Read Bill Ministerial Extracts
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords ChamberMy Lords, I thank the Minister for his comprehensive introduction to the Bill. I look forward to working with him, in what seems to be a never-ending stream of legislation from the previously rather quiescent DCMS. This is our sixth Bill together, and long may it continue.
The Minister mentioned his talented team joining him on the Front Bench—this is a joint venture between the DCMS and the Home Office. On my side, I am joined by my noble friend Lord Kennedy and supported by my noble friends Lord Griffiths and Lord Grantchester.
I congratulate the Bill team on the excellence of the paperwork that we have received—I am sure everybody has read it, word for word, all the way through; it is worth it. They are obviously ahead early in the “Bill team of the year” stakes, a prize which they won easily last time on the Digital Economy Bill, and they are building on that.
We also welcome the chance to debate the excellent House Of Lords EU Committee report, not least because of the substantial weight of evidence that it has brought to this debate, which I will refer to later.
This is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may—who knows?—change it substantially. Even without that, it has 300 paragraphs and 18 schedules, one of which helpfully signposts the way that the Government intend to make changes to the Bill so that the GDPR becomes domestic law when we leave the EU, even though the amendments to make that happen will actually be made by secondary legislation. This is “Hamlet” without the prince.
The GDPR itself, which runs to 98 paragraphs—or articles, as it calls them—and which will be the new data-processing law that comes into force in May 2018 whether or not we in Parliament have agreed it, is not actually printed in the Bill. That therefore raises the concern that—post Brexit, courtesy of another, separate Bill, probably by secondary legislation—the regulations will become UK law without ever having been scrutinised by either House of Parliament. I wonder if other noble Lords share my feeling that this is a bad precedent and, if so, what we might do about it. I suspect that this decision might have made sense were we to stay in the EU but we are going to leave, so there is a gap in our procedures here. That is compounded by the fact that this is a Lords starter Bill that comes to us without the benefit of consideration in the other place, and particularly without the usual evidence-taking sessions that ensure that a Bill meets the needs of those affected by it.
I have a suggestion: given the expertise displayed in the EU Committee report HL Paper 7 that we are debating in parallel today, could the authorities arrange for that committee to look carefully at the Bill and at the GDPR in its printed form and arrange for that committee to bring forward either a report or simply a testimony about what the GDPR contains, how it is reflected in the Bill and how it works? It would help the House to do the job that we ought to be doing of scrutinising this legislation. I gather that the committee is due to meet shortly and perhaps the noble Lord, Lord Jay, who speaks in a few minutes, might respond if he can. I am sorry for embarrassing him if he is not prepared for that.
The Government claim that the Bill,
“will bring our data protection laws up to date”,
and,
“ensure that we can remain assured that our data is safe as we move into a future digital world”.
We will probe that rather florid assertion in Committee over the next few weeks, paying particular reference to the needs of business to have certainty about the rules that will be applied in this key sector of our economy in the medium and long term and the need for consumers, particularly vulnerable people and children, to be better supported and protected in this brave new digital world. What we are embarking on here is the precursor to the legislative nightmare that will accompany all our Brexit discussions. As we will hear from the noble Lord, Lord Jay, and others from the EU Committee who considered this, the key issues are what will happen if we leave the Common Market and the customs union, and whether there are any ways in which the Government can secure unhindered and uninterrupted flows of data between the UK and EU post Brexit. The report concludes that,
“any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage”.
In his opening remarks, the Minister said all the right things about the Government’s commitment to unhindered and uninterrupted flows of data post Brexit, but the Bill comprehensively fails to set out how they plan to deliver that outcome. Worse, it may contain measures in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement, which is the only card that they have left to play post Brexit. You could not make it up.
Some 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with EU member states. Even if the Bill successfully aligns UK law with the EU data protection framework as at 25 May 2018, that does not mean that the Bill makes proper provision for the future. On the UK’s exit from the EU, the UK will need to satisfy the European Commission that our legislative framework ensures an “adequate level of protection”, but achieving a positive adequacy decision for the UK is not as uncontentious as the Government think. Under article 45, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security and criminal law when it makes its decision. As has already been pointed out by several commentators, the current surveillance practices of the UK intelligence services may jeopardise a positive adequacy decision, as the UK’s data protection rules do not offer an equivalent standard of protection to that available in the rest of the EU. We will need to pursue this disjuncture in Committee.
The Government seem to have lost sight of the need to ensure continuity during the transition period and afterwards. Surely they must have measures in place to reassure businesses that they will pass the adequacy test and ensure “stability and certainty”, particularly for SMEs, as pointed out by the European Union Committee. If there was any doubt about the importance of this, I draw the attention of your Lordships to a briefing from the ABI which states that the ability to transfer data between firms in different jurisdictions is of particular importance to our insurance and long-term saving providers, who rely on data to provide their customers with the best products at the best price. The association goes on to say that:
“Losing the ability to access, and make use of, European and international data flows risks isolating the UK from the increasingly globalised market. Creating a system where UK insurers have to abide by dual or multiple regulatory systems in order to transfer data internationally will create inefficiencies, legal uncertainty, and risks damaging the global competitiveness of UK insurance”.
My second point was also raised by the European Union Committee. It is about how to establish sustainable longer-term arrangements, about which the Bill is remarkably silent. Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, once we leave the EU, policies will be developed within the EU 27 without our input. The EU will inevitably amend or update its rules either by new regulations or by case law derived from ECJ/EU decisions. This is of course a toxic issue for Brexiteers, but it needs to be addressed in the Bill and, no doubt, in many other areas. Perhaps a way forward here would be for the Information Commissioner to have a duty placed on her to make regulations which reflect the changes taking place in the EU, or the Bill could provide for some form of lock-step arrangement under which statutory instruments would be triggered when UK laws need to be amended. We will look at this again in Committee.
I turn now to data protection. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or the private sector, is important for everyone. If we cannot get this right in the Bill, people will not benefit to the fullest extent possible from the new data-handling services which are coming on stream now and in the future. We welcome the Government’s decision—a rather surprising one—to gold-plate some of the requirements of the legal enforcement directive, particularly the fact that the Bill will ensure that for the first time the data protection regime applies to the intelligence services. Indeed, as the Information Commissioner has observed, including these provisions in a single piece of primary legislation is welcome, although there is a need for much more detail about how this will work in practice.
My point on this is that there seems to be an imbalance in the Bill, with much more consideration being given to the rights of data subjects. At a time of increasing concern about the use and misuse of personal data, is there not a need for a broader and far more ambitious set of regulatory structures for data capitalism, as it is now called? The big tech companies have for far too long got away with the conceit that they are simply neutral platforms. They are not; they are active media and information companies, and their stock market valuations are based on the data flows they generate and how they can be monetised. With that role surely should come broader societal responsibilities, but the Bill does not go into this area at all. There is nothing about regulating fake news, no attempt has been made to ensure that data companies are covered by competition and other regimes which apply to media companies, and there are no proposals to deal with the allegations being made about undue influence by social media companies and others on politics and elections both here and in the US. We will certainly table amendments in this area.
On more concrete issues about the rights of data subjects, we have a number of issues to pursue, although today I shall concentrate on only three: children and the “age of consent”, the rights of data subjects in relation to third-party use of their data, and the proper representation of data subjects. I shall end with some thoughts on the Leveson report and its implications for this Bill.
The Bill proposes to set the age at which children can consent to the processing of their data through “information society services” which include websites and social media platforms at 13 years. That is a surprising decision and no credible evidence has been adduced to support it. Understandably, there is much concern about this low age limit, particularly as the general data protection regulation gives discretion in a range up to 16 years of age. Last month, the Children’s Commissioner for England said:
“The social media giants have … not done enough to make children aware of what they are signing up to when they install an app or open an account”.
These are often the first contracts a child signs in their life, yet,
“terms and conditions are impenetrable, even to most adults”.
I think we can all say “Hear, hear” to that. The commissioner also said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online”.
Setting an age limit of 13, or even 16, would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory. Perhaps the Government could respond on that point.
The Children’s Society argues that if companies continue to rely on their current practices—whereby they allow only over-13s to have an account but have no age verification process to check that children who are consenting are the age they state themselves to be—then there will continue to be widespread breaches of both the companies’ own rules and this new Data Protection Act. In the Bill, it is unclear how breaches will be handled by the Information Commissioner and what penalties will be put in place for those companies failing to verify age properly.
There is also no consideration in the Bill about capacity, rather than simply age, or protection for vulnerable children. Although there are arguments for setting the age limit higher—or indeed lower—there is surely a need both for proper evidence to be gathered and for a minimum requirement for companies to have robust age verification systems and other safeguards in place before any such legislation is passed. We will pursue that. There is also the question of the overlap this derogation has with the right to be forgotten, which the Minister mentioned. That right kicks in only at age 18; we need to probe why that is the case and how that will work in practice.
During Committee, we want to check that the current rules affecting data subjects’ personal data are unchanged by the new laws. Taking the data of workers and prospective workers as an example, there are concerns about where personal data has been collected: it should be gathered, used and shared by employers only following affirmative, meaningful consent. The recent disgraceful cases of blacklisting come to mind in that respect, and we are also concerned about whistleblowers’ rights. The House has been very strong on that point.
Concern about the increasing use of algorithms and automatic data processing needs to be addressed, perhaps requiring recording, testing and some level of disclosure about the use of algorithms and data analysis, particularly when algorithms might affect employment or are used in a public policy context. Related to that is the question of the restriction on data subjects’ rights in relation to processing data contained in documents relating to criminal investigations. Here, we agree with the Information Commissioner that the provision, as drafted, restricts not just access rights but the right to rectification, the right to erasure and the restriction of processing. We welcome greater clarification on the policy intent behind this as we go into Committee.
We welcome the Government’s proposal for an offence of knowingly or recklessly re-identifying de-identified personal data without the data controller’s consent. The rapid evolution of technology and growth in the digital economy has led to a vast increase in the availability and value of data. There is a clear need for robust safeguards against misuse in this area.
On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.
The wider question here is perhaps whether data subjects in general, particularly vulnerable ones, have sufficient support in relation to the power of media companies that want to access and use their data. Does any of us know what really happens to our data? The Information Commissioner’s Office already has a huge area of work to cover and may struggle to cover all its new responsibilities. Having a better system for dealing with complaints submitted by civil society bodies may be a good first step, but I wonder whether we might think harder about how this will be organised—perhaps modelled on the Caldicott data guardians.
Finally, there has been a lot of debate since the publication of the Leveson report on the cultural practices and ethics of the press, particularly on the role of a future regulatory framework. There has been far less discussion on Lord Leveson’s recommendations to extend data protection regulation. I reassure the Government that we do not see this Bill as an opportunity to rerun many of the excellent debates or table amendments that we have already considered in your Lordships’ House in recent years. Of course, much remains to be done in this field, and the Government’s lack of action is a national disgrace and a flagrant betrayal of the victims who trusted them and gave them a once-in-a-generation chance to sort out the situation, which they have comprehensively failed to take. However, if amendments of this type come forward, we will consider them on their merits, although a better approach would be for an all-party consensus to try to bridge the gap once and for all between the press and Parliament. I hope to have further discussions on this point.
I give notice that we will table amendments which probe why the Government have decided not to bring forward the Leveson recommendations covering: exemptions from the Data Protection Act 1998, available for investigative newsgathering by journalists; extending the scope for statutory intervention over the press by the Information Commissioner; and changes to the power, structure, functions and duties of the ICO relevant to the press. We will also probe whether the Government intend to implement amendments previously made to Section 55 of the Data Protection Act by virtue of Section 77 of the Criminal Justice and Immigration Act 2008, which would allow terms of imprisonment of up to two years to be imposed for offences of unlawfully obtaining disclosure of personal data. As the Information Commissioner has previously noted, this has much wider application than just to the press, because there is an increasing number of cases of blagging and unauthorised use of personal data which must be stopped.
The Government have set themselves a very tight timetable to pass this Bill into law before the end of April 2018. We will support the main principles of the Bill, but, as indicated above, many areas need to be scrutinised in depth before we can agree to them. I hope that we can gather more evidence and find a way of bringing Hamlet back into the play by looking in detail at the GDPR before it becomes the law of the land. If data is the new oil, we owe it to the country and particularly our children to get this right and to get our laws fit for the digital age.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, in moving Amendment 1 in my name I shall speak also to Amendment 4A, which I hope the Government will agree is consequential. We now commence seven days in Committee on the Bill in your Lordships’ House with a simple amendment. It sets out a principle that we think is important enough to ensure that it is at the heart of the Bill. As in all Committee debates, Her Majesty’s loyal Opposition hope to engage the Government on issues of both principle and detail, and thereby improve the Bill by the time it leaves this House. As witness to our willingness to work with the Government, we have been reading the rather florid statements that the Government put out over the weekend and have tabled an amended version of our Amendment 4 in manuscript, which I gather significantly reduces the gap between us and the Government on a number of key points. But we will not resile from ensuring that the principles which underpin this Bill are securely in place.
As we made clear at Second Reading, we broadly support the Bill but we cannot ignore the fact that if the European Union (Withdrawal) Bill receives Royal Assent as it currently stands, it will remove rights which the people of this country currently enjoy, care deeply about, and are essential to UK business going forward. We think that the status quo has worked well for the UK up until now, so if it is not broken, why change it? I hope that the noble Lord has a convincing argument to make on this point when he comes to respond.
Much has already been said in your Lordships’ House about how complicated this Bill is. It has to deal with a fast-growing and crucial part of our economy and the pace of technological change will create services that we cannot even imagine today. Legislating for this is complicated, but getting the principles right is the key here. It gets even more complicated. The Bill deals with the situation that will obtain after the general data protection regulation is implemented across Europe on 25 May 2018. It provides for the period from that date until such time as the UK leaves the EU and it covers the period after that when what is called the “applied GDPR” will become the law of the land. It has been remarked on that all this is happening without Parliament actually scrutinising the basic text. I suggest again that principles are the key.
One of the key principles which underpinned earlier data protection legislation is Article 8 of the EU Charter of Fundamental Rights. It is indeed the basis of much of what is in the GDPR and applies to the whole of the EU, but when we try to find references in the Bill to the right to privacy and to the protection of personal data which Article 8 guarantees, they are not mentioned explicitly. We believe that the Government approach is wrong for three reasons. These principles matter and have been the subject of recent decisions in the courts, not least the one mounted by the Secretary of State for Exiting the European Union when he was David Davis MP, along with Tom Watson MP. Secondly, the removal of the right to protection of personal data risks weakening, or being perceived as weakening, UK data protection post Brexit. That may have significant consequences for UK data processing businesses, a point that I want to come back to.
The third reason is a broader point, one that the Government do not seem or perhaps do not want to get: rights and specific law act together to make a whole that is greater than the sum of the parts. If we were continuing in our membership of the EU, the fact that the Bill does not explicitly cover our rights to privacy and protection of our personal data might not matter because the EU Charter of Fundamental Rights would continue to be in force and individual data subjects such as Mr Davis and Mr Watson could rely on it if required. But while the EU withdrawal Bill currently in another place contains thousands of provisions that will be converted into our law, only one provision has been singled out for extinction—the EU Charter of Fundamental Rights. This omission from the Data Protection Bill really does matter because as well as underpinning personal rights to privacy, the wording of Article 8 will in effect be right across the rest of Europe and underpinning the legal framework permitting the free flow of data across European borders. It is the removal of the references to Article 8 that will provide a significant and totally unnecessary risk when the time comes for the EU to assess whether our regime is essentially equivalent to the rest of the EU, because that will be the test.
It is common ground among all the parties that it is essential that immediately after Brexit, the Government should obtain an adequacy agreement from the Commission so that UK businesses can continue to exchange personal data with EU countries and vice versa. If we are unable to reach such an agreement with the EU, there will be no legal basis for the lawful operation of countless British businesses and there will also be a significant question of whether EU companies will be able to trade with us if we do not enjoy the Article 8 protections that they will have. That, in fact, is double jeopardy. The Government seem to have forgotten that the frictionless transfer of data is critical to the functioning of our economy. Roughly 70% of the UK’s trade and services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens regularly share their lives online. To operate, UK businesses require clarity on the legal basis for data transfer post Brexit, but so do EU companies.
The rights outlined in our Amendment 4A are at the cutting edge of global data protection law and are essential for our tech industry in the UK. Indeed, the wording of the amendment was suggested to us by techUK, which is the industry voice of the UK tech sector, representing more than 950 companies, which collectively employ more than 800,000 people. That is about half of the tech jobs in the United Kingdom. If compliance with the Charter of Fundamental Rights is required to secure regulatory harmony and thus business confidence, the Government’s commitment to jettison these references in the charter appears rather odd.
Finally, concerns have been raised as to whether the amendment, even as redrafted, cuts across the GDPR. This is not the intention. The amendment does not undermine the role of the GDPR or the derogations to the GDPR set out elsewhere in the Data Protection Bill, which we support.
We will listen very carefully to the debate. I make it clear that we hope the Government will agree that the principles we outline in these amendments are important and will offer to work with us to make sure the Bill is amended on Report to achieve the objectives I have outlined. I beg to move.
My Lords, I thank all those who have contributed to this debate—at some personal cost, I understand. There are points that we will certainly reflect on as we read Hansard.
I shall start with a slightly unusual point. I want to commiserate with the Minister for the unfortunate loss of his data just before he came into the Chamber this afternoon. His speaking notes and apparently much other data were stolen from him. That just shows the sorts of difficulties that one has with data, privacy and the issues that we have been talking about. I am surprised that he did not mention it, but he did not and I can only assume that things have worked out all right. However, if he wants help in drafting the personal victim statement, we will be very happy to meet him outside the Chamber on a number of occasions if that will be of assistance.
I do not have much luck with my drafting. I seem to recall being in this place only a few months ago and being coruscatingly attacked by a Cross-Bencher who thought that I had got a lower second with an amendment that I put forward to the higher education Bill. Mind you, I had quite a good result on that Bill. It was amended on the first day in Committee and that seemed to concentrate the minds of Ministers rather effectively. Therefore, I do not agree with those who have felt that this is a constitutional absurdity. In this House we have always reserved the right to vote “inappropriately” at any point, and Committee is one of those occasions. I am not saying whether we will do that today; I am just saying that it is not barred and it often has a purpose to serve.
However, the general tenor of the responses has been that we should not rush this. I was particularly pleased that the Minister suggested that we should meet outside the Chamber to discuss this issue, possibly reach agreement on it—those were his words—and perhaps come back on Report. I should remind him that Amendment 4 was tabled three weeks ago and no invitation to such a discussion reached my ears, so I am a bit surprised. The amendment was published and was available, and it could have been discussed. The fact that we are not going to move it today is slightly irrelevant but it raises all the issues that we are now engaging with. Indeed, at the meeting only last week, we did not really get on to the discussion about what we are about—we talked about other matters.
However, I do not want to fall out with the Minister because I enjoy working with him. Six Bills may seem a lifetime to many people but it has been a time enlivened by the ability to talk inside and outside the Chamber and to reach agreement. I hope that that is a genuinely meant proposal and, if it is, I will consider it very carefully.
My noble and learned friend Lord Goldsmith pointed out a really important issue. As I said in my speech—he picked it up and exemplified it—in order to achieve what the Government want to do, we need a combination of the rights that exist and the statutes that deliver the particularities of the issues concerned. I take on board all the points that have been made about drafting and the inability to do so, and I will reflect on those. However, if we have the right objective, which is to ensure that that balance is available to the people of the United Kingdom and that it will support our businesses in the future, surely we have a duty to make sure that it is delivered to a final conclusion and, if necessary, voted on.
In passing, I observe that it is interesting that the Minister had to resort to the recitals to the GDPR to be convincing about the fact that the GDPR has the effect of bringing the rights in the charter into the discussions about data processing. That is amusing because one very striking thing about the regulation, apart from the fact that we do not have it in front of us to discuss it, is that, in the form in which it will appear in law in the United Kingdom at the end of this process, the recitals will not be part of it. Therefore, his reliance on them is ironic to the point of being rather difficult to accept, but he made points of substance, so I think we will move over that.
Despite the rightful criticisms, there is a general feeling across the Committee that we need to do a bit more work on this. I think that we are on to something that is important enough to spend time on, and we are prepared to do that. We do not think that we are in a muddle on this—we think that there is an issue—but I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, it is late and I have little to add to what my noble friend Lord Patel said. I declare an interest as chair of the Wellcome Trust, and I was also closely involved with Imperial until conflicts of interest preventing my going on. I have a lot of sympathy with those who spoke earlier on the issue of fundraising for universities. I speak tonight briefly about the concern I raised on Second Reading: the Bill as drafted just does not offer the clarity we need for people dealing with medical research in universities and other institutions, such as the Crick Institute.
