All 6 Lord Paddick contributions to the Data Protection Act 2018

Read Bill Ministerial Extracts

Tue 10th Oct 2017
Data Protection Bill [HL]
Lords Chamber

2nd reading (Hansard - continued): House of Lords
Wed 15th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 4th sitting (Hansard): House of Lords
Mon 20th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 5th sitting (Hansard): House of Lords
Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard - continued): House of Lords
Wed 10th Jan 2018
Data Protection Bill [HL]
Lords Chamber

Report: 3rd sitting Hansard: House of Lords
Wed 17th Jan 2018
Data Protection Bill [HL]
Lords Chamber

3rd reading (Hansard): House of Lords & Report: 2nd sitting (Hansard): House of Lords

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

Lord Paddick Excerpts
2nd reading (Hansard - continued): House of Lords
Tuesday 10th October 2017

(7 years, 1 month ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, this has been an interesting, and for me at times a rather confusing, debate on the issues associated with the Bill. The Bill is complex, but I understand that it is necessarily complex. For example, under European law it is not allowed to reproduce the GDPR in domestic legislation. The incorporation of the GDPR into British law is happening under the repeal Bill, not under this legislation. Therefore, the elephant and the prints are in the other place rather than here.

We on these Benches welcome the Bill. It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit, together with the permitted derogations from the GDPR available to all EU member states. For that reason it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union.

We also welcome the extension of the effect of the GDPR—the rules and regulations that the GDPR provides—to other areas that are currently covered by the Data Protection Act 1998 but which are outside the scope of the GDPR, thus, as far as I understand it, providing a consistent approach to data protection across the piece. This leaves law enforcement and national security issues outside of the scope of GDPR and the “applied GDPR”, which are covered in Parts 3 and 4.

The enforcement regime, the Information Commissioner, is covered in Part 5, because we will repeal the Data Protection Act 1998 and so we need to restate the role of the Information Commissioner as the person who will enforce, and we will need to explore concerns that we have in each part of the Bill as we go through Committee. However, generally speaking, we welcome the Bill and its provisions.

Of course, what the Government, very sensibly, are trying to do but do not want to admit, is to ensure that the UK complies with EU laws and regulations—in this case in relation to data protection—so that it can continue to exchange data with the EU both before and after Brexit. All this government hype about no longer being subject to EU law after Brexit is merely the difference between having to be subject to EU law because we are a member of the EU and having to be subject to EU law because, if we do not, we will not be able to trade freely with the EU or exchange crime prevention and detection intelligence, and counterterrorism intelligence, with the EU. That is the only difference.

For most aspects of data exchange, compliance with the GDPR is required. The GDPR is directly applicable, so it cannot simply be transposed into this Bill. Coupled with the derogations and applying the GDPR to other aspects of data processing not covered by the GDPR makes this part of the Bill complex—and, as I suggest, probably necessarily so.

For law enforcement purposes, data exchange is covered by an EU law enforcement directive, which can be, and has been, transposed to form Part 3 of the Bill as far as I understand it. A data protection regime for the processing of personal data by the intelligence services—in the case of the UK, MI5, MI6 and GCHQ —is covered by Council of Europe Convention 108. Part 4 of the Bill is based on a modernised draft of Convention 108, which has yet to be formally agreed, but this puts the UK in effect slightly ahead of the curve on that aspect of regulation.

Clearly, we need to probe and test the derogations allowed under the GDPR that are proposed in the Bill, particularly when hearing about the potential consequences, as outlined by, for example, the noble Viscount, Lord Colville of Culross. We also need to examine whether applying GDPR rules and regulations to other areas of data processing provides equivalent or enhanced safeguards compared with those provided by the Data Protection Act, and we need to ensure that the safeguards provided by the law enforcement directive and Council of Europe Convention 108 are provided by the Bill.

As regards our specific concerns, as my noble friend Lord McNally mentioned in his opening remarks and as reinforced by my noble friend Lady Ludford, if the Bill results in a refusal to allow not-for-profit bodies to exercise Articles 77 to 79 to pursue data protection infringements on their own accord, we will have to challenge that, but perhaps the Minister can clarify whether that is the case.

