Data Protection Bill [HL] Debate
Lord Stevenson of Balmacara (Labour - Life peer)
Debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords Chamber
My Lords, in moving Amendment 5, I will also speak to Amendment 6. Both are in my name. I will respond later to Amendment 115, which is in the same group but was tabled by other noble Lords. Amendments 5 and 6 are probing amendments to try to tease out what appears to be a change of definition between various parts of the Act.
Amendment 5 relates to page 3 and Clause 3(1), (2) and (3) in Chapter 1, which raise concerns about what exactly is happening with the arrangements. It is easier if I read out the two subsections concerned. Clause 3(2) states that:
“Chapter 2 of this Part … applies to the types of processing of personal data to which the GDPR applies by virtue of Article 2 of the GDPR”.
That is the question I want to peruse, because later in the Bill, on page 11, Clause 19(1)(a) refers to activities which operate. This amendment is a probing one to try to tease out an answer that we can read in Hansard so as to know what exactly we are talking about. It may appear to be a narrow difference or nitpicking, but “an activity” is a very broad term for anything in relation to data processing and contrasts with the narrow way in which Clause 3(2)(a) talks about “types of processing”. Are these the same? If they are not, what differentiates the two? If they are different, why have we got different parts in different areas of the Bill?
Amendment 6 relates to page 3, line 31. This question of definition has come up in relation to Chapter 3 of the part. I understand this to be more of a recital, if I may use that word, than a particular piece of statute and it may not have normative effect, if that is the correct terminology. Clause 3(3)(b) says that the part to which this applies,
“makes provision for a regime broadly equivalent to the GDPR to apply to such processing”.
What is “broadly” in this context? Maybe I am obsessed with the use of English words that have common meanings, but again it would be helpful to have a bit more information on the definition from the Minister when he responds.
Perhaps more than the “quite” used in response to an earlier amendment, this has not got transatlantic resonances, but it is important in questions of adequacy in any agreement we might seek with the EU in the future. “Broadly equivalent” carries echoes of an adequacy agreement, which would assert that the arrangements in the two countries concerned—the EU on the one hand and the third country on the other—were sufficiently equivalent to allow for future reliance on the processes in the third country to be treated as appropriate for the transfer of data into and from, in relation to future industrial processes.
We are aware that an element of legal decision-making arises, which might change that “broadly equivalent” to a higher bar of requirement in the sense that the court is beginning to think in terms of “essentially equivalent”, which is very different from “broadly equivalent”. Again, I would be grateful if the Minister could respond to that. I beg to move.
I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.
Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.
Recital 80 of the GDPR explains the role of the representative:
“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?
My Lords, I thank the Minister for that interesting exposition, which ranged from now into the future. He has given a vision of the post-Brexit shape of our data protection legislation. Extraterritoriality will apply even though the language used may be that of the applied GDPR as opposed to the GDPR itself—just to be confusing, perhaps as much as the Minister confused us.
I want to be absolutely clear that we are not derogating from the GDPR in extraterritoriality. That seems to be the nub of it. The Bill makes changes to the applied GDPR—I would like to read in Hansard exactly what the Minister said about the applied GDPR because I did not quite get the full logic of it—but there is no derogation in the GDPR on extraterritoriality. It would be helpful if he could be absolutely clear on that point.
Perhaps the Minister will respond to that because I, too, am troubled about the same point. If I am right, and I will read Hansard to make sure I am not misreading or mishearing what was said, the situation until such time as we leave through Brexit is covered by the GDPR. The extraterritorial—I cannot say it but you know what I am going to say—is still in place. Therefore, as suggested by the noble Lord, Lord Clement-Jones, a company operating out of a foreign country which was selling goods and services within the UK would have to have a representative, and that representative could be attached should there be a requirement to do so. It is strange that we are not doing that in the applied GDPR because, despite the great improvement that will come from better language, the issue is still the same. If there is someone that our laws cannot attack, there is obviously an issue. Perhaps the Minister would like to respond.
Quite apart from the get-out that Clause 3 is only a signposting, I can confirm that we are not derogating from the GDPR. We intend to apply GDPR standards when we leave the EU, so we are not derogating from the GDPR on extraterritoriality.
This concerns Amendment 115, which is to a substantial part of the Bill; it is not the issue raised by the amendment I introduced. We are talking about page 158, line 34. Perhaps it would be better if I requested a letter on this point so that—again, I cannot say the word—does not bog us down.
Isn’t he so smooth? Unfortunately, I bet Hansard does not print that. However, extraterritoriality is important because it represents a diminution of the ability of those data subjects affected by actions taken by those bodies in terms of their future redress. It is important that we get that right and I would be grateful if the Minister could write to us on that.
I am satisfied with what the Minister said on Amendments 5 and 6. I am grateful and beg leave to withdraw the amendment.
My Lords, I thank the noble Baroness for introducing these amendments in not too heavy a style, but this is an opportunity to ask a couple of questions in relation to them. We may have had since 20 October to digest them; nevertheless, that does not make them any more digestible. We will be able to see how they really operate only once they are incorporated into the Bill. Perhaps we might have a look at how they operate on Report.