The noble Lord, Lord Patel, amply illustrated the value of such research in understanding fundamental disease, the efficacy of treatment, and following on and learning from big datasets which give us the power to do things in medical research that were once not possible. We are not looking for medical researchers to be given particularly special treatment—there are quite a lot of exceptions here anyway—but to clarify what they are doing and how, so they can do it safely and with confidence.
I come back to where the noble Lord, Lord Patel, started. Researchers need to be able to do this work to improve global health—the health of everyone. Health does not stop at boundaries. Results are shared and we all learn from each other. We heard examples from the noble Lord. In a more parochial sense, this is a critical part of the industrial strategy we need to implement to deal with the economy post-Brexit. That document said that we have to streamline our legal and ethical approvals for medical research. This is one of the ways to get economic growth, so over and above the health aspects, there are strong economic reasons for being sure we can provide absolute clarity for people doing this sort of work. The consent issues are not straightforward but provided there are other safeguards—proper ethical committees and proper supervision—I think we can get there. However, we need to say a bit more in the Bill so that people are confident that they can do this.
I am conscious that we have had had a full and interesting introduction to this group of amendments from the noble Lord, Lord Patel, which builds on earlier discussions. It was difficult to get into this debate without having a little more than he was able to give us—and I do not want to push him too hard on this, but it would be helpful to hear a bit more about ethical committees.
As I understand it, the argument is a three-pronged one. An additional point was made about the need to think about the industrial strategy and not to hold back the research that will be influential in driving forward our brilliant life sciences. But the issue here is whether we could have a parallel system, changing the nature of the public interest test as described by the noble Lord, Lord Patel, and relying on an agency basis. We are calling that an ethics committee, which will basically take on the burden of determining what is appropriately done outside the narrow scope of the Bill as drafted. It would provide the measures of assurance that the Bill seeks, because it deals with a particular type of operation that would not fit naturally into the GDPR more generally. That is the main burden of the argument. I need a bit more information on how the noble Lord sees ethics committees more generally taking on that burden; perhaps he could share that with us.
I shall respond to some of the points raised. First, on the research ethics committee, we established through legislation—and I remember the debates that we had—a national Research Ethics Committee to deal with all applications for biomedical research, but particularly research involving patient data and transfer of data. If I as a clinician want to do a trial, I have to apply to that committee with a full protocol as to what consent procedures and actual research there will be, and what will be the closing time of that consent. If I subsequently found the information that I had could lead to further research, or that the research that I had carried out had suddenly thrown up a next phase of research, I would have to go back to the committee and it would have to say, “Yes, that’s part of the original consent, which is satisfactory to progress with the further research”. It is a robust, nationally driven, independently chaired national ethics committee, apart from the local ethics committee that each trust will run. So the national ethics committee is the guardian.
Furthermore, there is a separate ethics committee for the 500,000 genomes project, run by the Wellcome Trust and other researchers; it is specifically for that project, for the consent issues that it obtains, the information given at the time when the subject gives the consent and how the data can be used in future. The genomes project aims to sequence all the 500,000 genomes, and to link that genome sequence data with the lifestyles that people had and diseases that they developed to identify the genes that we can subsequently use for future diagnosis and treatment—and to develop diagnostic tests that will provide early diagnosis of cancers, for instance. The future is in the diagnostic tests. Eventually we will find them for diseases which have not developed but which have a likelihood of developing. Those diagnostic tests will identify the early expression of a protein from a gene and then find a treatment to suppress that expression well before the diseases develop, rather than waiting until the cancer develops and then treating it.
All this is based on the data originally collected. At this stage, it is impossible to know where that research will lead—that is the history—apart from the clinical trials which are much more specific and you get consent for them. I realise that there is a limit to how much the text of the Bill can deviate from the GDPR, unless it is dealing with specific issues which the GDPR permits member states to provide derogations for. I realise that, post exit, the UK will need an adequacy agreement and some equivalent, neutral recognition of data protection regimes between the UK and the EU. We need that for the transfer of data. For instance, the noble Baroness, Lady Neville-Jones, has talked about extremely rare diseases, which require the exchange of data across many countries because their incidence is low and no one country could possibly have enough information on that group of patients.
The research exemption does not undermine agreement on Clause 7—which is what the noble Lord, Lord Clement-Jones, was leading up to when he asked about the ethics committee. The noble Baroness, Lady Neville-Rolfe, suggested that medical research should be possible through the research exemption, but that has to be wide enough yet not specific enough to encompass wider exemptions. I hope that the Minister will come up with that trick in an amendment which he might bring forward. It will not be restrictive, yet protect the patient’s personal interest.
There is a research exemption for processing specific categories of data, including health data. The legal basis for this is through article 9 of the GDPR, referred to in Part 1 of Schedule 1 to the Bill. However, all processing of personal data also needs an article 6 legal basis: research is not exempt from needing this. I am arguing today that research needs that exemption, defined in wide enough terms. For processing special categories, you need both an article 6 and an article 9 legal basis. We need to have provision for both in the Bill. One of the article 6 legal bases is consent and I have explained why this is not suitable for much research. The other feasible route for universities and other public bodies processing personal data for research is public interest. This is why it is so important to be clear on what processes can use this legal basis.
There was serious concern about the likely impact of the GDPR on research as it was being drafted. However, this was successfully resolved and it provides the necessary flexibility for the UK to create a data protection regime that is supportive of research in the public interest. The Government, and other UK organisations, worked hard to make sure that this was the case. The provision is there: it is now for the Government to act on it. It is also important to seek an adequacy agreement post Brexit: we will have to have one. It will be vital to consider the need to retain, post Brexit, cross-border transfers of data for research. I give the same example of rare diseases as the noble Baroness, Lady Neville-Jones, used. The Government have recognised the value of retaining a data protection regime consistent with the EU, but the research community would welcome knowing whether it will seek a status of adequacy as a third country or an equivalent agreement.
The plea I make is that unless we include a provision, and there are exemptions which can be written in the Bill in the format that is required, we will not be able to carry out much of the research. A question was asked about the life sciences industrial strategy. It is the key pillar of the Government’s industrial strategy Green Paper. It relies on data that the NHS collects and the data that the science community collects and marrying up the two to produce, and lead the world in, treatments and developing technologies. If we are not able to do this, the whole thing will be unworkable.
I am very grateful to the noble Lord for a very full response. It was quite a narrow question. I did not need all of that response but I have learned a lot more in the last few minutes—
It might have been. The noble Lord has exposed a much greater issue than we thought we were grappling with. The case has now been well made that there are four pillars rather than the three that I adumbrated before. We seem to have a case for special treatment. I am sure that the noble Lord, Lord Patel, with his assiduous workload and high work rate will have made this point several times to officials and Ministers. However, if he is not getting the answers he needs, we have a bit of a problem here, so I hope that the Minister will be able to help us on that.
This goes back to an earlier debate about the public interest. It again worries me—I think the noble Lord, Lord Clement-Jones, touched on this—that “public interest” is becoming an overworked term for rather too many issues. In other words, the argument here is not about the public interest at all; it is about the public good that would come from a differential approach, safeguarded by the ethics approach—I said that was new to me and I am grateful to hear about it—and about reinforcing the contribution that would make to an industrial strategy covering a much broader range of understanding about what we are doing, thus making this country a world centre for all that. So there is a power behind this that I had not appreciated and I am grateful to the noble Lord for explaining it. It is easy to analyse it in this way and come up with the answer that he might want, but is it the right way forward on this?
The noble Lord was wise to point out that there are constraints within the GDPR and limits on what the Government can do, but it must be possible to think more creatively about the problem that has come forward. If, as the noble Lord said, the GDPR opens up the question of not requiring consent in that very formal sense, and we are looking for an evidence-led policy initiative which addresses the public good, it behoves Ministers to think very carefully about how one might take it forward.
This may or may not be the only issue that requires this sort of approach, but the case has been made on its merits that more needs to be done. Listing existing bodies that are not included, to put it in the positive, in a list of issues—for example, the administration of justice is a function of the Houses of Parliament—is not the way into this issue. I appeal to the Minister to think creatively about this because it seems to me that we need a new approach here. I am very convinced by that and look forward to hearing what the Minister says.
My Lords, first, I thank the noble Lord, Lord Patel, for his insightful remarks and for providing us with evidence of his knowledge of this subject, and of the Bill’s potential implications for pioneering medical research. I am grateful to him for sharing his expertise on these issues. I am also grateful to the noble Baroness, Lady Manningham-Buller, who speaks on behalf of the Wellcome Trust. Other reputable medical research organisations and universities have also expressed concern about this issue. I understand about the issue of consent and whether it is GDPR-compliant.
On the concerns the noble Lord raised in relation to Clause 7, I mentioned at Second Reading, and on a previous group of amendments, that the list of tasks in Clause 7 is deliberately designed to be indicative and non-exhaustive. When I wrote to noble Lords after that debate, I committed to make this clearer in the Explanatory Notes and the Government will honour that commitment.
The noble Lord, Lord Stevenson, mentioned that we might have to have a new approach to this problem. We are happy to think about these issues. At the moment we find that it is difficult to expand Clause 7 to cover every scenario where personal data has been processed in the public interest. Each addition to the list, however justified on its own merits, would cast greater uncertainty on the public interest tasks that continue to be omitted. However, I can reassure universities and research groups carrying out legitimate medical research, that, in the Government’s view, such tasks are in the public interest for these purposes. I will come later to how we take this forward.
I believe also that even when consent is obtained, the worry is that it may not be subject to GDPR compliance, even if consent was acceptable before.
I think we have already made the point and we do not need to come back to it. What I took from the noble Lord’s earlier contribution was that one way in which medical research is developed and carried out involves a consent process, and we would not want to change anything in that sense. However, for lots of reasons—the noble Lord gave three or four—you cannot always use consent. You may not want to go to the patient, or perhaps you cannot go to or find the patient. Alternatively, the noble Lord made the more general point that you often collect data without any real sense of where it might go in the future. We are not saying that any of that is good, bad or indifferent—one is no better than the other—but they all need to be considered in a broader understanding of the public good being best served by having the least restrictive system concomitant with appropriate procedures being in place. That is the line, with the ethics committee sitting at the top, that gets you to the point where that would be a fruitful conversation to have with Ministers.
I must make the issue absolutely clear. If I did not do so before, I will set it out again slowly and carefully. Medical researchers are not asking to be allowed to do research without consent. They are asking for consent to be interpreted not in a narrow sense but in a sense that will allow research to continue with consent having been obtained. I shall give an example. When I chaired the UK Stem Cell Bank, we made it clear that consent would have to be obtained from those who donated stem cell material, including embryonic stem cells. Consent was given on the basis that the embryonic stem cells would be used for research to improve healthcare, but at that time it was not possible to say which healthcare.
Embryonic stem cells, properly kept, are immortal: they can survive for generations. There is a classic example of this. Most of your Lordships are familiar with the lady whose tissue was taken in 1950. Her name was Henrietta Lacks—hence the cells are called HeLa cells. These aggressive cervical cancer cells were taken from her in the United States without consent, but they still exist in every laboratory in the world. A billion dollars-worth of drugs have been developed and marketed using HeLa cells. If consent had been obtained, what would that consent have been for? Exactly the same applies to consent for stem cells—it is for the development of drugs.
Researchers are not saying that we should not have consent. They are saying that there ought to be an authority like the ethics committee that gives consent and to which you can go back and say, “By the way, I have that material and I have found more. I am still developing drugs but this is not the same”. I hope I have been clear about that. We are looking for exemptions that are wide enough.
Perhaps I may come back to the matters raised by the Minister and refer, first, to the public interest issues. I understand that the Government do not intend the functions listed in Clause 7 to be exhaustive and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. It would provide much needed clarity and assurance for the research community if that could be made explicit in the Bill. That, basically, is all we are saying on the public interest. There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and about what they can or cannot do with that data and for what purposes. If it is made clear what they can do or where they have to go to make it clear, that will be helpful. This is why the public interest legal basis matters so much for research. The Data Protection Bill is an opportunity to set out very clearly the legitimate basis for processing personal data, setting out a clear public interest function for research that will give researchers the confidence to know when they are operating within the law.
I will now make a comment about what the Minister said about the safeguards. My Amendment 111 is to Clause 18, which prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment of diseases. The range of law covering the use of personal data for research is complex, governed both by data protection law and common law, where duties of confidentiality toward the data subject exist. In my view, the implementation of GDPR through the Bill is an opportunity to provide clear information to researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards.
It is therefore essential that authoritative, comprehensive and unambiguous guidance is created to assist with this transition to a new data protection law. The Health Research Authority is working on guidance for health research, but researchers are urgently in need of this advice to ensure they are compliant by May 2018.
Those are my comments in response to the Minister. I am labouring these points today because this is the only opportunity I will have in Committee to debate these issues at length. I do not wish to rehearse this at Third Reading if we can resolve these issues by communication and find a way out.
My Lords, I shall speak only to Amendment 188, and I do so because, as so often, I am confused. In Scotland, a person aged 12 is presumed to have capacity to exercise rights under the Data Protection Act 1998, and that position is perpetuated in the Bill. How does that mesh with the general data protection regulations, which provide that consent to process personal data is lawful below the age of 13 only if given by a parent? I think that is the position and that is why I have tabled my probing amendment. Perhaps my noble friend could explain why Scottish children are so much more mature than English children.
I was persuaded by the view expressed by the noble Baroness, Lady Lane-Fox, at Second Reading when she said that we do not want to bring in lots of new and different laws for 13 year-olds and we need to recognise the reality that children will wish to do what their peers are doing. We do not want to incentivise them to tell lies online. So I am perfectly happy with the Government’s position on the age of 13 and just a bit bewildered about Scotland.
As a Scot I can hardly complain, and I am always bewildered, too—not only about this but about many other things. Our Amendment 17 in this group is also one of bewilderment. Clause 8 is headed:
“Child’s consent in relation to information society services”,
and refers to “preventive or counselling services” not being included. This goes back to an earlier amendment, when we established that these references are actually recitals and not part of the substantive GDPR, so we are back in what is not normative language and issues that we cannot possibly talk about in relation to the wider context because we are talking about the law that will apply.
There are three points that need to be made and I would be grateful if the noble Lord would either respond today or write to me about them. The first is to be clear that the reference to “information society services”, which is defined, has nothing in it that would suggest that it is a problem in relation to the lack of inclusion of preventive or counselling services. The answer is probably a straightforward yes. Secondly, what are the preventive or counselling services that we are talking about? I think the context is that these are meant to exclude any data processing relating to a data subject if the data subject concerned—with parental consent if the subject is younger than 13 and on their own if they are older than 13—who is taking a form of counselling that may be related to health or sexual issues would not be allowed to be included. Is my understanding of that right? I am sure that it is.
Thirdly, could we have a better definition of preventive or counselling services because those are very wide-ranging terms? Yes, they come from a recital and perhaps in that sense they can be tracked back to earlier discussions around the formation of the GDPR, but they have to be applied in this country to situations in real life. I am not sure what a preventive service is and I should like to have it explained. Counselling services I probably do get, but do they include face-to-face counselling or is this about only online counselling services? Is it the same if the child is being accompanied by a parent or guardian? There are other issues that come into this and there is a need for clarity on the point.
While I am on my feet I should like to respond to the amendment moved by the noble Baroness, Lady Howe, who has campaigned long and hard on these issues. We would be bereft if she did not enter into this Bill with all its implications for children, given the wisdom and experience that she brings to the table. The point she makes is one of simple clarity. There is a need to be very careful about the evidence gathering on this issue and it is probably not appropriate for it to be left to Ministers in regulations. There needs to be a wider discussion and debate on the matter, perhaps involving the Children’s Commissioner and other persons with expertise. She has made her point very well and I should like to support it.
My Lords, I associate myself with the amendment in the name of the noble Baroness, Lady Howe. We are in Committee and it is a probing amendment. When we discussed it with colleagues the feeling was that 13 might be the right age but, as the noble Baroness indicated, it needs probing and some thinking about.
There is a danger, particularly in a House with our age group, that we assume these technologies are understood by the young—even the very young. We all hear anecdotes of parents or grandparents who have to consult their eight year-olds on how to make various gadgets work, but that misses the point. A frightening amount of information is being freely given. I mentioned at Second Reading that my generation and my parents’ generation had thoughts of personal privacy that my daughter and her contemporaries seem to have no thought of. They are very happy to exchange information about themselves, what they do and where they are with gay abandon.
When we get to the very young it is very important to make sure—we will discuss this in later amendments, if not tonight—that there is sufficient understanding and information to make informed choices, otherwise we get into very dangerous territory indeed. Therefore we are, not for the first time, in the noble Baroness’s debt for raising these questions. Late as it is, it is right that we put on record that these things, along with the amendments that will follow in the next couple of groupings, need to be taken as a whole before we make a final judgment as to the right age.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I support this amendment and apologise to the Minister and the House for not being present at Second Reading as I was overseas. However, my noble friend Lady Jay more than adequately set out some of my concerns around Part 5 of the Bill. However, this is also a very important amendment. In the debate initiated by the noble Baroness, Lady Lane-Fox, on 7 September, the noble Baroness, Lady Kidron, said:
“There is an awkward tension in having a technology that is able to help us to confront our societal needs … and a corporate culture that aggressively balks at … long-term societal responsibilities”.—[Official Report, 7/9/17; col. 2118.]
In the end, that is precisely what this comes down to. The noble Baroness, Lady Harding, made a very important point a little earlier. She referred to barriers to entry being used by corporations to not do the things that they should do, and at the time they should do them.
Today is the 20th anniversary of my entering your Lordships’ House and, if I had to count the number of times I have been told that barriers to entry are the reason for not doing something, we would all be here all day. I well remember the noble Lord, Lord Oxburgh, who is in his place, and I having a meeting with the then Ministers for Energy and being told that “barriers to entry” were one reason that the large energy companies could not do the things that we suggested they might do at the time. Therefore the idea that the Silicon Valley companies have not reached a sufficient size or sophistication to be able to carry out the de minimis changes to their platforms—the effect of the amendment which the noble Baroness, Lady Kidron, set out so beautifully—is a nonsense. Please can the noble Lord, Lord Ashton, beg Matt Hancock, the Minister, to put to one side any more arguments about unacceptable barriers to entry being raised by this and indeed other amendments on the same subject?
My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.
I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.
Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.
The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.
I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.
My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.
At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.
The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.
The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.
The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.
I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.
The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.
Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.
We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.
I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.
Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.
I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.
First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.
Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.
I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.
My Lords, I add my voice to that of the noble Baroness, Lady Kidron. President Clinton memorably said that the first step in solving a problem is recognising there is one. If anyone does not believe there is one, we rehearsed some of it in the previous debate; I would also advise them to watch two very recent TED Talks by Zeynep Tufekci and Sam Harris. If, having seen these, they can convince themselves there is not a serious and urgent problem, then their judgment is very different from mine.
I will speak for a couple of moments on this because I regard it as a very significant issue. Karl Marx—who knew a thing or two—said that if you change the dominant mode of production that underpins a society, the social and political structure will change, too. I believe we have changed the fundamental mode of production that underpins society. It is now called digital. We have to address that and we are not addressing it anything like seriously enough. There are two issues I would like to raise, and if there is a note of frustration in my voice, I apologise.
In 2003, through very torturous processes in this House, we managed to persuade the then Labour Government to impose a duty on Ofcom—and I spend most of my life defending Ofcom—which was very clear; it was laid out by the noble Baroness, Lady Jay, at Second Reading. Ofcom was given the specific duty of promoting media literacy. The wording was that Ofcom was required,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”,
and,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
Fifteen years later, in respect of these duties, Ofcom has wholly failed. By taking a very narrow, technical view of its responsibility, it has done almost nothing to promote notions of digital literacy in the electronic media. If we are not careful, the same will happen in the digital world. The noble Baroness, Lady Lane-Fox, used a much better phrase than “digital literacy”. She used the phrase “digital understanding” in a recent debate in your Lordships’ House. That is really what this is about.
To emphasise something that the noble Baroness, Lady Kidron, said, this is all about data. Ten days ago in Los Angeles, Lachlan Murdoch—who I think also knows a thing or two about this business—said the following:
“We’re in the beginning of an incredible transformation … we’re in the first months of something that will have a multi-decade life and future. Businesses that have large data sets and robust data sets will be the companies that win in the future”.
Every company in Silicon Valley and every communications company in the world knows that. This is why this is such a fundamental issue.
