Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Lucas
Main Page: Lord Lucas (Conservative - Excepted Hereditary)Department Debates - View all Lord Lucas's debates with the Department for Digital, Culture, Media & Sport
Wednesday 22nd November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Lucas (Con)
My Lords, I entirely support my noble friend’s amendment. We have got ourselves into a complete mess in this country on insurance, and motor insurance is a pretty good example. Premiums in this country are about double what they should be. They are the highest in Europe, above even Italy, because of a level of fraud that we encourage by our legislation and by the lack of action from successive Governments to do anything about it. We can see the size of the problem that this clause will generate, if unamended, by what has happened in motor insurance. It leaves an open door to an enormous number of claims management companies, of which 500 or so were seriously active the last time I looked. It is a really big, profitable industry, and it will push into a hole like this with no difficulty at all.
We took a bit of action a while ago on whiplash injuries. Fine, whiplash injuries are down, but rocketing upwards now is, “Oh, I had this crash and now I get a buzzing in my ears”. It is wonderful—a disease which has suddenly appeared from nowhere because the claims management companies need an opportunity to push in here. We must realise what is happening. I hope we will get around to dealing with the general problem at some stage, but to open another door to these people is just foolish.
Lord Griffiths of Burry Port (Lab)
My Lords, I thank the noble Lord for his eloquent disquisition, which made me much more aware of the issues than I was before. I have no problem in aligning myself with the two points of view that have just been expressed. I had come to the conclusion partly myself, but to be told that the wording is not in the equivalent article in the European GDPR just adds to my simple conclusion that the words “other adverse effects” add precisely nothing but open a potential cave of dark possibilities. The rain of the noble Lord’s eloquence has found a crack in my roof, and I am very happy to align myself with his remarks.
Baroness Neville-Rolfe
I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.
The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.
The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.
I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.
I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.
Lord Lucas (Con)
I very much support what my noble friend has just said. The noble Lord, Lord Stevenson, has tried to give an exemption for researchers, but a lot of these things will happen in the course of other research. You are not spending your time solely trying to break some system; you are trying to understand what you can get from it, and suddenly you see someone you know, or you can see a single person there. It is something that you can discover as a result of using the data; you can get to the point where you understand that this is a single person, and you could find out more about them if you wanted to. If it is a criminal offence, of course, you will then tell nobody, which rather defeats the point. You ought to be going back to the data controller and saying that it is not quite right.
There are enormous uses in learning how to make a city work better by following people around with mobile phone data, for instance, but how do you anonymise it? Given greater computational power and more datasets becoming available, what can you show and use which does not have the danger of identifying people? This is ongoing technology—there will be new ways of breaking it and of maintaining privacy, and we have to have that as an active area of research and conversation. To my mind, this clause as it presently is just gets in the way.
Baroness Kidron (CB)
I, too, support the amendment. One thing that we can all agree on is that data regulations is a complex and highly technical area of the law. As the Bill stands, it asks members of the public to become experts on the subject, which actually creates a significant barrier to its successful implementation. My particular and declared interest in the Bill is the rights of children. It is a pervasive myth in the digital environment that all users are equal. That is a category error, because if all users are equal, children are treated in the digital environment as adults and their long-established rights and privileges do not then apply. So it is on behalf of that demographic that I want to say specifically that this amendment is very important.
Without the amendment, a child would be expected to take on the very adult responsibility of being a named complainant in a regulatory or judicial complaint for a breach of data law. In the case of a child, such a complaint is very likely to be made against a multimillion or indeed multibillion dollar corporation. That cannot be, in anybody’s mind, a fair fight. While the noble Lord’s amendment and indeed the GDPR are designed to benefit all users, I point out that the amendment usefully aligns with the recommendation made by the Children’s Commissioner and the House of Lords Communications Committee that children urgently need champions in the digital environment.
We have seen special provision being made in the Bill for libraries, archivists, the insurance industry, security and intelligence, and possibly even for journalists this evening. Given that, I am waiting for the Government to concede that, like all these other special needs groups, children are data subjects with specific needs. One of those needs is to have an informed advocate if they have a complaint. So, although I do not think that the amendment would adequately fulfil that role, because I would like to see something more formal, it would at least go some way to providing support for children should they have a complaint.
Lord Lucas
My Lords, without these amendments, I do not see how the Bill can provide an adequate remedy when a large number of people suffer a small degree of damage.