Lord Kirkhope of Harrogate (Con)

- View Speech - Hansard -

Copy Link

-

My Lords, at this late stage in any debate much of the field is likely to have been covered, but, as someone deeply involved in the crafting, drafting and evolution of the EU GDPR while an MEP in Brussels, I declare a strong vested interest in this subject. I hope that the Minister will not be too negative about the work that we did —much of it was done by Brits in Europe—on producing the GDPR in the first place.

I raised this issue at the recent UK-EU Parliamentary Partnership Assembly and in bilateral discussions with the European Parliament’s civil liberties committee, on which I served for many years, on its recent visit to London. Let me be candid: while the GDPR stands as a significant achievement, it is not without need for enhancement or improvement. The world has undergone a seismic shift since the GDPR’s inception, particularly in the realm of artificial intelligence. Both the UK and the EU need to get better at developing smart legislation. Smart legislation is not only adaptive and forward-looking; it is also flexible enough to evolve alongside emerging trends and challenges.

The importance of such legislation is highlighted by the rapid advancement in various sectors, and particularly in areas such as artificial intelligence—as so well referred to by my noble friend Lord Holmes of Richmond—and how our data is used. These fields are evolving at a pace that traditional legislative processes struggle to match. Such an approach is vital, not only to foster innovation but to ensure that regulations remain relevant and effective in a swiftly changing world, helping to maintain our competitive edge while upholding our core values and standards.

The aspirations of this Bill, which is aimed at modernising and streamlining the UK’s data protection framework while upholding stringent standards, are indeed laudable. I regret that, when my noble friend Lord Kamall was speaking about cookies, I was temporarily out of the Chamber enjoying a culinary cookie for lunch. While there may be further advantages to be unearthed in the depths of this complex legislation, so far, the biggest benefit I have seen is its commitment to removing cookie pop-ups. Above all, we must tread carefully to ensure international compliance, which has been referred to by a number of noble Lords, and steadfastly adhere to the bedrock GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and citizens’ redress.

On a procedural note, following other noble Lords, the Government’s recent flurry of amendments—I think there were 266 in total, including 38 new clauses and two new schedules, a staggering 240 of which were introduced at the 11th hour—places a key duty on our House to meticulously scrutinise the new legislation line by line. I have heard other speakers refer to my friend, the right honourable Member for Haltemprice and Howden, in the other place, who astutely observed that that House has

“in effect delegated large parts of the work on this important Bill to the House of Lords”.—[Official Report, Commons, 29/11/23; col. 888.]

I have to say that that is wonderful because, for those of us who are always arguing that this is the House that does the work, that is an acknowledgement of its skills and powers. It is a most welcome reference.

I wish to draw the House’s attention briefly to three important terms: adequacy, which noble Lords have heard about, equivalence and approximation. Adequacy in data protection primarily comes from the EU’s legal framework. It describes the standard that non-EU countries must meet to allow free flow of personal data from the EU. The European Commission assesses this adequacy, considering domestic laws and international commitments. The UK currently benefits from the EU’s two data adequacy decisions, which, I remind the House, are unilateral. However, we stand on the cusp of a crucial review in 2024, when the Commission will decide the fate of extending data adequacy for another four years and it has the power to withdraw its decision in the meantime if we threaten the basis for it. This Bill must not increase the risk of that happening.

Equivalence in the realm of data protection signifies that different systems or standards, while not mirror images, offer comparable levels of protection. It is about viewing a non-EU country’s data protection laws through a lens that recognises their parity with GDPR in safeguarding personal data. Past EU adequacy decisions have not demanded a carbon copy of laws; rather, they seek an essentially equivalent regulatory landscape.

Approximation refers to aligning the laws of EU member states with each other. In data protection, it could describe efforts to align national laws with GDPR standards. The imperative of maintaining data adequacy with the EU cannot be overstated; in fact, it has been stated by many noble Lords today. It stands as a top priority for UK business and industry, a linchpin in law enforcement co-operation, and a gateway to other vital databases. The economic stakes are monumental for both sides: EU personal data-enabled services exports to the UK were worth approximately £42 billion in 2018, and exports from the UK to the EU were worth £85 billion.

I commend the Government for listening to concerns that I and others have raised about democratic oversight and the independence of the Information Commissioner’s Office. The amendment to Clause 35, removing the proposal for the Secretary of State to veto ICO codes of practice, was welcome. This move has, I am informed, sent reassuring signals to our friends in Brussels. However, a concern still remains regarding the UK’s new ambition for adequacy partnerships with third countries. The Government’s impact assessment lists the United States, Australia, the Republic of Korea, Dubai International Finance Centre, Singapore and Colombia, with future agreements with India, Brazil, Kenya and Indonesia listed as priorities.

Some of these nations have data standards that may not align with those of the EU or in fact offer fewer safeguards than our current system. I urge extreme caution in this area. We do not want to be in the situation where we gain a data partnership with Kenya but jeopardise our total data adequacy with the EU. Fundamentally, this Bill should not weaken data protection rights and safeguards. It should ensure transparency in data use and decision-making, uphold requirements for data processors to consider the rights and interests of affected individuals and, importantly, not stray too far from international regulations.

I urge my noble friend the Minister and others to see that adopting a policy of permanent dynamic alignment with the EU GDPR is important, engaging actively with the EU as a partner, not just implementing new rules blindly. Protecting and strengthening the UK-EU data partnership offers an opportunity for closer co-operation, benefiting businesses, consumers, innovation and law enforcement; and together, we can reach out to others to encourage them to join these truly international standards.

