State for the Home Department to the High Court, which confirmed the right of privacy in this country. This is not something that is necessarily party political; this is something on which there is strong cross-party consensus. These principles will become all the more important as the EU (Withdrawal) Bill is given effect because the Bill has thousands of ideas and proposals but kills off only one piece of legislation: the EU charter of fundamental rights.
A British tradition helped shape the EU charter of fundamental rights. We are the country of the Magna Carta and we are the country that helped craft the European convention on human rights after world war two to ensure there was never a return to the horrors of the 1930s and 1940s. Our lawyers played a fundamental role in shaping the EU charter of fundamental rights, but now, in the EU (Withdrawal) Bill, the Government decide to kill off the whole thing.
In killing off the whole thing, and in particular article 8—the fundamental foundational right to privacy—we create a new risk to keeping in lockstep the data protection regime in this country and the data protection regime in the European Union. If we bring that into doubt, we jeopardise an adequacy agreement for the future. I fear that, by setting their face against this new clause 12, the Government are, in some way and for some reason, trying to preserve the illusion of harmony between our regime and the regime of the European Union in order to camouflage the flexibility that might allow it to depart from regulatory harmonisation in the years to come. To coin a phrase, they are trying to have their cake and eat it.
That is not a reasonable position. The Minister will reassure us that that is not the intention of Her Majesty’s Government today. No doubt, she will tell us there is no will to try and win a race to the bottom in the data protection regime and many of us may be sympathetic to her position, as she is quite famously a reasonable Minister. However, the Tory party is not a stable place and the worry on all parts is not only how long the Minister will enjoy her office but what will come after her and what Government will come after this Government. There will be Governments of many colours over the course of the next 70 or 80 years and in this Committee we do not want to risk leaving unfettered a future Government who may take a less reasonable position than the famously reasonable Minister. That is why we want to move the incorporation of article 8 into British law.
We currently have a Bill without a data protection instrument and without clear data protection principles. That is a high-risk situation when, today, we have a low-risk regime. Nobody is particularly troubled by the current privacy regimes; we have been operating under article 8 of the EU charter of fundamental rights for some time and, certainly, no arguments I have heard suggest that it is troublesome in any way. What is wrong with continuing with it?
When we first crafted this new clause, there were some issues to which we were alert. A number of noble peers expressed a concern that we were creating too absolutist a right, a right without balancing test and provisions. That has been corrected in the new clause presented to this Committee today. We would therefore like to press it to a vote, as we want to ensure this fundamental right is part and parcel of British law for the years to come. It de-risks an adequacy agreement for data protection for the future. We have enjoyed the provisions of article 8 for some years, and there is no reason to suggest that they may be more troublesome in the years ahead. We do not think the Government want to depart from a harmonisation of regulations in this area over the years to come so the flexibility that this Bill currently offers will not be taken up. Let us put the matter beyond dispute and beyond doubt and let us incorporate article 8 into the Bill.
I remind Members—particularly new Members—that new clause 12 is being debated now, but will not be voted on, if Members wish to have a vote, until we have completed consideration of the Bill. Today’s debate is on clause 2 and new clause 12, but the vote on the new clause will come later.
I thank speakers for their thoughtful contributions. I share many of their concerns, as do the Government, particularly with regard to adequacy, which I will talk about in more detail. I think we are all agreed that after Britain leaves the European Union we must be able to negotiate an adequacy agreement for the free flow of data between us and the EU. That is absolutely essential.
First, the GDPR implements the right to data protection and more. It is limited in scope, but the Bill also implements data protection rights on four areas beyond GDPR. It applies GDPR standards to personal data beyond EU competence, such as personal data processed for consular purposes or national security. Secondly, the Bill applies the standards to non-computerised and unstructured records held by public authorities that the GDPR ignores. Thirdly, the Bill regulates data processed for law enforcement purposes. Fourthly, it covers data processed by the intelligence services.
There is no doubt in our minds that we have fully implemented the right to data protection in our law and gone further. Clause 2 is designed to provide additional reassurance. Not only will that be clear in the substance of the legislation, but it is on the face of the Bill. The Bill exists to protect individuals with regard to the processing of all personal data. I think this is common ground. We share Opposition Members’ concern for the protection of personal data. It must be processed lawfully, individuals have rights, and the Information Commissioner will enforce them.
