Data Protection Bill [HL]

Lord Lucas Excerpts
Monday 13th November 2017


Lords Chamber
Moved by
71ZA: After Clause 10, insert the following new Clause—
“Regulations relating to the processing of personal data under Part 3 of the Digital Economy Act 2017
(1) Subject to the following provisions of this section, the age-verification regulator under section 16 of the Digital Economy Act 2017 may publish, and revise from time to time, regulations relating to the processing of personal data for purposes of age verification under types of arrangements for making pornographic material available not prohibited by section 14 of the Digital Economy Act 2017 in order to—
(a) provide appropriate protection, choice and trust in respect of personal data processed as part of any such arrangements; and
(b) create any technical obligations necessary to achieve the aims set out in subsection (1)(a).
(2) Once the regulator has prepared a draft of regulations it proposes to publish under subsection (1), it must submit the draft to the Secretary of State.
(3) When draft regulations are submitted to the Secretary of State under subsection (2), the Secretary of State must lay those draft regulations before both Houses of Parliament.
(4) If, within the period of 40 days beginning with the day on which draft regulations are laid before Parliament under subsection (3), either House resolves not to approve those draft regulations, the age-verification regulator must not publish those regulations in the form of that draft.
(5) If no such resolution is made within that period, the age-verification regulator must publish the regulations in the form of the draft laid before Parliament.
(6) But subsection (8) applies, instead of subsections (4) and (5), in a case falling within subsection (7).
(7) The cases falling within this subsection are those where draft regulations are laid before Parliament under subsection (3) and no previous regulations have been published under subsection (1) by the age-verification regulator.
(8) The regulator must not publish regulations in the form of the draft laid before Parliament unless the draft has been approved by a resolution of each House of Parliament.
(9) Subsection (4) does not prevent new draft regulations from being laid before Parliament.
(10) For the purposes of subsection (4)—
(a) where draft regulations are laid before each House of Parliament on different days, the later day is to be taken as the day on which it was laid before both Houses, and
(b) in reckoning any period of 40 days, no account is to be taken of any time during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
(11) References in this section to regulations and draft regulations include references to revised regulations and draft revised regulations.”
Lord Lucas (Con)

My Lords, I thank the Open Rights Group for pushing for this amendment, and particularly the Public Bill Office for getting it into a form that is acceptable in the Bill. This amendment addresses age verification for accessing pornography; currently there are no specific safeguards. However, sexual preferences are very sensitive, so this amendment allows—it does not compel—regulation at a higher level than is currently the case. The pornography industry has a woeful record of regular, large-scale breaches of data security and I do not believe that we should trust it. Even if we think we might trust the industry, we ought to be in a position where we do not have to. Our young people deserve proper protection regarding some very sensitive data.

I believe that we should take this seriously—my experience of young boys of 14 and 15 is that they are being exposed to high-grade pornography on a large scale, something that in the context of their relationships with women later in life we may want to think about carefully. Therefore, surely we should take the opportunity to give ourselves the powers to take action, should we decide that that is necessary, rather than having to come back to primary legislation with all the time and delay that that involves. We can anticipate this difficulty—we can see it coming down the tracks—so let us prepare for it. I beg to move.

Lord Stevenson of Balmacara (Lab)

My Lords, I am completely discombobulated because the noble Lord, Lord Lucas, has hidden himself on the far right-hand side of the Chamber, which makes it very difficult to engage with him—but I am sure we can get over it. He is also incredibly skilful to have got an amendment of this type into the Bill, because we were looking at this issue as well but could not find a way through. I would like a tutorial with him afterwards about how to get inside the interstices of this rather complicated legislative framework.

I must say that I have read his amendment several times and still cannot quite get it. I shall therefore use my usual strategy, which is to come in from an aerial height on a rarefied intellectual plane and ask the Minister to sum up in a way that I can understand—but under the radar I will ask for three things. First, we spent a lot of time on this in the Digital Economy Act. It is an important area and it is therefore important that we get it right. It would be quite helpful to the Committee, and would inform us for the future, if we could have a statement from the Dispatch Box or a letter saying where we have got to on age verification.

I hear rumours that the system envisaged at the time when the Digital Economy Act was going through has not been successful in practice. I think that we have heard from the Minister and others in earlier groups in relation to similar topics that in practice the envisaged age verification system is not being implemented as it stands. What is happening is that the process of trying to clear up this area and making sure that age verification is in place is actually being carried out on a voluntary basis by those who run credit cards and banking services for the companies involved and for whom a simple letter from the regulator, in this case the BBFC, is sufficient to cause them to cease to process any moneys to the sites concerned—and, as a result, that is what is happening in the pornography industry. That may or may not be a good thing—it is probably too early to say—but it was not the intention of the Bill. That was to have a system that was dependent on a proper age verification system and to make the process open and transparent. If it is different, we ought to know that before we start considering these areas.