As my noble friend Lady Ludford also mentioned, along with the noble Baroness, Lady Jay of Paddington, various provisions to allow Ministers to alter the application of the GDPR by regulation is something that we need much further scrutiny of, albeit that Ministers’ hands are likely to be tied by the requirement to comply with changing EU law after Brexit—de facto even if not de jure. Could it be—perhaps the Minister can help us here—that the purpose of these powers, put into secondary legislation, is to enable the UK to keep pace with changes in EU law after Brexit?

Although we welcome the ability of individuals to challenge important wholly automated decisions, requiring human intervention at the request of the data subject, research shows that the application of algorithms and artificial intelligence, even in machine learning of language, can result in unfair discrimination. Even when human decision-making is informed by automated processes, safeguards still need to be in place to ensure fairness, such as transparency around what the automated processes involve. While decisions around personal finance, such as credit scoring and the assessment of insurance risk, are important, in the United States the application of algorithms in the criminal justice arena has resulted in unfair discrimination that has even more serious consequences for individuals. Even if such automated processes are yet to apply to the UK criminal justice system, the Bill must safeguard against future developments that may have unintended negative consequences.

As other noble Lords have said, we have concerns about the creation of a criminal offence of re-identification of individuals. As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising re-identification could allow businesses to relax the methods that they use to try to anonymise data on the basis that people will not try to re-identify individuals because it is a criminal offence.

Despite what is contained in this Bill, we have serious concerns that there are likely to be delays to being granted data adequacy status by the European Commission when we leave the EU. That means that there would not be a seamless continuation of data exchange with the EU 27 after Brexit. We also have serious concerns, as does the Information Commissioner, that there are likely to be objections to being granted data adequacy status because of the bulk collection of data allowed for under the Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said in his opening remarks. We also intend to revisit the issue of the requirement under international human rights law, and upheld by the European Court of Human Rights in 2007, that as soon as notification can be made without prejudicing the purpose of surveillance after its termination, information should be provided to the persons concerned.

As the noble Baroness, Lady Lane-Fox, mentioned, it is essential that the Information Commissioner is provided with adequate resources. My understanding is that there has been a considerable loss of staff in recent times, not least because commercial organisations want to recruit knowledgeable staff to help them with the implementation of GDPR, plus the 1% cap on public sector pay has diminished the number of people working for the Information Commissioner. It is absolutely essential that she has the resources she needs, bearing in mind the additional responsibilities that will be placed upon her.

The age of consent will clearly be an interesting topic for discussion. What we are talking about here is at what age young people should be allowed to sign up to Facebook or other social media. Most of us would acknowledge that children have a greater knowledge and are more computer literate than their parents and grandparents. As one of the surveys mentioned this evening showed, it would be very easy for young people to circumvent rules around the age of consent as set in legislation. For example, any teenager would know how to make the internet believe that they were in the United States when they were physically in the United Kingdom, and therefore they would have to comply only with any age of consent set in America. While I understand the burning desire for people to protect children and ensure that they are not exploited through social media, one has to live in the real world and look for solutions that are actually going to work: for example, educating young people on how to avoid being groomed online and the dangers of social media, and informing parents about how they can keep an eye on their children’s activities, rather than trying to set an unrealistic target for the age at which someone could sign up.

Finally, the noble Lord, Lord Mitchell, talked about the data privately stored on iPhones, which was informative. Last week, I was rather shocked when, in California, I went to a gym that was rather busy. I looked on Google Maps, which very helpfully informed me when the busiest times were in that particular gym on that particular day. I found that very useful, but I found it very frightening that it also told me that I had been at that gym three hours before.

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

Lord Paddick Excerpts
Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom (Con)
- Hansard - - - Excerpts

My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,

“amend, repeal or revoke the GDPR”.

I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.

I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.

I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.

Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, I will briefly comment on Amendment 108B. Taking up the position of the noble Lord, Lord Arbuthnot of Edrom, is it not the case that if we leave the European Union, the GDPR will then become, by means of the repeal Bill, part of UK law and therefore could be changed, which is why the amendment makes sense?

However, while I agree with the argument of the noble Lord, Lord Stevenson of Balmacara, that if parts of the GDPR were amended, repealed or revoked after we have left the EU, this may affect the adequacy decision of the European Union. Presumably, if the European Union makes changes to the GDPR it would be advantageous for the Government to be able to respond quickly by means of secondary legislation to those changes to ensure that we can continue to have adequacy—that is, when the change is on the EU side rather than on the UK side. Perhaps the Minister will clarify that.

