Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.
My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.
I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.
Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, the Government introduced quite late in the proceedings in Committee a group of amendments that set up a parallel system under which data processing undertaken by government departments could be considered to be governed. Our Amendment 176 attempts to ask some questions, and in that sense it is a probing amendment. It probably does not work as it stands, on reflection, but it raises important points. Because the Government introduced the amendments so late in the day, I feel justified in asking for a response to some of our questions around them. The scrutiny that we could have given to the amendments did not take place, and I am grateful to the noble Lord, Lord Clement-Jones, for adding his name to the amendment and look forward to his comments later.
The main purpose of the amendment is to get on record from the Secretary of State a set of answers to questions. To be clear, we are talking about the framework for data processing by government to which the original amendments apply, and to which our amendment refers, covering all data held by any public body, including the NHS. It is both outside the ICO’s jurisdiction and under the direct control of Ministers. The courts are bound by the framework, as are tribunals, and a special case exists only for international law. I am not quite sure how that works, so maybe we can get some answers on that. There may well be updates, but if there are changes, they will be applied retrospectively. It is quite a significant package in terms of powers. I understand that there may be nothing wrong with that if everything else is working. In a sense, if one wants efficient government and effectiveness, one is asking for such things to be in place. I am not criticising that.
There are questions. First, on the name, why is it a framework and not a code of practice? Codes of practice are defined in the Bill and have considerable consequences as a result. There is a standard for developing them and a process under which they take place. There are regulatory arrangements and the involvement of Parliament, but that does not apply to the framework. In other words, the Government’s own data does not go through the processes that apply to other data.
Why do the Government’s proposals exempt public sector processing from normal data protection law? Surely if the concern is about making sure that a subject’s data is always looked after properly, and data controllers, whoever they are, are doing it in accordance with the procedures set out at length by the Bill, in the GDPR and in the derived legislation that will take place—if we leave—under Brexit, all we are getting is a way of keeping people out of any consideration regarding the data that is held by government. Citizens’ data should really belong to citizens and we should not have a situation where it is looked after by Ministers on behalf of Ministers and there is no external view.
One could make a strong case—I am not necessarily doing that, but others have—that the Secretary of State has the power to create their own framework for the data protection of their own data and their own department. They can ignore completely what the Information Commissioner may say about that framework—she has no locus in that. The framework can be brought to Parliament but it is a negative procedure, not an affirmative one, so it is very difficult to scrutinise. We can vote against it; we can certainly discuss it if we see it in time, but it will not be at the same level of scrutiny as perhaps applies to other matters. Barriers can be raised, and the ICO’s enforcement mechanisms can be fettered, extended or changed.
I am sure that the Minister will have good answers to that and I am in no sense trying to attack the basic principle. I just wonder whether there is not a case here for Caesar’s wife—excuse the old-fashioned language, but it is a quotation, not a reference. Caesar’s wife was always required to be above suspicion, above any other public person in Rome of the day. I say that with detailed knowledge having just been to the RSC’s performances of the Cicero plays, as I think I already mentioned. Sorry if I am boring people.
Nevertheless, it raises in one’s mind the issues of standards and propriety in public life in a forceful way. Blood was more common then than it might be today, but the issue is right. If you are in a public position and a public responsibility is placed on you, you must not only be above reproach, you must be seen to be above reproach. I am not sure that the government amendments satisfy that. I beg to move.
My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.
Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.
To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.
But I think that the noble Earl would accept that the last time a negative instrument was prayed against successfully was something like 1940—certainly a long time ago—and it was about the use of petroleum with open flames.
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?
I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.
I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.
Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.
Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.
In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.
Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.
On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.
I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.
I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.
My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
I am very grateful to the Minister for that response. That is probably the right way forward, and I beg leave to withdraw the amendment.