Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lord Bassam of Brighton
Main Page: Lord Bassam of Brighton (Labour - Life peer)Department Debates - View all Lord Bassam of Brighton's debates with the Department for Science, Innovation & Technology
Data Protection and Digital Information Bill
Lord Bassam of Brighton ExcerptsTuesday 19th December 2023
(4 months, 3 weeks ago)
Lords ChamberRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 29 November 2023 - large print - (29 Nov 2023)
Lord Bassam of Brighton (Lab)
My Lords, first I want to thank all those noble Lords who have spoken today, and actually, one noble Baroness who has not: my colleague, the noble Baroness, Lady Jones. I am sure the whole House will want to wish her a safe and speedy recovery.
While I am name-checking, I would also like to join in the general congratulation of the noble Lord, Lord de Clifford, who, as others have observed, made a valuable case on behalf of small businesses and SMEs generally, and also called, in his words, for investment to assist this sector to deal with the challenges of data protection.
The range of concerns raised is a good indication of the complexity of this Bill and the issues which will keep us pretty busy in Committee, and I am sure well beyond. We have been well briefed; a record number of briefings have been dispatched in our direction, and they have been most welcome in making sure that we are on top of the content of this Bill.
At the outset, let me make it clear that while we support the principle of modernising data protection legislation and making it suitable for a rapidly changing technological landscape, one that is fit for purpose, we join with noble Lords like the noble Lord, Lord Kirkhope, who made the case for ensuring that the legislation is relevant. We need to properly scrutinise this, and we understand the need to simplify the rules and make them clearer for all concerned. Most speakers commented on this real need and desire.
However, as others have said, this Bill represents a missed opportunity to grasp the challenges in front of us. It tinkers rather than reforms, it fails to offer a new direction and it fails to capitalise on the positive opportunities the use of data affords, including making data work for the wider social good. I thought the noble Lord, Lord Holmes, made a good case in saying it is our data and therefore needs to be treated with respect. I do not think this Bill does that.
The Bill fails to build on the important safeguards and protections that have been hard won by others in other fields of legislation covering the digital world, in particular, about the use of personal data that we want to see upheld and strengthened. The noble Baroness, Lady Kidron, made an inspired speech, pleading with us to hold the Government’s feet to the fire on this issue and others.
The Bill also fails to provide the simplicity and certainty that businesses desire, given that it is vital that we retain our data adequacy status with the EU. Therefore, businesses will find themselves navigating two similar but, as others have said, divergent sets of rules, a point well made by the right reverend Prelate the Bishop of St Albans and the noble Lords, Lord Vaux and Lord Kirkhope. In short, it feels like a temporary holding position rather than a blueprint for reform, and I suspect that, all too soon, we will be back here with a new Bill—perhaps a data protection (No. 3) Bill—which will address the more profound issues at the frontier of data use.
Before that, I must take over the points made by my noble friend Lord Knight, who opened the debate for us. It is an affront to our parliamentary system that the Government chose to table 266 amendments on the last available day before Report in the Commons—about 150 pages of amendments to consider in a single debate. The marvellous notes that accompany the Bill had to be expanded by something like a fifth to take account of all these amendments; it has grown over time. Clearly, our Commons colleagues had no way of being able to scrutinise these amendments with any degree of effectiveness, and David Davis made the point that it is down to us now to make sure that that job is well done.
I agree that some of the amendments are technical, but others are very significant, so can the Minister explain why it was felt necessary to rush them through without debate? For example, the new Schedule 1 will grant the Secretary of State the power to require banks, or other financial institutions, to provide the personal data for anyone in receipt of benefits. These include state pensions and universal credit, but they also include other benefits—working tax credit, child tax credit, child benefit, pension credit, jobseeker’s allowance and personal independence payments. That is a long list; we think that it probably covers some 40% of the population. What is the Government’s real need here?
Yesterday, we had a consultation session with the Minister. I asked where the proposals came from, and he was very honest that they were included in a DWP paper on fraud detection some two years ago. Why is it that the amendments were put into the Bill so late in the day, when they have been around and accessible to the Government for two years? Why has there not been any effective consultation on this? Nobody was asked whether they wanted these changes made, and it seems to me that the Government have acted in an entirely high-handed way.
Most of the population will fall into one or the other of the categories, as my noble friend Lady Young and the noble Lord, Lord Vaux, made clear. Some, such as the noble Lord, think that they might be exempted—but, having listened to my list, he may think otherwise. The criteria for these data searches are not clarified in the Bill and have no legislative limit. Why is that the case?
As Mel Stride and the DWP officials made clear when giving evidence to the Work and Pensions Select Committee recently, this is not about accessing individual bank accounts directly where fraud is suspected, it is about asking for bulk data from financial organisations. How will the Government be able to guarantee data security with bulk searches? When were the Government planning to tell the citizens of this country that they were planning to take this new set of powers to look into their accounts? I warn the Minister that I do not think it will go down very well, when the Government fully explain this.