To my delight and surprise, the Italians appear to have picked up on this. In the New York Times of 18 October there is a long piece about a new law that was passed on 31 October by the Italian parliament that entirely acknowledges that young people have to have a far greater understanding of the modes of information, the nature of information and the ramifications of information than is presently the case. Some 8,000 schools in Italy are now receiving instructions on how to get across to children the seriousness and importance of, first, the manner in which they give and use their data and, secondly, the means by which they are informed.
Finally, in a very recent book Move Fast and Break Things by Jonathan Taplin, a man I happen to know, he says:
“Part of our role as citizens is to look more closely at the media surrounding us, think critically about its effects, and whose agenda is being promoted”.
I put it to your Lordships that every single front page of every newspaper over the past four months has made this extraordinarily evident. In the words of the noble Baroness, Lady Lane-Fox, we are “sleepwalking” into a situation over which we have little control and of which the companies that do have control are not taking sufficient notice. As proved by the Communications Act 2003, you can crunch out the best possible wording and it is still possible for that wording to have absolutely no lasting effect on society as a whole.
My Lords, my name is also on this amendment. It is a great pleasure to follow the noble Lord, Lord Puttnam, who has championed these issues for 20 years or more. It is worth while having a reality check for ourselves. One of the good things about the House of Lords is a certain continuity. I was in this House for the Data Protection Act 1998, which we are now reviewing, and for the Communications Act to which the noble Lord, Lord Puttnam, referred, and I served on his committee. We had no idea what revolution was coming our way. Indeed, in the Communications Committee, we were asked not to look at the internet; it was for the future. If we think about what has happened in those 20 years, what on earth is going to happen in the next 20, when we are reliably told we are on the verge of a fourth industrial revolution driven by data?
We were quietly asked by the noble Baroness, Lady Kidron, not to include this amendment in the previous group in case the whole thing became hijacked by a debate about education, and she was shrewd in that, but it was useful that she pointed out—I love this point—that data literacy should be as important as the three Rs as a core competency for the 21st-century child. If we are going to achieve that, we have to get out of the silo mentality: “It’s not our job, it’s the Information Commissioner’s job”; “It’s the Department for Education’s job”; “It’s DCMS’s job”. Somebody has to take responsibility for what we are saying because it is one of the great challenges.
There is a danger, particularly in a House of this age group, that we overestimate the capacity of the young. We all have our anecdotes about our grandchildren or our children being able to work the gadgets that we cannot work, but that does not mean that they have the competence or the maturity to make proper rational, responsible decisions about some of the factors that come within their ambit with this new technology. My noble friend Lord Storey referred earlier to a story in today’s paper about the increase in sexting among young children. We also know the extent of cyberbullying that goes on between children and about the naivety of children in being willing to reveal personal information online. Navigating the digital world is very complex.
The noble Lord, Lord Lexden, is in his place, and I am always worried about quoting history, but when the reform Act was passed in 1867, somebody said, “We now must educate our masters”, and that brought about the Elementary Education Act 1870. Nobody can now be in any doubt about the enormity of the task of preparing the whole population, but especially our children, to handle the new powers that are coming down the track at us. Educating for digital is one of the most important tasks facing us. I enjoyed and appreciated the way the noble Baroness, Lady Kidron, delivered her amendments. She made the point that that education is not to make this generation of children able to fit into the needs of Silicon Valley; it is to give them the power to make sure that Silicon Valley responds to their needs as citizens. That is the task that this amendment is trying to promote.
My Lords, I will speak briefly to support this amendment and particularly what the noble Lord, Lord McNally, has just said. We are asking our children to take on a whole set of responsibilities for which we, let alone they, are not prepared. The social consequences of social media and how to handle them produce enormous stresses on friendship. As for where this amendment is directed, there are also the consequences for children in the way their data are gathered and used, which we do not understand. The House of Lords can now track where each of us was geographically over the last month. It is all on our phones. A complete record is kept unless you happen to have turned it off. When did we give permission for that? If we cannot handle it, how can we expect our children to be able to handle it?
It is also quite clear that the sort of middle-range teenagers—14 and 15 year-olds, boys in particular—are living in a world of extreme pornography, in quality and content, that is quite unprecedented. What effects we can expect that to have on relationships between the genders when they get through to university and life afterwards I do not know. We cannot abrogate our responsibility to make sure that children are looked after properly and that we are not exposing them to amoral companies—I am not aware that any of these companies have a deep moral sense, whatever they may claim. We entrust their upbringing and education to that, but we care very much about their mental health, their sense of society, their sense of relationship to each other and the qualities that they will bring to the world as young people. We ought to be doing something about it in schools. We probably need a bit of thought as to what that should be, but we absolutely should not be doing nothing.
My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.
This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.
However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.
My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.
The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.
I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.
Lord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Scotland Office
(7 years ago)
Lords ChamberMy Lords, at Second Reading I touched on the question of whether the Bill might be used as a vehicle for rehearsing some of the arguments that we have heard in your Lordships’ House about the issues raised by Sir Brian Leveson in his report. I opined at the time, and am still of the belief, that this would not be the right place to put forward those amendments again, because I would favour an initiative from the other side of the House which tried to build on some of the work that was done in the run-up to the work that was done after the Leveson report was first published, which saw all party groups coming together to try and find a way forward. It seemed that we were beginning to get ourselves into a cul-de-sac on many of these issues. Although there were strong passions and strong beliefs, and good intellectual and other reasons for taking forward some of these issues, the times had changed and the climate had moved on. It was therefore important to try and think again about what would happen.
However, I also said that maybe others would take a different view of that and come forward with amendments on these and related issues. I expressed the view that, if they did, Her Majesty’s Loyal Opposition would look at them on their merits and respond to them as and when they came up. This explains why we have not signed up to some of the amendments that are before your Lordships’ House today.
I also said that our main concern going into Committee would be to make sure that the arrangements under which we currently operated, which were largely set out in the Data Protection Act 1998, were continued. It was very important that all concerned had confidence that the transposition between 1998 and today, and going forward to 25 May 2018, was adequate and sufficient, in terms of how we approached them in relation to that Bill. I am therefore introducing Amendment 42, which is largely a probing amendment aimed at getting Ministers on the record as to whether or not they feel that the transposition has been made fairly and effectively. To the extent that there is an addition to the existing law, as I understand that to be the case, it is in response to a particular aspect of the current regime which does not seem to work well in practice. The Information Commissioner’s Office has made it clear that it feels that it could do with an additional power, which I think is provided for in the Bill, to assist with the ability to reimburse those who have been affected by actions arising from a complaint they have taken forward in relation to the press. If that is the case, I would be happy to have that confirmed. That is the reason for Amendment 42, and I look forward to hearing from Ministers how they respond to that.
In pursuit of a perfectly normal and natural wish to scrutinise the Bill as it is before us, we have two other amendments in this group. Amendment 87B was offered to us by the NUJ, and is on a question which comes up a lot when talking about intellectual property issues relating to photography—not that this is actually about that, but journalism has a common-sense meaning which is often used in language other than that of Bills to reflect all aspects of journalism, including photojournalism. But of course it is not the totality of what photographers do, so this amendment is an attempt to get on the record what Ministers believe to be the sense on page 136, in Part 5, where paragraph 24(2) states that GDPR provisions do not apply,
“to personal data that is being processed only for the special purposes to the extent that … the personal data is being processed with a view to the publication by a person of journalistic, academic, artistic or literary material”.
Given the absence of the term “photography” or “photographer”, I have a slightly rhetorical question, but one to which I am looking for an answer. Can I assume that the sense of that paragraph is that this would catch photographers?
If that is the case, since photography is often done in a way that would not always result in publication, could we have clarity about the situation if the photographers were to rely on this provision in relation to material? Say, for instance, they were taking a number of photographs of a demonstration, some of which would be used but a lot would not be, and then it was felt that there was some other purpose that those photographs could be used for—that was an example given to us by the NUJ. It was concerned that the photographer should not be discriminated against, in the sense that the work of building up a personal archive of photographs taken on the job that did not result in specific publication might not necessarily fit particularly well with that. This is just a probing amendment to see what the response to that is.
The other amendment in our name in this group is Amendment 87E, relating to an issue that has been raised by others in this group. There is what I think is meant to be a transposition from the Data Protection Act 1998 to refer to the question of whether or not the public interest is engaged, and various rules and regulations around that. The notion behind our amendment is that we are not sure it is helpful nowadays for the legislation to refer in specifics to a list of codes and practices, particularly because one of those—I reference paragraph 24(5)(c)—is not correctly described. I think others will speak to this as well. Obviously there is a code of practice that editors of major newspapers have contributed to and which works reasonably well in practice, but the danger about that as an example is that it cuts out a lot of other codes of practice that could easily be mentioned there. Having them there does not seem to advance the argument, which is that the controller must have regard to appropriate codes of practice or guidelines that exist. In the event that any question is raised by the Information Commissioner or others, it is more appropriate for that to be left more general than specific. With that, I look forward to the responses. I beg to move.
My Lords, I will speak to the amendment in my name. I am grateful to the noble Earl, Lord Attlee, who has added his name in support. I will also speak in support of the amendment in the name of my noble friend Lord Skidelsky.
First, I want to explain why the Bill in its current form does not provide an adequate balance between privacy and freedom of expression, despite claims to the contrary by some parts of the media this weekend. Freedom of expression is essential to hold power to account and to expose wrongdoing, and it must be protected. However, the public also need to be protected from those who might seek to abuse such freedoms with the primary business purpose of selling newspapers.
The need for balance was recognised by Lord Justice Leveson in his 2012 report, and these amendments seek simply to implement some of the Leveson recommendations on data protection. It is worth remembering how some newspapers exploited private data in the past. Operation Motorman was a lengthy police investigation. The Information Commissioner reported on it in 2006, detailing the kinds of information that private investigators were buying unlawfully or obtaining by deception, including bank records, medical records, tax records, benefits records, phone records—thousands of transactions obtained from just one private investigator and commissioned by journalists. The victims whose data had been illegally accessed were not celebrities or public figures being investigated for genuine public interest reasons. They were just ordinary people with tenuous connections to those in the public eye: the sister of a well-known MP’s partner; the mother of a man once linked romantically to a “Big Brother” contestant; the decorator who had once worked for a lottery winner; and the GP who was doorstepped by a Sunday newspaper in the mistaken belief that he had inherited a large sum from a former patient. All these were victims of data misuse, and we are still learning how widespread those practices were.
Some argue that that is history and that newsroom practices have changed since the Leveson report, but the economic pressures which drove newspapers to desperate practices before are even more acute now. Many of the same editors and senior executives are still in place, and many in this House will remember similar promises of reform made by newspaper editors in the wake of the Calcutt report nearly 25 years ago. Does the Minister agree that this time, it is our responsibility to act decisively to protect the public from the less scrupulous elements of the press?
There is an exemption in the Data Protection Act 1998 for journalism, and this is reproduced in the Bill, but the exemption as drafted effectively offers a blank cheque to publishers and would allow them to breach data rights with little protection for the public from abuse. The GDPR is clear: exemptions should be made only when they are necessary to reconcile the right to protection of personal data with freedom of expression. My amendments are designed to ensure that this balance is properly preserved. They have been drafted by a senior QC and are based on recommendations made by Lord Justice Leveson, himself an independent senior judge, after a public inquiry in which he heard evidence and arguments from all sides, including the newspaper industry. I should declare an interest here and remind the Committee that I gave evidence to the Leveson inquiry.
Let me elaborate on the point for a moment to make it clear. IPSO did not exist in 1998; the editors’ code did and therefore the editors’ code was incorporated as such by reference to the 1998 Act and the 2000 order. The relevant editors’ code is now known as the IPSO code. It is essentially the same code, as I understand it. I see that the noble Lord, Lord Stevenson, is shaking his head on this point, but it is essentially the editors’ code that is now incorporated within the IPSO code.
I could not resist jumping up. I think the nub of the argument is the four letters IPSO. It is an editors’ code. IPSO is a separate body. I think there would be less concern if it were just simply the editors’ code because we understand what that is. That would be the right reference, but I think we will return to this later.
The terms of the editors’ code are now referred to as the IPSO code, but I take the noble Lord’s point and I will take away and consider whether there is any material issue about using the designation of that code in the schedule. However, it is, with respect, essentially the editors’ code as it was originally recognised. As I understand it, that is reflected in the Information Commissioner’s current guidance under reference to Section 32, which is why it appears in the schedule in the form that it does.
My Lords, this has been a very interesting debate. It has lasted one hour and 25 minutes and there is a little more to go. The hour is late and I do not think one wants to rush to judgment on the many important things that have been said today. As I am sure many other noble Lords do when faced with such an intense and important debate, I want to reflect a little on it, read what it looks like in Hansard the next day and then form a view on it. However, I shall share one or two things with the Committee that come to my mind and I think we should take away from this.
Of course this is about the balance between privacy and freedom of expression. It was interesting that the noble Lord, Lord Black, was at pains to point out in his intervention that he did not think there would be any country in which the sort of systems that are discussed in some of the amendments here took place. I ask him: is there a country that he would be happy to live in that did not have a statutory protection of privacy and freedom of expression, however well balanced and proportionate that would have to be? The answer would be very interesting.
My memories from this will be of the long campaign that the noble Baroness, Lady Hollins, has fought to try to get this troubled area of our law into better shape. The perhaps reluctant speech by the noble Lord, Lord McNally, in opening up the way for the noble Lord to debate issues relating to earlier approaches to this area, struck home for me. I thought it was a powerful intervention and one we should think hard about.
My ultimate feeling about this is that we may be talking about the very narrow issue of data processing in relation to journalism, but of course it engages all the issues that arise from any decision that we make about the balance between privacy and freedom of expression. As I tried to demonstrate in the discussions on day one of Committee, if there were better protections between a right to privacy and the right to freedom of expression than there currently are in the Bill, maybe this would be an easier process, but they are not there yet. We need some movement here. The genuine offer that I made to the noble and learned Lord to try to find common ground on this and move forward, which was picked up by others, seems to have been rejected. That is sad, and we will not get very far if that is the attitude we are going to encounter.
At the end of the day, we may not have a choice on this. If Parliament is unable to act, it may well be that the privacy law we end up with will be judge-led, arising from cases that happen to come in, out of which a body of law will be built up that does not suit the noble and learned Lord and his friends. He should think very carefully about where we are at the moment, where the political power lies, where the interests of those engaging with this are coming from and how long it would be before we got to a point where we could take this forward.
I think we will come back to this on Report more than once. There are issues here that will survive the helpful comments made by the noble and learned Lord, who covered the detail of the amendments very fully. I will read what he said very carefully. I do not think we have got to the bottom of how you get the balance in law for a long time so that it works. It is not to do with definitions of which code or otherwise we are talking about; we are talking about real principles here that need to be addressed.
I should like to make just one point. The noble and learned Lord, Lord Keen, came close to admitting that to put IPSO in the Bill was a mistake—I say came close to admitting—whereas it would have been perfectly all right to have just said, “the editors’ code”. There is something there to discuss, because if you call it the IPSO editors’ code, that looks as if you are favouring a particular organisation, rather than a code. The code is owned by the newspaper publishers; it is their code; we need to take that into account. It is less obnoxious just to have “the editors’ code”, than to have an organisation named in the Bill as the effective carrier of that code. I do not know whether the noble and learned Lord is willing to consider leaving out mention of the organisation. If so, it would be interesting to discuss how best to do that. I may come back to this on Report, but thank him very much for his speech.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, the noble Earl, Lord Kinnoull, has clearly and knowledgeably introduced the amendment, which I strongly support. He made clear through his case studies the Bill’s potential impact on the insurance industry, and I very much hope that the Minister has taken them to heart. Processing special category data, including health data, is fundamental to calculating levels of risk, as the noble Earl explained, and to underwriting most retail insurance products. Such data is also needed for the administration of insurance policies, particularly claims handling.
The insurance industry has made the convincing case that if the implementation of the Bill does not provide a workable basis for insurers to process that data, it will interrupt the provision to UK consumers of retail insurance products such as health, life and travel insurance, and especially products with health-related consumer benefits, such as enhanced annuities. The noble Earl mentioned a number of impacts, but estimates suggest that, in the motor market alone, if this issue is not resolved, it could impact on about 27 million policies and see premiums rise by about 3% to 5%.
There is a need to process criminal conviction data for the purposes of underwriting insurance in, for instance, the motor insurance market. Insurers need to process data to assess risk and set the prices and terms for mainstream products such as motor, health and travel insurance.
The key issue of concern is that new GDPR standards for consent for special category data, including health, such as the right to withdraw consent without experiencing detriment, are incompatible with the uninterrupted provision of these products. As the noble Earl, Lord Kinnoull, has clearly stated, there is scope for a UK derogation represented by these amendments, which would be in the public interest, to allow processing of criminal conviction and special category data when it is necessary for arranging, underwriting and administering insurance and reinsurance policies and insurance and reinsurance policy claims. I very much hope that the Minister will take those arguments on board.
My Lords, the noble Earl, Lord Kinnoull, has done us a great favour in introducing with great skill these amendments, which get to the heart of problems with some of the language used in the Bill. We are grateful to him for going through and picking out the choices that were before the Government and the way their particular choices seem to roll back some of the advances made in the insurance industry in recent years. I look forward to the Minister’s response.
Our probing Amendment 47 in this group is on a slightly higher level. It is not quite as detailed—nor was it intended to be—as the one moved by the noble Earl. We were hoping to raise a more general question, to which I hope the Minister will be able to respond. Our concern, which meets the concerns raised by the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, is where the Government want to get to on this. It must be true that insurance is one of the key problems facing many people in our country. It is the topic that will be discussed in the QSD in today’s dinner break as it bears heavily on financial inclusion issues. So many people in this country do not take out insurance, personal or otherwise, and suffer as a result. We have to be very careful as we take this forward as a social issue.
However, an open-ended derogation to allow those who wish to gather information to make a better insurance market surely also raises risks. If we are talking about highly personal profiling—we may not be because there are constraints in the noble Earl’s amendment—it would lead to a more efficient and cheaper insurance industry, but at what personal cost? For instance, if it is possible to pick up data from those who perhaps unadvisedly put on Facebook or Twitter how many times they get drunk—I am sure that is not unusual, particularly among the younger generation—information could be gathered for a profile that ought to be taken into account for their life, health or car insurance. I am not sure that we would be very happy with that.
Underlying our probing amendment is to ask the Minister to respond—it may be possible by letter rather than today—on protections the Government have in mind. What sort of stock points are there that we can rely on as we move forward in this area? As processing becomes more powerful and more data is available, pooled risks are beginning to look a little old-fashioned. The old traditional model under which insurance is gathered is that the more the pool is expanded, the risks are spread out more appropriately across everybody. The trouble is that the more we know, we will be including people who are perhaps more reckless and therefore skewing the pooling arrangements. We have to be careful about that.
There is obviously a social objective in having a more efficient and effective insurance market but this ought to be counterbalanced to make sure that those people who are vulnerable are not excluded or uninsurable as a result. The state could step in, obviously, and has done so, as we have been reminded already in our Committee discussions about the difficulty of getting insurance for those who build on flood plains. However that is not the point here. This is about general insurance across the range of current market opportunities being affected by the fact that we are not ensuring that the data gathered is both proportionate and correct in terms of what it provides for the individual data subjects concerned.
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
I must say how delighted I am that on this occasion we had the noble Lord advocating his own amendment. I was nearly in the hot seat last week, but we have just avoided it. I was delighted at his powerful advocacy because of course the noble Lord is extraordinarily well informed on all matters to do with sport, and this goes to the heart of sport in terms of preventing cheats who prevent the rest of us enjoying what should be clean sport, however that may be defined. All I have to do is pick out one or two of the elements of what the noble Lord said in my supportive comments.
There is the fact that neither “doping” nor “sport” is defined in the Bill, as the noble Lord pointed out. There is no definition of the bodies to be covered by paragraph 21, which is extremely important. He also made an extraordinarily important point about UKAD. Naming UKAD in the Bill, as the amendment seeks to do, would add to its authority and allow it to carry out all the various functions that he outlined in his speech. If it is necessary to add other bodies, as he suggested, that should of course be considered.
The noble Lord’s reference to performance-enhancing substances, which again are mentioned in the amendment and included in the World Anti-Doping Code, ties the Bill together with that code and was very important as well. Finally, the point that he made about gender and the substances used in connection with gender change was bang up to the minute. That, too, must be covered by provisions such as this. So if the Minister is not already discussing these issues with the noble Lord, Lord Moynihan, I very much hope that he is about to and will certainly do so before Report.
My Lords, once again your Lordships’ House is very grateful to the noble Lord, Lord Moynihan, for raising this issue and, as the noble Lord, Lord Clement-Jones, said, for doing so in such a comprehensive way. It is in the context of the much wider range of issues that the noble Lord, Lord Moynihan, has been pursuing regarding how sport, gambling and fairness are issues that all need to be taken together. We have been supporting him on those issues, which need legislation behind them.