My third point is that we would rely on Ministers to let us know whether it is necessary to return to this issue in the sense of the information that we hope will be provided. It is only at that level that we can respond carefully to what the noble Lord said—although I have no doubt that it is a very important area.

--- Later in debate ---
Lord Ashton of Hyde

My Lords, as we have heard, Part 3 of the Digital Economy Act 2017 requires online providers of pornographic material on a commercial basis to institute appropriate age verification controls. My noble friend’s Amendment 71ZA seeks to allow the age verification regulator to publish regulations relating to the protection of personal data processed for that purpose. The amendment aims to provide protection, choice and trust in respect of personal data processed for the purpose of compliance with Part 3 of the 2017 Act.

I think that I understand my noble friend’s aim. It is a concern I remember well from this House’s extensive deliberations on what became the Digital Economy Act, as referred to earlier. We now have before us a Bill for a new legal framework which is designed to ensure that protection, choice and trust are embedded in all data-processing practices, with stronger sanctions for malpractice. This partly answers my noble friend Lord Elton, who asked what we would produce to deal with this problem.

Personal data, particularly those concerning a data subject’s sex life or sexual orientation, as may be the case here, will be subject to rigorous new protections. For the reasons I have just mentioned, the Government do not consider it necessary to provide for separate standards relating exclusively and narrowly to age verification in the context of accessing online pornography. That is not to say that there will be a lack of guidance to firms subject to Part 3 of the 2017 Act on how best to implement their obligations. In particular, the age verification regulator is required to publish guidance about the types of arrangements for making pornographic material available that the regulator will treat as compliant.

As noble Lords will be aware, the British Board of Film Classification is the intended age verification regulator. I reassure noble Lords that in its preparations for taking on the role of age verification regulator, the BBFC has indicated that it will ensure that the guidance it issues promotes the highest data protection standards. As part of this, it has held regular discussions with the Information Commissioner’s Office and it will flag up any potential data protection concerns to that office. It will then be for the Information Commissioner to determine whether action or further investigation is needed, as is her role.

The noble Lord, Lord Clement-Jones, talked about anonymisation and the noble Lord, Lord Stevenson, asked for an update of where we actually were. I remember the discussions on anonymisation, which is an important issue. I do not have the details of exactly where we have got to on that subject—so, if it is okay, I will write to the noble Lord on that.

I can update the noble Lord, Lord Stevenson, to a certain extent. As I just said, the BBFC is in discussion with the Information Commissioner’s Office to ensure that best practice is observed. Age verification controls are already in place in other areas of internet content access; for example, licensed gambling sites are required to have them in place. They are also in place for UK-based video-on-demand services. The BBFC will be able to learn from how these operate, to ensure that effective systems are created—but the age verification regulator will not be endorsing a list of age verification technology providers. Rather, the regulator will be responsible for setting guidance and standards on robust age verification checks.

We continue to work with the BBFC in its engagement with the industry to establish the best technological solutions, which must be compliant with data protection law. We are aware that such solutions exist, focusing rightly on verification rather than identification—which I think was the point made by the noble Lord, Lord Clement-Jones. If I can provide any more detail in the follow-up letter that I send after each day of Committee, I will do so—but that is the general background.

Online age verification is a rapidly growing area and there will be much innovation and development in this field. Industry is rightly putting data privacy and security at the forefront of its design, and this will be underscored by the new requirements under the GDPR. In view of that explanation, I hope that my noble friend will be able to withdraw his amendment.

Lord Lucas

My Lords, I am very grateful for my noble friend’s reply. With his leave, I will digest it overnight and tomorrow. I look forward to the letter that he promised—but if, at the end of that, I still think that there is something worth discussing, I hope that his ever-open door will be open even to that.

Lord Ashton of Hyde

I believe that during our previous day in Committee, I offered to meet my noble friend.

Lord Lucas

I am very grateful and I beg leave to withdraw the amendment.

Amendment 71ZA withdrawn.
--- Later in debate ---
Lord Ashton of Hyde

Automated processing could do that. However, with the appropriate safeguards we have put in the Bill, we do not think that it will.

Amendment 77 seeks to define a significant decision as including a decision that has legal or similar effects for the data subject or a group sharing one of the nine protected characteristics under the Equality Act 2010 to which the data subject belongs.

