Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsWednesday 22nd November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Stevenson of Balmacara (Lab)
My Lords, I apologise to the House because my voice is annoyingly masked. I urge noble Lords to put their hearing aids on because it might not last until I have said what I want to say.
Every now and then in this House, we have a debate of such importance and significance that the House behaves in a completely different manner from its normal routine. We have had that today. There is a sense of stillness, expectancy and interest that we do not always get, and it is important that we hold on to it because we are touching on some very important and deep issues. While we obviously need to deal with the narrow question of the amendments before us, I hope very much that the wider resonances of this debate might help unpick some of the difficulties that have been raised in our discussion and which are relevant in society today.
I am so taken by the debate we have had that I want first to mention to the House that our amendment in this group, which was laid as one of the first amendments, is an entirely “fake” amendment, if I may use that word. It is a probing amendment and does not mean anything. I can tell the House now that I will not be pressing it. I hope the Minister will do me the justice of not even bothering to respond to it because it has lost all relevance in the light of the issues that have been raised subsequently. My second point is a slightly cheeky one: since I am no longer involved with our amendment in this group and we do not have any names attached to any of the others, I will bring a completely new and independent view to the discussions. I hope that noble Lords will enjoy that.
I hope that the noble Lord, Lord Black, does not take this my final opening point the wrong way. I am not going to follow the line of the noble Lord, Lord McNally, and accuse him of crimes he is not going to commit, but this is so important that we need to come back to it in another place and at another time. I hope that he will understand that. I think that it probably needs a Bill of its own to get this right. We can discuss that later.
Okay. Trying to make sense of what we have in front of us—in this alphabet soup that we often have in complicated parts of Bills—I want to approach this in the following way. I said at Second Reading, and I repeated in the debate last week, that I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson. I do not think that anything said today should be withdrawn; it is really important stuff that needs to be resolved. But this is probably not the Bill to do that in and I will give some reasons for that.
The main worry that I have, and several noble Lords have mentioned this, is that we are talking about a package of measures that were the product of a particular time. For all the reasons that have been given, bits have succeeded and bits have not succeeded; bits have been implemented and bits have not been implemented, and I do not think that it is right for this Bill at this time to try to kick-start some of the bits that need to be looked at, particularly the amendments that relate to the Crime and Courts Act 2013. The speech of the noble Earl, Lord Attlee, was a very good introduction to those. He made a very good case for them. That case does need to be answered, but this is not the right place for that, so I do not support them.
I do not think that Amendment 179A works in the context that I am trying to sketch out. The case made by the noble Baroness, Lady Hollins, as always, was incredibly powerful and one’s heart reaches out to everything she says, which was also picked up by the noble Lord, Lord Low. We want to do something about this and we think that the way that the Government have treated Leveson 2 is a disgrace. It is a shameful way to behave, given the treatment of the victims. We must never forget that.
The third group of amendments here—the amendments of the noble Lord, Lord McNally—also makes very good sense. They are sensible amendments but, for the same reason, we should not continue with them today.
Lord McNally
The noble Lord is giving the Government a “get out of jail free” card, unless he has something else to say. There are areas in all these amendments that have massive implications for data and data protection. If they do not fit into the scope of a Data Protection Bill, where on earth will they fit?
Earl Attlee
My Lords, I would also like to have a little pop at the noble Lord. I understand his point that this is a Data Protection Bill and not something to amend the Crime and Courts Act. Of course, I experienced significant difficulties with the clerks trying to table an amendment to try to amend that Act. But if we had a suitable legislative opportunity—another criminal justice Bill—would the noble Lord’s party support an amendment to make Section 40 of the Crime and Courts Act commence forthwith?
Lord Stevenson of Balmacara
To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.
Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.
Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.
Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.
Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.
Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.
I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.
Lord Stevenson of Balmacara
My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.
Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.
The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.
Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,
“must set standards by which a data controller is required to anonymise personal data”.
There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.
The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.
At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.
The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.
There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.
Lord Clement-Jones (LD)
We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
Lord Ashton of Hyde
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
Lord Stevenson of Balmacara
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
“( ) In relation to the processing of personal data to which the GDPR applies, Article 80(2) of the GDPR (representation of data subjects) permits and this Act provides that a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate, under—(a) Article 77 (right to lodge a complaint with a supervisory body);(b) Article 78 (right to an effective judicial remedy against a supervisory authority); and(c) Article 79 (right to an effective judicial remedy against a controller or processor),of the GDPR if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.”
Lord Stevenson of Balmacara
My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,
“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.
I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.
Lord Stevenson of Balmacara
It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.
I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.
Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.
The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.
The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.
However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.
Lord Clement-Jones
My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.
I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.
The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.
I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.
Lord Ashton of Hyde
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
Lord Stevenson of Balmacara
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 20th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Paddick (LD)
My Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.
We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.
This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.
The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.
The Minister may wish to pray in aid article 57(3) of the GDPR, which states:
“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.
We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.
Lord Stevenson of Balmacara (Lab)
My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.
Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.
The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.
So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.
Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.
Baroness O’Neill of Bengarve (CB)
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
Lord Stevenson of Balmacara
My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.
Lord Paddick
My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.
The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.
On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, the amendment is in my name and that of my noble friend Lord Kennedy. Clause 117 allows the commissioner to inspect personal data held on any automated or structured system where the inspection is necessary,
“to discharge an international obligation of the United Kingdom”.
Before exercising the power, the commissioner under subsection (4) must by written notice inform a controller of her intention. However, this does not apply if the case is “urgent”. Since in every other aspect of the Bill phrases such as “urgent” are usually defined, uniquely in this case it is not, so the amendment is merely to allow the Minister to read into record those cases that he might consider to be urgent. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, the amendments in this small group are probing in nature. Amendment 153C is in my name and that of my noble friend Lord Kennedy. Clause 119 places an obligation on the commissioner to publish and keep under review a data-sharing code of practice that would contain guidance on data sharing and good practice, as the name suggests. This is good, we talked about it in some detail in earlier sittings of the Committee and we have no problems with it. It continues a practice that we are well aware of and there are no particular issues arising from it, provided that it continues to be comprehensive and to provide the sort of advice that data controllers and data subjects will need as we go forward.
Amendment 153D raises the question of whether a 40-day approval process for codes should apply, in order to make it clear that codes under Clauses 119 and 120 are subject to parliamentary scrutiny and that the 40-day approval period would fit in with the procedures of Parliament. As I said, this is a probing amendment and I would be grateful to have the comments of the Minister in due course.
Amendment 154A concerns the statement that the commissioner will review and revise the codes regularly, or keep each code under review. There is no specification of the timescale or the frequency of that. I suspect that the answer will be that it will be as seen fit by the Information Commissioner—but if the Minister can shed some light on this, it would be helpful.
Finally, Amendment 154B draws attention to Clause 119(2), which says, at the top of page 65:
“Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code”.