Noble Lords may not be aware that we have been slightly accused of taking our time over the Bill. I resist that entirely because we are doing exactly what we should be doing in your Lordships’ House: going through line-by-line scrutiny and making sure that the Bill is as good as it can be before it leaves this House. We saw the noble Lord, Lord Moynihan, at the very beginning of Committee and he then dashed off to Australia to do various things, no doubt not unrelated to sport. He has had time to come back and introduce these amendments—but, meanwhile, the noble Lord, Lord Clement-Jones, and I were debating who was going to pick the straw that would require us to introduce them. We were very lucky not to have to do so because they were introduced so well on this occasion.
Our amendment in this group is a probing amendment that picks up on some of the points already made. It raises the issue of why we are restricting this section of the Bill to “sport”—whatever that is. If we are concerned about performance enhancement, we have to look at other competitive arrangements where people gain an advantage because of a performance-enhancing activity such as taking drugs. For instance, in musical competitions, for which the prizes can be quite substantial, it is apparently possible to enhance one’s performance—perhaps in high trills on the violin or playing the piano more brilliantly—if you take performance-enhancing drugs. Is that not somehow seeking to subvert these arrangements? Since that is clearly not sport, is it not something that we ought to be thinking about having in the Bill as well? I say that because, although the narrow sections of the Bill that relate to sport are moving in the right direction, they do not go far enough. As a society, we are going to have to think more widely about this as we go forward.
I am slightly confused by what is a performance-enhancing drug. We have seen athletes and other sportsmen banned in this country for taking what I would call non-enhancing drugs: in other words, cannabis or whatever it might be. In that case they are not performance-enhancing drugs but the reverse of them—yet people can be banned even if taking them is deemed legal in the country where they do so. Even if it is legal to take cannabis, the drug can still be deemed a banned drug by the anti-drug authorities.
My noble friend is quite right. He has obviously been careful to make sure that he has no personal experience of what he talks about and I would like to make it clear that I have none, either. But it is a very tricky area and we are wrong just to dance around it with the idea that we are somehow doing something important in relation to a particular aspect of drug enforcement.
To do this properly, we need a much clearer approach. I realise that I am in danger of rising above the detail here and going back to my high plain of intellectual approach to the Bill for which I have already been criticised—but I hope that when the Minister responds we can get somewhere on this. A meeting on the particular narrow points raised by the government amendment and by the noble Lord, Lord Moynihan, is required. It would be helpful to see the context in which this might operate. I would be happy to attend such a meeting should that be the case.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.
I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.
Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.
We are not transposing the GDPR. It takes direct effect on 25 May.
I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.
My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.
My Lords, when the famous French long-serving Foreign Minister Talleyrand died and the news was taken to his long-term rival Prince Metternich of Austria, Metternich looked at the telegram and said, “What does he mean by this?”. Some of my friends have a similar reaction to any amendments that carry the name of the noble Lord, Lord Black, but I am not among them. I think that we share a common belief in a free and a vigorous and independent press. He knows that when at Second Reading he referred to the Defamation Act 2013, my ears pricked up, because it is one of the things that I am most proud of from my time as a Minister. With my noble friend Lord Lester as my mentor, we piloted that Bill into legislation. I am certainly very interested in any amendment that would prevent this Bill becoming a backdoor to getting around the protections that the Defamation Act gave to free comment and academic freedom to have peer comment, and so on. The Act has worked—we are no longer considered the libel capital of the world—and there is a great deal more freedom in the academic world for peer comments and criticisms, without the threat of libel actions, which had a chilling effect.
The problem is that this is an alphabet soup of amendments, which the noble Lord, Lord Black, has put forward with great clarity, so we will be able to study what exactly he wants to do and how he wants to do it. I am interested in a number of things; I am interested in the idea, which he quite rightly pointed out, of investigative journalists having to give prior notice of what they are doing, which seems rather counterintuitive to the idea of investigative journalism. I have certainly received that point of view from the BBC and other forms of journal about the effect of that proposal. The noble Lord, Lord Black, is quite right. We have seen only recently the Paradise papers as another example of investigative journalism exposing things that people would rather keep quiet, which is massively in the public interest. He also referred to the number of exposés of care homes, prisons and young offender institutions, all of which are massively in the public interest. It would be wrong to allow the Bill to bring into law provisions that would chill, prevent or curb the great traditions of a free and vigorous press. In the spirit of Committee stage, I would like to look carefully at what the amendments of the noble Lord, Lord Black, seek to do. As he knows, after Second Reading I offered to collaborate with him on amendments but that would probably have been too great a shock to both our constitutions. However, I would certainly be interested to see where we can work together on the broad aim of ensuring that the Bill contains no accidental curbs on the activities of a vigorous and free press and media.
As I have said before, the noble Lord, Lord Black, and his friends would be in a stronger position if the background to this was not one of previous criminality and invasion of the privacy of people who had every right to see their privacy protected. Therefore, there is bound to be a certain scepticism about whether these proposals give overgenerous access to overbroad exemptions. But let us have a look at them and at some of the issues that have been raised in other quarters—as I say, by the BBC and journals that are not members of IPSO that have expressed the concerns raised by the noble Lord, Lord Black. Following that and what the Minister is about to tell us, we can then make judgments about how we shall approach these issues on Report.
My Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
Lord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Home Office
(7 years ago)
Lords ChamberI am delighted to move Amendment 108A, which is an extremely important amendment. No, it is not—Amendment 108B is. If noble Lords want to know, this has not been a good day so far. I attended a wonderful memorial service for Lord Joffe, at which many noble Lords were present, and which was a moving and grand experience—so moving that I left the church without my bag, which contained all my possessions: my keys, wallet and everything else. I then spent most of the time until about five minutes ago worrying about that and not concentrating as I should have done on the important business of the House. This has a happy ending. Somebody found the bag, did not hand it in, took it home, thought it belonged to the other Lord Stevenson, the noble Lord, Lord Stevenson of Coddenham, spent four hours trying to find him, and eventually decided that it belonged not to him but to me. I now have my bag back and I feel much better.
I thank your Lordships.
Amendment 108B would prevent regulations under this section being used to amend, repeal or revoke the GDPR after Brexit. This may seem a rather tough charge to lay at the Government’s door. However, concerns about adequacy after Brexit will be so important that it may be in the Government’s best interest to ensure that the Bill contains no hint that the GDPR after Brexit, which will be the responsibility of this Parliament and this Parliament alone, could be amended simply by secondary legislation. If the Government follow this argument they will see that it has a symmetry behind it that encourages the approach taken here, in that when we are a third party and need to rely on an adequacy agreement the GDPR will be seen to be especially ring-fenced.
I will also speak to the other amendments in this group, two of which come from recommendations on delegated legislation made by your Lordships’ House. Amendment 110B is about replacing the current requirement for a negative procedure with a requirement for an affirmative one. In order to explain that, it is probably best if I quote from the report itself. The DPRRC took the view that the framework for the transfer of personal data to third countries should be provided on a test greater than just simply the negative procedure. This is a major issue. One possible example is if the Government were to use the argument that it was in the public interest to transfer bulk personal data held by a UK government department to the agencies of a foreign power—a remote possibility, I know. That would be of interest to the House and probably would need to be debated. The recommendation is that a change should be made from a negative to an affirmative procedure, and that is what this amendment seeks to do.
In a similar vein, the proposal to delete Clause 21 comes from the DPRRC report. The report says that the committee was,
“puzzled by the inclusion of … a suite of delegated powers … to provide by regulations for various exemptions and derogations from the obligations and rights contained in the GDPR which, as noted above, may … be exercised in respect of ‘the applied GDPR’. The memorandum fails to explain why those powers are considered inadequate, or why the Government might need to have recourse to the distinct powers in section 2(2) of the 1972 Act—which allows Ministers to make regulations”,
around EU obligations. The point is that there will be a period after Royal Assent to the Bill and when the country leaves—if it does—the EU in which it is possible that the Government will wish to make regulations. The committee assumes that this clause has been included just in case the Government decide that these powers are required. But the committee goes on to say:
“We consider it unsatisfactory that the Government should seek to take this widely drafted power without explaining properly what it might be used for”.
I therefore call on the Government to do so if it is appropriate at this time.
The final two amendments in the group, Amendments 180A and 180B, play to the same issue: that the powers, however they are finally settled, will still be wide ranging and grant the Government of the day a considerable amount of power to introduce rules by secondary legislation. In a sense, that is inevitable given the way that things are going, and we are not attacking the main principle. The question is around what safeguards would be appropriate. On these powers we think it would be appropriate for the Government to consult not only the commissioner, for which there is a provision, but the data subjects affected by the regulations. This is not a power that is currently there and we recommend that the Government consider it. I beg to move.
My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,
“amend, repeal or revoke the GDPR”.
I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.
I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.
I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.
My Lords, I am thrilled that the day of the noble Lord, Lord Stevenson, has got better, and I hope that at the end of my speech it will get better still. Things are definitely looking up for the noble Lord, I hope.
I will be reasonably brief on this because we have debated other delegated powers before and much of what my noble friend Lady Chisholm said on day two of Committee holds here.
On Amendment 108B, I agree with much of what my noble friend Lord Arbuthnot said. I shall answer the noble Lord, Lord Paddick, in a different way which will address his point. The amendment would prevent the Secretary of State using the delegated power contained in Clause 15 to,
“amend, repeal or revoke the GDPR”.
I am happy to reassure the noble Lord not only that the Government do not intend to use the power in Clause 15 to amend, repeal or revoke the GDPR but that they actively cannot. As the opening line of Clause 15 describes, the power contained in it permits the Secretary of State only to,
“make provision altering the application of the GDPR”.
The noble Lord’s amendment is therefore unnecessary.
Clause 17(1)(a) would allow the Secretary of State to specify in regulations circumstances in which a transfer of personal data to a third country is necessary for an important reason of public interest not already recognised in law. Public interest is one of a number legal bases on which a controller can rely when justifying such a transfer. This is very much a backstop power. In many cases, reasons of public interest will already be recognised in law, so the power is likely to be needed only when there is a pressing need to recognise a particular but novel reason for transferring personal data as being one of public interest. We are wary of any change such as that proposed in Amendment 110B, which may hamper its exercise in emergency situations such as financial crises.
Amendment 180B seeks to amend Part 7 of the Bill to ensure that the power contained in Clause 21 cannot be exercised without consulting the Information Commissioner. The clause is a backstop power which allows the Secretary of State to amend Part 2 of Chapter 3 of the Bill—that is, the applied GDPR and associated provisions—to mirror changes made using Section 2(2) of the European Communities Act 1972 in relation to the GDPR. As I am sure we are all aware, a Bill is being considered in another place that would repeal the European Communities Act, so this power is already specific and time-limited. We are not sure what consulting the Information Commissioner before exercising it would add. However, these points notwithstanding, we are happy to consider the role of Clause 21 and Amendments 110B and 180B in the context of the Government’s response to the Delegated Powers and Regulatory Reform Committee’s recent report on the Bill.
The Government have previously committed to considering amendments substantively similar to Amendment 180A and I am happy to consider that amendment as well. However, I echo what my noble friend Lady Chisholm said about the importance of the law being able to keep up with a fast-moving field.
With those reassurances, I hope the noble Lord will feel able to withdraw the amendment.
It certainly is turning out to be my day. I am grateful to the Minister for his comments. We are perhaps anticipating a further debate that we may have to have on the basis of what the Government intend to take back to the DPRRC, but it is good to have a sense of where the thinking is going, which I am sure we will look at in a sympathetic light. Where he ended up will be an appropriate way of progressing on this point.
On the Minister’s first point in relation to Clause 15, I hesitate to ask because I know he is already burdened, but it would be helpful if he can write to me about subsection (1) because our reading of the line:
“The following powers to make provision altering the application of the GDPR”,
could not, according to what he has said, change the GDPR itself, only the way that it is applied. We may be talking only about nuances of language. Interpretations from the far north, where the noble Lord resides, down to the metropolitan south may well not survive the discussion, so I would be grateful to have something in writing. With that, I beg leave to withdraw the amendment.
My Lords, we turn to Schedule 5, which deals with an issue covered in the Data Protection Act 1998 and comes forward again in this Bill. It relates to how the accreditation of certification providers is carried out in practice and, for a primary piece of legislation, goes into rather a lot of detail about the way reviews are carried out and appeals are heard. These are probing amendments to try to put on the record some of the issues.
Amendments 108C and 110A would ensure that documentation submitted by the applicant must be relevant to the matter to be considered by the commissioner. This is quite a widely drafted power and it would be otiose if the applicant raises issues that are not narrowly to the point.
Amendment 108D is a probing amendment into the grounds on which an applicant can bring an appeal. At the moment, all the applicant appears to have to show is that they are “dissatisfied”, which seems a rather broad way of opening up a discussion on an important issue. The word “dissatisfied” does not sound as though it will restrict the ability of people to put in submissions on this point.
Amendment 108E deals with the timing. There is a two-stage review process, each stage lasting 28 days, so it is odd that we have different timings. I would be grateful for a comment on that. I do not think there is a particular issue; perhaps the problem is the way it is expressed.
Amendment 108F deals with the very wide powers specified for the grounds to appeal against those appointed members of an appeal panel. Again, I do not see anything wrong with that, but it would be helpful to know the Government’s thinking on why the grounds are so wide: someone can simply put in an appeal and it must be heard. That would probably be rather open-ended, but it may be that there is a history of this and issues that we are not aware of.
Finally, on Amendment 110A, the arrangements for the appeal panel hearings also seem heavily specified. I wonder whether there may be a case for a slightly lighter touch and leaving it more open to the ACAS body, if that is the one concerned, to carry them through.
There are no particular issues here and we are not looking for major changes, but I would be grateful for a response. I beg to move.
If Amendment 108F is agreed to, I cannot call Amendment 109 due to pre-emption.
My Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
I thank the Minister for that response. I am sure that the narrow point about the regulations can be dealt with by correspondence, so I will not press it today. I beg leave to withdraw the amendment.
My Lords, in moving Amendment 113A I will speak to Amendments 114A, 118A, 119A and 121A. Schedule 6 changes references to “the Union” to “the United Kingdom” and deals with the transposition between the GDPR and the applied GDPR as and when we move beyond Brexit.
The paragraphs to which these amendments relate may be a bit confusing unless we understand the timescale under which they operate. We think that the GDPR, as originally drafted, aims to say that there should be a free flow of information between member states, creating a single market for data flows across the whole of the EU, applied irrespective of the concerns of the various national regimes. Once we leave the EU it hardly seems necessary to have such a provision because it would seem to imply we need to provide powers for data to flow within the United Kingdom. Therefore, the heart of the amendment and of part of this group is the suggestion that this is otiose. Will the Government explain what they are trying to do if it is not about the flow of data within the United Kingdom? If it is, it surely is not needed because we should not have that situation arising.
The concern is not really about whether the Bill refers to Union or domestic law, but which space we are talking about. Are we talking about the United Kingdom or parts of the United Kingdom? Will different rules apply in Jersey, Guernsey and the Isle of Man? These are all the issues that regularly come up about the United Kingdom. By focusing too narrowly on this we raise a danger that we might be overcomplicating what should be a relatively straightforward issue. I beg to move.
My Lords, it is a great pleasure to speak on these amendments, which cover the applied GDPR. Before I address them directly, it is worth recalling that the purpose of the applied GDPR is to extend GDPR standards to those additional areas of processing that are outside the scope of EU law and not covered separately in Parts 3 and 4 of the Bill. The benefit of taking this approach is that it avoids relevant controllers and processors needing to adapt their systems to two different sets of standards, or even needing to know which set of standards they should be applying. However, if the need for such analysis arises, it is crucial that the data subjects and controllers and processors are clear about their respective rights and obligations.
In such circumstances, reference to text that contains concepts that have no meaning or practical application for processing out of scope of EU law will result in confusion and uncertainty. So, while the intention of the applied GDPR is to align as closely as possible with the GDPR, Schedule 6 adapts the GDPR’s wording where necessary so that it is clear and meaningful. It is important to remember that the GDPR does not apply to such processing, so the creation of equivalent standards under UK law is a voluntary measure we are making in the Bill.
In particular, paragraph 4 of Schedule 6—the subject of Amendment 113A—replaces references to such terms as “the Union” and “member state” with reference to the UK. This simply clarifies that, unlike the GDPR itself, the applied GDPR is a UK-only document and should be read in that context. References to “the Union” et cetera are at best confusing and at worst create uncertainty for the small number of controllers whose processing is captured by the applied GDPR. Paragraph 4 provides important legal clarity to them and, of course, to the Information Commissioner. The United Kingdom in this context refers to England, Wales, Scotland and Northern Ireland only, in accordance with Clause 193.
Paragraph 8, the subject of Amendment 114A, limits the territorial application of the applied GDPR so that it is consistent with that for Parts 3 and 4 of the Bill, as set out in Clause 186, without the EU-wide, and indeed extraterritorial, application of the GDPR itself. As we have touched on in a previous debate, the applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.
Article 9.2(j) of the GDPR provides for a derogation for processing of special categories of personal data for archiving and research purposes, and references the need to comply with the safeguards set out in Article 89 when conducting such processing. The Bill makes full use of this derogation, so paragraph 12(f) of Schedule 6, the subject of Amendment 118A, tidies up the drafting of Article 9.2(j) for the purposes of the applied GDPR so that, rather than setting out the need for derogation, it refers directly to the relevant provisions in the Bill.
Paragraph 27, the subject of Amendment 119A, removes certain requirements on the Information Commissioner relating to data protection impact assessments on the grounds that those provisions exist mainly or wholly to assist the European Data Protection Board in ensuring consistent application among member states. There is clearly no need for such consistency in respect of the applied GDPR—a document which exists only in UK law—and the Information Commissioner will in any case undertake very comparable activities in respect of the GDPR itself. Paragraph 46(d), the subject of Amendment 121A, simply makes further provision to the same end, both specifically in relation to data protection impact assessments and more broadly. I hope that, with those reassurances, the noble Lord will feel able to withdraw his amendment.
I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.
On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.
Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.
On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.
I think it would be sensible to reply in writing, just because I want to get it right. It would be more useful for noble Lords to get a letter.
I thank the Minister for that offer, I look forward to a letter and I beg leave to withdraw the amendment.
My Lords, this group of amendments is about data protection principles. Our Amendments 129G and 129H would add transparency to the requirements of lawfulness and fairness for processing. Here, the directive is again being reflected, but why, since transparency is a requirement in the case of the intelligence services? I confess that I found this counterintuitive. I might have expected the services to have an argument against transparency because of the very nature of what they do, but not so law enforcement—at least, not so much.
Amendment 129J enables me to ask, as I did at Second Reading, why some activities are “strictly necessary” and others merely “necessary”. This arises in several places and this is the first example, although for good measure my Amendment 133ZJ seeks to add “strictly” to another of these—I am not sure that it was my best choice, but there you go. The point is that “strictly” calls into question just how necessary something that does not attract the term is. This may be an example of adopting language used in other legislation and directives without it having been considered in the context of UK legislation.
The Minister used the example of our seeking in the first group of amendments on these parts to change a term used in current legislation. I take that point, because it opens up a question as to whether there is any distinction. The point I am making about terminology is not a million miles away from that.
Amendment 130A concerns the scope for the Secretary of State to amend Schedule 8 by regulations. That schedule sets out the conditions for “sensitive processing”—in other words, when that processing is permitted. Should the Secretary of State be able to add circumstances when it is permitted, or to vary the schedule, omitting items from the schedule by regulations would fulfil the objective of protecting the data subject. That is very different from “adding” or “varying”.
Amendment 133ZB deals with another instance of different legislative styles. In Clause 34(1), the law enforcement purpose must be “legitimate”—an interesting term when applied to law enforcement. I suggest as an alternative “authorised by law”, a term used later in the clause, in order to probe this. In not very technical language “legitimate” suggests something wider than legal. It has elements of logic and justification and might import the notion of balance. The term comes from not only the GDPR but the 1995 directive—so there is a history to this—and there are many examples of the accepted meaning of “legitimate” in EU law. However, I am concerned about how we interpret the term and apply it in the UK. Looking to the future, what will happen when we are cut adrift from the European Court of Justice? Presumably we will have to rely on the development of case law in the UK and the different UK jurisdictions. It is worth thinking about how this may be dealt with as we go forward.
On Amendment 133ZD, under Clause 36(3) a clear distinction needs to be made “where relevant”—the amendment would delete this—as far as possible between data relating to different categories of data subject. I do not see what “where relevant” means in this context. It begs the question of whether or not something is relevant and whether the provision is applicable.