We agree that all forms of discrimination, including discriminatory profiling via the use of algorithms and automated processing, are fundamentally wrong. However, we note that the Equality Act already provides a safeguard for individuals against being profiled on the basis of a particular protected characteristic they possess. Furthermore, recital 71 of the GDPR states that data controllers must ensure that they use appropriate mathematical or statistical procedures to ensure that factors which result in inaccuracies are minimised, and to prevent discriminatory effects on individuals,

“on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation”.

We therefore do not feel that further provision is needed at this stage.

Amendment 77A, in the name of the noble Lord, Lord Stevenson, seeks to require a data controller who makes a significant decision based on automated processing to provide meaningful information about the logical and legal consequences of the processing. Amendment 119, as I understand it, talks to a similar goal, with the added complication of driving a wedge between the requirements of the GDPR and applied GDPR. Articles 13 and 14 of the GDPR, replicated in the applied GDPR, already require data controllers to provide data subjects with this same information at the point the data is collected, and whenever it is processed for a new purpose. We are not convinced that there is much to be gained from requiring data controllers to repeat such an exercise, other than regulatory burden. In fact, the GDPR requires the information earlier, which allows the data subject to take action earlier.

Similarly, Amendment 77B seeks to ensure that data subjects who are the subject of automated decision-making retain the right to make a complaint to the commissioner and to access judicial remedies. Again, this provision is not required in the Bill, as data subjects retain the right to make a complaint to the commissioner or access judicial remedies for any infringement of data protection law.

Amendment 78 would confer powers on the Secretary of State to review the operational effectiveness of article 22 of the GDPR within three years, and lay a report on the review before Parliament. This amendment is not required because all new primary legislation is subject to post-legislative scrutiny within three to five years of receiving Royal Assent. Any review of the Act will necessarily also cover the GDPR. Not only that, but the Information Commissioner will keep the operation of the Act and the GDPR under review and will no doubt flag up any issues that may arise on this or other areas.

Amendment 153A would place a requirement on the Information Commissioner to investigate, keep under review and publish guidance on several matters relating to the use of automated data in the health and social care sector in respect of the terms on which enterprises gain consent to the disclosure of the personal data of vulnerable adults. I recognise and share noble Lords’ concern. These are areas where there is a particular value in monitoring the application of a new regime and where further clarity may be beneficial. I reassure noble Lords that the Information Commissioner has already contributed significantly to GDPR guidance being developed by the health sector and continues to work closely with the Government to identify appropriate areas requiring further guidance. Adding additional prescriptive requirements in the Bill is unlikely to help them shape that work in a way that maximises its impact.

As we have heard, Amendment 183 would insert a new clause before Clause 171 stating that public bodies who profile a data subject should inform the data subject of their decision. This is unnecessary as Clauses 13 and 48 state that when a data controller has taken a decision based solely on automated processing, they must inform the data subject in writing that they have done so. This includes profiling. Furthermore, Clauses 13 and 48 confer powers on the Secretary of State to make further provisions to provide suitable measures to safeguard a data subject’s rights and freedoms.

I thank noble Lords for raising these important issues, which deserve to be debated. I hope that, as a result of the explanation in response to these amendments, I have been able to persuade them that there are sufficient safeguards in relation to automated decision-making in the GDPR and Parts 2 to 4 of the Bill, and that their amendments are therefore unnecessary. On that basis, I invite noble Lords not to press their amendments.

Lord Lucas

My Lords, I rather hope that the Minister has not been able to persuade noble Lords opposite. Certainly, I have not felt myself persuaded. First, on the point about “solely”, in recruiting these days, when big companies need to reduce a couple of thousand applications to 100, the general practice is that you put everything into an automated process—you do not really know how it works—get a set of scores at the end and decide where the boundary lies according to how much time you have to interview people. Therefore, there is human intervention—of course there is. You are looking at the output and making the decision about who gets interviewed and who does not. That is a human decision, but it is based on the data coming out of the algorithm without understanding the algorithm. It is easy for an algorithm to be racist. I just googled “pictures of Europeans”. You get a page of black faces. Somewhere in the Google algorithm, a bit of compensation is going on. With a big algorithm like that, they have not checked what the result of that search would be, but it comes out that way. It has been equally possible to carry out searches, as at various times in the past, which were similarly off-beam with other groups in society.