We have already touched on this, and the procedure is not explained. I would like to confirm that, since this matter may be of interest to Parliament, it will be by the affirmative procedure. I look forward to hearing a response and I beg to move.
Baroness Chisholm of Owlpen (Con)
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
Lord Stevenson of Balmacara
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
“Personal data ethics code of practice
(1) Within six months of the passing of this Act, the Commissioner must prepare an ethics code of practice for data controllers.(2) The code must include a duty of care from the data controller and the processor to the data subject.(3) The code must provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—(a) reduce vulnerabilities and inequalities;(b) protect human rights;(c) increase the security of personal data;(d) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.(4) The code must consider—(a) how to support data processing which has clear benefits for users and members of the public;(b) the effectiveness of measures to seek the consent of users to the collection and use of their personal data;(c) the risks and limitations of new technologies, ensuring that there is sufficient human oversight.(5) The code must also provide guidance on—(a) default privacy settings;(b) data minimisation standards;(c) presentation and language of terms and conditions;(d) transparency of paid for activity, such as product placement and marketing;(e) sharing and resale of data;(f) veracity and accuracy of information;(g) strategies used to encourage extended user engagement;(h) user reporting and resolution processes and systems;(i) responses to unintended consequences of technological advances in the processing of personal data; and(j) any other aspect of design that the Commissioner considers relevant.(6) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.(7) Before preparing the code of practice and prior to every revision, the Commissioner must consult the Secretary of State and relevant stakeholders.(8) The Secretary of State must bring the code of practice into force by regulations made by statutory instrument. (9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
Lord Stevenson of Balmacara
My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.
The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.
The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing were transparent, and that the purposes of data processing were communicated to data subjects.
Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.
I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.
Lord Clement-Jones (LD)
My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.
Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.
Lord Ashton of Hyde
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
Lord Stevenson of Balmacara
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
“( ) Within the period of three months, beginning with the day on which this Act is passed, the Commissioner must specify in guidance the amounts that constitute a reasonable fee in relation to subsection (1).”
Lord Stevenson of Balmacara
My Lords, although the amendment’s wording is narrow, it is very much a probing amendment. I hope we will be able to range a bit further on the funding and the structure of the Information Commissioner’s Office, which depends on its ability to raise funding to survive. I will make various points on that.
In some senses the Information Commissioner’s Office is a rather strange regulator, in terms not of its functions, but of the way it has survived a number of possibilities for change and development that have been applied to other sectors of British industry, particularly those relating in some senses to data processing. If noble Lords compare Oftel, the IBM, to some extent the BBC and what has now emerged as Ofcom, they will see a change from the original structure of regulators, which were very largely bodies set up to make sure the previously public sector nature of an activity that had been privatised was done in a way that did not exclude the public interest. These regulators were largely economic in origin and have only gradually added social regulation to their parts.
In a sense the ICO’s journey is different. First, the way these other regulators have moved has not been followed, so the change from a one-off individual dealing with economic and a limited amount of social regulation to being partnerships or boards with a range of individuals appointed to take over various functions—Ofcom is perhaps the easiest example to use—has not been followed. We still have a single regulator which is independent and reports to Parliament, and I understand the structure to be that of a corporation sole, which is an issue that we might want to reflect on.
Lord Ashton of Hyde
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
Lord Stevenson of Balmacara
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 13th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Clement-Jones (LD)
My Lords, the noble Earl, Lord Kinnoull, has clearly and knowledgeably introduced the amendment, which I strongly support. He made clear through his case studies the Bill’s potential impact on the insurance industry, and I very much hope that the Minister has taken them to heart. Processing special category data, including health data, is fundamental to calculating levels of risk, as the noble Earl explained, and to underwriting most retail insurance products. Such data is also needed for the administration of insurance policies, particularly claims handling.
The insurance industry has made the convincing case that if the implementation of the Bill does not provide a workable basis for insurers to process that data, it will interrupt the provision to UK consumers of retail insurance products such as health, life and travel insurance, and especially products with health-related consumer benefits, such as enhanced annuities. The noble Earl mentioned a number of impacts, but estimates suggest that, in the motor market alone, if this issue is not resolved, it could impact on about 27 million policies and see premiums rise by about 3% to 5%.
There is a need to process criminal conviction data for the purposes of underwriting insurance in, for instance, the motor insurance market. Insurers need to process data to assess risk and set the prices and terms for mainstream products such as motor, health and travel insurance.
The key issue of concern is that new GDPR standards for consent for special category data, including health, such as the right to withdraw consent without experiencing detriment, are incompatible with the uninterrupted provision of these products. As the noble Earl, Lord Kinnoull, has clearly stated, there is scope for a UK derogation represented by these amendments, which would be in the public interest, to allow processing of criminal conviction and special category data when it is necessary for arranging, underwriting and administering insurance and reinsurance policies and insurance and reinsurance policy claims. I very much hope that the Minister will take those arguments on board.
Lord Stevenson of Balmacara (Lab)
My Lords, the noble Earl, Lord Kinnoull, has done us a great favour in introducing with great skill these amendments, which get to the heart of problems with some of the language used in the Bill. We are grateful to him for going through and picking out the choices that were before the Government and the way their particular choices seem to roll back some of the advances made in the insurance industry in recent years. I look forward to the Minister’s response.
Our probing Amendment 47 in this group is on a slightly higher level. It is not quite as detailed—nor was it intended to be—as the one moved by the noble Earl. We were hoping to raise a more general question, to which I hope the Minister will be able to respond. Our concern, which meets the concerns raised by the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, is where the Government want to get to on this. It must be true that insurance is one of the key problems facing many people in our country. It is the topic that will be discussed in the QSD in today’s dinner break as it bears heavily on financial inclusion issues. So many people in this country do not take out insurance, personal or otherwise, and suffer as a result. We have to be very careful as we take this forward as a social issue.
However, an open-ended derogation to allow those who wish to gather information to make a better insurance market surely also raises risks. If we are talking about highly personal profiling—we may not be because there are constraints in the noble Earl’s amendment—it would lead to a more efficient and cheaper insurance industry, but at what personal cost? For instance, if it is possible to pick up data from those who perhaps unadvisedly put on Facebook or Twitter how many times they get drunk—I am sure that is not unusual, particularly among the younger generation—information could be gathered for a profile that ought to be taken into account for their life, health or car insurance. I am not sure that we would be very happy with that.
Underlying our probing amendment is to ask the Minister to respond—it may be possible by letter rather than today—on protections the Government have in mind. What sort of stock points are there that we can rely on as we move forward in this area? As processing becomes more powerful and more data is available, pooled risks are beginning to look a little old-fashioned. The old traditional model under which insurance is gathered is that the more the pool is expanded, the risks are spread out more appropriately across everybody. The trouble is that the more we know, we will be including people who are perhaps more reckless and therefore skewing the pooling arrangements. We have to be careful about that.