The Bill is clearly a work in progress, and this is an extraordinary number of amendments even at this stage. It begs the question as to whether the Government are still engaged in discussions with outside bodies. Personally, I welcome that there has been dialogue with the insurance industry—a very important industry for us. We obviously have to make sure that the consumer is protected while it carries out an important part of its business. I know that the industry has raised other matters relating to third parties and so on. There have also been matters raised by those in the financial services industry who are keen to ensure that fraud is prevented. Even though they are private organisations, they are also keen to ensure that they are caught under the umbrella of the exemptions in the Bill. Can the noble Baroness tell us a little about what further discussions are taking place? It is important that we make sure that when the Bill finally hits the deck, so to speak, it is right for all the different sectors that will be subject to it.
My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
My Lords, I do not need to say very much about our amendments in this group because they overlap to a great extent with what has just been said by the noble Lord, Lord Clement-Jones. I should not really delay the House as it is anxious to get on to other business, but the noble Lord made an interesting comment about the response that might come from my noble friend sitting to my right. In our Whips’ Office we have a regular problem, because Ray Collins and Roy Kennedy are, confusingly, always called Roy Collins and Ray Kennedy. I have never actually heard them be confused when called by their surnames, so we have had a first today. It is always nice to see firsts in our rather dull and restricted life—it is time for dinner.
This is quite an important amendment, and the noble Lord, Lord Clement-Jones, has made the case very well. When I was looking through the Bill and trying to come up with a sense of narrative that we could use here, I wondered about the introduction of “substantial public interest”, which predates this Bill significantly. It appears in the 1998 Data Protection Act but it was not challenged there. It felt to me like a mistranslation—a sort of anglicisation gone wrong, because there should not be gradations of public interest. A matter is either in the public interest or it is not: it should not have to be qualified by the word “substantial” to get it to a different level of concern or consent. In that sense, maybe “substantial” just means of greater sensitivity, rather than more important and therefore to be restricted. I should be grateful if the Minister reflected on that when responding.
I share the concern that the noble Lord, Lord Clement-Jones, raised in his first amendment. By and large, the Bill is pretty good at tying down where there is flexibility and where there is not, but here, the terminology seems very loose. We can understand what Clause 7 means, but the idea that it would be relatively easy to extend and adapt the list in subsections (a) to (d) is quite worrying. If that is to stand, and the defence says that it is reasonable in the circumstances to have such wording, we need to understand the powers under which that list could be adapted or amended. Are they to be found in the Government’s ability to seek regulatory approval, or will it be done in some other form? We ought to know the answer to that.
Since we are back on codes, as mentioned by the noble Lord, here is a code that it is really important to have before we get to Report. I would be grateful if the Minister confirmed that that will be possible. I understand that the issue is not in his hands, because the Information Commissioner will be the person responsible. However, given that the terminology in the Bill will have an impact right across our statutory provisions regarding what is or is not in the public interest, and if this is the long-awaited guidance and the substitute for a proper definition in statute, it is very important that we have it in time to discuss it on Report.
My Lords, I speak to Amendments 11 and 13, in the name of the noble Lord, Lord Clement-Jones, and Amendment 154, in the name of the noble Lord, Lord Stevenson of Balmacara, and to which I have added my name in support.
When I first read the amendments tabled by the noble Lord, Lord Clement-Jones, I was concerned because I thought them quite restrictive. Now that he has spoken to them, I can see that he intended them to be wider, so I apologise to him that I did not have the opportunity to speak with him beforehand, so that I would have had that clarification. None the less, having said that, I am concerned that the amendment would restrict the interpretation of,
“a task carried out in the public interest”,
and a narrow list is set out in Clause 7(a) to (d). That is a major concern for universities and other institutions involved in research.
It is absolutely important that universities and other public bodies that carry out research functions are able to use,
“task carried out in the public interest”,
as a legal basis for processing personal data. Restricting this clause to apply only to those functions listed in paragraphs (a) to (d) would instantly make all processing of personal data carried out for research purposes with a university illegal. That is unless it could meet the stringent requirements of GDPR-compliant consent, which I will speak to on an amendment in the group that follows.
None the less, providing further clarity through regulations would ensure that “public interest” was not used as a catch-all for public bodies, negating the incentive to restrict the definition in the Bill in the way proposed by this amendment. I have no doubt that we will have a discussion and that the amendment is not intended to be so restrictive. I look forward to the Minister’s summing up.
I support Amendment 154 in the name of the noble Lord, Lord Stevenson of Balmacara. However, under the GDPR, all users and controllers of data will need to be much clearer about the legal basis that they use to process personal data, and more explicit with data subjects about what is happening to data about them. However, this shift is also likely to generate a certain amount of confusion among researchers who process personal data as part of their studies.
An enormous amount of research using personal data is carried out by universities, which constitute public bodies. As it stands, the Bill defines “public interest” in quite a narrow way—and I shall come to that in more detail when I deal with a group of amendments in my name. But “public interest” is an underspecified notion that could be interpreted in many ways, in the absence of authoritative guidance—and it is that absence that the amendment under the name of the noble Lord, Lord Stevenson of Balmacara, deals with. Placing the requirement to produce codes of practice in the Bill will ensure that it is an undertaking that receives the urgent attention that it demands, and I support it for that reason.