Meanwhile, the banking sector has also raised concerns about the proposals, which it describes as too broad and liable to put vulnerable customers at a disadvantage. The ICO also questions the proportionality of the measure. Let me make our position clear on this: Labour is unreservedly committed to tackling fraud. We will pursue the fraudsters, conmen and claimants who try to take money from the public purse fraudulently or illegally. This includes those involved in tax fraud or dodgy PPE contracts. As our shadow Minister Chris Bryant made clear in the Commons:
“I back 100% any attempt to tackle fraud in the system, and … will work with the Government to get the legislation right, but this is not the way to do it”.—[Official Report, Commons, 29/11/23; col. 887.]
I hope that the Minister can confirm that he will work with stakeholders, banks and ourselves to find a better way to focus on tackling fraud in all its guises.
Another aspect of the Bill that was revealed at a late date are the rules governing democratic engagement, to which a number of Peers have referred today. The Bill extends the opportunities for direct mail marketing for charitable or political purposes. It also allows the Secretary of State to change the rules for the purposes of democratic engagement. It has now become clear that this will allow the Government to switch off the direct marketing rules in the run-up to an election. Currently, parties are not allowed to send emails, texts, voicemails and so on to individuals without their specific consent. We are concerned that changing this rule could transform UK elections. These powers were opposed in the public consultation on the Bill; this is not what the public want. We have to wonder at the motives of the Government in trying to change these rules at such a late stage and with the minimum of scrutiny. This is an issue to which we will return in Committee; I hope that the Minister can come up with a better justification than his colleagues in the Commons were able to.
I turn to other important aspects of the Bill. A number of noble Lords gave examples of how personal rights to information and data protection, which were previously in the GDPR and the Data Protection Act 2018, have been watered down or compromised. For example, subject access requests have been diluted by allowing companies to refuse such requests on the grounds of being excessive or vexatious—terms that, by their very nature, are hard to define—or by allowing the Secretary of State to define who has a recognised, legitimate interest for processing personal data. Similarly, there is no definition in the Bill of what constitutes high-risk processing —risking uncertainty and instability for businesses and the potential misuse of personal data. We will want to explore these definitions in more detail.
A number of noble Lords quite rightly raised the widespread fear of machines making fundamental decisions about our lives with no recourse to a human being to moderate the decision. The impact of this can be felt more widely than an individual data subject—it can impact on a wider group of citizens as decisions are made, for example, on policing priorities, healthcare and education. This can also have a hugely significant impact in the workplace. Obviously, algorithms and data analysis can bring huge benefits to the workplace, cutting out mundane tasks and ensuring greater job satisfaction. But we also need to ensure that workers and their representatives know what data is being collected on them and have an opportunity for human contact, review and redress when an algorithmic system is used to make a decision. For example, we need to avoid a repeat of the experience of the Just Eat couriers who were unfairly sacked by a computer. We will want to explore how the rights of individuals, groups of citizens and workers can better be protected from unfair or biased automated decisions.
The noble Baroness, Lady Kidron, and others have argued the case for new powers needed to give coroners the right to access information held by tech companies on children’s data where there is a suspicion that the online world contributed to their death and demise. This is a huge and tragic issue that the Government have sadly ducked, although the promise to listen that I heard from the Minister was very welcome. We shall ensure that we keep him to that commitment.
Despite all the promises made, however, the Government have broken the trust of bereaved parents who were expecting this issue to be resolved in the Bill. Instead, the amendment addresses only cases where a child has taken their own life. We will do what we can in this Bill to make sure that the commitments made in the Online Safety Act are fully honoured.
On a separate but important point, Clause 2 allows companies to exploit children’s data for commercial purposes. We believe that without further safeguards, children’s rights will be put very much at risk as companies collect information on where they live, what they buy, how they travel and what they study. We will seek to firm up those children’s rights as the Bill goes forward.
On cookie pop-ups, it is widely accepted that the current system is not working, as everyone ignores them and they have become an irritant. But they were there for a purpose—to ensure that the public were informed of the data being kept on them, so we do not believe that simply removing them is the answer. Similarly with nuisance calls, we want to ensure that the new rules are workable by clarifying the responsibilities of telecoms companies.
As I said at the outset, we regard the Bill as a disappointment that fails to harness the huge opportunities that data affords and to build in the appropriate safeguards. My noble friend Lord Knight put his finger on it well, at the front of the debate, when he said that we need a data protection Bill, but not this Bill.
The Government’s answer to a lack of clarity in so many areas of the Bill is to build in huge, sweeping, Henry VIII powers. When reviewing the legislation recently, we managed to count more than 40 proposed statutory instruments. That is an immense amount of power in the hands of the Secretary of State. We do not believe that this is the right way to legislate on a Bill that is so fundamental to people’s lives and the future of our economy. We want to bring these powers back into play so that they have the appropriate level of parliamentary scrutiny.
With this in mind, and taking into account all the concerns raised today, we look forward to a long and fruitful exchange with the Government over the coming months. This will be a Bill that challenges the Government.