There is obviously a social objective in having a more efficient and effective insurance market but this ought to be counterbalanced to make sure that those people who are vulnerable are not excluded or uninsurable as a result. The state could step in, obviously, and has done so, as we have been reminded already in our Committee discussions about the difficulty of getting insurance for those who build on flood plains. However that is not the point here. This is about general insurance across the range of current market opportunities being affected by the fact that we are not ensuring that the data gathered is both proportionate and correct in terms of what it provides for the individual data subjects concerned.
Lord Ashton of Hyde
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
Lord Stevenson of Balmacara
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
Lord Ashton of Hyde
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
Lord Clement-Jones
I must say how delighted I am that on this occasion we had the noble Lord advocating his own amendment. I was nearly in the hot seat last week, but we have just avoided it. I was delighted at his powerful advocacy because of course the noble Lord is extraordinarily well informed on all matters to do with sport, and this goes to the heart of sport in terms of preventing cheats who prevent the rest of us enjoying what should be clean sport, however that may be defined. All I have to do is pick out one or two of the elements of what the noble Lord said in my supportive comments.
There is the fact that neither “doping” nor “sport” is defined in the Bill, as the noble Lord pointed out. There is no definition of the bodies to be covered by paragraph 21, which is extremely important. He also made an extraordinarily important point about UKAD. Naming UKAD in the Bill, as the amendment seeks to do, would add to its authority and allow it to carry out all the various functions that he outlined in his speech. If it is necessary to add other bodies, as he suggested, that should of course be considered.
The noble Lord’s reference to performance-enhancing substances, which again are mentioned in the amendment and included in the World Anti-Doping Code, ties the Bill together with that code and was very important as well. Finally, the point that he made about gender and the substances used in connection with gender change was bang up to the minute. That, too, must be covered by provisions such as this. So if the Minister is not already discussing these issues with the noble Lord, Lord Moynihan, I very much hope that he is about to and will certainly do so before Report.
Lord Stevenson of Balmacara
My Lords, once again your Lordships’ House is very grateful to the noble Lord, Lord Moynihan, for raising this issue and, as the noble Lord, Lord Clement-Jones, said, for doing so in such a comprehensive way. It is in the context of the much wider range of issues that the noble Lord, Lord Moynihan, has been pursuing regarding how sport, gambling and fairness are issues that all need to be taken together. We have been supporting him on those issues, which need legislation behind them.
Noble Lords may not be aware that we have been slightly accused of taking our time over the Bill. I resist that entirely because we are doing exactly what we should be doing in your Lordships’ House: going through line-by-line scrutiny and making sure that the Bill is as good as it can be before it leaves this House. We saw the noble Lord, Lord Moynihan, at the very beginning of Committee and he then dashed off to Australia to do various things, no doubt not unrelated to sport. He has had time to come back and introduce these amendments—but, meanwhile, the noble Lord, Lord Clement-Jones, and I were debating who was going to pick the straw that would require us to introduce them. We were very lucky not to have to do so because they were introduced so well on this occasion.
Our amendment in this group is a probing amendment that picks up on some of the points already made. It raises the issue of why we are restricting this section of the Bill to “sport”—whatever that is. If we are concerned about performance enhancement, we have to look at other competitive arrangements where people gain an advantage because of a performance-enhancing activity such as taking drugs. For instance, in musical competitions, for which the prizes can be quite substantial, it is apparently possible to enhance one’s performance—perhaps in high trills on the violin or playing the piano more brilliantly—if you take performance-enhancing drugs. Is that not somehow seeking to subvert these arrangements? Since that is clearly not sport, is it not something that we ought to be thinking about having in the Bill as well? I say that because, although the narrow sections of the Bill that relate to sport are moving in the right direction, they do not go far enough. As a society, we are going to have to think more widely about this as we go forward.
Lord Maxton
I am slightly confused by what is a performance-enhancing drug. We have seen athletes and other sportsmen banned in this country for taking what I would call non-enhancing drugs: in other words, cannabis or whatever it might be. In that case they are not performance-enhancing drugs but the reverse of them—yet people can be banned even if taking them is deemed legal in the country where they do so. Even if it is legal to take cannabis, the drug can still be deemed a banned drug by the anti-drug authorities.
Lord Stevenson of Balmacara
My noble friend is quite right. He has obviously been careful to make sure that he has no personal experience of what he talks about and I would like to make it clear that I have none, either. But it is a very tricky area and we are wrong just to dance around it with the idea that we are somehow doing something important in relation to a particular aspect of drug enforcement.
To do this properly, we need a much clearer approach. I realise that I am in danger of rising above the detail here and going back to my high plain of intellectual approach to the Bill for which I have already been criticised—but I hope that when the Minister responds we can get somewhere on this. A meeting on the particular narrow points raised by the government amendment and by the noble Lord, Lord Moynihan, is required. It would be helpful to see the context in which this might operate. I would be happy to attend such a meeting should that be the case.
Data Protection Bill [HL]
Lord Stevenson of Balmacara Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Lucas (Con)
My Lords, I thank the Open Rights Group for pushing for this amendment, and particularly the Public Bill Office for getting it into a form that is acceptable in the Bill. This amendment addresses age verification for accessing pornography; currently there are no specific safeguards. However, sexual preferences are very sensitive, so this amendment allows—it does not compel—regulation at a higher level than is currently the case. The pornography industry has a woeful record of regular, large-scale breaches of data security and I do not believe that we should trust it. Even if we think we might trust the industry, we ought to be in a position where we do not have to. Our young people deserve proper protection regarding some very sensitive data.
I believe that we should take this seriously—my experience of young boys of 14 and 15 is that they are being exposed to high-grade pornography on a large scale, something that in the context of their relationships with women later in life we may want to think about carefully. Therefore, surely we should take the opportunity to give ourselves the powers to take action, should we decide that that is necessary, rather than having to come back to primary legislation with all the time and delay that that involves. We can anticipate this difficulty—we can see it coming down the tracks—so let us prepare for it. I beg to move.
Lord Stevenson of Balmacara (Lab)
My Lords, I am completely discombobulated because the noble Lord, Lord Lucas, has hidden himself on the far right-hand side of the Chamber, which makes it very difficult to engage with him—but I am sure we can get over it. He is also incredibly skilful to have got an amendment of this type into the Bill, because we were looking at this issue as well but could not find a way through. I would like a tutorial with him afterwards about how to get inside the interstices of this rather complicated legislative framework.
I must say that I have read his amendment several times and still cannot quite get it. I shall therefore use my usual strategy, which is to come in from an aerial height on a rarefied intellectual plane and ask the Minister to sum up in a way that I can understand—but under the radar I will ask for three things. First, we spent a lot of time on this in the Digital Economy Act. It is an important area and it is therefore important that we get it right. It would be quite helpful to the Committee, and would inform us for the future, if we could have a statement from the Dispatch Box or a letter saying where we have got to on age verification.