New clause 12 creates a new and free-standing right, which is the source of our concern. Subsection (1) is not framed in the context of the Bill. It is a wider right, not constrained by the context of EU law. However, the main problem is that it is not necessary. It is not that we disagree with the thinking behind it, but it is not necessary and might have unforeseen consequences, which I will come to.
Article 6 of the treaty on European Union makes it clear that due regard must be had to the explanations of the charter when interpreting and applying the European charter of fundamental rights. The explanations to article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection. The Government have absolutely no plans to withdraw from the European Court of Human Rights.
The new right in new clause 12 would create confusion if it had to be interpreted by a court. For rights set out in the Human Rights Act, there is a framework within which to operate. The Human Rights Act sets out the effect of a finding incompatible with rights. However, new clause 12 says nothing about the consequences of potential incompatibility with this new right to the protection of personal data.
The Minister is rehearsing the argument that was made in the other place before the requirements that we put into our amendments. She can see as well as me that the new clause was rewritten so that, under subsection (2), it is to be interpreted only
“in accordance with the provisions, exceptions and derogations of this Act;”.
So the idea that we are creating some kind of new and unfettered right is nonsense. We had this debate in the other place. We made refinements and they have been presented in the new clause.
If there is no dispute about the importance of adequacy and of putting it beyond risk, what is the problem with putting the question beyond doubt and dispute and incorporating the same foundation that is enjoyed in the European Union into British law?
New clause 12 takes article 8 of the charter outside that context and creates a free-standing right. That is the potential for confusion. New clause 12 says nothing about the consequences of incompatibility with the new right to the protection of personal data. That would create, legal, regulatory and economic uncertainty. We are endeavouring not just to ensure adequacy after we leave the European Union, but to go beyond the mere requirement for adequacy, as the Prime Minister set out in her speech almost two weeks ago.
Further, how would the courts approach other legislation in the light of this new right? One has to ask how they would approach other rights. Could this new right be balanced against other rights?
It is not a new right; it is a roll-over of an existing right. I have not heard of a case prosecuted in British courts where there was a problem with balancing the right that we currently enjoy with anything else. We simply seek to roll this right over into the future.
That brings me on to my other point: not only does this roll-over, as the right hon. Gentleman puts it, threaten to create confusion and undermine other rights, but it is unnecessary. The charter of fundamental rights merely catalogues rights that already exist in EU law; it is not the source of those rights. The rights, including to data protection, which is, importantly, what we are here to debate, arise from treaties, EU legislation and case law. They do not arise from the European charter of fundamental rights, so we argue that the new clause is completely unnecessary.
The European Union (Withdrawal) Bill fully protects the rights to data protection in our law. As I said earlier, we are seeking not only adequacy after Brexit, but a continuing role in conjunction with the bodies in Europe that govern the GDPR, with the idea that we continue to contribute our expertise and benefit from theirs.
I am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.
First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.
Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.
As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.
The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?
The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.
I have a copy of the general data protection regulation here. Recital 1 on the first page states:
“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union—”.
Is it not the case, to use some imagery here, that at the moment the GDPR is built on a foundation as on page one of this fundamental right in the same way as a house is built on strong foundations? Are we now not seeking to build the same house but without the foundations? Does this risk us sinking our decision on adequacy?
My hon. Friend is right. He speaks with tremendous knowledge on this particular subject. There is a real risk that one of our most important industries will have its foundations wrecked by the inadequacies of this piece of legislation. There is no risk of confusion, there is no creation of a new and unchecked, unfettered right. We can draw no comfort from the EU (Withdrawal) Bill. There is a great risk of regulatory confusion and divergence over the years to come. I simply cannot understand why the Government would seek to put dogma and not the future protection of the British technology industry first.
This is not a trivial or frivolous issue; it has been put forward by the industry association representing half of technology jobs in this country. I hope that the Committee is persuaded by these arguments. We will seek to prosecute these arguments in a vote, at your discretion, Mr Hanson, but I hope that before we get to that point, the Government will see sense and accept the amendment.
