(8 months, 4 weeks ago)
Grand CommitteeMy Lords, in moving Amendment 24, I will speak also to Amendment 26. I welcome the amendments in the name of the noble Lord, Lord Clement-Jones.
Together, these amendments go to the heart of questioning why the Government have found it necessary to change the grounds for the refusal of a subject access request from “manifestly unfounded” to “vexatious or excessive”. At the moment, Article 15 of the UK GDPR gives data subjects a right of access to find out what personal information an organisation hold on them, how it is using it and whether it is sharing it. This right of access is key to transparency and often underpins people’s ability to exercise other data rights and human rights; for example, it impacts on an individual’s right to privacy in Article 8 of the ECHR and their right to non-discrimination in Article 40 of the same.
The Equality and Human Rights Commission has raised specific concerns about these proposals, arguing that subject access requests
“are a vital mechanism for data subjects to exercise their fundamental rights to privacy and freedom from discrimination”.
It argues that these rights will be even more vital as AI systems are rolled out, using personal information
“in ways that may be less than transparent to data subjects”.
So we must be suspicious as to why these changes are being made and whether they are likely to reduce the legitimate opportunities for data subjects to access their personal information.
This comes back to the mantra of the noble Lord, Lord Clement-Jones, regarding a number of the clauses we have dealt with and, I am sure, ones we have yet to deal with: why are these changes necessary? That is the question we pose as well. Is it simply to give greater clarity, as the Minister in the Commons claimed; or is it to lighten the burden on business—the so-called Brexit dividend—which would result in fewer applications being processed by data controllers? Perhaps the Minister could clarify whether data subject rights will be weakened by these changes.
In the Commons, the Minister, John Whittingdale, also argued that some data search requests are dispro-portionate when the information is of low importance or low relevance to the data subject. However, who has the right to make that decision? How is a data controller in a position to judge how important the information is to an individual? Can the Minister clarify whether the data controller would have the right to ask the data subject their reasons for requesting the information? This is not permitted under the current regime.
A number of stakeholders have argued that the new wording is too subjective and is open to abuse by data controllers who find responding to such requests, by their very nature, vexatious or excessive. For a busy data operator, any extra work could be seen as excessive. Although the Information Commissioner has said that he is clear how these words should be applied, he has also said that they are open to numerous interpretations. Therefore, there is a rather urgent need for the Information Commissioner to provide clear statutory guidance on the application of the terms, so that only truly disruptive requests can be rejected. Perhaps the Minister can clarify whether this is the intention.
In the meantime, our Amendment 24 aims to remove the easy get-out clause for refusing a request by making it clear that the resources available to the controller should not, by itself, be a reason for rejecting an application for information. There is an inevitable cost involved in processing requests, and we need to ensure that it does not become the standard excuse for denying data subjects their rights. Our Amendment 26 would require the data controller to produce evidence of why a request is considered vexatious or excessive if it is being denied. It should not be possible to assert this as a reason without providing the data subject with a clear and justifiable explanation. Amendment 25, from the noble Lord, Lord Clement-Jones, has a similar intent.
We remain concerned about the changes and the impact they will have on established data and human rights. As a number of stakeholders have argued, access to personal data and its uses underpins so many other rights that can be enforced by law. We should not give these rights away easily or without proper justification. I look forward to hearing what the Minister has to say, but without further clarification in the Bill, I doubt whether our concerns will be assuaged. I beg to move.
My Lords, I will say a little bit about my intention to delete this clause altogether. Clause 9 significantly changes the data and privacy landscape, and for the worse. The Constitution Committee’s report on the Bill, published on 25 January, noted:
“Clause 9 amends Article 12 of the UK GDPR to broaden the basis for refusal”—
not for enhancing, but for refusal—
“of a data access request by providing more leeway to ‘data controllers’”.
In the world we live in, there is a huge imbalance of power between corporations, governments, public bodies and individuals. People must have a right to know what information is held about them, and how and when it is used. It is vital in order to check abuses and hold powerful elites to account.
The request for information can, at the moment, be wholly or partly denied, depending on the circumstances. It can be refused if it is considered to be manifestly unfounded or manifestly excessive. These phrases, “manifestly unfounded” and “manifestly excessive”, are fairly well understood. There is already a lot of case law on that. Clause 9, however, lowers the threshold for refusing information from “manifestly unfounded or excessive” to “vexatious or excessive”.