I hear rumours that the system envisaged at the time when the Digital Economy Act was going through has not been successful in practice. I think that we have heard from the Minister and others in earlier groups in relation to similar topics that in practice the envisaged age verification system is not being implemented as it stands. What is happening is that the process of trying to clear up this area and making sure that age verification is in place is actually being carried out on a voluntary basis by those who run credit cards and banking services for the companies involved and for whom a simple letter from the regulator, in this case the BBFC, is sufficient to cause them to cease to process any moneys to the sites concerned—and, as a result, that is what is happening in the pornography industry. That may or may not be a good thing—it is probably too early to say—but it was not the intention of the Bill. That was to have a system that was dependent on a proper age verification system and to make the process open and transparent. If it is different, we ought to know that before we start considering these areas.
My third point is that we would rely on Ministers to let us know whether it is necessary to return to this issue in the sense of the information that we hope will be provided. It is only at that level that we can respond carefully to what the noble Lord said—although I have no doubt that it is a very important area.
Lord Elton (Con)
My Lords, perhaps I may intervene between the two Front Benches. I wish to ask my noble friend on the Front Bench not to say—should he be tempted to—that this simply will not work, even if he explains why in great detail, but to say whether what the amendment tries to do is worth doing and, if so, how it can be achieved.
“Right to be informed of the commercial exploitation of personal data
(1) Data controllers must notify data subjects of all intended or actual commercial exploitation of their personal data.(2) The notification under subsection (1) must be made—(a) at the time when the data subject consents to their personal data being processed by the data controller,(b) before commercial exploitation takes place, if this is more than six months after the notification in paragraph (a), and(c) every six months thereafter if the commercial exploitation is ongoing.(3) Notifications under this section must include—(a) the primary uses to which the personal data will be put, and(b) the gross revenues the data controller expects to receive through the exploitation of that personal data.”
Lord Stevenson of Balmacara
My Lords, I was not referring to this amendment specifically in commenting on Amendment 71ZA, but we had difficulty getting this amendment in scope, so as to be in line with our aspirations and what we wanted to discuss today.
Amendment 71A would introduce an individual right for data subjects to be informed by data controllers when there is an actual or intended commercial exploitation of their personal data. Machine learning will allow data companies to get a lot of value out of people’s data—indeed, it already does. It will allow greater and more valuable targeting of advertisements and services on a vast scale, given the way that modern data platforms work. This skews further the balance of power between those companies and the individuals whose data is being exploited.
One could probably describe the current relationship between people and the data companies to whom they give their data as rather unsophisticated. People hand it over for a very low value, as in a bartering service or crude exchange—and, as in a barter economy, it cannot be efficient. This amendment will test whether we can get more power into the hands of the people who make the exchange to make the market function better. The companies’ position is completely the reverse: it is almost that of a monopsony, although as a technical term monopsonies are those situations in which dominant companies set a price for the market, whereas in this case there is no price. It is interesting to follow that line of thought a little further because, where there are monopsonies, the normal remedy put forward by those involved is to publish a standard price list. That improves choice to the point that people are not exploited on the price they pay; it is just a question of choice on quality or service, rather than the price. That at least protects individuals to some extent against the dominant company exploiting control.
The essence of this amendment is an attempt to try to give power back to the people whose data is being used. We are talking about very significant sums of money. I gather from a recent article in the Guardian that the top price you can get for your data—although I am not sure whether “price” is the right word here; “value” might be better—is about $14 each quarter for a company such as Facebook. If you compare that across the world, in the Asia-Pacific region it is worth only about $2. There is a variation, and the reason is the ability to exploit some form of advertising revenue from individual data, so the US, where the highest prices are going to be available, was worth about $2.8 billion in advertising revenue to Facebook last quarter while the second-biggest Facebook market, Europe, was worth only about £$1.4 billion, which is about half. You can see how the prices would follow through in terms of the data. We are talking about quite a lot of resource here in terms of how this money flows and how it works.
The process of trying to seek the money has already started. Some companies are now trying to reverse the direction of travel. They go to individuals through the web and offer them the chance to connect all their data together across the social media companies in which they already have it. The companies then value it and try to sell it on behalf of the individuals to the companies concerned. That is obviously the beginning of a market approach to this, which is where this amendment is centred.
I mentioned that I had difficulty getting what I wanted in the scope of the Bill. I think I have mentioned this before, but it seems to us that we do not yet have the right sense of what people’s data represent in relation to the companies that seek to use it. One suggestion we have had is that we might look to the creative industries—not inappropriately since this is a DCMS Bill—and think of it as some form of copyright. If it were a copyright—and it may or may not be possible to establish one’s personal data in a copyright mode—we would immediately be in a world where the data transferring from the individual to the company would be not sold but licensed, and therefore there would be a continuing sense of ownership in the process in which the data is transferred. It would also mean that there would have to be continuing reporting back to the licence holder for the use of the data, and we could go further and expect to follow the creative industries down the track which they currently go. The personal copyright would then have value to the company and there is a waterfall, as they call it, of revenue exploitation so that those who hold the copyright might expect to earn a small but not insignificant amount from it. We begin to see a commercial system, more obviously found in other areas of the marketplace, but it relates to the way in which individuals would have a value in relation to their data, and there might even be a way in which that money could be returned. If you were in that happy situation, what would you do with the money? One would hope that it would be useful to some people, but it might also be possible to accumulate it, perhaps through a collecting society, and see it invested in educational work or improving people’s security in relation to their data, for instance. There are many choices around that.
Having said all that about copyright, I am not particularly wedded to it as a concept because there are downsides to copyright, but it is an issue worth exploring. The essence of the amendment is to try to restore equality of arms between the individual and the companies to which the data is transferred. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Stevenson, for raising this important subject. I recall the questions that he posed at Second Reading about whether data subjects had sufficient support in relation to the power of companies that wanted to access, use and monetise their data, and I recognise the intention behind his amendment, which he carefully explained. I also agree wholeheartedly with him that these are questions worthy of debate, not only during the passage of this Bill, but over the coming months and years as the digital economy continues to develop. Later in Committee, we may discuss suitable forums where this could take place. These are big questions of data rights and how they are monetised, if they are, versus the growth of the digital economy for public benefit.
Lord Stevenson of Balmacara
My Lords, I am very grateful to the Minister for engaging with the issues and for responding so positively to some of the ideas that underlie the amendment. This is an issue that we will need to come back to, but I take the point that the level of detail in the amendment and the impact it may have may not be appropriate at this time, in terms of our understanding of and knowledge about where we are trying to get to.
As the Minister said, there may be opportunities to discuss the way this might be taken forward, including the possibility of the data ethics group. Should the Bill be amended in that way, that would be a base on which this could come forward.