Data Protection Bill [HL]

Lord Paddick Excerpts
Committee: 5th sitting (Hansard): House of Lords
Monday 20th November 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Moved by
153: After Clause 114, insert the following new Clause—
“Function of the Commissioner to maintain a register of data controllers
(1) The Commissioner must maintain a register of all data controllers.(2) Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under subsection (1).(3) Subsections (1) and (2) do not apply in relation to any processing whose sole purpose is the maintenance of a public register.”
Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.

We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.

This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.

The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.

The Minister may wish to pray in aid article 57(3) of the GDPR, which states:

“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.


We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.

Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.

The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.

So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.

Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.

--- Later in debate ---
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.

Lord Paddick Portrait Lord Paddick
- Hansard - -

My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.

The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.

On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.

Amendment 153 withdrawn.
--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.

On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.

On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.

Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.

The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.

Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.

I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.

Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.

I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.

Lord Paddick Portrait Lord Paddick
- Hansard - -

My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.

Data Protection Bill [HL]

Lord Paddick Excerpts
Report: 2nd sitting (Hansard - continued): House of Lords
Wednesday 13th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, I did not intend to speak on these amendments, although we support them from these Benches, but I have to take issue with what the noble Lord, Lord Pannick, said—I think, quoting the noble Lord, Lord Black, from the previous debate—about how we do not need any of this stuff because people can sue the newspapers and achieve redress through those means.

When I was a commander in the Metropolitan Police Service, I was subjected to a kiss and tell story on the front page and eight inside pages of a tabloid newspaper. The story was a mixture of lies and intimate details of my private life and my relationship with somebody I loved and lived with for three and a half years. We broke up in acrimonious circumstances and subsequently he was paid £100,000 by the tabloid newspaper to tell these lies and intimate details of my private life. Thankfully, a group of solicitors and barristers agreed to a conditional fee agreement to pursue the newspaper. However, half way through the preliminaries leading up to the court case, it became apparent that I was unable to secure insurance against losing. Therefore, I was faced with a situation where if I pulled out of the action I would have to pay both sides’ costs—the newspaper’s costs and my own side’s costs because the conditional fee agreement would happen only if the case went to court and I lost—and could have lost my home.

The point is that there are many ordinary people, less high-profile than even I was at that time, who cannot get conditional fee agreements. They do not have the means to sue newspapers. Certainly, I would not recommend anybody going through the stress that I was put through by that newspaper and its lawyers, who tried every trick in the book to try to get us to fold before the court case happened. As it happens, two weeks before the case was due to be heard, they agreed to settle, although they claimed that it was not on the grounds of a breach of privacy but because everything that had been printed in the newspaper was untrue.

For noble Lords to say that there are sufficient safeguards at the moment for ordinary people to take the newspapers to court is, in my respectful submission, completely untrue.

Lord Pannick Portrait Lord Pannick
- Hansard - - - Excerpts

I am very sorry to hear about the noble Lord’s personal experience and of course I accept everything he says. But will he accept that hundreds of people have brought legal proceedings against national newspaper groups for their wrongful, unlawful action in accessing personal data—for example, by listening to their mobile telephone calls—and publishing articles in consequence of that, and they have recovered very substantial damages, and rightly so, against those newspapers?

Lord Paddick Portrait Lord Paddick
- Hansard - -

I completely accept what the noble Lord says but there are many hundreds, if not thousands, of other ordinary people who have not been able to claim redress for the wrongs that have been meted out to them by the press.

Lord Berkeley of Knighton Portrait Lord Berkeley of Knighton
- Hansard - - - Excerpts

This is not simply about money; it is what it does to your reputation. That is much more important than money.

Lord Paddick Portrait Lord Paddick
- Hansard - -

I am grateful for the noble Lord’s intervention. Obviously, despite the fact that we won the court case in the end and that there was a small apology in the said newspaper—I think it was on page 6—I was not able to recover the serious damage done to my reputation. I am grateful to be standing here in the House today to address noble Lords on this issue, but there are many people whose reputations have not recovered.