Amendment 133ZE applies to Clause 36(4), which deals what must be done—or, rather, not done—with inaccurate, incomplete or out-of-date data, which must not be “transmitted or made available”. That is the phrase used and my amendment probes the question of why the term “disclosed” is not used. There is a definition of “processing” in Clause 2, which includes,
“disclosure by transmission, dissemination or otherwise making available”.
In other words, “disclosed” would cover everything.
Amendment 133ZK relates to Clause 40, which deals with the controller having an appropriate policy document. Under that clause, the controller must make the document available to the Information Commissioner. Is it not a public document? Should it not be published? The amendment proposes that it should be. I beg to move.
My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation —affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.
My Lords, without wanting to appear ungrateful, I am very troubled by some of what we have heard about the incorporation of language used in the law enforcement directive and in the modernised 108. Simply to reflect that language, incorporate it into our primary legislation and cause confusion thereby does not seem to be a very good way to proceed. My questions about the difference between “strictly necessary” and “necessary” illustrate this well. To be told that “necessary” is a lower threshold than “strictly necessary”—which is certainly how I would read it—calls into question how necessary something which is necessary really is.
We will have to come back to this—it may be something that we can discuss outside the Chamber before Report. I wonder whether I should threaten to unleash my noble friend Lord Lester of Herne Hill—that might be enough to lead us to a resolution, but I have not consulted him yet. However, I am troubled, because we are in danger of doing a disservice to the application of these important provisions. For the moment, of course, I beg leave to withdraw the amendment.
My Lords, we debated automated decision-making under Part 2 on Monday. Clause 48 provides for automated decision-making in the case of law enforcement. No doubt we will return to the issues raised on Monday in this connection, but for now, Clause 48(1) provides that a “qualifying significant decision” must be,
“required or authorised by law”.
This is perhaps a slightly frivolous probe, but may a controller take a decision that is not required or authorised by law? If it is not authorised, how is the data subject protected?
Amendment 135 refers to not engaging the rights of the data subject under the Human Rights Act. Again, we had a debate on this on Monday and it is a subject to which we may return. I simply ask: does the Minister have anything to add to what her noble friend Lord Ashton of Hyde had to say then? He told us that human rights are always engaged—indeed they are—and that the amendment therefore did not really work but that there are, as he said in col. 1871, “appropriate safeguards”. Are the Government satisfied that the balance between processing and protection is the right one? As I say, I am sure we will come back to this issue.
Amendment 135A is to Clause 48(2), which deals with decisions based solely on automated processing. Article 11 of the directive, which I believe is the basis for this, provides for automated processing, including profiling. Profiling is a defined term, so I merely want to check that there is no significance in omitting the reference to it. I doubt there is but the language is reproduced exactly elsewhere, so this is a simple check.
Clause 48(2)(a) provides that notification of a decision must be given “as soon as … practicable”. Amendment 135B would limit this to a maximum of 72 hours. I do not want to describe what is in the Bill as open-ended but I think the Minister would accept that it is less certain than it could be, which is a pity as the requirement under this clause to notify the right to ask for reconsideration is important. I note that at another point close to this, the data subject has an exact limit of 21 days. That may not be practicable for the data subject but perhaps the Minister can confirm whether that means within 21 days of actual receipt, not 21 days of delivery, as the means of serving that notification.
Amendment 136A would insert a new provision. We have been considering some form of independent oversight of automated decision-making. That would not be quite right because we have the commissioner, who is independent, but the amendment proposes more assistance and advice in this connection and the publication of reports on the subject.
Amendment 137 proposes a new clause. We debated a more elaborate amendment on the right to information about decisions based on algorithmic profiling on Monday. The proposed new clause would allow the data subject to obtain an understanding of the reasoning underlying the processes, when the results of it are applied to him. The wording might seem familiar to noble Lords, which would show that they have read on in the Bill. The amendment would reproduce in the law enforcement part a right that is included in Clause 96 in Part 4, which deals with the intelligence services. If they can do it, why not law enforcement? I was quite surprised that they could do it and were expected to provide the underlying reasoning, but that is a good thing. I am not arguing that this would be a silver bullet for all the issues around algorithms but it would be significant. Perhaps it would be courteous and appropriate to say I understand that as regards the intelligence services exemptions, the UK is proposing one of the most advanced explanation rights in the world—tick.
Amendment 144 raises the human rights point again, in the context of the intelligence services’ automated decision-making. Amendments 145 and 146 are to ask the Government to justify decisions based solely on automated processing which significantly affects the data subject when it relates to a contract. Clause 94(2)(c) refers to,
“considering whether to enter into a contract with the data subject”,
and,
“with a view to entering into … a contract”,
with them. There must be a fine distinction between those two provisions but they are dealt with differently. These are all in Part 4, on the intelligence services. Finally, Amendment 146A is to ask whether the commissioner should have a role in the process, because there is a bit more scope for people doing their own thing in this part of the Bill than under Part 3. I beg to move.
My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.
Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,
“right to object to automated-decision making”,
within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.
In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.
My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E set outs what advice would be included “to mitigate the risk” and would be a reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards. “Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.
My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.
There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.
In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.
The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.
My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.
We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.
This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.
The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.
The Minister may wish to pray in aid article 57(3) of the GDPR, which states:
“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.
We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.
My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.
Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.
The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.
So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.
Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.
My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.
The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.
On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.
My Lords, the amendment is in my name and that of my noble friend Lord Kennedy. Clause 117 allows the commissioner to inspect personal data held on any automated or structured system where the inspection is necessary,
“to discharge an international obligation of the United Kingdom”.
Before exercising the power, the commissioner under subsection (4) must by written notice inform a controller of her intention. However, this does not apply if the case is “urgent”. Since in every other aspect of the Bill phrases such as “urgent” are usually defined, uniquely in this case it is not, so the amendment is merely to allow the Minister to read into record those cases that he might consider to be urgent. I beg to move.
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
My Lords, the amendments in this small group are probing in nature. Amendment 153C is in my name and that of my noble friend Lord Kennedy. Clause 119 places an obligation on the commissioner to publish and keep under review a data-sharing code of practice that would contain guidance on data sharing and good practice, as the name suggests. This is good, we talked about it in some detail in earlier sittings of the Committee and we have no problems with it. It continues a practice that we are well aware of and there are no particular issues arising from it, provided that it continues to be comprehensive and to provide the sort of advice that data controllers and data subjects will need as we go forward.
Amendment 153D raises the question of whether a 40-day approval process for codes should apply, in order to make it clear that codes under Clauses 119 and 120 are subject to parliamentary scrutiny and that the 40-day approval period would fit in with the procedures of Parliament. As I said, this is a probing amendment and I would be grateful to have the comments of the Minister in due course.
Amendment 154A concerns the statement that the commissioner will review and revise the codes regularly, or keep each code under review. There is no specification of the timescale or the frequency of that. I suspect that the answer will be that it will be as seen fit by the Information Commissioner—but if the Minister can shed some light on this, it would be helpful.
Finally, Amendment 154B draws attention to Clause 119(2), which says, at the top of page 65:
“Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code”.
We have already touched on this, and the procedure is not explained. I would like to confirm that, since this matter may be of interest to Parliament, it will be by the affirmative procedure. I look forward to hearing a response and I beg to move.
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.
The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.
The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing were transparent, and that the purposes of data processing were communicated to data subjects.
Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.
I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.
My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.
Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
My Lords, although the amendment’s wording is narrow, it is very much a probing amendment. I hope we will be able to range a bit further on the funding and the structure of the Information Commissioner’s Office, which depends on its ability to raise funding to survive. I will make various points on that.
In some senses the Information Commissioner’s Office is a rather strange regulator, in terms not of its functions, but of the way it has survived a number of possibilities for change and development that have been applied to other sectors of British industry, particularly those relating in some senses to data processing. If noble Lords compare Oftel, the IBM, to some extent the BBC and what has now emerged as Ofcom, they will see a change from the original structure of regulators, which were very largely bodies set up to make sure the previously public sector nature of an activity that had been privatised was done in a way that did not exclude the public interest. These regulators were largely economic in origin and have only gradually added social regulation to their parts.
In a sense the ICO’s journey is different. First, the way these other regulators have moved has not been followed, so the change from a one-off individual dealing with economic and a limited amount of social regulation to being partnerships or boards with a range of individuals appointed to take over various functions—Ofcom is perhaps the easiest example to use—has not been followed. We still have a single regulator which is independent and reports to Parliament, and I understand the structure to be that of a corporation sole, which is an issue that we might want to reflect on.
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords ChamberMy Lords, I apologise to the House because my voice is annoyingly masked. I urge noble Lords to put their hearing aids on because it might not last until I have said what I want to say.
Every now and then in this House, we have a debate of such importance and significance that the House behaves in a completely different manner from its normal routine. We have had that today. There is a sense of stillness, expectancy and interest that we do not always get, and it is important that we hold on to it because we are touching on some very important and deep issues. While we obviously need to deal with the narrow question of the amendments before us, I hope very much that the wider resonances of this debate might help unpick some of the difficulties that have been raised in our discussion and which are relevant in society today.
I am so taken by the debate we have had that I want first to mention to the House that our amendment in this group, which was laid as one of the first amendments, is an entirely “fake” amendment, if I may use that word. It is a probing amendment and does not mean anything. I can tell the House now that I will not be pressing it. I hope the Minister will do me the justice of not even bothering to respond to it because it has lost all relevance in the light of the issues that have been raised subsequently. My second point is a slightly cheeky one: since I am no longer involved with our amendment in this group and we do not have any names attached to any of the others, I will bring a completely new and independent view to the discussions. I hope that noble Lords will enjoy that.
I hope that the noble Lord, Lord Black, does not take this my final opening point the wrong way. I am not going to follow the line of the noble Lord, Lord McNally, and accuse him of crimes he is not going to commit, but this is so important that we need to come back to it in another place and at another time. I hope that he will understand that. I think that it probably needs a Bill of its own to get this right. We can discuss that later.
Okay. Trying to make sense of what we have in front of us—in this alphabet soup that we often have in complicated parts of Bills—I want to approach this in the following way. I said at Second Reading, and I repeated in the debate last week, that I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson. I do not think that anything said today should be withdrawn; it is really important stuff that needs to be resolved. But this is probably not the Bill to do that in and I will give some reasons for that.
The main worry that I have, and several noble Lords have mentioned this, is that we are talking about a package of measures that were the product of a particular time. For all the reasons that have been given, bits have succeeded and bits have not succeeded; bits have been implemented and bits have not been implemented, and I do not think that it is right for this Bill at this time to try to kick-start some of the bits that need to be looked at, particularly the amendments that relate to the Crime and Courts Act 2013. The speech of the noble Earl, Lord Attlee, was a very good introduction to those. He made a very good case for them. That case does need to be answered, but this is not the right place for that, so I do not support them.
I do not think that Amendment 179A works in the context that I am trying to sketch out. The case made by the noble Baroness, Lady Hollins, as always, was incredibly powerful and one’s heart reaches out to everything she says, which was also picked up by the noble Lord, Lord Low. We want to do something about this and we think that the way that the Government have treated Leveson 2 is a disgrace. It is a shameful way to behave, given the treatment of the victims. We must never forget that.
The third group of amendments here—the amendments of the noble Lord, Lord McNally—also makes very good sense. They are sensible amendments but, for the same reason, we should not continue with them today.
The noble Lord is giving the Government a “get out of jail free” card, unless he has something else to say. There are areas in all these amendments that have massive implications for data and data protection. If they do not fit into the scope of a Data Protection Bill, where on earth will they fit?
My Lords, I would also like to have a little pop at the noble Lord. I understand his point that this is a Data Protection Bill and not something to amend the Crime and Courts Act. Of course, I experienced significant difficulties with the clerks trying to table an amendment to try to amend that Act. But if we had a suitable legislative opportunity—another criminal justice Bill—would the noble Lord’s party support an amendment to make Section 40 of the Crime and Courts Act commence forthwith?
To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.
Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.
Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.
Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.
Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.
My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.
Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.
I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.
My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.
Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.
The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.
Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,
“must set standards by which a data controller is required to anonymise personal data”.
There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.
The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.
At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.
The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.
There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.
We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,
“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.
I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.
It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.
I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.
Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.
The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.
The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.
However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.
My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.
I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.
The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.
I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberMy Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.
I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.
It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.
By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.
My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.
Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,
“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.
Is the Minister able to elucidate what that caveat leaves out? What would not be possible?
In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,
“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,
including the,
“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.
So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.
As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.
On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.
I thank the noble Lord. As I said in Committee, we too saw no need for this. The Government have moved because they are always listening and we hope that we can make this more acceptable. I will read what was said by the noble Lords, Lord Pannick and Lord McNally, and my noble friend Lord Faulks, but I would like to press my amendment so that we might have it as a basis for further discussion before Third Reading.
My Lords, the Minister has received quite a lot of comment from around the Chamber on this and I made it clear in my opening remarks that I though the best solution was to have neither amendment. If we are to have a genuine discussion, it does not seem helpful to have in the Bill the wording which the Minister has alighted on at this stage in his conversion. It would be much better to start with a blank sheet and try to work to a common solution. I beg him to reconsider his view and withdraw his amendment; I will not press mine. We could then move to Third Reading with a clean slate.
My Lords, I understand what the noble Lord is saying. This amendment has been around the houses in government; it has had many people from many departments looking at it from top to bottom. The feeling of the Government at the moment is that it is better to have something on paper as a basis for discussion. I would like to press my amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberBefore the Minister sits down, I put it to her that, in the considerations that will take place between now and the return in January, one thing that changes between 1998 and today in terms of the Act is something we have not looked at specifically, although it comes up in the Bill. It is the need to ring-fence the Information Commissioner from any involvement with Parliament or the Government. She is answerable to Parliament, but she should not be in that sense exposed to considerations that might adversely affect her. I hope that might be taken into account as well.
I agree with the noble Lord, and we will take that into account.
My Lords, I have already spoken on this at length and I do not intend to repeat myself, but I support the amendment from the noble Baroness, Lady Neville-Jones. This is a very important database. It is not just national but international, and it is difficult to collect. That is why I am glad that an accommodation has been made to support the amendment.
My Lords, I add my voice in support of the noble Baroness’s amendment and wish it well. I suspect she has run into the logjam that constitutes the waiting list to see the Bill team and the Ministers, who have been worked so hard in the last few months. But I hope it will be possible, given that there is a bit of time now before Third Reading, for this matter to be resolved quickly and expeditiously before then.
My noble friend Lady Neville-Jones explained in Committee that Unique plays a hugely important role in providing advice and support to sufferers of rare chromosomal disorders and their carers. Some of these charities have large databases dating back many years, so we understand their desire to maintain these when the GDPR comes into force without necessarily obtaining fresh consent to GDPR standards for each data subject included on the database. When families are providing support to their loved ones, some of whom may need round-the-clock care, filling in a new consent form may not be high on their agenda.
However, they may still value the support and services that patient support groups provide and would be concerned if they were removed from the charities’ databases. If charities such as Unique had to stop processing or delete records because consent could not be obtained, they worry that this would impede the work they do to put patients and their families in touch with others suffering from rare genetic conditions, help clinicians to deliver diagnoses and facilitate research projects. We recognise that this could be particularly damaging when there is barely any knowledge of the condition other than what they may hold on their database.
Let me be clear: if there is a grey area in the Bill that puts this work at risk, the Government are fully prepared to amend it. Legislating in this area is not straightforward and I am keen that the policy and legal teams in the department are able to continue with the constructive discussions they have been having with Unique and the UK Genetic Alliance to ensure that the legislation adequately covers the specific processing activities they are concerned about, while providing adequate safeguards for data subjects. I assure noble Lords that we will use our best endeavours to work on this legislative solution as quickly as possible. If it is not ready by Third Reading, and I am afraid I cannot promise it will be, the Government will endeavour to introduce any necessary provisions at the next possible amending stage of the Bill. I will of course ensure that my noble friend gets the credit she deserves for her persistent efforts on this subject when that time comes.
Government Amendments 72 to 77 are the products of detailed discussion with the noble Lord, Lord Patel, the noble Baroness, Lady Manningham-Buller, and representatives of the Wellcome Trust. I thank them very much for those constructive and helpful discussions. In Committee we discussed the operation of the safeguards in Clause 18 and the potentially damaging impact they would have on pioneering medical research. As I explained at the time, it was never the Government’s intention to undermine such important work, so it is with great pleasure that I table these amendments today.
Noble Lords will recall that the greatest concern stemmed from the safeguard in what is currently Clause 18(2)(a). That paragraph was designed to prevent researchers using personal data to make measures and decisions in respect of particular data subjects but, as the noble Lord explained, there are certain types of medical research where this is inevitable. In the context of a clinical trial, for example, a data subject might willingly agree to participate, but in the course of the trial researchers might need to make decisions about whether the treatment should continue or stop, with respect to some or all data subjects. Government Amendment 77 addresses this concern by making it clear that the safeguard is automatically met where processing is necessary for the purposes of approved medical research. Approved medical research is defined in the new clause and includes, for example, research approved by an ethics committee established by the Health Research Authority or relevant NHS body. Importantly, the new clause also contains an order-making power so that the definition of approved research can be kept up to date.
My Lords, I have put my name to this amendment. I stumbled on the omission of Members of this House during debate in Committee, when I asked what I thought was an innocent question. I was asked to appear on the BBC’s “Question Time” after the list of Peers of which I was one was announced but before I actually arrived here. It was a fairly difficult occasion, which I remembered when I was thinking about this issue at lunchtime today. When I referred, during the discussion, to Members of Parliament, Nicholas Ridley said, “You are a Member of Parliament”. We are all Members of Parliament. We happen to be Members of the House of Lords; those who are normally called MPs are Members of the House of Commons. I regard myself as being in a representative position, even though I am not elected.
I disagree with one comment of the noble and learned Lord, which was about the amount of casework that I do. I am so conscious of the problems of getting it wrong, particularly in the area of immigration, that I try not to do that work. However, it is notable how the number of requests to Peers to intervene in individual cases has grown over the last few years. I suppose that reflects the fact that MPs are taking on more and more of what a few years ago one might have called social work. There are not the same demarcation lines as perhaps there used to be.
The casework, among other things, informs our general response to policy issues and specific proposals put before us, so we cannot exclude ourselves from all this. Ten days or so ago, in response to a request to pursue a particular case, I made the point that the individual should approach her own MP. The answer came back, through an intermediary, “She’s an asylum seeker. She doesn’t have an MP. We’re looking for anyone who can help”.
In Committee, questions on this issue were asked round the House. I recall that the noble Lord, Lord Lucas, took up the point after I had asked a question. I am very grateful to the noble and learned Lord for pursuing this matter. I hope that the Minister will accept his suggestion that this should be considered further between now and Third Reading, and that it should be dealt with at this end. I hope that the Minister will this evening assure us that it will remain on the agenda and that we can return to it at the next stage of the Bill in this House.
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
My Lords, Amendments 28 and 29 create a new processing condition for Members of this House. The Government’s view is that the provisions in paragraphs 19 and 21 of Schedule 1 are intended to reflect the unique and special nature of the relationship between an elected representative and their constituent.
Like the noble Baroness, Lady Hamwee, and the noble and learned Lord, Lord Brown, I am very aware of the important and valuable work that many noble Lords carry out on behalf of members of the public, advocating for their rights, taking up their cases with government departments and representing their interests in any number of scenarios. However, this relationship between a Peer and a member of the public is of a different nature and order from that conferred on an elected representative by their constituents. Elected representatives have particular rights and duties to act on behalf of the citizens they represent. The Government therefore consider it appropriate for them to be able to deal with urgent situations where they could not reasonably be expected to obtain consent; for example, in the case of an individual facing imminent deportation. There is no such need for Peers to be exempted from the provisions on consent. I stress again that nothing in the Bill or the GDPR prevents Peers undertaking casework if they first obtain the consent of the individual concerned.
I emphasise that these provisions are not new. The position under the 1998 Act is very similar and, in answer to the point made by the noble Lord, Lord Stevenson, it has not prevented Peers who are interested in undertaking casework doing so. Indeed, I have not found difficulty in this respect; I have just obtained consent first.
I hope I have reassured the noble and learned Lord that the Government understand the concerns raised, and that in this instance he will withdraw his amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberMy Lords, I shall not follow the noble Viscount, Lord Falkland, down the road of horseracing because I have a confession to make, which is that I have never been in a betting shop in my life as far as I know—unless I was taken in as a very young child. I have three points to make. The first is the question of what sport is, because it is vital to the amendment—which I will be supporting. Darts and snooker are considered sports. They are therefore covered by any legislation relating to sport. You have only to watch “Strictly Come Dancing”, however, to know that a lot more physical activity is involved in dancing than in either darts or snooker, yet dancing is not covered by this legislation because it is not considered a sport.