Having said that, this was clearly a probing amendment and I was not expecting a detailed response. The noble Lord was careful to make sure that we were aware of the problems concerning some of the issues, but I put it to him that the technology we are already experiencing—and there is a lot more to come—allows those who have our data to almost magically know things about us, which results in us getting birthday greetings, targeted adverts and everything else. They are already on to us on this, and I do not think we need to worry too much about the burden that might be placed on these poor companies. But I take the point and beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, Clause 12 deals primarily with credit reference agencies. It is not an area that I think we want to go through in complete detail, but in comparing the current version of the Bill with the provisions in the Data Protection Act 1998, in particular Section 39(2), we wondered whether the updating of that provision was entirely correct and thought it would be helpful to give the Minister a chance to respond to that point.
The question that underlies the suggestion that the clause should not stand part is whether Clause 12 constitutes a restriction on a data subject’s access rights. It can be read as a presumption that a data subject in this area is asking only about their financial standing, and not for other data that the credit reference agency might have. The provision therefore might be said to run contrary to the underpinning rationale behind the GDPR that data controllers should be transparent and that data subjects should not be put in the position of having to guess what data is held about them in order to ask for it.
I am sorry to have to refer again to a recital, but recital 63, which the Minister might be aware of, specifies that among other purposes, the right of access is to allow a data subject to be aware of the data held about them so as to be able to,
“verify … the lawfulness of the processing”
that is taking place. This is different from the wording in Clause 12, in that the trigger appears to be based on the quantity of data rather than the type of controller. There is also no presumption about the nature of the data that the data subject wants. I think I have said enough to suggest that there is possibly an issue behind this and I would be grateful if the Minister could respond to that point.
Baroness Chisholm of Owlpen (Con)
My Lords, as your Lordships know, before giving somebody credit, lenders such as banks, loan companies and shops want to be confident that the person can repay the money they lend. To help them do this, they may look at the information held by credit reference agencies.
Credit reference agencies give lenders a range of information about potential borrowers, which lenders use to make decisions about whether or not to offer a person credit. It is safe to say that the three main credit reference agencies in the UK—Equifax, Experian and Callcredit—are likely to hold certain information about most adults in the country. Most of the information held by the credit reference agencies relates to how a person has maintained their credit and their service and utility accounts. It also includes details of people’s previous addresses and information from public sources such as the electoral roll, public records including county court judgments, and bankruptcy and insolvency data.
The information held by the credit reference agencies is also used to verify the identity, age and residency of individuals, to identify and track fraud, to combat money laundering and to help recover payment of debts. Government bodies may also access this credit data to check that individuals are entitled to certain benefits and to recover unpaid taxes and similar debts. Credit reference agencies are licensed by the Financial Conduct Authority.
As noble Lords may be aware, anyone can write to a credit reference agency to request a copy of their credit reference file. Given the sheer volume of requests that such agencies receive, Section 9 of the Data Protection Act 1998 provides that a subject access request made under Section 7 of the Act will be taken to mean a request for information about the person’s financial standing, unless the person makes it clear that he or she is seeking different information. Very importantly, when responding to such a request, Section 9(3) of the 1998 Act requires the credit reference agencies to provide the person with details about how he or she can go about correcting any wrong information held by the agencies. The process for doing so is set out in Section 159 of the Consumer Credit Act 1974, and the 1998 Act makes reference to it. If personal information held about someone is incorrect or out of date, noble Lords will appreciate that it could lead to that person being unfairly refused credit.
Clause 12 of the Bill simply replicates the provisions in Section 9 of the DPA in relation to handling of subject access requests made under article 15 of the GDPR. If it were omitted without anything being put in its place, this could create uncertainty for consumer reference agencies about how they should respond to a subject access request. It would create uncertainty for data subjects, who would no longer be supplied with guidance on how to update details in their file that were wrong or misleading. As far as we are aware, these provisions have worked well over the last 20 years and we can see no reason why they should be omitted from the Bill.
On that basis, I respectfully invite the noble Lord to accept that Clause 12 should stand part of the Bill.
Lord Stevenson of Balmacara
I am grateful to the Minister for her response. I think we agree that any impact on one’s credit standing is a major issue and that it is really important that we get this right. Although she did not specifically say so, I take it that all the big companies involved in this field were consulted before this measure was put forward. One notices, but does not make any comment, that Equifax is one of the companies concerned—and look what happened to it.
The message coming through is that the DPA 1998 provisions are being reproduced here: there is no intention to change them and people should not be concerned about this. On that basis, I will not object to Clause 12 standing part of the Bill.
Lord Stevenson of Balmacara
My Lords, we have a number of amendments in this group and I want to associate myself with many of the points made on the other amendments by the noble Lord, Lord Clement-Jones. I was only sorry that we did not get round to signing up to more of them in time to get some of the glory, because he has picked up a lot of very interesting points.
We will come to later groups of amendments that deal with a broader concern of effects and moral issues in relation to this Bill. It has been growing on me for a number of weeks now, but one of the most irritating things about the Bill, apart from the fact that it does not have the main clauses in it that one wants to discuss, is that every now and again we come up against a brick wall where there is suddenly a big intellectual jump on where we have got to and where we might want to get to through the Bill, and this is one of them.
This whole idea of automated data and how it operates is very interesting indeed. One of the people with whom I have been having conversations around this suggested that, in processing this Bill, we are in danger of not learning from history in your Lordships’ House and indeed Parliament as a whole, in relation to other areas in which deep moral issues are raised. The point was made, which is a good one, that when Parliament was looking at the Human Fertilisation and Embryology Act 1990 there had been four or five years, perhaps slight longer, of pre-discussion in which all the big issues had been thrashed out both in public and in private—in both Houses and in the newspapers, and in private Bills. There were loads of attempts to try to get to the heart of the issue. We are missing that now, in a way that suggests that it will become a lot clearer when we have discussions later about a data ethics body. I am sure that they will be good and appropriate discussions.
Having said that, the issue here is extremely worrying. We are at the very start of a rich and very interesting development in how computers operate and how machines take away from us a lot of the work that we currently regard as being human work. It is already happening in the world go championship. A computer played the human go champion and beat them easily. Deep Blue, the IBM computer, beat Garry Kasparov the chess player a few years ago. The point is not so much that these things were happening, but that nobody could understand what the machines were doing in relation to the results they were achieving. It is that apparent ability to exceed human understanding that is the great worry behind what people say. Of course, it is quite a narrow area and not one that we need to be too concerned about in terms of a broader approach. But in a world where people say with a resigned shrug that the computer has said no to a request they have made to some website, it is a baleful reflection of the helplessness we all feel when we do not understand what computers are doing to us. Automated processing is one facet of that, and we have to be careful.
We have to think of people’s fears. If they have fears, they will not engage. If they will not engage, the benefits that should flow from this terrific new initiative, new thinking and new way of doing things will be that we do not get the productivity or the changes that will help society as we move forward. We have to think of future circumstances in a reflective way. In a deliberative way we have to think about technical development and public attitudes. It again plays back to the work that was done by Mary Warnock and her team when they were trying to introduce the HFEA. She said, importantly, that reason and sentiment are not necessarily opposed to each other. It is that issue we are trying to grapple with today. The amendments that have been so well introduced by the noble Lord, Lord Clement-Jones, cover that.