Lord Kirkhope of Harrogate (Con)

- Hansard -

Copy Link

-

My Lords, I rise with some temerity. This is my first visit to this Committee to speak. I have popped in before and have been following it very carefully. The work going on here is enormously important.

I am speaking to Amendment 115, thanks to the indulgence of my noble friend Lord Bethell, who is the lead name on that amendment but has kindly suggested that I start the discussions. I also thank the noble Lord, Lord Clement-Jones, for his support. Amendment 115 has one clear objective and that is to prevent transfer of UK user data to jurisdictions where data rights cannot be enforced and there is no credible right of redress. The word “credible” is important in this amendment.

I thank my noble friend the Minister for his letter of 11 April, which he sent to us to try to mop up a number of issues. In particular, in one paragraph he referred to the question of adequacy, which may also touch on what the noble Lord, Lord Clement-Jones, has just said. The Secretary of State’s powers are also referred to, but I must ask: how, in a fast-moving or unique situation, can all the factors referred to in this long and comprehensive paragraph be considered?

The mechanisms of government and government departments must be thorough and in place to satisfactorily discharge what are, I think, somewhat grand intentions. I say that from a personal point of view, because I was one of those who drafted the European GDPR—another reason I am interested in discussing these matters today—and I was responsible for the adequacy decisions with third countries. The word “adequacy” matters very much in this group, in the same way that we were unable to use “adequacy” when we dealt with the United States and had to look at “equivalence”. Adequacy can work only if one is working to similar parameters. If one is constitutionally looking at different parameters, as is the case in the United States, then the word “equivalence” becomes much more relevant, because, although things cannot be quite the same in the way in which administration or regulation is carried out, if you have an equivalence situation, that can be acceptable and lead to an understanding of the adequacy which we are looking for in terms of others being involved.

I have a marvellous note here, which I am sure noble Lords have already talked about. It says that every day we generate 181 zettabytes of personal data. I am sure noble Lords are all aware of zettabytes, but I will clarify. One zettabyte is 1,000 exabytes—which perhaps makes it simpler to understand—or, if you like, 1 billion trillion bytes. One’s mind just has to get around this, but this is data on our movements, finances, health and families, from our cameras, phones, doorbells and, I am afraid, even from our refrigerators—though Lady Kirkhope refuses point blank to have any kind of detector on her fridge door that will tell anybody anything about us or what we eat. Increasingly, it is also data from our cars. Our every moment is recorded—information relating to everything from shopping preferences to personal fitness to our anxieties, even, as they are displayed or discussed. It is stored by companies that we entrust with that data and we have a right to expect that such sensitive and private data will be protected. Indeed, one of the core principles of data protection, as we all know, is accountability.

Article 79 of the UK GDPR and Section 167 of our Data Protection Act 2018 provide that UK users must have the right to effective judicial remedy in the event of a data protection breach. Article 79 says that

“each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation”.

Lord Kirkhope of Harrogate (Con)

- Hansard -

Copy Link

-

I am sorry to interrupt my noble friend, but the point I made—this now follows on from other remarks—was that these requirements have been in place for a long time, and we are seeing abuses. Therefore, I was hoping that my noble friend would be able to offer changes in the Bill that would put more emphasis on dealing with these breaches. Otherwise, as has been said, we look as though we are going backwards, not forwards.

Lord Kirkhope of Harrogate (Con)

- Hansard -

Copy Link

-

My Lords, I support Amendment 208A. I declare my interest as a solicitor but not one who has been directly involved with personal injury claims. This is an area of particular specialism that requires particular expertise and experience for it to be carried out to the best advantages of those who seek that help.

Looking back, I am concerned that this matter has been raised, in different fora, on a number of occasions. For instance, in 2016, the Telephone Preference Scheme opt-out was discussed when it was removed from the control of Ofcom to that of the ICO. At that point, there was a great opportunity for this matter to be dealt with. Indeed, a number of organisations, including personal injury lawyers, the Motor Accident Solicitors Society and others, said that it was vital to carry this out and that cold calling should be ended because of the pressures it placed on an awful lot of very vulnerable people.

Since 2016, things have got worse in one respect—although, perhaps, they are a little less bad in respect of telephone calling. It is a little while now since I was last told that I had just had a major accident in my car as I was sitting enjoying a glass of wine and not having such worries in my mind. Telephone cold calling seems to have diminished but pressures through social media contact, various scams and so on have increased dramatically. I have been told this by a number of my legal colleagues.

In 2023, the Government produced the UK’s Fraud Strategy. As I am sure noble Lords will know, when it was published, it specifically pursued the question of extending the ban on cold calling to personal injury cases; that was very important and included all servers. So, unless there is some relationship already in place—something where that is a defence, as it were, here—and a voluntary willingness on the part of those who suffer from personal injuries to be contacted by an organisation with which they already have a relationship, this is something that we should pursue very strongly indeed.

Although it is correct that the legal profession, and perhaps other professions, are banned from this procedure, on a regulatory or disciplinary basis, some of my colleagues in the profession are, in some cases, susceptible to financial and commercial challenges through these organisations, such that they would become—sometimes, almost inadvertently—part of the process. Therefore, I hope that, in passing such an amendment, we would give a clear sign to the Solicitors Regulation Authority and the Law Society that it underlines yet again that these practices are not acceptable to those members of the profession.