Secondly, there are differences in the drugs taken by snooker players, for instance. A snooker player would be banned if he took a beta blocker, because a beta blocker slows the heart down, slows the pulse down and slows everything down, but if any other athlete took it, it might be for medical purposes—although it would not be to his benefit or advantage to do so.
Thirdly, I gather that under this country’s present doping laws recreational drugs are banned by all sporting bodies and the UK sports drugs authority. In some countries, however, it is legal to take, for instance, cannabis—to be honest, I am one of those who think it should be legal in this country as well; it should be part and parcel of the legal system that we allow people to take cannabis. But it would be banned. If it is illegal—this question may be one for the noble Lord, Lord Moynihan, directly—and an athlete comes to this country to take part in an international event, be it football or whatever, from a country where it is legal to take cannabis, and if he has taken cannabis in the last 24 hours and it shows up in a drugs test, will he be banned from taking part in that event? Some countries allow it. Why are recreational drugs part of that authority anyway? It is a police matter in this country, not a matter for sporting bodies, therefore we ought to take recreational drugs out of the equation altogether.
My Lords, the Government must be quaking in their shoes whenever a Back-Bencher offers to come to their help. I looked across at the Dispatch Box when I heard the noble Lord, Lord Moynihan, make that offer and I saw a definite quiver come over the Minister’s face. Clearly, we are in for something rather interesting. We were entertained by the noble Viscount, Lord Falkland, with his worries about the BHA, but he said he thought that it is really quite simple at the end of the day—we need to keep the money out and sort out the betting influences that are affecting all our sports. He is absolutely right. The public have come to the end of their tether and it is time that we got this sorted: we have to keep sport clean and eliminate cheating. The data is key to this, as the noble Lord, Lord Moynihan, said.
We expect a great deal of our athletes in terms of their whereabouts and their strict liability, so we have to make sure that the systems under which they operate are fair, properly organised and regulated. In short, we have such high stakes in this that we have to be sure that we up our game—I am sorry about the puns. We should be clearer than we are at the moment about who has responsibility for what and how it is operated, and that is what this amendment is about. DCMS needs a stronger NDPB, in the form of UKAD or a successor body, and there needs to be an authority exercised with care and consideration as to how the rules will apply and to whom they apply. All these definitional points, all the concern about where it goes, are tied up in that set of constructs, which is what this amendment deals with. I think it is very powerful.
If noble Lords look back at the way in which a state was able to influence the way that the drug-testing system operated in the winter Olympic Games in Russia, they will understand how this thing has got to a new level of concern. We must have appropriate safeguards and ways of operating in place to insulate those who are trying to do the right thing from the charge that they are involved too closely. The public will stand for no less. I recommend this amendment very strongly and we will support it should it be necessary to take it to a vote. I hope that that will not be necessary, because as the noble Lord, Lord Moynihan, said, this is an area of such importance that the right thing to do would surely be for the Government to accept this amendment today and bring it back at Third Reading with a proper wording and proper consideration that will reassure any who still doubt it. In the interim, we will support it if necessary.
My Lords, as ever the noble Lord, Lord Moynihan, made his case extremely well. We on these Benches share his objectives and, indeed, most of the objectives of the noble Lord, Lord Stevenson, around clean sport, particularly putting UKAD on a statutory footing and having a proper framework around the powers in the Bill.
I know that the noble Lord, Lord Moynihan, feels that these need a proper definition and control. However, despite the noble Lord’s best efforts this amendment is not the finished article. Sadly, there are still discussions taking place. Noble Lords have had a great deal of material from governing bodies, including the England and Wales Cricket Board, the Rugby Football Union, the British Horseracing Authority and the Sport and Recreation Alliance, which by itself represents some 320 organisations.
Further discussions need to take place so that we get to an agreed position. I feel very uncomfortable at this point. All those governing bodies may be speaking with different voices, as the noble Lord, Lord Moynihan, suggests, and he has entered discussion with them in good faith, but other voices have come to us saying that they are not yet able to accept what he has put forward. There is still work to be done. I very much hope that the Minister will take on board the fact that many of us around the House, particularly on these Benches, want those conversations to continue and an agreed amendment to be brought forth at Third Reading.
My Lords, I intend to be brief, but not because this is a minor matter—quite the reverse. This is one of the biggest concerns that we should have about how we engage through the public view on the issues that affect many of our citizens. I am talking particularly here about safeguarding, especially in relation to sport, although it also has wider concerns, wherever an adult has responsibility for a child.
The public concern has mostly focused on issues such as football and swimming in recent months and the last few years, but there are wider concerns that have been dealt with under various inquiries, and we await the results. The narrow issue relating to this Bill is that those individuals or bodies that have a protective function of safeguarding children or, indeed, vulnerable adults, and need to process sensitive data, even though they have no legal obligation to do it and have no statutory function may be an issue that the Government wish to return to. There is no doubt that UK Anti-Doping has the powers that are necessary in sports. But when members of the public and their children are not being sufficiently looked after, extra vigilance must be taken, and we must ensure that the Bill in no way affects that.
I have tabled this amendment, sent to us by a number of bodies involved in sport, but there are other groups outside the sporting area with interests here. The Government are currently discussing these issues and hoping to come to a conclusion shortly. On that basis, I hope that the Minister can give us some indication of the progress that has been made here and, if he can, some sense of the timescale in which the Government will act. I beg to move.
My Lords, I will be brief. Amendment 33 seeks to introduce a condition permitting the processing of special categories of personal data where it is necessary for the purposes of safeguarding children or vulnerable adults. The Government take the issue of safeguarding extremely seriously and recognise the need for the Bill to provide certainty to organisations with safeguarding responsibilities, so I thank the noble Lord, Lord Stevenson, for raising this issue.
Organisations in all sectors wish to ensure that they have a lawful basis when they process special categories of data for safeguarding purposes. In many—maybe even all—circumstances, organisations will be able to rely on existing conditions under the Bill: for example, where processing is necessary for the purposes of preventing or detecting unlawful acts or where the processing is necessary for the exercise of functions under legislation or under a rule of law. However, I recognise that there is an argument for having a specific safeguarding condition to put the issue beyond doubt.
This is an issue which requires careful consideration and noble Lords may be assured that my department is actively working across government and with stakeholders in the voluntary and private sectors to consider the issue. We must be mindful, for example, of the broader implications of defining safeguarding and vulnerability within data protection law. Inclusion of such definitions within the Bill could have unforeseen consequences for other legislation which uses the same, or similar, terminology. As such, I can assure noble Lords that the Government are sympathetic to the objective of this amendment. However, given the importance of this issue and the potential impacts both within and beyond data protection law, we are sure that further consideration is required before any amendment can be brought forward. I can assure noble Lords that we will continue to examine this issue urgently. While it will not be possible to conclude our consideration in time for Third Reading, I am confident of doing so in time for Committee stage in the Commons. On the understanding that we will return to the issue of safeguarding in the Commons, I hope that the noble Lord feels able to withdraw his amendment this evening.
I am grateful to the Minister for giving such a precise response to this, not only on the substance, recognising the issue and confirming that it needs to be put beyond doubt that the powers will exist, but giving us the assurance that this matter will be brought back in the Commons, which is wonderful. I beg leave to withdraw the amendment.
My Lords, I support my noble friend’s amendments. The points that he made apply almost entirely to Amendments 91, 92 and 94, which relate to later parts of the Bill, including particularly the phraseology “solely” and in Amendment 94 “solely” or “partially”.
I am pleased that the noble Baroness, Lady Jones, decided to retable her amendments. What she said can be summed up as, “Human rights, so human decision”. Human beings will ensure transparency and accountability in a way that machines simply do not. The Minister smiled when the noble Baroness said that she was not sure whether she was clear on the last occasion. I rather wish that I could ask her to give us the reassurances and concessions that that smile might have indicated, but I do not know.
These issues are extremely important. I was thinking about them over the weekend and, although it sounds patronising, the Government are entirely correct to ensure that human rights are engaged in these subjects. Given how central human rights are, they cannot be thought of as an occasional peripheral, particularly not as regards law enforcement and security issues. I have come full circle to thinking that the protection of human rights should be spelled out at the start of the Bill, which would take us back to our debate on Monday about an introductory clause covering the protection of a subject where the right is not absolute because of the criteria of necessity and proportionality. I think that that should be made clear in the Bill and it would put what the noble Baroness is seeking to achieve in her amendments in the right context. I support her in this.
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
My Lords, I start by thanking noble Lords for their amendments, which bring us back to the important issues around the use of automated processing in what is an increasingly digital world. I apologise if my smile was misleading, I was just very pleased to see the noble Baroness in her place; it did not indicate anything other than that.
The range in which automated processing is applied includes everything from suggested views on YouTube to quotes for home insurance and beyond. In considering these amendments it is important to bear in mind that automated decision-making can bring benefits to data subjects, so we should not view these provisions simply through the prism of threats to data subjects’ rights. The Government are conscious of the need to ensure that stringent provisions are in place to regulate appropriately decisions based solely on automated processing. We have included in the Bill the necessary safeguards such as the right to be informed of automated processing as soon as possible, along with the right to challenge an automated decision made by a data controller or processor. We have considered the amendments proposed by noble Lords and believe that Clauses 13, 43, 48, 94, 95, 111 and 189 provide sufficient safeguards to protect data subjects of all ages—adults as well as children.
My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.
Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.
We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.
My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?
There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street— suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?
My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
I thank all noble Lords who have spoken in this short debate, particularly the noble Earl, Lord Erroll, for the idea about agency, which is an important construct that we will need to keep an eye on. He is quite right about that. I thank the noble Baroness, Lady Kidron, for reminding me, correctly, that I had got a lot of information from the IEEE, whose work on this I have praised before. I reiterate that: it has done a great job in trying to think through some of the bigger issues involved in this area. I also take this opportunity to acknowledge the debt I owe an organisation called HATDeX, which has been working in this area and from which I got the original idea of a private personal data account.
I agree with the noble Lord, Lord Clement-Jones, that this is something that will come back to haunt us. Obviously, as long as the Minister is there with her beaming smile, we will be able to resist all blandishments to come at it, but I think it will come and bite us. It was not an arbitrary thought of mine that it might be something that the ICO would want to look at it. I know from talking to the ICO that it is interested in this as well. I think the Minister is saying that the proposal, as it is, stands outside the Bill framework, but that is because the Bill focuses on a particular area, and perhaps that is a pity. But if it is not the ICO, who is it? I hope it will be the data ethics commissioner that we hope to establish in the future. I beg leave to withdraw the amendment.
I hope the noble Lord, Lord McNally, will forgive me, but I feel his comments require response. I recall at a university meeting when we had to discuss rules for debate, one student started a speech with, “I’m a liberal, but I’m against free speech”. I notice we have a very large turnout of both small “l” and big “L” liberals in the House, which usually suggests we are about to ban something. I am very sorry to be on the other side from the noble Lord, Lord McNally, who has been my inspiration and mentor for many years, but I have to disagree with him on this.
First, the proponents of these various amendments argue that these changes are not an attack on free speech but, in practice, they are. They tilt the balance against investigative journalism, scrutiny of the powerful and legitimate inquiry. The high bar introduced of necessity would have a chilling effect for anyone who has worked on practical investigations. What will happen is not so much that the law will be used, but that it will never be used because investigations will not take place.
Secondly, the proponents say that this is not about state regulation of the media, but it is. It will be done in two ways. The Information Commissioner will end up with so much power that he or she will become a press regulator whether or not he or she wishes to. That would be the impact of Amendment 55. At the same time, newspapers will be pulled against their will into Impress, which has been the burden of several remarks in this debate. That is also an aim of Amendment 55. It is simply nonsense to say that all that is being sought is voluntary self-regulation when the failure to volunteer or regulate in a state-approved way and be licensed by a state body is backed up by repeated attempts to penalise and punish, as these amendments would do.
Thirdly, the proponents say that all we will be doing is controlling behaviour, not content. I am afraid that this is wilfully naive. Impress has been named as a regulator. That choice by the panel is instructive. The behaviour of the staff and board of Impress, the body the panel has approved, shows quite clearly the agenda being followed. Its chief executive has been sharing views such as:
“John Lewis is bringing its name into disrepute by advertising in a Neo-Fascist rag”,
and:
“I do like @StopFundingHate’s campaign to defund racist media”.
This means it cannot claim to be the independent regulator the noble Lord, Lord Low, talked about. This is apparently acceptable as charter-approved behaviour, yet some noble Lords are critical that national newspapers are suspicious of the charter and fear Impress.
My fourth point is very important because the noble Lord, Lord McNally, said this in Committee. I respected it and listened to it. He said that newspapers have “got away with it”. This is not the case. People went to jail, newspapers closed and the regulatory system changed utterly. Those of us working in the industry all know and agree that there has to be change. Anyone who thinks that there has not been has not read a newspaper or been in a newspaper office since the scandal broke. I respect and understand the pressure for change, but you have to take “yes” for an answer.
Finally, there is a suggestion that the public are crying out for further regulation and more inquiries. People who advance this argument must have been in different constituencies from me. The attempt to hijack Bills to bully the press into compliance is a diversion from the public interest and there is no public pressure for it. Of course, it is right to insist on high standards of behaviour, but to introduce amendments designed to help powerful people keep secrets and to make free publication harder is an odd position for liberals. All I ask is that we do not remove protections in Britain enjoyed by Europeans. Normally, this rallying cry is very effective in this House. Let us hope that it is today.
My Lords, I had better deal with Amendment 55, which is in my name and that of my noble friend Lord Kennedy. I am loath to do so at any length, so I simply say that it will be answered by the Minister when he responds. He has partially given me the answer and it would be wrong for me to anticipate the rest of it. I reassure him that I do not intend to press that amendment.
This debate is not about free speech; it is the latest exchange in a long-running debate on how in a democratic society we enshrine the press’s freedom to publish as it sees fit, root out the culture of abuse, illegality and criminality which has for too long involved all the newspapers at some point or other, and make sure that victims can get effective redress when such abuse happens. We should not lose sight of those cardinal aims.
If the House believes that everything in the garden is rosy, as the previous speaker tried to persuade us, we can of course do nothing and simply allow the Data Protection Bill to go forward as amended. I agree that the Minister has moved a long way and agree with the noble Lord, Lord Black, that we could now rely on the processes and procedures that have worked so well since 1998—for nearly 20 years. They could be allowed to continue, because they are tried and trusted and seem to do most of what we require.
But it is not like that. One could not listen to my noble friend Lord Prescott and the noble Lord, Lord McNally, for any length of time without feeling that there is still a canker. Something needs to be cut out of what we currently do and we are failing as a House if we do not do what we must to get this right. We have a lot of problems. We had a cross-party agreement; that has gone. We have let down the victims grievously time and again. We are unable to discuss this without accusations of a ridiculous nature being thrown at us about our intentions and processes. We need to do this properly; we need to do it coolly and with some consideration. We need evidence of the changes that are affecting the press. Is it true that the traditional press as we know it is going down the tube? Is it true that fake news, other news sources and the other things that our children are reading and reporting to us will destroy our understanding in a democratic society of what it is to be informed about the way things are done? Will we lose the extremely good points made by the noble Baroness, Lady Cavendish, who said that she was an investigative journalist and proud of her record, which is exemplary? We want that to continue, but we do not want people such as the noble Baroness, Lady Hollins, to suffer as a result of it. We have to be mature about this; we have to get it right.
I have an amendment, Amendment 165, to be taken on Wednesday 10 January—buy your tickets now—which will rehash a lot of our discussion today. It is focused on running a proper inquiry into what needs to happen now to deal maturely with the issues which the press does not wish to be regulated. It tries to find a way forward, to investigate the illegality of the past and learn lessons from it. Above all, it seeks to get a handle on this whole issue and come forward with a proper set of recommendations that we can implement. I hope that the House will look at that carefully when we come to it. In the interim, my advice to the noble Baroness, Lady Hollins, whom I admire for the fantastic work she is doing and I want to be with her on it, is to withdraw her amendment now and live to fight another day on 10 January.
My Lords, the noble Baroness, Lady Hollins, has reminded us a number of times in this House of the need for suitable press regulation, and she has some interesting arguments. I am grateful for the time she took earlier this week to meet me and explain her perspective and concerns. However, the position remains that the Government cannot accept her Amendment 50A. The Government support objective, high-quality journalism and a free press. We are committed to ensuring there is a sustainable, effective business model for high-quality media. Of course, we also need a fair system and this Bill is designed to strike a fair balance between individual privacy rights and the right to freedom of expression. The noble Lords, Lord Lester and Lord Pannick, and the noble and learned Lord, Lord Brown of Eaton-under-Heywood, have just alluded to the requirement in law for us to maintain that balance. I do not seek to repeat that, but I gladly adopt the observations they made about the need for balance in the context of convention rights with regard to privacy and freedom of expression.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberPerhaps I may give the noble Lord some information which he may not have been aware of, as he may have left the Met by then. The reason that maybe up to 100 people were able to sue on the hacking was because their names appeared in the Mulcaire diaries, and the Met team kindly went and told every single person who had possibly been hacked, “They’re after you. You’re in Mulcaire’s diaries and you may care to contact some lawyers. Here are some lawyers who are doing a group action. If you join that, there is no great risk to yourself—you will be in there with a lot of others. The lawyers will be there on a no-win no-fee basis and you’re perfectly safe to do it”. That is why most of those people were able to go together in a joint action, but the thousands of individuals do not have a hope.
My Lords, I have been trying to search for words to explain what is going on at the moment. It seems to me that we are living in two parallel universes. My first thought was that we were back in World War I territory—the noble Lord, Lord Black, will get the reference—and that we were engaging in sniping over long pieces of dead ground over issues that nobody could understand, fought by people who did not want to be there and led by people even more stupid than that. But I have decided that this is the rerun of an acrimonious family dinner that we had before the break. We are now reflecting on that and trying to nerve ourselves up to talk again to each other and restore relationships, because relationships must go on.
Again, we have had these passionate stories, anecdotes and recollections of times when things have gone disastrously wrong. No amount of legal redress can undo that suffering. From others, we have heard a perfectly robust and understandable account of why things are perfectly all right at the moment and, given time, will be sorted out. I begin to think that Leveson, for all the great work he did and the excellence of his report—and the longevity of its recommendations—is a bit of a McGuffin here. This is about us and society; it is about Parliament. I tried to address some of that at the end of the last debate. We have to get serious about this and work out how to make progress. We have to restore the rightful balance between Parliament, which must be sovereign, and those who work within an environment in which Parliament seems at the moment to have been discounted.
If we do not get this sorted, we will continue to be like this for the rest of time. It is insufficient and ineffective. It will not be the way we want to live our lives and we will all be much the losers as a result. We must give credit to the noble Baroness, Lady Hollins, and her proposals. Yes, they come from Leveson—but underneath that there is the greater truth that things are not working as they could be. They should be working better.
My Lords, while we have already debated amendments that are challenging to a free press, I fear that this group of amendments would be potentially hostile to the concept of a free press. Where there are abuses the answer is to enforce the law, not to shut down the media. I adopt the observations of the noble Lord, Lord Pannick, and my noble friend Lady Wheatcroft in that regard.
Amendment 53 would remove the requirement to give special weighting to the public interest in freedom of expression and information. This is something that we consider an essential way of ensuring that information that is in the public interest is not buried due to the data protection regime that is put in place. In this context, giving special weight to the public interest in freedom of expression and information is an important way of ensuring that we provide constitutional protection of freedom of speech, as required pursuant to Article 10 of the European Convention and the Human Rights Act.
Amendments 54 and 56 relate to the codes of practice to guide journalists in conducting the essential public interest balancing test that has to be carried out. We have already debated this in the previous group, before the dinner break. Amendment 54 intends to take away the absolute requirement to have regard to the listed codes of practice when determining whether publication would pass the public interest test. This requirement is a way of strengthening the obligations on journalists. In line with the enhanced protection of the GDPR, we are making sure that those journalists who are covered by one of the listed codes must have regard to their relevant code.
In a related amendment, Amendment 56, the noble Baroness, Lady Hollins, has suggested that we alter the language of the condition on the special purposes exemption at paragraph 24 of Schedule 2 to the Bill by changing “relevant” to “appropriate”. This amendment makes it unclear which code should be consulted in a given case. We want to ensure that the code which pertains to a particular set of journalists is the code to which they have regard when carrying out the public interest test.
We are not being unreasonable in resisting Amendments 54 and 56. They may look innocuous, just slightly changing the language of the Bill, but if we are to be true to the GDPR, we must ensure that in our law we have resolved the article 85 requirement to set where the public interest lies in managing the balance between privacy and freedom of expression. If we make the use of these codes discretionary and their application vague, we will simply undermine that balance.