When you compile an algorithm to work with applications, you start off, perhaps, by looking at, “Who succeeds in my company now? What are their characteristics?”. Then you go through and you say, “You are not allowed to look at whether the person is a man or a woman, or black or white”, but perhaps you are measuring other things that vary with those characteristics and which you have not noticed, or some combinations. An AI algorithm can be entirely unmappable. It is just a learning algorithm; there is no mental process that a human can track. It just learns from what is there. It says, “Give me a lot of data about your employees and how successful they are and I will find you people like that”.

At the end of the day, you need to be able to test these algorithms. The Minister may remember that I posed that challenge in a previous amendment to a previous Bill. I was told then that a report was coming out from the Royal Society that would look at how we should set about testing algorithms. I have not seen that report, but has the Minister seen it? Does he know when it is coming out or what lines of thinking the Royal Society is developing? We absolutely need something practical so that when I apply for a job and I think I have been hard done by, I have some way to do something about it. Somebody has to be able to test the algorithm. As a private individual, how do you get that done? How do you test a recruitment algorithm? Are you allowed to invent 100 fictitious characters to put through the system, or should the state take an interest in this and audit it?

We have made so much effort in my lifetime and we have got so much better at being equal—of course, we have a fair way to go—doing our best continually to make things better with regard to discrimination. It is therefore important that we do not allow ourselves to go backwards because we do not understand what is going on inside a computer. So absolutely, there has to be significant human involvement for it to be regarded as a human decision. Generally, where there is not, there has to be a way to get a human challenge—a proper human review—not just the response, “We are sure that the system worked right”. There has to be a way round which is not discriminatory, in which something is looked at to see whether it is working and whether it has gone right. We should not allow automation into bits of the system that affect the way we interact with each other in society. Therefore, it is important that we pursue this and I very much hope that noble Lords opposite will give us another chance to look at this area when we come to Report.

Lord Clement-Jones

My Lords, I thank all noble Lords who spoke in the debate. It has been wide-ranging but extremely interesting, as evidenced by the fact that at one point three members of the Artificial Intelligence Select Committee were speaking. That demonstrates that currently we live, eat and breathe artificial intelligence, algorithms and all matters related to them. It is a highly engaged committee. Of course, whatever I put forward from these Benches is not—yet—part of the recommendations of that committee, which, no doubt, will report in due course in March.

--- Later in debate ---
The Earl of Erroll (CB)

My Lords, I support the amendment and its very simple principle. We live in a complex world and this tries to lay rules on a complex system. The trouble is that rules can never work because they will never cover every situation. You have to go back to the basic principles and ethics behind what is being done. If we do not think about that from time to time, eventually the rules will get completely out of kilter with what we are trying to achieve. This is essential.

Lord Lucas

My Lords, clearly the Royal Society has been talking to other people. I hope that someone from there is listening and will be encouraged to talk to me too. I am delighted with this amendment and think it is an excellent idea, paired with Amendment 77A, which gives individuals some purchase and the ability to know what is going on. Here we have an organisation with the ability to do something about it, not by pulling any levers but by raising enough of a storm and finding out what is going on to effect change. Amendments 77A and 78A are a very good answer to the worries we have raised in this area.

It is important that we have the ability to feel comfortable and to trust—to know that what is going on is acceptable to us. We do not want to create divisions, tensions and unhappiness in society because things are going on that we do not know about or understand. As the noble Lord said, the organisations running these algorithms do not share our values—it is hard to see that they have any values at all other than the pleasures of the few who run them. We should not submit to that. We must, in all sorts of ways, stand up to that. There are many ways in which these organisations have an impact on our lives, and we must insist that they do that on our terms. We are waking up quite slowly. To have a body such as this, based on principles and ethics and with a real ability to find out what is going on, would be a great advance. It would give me a lot of comfort about what is happening in this Bill, which otherwise is just handing power to people who have a great deal of power already.

Lord Ashton of Hyde

My Lords, the noble Lord, Lord Stevenson, has raised the important issue of data ethics. I am grateful to everyone who has spoken on this issue tonight and has agreed that it is very important. I assure noble Lords that we agree with that. We had a debate the other day on this issue and I am sure we will have many more in the future. The noble Lord, Lord Puttnam, has been to see me to talk about this, and I tried to convince him then that we were taking it seriously. By the sound of it, I am not sure that I completely succeeded, but we are. We understand the points he makes, although I am possibly not as gloomy about things as he is.

We are fortunate in the UK to have the widely respected Information Commissioner to provide expert advice on data protection issues—I accept that that advice is just on data protection issues—but we recognise the need for further credible and expert advice on the broader issue of the ethical use of data. That is exactly why we committed to setting up an expert advisory data ethics body in the 2017 manifesto, which, I am glad to hear, the noble Lord, Lord Clement-Jones, read carefully.