Lord Lucas (Conservative - Excepted Hereditary)
Department Debates: HM Treasury
(12 years, 5 months ago)
Lords Chamber

My Lords, the amendment concerns a subject raised by the noble Lord, Lord Whitty, at Second Reading. With his consent, I raise the matter now in his absence.
The issue of consent to the use of information on the internet is greatly confused at the moment. We have the principle of caveat emptor, as far as possible; we have a set of data protection regulations which are of variable application; and we have a daft system doing the rounds at the moment under which every website pops up with the message, “Can we use cookies?”, to which you answer, “Yes”, because the website will not function without that. That is a complete waste of time which has been foisted on us by Europe.
The question raised by the noble Lord, Lord Whitty, is interesting and I shall be interested to see where the Government find themselves. When you have a regulated institution with financial data on people, under what circumstances is it allowed to share those data with other bits of the same company which are not regulated? This may apply to Tesco with all the data which it has on Clubcard. Is the retail side of Tesco allowed to look at what people are doing in their bank accounts and to understand what they should be marketing to them? Vice versa, is the banking side of Tesco allowed to look at all the Clubcard data and say, “Hang on, this guy looks as though he is going bust because he is starting to buy cheap orange juice, so we really ought not to be offering him the degree of credit that we are”. If we are to allow such sharing, what degree of information should be offered to consumers about what is happening? There is a standard practice on the internet—I rather suspect that we have all done it—where we are presented with a little form saying, “Have you read the agreement? Tick ‘yes’”, and the agreement is 154 pages long. As it is not really clear where the changes are from the previous one you signed, you tick “Yes” because you want to use the thing. You sort of trust the people you are dealing with.
Are we in the territory where the consent to share information will be hidden away in that kind of automatically signed agreement on the web, or are we in the territory where things would have to be made clear in the preamble to the consent form that this sort of sharing was being permitted and that no disadvantage would be incurred by the customer if they refused to share? I find this a puzzling area and I shall be very interested to know what the Government intend that the FCA should do. I beg to move.
My Lords, the British banking market is changing, thanks, partly, to the ongoing regulatory reforms, as new competitors enter the market. Clearly, that new competition is very much to be welcomed. Consumers need greater choice both for themselves and to drive up standards. However, we should be aware, as the noble Lord, Lord Lucas, has spelt out, that potentially some of the new entrants to the financial sector happen to possess a large amount of data on their customers from the non-banking activities. Therefore, it will be important for safeguards to be put in place to prevent any abuse of that information.
Clearly, supermarket banks own some of the largest consumer databases in the world, with item-level purchase data on each of the millions of members of their loyalty card schemes. Should that information be used by the banking arms of those conglomerates, it would clearly raise concerns for consumers about their personal privacy and about the potential for misuse. The concerns are fairly obvious. What about invasion of privacy? A consumer’s lender will know everything about what they had purchased and when. For example, imagine that a bank learnt from the supermarket side when a consumer started to buy cheaper food, they would know exactly when payday loans might be welcome. Similarly there is a possibility of the use of that ordinary supermarket data as a credit rating mechanism.
My Lords, I shall respond to the amendment that has been moved but I shall not respond to the amendment that has not been addressed. Amendment 106ZA seeks to add to the list of matters to which the FCA must have regard in advancing its consumer protection objective. The new “have regard” proposed by my noble friend focuses on data protection, as he has explained, and specifically would require the FCA to consider the issue of consumers having to give informed consent in order for their data to be shared, in particular within a group of companies which includes a non-financial services institution.
Of course, I agree that consumers should have full knowledge about what is being done with their data at all times and have to consent to any sharing of them. I will do my best to reassure the Committee, as I think it is fairly clear, that there is already legislative provision in place to deliver what my noble friend wants to achieve and that this applies whether or not we are talking about different entities—because it is essentially a legal entity test—within a banking group or different entities within a supermarket group. The bank within a supermarket group is bound to be in a different legal entity from the supermarket operation itself. The same considerations apply whether within a banking group, within other financial services groups or within a supermarket group.
The ability of a subsidiary to share personal information about its customers, either with the parent company or with another member of the group, is already regulated by the Information Commissioner under the Data Protection Act 1998. It is legislation that applies to a financial services firm in exactly the same way as it applies to a supermarket or any other data controllers. If a financial services firm has breached a customer’s rights under the Data Protection Act—for example, if it has used the customer’s personal information unfairly, for a reason that is not the one for which it was collected, or without proper security—then the right course of action is for the customer to complain to the firm and then to the Information Commissioner. The Information Commissioner has the powers to force compliance with the law.
The FCA will not, therefore, be the first line of defence in the area of data protection. It is important that we do not blur the lines of responsibility between a financial services regulator and the Information Commissioner, who, as we have seen through numbers of cases, whether in financial services or in other areas, is a regulator with teeth. The case in 2007 of Nationwide is an example of the Information Commissioner taking aggressive action. In support of that, the FSA will take action where appropriate. The Information Commissioner is the first line of defence, but if a financial services firm were to do something reckless, such as losing a laptop with consumer data on it, then it will be fined, as Nationwide was fined £1 million in 2007.
We have the Information Commissioner as the first line of protection to make sure that information cannot leak from one entity to another within the group without the informed consent of the consumer and that the data within the entity are properly used in the way I have suggested. However, as a second line of defence, in areas such as the one that I have described, of the loss of a laptop, the FSA—and in future the FCA—will have important supporting powers. Therefore, I would suggest that this “have regard” is one that is not necessary or appropriate and might raise false expectations about the responsibility of the FCA in an area where there is a regulator with proven ability to come down hard on those institutions that abuse consumer data. I ask my noble friend to withdraw his amendment.
My Lords, I am very grateful for that explanation. At this stage, it is exactly what I was hoping for. I beg leave to withdraw the amendment.