Finally, I turn to the amendments from the noble Baroness that aim to create a special group of exemptions only for those journalists who are members of an approved regulator. As drafted, the Bill is designed to protect journalists who should be able legitimately to rely on these exemptions when undertaking journalism in the public interest, regardless of which regulator they belong to or whether they belong to any at all. The reality of the press landscape today is that the vast majority of publishers are not members of an approved regulator. As such, limiting certain exemptions to only those who are members of an approved regulator would limit the ability of most journalists in this country to undertake investigative journalism in the public interest. Whatever the motive or the intention behind these amendments, they are, I am afraid, either wrecking amendments or amendments designed to force publishers to sign up to a regulator to which they object—and that is not acceptable.
Section 40 of the Crime and Courts Act 2013 was mentioned. As we have previously discussed, the Government are currently considering Section 40 with regard to part 2 of the Leveson inquiry. We do not believe that using data protection legislation is an appropriate means of trying to incentivise compliance with, for example, Section 40.
The noble Lord, Lord Stevenson, observed just three weeks ago, and earlier this evening, that this is not perhaps the place for this debate. He commented:
“I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson”.—[Official Report, 22/11/17; col. 195.]
I concur with that observation, which he just reinforced with his observations about the need for us perhaps to look more clearly at what the real issue is rather than being distracted by trying to act as tail-end Charlies to a particular piece of legislation on data protection.
There will be a response to the consultation on Section 40 and Leveson 2, but I shall make one comment with regard to the suggestion about delay in that consultation process. Noble Lords may recollect that the Secretary of State was the subject of a judicial review application which made it impossible for her to proceed with the consultation because the terms of the consultation were the subject of legal challenge. Thereafter, when the consultation proceeded, there were more than 174,000 responses. They had to be analysed and considered, but the fact that there was that number of responses perhaps gives weight to the observation of the noble Lord, Lord Stevenson, about there being an issue that needs to be addressed, and therefore we must look forward to the response to the consultation. I invite the noble Baroness to withdraw the amendment.
My Lords, I am grateful to my noble friend Lord Kennedy for supporting me and to the noble Lord, Lord Clement-Jones, for adding his name to this amendment, which is one in search of an easy resolution—and I hope it can be done very quickly. The Minister and his colleagues have from time to time had to animadvert the recitals of the GDPR as evidence and support for claims that they make. I have no concerns with them doing that because I am quite happy with the recitals—I like them, understand them and think they are rather useful things to have around. What I do not understand is how that will happen when we go to the applied GDPR, when the only issue that will be able to be tested in court, as I understand it, is the GDPR itself. Therefore, I went to the Public Bill Office. Normally, its staff are difficult friends for an Opposition seeking to amend a Bill. They throw unforeseen, difficult and complicated legal issues in our way and make it very difficult for us to get to where we want. However, on this occasion, they said, “Leave it with us. We know exactly what you want. We will put an amendment together that will satisfy every concern you have”. It is there in front of us as Amendment 81, which I beg to move.
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, the noble Lord, Lord Deben, said that a small number of people do everything in small communities. It sometimes feels like that here. I do not think that we need to say much more; all the issues have been raised and I am sure that when he responds, the Minister will answer some, if not all, of the questions. The underlying theme is that we do not want to spoil what is a very good Bill with desirable aims by failing to pick up all the areas that it needs to address, because there will be benefits from it, as we have heard. I think that the Government understand that, but they must not be in the position of willing the ends of policy without also willing the means.
My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.
My Lords, in earlier amendments I have tried to interest the Government in the idea of establishing what I loosely call a copyright of one’s personal data. Another possibility put forward in a different amendment is that one could think of data provided by individuals as matters that would be controlled by them through the role of a data controller. I am not trying to be in any sense critical of the Government’s response to this but I think I was ahead of my time—a nice place to be if you can—and I do not think the idea is quite ready to be turned into legislative form. I suspect that the solution lies in a data ethics commission, an idea that we will come to later in the agenda. Such a commission may be established by statute, either today or through some future legislative process, so that we can begin to think through these important issues. I was interested in a lot of what the noble Lord, Lord Mitchell, said in his introduction of the amendment because it has bearing on these issues.
I agree with the noble Lord, Lord Clement-Jones, that we are not quite there yet. However, worrying issues have been raised that need to be addressed, particularly in relation to data that is acquired, used and commercially exploited without necessarily being certain that we are getting value for money from it. The amendments are relatively mild in their exhortations to the Government, but they certainly point the way to further work that should be done and I support them.
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
My Lords, we are very grateful to the Government for introducing Amendment 118. We still believe that they could and should have gone further. Taking the example of the Investigatory Powers Act 2016—the fact that Ministers are unable to authorise interception without oversight by an independent judicial commissioner of that decision—we wonder why that sort of oversight could not be applied to these certificates as well. Clearly, we are grateful to the Government for going as far as they have done. We are just disappointed that they did not go as far as we wanted.
My Lords, my noble friend Lord Kennedy is not available at the moment. He is occupied with a personal matter and has asked me to say that he supports the words of the Minister. She has listened to concerns. It is very welcome that she has done so and we agree with the amendment.
My Lords, I sense that the House wishes to move on, to hear from the Minister and move to the inevitable vote, which I think would be a good thing for all of us. Therefore I will not speak at length. We have had a really important debate today, ranging from the deeply personal to the high realms of public policy, and it is very hard to find a balancing point at which we might, as the noble Lord, Lord McNally, has just said, actually find a reason for dividing on the various issues. It is complicated and multilayered. It is also time-sensitive and there are very inconvenient issues in the way. However, one can dig down a little and start with the fact that the Bill, as I have always said and will continue to say, is not the right Bill to solve all the problems in relation to press regulation in the future. It is a Bill about data protection and although it has elements that obviously bear on everything we have been saying today and in the previous debates around the need to balance the rights to privacy against those of freedom of expression, it is not a complete picture and we should not think it is.
It is important that we learn our lessons and move forward. We have an existing framework, set out in the Data Processing Act 1998. It has worked well; it has been said that it will work well in future, and the Bill establishes that again as the basic understanding on which we operate. I welcome that, but we are uncertain about how the issues that were raised between 2010 and 2013, the period that led to Leveson 1, are going to be resolved in the Bill—maybe they cannot be. They include the need to ensure that, for all time, there is an effective redress mechanism for those affected by illegality and bad culture in the press, and that we should understand and learn the lessons of what has happened in the past. We certainly have a lot of information but I do not think we have a full understanding of it all.
As has been said by a number of noble Lords, we must anticipate changes that are in train for the new media, the media sources of information and news and the changes in consumption. We have to explore—this is really important—how we sustain our huge tradition of quality journalism without which this democracy would be a shadow of its current self. My noble and learned friend Lord Falconer, in a very powerful speech, said we need to go back and rethink what we were thinking at the time Leveson was set up, the promises that were made and the impact it will have on the country if we do not deliver on those promises. We promised the completion of the Leveson inquiry. Whether it is Leveson 2 or another inquiry is a lesser point than the need to honour that promise. Too many people are relying on it, too many people will be upset if it does not happen and we will all be the losers.
The noble Viscount, Lord Hailsham, said that this is really a policy issue, not an issue around data processing: noble Lords will have understood from what I said earlier that I agree with him. The problem is that we do not control policy—we are unable to put any pressure on that. The victims do not control policy. The Cross-Benchers and Liberal Democrats do not. The Government control policy but successive Governments have seemed unable to move forward. I happen to think, from private conversations, that a lot more unites us on this issue than divides us across this Dispatch Box.
I would welcome some words from the Minister explaining precisely what will be the way forward. However, I do not think he will be able to do that, for all the reasons that have been given about the inconvenience of timing, the difficulty about cutting across other measures that are in place and the need to think through some implications. I am sympathetic, but the problem is that we need action; we need to move this forward, and the only power we have is to put an inconvenient roadblock in the current thinking. That is why I support the amendment in the name of the noble Baroness, Lady Hollins, and I will support—although I think that they are probably not the whole story—the amendments in the name of the noble Earl, Lord Attlee. It is important that the Government own up to the fact that this is a problem of their own making, show that they understand the issues and take action.
My Lords, the Government recognise that there is great deal of passion and genuine concern on all sides of the debate and on all sides of the House on these matters. I am obliged to the noble Baroness, Lady Hollins, for the passionate way in which she advanced her argument on these amendments, and also to the noble Earl, Lord Attlee. Casting my mind back to my limited experience in government—and limited it is—I am slightly perplexed. Usually, Government are accused of seeking to avoid issues or hard decisions and of kicking matters into the long grass by proposing an inquiry. For me, it is a novelty that the matter should be reversed in this fashion. Indeed, I note that a number of noble Lords have made the same observation in various ways in the course of this debate. For us, it is a matter of concern that we should move forward and look at how we can maintain a suitable, appropriate and respectable media for this country, but also the freedom of that media, which underpins our democracy.
It is appropriate to notice that the media landscape has changed significantly since the Leveson inquiry was set up. We have witnessed the completion of three detailed police investigations, extensive reforms to policing practice and significant changes to press self-regulation, which have moved on even further in the recent past, with the changes to IPSO. Of course, we have seen that civil remedies, civil proceedings, provide an effective route for parties, particularly in the context of litigation where conditional fee agreements are available. The Government published a consultation in November 2016 to look at whether part 2 of the Leveson inquiry was still appropriate and, indeed, proportionate and in the public interest.
I note that date, November 2016, because one noble Lord referred to the delay. I just make the point, which I have made before, that progress on that consultation was delayed because the Secretary of State was subject to an application for judicial review with respect to the consultation process. It was not a case of the Government trying to delay that process; we were really quite anxious to bring it forward. Once we were able to proceed with that consultation process, we received more than 174,000 responses. That in itself demonstrates the depth and strength of public feeling on this issue.
We are currently consulting with Sir Brian Leveson as the chair of the inquiry. Sir Brian has asked to see the results of the consultation, along with individual responses to the consultation that were submitted by core participants in the Leveson inquiry. I notice that the noble and learned Lord, Lord Falconer, observed that Sir Brian’s views need to be canvassed. I entirely agree: that is what we are in the process of doing at the present time. It is not only right that his views should be canvassed in this context, it is actually necessary. The Leveson inquiry has not been terminated; it proceeds under the Inquiries Act 2005 and it cannot be brought to an end until the Government have formally consulted Sir Brian and considered his comments with an open mind on how to proceed further. That consultation is in train. When Sir Brian has shared his formal views with us, we will look to publish the Government’s response to the consultation. It would be our intention, subject to Sir Brian’s views, to publish his response at that time as well, in order that that can be in the public domain.
Amendment 127A in the name of the noble Baroness, Lady Hollins, assumes that the existing inquiry will be brought to an end, but, as I say, that decision has not—indeed cannot—be taken at this stage. If, for example, Sir Brian produces compelling reasons for proceeding with part 2 of the inquiry in some shape or form, the Government would have to give reasonable consideration to those representations and will do so. However, we clearly do not need two public inquiries going on at the same time into the same issues: that is where we would end up, on one view of this process. We have to take events in their proper order and this amendment is plainly not in its proper order; it is plainly premature and cuts across the present statutory process that is being carried on pursuant to the Inquiries Act 2005.
However, I emphasise that the Government are determined to address the challenges of the new media landscape in which we all live—not just the obvious printed media but the digital media and the issues that turn on that. We are in the process of developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to help keep people safe online and ensure that personal information is used appropriately. We are also working to deliver on a commitment to ensure a sustainable business model for high-quality media online. Again, that underpins freedom of expression and our democratic way of life.
These are matters of active consideration for the Government. It is in these circumstances that I emphasise that the noble Baroness’s amendment is not appropriate at the present time and would simply lead to confusion in this already difficult landscape. Let us move on: let us complete the process in which we are currently engaged; let us receive Sir Brian’s representations with regard to the consultation process; let the Government make a decision by way of their response to that consultation; let us look at it—the idea that it would not be examined in this House is almost mythical, to be perfectly candid. Of course it will come under scrutiny in this House. I would be amazed if it were simply to pass unnoticed in the night. There can be no question at all of that happening.
Turning briefly to Amendments 147 and 148, again, I recognise that these are modelled on Section 40 of the Crime and Courts Act 2013 and I recognise that Section 40, and press regulation more generally, is a matter that people have incredibly strong—and diverse and conflicting—opinions about. I understand and appreciate the work that the noble Baroness, Lady Hollins, has done in this area and I appreciate her own personal exposure to the difficulties that have emerged in the past with regard to the abuse and misuse of personal data. Again, I reassure noble Lords that the Government are firmly committed to ensuring that the sort of behaviour that led to the Leveson inquiry never happens again. We are determined to address that.
However, we cannot ignore the various concerns that have been raised regarding Section 40. I am not going to go into the issue of convention compliance or any technical issues about that; nor will I elaborate upon the point that Section 40 does, albeit by agreement between various parties, go further than the actual recommendations in Lord Justice Leveson’s original report. Again, that is why the Government have issued their consultation, which will look, among other things, at Section 40 of the 2013 Act. That matter will be addressed. As I say, the Government will publish their response to the consultation shortly. When I use a term such as “shortly” I see some rolling of eyes but let me be clear: the response to the consultation will await the opportunity for Sir Brian to make his own submissions. We will then give due consideration to those, as we will to the 174,000 responses to the consultation.
We understand the serious nature of the matter before us and it will be fully addressed but we do not believe that at this time it is appropriate to advance a provision similar to Section 40 but only in relation to data protection. There is a much wider issue at stake here and that is the issue that needs to be properly addressed and bottomed out. At the end of the day it would not be appropriate simply to carve out one provision on data protection for the purposes of this Bill in order to replicate the sorts of provisions that we see in Section 40 of the 2013 Act.
Of course we have to cast our minds to the abuses of the past but if we are going to make effective policy we have to look to the future and determine how the balance of interests is going to be achieved between the right to data protection, the right to privacy and the need to maintain a free and vibrant media and free expression. These amendments cut across the proper process that we are now following regarding part 2 of the Leveson inquiry and Section 40 of the 2013 Act. That work is ongoing. Of course we are determined to maintain that work and to bring it to a conclusion. This is not the time or the mechanism by which to try to address these issues. I fear that doing so would complicate an already complex picture. I urge noble Lords to withdraw or not move their amendments.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.
My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.
I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.
Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, the Government introduced quite late in the proceedings in Committee a group of amendments that set up a parallel system under which data processing undertaken by government departments could be considered to be governed. Our Amendment 176 attempts to ask some questions, and in that sense it is a probing amendment. It probably does not work as it stands, on reflection, but it raises important points. Because the Government introduced the amendments so late in the day, I feel justified in asking for a response to some of our questions around them. The scrutiny that we could have given to the amendments did not take place, and I am grateful to the noble Lord, Lord Clement-Jones, for adding his name to the amendment and look forward to his comments later.
The main purpose of the amendment is to get on record from the Secretary of State a set of answers to questions. To be clear, we are talking about the framework for data processing by government to which the original amendments apply, and to which our amendment refers, covering all data held by any public body, including the NHS. It is both outside the ICO’s jurisdiction and under the direct control of Ministers. The courts are bound by the framework, as are tribunals, and a special case exists only for international law. I am not quite sure how that works, so maybe we can get some answers on that. There may well be updates, but if there are changes, they will be applied retrospectively. It is quite a significant package in terms of powers. I understand that there may be nothing wrong with that if everything else is working. In a sense, if one wants efficient government and effectiveness, one is asking for such things to be in place. I am not criticising that.
There are questions. First, on the name, why is it a framework and not a code of practice? Codes of practice are defined in the Bill and have considerable consequences as a result. There is a standard for developing them and a process under which they take place. There are regulatory arrangements and the involvement of Parliament, but that does not apply to the framework. In other words, the Government’s own data does not go through the processes that apply to other data.
Why do the Government’s proposals exempt public sector processing from normal data protection law? Surely if the concern is about making sure that a subject’s data is always looked after properly, and data controllers, whoever they are, are doing it in accordance with the procedures set out at length by the Bill, in the GDPR and in the derived legislation that will take place—if we leave—under Brexit, all we are getting is a way of keeping people out of any consideration regarding the data that is held by government. Citizens’ data should really belong to citizens and we should not have a situation where it is looked after by Ministers on behalf of Ministers and there is no external view.
One could make a strong case—I am not necessarily doing that, but others have—that the Secretary of State has the power to create their own framework for the data protection of their own data and their own department. They can ignore completely what the Information Commissioner may say about that framework—she has no locus in that. The framework can be brought to Parliament but it is a negative procedure, not an affirmative one, so it is very difficult to scrutinise. We can vote against it; we can certainly discuss it if we see it in time, but it will not be at the same level of scrutiny as perhaps applies to other matters. Barriers can be raised, and the ICO’s enforcement mechanisms can be fettered, extended or changed.
I am sure that the Minister will have good answers to that and I am in no sense trying to attack the basic principle. I just wonder whether there is not a case here for Caesar’s wife—excuse the old-fashioned language, but it is a quotation, not a reference. Caesar’s wife was always required to be above suspicion, above any other public person in Rome of the day. I say that with detailed knowledge having just been to the RSC’s performances of the Cicero plays, as I think I already mentioned. Sorry if I am boring people.
Nevertheless, it raises in one’s mind the issues of standards and propriety in public life in a forceful way. Blood was more common then than it might be today, but the issue is right. If you are in a public position and a public responsibility is placed on you, you must not only be above reproach, you must be seen to be above reproach. I am not sure that the government amendments satisfy that. I beg to move.
My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.
Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.
To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.
But I think that the noble Earl would accept that the last time a negative instrument was prayed against successfully was something like 1940—certainly a long time ago—and it was about the use of petroleum with open flames.
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?
I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.
I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.
Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.
Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.
In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.
Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.
On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.
I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.
I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.
My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
I am very grateful to the Minister for that response. That is probably the right way forward, and I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, when we debated the right to data protection on Report, the House decided to opt for a declaratory statement, as opposed to the creation of a new right enshrining Article 8 of the European Charter of Fundamental Rights into UK law. In that debate, my noble friend Lord Ashton committed to consider further a number of points made by noble Lords, in particular the suggestions of the noble Lord, Lord Pannick.
Government Amendments 1 and 2 are the result of our further consideration of this matter. Amendment 1 concerns fairness. Data must be processed fairly. We previously took the view that this is clear and does not need repeating. The requirement for processing to be fair can be found in article 5(1)(a) of the GDPR and Clause 35(1) of the Bill. None the less, Clause 2 is entirely declaratory and, if it helps understanding, there is little to object to in this repetition, and our amendment inserts a reference to fairness.
Amendment 2 concerns the right to rectification. The right to rectification is in article 16 of the GDPR, which will soon be part of our domestic law. It is also found in Clause 46 of the Bill. As with the previous amendment, if it helps, we have no objection to covering this matter, and the amendment inserts the reference.
The data subject rights and the controller-processor obligations set out in the Bill are subject to specific limitations, restrictions and exemptions and in this clause and these amendments to the clause we do not change that, but hope that these amendments add to the value the declaratory clause has, as we previously agreed.
It was suggested to us on Report that we should also add reference to “proportionality”. I am grateful to the noble Lord, Lord Pannick, for taking the time to discuss this with me, and to the noble Lord, Lord Stevenson, who has also had several conversations with my noble friend Lord Ashton as well as the Bill team. I am sure that the noble Lord, Lord Stevenson, will speak more fully on this point in the context of his Amendment 3 but it may help the House if I say a few words on this now.
The GDPR takes effect in May and will be part of domestic law when we leave the European Union. There are 26 references to proportionality in the GDPR. In resisting this amendment we are not saying that proportionality is irrelevant or a concept we are avoiding, but we cannot simply say that the restriction of personal data rights must be proportionate. That oversimplifies a complex issue with unintended consequences. I will sit down but I will return to this once the noble Lord has spoken to his amendment.
My Lords, I have signed up to Amendments 1 and 2 in the name of the noble Lord, Lord Ashton of Hyde, and do so in support of the position that we reached after considerable discussion and debate. The noble and learned Lord, Lord Keen, mentioned a few of the occasions on which we discussed these matters but did not refer to—perhaps it would be embarrassing to do so—the flurry of paper that accompanied those discussions, when drafts were traded back and forth as if they were some bitcoin or equivalent, and people snapped at them in excitement and feverishly opened emails when a new draft appeared. That is not overstating the case.