Lord Blencathra Portrait Lord Blencathra
- Hansard - - - Excerpts

Perhaps I may give the noble Lord some information which he may not have been aware of, as he may have left the Met by then. The reason that maybe up to 100 people were able to sue on the hacking was because their names appeared in the Mulcaire diaries, and the Met team kindly went and told every single person who had possibly been hacked, “They’re after you. You’re in Mulcaire’s diaries and you may care to contact some lawyers. Here are some lawyers who are doing a group action. If you join that, there is no great risk to yourself—you will be in there with a lot of others. The lawyers will be there on a no-win no-fee basis and you’re perfectly safe to do it”. That is why most of those people were able to go together in a joint action, but the thousands of individuals do not have a hope.

Data Protection Bill [HL]

Lord Paddick Excerpts
Report: 3rd sitting Hansard: House of Lords
Wednesday 10th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Tabled by
118A: After Clause 125, in subsection (4), after “if” insert “and for so long as”
Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, we are very grateful to the Government for introducing Amendment 118. We still believe that they could and should have gone further. Taking the example of the Investigatory Powers Act 2016—the fact that Ministers are unable to authorise interception without oversight by an independent judicial commissioner of that decision—we wonder why that sort of oversight could not be applied to these certificates as well. Clearly, we are grateful to the Government for going as far as they have done. We are just disappointed that they did not go as far as we wanted.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, my noble friend Lord Kennedy is not available at the moment. He is occupied with a personal matter and has asked me to say that he supports the words of the Minister. She has listened to concerns. It is very welcome that she has done so and we agree with the amendment.

--- Later in debate ---
Baroness Kennedy of Shaws Portrait Baroness Kennedy of The Shaws (Lab)
- Hansard - - - Excerpts

My Lords, it is such a relief to hear the noble Lord, Lord Pannick, admit to the House, as he did at the beginning of his speech, that he sometimes loses a case. In fact, even as a meagre lawyer, I enjoyed success over him on an occasion in the European Court of Justice. However, it is disingenuous of the noble Lord to say that we should wait to hear whether the Government intend to do anything about Leveson part 2. We know that that is not the intention of government. The dragging of feet on all this has made it very clear that the Government do not want to fall out with their friends in the press or to lose the editorial support they get from sections of the press. We should be very clear that it is not likely to happen with the current Government.

I have great sympathy for the noble Baroness, Lady Hollins, and what she is saying, because I share the concern that not all these lessons have been learned. There are ways in which we already see reluctance by those who are now seen as having authority to hold the press to account to take action. Therefore, I do not share the concern that this amendment is unlawful. I do not believe that premise is true and I think that it will be tested in the courts. The noble Lord, Lord Pannick, who often represents the press, may end up representing newspapers as opposed to individuals who have suffered transgressions. I support the amendment of the noble Baroness, Lady Hollins, as I have seen too much of this bad behaviour going on.

Unlike the noble Lord, Lord Pannick, I am a criminal lawyer and I have seen the ways in which the police have leaked information. I am afraid that I have also seen bad behaviour on the part of police officers in divulging information to the press. Concerns have often been raised that there may be what used to be called “a drink in it” for subverting the proper processes by which high standards are maintained. Therefore, I do not share the confidence of the noble Lord, Lord Pannick, that everything will be fine as the measure runs through. I still feel that the press has lessons to learn. I hope that we listened to what the noble Baroness, Lady Hollins, had to say.

Lord Paddick Portrait Lord Paddick
- Hansard - -

My Lords, I declare an interest. When I was a commander in the Metropolitan Police service, my personal details—this was in breach of data protection—were secured by Mulcaire, the private detective employed by a newspaper. This was discovered by the Metropolitan Police in 2002, but I was not told about it until 2010, when the Guardian alerted my lawyers to the fact that this had taken place. However, in the course of what subsequently transpired, I was shown an internal memorandum of the Metropolitan Police service, which showed that in 2002 it was aware that my phone and that of the then Deputy Prime Minister had been hacked into, and it never informed me of that. Therefore, noble Lords will understand that I should declare that personal interest.