As I said, the vote on new clause 12, should there be one, will take place at a later date.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
Clause 3
Terms relating to the processing of personal data
Clause 7 defines the meaning of “public authority” for the purposes of the GDPR. Generally speaking, “public authority” will have the same meaning as the definition used in the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002. Those Acts list a wide range of public authorities, including Departments, local authorities and NHS bodies. As the new legislation beds in, the list of authorities imported from those Acts may need to be adapted to function properly in a data protection setting rather than a freedom of information setting. Clause 7(1) therefore allows the Secretary of State to specify in regulations that additional bodies are public authorities for the purposes of data protection legislation. Conversely, subsection (3) allows the Secretary of State to specify that certain bodies are not to be treated as public authorities, even if they are defined as such for the purposes of freedom of information legislation.
Amendments 7 and 8 clarify that the Secretary of State may describe bodies that are or are not public authorities in addition to specifying them. They are technical amendments designed to improve the terminology used in relation to the Secretary of State’s regulation-making powers. Amendments 18 and 19 make corresponding provisions in relation to part 3 of the Bill.
Amendment 62 is designed to ensure that regulations made under clause 7 will not be considered as hybrid instruments. Regulations made under the clause are already subject to the affirmative resolution procedure, and the general duty to consult before making regulations, which is set out in clause 179, also applies. In this setting, the hybrid procedure would add nothing but bureaucracy.
The amendments look like tidying-up amendments, but it would help if the Minister put on the record the extent to which they will allow the Bill to bite effectively on the nation’s schools. Obviously, schools collect a great deal of data. They often hold not only exam data but data relating to eligibility for free school meals, and most schools operate systems such as ParentPay, which means that they capture children’s biometrics. Anything to do with the protection of children’s data has to be treated incredibly seriously. The school system in this country has been balkanised—often, academies are set up as private sector entities in complex chains and have problematic governance arrangements—so I think we would all benefit from the Minister saying a few words about the Bill’s bite on schools, academies and colleges. Will she also say a little more about her plans to ensure that there are statutory codes of practice to which everyone who provides education services must adhere?
I thank the right hon. Gentleman for his comments. Obviously, we share his concern about the protection of children. He cites important and highly sensitive personal data such as biometrics. Schools, like all bodies, must have a legal basis—the public interest or the normal course of their business—for processing personal data.
The right hon. Gentleman raises safeguarding. Later in our deliberations, my hon. Friend the Under-Secretary of State for the Home Department will introduce Government amendments to strengthen the safeguarding aspects of the processing of personal data. Schools are public authorities, and GDPR protections intended for authorities will apply, as I said. Schedule 3 provides further and specific protection on the points that he raises.
Will the Minister set on the record explicitly the fact that academies are covered in the same way as schools? An academy may be set up by a private sector organisation, set up as a charitable body, or set up in a way that is outwith the formal education system. Ofsted has raised concerns about unregulated schools, for example. Can she confirm whether organisations that provide education services—whether they are academies, charities or local education authority schools—are governed by the codes? Crucially, can she confirm that she will publish the code of practice?
I certainly can confirm that the schools that the right hon. Gentleman has cited—academies run by private sector organisations and/or charities—are public authorities for the purposes of the Bill, and will be subject to the same protections.
Question put and agreed to.
Amendment made: 8, in clause 7, page 5, line 13, after “specified” insert “or described”.—(Margot James.)
See the explanatory statement for Amendment 7.
Clause 7, as amended, ordered to stand part of the Bill.
Clause 8
Lawfulness of processing: public interest etc
It is a pleasure to serve under your chairmanship, Mr Hanson. I shall begin by declaring an interest: I chair the all-party parliamentary group on data analytics, the secretariat to which is provided by Policy Connect. In that capacity, I have had the pleasure of having many discussions about GDPR with experts over the past couple of years. I reflect on what a very good process it is that British parliamentarians in the European Parliament are able to intervene on such matters at early stages, to make sure that when the legislation finally comes to us it already has our slant on it. That may not be possible in future when we come to discuss such legislation.
I represent a university city, so research is a key part of what we do. It is on that basis that I tabled the amendments, and I am grateful to the Wellcome Trust and the Sanger Institute, which have given me advice on how the amendments would help them by providing certainty for the work that they do. The purpose of amendment 141 is to ensure that university researchers and public bodies with a research function are able to use what is called the “task in the public interest” lawful basis for processing personal data, where consent is not a viable lawful basis. I apologise for going into some detail, but it is important for universities and researchers that there is clarity.