I jest slightly but stress that, as noble Lords will be aware, this issue was raised on day one of Committee. That signified a sense on our side of the House that this matter was so important that it needed to be addressed early on in the Bill. We have moved our position considerably during the discussions; we were wise to listen to the voices raised at that time. I look at no one in particular but the general voice to which we listened was that more time was needed to think through the implications of this amendment and try to come to an appropriate conclusion on it. That time has been well spent. We have looked at various ways of doing what we set out to do, we have thought hard about the Government’s response, and we have been happy to have meetings and discussions and, as I said, we traded possible options. The conclusion we reached—in keeping with the main thrust of the Bill, which has a large amount of detail in it that is of a signposting nature so that those who read it understand correctly where the source documentation and source principles can be found—was that it would be appropriate to have at the head of the Bill a statement around the basic rights which personal data processing involves and for which the protection and privacy issues are so important.
Therefore, in support of both the original amendment placed by the Government on Report, which was voted in after debate and discussion, and in full support of the amendments to that, which would include “fairly” and,
“and to require inaccurate personal data to be rectified”,
we are happy to sign up and support this amendment today. However, as the Minister said, a couple of other issues were raised in the context of those debates, one of which is this question of proportionality. He has given a sense of why the Government have resisted our approach, and I will spend a couple of minutes just to make sure that we have explored this properly in the context of this Third Reading.
The point about proportionality is that it can, as I think he has argued and will argue again, be brought into the very drafting of the Bill. It is suffused throughout the GDPR and exists alongside a number of other documents to which we will still be bound, both while we are in the EU and should we leave, in the light of current legislation that is going through the other place and is soon to come to this House. It is therefore possible to argue—I hope that the Minister will reflect a little on that when he speaks again—that proportionality is a matter of fact to be determined by the readings that one makes of the Bills that pass through this House. I am sure that there is a better way to express that in legal language but that is the sensibility I take from it.
However, the point made by the noble Lord, Lord Pannick, which is reflected in our amendment, is that at times in the future adjustments may be made as a result of changes in legislation itself or perhaps because of judgments made by courts that hear data protection cases, and that other strands of thinking, points and issues may come to bear on the relationship which an individual subject has to the data controller and on the relationship which the whole has to the law. In that sense, Amendment 3 in my name is an attempt to try to add to the present signposting amendment—that is all it is trying to do—that proportionality is not just fixed as of today’s date or the date the Bill receives Royal Assent but that it is to be brought forward on all fours with the Bill and the Act as that Act progresses. On Report the noble Lord, Lord Pannick, observed that Her Majesty’s Government’s amendment on Report made no mention of the principle of proportionality, despite it being an important element of the European Charter of Fundamental Rights, and noted that it featured in the wording we are putting forward. The response “We don’t need to do this because it is already well cooked into the Bill, the GDPR and the applied GDPR” may not take into account the issue I have been raising, which is about what will happen in the future. If the Minister can reassure us on that point, I would have little difficulty in not pressing the amendment, but at the moment I would like to hear his comments before I respond.
My Lords, I take this opportunity to further reassure noble Lords that proportionality is a concept that has a continuing role in the Bill. Not only will the obligations in the GDPR carry over to domestic law but they will continue to apply to the Government. If Ministers are minded to use the powers in Clauses 10 or 16, for example, that allow new processing conditions or exemptions to be created in the future, they will need to continue to be proportionate. Further, the courts will continue to apply a proportionality test where appropriate. The Human Rights Act ensures that any public body must act compatibly with the convention, and as data protection is within Article 8 —the right to privacy—the public authority must act proportionately.
Clause 6 of the EU withdrawal Bill has the effect that any question as to the validity, meaning or effect of any retained EU law, including the GDPR, is to be decided, where relevant, in accordance with any retained case law and any retained general principles of EU law. Proportionality is one of those retained principles, so it will live on for as long as this legislation is in force.
Indeed, leaving the EU will not shake proportionality out of our legal system—it has worked its way into public law. Any public body acting disproportionately must be at risk of being challenged. Whenever any public body acts, it must act compatibly with the convention rights. Where qualified rights are concerned, such as Article 8 of the convention, which has been held to encompass personal data protection, there exists a requirement for that action to be a proportionate means of achieving a legitimate aim. So to that extent it is implicit that the Executive as well as data controllers must act in a proportionate manner. With that explanation, I invite the noble Lord, Lord Stevenson, not to press his Amendment 3.
My Lords, Clause 124(4)(b) refers to the United Nations Convention on the Rights of the Child, which defines a child as a person under the age of 18, so we can assume that that is the working principle. Clause 124, introduced at a previous stage by an amendment from the noble Baroness, Lady Kidron, talks about age-appropriate design, and so presumably that means appropriate at different ages—for example, safeguards for those aged 12 will be different from those for people aged 16 and 18. Bearing in mind the United Nations convention definition, will the Minister confirm that that is the working principle for this Bill?
My Lords, I do not wish to detain the House. I thank the noble Baroness for raising the point; clarity is always important, as we have learned, and she is right to put her finger on it. However, the point made by the noble Lord, Lord Paddick, is correct.
We run the risk in this Bill of pouring fuel on an already raging fire: the more we try to focus on children as a group, the more we demonise and make difficult the Bill’s attempts—through an amendment we all supported on Report—to raise our sights and find a way of expressing how all people are dealt with in terms of internet access, with particular reference to those with developmental or other support needs to whom the word “child” could well be applied. But that does not mean that we want the more generic approach to fail because it did not mention vulnerable adults, the elderly who may be struggling with internet issues, those with special needs or others. These groups all need to be considered in the right way, and I am sure that, in time, “age appropriate” may not be the most appropriate way of dealing with it. It does get us to a particular point, however. It was a historic decision that we took on Report to do it this way, but we need to have an eye on the much wider case for a better understanding of under what conditions and with what impact those of us who wish to use the internet can do so safely and securely.
My Lords, I feel confident that I will be able to reassure the noble Baroness and other noble Lords who have spoken this afternoon.
Child online safety is an issue close to the heart of the noble Baroness, Lady Howe, and everyone in this House. It is right that children in the UK should be granted a robust data regime so that they can access online services in a way that meets their age and development needs. It was with this goal in mind that the Government, with a great deal of support from a number of Peers from all sides of the House, led by the noble Baroness, Lady Kidron, agreed and supported her amendment. It introduced a requirement on the Information Commissioner to prepare an age-appropriate design code. This amendment was the product of many hours of discussion and days of drafting and redrafting, and I am glad that it was accepted with no dissenting voices in this House. The code will contain guidance on standards of age-appropriate design for relevant online services which are likely to be accessed by children.
The aim of Amendment 4, as explained by the noble Baroness, is to add a definition to the age-appropriate design code to define “children” as those under the age of 18. We are determined to ensure that children of different ages are able to access online services in a way that is safe and takes into account their different needs. For that reason, we included in Clause 124(4) a requirement that the commissioner must have regard to the fact that children have different needs at different ages, and in Clause 124 (4)(b) that the commissioner must have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. So I maintain that it is explicitly included in the Bill.
Article 1 of the United Nations Convention on the Rights of the Child defines children as,
“every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier”.
As such, the existing age-appropriate design code, which requires the commissioner to have regard to the convention, already addresses the point that the proposed amendment is making.
Article 2 of the convention obliges state parties to respect and ensure the rights in the convention to each child—all those under 18. By requiring the commissioner to have regard to the convention, Clause 124 ensures that in order to comply with the requirements for the code on age-appropriate design, children up to 18 would need to be considered. Therefore, the existing age-appropriate design code already ensures that the commissioner must have regard to the different needs and rights of children under the age of 18, and as a result this amendment is not necessary.
Not only is the amendment unnecessary, it is potentially unhelpful. One of the key features of the existing age-appropriate design code is that it recognises that children have different needs at different ages. The proposed amendment risks undermining this important point by presenting children as a homogenous group. The needs of a child aged 17 are very different from the needs of a child aged 10 and it is right that the requirements of the age-appropriate design code reflect that.
The noble Baroness asked—the noble Baroness, Lady Kidron, also alluded to this—whether the Bill is consistent in its approach to children. As I said, children are human beings under the age of 18. That is the consistent approach we are taking on this legislation. But the Bill works in tandem with the GDPR and we cannot amend the GDPR. Nor does the GDPR allow member states to come up with their own definitions, so we interpret the GDPR as adopting the definitions from the UN Convention on the Rights of the Child.
There are of course differences between young children and older children, and the provision needs to be age appropriate. A child who is 12 years old may consent to having their data processed in the offline world. Clause 201 ensures that is consistent in Scotland as well as England and Wales. A child who is 13 years old may consent to having their data processed online. That is provided by Clause 9. Any website or app maker providing services for children—meaning everyone under 18—will have the benefit of the code of practice on age-appropriate design provided by Clause 124. Of course, the law generally makes different provision for older children and for young children—for example, the age of sexual activity, marriage and serving in the Armed Forces.
There is a risk that the proposed amendment to the clause on age-appropriate design could also have serious unintended consequences. The Data Protection Bill contains numerous references to “children”. We cannot agree to an amendment that could have implications for issues elsewhere in the Bill.
Finally, it is worth emphasising that the existing wording of the age-appropriate design code is completely consistent with the wording of the general data protection regulation, which itself does not define children. I hope I have reassured the noble Baroness and as a result she feels able to withdraw her amendment at this late stage of the Bill.
My Lords, we should all thank the noble and learned Lord, Lord Brown, together with officials of the House, for having prompted these amendments. In thanking the Minister I want also to mention in dispatches my noble friend Lady Hamwee. She highlighted this point early on in Committee, I think to the incredulity of the House at the time because it was thought that it was only Members of Parliament who should have the exemptions in the Bill. These elegant solutions demonstrate that parliamentary privilege covers both Houses.
I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.
Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.
My Lords, I am grateful for most of the comments. It is a pity that the noble Lord, Lord Stevenson, had to bring up the one bit that did not quite go through, but as he says, I am sure that we can rely on the other place.
My Lords, I congratulate the noble Earl on the assiduous way in which he has pursued these issues on behalf of the insurance industry, and thank the Minister for his close engagement on them. We very much welcome these amendments but I have a couple of clarificatory questions for the Minister, the answers to which would be helpful in making sure that we all understand the exact position of the insurance industry relative to these new provisions.
The proposed derogation to paragraph 13A of Part 2 of Schedule 1 does not specifically address the processing of data relating to criminal convictions or offences. First, can the Minister confirm that paragraph 28 of Part 3 of Schedule 1 may be read in conjunction with paragraph 13A of Part 2 to permit the processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management or related money laundering and anti-fraud activities? The reference in paragraph 13A to,
“racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health”,
would appear to preclude this, but we assume that this is not the intent.
Secondly, can the Minister confirm that the processing of special category data or data relating to criminal convictions or offences by insurance companies and related intermediaries, such as reinsurers and brokers, for the purposes of conducting insurance-related business and managing claims will be regarded by the Government as purposes that are in the “substantial public interest”?
My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.
If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.
The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.
The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.
My Lords, I am grateful to the noble Earl, Lord Kinnoull, and to the noble Lords, Lord Stevenson and Lord Clement-Jones. The noble Earl is absolutely right that there are various names for different insurance contracts, including reinsurance and retrocession, but they are all contracts of indemnity. The schedule absolutely covers all types of insurance, including reinsurance and retrocession contracts.
As for the clarificatory questions asked by the noble Lord, Lord Clement-Jones, they are very reasonable because this is not an easy part of the Bill to understand—even for people who have been looking at it for many weeks, as we have. First, he asked whether the provision permits processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management, and for insurance purposes. Technically speaking, paragraph 13A, introduced by Amendment 16, does not permit the processing of criminal convictions data because it exercises the derogation provided by article 9(2)(g) of the GDPR. Criminal convictions data is regulated by a separate article of the GDPR, article 10, but the noble Lord will be pleased to know that Amendment 17 extends paragraph 13A so that it also covers criminal convictions and offences data.
Secondly, as for the processing of special category data by insurance companies and related intermediaries such as reinsurers and brokers, which are important, as is managing claims, the noble Lord asked whether that will be regarded by the Government as purposes that are in the substantial public interest. The answer is that the Government have introduced paragraph 32A because they believe that the provision of core insurance products is in the substantial public interest. However, the world of insurance is an exciting and dynamic one—no, really it is—and controllers must be accountable for their own particular processing activities. I hope that answers his questions.
My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.
We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.
I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.
There is just a slight sting in the tale. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.
Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.
Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:
“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.
On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.
My Lords, from this side of the House, I also thank the Bill team, as I think I can call them. What we faced when we first came across the Bill was a beast—a beast dressed up as legislation but a beast in many ways. As the Minister said, we got round most of it but then discovered there were another 250 amendments coming down the track from the Government. Although they were dressed up as being small, trivial things, you have to read them and understand them, and they add a little to one’s workload.
If we did not learn to love the Bill, we certainly at least respect it. It is a good Bill, now much better than it was before. I hope it will have the longevity of its predecessor, the 1998 Act. It has the same aspirations and aims but, because of the inclusivity of the age-appropriate design and other matters that the noble Lord, Lord Clement-Jones, mentioned, it also begins to shape the debate that we still need to have about how and under what conditions we as a mature democratic society wish to engage with those who provide information, data, statistics, facts, communications and other things in relation to the electronic world in a way that is, if not comparable to, at least as effective as what is applied in the current non-virtual world. That is not the subject of the Bill, I am afraid, but it is something that will trouble this House now and in the future. We should not shy away from it because at its heart lies the future of our society. Morality and ethics are dimensions that we have not yet touched on in the Bill; they are still to come. They may well be foreshadowed for us by the creation of a data ethics commissioner of some kind. I welcome that and hope it will come forward quickly. Without it, we really are not in a very good place, despite the strength of the Bill.
For my part I am grateful to my noble friend Lord Kennedy and to my apprentice—if I can call someone of such distinguished age and experience that—my noble friend Lord Griffiths of Burry Port, who is going to take over my responsibility here in the main, although, as the Minister said, I am not leaving the Front Bench; I am simply moving sideways to accommodate those with greater skills and abilities than I have myself.
I have enjoyed the Bill tremendously. It is the sixth Bill that I have done with DCMS, and five of those have been with the current team. With familiarity comes a certain ability both to see through the artifices as they come at you but also to recognise a true offer when it comes, and both sides have benefited from that. We understand some of the pressures a bit more, particularly the difficult time that any Bill team has when it is agreed to move forward but the processes and procedures in Whitehall are so slow that they cannot keep pace with our aspirations for doing it. That is very frustrating for all concerned.
On that point, but not related to the mechanics, there is a question that the House must address at some point in the near future. What happens when it is agreed around the House, through Second Reading and Committee and approaching Report, that a desired amendment would bring public good but it cannot be moved because it falls outwith the narrow scope of the Bill, is a frustration that we have all encountered on this Bill and the previous Bill that I was involved with. There is a solution to that which should be discussed by the Procedure Committee. I hope it will do so in the near future, and I will be writing to it to that effect.
The Bill team have been absolutely fantastic. I gave them a rousing welcome when they first arrived because they have a trick at DCMS, which I recommend to all departments, of bringing together in one place at the very beginning of the process all the documents that you need to work out what you are talking about. If only every Bill team did that, we would all have much easier lives. They did it again this time, and it was fantastic. I have enjoyed working with them; their professionalism and efficiency were wonderful and a great help to us. Our support is minuscule in comparison; effective and efficient though Nicola Jayawickreme and Dan Stevens are, there are only two of them to support all our work. I wish to ensure that our sincere appreciation is on the record.
This has been an enjoyable ride. I have had a great time, waxing lyrical on things I did not think I would ever want to talk about. I hope that the Bill passes, and that when it comes back we will be able to deal with it expeditiously and appropriately.
Lord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Scotland Office
(6 years, 6 months ago)
Lords ChamberMy Lords, although it is perfectly correct to debate the Government’s Motion to agree with the Commons, I am not convinced that it is a good idea even to debate a further Lords amendment in lieu at this point. As my noble friend Lord Cormack pointed out, we are out of time. I agree with my noble and learned friend the Minister that the Bill is good enough and, if there is a vote, I will support the Minister.
I share the worries about the new role of the Secretary of State but unfortunately I do not think that it is an appropriate role for the Press Recognition Panel. The PRP has a very specific role, which is to test whether the approved regulator meets the standards laid out in the royal charter.
The House will be pleased to hear that I have cut out seven minutes of my speech. Nevertheless, I will be engaging with my noble friend Lord Black of Brentwood to explore how we can achieve what we all want: a free, vibrant, sustainable, competent press that adheres to the rules and acts decently, but which cannot be chilled by a very rich complainant.
My Lords, the test has been given to us: we have to assess whether or not this Bill is good enough to pass. It is not the test I think we were expecting. It is quite refreshing in some ways because it means we do not have to look at every jot and every tittle, every “i” and every “t”, to make sure they are correct—we can just say that it is good enough so go with it. I am not sure it is the test that will sustain in your Lordships’ House for time to come, and perhaps we can draw a veil over it once we have got through this short period.
Is the Bill good enough to pass? Yes it is, and I have no doubt that it will pass today. However, it leaves behind two or three unanswered questions and some substantial issues that we will have to come back to. I think we have heard enough in the speeches today to know that these issues are not finally vanquished: they are present and they will be back, and we should think about that. If we wanted any assurance that this goes across all parties, all disciplines and all times, the speech by the noble Lord, Lord Fairfax of Cameron, put us absolutely on the spot. There is a sense that a great injustice has happened and a sense of fairness among UK citizens to want to see it organised better and done again. There was an all-party consensus—the evidence is that there still is an all-party consensus—that we should do it.
This was not the right Bill—I always said that it was not—but we have made huge changes to the way in which the Government were proposing to legislate in this area, changes which I welcome. Victim of the timing as we are, if there had been more time available, we perhaps could have sorted out many more of them. But we are not going to be able to do that because we must get the Bill through before midnight on 25 May. I absolutely subscribe to that.
What is left to do? There is no doubt that we have to know more about who did what to whom in the period running up to the Leveson inquiry being announced in November 2011. My Amendment A2 would have given the Information Commissioner powers to look at that and to provide what would effectively be a benchmarking report to allow subsequent work “looking forward”—in the words of the Secretary of State—to have a proper sense of what it was they were testing. I still think that that would be the right solution, but the noble and learned Lord made some welcome remarks from the Dispatch Box at the beginning of the debate and I accept those as being sufficient to make sure that I can withdraw the amendment at the appropriate time.
There is the narrow question of whether we should look at the particular points raised in the two other amendments. I think they are victim to the problems that we have had with this Bill, in that we have not been able to give detailed scrutiny in Committee or on Report to issues that we perhaps should have done had they been around. It is good that they are there and that the Government have listened. It is fantastic that they are prepared to work with us on these issues; much of the wording here has come out of discussions and debates with Ministers outside the House, and we have seen the benefit of that.
However, Amendment 62BC as proposed by the noble Lord, Lord McNally, worries us, and my noble and learned friend Lord Falconer made the point very well. It states:
“The Secretary of State must, before the end of each review period, lay before Parliament a report produced by the Secretary of State or an appropriate person on … the use of relevant alternative dispute resolution procedures … and … the effectiveness of those procedures in such cases”.
That goes a bit too close to whether it is politicians—the Secretary of State in this case—directing how independent assessments should go forward. I would be grateful if the noble and learned Lord could comment on that. It may well mean that the Secretary of State has the power but the actual work is done by others and, as was always going to be the case, that it is just a report and not a review. The confusion comes, I think, from having “review period” specified in the Bill, which is something that we would have picked up earlier.
On my noble and learned friend Lord Falconer’s amendments, there are issues around whether we are, in some senses, giving a responsibility to the Information Commissioner but not the powers to do the job that we want done. Again, some words from the Dispatch Box might help. I have covered my Amendment A2, in the sense that I think that responses have come back.
Is there a future for work in this area? Yes, there is. IPSO has made a significant change to its working practices since it was established and is now doing good and effective work. I do not disagree that the right thing is to let it continue on its path, watch how it goes and look at the reports that will be made on its effectiveness under Amendment 62BC.
We should not be tempted to change the structure of the PRP and its approval of independent press regulators. It may seem otiose but, as there are now 100 titles signed up to it, at least it is doing something right. As the noble Lord, Lord McNally, said, that system may well have something to offer Facebook, Google and others who might be interested in making sure that they are properly regulated.
Given that we are looking forward and the worry that we have in a liberal democracy of being able to see the kind of quality press and comment that we have in our present print journalism, which I support entirely, the review being carried out by Frances Cairncross will result in a number of recommendations and it is possible that we will need to legislate for that. These issues could come back relatively soon and I hope they do. There is enough all-party support in this House and the other place to get some movement on that and we will be happy to do so. For the moment, we wish the Bill well. It is good enough and we hope it will come into force and do the job it is meant to do.