The regulatory and legal framework may not be sufficient. Companies obviously have natural duties only to their shareholders. Parliament will have to set rules that make people in those companies take account of public fears, as well as shareholder interests. That approach is not well exemplified in this Bill yet. We need to think about how to allow companies to bring forward new initiatives and push back the boundaries of what they are doing, while retaining public confidence. That is the sort of work that was done on the HFEA and that is where we have to go.
Our Amendment 74 has already been spoken to by the noble Lord, Lord Clement-Jones. It is an important one. There is an issue about whether or not an individual—“a natural person”, as the amendment has it—is involved “in the decision-making process”. We should know that.
“Personal Data Ethics Advisory Board
(1) The Secretary of State must appoint an independent Personal Data Ethics Advisory Board as soon as reasonably practicable after the passing of this Act.(2) The Personal Data Ethics Advisory Board’s functions, in relation to the processing of personal data to which the GDPR and this Act applies, are to—(a) monitor further technical advances in the use and management of personal data and their implications for the rights of data subjects;(b) protect the individual and collective rights and interests of data subjects in relation to their personal data;(c) ensure that trade-offs between the rights of data subjects and the use and management of personal data are made transparently, accountably and inclusively;(d) seek out good practices and learn from successes and failures in the use and management of personal data; and(e) enhance the skills of data subjects and controllers in the use and management of personal data.(3) The Personal Data Ethics Advisory Board must report annually to the Secretary of State.(4) The report in subsection (3) may contain recommendations to the Secretary of State and the Commissioner relating to how they can improve the processing of personal data and the protection of data subjects’ rights by improving methods of—(a) monitoring and evaluating the use and management of personal data;(b) sharing best practice and setting standards for data controllers; and(c) clarifying and enforcing data protection rules.(5) The Secretary of State must lay the report in subsection (3) before both Houses of Parliament.”
Lord Stevenson of Balmacara
My Lords, it always used to be said that reaching the end of your Lordships’ day was the graveyard slot. This is a bit of a vice slot. You are tempted by the growing number of people coming in to do a bit of grandstanding and to tell them what they are missing in this wonderful Bill that we are discussing. You are also conscious that the dinner hour approaches—and I blame the noble Baroness, Lady Hamwee, for that. All her talk of dining in L’Algorithme, where she almost certainly had a soup, a main course and a pudding, means that it is almost impossible to concentrate for the six minutes that we will be allowed—with perhaps a few minutes more if we can be indulged—to finish this very important group. It has only one amendment in it. If noble Lords did not know that, I bet that has cheered them up. I am happy to say that it is also a réchauffage, because we have already discussed most of the main issues, so I will be very brief in moving it.
It is quite clear from our discussion on the previous group that we need an ethics body to look at the issues that we were talking about either explicitly or implicitly in our debates on the previous three or four groups and to look also at moral and other issues relating to the work on data, data protection, automatics and robotics, and everything else that is going forward in this exciting field. The proposal in Amendment 78A comes with a terrific pedigree. It has been brought together by members of the Royal Society, the British Academy, the Royal Statistical Society and the Nuffield Trust. It is therefore untouchable in terms of its aspirations and its attempt to get to the heart of what should be in the contextual area around the new Bill.
I shall not go through the various points that we made in relation to people’s fears, but the key issue is trust. As I said on the previous group, if there is no trust in what is set up under the Bill, there will not be a buy-in by the general public. People will be concerned about it. The computer will be blamed for ills that are not down to it, in much the same way that earlier generations always blamed issues external to themselves for the way that their lives were being lived. Shakespeare’s Globe was built outside the city walls because it was felt that the terribly dangerous plays that were being put on there would upset the lieges. It is why penny dreadfuls were banned in the early part of the last century and why we had a fight about video nasties. It is that sort of approach and mentality that we want to get round to.
There is good—substantial good—to be found in the work on automation and robotics that we are now seeing. We want to protect that but in the Bill we are missing a place and a space within which the big issues of the day can be looked at. Some of the issues that we have already talked about could easily fit with the idea of an independent data ethics advisory board to monitor further technical advances in the use and management of personal data and the implications of that. I recommend this proposal to the Committee and beg to move.
Lord Clement-Jones
My Lords, the noble Lord, Lord Stevenson, has been admirably brief in the pre-dinner minutes before us and I will be brief as well. This is a very important aspect of the debate and, despite the fact that we will be taking only a few minutes over it, I hope that we will return to it at a future date.
I note that the Conservative manifesto talked about a data ethics body, and this is not that far away from that concept. I think that the political world is coalescing around the idea of an ethics stewardship body of the kind recommended by the Royal Society and the British Academy. Whatever we call it—a rose by any other name—it will be of huge importance for the future, perhaps not as a regulator but certainly as a setter of principles and of an ethical context in which AI in particular moves forward.
The only sad thing about having to speed up the process today is that I am not able to take full advantage of the briefing put forward by the Royal Society. Crucially, it recommends two things. The first is:
“A set of high-level principles to help visibly shape all forms of data governance and ensure trustworthiness and trust in the management and use of data as a whole”.
The second is:
“A body to steward the evolution of the governance landscape as a whole. Such a stewardship body would be expected to conduct expert investigation into novel questions and issues, and enable new ways to anticipate the future consequences of today’s decisions”.
This is an idea whose time has come and I congratulate the noble Lords, Lord Stevenson and Lord Kennedy, on having tabled the amendment. I certainly think that this is the way forward.
Lord Ashton of Hyde
I cannot agree with the noble Baroness’s point. However, I accept that that is a possibility and that things will not last for ever. However, in this case we expect to have the proposals shortly and this Government will definitely be around at that time.
Lord Ashton of Hyde
The noble Baroness asked whether it would be enshrined in this Bill. As I tried to explain, it will have a far broader remit than this Bill.
Lord Stevenson of Balmacara
That is a no, then. Oh well, these things happen. You are up one minute and then down. We cannot live like this, can we? However, it is only the Committee stage and we have plenty of time. We can presumably inveigle the Minister into a meeting about this. Not with everyone concerned because that would be too much, but I would be happy to meet him about this on neutral turf if possible. I am fairly confident that we would not want to see the Government voting against a manifesto commitment, which I think I heard him say. We can be reasonably certain that progress can be made on this issue and I wish to signal here our considerable support for that. I look forward to the discussions and beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 13th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Clement-Jones
My Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.
I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.
Lord Stevenson of Balmacara (Lab)
Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.
Lord Ashton of Hyde
We are not transposing the GDPR. It takes direct effect on 25 May.
Lord Stevenson of Balmacara
I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.
Lord Clement-Jones
My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.