As the Bill is drafted, clause 8 provides a definition of lawfulness of processing personal data under GDPR article 6(1)(e). Subsections (a) to (d) of clause 8 set out a narrow list of activities that could be included in the scope of public interest. I am told that that list is imported from schedule 2(5) of the Data Protection Act 1998, but I am also told that the drafters have omitted a version of the final and most general sub-paragraph from that list, which reads:
“for the exercise of any other functions of a public nature exercised in the public interest by any person.”
It is speculated that that may have been taken out of the list to tighten up, and to avoid a tautology in defining, “public interest”, but the worry is that taking it out has made the clause too restrictive. The explanatory notes indicate that the list in clause 8—that is, subsections (a) to (d)—is not intended to be exhaustive, but the Wellcome Trust and the Sanger Institute worry that it has narrowed the public interest terminology to a very narrow concept, which will be confined to public and judicial administration.
There was a very lengthy and very good debate in the other place on this matter. One of our universities’ main functions is to undertake research that will often involve processing personal data. In some cases, GDPR compliant consent, which may seem the obvious way of doing it, will not be the most appropriate lawful basis on which to process that data. It is therefore really important that an article 6 lawful basis for processing is available to university researchers with certainty and clarity.
The Government have included reference to medical research purposes in the explanatory notes, but the worry is that that does not necessarily have weight in law and the reference excludes many other types of research that are rightly conducted by universities. This is not a satisfactory resolution to the problems that are faced.
The amendment tries to enable research functions to be conducted by public bodies such as universities without doing what the Government fear, which is to broaden the definition of “public interest” too far. The wording retains the structure of the DPA list, from which the current clauses were imported, but it narrows it down in two ways. It specifies the purpose of processing, that is, research functions, which must be the reason for the processing and specifies who is doing the processing—the basis of it only being available to public bodies, as defined in the previous clause.
We are aware that the Government are worried about adding further subsections to the list. I think they said that it could open the floodgates in some way. However, I am told that there is not really any evidence to suggest that the current wording of paragraph 5 of schedule 2 of the Data Protection Act, which has a very broad notion of public interest, has in any way “opened the floodgates”. To give some sense of the concerns that have arisen, the processes by which university researchers seek permission to do things are quite complicated. Some of the bodies have already issued guidance. I am told that the Health Research Authority issued guidance on GDPR before Christmas. It advised that a clause on using legitimate interests should be included in the Bill.
There is confusion in the research sector, and there is a wider worry that if this is not clear, it is open to legal challenge. While some institutions will be able to take that risk, the worry is that smaller research bodies would conclude that, given the lack of clarity, it would not be worth taking that risk. I hope that the Government will think hard about the suggestion. It comes from the research institutions themselves and would give clarity and reassurance. I hope that the Minister will accept the amendment.
I want to say a few words in support of my hon. Friend and these important amendments. I think there is an acknowledgement on both sides of the Committee that if we are to prosper in the world that is coming, we are going to need to increase the amount of money that we spend on research and development and make sure that a research-driven economy reaches every corner of the country.
The world of innovation and research is changing very quickly. I think it is next year that China becomes the world’s largest science spender for the first time in several centuries. If we are to compete in this new world, we need to invest more in our R&D base. The Government have made some helpful commitments in this area. Their proposals are not quite as ambitious as the Labour amendments, but none the less all progress is welcome.
I hope that the Minister will reflect on the reality—the way in which research is conducted in our country is changing. In the past, I have called that a shift from the cathedral to the campus. Once upon a time, big firms put a lot of people in a large building and prayed for the best. Now, they are building business parks and creating ecosystems of innovation where they may have a shared research and development facility, otherwise known as a university. There may be big international companies with global reach organised around them, but there are also scores of much smaller firms. They may be as small as a couple of post-docs in a shared lab. If we look at facilities such as BT at Dashwood Park, the Crick Institute or GSK in Stevenage, we see big global companies with hundreds of smaller companies around them which are undertaking research with much greater speed and much lower risk, but with an impact that could change the world.