However, I want to tell the following story to the House. I went with the family of Milly Dowler to see the then Prime Minister, the then Deputy Prime Minister and the then Leader of the Opposition to talk about the family’s experience. Noble Lords will recall that Milly Dowler went missing, was kidnapped and murdered, and that her family kept trying to call her mobile telephone. However, the phone relayed the message that the voicemail box for that number was full. Therefore, the family was losing hope that she might still be alive. Then they tried to phone again and found that some of the messages had been listened to. That gave them hope that she might still be alive. However, it transpired that there was room in that mailbox because journalists had hacked into her voicemail and had listened to some of the messages.

On the evening before the first of those meetings with the then Deputy Prime Minister, Nick Clegg, Milly Dowler’s father was telephoned by Surrey Police to tell him and the family that Surrey Police knew in 2002 that journalists had hacked into Milly Dowler’s voicemail, thereby allowing further messages to be left, as the journalists involved had called the police incident room to tell them that they had illegally hacked into the voicemail. However, it was not until nine years later and the imminent meeting with the then Prime Minister, the then Deputy Prime Minister and the then Leader of the Opposition, that the police felt obliged to tell the Dowler family that they knew from the outset that her phone had been hacked into. They did not offer any explanation for not having taken any action in relation to that illegal hacking into that phone.

These are the sorts of issues involved. This is not just about the conduct of the media. The aim of part 2 of Leveson is to examine the relationship between the police and the media and between politicians and the media, not simply the conduct of the media themselves. That is why we need part 2 of Leveson, and that is why I support Amendment 127A.

Viscount Hailsham Portrait Viscount Hailsham
- Hansard - - - Excerpts

My Lords, I will speak briefly, both to the proposed new clause in the amendment moved by the noble Baroness and the proposed new clause moved by my noble friend.

I am against the suggestion that we should have an inquiry. I share the view of the noble Lord, Lord Pannick, that we know enough already. The facts have been canvassed time and time again, in inquiry, in criminal cases and in civil cases, and the time has now come for policy. We do not need new facts—we need a policy decision, and that is essentially a matter for government and Parliament. If we call for a further inquiry, the policy decisions will be postponed. A further point is that, if the proposed new clause is carried, the pressure will be on a judge-led inquiry. In the generality, I am against judge-led inquiries when they address matters of major general policy. Judges are good at identifying facts and deficiencies in existing legislation, but they are not well placed to address general policy issues.

Data Protection Bill [HL]

Lord Paddick Excerpts
3rd reading (Hansard): House of Lords & Report: 2nd sitting (Hansard): House of Lords
Wednesday 17th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 77-I Marshalled list for Third Reading (PDF, 71KB) - (16 Jan 2018)
Lord Swinfen Portrait Lord Swinfen (Con)
- Hansard - - - Excerpts

My Lords, can the Minister tell the House at what age the United Nations considers that a child ceases to be a child?

Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, Clause 124(4)(b) refers to the United Nations Convention on the Rights of the Child, which defines a child as a person under the age of 18, so we can assume that that is the working principle. Clause 124, introduced at a previous stage by an amendment from the noble Baroness, Lady Kidron, talks about age-appropriate design, and so presumably that means appropriate at different ages—for example, safeguards for those aged 12 will be different from those for people aged 16 and 18. Bearing in mind the United Nations convention definition, will the Minister confirm that that is the working principle for this Bill?

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, I do not wish to detain the House. I thank the noble Baroness for raising the point; clarity is always important, as we have learned, and she is right to put her finger on it. However, the point made by the noble Lord, Lord Paddick, is correct.

We run the risk in this Bill of pouring fuel on an already raging fire: the more we try to focus on children as a group, the more we demonise and make difficult the Bill’s attempts—through an amendment we all supported on Report—to raise our sights and find a way of expressing how all people are dealt with in terms of internet access, with particular reference to those with developmental or other support needs to whom the word “child” could well be applied. But that does not mean that we want the more generic approach to fail because it did not mention vulnerable adults, the elderly who may be struggling with internet issues, those with special needs or others. These groups all need to be considered in the right way, and I am sure that, in time, “age appropriate” may not be the most appropriate way of dealing with it. It does get us to a particular point, however. It was a historic decision that we took on Report to do it this way, but we need to have an eye on the much wider case for a better understanding of under what conditions and with what impact those of us who wish to use the internet can do so safely and securely.