Lord McNally (LD)
My Lords, when the famous French long-serving Foreign Minister Talleyrand died and the news was taken to his long-term rival Prince Metternich of Austria, Metternich looked at the telegram and said, “What does he mean by this?”. Some of my friends have a similar reaction to any amendments that carry the name of the noble Lord, Lord Black, but I am not among them. I think that we share a common belief in a free and a vigorous and independent press. He knows that when at Second Reading he referred to the Defamation Act 2013, my ears pricked up, because it is one of the things that I am most proud of from my time as a Minister. With my noble friend Lord Lester as my mentor, we piloted that Bill into legislation. I am certainly very interested in any amendment that would prevent this Bill becoming a backdoor to getting around the protections that the Defamation Act gave to free comment and academic freedom to have peer comment, and so on. The Act has worked—we are no longer considered the libel capital of the world—and there is a great deal more freedom in the academic world for peer comments and criticisms, without the threat of libel actions, which had a chilling effect.
The problem is that this is an alphabet soup of amendments, which the noble Lord, Lord Black, has put forward with great clarity, so we will be able to study what exactly he wants to do and how he wants to do it. I am interested in a number of things; I am interested in the idea, which he quite rightly pointed out, of investigative journalists having to give prior notice of what they are doing, which seems rather counterintuitive to the idea of investigative journalism. I have certainly received that point of view from the BBC and other forms of journal about the effect of that proposal. The noble Lord, Lord Black, is quite right. We have seen only recently the Paradise papers as another example of investigative journalism exposing things that people would rather keep quiet, which is massively in the public interest. He also referred to the number of exposés of care homes, prisons and young offender institutions, all of which are massively in the public interest. It would be wrong to allow the Bill to bring into law provisions that would chill, prevent or curb the great traditions of a free and vigorous press. In the spirit of Committee stage, I would like to look carefully at what the amendments of the noble Lord, Lord Black, seek to do. As he knows, after Second Reading I offered to collaborate with him on amendments but that would probably have been too great a shock to both our constitutions. However, I would certainly be interested to see where we can work together on the broad aim of ensuring that the Bill contains no accidental curbs on the activities of a vigorous and free press and media.
As I have said before, the noble Lord, Lord Black, and his friends would be in a stronger position if the background to this was not one of previous criminality and invasion of the privacy of people who had every right to see their privacy protected. Therefore, there is bound to be a certain scepticism about whether these proposals give overgenerous access to overbroad exemptions. But let us have a look at them and at some of the issues that have been raised in other quarters—as I say, by the BBC and journals that are not members of IPSO that have expressed the concerns raised by the noble Lord, Lord Black. Following that and what the Minister is about to tell us, we can then make judgments about how we shall approach these issues on Report.
Lord Stevenson of Balmacara
My Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
Baroness Chisholm of Owlpen (Con)
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
Charitable Incorporated Organisations (Consequential Amendments) Order 2017
Lord Stevenson of Balmacara Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Hodgson of Astley Abbotts (Con)
My Lords, before we wave this goodbye, I wonder whether I could raise a couple of brief points with my noble friend. The CIO is clearly a very welcome new corporate form. As my noble friend explained, it offers trustees of charities the opportunity to obtain limited liability, where there had been a major disincentive for them in the past, as well as the alternative conversion features that he referred to.
As my noble friend also said, there is now a single statutory regulator for CIOs, the Charity Commission. Its workload will increase as these conversions take place and the number of CIOs increases. I know that it has been proposed to phase in the introduction of CIOs to minimise that additional burden; nevertheless, additional burden there must be. My noble friend will be well aware of the pressure the Charity Commission’s budget has been under as a result of past cuts. I hope he can reassure me and the House that the Government are aware of the additional pressures created by this very welcome new form, which we do not oppose at all; but these are additional straws on the camel’s back and the Government need to bear this in mind as we proceed with giving the Charity Commission further powers and responsibilities.
Lord Stevenson of Balmacara (Lab)
My Lords, I am grateful to the Minister for introducing the order. It may appear slight and not leave much of a shadow, but it is an important step forward on a path that has been charted for the past three or four years. The noble Lord, Lord Hodgson of Astley Abbotts, who knows a thing or two about charities, has kept his light quite well hidden under a bushel, but I am sure he could speak at length about the reasons and thinking behind the measure should it be required. As the Minister said, the order is very narrow, but the next two that come down the track set out slightly wider issues, and it is useful to have the context.
I have only one point to make in general, because having read the documentation and listened to the Minister, I think the regulation has been brought forward in an exemplary way. The department should be congratulated on what it has done and how it has done it, and the Explanatory Memorandum is clear about what we are doing and why.
Our country’s long tradition of charitable bodies being established under trustees who are forbidden from taking any benefit from the work they do is a noble one and should be cherished, and it has served us well in the past. However, it is interesting that the figures provided in the Explanatory Memorandum seem to suggest that that model is not as popular as it was. There may be some regulatory or other issues behind this, but it is striking that some 30,000 charities have chosen to incorporate as a company limited by guarantee and that a large proportion of new charities are choosing this new CIO operation. I should declare an interest, having worked for most of my professional life in charities and run a couple of small ones as well as being involved in large ones.
I can well understand why a CIO structure, with its benefit of limited liability and a corporate personality, is attractive, rather than the individual trustees being involved. However, I wonder whether there is a story behind this. There is a shift away from traditional routes, which may well be appropriate for small charities, particularly ones with a local focus; the bigger risks, the larger fund flows and the worries about public liability suggest that the corporate structures are now the ones to take. This is all by way of introduction to suggesting a closer look at what is happening in the charitable sector regarding structure, and whether there are good reasons for the changes we are observing. I do not expect a response today, but it would helpful at some point to receive a letter, or perhaps have a short debate or discussion of a report. These may be perfectly good and unthreatening reasons, but we should know what they are before we rush towards one model or another.
Lord Hodgson of Astley Abbotts
It might be helpful if my noble friend on the Front Bench could tell us when we are to have a response to the report by the Select Committee on Charities chaired by the noble Baroness, Lady Pitkeathley, because that would provide a vehicle for the sort of discussion that the noble Lord, Lord Stevenson, is suggesting.
Lord Stevenson of Balmacara
Indeed—my final point was to be that we have something waiting in the wings which presumably is the answer and I thank the noble Lord for raising it. That is my main point and there are two minor points around it. The first concerns paragraph 8.6 of the Explanatory Memorandum, which suggests that minor amendments were made as a result of the consultation, which I felt was well handled. Only one is given, which is that this order does not include,
“the requirement for charitable companies to have filed their most recent accounts or reports with Companies House before an application is granted”.
On the other hand, it states:
“We will retain the requirement to refuse an application if a charity is in default”.
This seems to me to be the same thing. Has the Minister any light to throw on it? If a charity has not completed its formal registration, then it will be in default, so I do not know what this adds. I may be misreading it; if so, I will be grateful to be corrected on it.
Finally, those who have followed my long and extensive career in quizzing statutory instruments will know that I am fixated on dates. The date for the introduction of this does not fall within the common commencement dates. I accept that this does not affect business, so it is not necessarily caught by that, but to choose 1 January, a public holiday, for implementation seems a little perverse and I would be grateful for any comments.