We cannot jeopardise the conduct of that research. My hon. Friend the Member for Cambridge is right to point out that where there is doubt about the law, or the powers and freedoms of research firms, there is a risk that such firms simply will not undertake such work in the UK, and instead will seek relationships either with global companies or, increasingly, with universities that have R&D facilities elsewhere. We want to create the world’s best place to undertake new science, and that means having a research regime that is the best in the world. We therefore need a data protection regime that helps and does not hinder, which is why the Government should accept these carefully crafted amendments.
I beg to move amendment 9, in clause 8, page 5, line 29, at end insert—
“( ) an activity that supports or promotes democratic engagement.”
This amendment adds a reference to processing of personal data that is necessary for activities that support or promote democratic engagement to Clause 8 (lawfulness of processing: public interest etc).
Since the Bill’s introduction, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. As my noble Friend Lord Ashton set out in the other place, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data.
Having considered the matter further since the debates in the other place, the Government have concluded that it would be prudent to include a provision in the Bill to provide greater clarity to those operating in the area of democratic engagement. Helpfully, clause 8 already provides high-level examples of processing activities that the Government consider could be undertaken on grounds of public interest if the data controller can demonstrate that the processing is necessary for the purposes of the processing activity. As a consequence of the importance that the Government attach to the matter, amendment 9 adds to that list
“an activity that supports or promotes democratic engagement.”
That term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights. We think that that could include communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveys and opinion gathering and fundraising to support any of those activities. Any processing of personal data in connection with those activities would have to be necessary for their purpose and have a legal basis. We will ensure that the explanatory notes to the Bill include such examples, to assist the interpretation of what this provision might mean in practice.
The amendment does not seek to create a partisan advantage for any one side or to create new exemptions from the data protection legislation. It is intended to provide greater clarity. It is also independent of any particular technology, given that in a short time we have moved from physical post to email, Twitter, text messages, WhatsApp, Facebook and so forth.
The Government are always open to suggestions of what else could be done to ensure legal and operational clarity for political parties and elected representatives. Further work might be needed to ensure that their current activities have the legal basis required to rely on the public interest condition. The Government will shortly engage with political parties via the parliamentary parties panel to discuss the matter further and in more detail.
I was surprised and not a little troubled that the Minister did not include the opportunity of creating Member-specific apps in her list—especially those which suck out the pictures from someone’s phone without their permission. Presumably that was not included in her list because that is already illegal.
I am grateful to the Minister for tabling the amendment and for her earlier correspondence with my noble Friend Lord Kennedy. She undertook to reflect on that correspondence and bring forward amendments. She helpfully set out a list of some of the activities that may be undertaken by a political party that fall within the ambit of the amendment. She gave a pretty comprehensive list, but will she put beyond doubt whether canvassing and collecting canvass returns were in her mind when she tabled the amendment and are therefore covered by the amendment? That would be extremely helpful.
The amendment is well intentioned. The health of our democracy is important to all parties. We look forward to the conversations that she will broker through the parliamentary parties panel.
The clause is an important topic of debate because it enshrines the Government’s derogation from European frameworks in law and sets the minimum age of consent for data processing at 13 rather than 16.
That derogation was invented before social media companies arrived at their current strength and delivered the very wide and sophisticated range of tools that help ensure that children become almost addicted to social media devices. In the debate on this topic over the last two or three months there have been fresh revelations from leaders of social media firms that they forbid their children to engage in the apps that their companies deliver. We have had revelations from engineers who have worked at companies such as Facebook, Twitter and Instagram that a great deal of thought goes into how they create devices and forms of interaction that encourage that basic addiction to their apps.
We are at the beginning of what I hope is a period of re-regulation and better regulation of these firms, so that we can do away with many of the risks that affect our children. In a way, I was encouraged to see the Secretary of State’s interview with The Times on Saturday, in which he said very clearly that he would like to see better regulation of social media firms in this country before his own children are tempted to engage in this exciting online world. Many of us have children who are already engaged in this and, as a parent, I have real concerns about the freedom with which social media companies can develop and deliver these techniques, as well as their freedom to take a rather relaxed view of taking down often unfortunate and extremist content. I know that we will have this debate later, and we have tabled amendments to encourage the Government to set a deadline for reforming the electronic commerce directive.
It is important to draw a little more out of the Government about how they see the safeguards coming into place around clause 9. We have not sought to challenge the derogation the Government seek to enshrine in the Bill, but we ensured widespread support for Baroness Kidron’s amendment on the creation of an age-appropriate code. However, rather than simply wave clause 9 through, it is incumbent on the Minister to say a little about how she will ensure that there are adequate safeguards in place to protect our children from the very threats the Secretary of State lit up in lights on Saturday.
I support the general tone of the right hon. Gentleman’s comments. I too was pleased to see the interview with the Secretary of State, his focus on the addictive nature of some of these apps and the idea that there could be within the technology a means of limiting the time children spend on them, which parents could click on. The Information Commissioner’s Office will publish guidance shortly on how clause 9 will work and what those safeguards will be. She will take into consideration an age-appropriate design, as suggested by Baroness Kidron.
Overall, where online services referred to in the Bill as “information society services” choose to rely on consent as the basis for their processing, article 8 of the GDPR sets the age below which a website must obtain the parents’ and not the child’s consent. Most websites will be captured by this additional safeguard, ranging from online banking to search engines to social media, with social media probably being the most relevant to the age group in question.
The GDPR gives member states the flexibility to set this age within a prescribed range of between 13 and 16. The Bill sets it at 13, with an exception for preventive and counselling services, for which the test is based purely on the child’s capacity to understand what they are being asked to consent to. The Government are satisfied that the Information Commissioner’s Office has adequate enforcement powers, including large fines for any offences committed in this area.
We support these amendments very strongly, and if possible we would like to test the Committee’s will on this. The Bill has a succession of Henry VIII powers at a number of different clauses, which in effect give the Secretary of State the power to vary and amend regulations that are incredibly important. We cannot detach this debate from the earlier debate on the incorporation of article 8. We now have a Bill that is pretty weak on the fundamental principles of law that it seeks to enshrine; the Government want to set their face against incorporating some protections that we have in the European charter of fundamental rights. Therefore, the idea that we leave out some fundamental protections of rights, but then hand over to the Minister unfettered power to make regulations as he or she sees fit, does not seem to be in Parliament’s best interest. We think that the Government need to think again.
The powers in this particular clause create the possibility that exemptions to data protection rights, which have not been considered or debated in Parliament, go through effectively at the whim of the Minister. Those powers are enshrined in clause 10, and in clauses 35 and 86; we will come on to those debates, but the powers that clause 10 proposes to grant the Minister are in effect unilaterally to vary the conditions and safeguards governing the general processing of sensitive personal data—the general data set out in schedule 1—and then to add new conditions to schedules 1, 8 and 10.
That means that we would basically give the Secretary of State the power to expand the permissible reasons to allow processing of sensitive personal data, both generally and particularly for law enforcement and intelligence agencies. That is something that has been considered extensively in the other place. The House of Lords Constitution Committee said:
“The Government’s desire to future-proof legislation…must be balanced against the need for Parliament to scrutinise and, where necessary, constrain executive power.”
The Delegated Powers and Regulatory Reform Committee said that
“it is not good enough for Government to say that they need ‘flexibility’ to pass laws by secondary instead of primary legislation without explaining in detail why”.
The Ministers slightly let the cat out of the bag when Baroness Chisholm spoke up for the Government and said that if they were to accept the Committee’s recommendations in full that would
“leave the Government unable to accommodate developments in data processing and the changing requirements of certain sectors”—[Official Report, House of Lords, 11 December 2017; Vol. 787, c. 1464.]
That includes, for example, the insurance sector. That is patently nonsense. It would not constrain the Government’s ability to introduce wise regulations in this place; it would simply constrain the Government’s ability to do that unilaterally without effective recourse to Parliament. We are seeking a very clear Government explanation as to why the Secretary of State, not Parliament, should be empowered to alter the data protection regime to keep it up to date, and that explanation needs to be all the more robust following the remarks that the Minister has made about her attitude towards incorporating the fundamental right of privacy in British law.
We think that the amendments would be sensible constraints on Henry VIII powers. There is wide consensus across both Houses that they are necessary. They will not damage or diminish the Secretary of State’s ability to keep regulation up to date. Many of us have been in this place long enough to know that it is perfectly within the Executive’s power to keep regulatory reform on track if the political will is there. We are asking for a defence of Parliament’s right to oversee, scrutinise and, where necessary, constrain the powers of the Secretary of State to regulate in this field.
Following recommendations by the Delegated Powers and Regulatory Reform Committee, we have considered carefully the use of the Bill’s order-making powers and amended the Bill in the House of Lords to provide additional safeguards for the exercise of those powers, but Members of the Lords on all sides of the House agreed that it was essential to retain the order-making powers in the Bill as amended.
I will explain how the powers will be used in practice. Article 9 of the GDPR prohibits the processing of special categories of personal data unless one of the exemptions in paragraph 2 of article 9 applies. The exemptions include, for example, the situation where processing is necessary for reasons of substantial public interest. Schedule 1 to the Bill provides a series of processing conditions for special categories of data under article 9 and criminal convictions data under article 10. Most of those processing conditions have been imported from the Data Protection Act 1998 and statutory instruments made under that Act, but some of them are new—for example, the conditions on anti-doping in sport or processing for insurance purposes. They have been added to reflect the way in which the use of data has changed over the past 20 years.
Amendment 129 would remove the ability to amend schedule 1 via secondary legislation. That would be particularly damaging because it would mean that primary legislation might be needed every time the need for a new processing activity involving special categories of data arose. The 1998 Act was itself amended several times through secondary legislation, and it is important that we retain the flexibility to respond to emerging technologies and the different ways in which data might be used in the future.
It is interesting to note that the hon. Member for Sheffield, Heeley has tabled an amendment to schedule 1 that would add a completely new processing condition in relation to maintaining the missing persons register. My hon. Friend the Under-Secretary of State for the Home Department will touch on the merits of that proposal later, but the fact that others in the Committee are considering further changes to schedule 1 illustrates the point that schedule 1 cannot simply freeze the regimes in parts 3 and 4 of the Bill. I urge colleagues to resist the amendment.
It does happen. That is not a new provision, but one that was imported from the current law. Unfortunately, some crucial words were accidentally lost in the process of importing it. The amendment reinstates them.
Schedule 1 sets out UK domestic legislation to allow the processing of particularly sensitive data in certain circumstances. The Government’s view is that the processing of such data must be undertaken with adequate and appropriate safeguards to ensure that individuals’ most sensitive data is appropriately protected. One of those safeguards is the new requirement for an appropriate policy document to be maintained in most circumstances when special categories of data and criminal convictions data are processed. That is set out in paragraph 5 and part 4 of the schedule.
Since the Bill’s introduction, we have reflected on whether there are cases where the requirement to hold an appropriate policy document is so disproportionate that, rather than improving protections, it effectively prevents the necessary processing from taking place. Amendments 79, 82 and 90 remove the requirement for a controller to have an appropriate policy document where processing involves the disclosure of special category data to a competent authority for the detection or prevention of an unlawful act, the disclosure of special category data for specific purposes in connection with journalism, or the disclosure of special category data to an anti-doping authority. Amendment 80 defines what is meant by “competent authority”. The aim of those amendments is to avoid a scenario in which an individual who never normally processes data under schedule 1 wishes to report a crime, report something of public interest to the media or report doping activities in sport and, in so doing, processes special categories of data and would have to have in place an appropriate policy document.
Amendment 76 reflects that change to the requirement to have an appropriate policy document by inserting the words, “Except as otherwise provided” in paragraph 5 of the schedule. Amendments 87 and 89 make it clear that, in the context of schedule 1, “withholding consent” means doing something purposeful, not just neglecting to reply to a letter from the data controller. That avoids a world in which data controllers have an incentive not to bother requesting consent in the first place.
Paragraph 31 of the schedule requires the controller to have an appropriate policy document in place when relying on a processing condition in part 2 of the schedule to process criminal convictions data. However, all the provisions in part 2 are subject to the policy document requirement except where noted, so there is no reason to state it again in paragraph 31. Amendment 91 removes that duplicate requirement. It is simply a tidying-up amendment to improve the coherence of the Bill.