Lord Ashton of Hyde
My Lords, I thank both noble Lords for their comments. I shall start with my noble friend. Of course we are aware that there will be some work involved in this for the Charity Commission, and we also acknowledge that it has limited resources. That is why we have agreed with the commission a phased approach to implementation. It has been planning for this for a number of years and has IT processes and support systems in place. I remind noble Lords that the Charity Commission received an £8 million investment in 2015 to support its transition into a modern, effective regulator and we believe that it has made very good progress. Work is under way within government to explore future funding options, including bringing the Charity Commission more into line with the model of other regulators. All options regarding the future funding model will be properly considered by the Government and will be subject to public consultation before any changes are made.
I am grateful to the noble Lord, Lord Stevenson, for his kind words about the preparation of this order, for which I take no credit, but the DCMS team, which does, will be very pleased: I think it is merited. I take his point about the issues more generally about charities. I agree with my noble friend Lord Hodgson that the report by your Lordships’ Committee on Charities, Stronger Charities for a Stronger Society, is awaiting a response. I can say that that will be coming soon, and soon means soon in this case.
Lord Ashton of Hyde
I have spent a long time at this Dispatch Box debating what “soon” means, and “very soon” and “imminent”, but in this case it is soon. My noble friend Lord Hodgson said there are opportunities in that response. I think it will be worth reading. I am sure that in due course the business managers will arrange a debate on the report.
My noble friend did not mention, but the noble Lord, Lord Stevenson, did, that he was responsible for the statutory review of the Charities Act 2006. The Law Commission’s report, which was published in September, examined a range of technical changes in charity law, many of which my noble friend posited in his statutory review. We welcome the Law Commission’s report and we will respond formally in due course. I expect, but cannot guarantee, that our response will be positive. The challenge is likely to be securing a legislative slot, which may take some time.
The noble Lord, Lord Stevenson, asked why we chose 1 January. I can only assume—if I am wrong on this, I will confirm it—that it was because it is the beginning of the new year and we decided that would be a good time. He asked one more, rather technical, question, and I do not have an answer to it. I will certainly write to him.
As I explained, the order provides a right of appeal for community interest companies. The rest of the package will be laid if the order is agreed to. I commend it to the House.
Data Protection Bill [HL]
Lord Stevenson of Balmacara Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Stevenson of Balmacara
My Lords, I rise to speak to another rather wide-ranging group, in terms of numbers, although I think we will find the amendments are a theme and variation on an issue that will run through not just this Bill but a number of Bills to come. I refer to secondary legislation and powers in the future when it is necessary for the Government of the day to try to change that which has been set down in primary legislation in the past.
Amendment 22, which kicks this off, is taken very largely from the report of the Delegated Powers and Regulatory Reform Committee. I make no apology for that. I think it is a very good report, as always, from that committee which does a fantastic job on what we are doing. I think I am probably interposing in a dialogue that may be carrying on out of our direct ken since normally in this matter one would get a memorandum, which I think we have seen, and I thank the Minister and the Bill team for that. The first response from the Delegated Powers and Regulatory Reform Committee will make some comments and I think it likely that the Minister and his colleagues will respond to that. We are only in the early stages, so I suspect we are a bit previous on this point.
However, this is an issue of some substance that may well be in all the Brexit-related Bills soon to arrive in your Lordships’ House, which suggests that we might just have a quick canter around it at the moment.
In preparing for this particular area, I had thought that we would just stick with Clause 9, but I was drawn into also putting in Clause 15, because there is an interesting point here that I wanted to raise with Ministers. The noble Lord, Lord Whitty, the noble Baroness, Lady Jones, and the noble Lords, Lord Clement-Jones and Lord Paddick, have had less restraint, and therefore we are covering quite a large number of the issues raised by the DPRRC. I look forward to hearing the response and to the wider contributions from those who have tabled amendments in this group.
The main theme that seems to run through this is what the committee says in paragraph 20 of its recent report, that,
“we take the view that the memorandum does not adequately justify the breadth of the power in clause 9(6) of the Bill, and that it is inappropriate for Ministers to be given carte blanche to rewrite any or all of the conditions and safeguards in Schedule 1 by regulations in order ‘to deal with changing circumstances’ instead of bringing forward a Bill”.
The committee then slightly changes its position by recognising that currently this is under the affirmative procedure, quite a strong measure to have in play in legislation, and suggesting an alternative approach:
“It may be appropriate … for Ministers to have a more focused power enabling them to update specific paragraphs”.
Maybe that is a line the Government will take. The essence of this is Henry VIII powers—how egregious they are and how bad it would be in future to come across them. At the same time we have to balance that against the obvious need, particularly in this Bill—as we have already discussed we are talking about fast-moving technology, although it applies in other areas—for some flexibility on the part of the Government of the day to bring forward amendments and changes as and when required. It is a balance and has to be struck properly, but the first shots in this have tended to be that Ministers are too aggressive. We await further discussions, but that is the ground which we will be traipsing around.
Amendment 106A relates to Clause 15(1)(b), at line 44 on page 8, which talks about,
“the power in Article 23(1) to make a legislative measure restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest.”
I take this to be a quote from the GDPR. It is therefore couched in language which I think would be unexceptional if we were transposing the GDPR into the Bill, but of course we are not, and we are not allowed to amend it. The question really is what a legislative measure is. This is not a rhetorical question, because I would like an answer. In our system, as I understand it, Secretaries of State bring forward legislation in the form of a Bill. If they are not doing that, they bring it forward in secondary regulations. But a legislative measure has no apparent meaning in terms of the work we do—maybe the Minister will confirm that this is perfectly right. But for the moment, this probing amendment not only underlines the point made by the DPRRC in relation to the power in Clause 15 but is also about the particularity of the language used. I beg to move.
The Deputy Chairman of Committees (Lord Faulkner of Worcester) (Lab)
I remind the Committee that if this amendment were to be agreed, I would be unable to call Amendment 22A for reason of pre-emption.
Baroness Chisholm of Owlpen (Con)
My Lords, I welcome this opportunity to set out the Government’s position on various delegated powers contained in the Bill, which have been the subject of recommendations by the Delegated Powers and Regulatory Reform Committee. The Government are very grateful to the committee for its usual thoroughness in examining the delegated powers in the Bill, but I should begin my remarks by saying that the committee’s report, which ran to some 20 pages, was published only on 24 October, so we are still considering its conclusions and recommendations. The range of views expressed in tonight’s debate will be further input into that process.
The current Data Protection Act has stood firm for almost 20 years. This one will be in danger of lasting barely two if we start striking out the delegated powers contained within it. As the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, said, such is the pace of change in this area that we need to keep up with what is going on. Furthermore, new forms of data processing not yet dreamed of will have been designed, developed and deployed even before the Bill reaches Royal Assent. It is essential that the law can keep up.
It is also worth reminding ourselves that the Government have taken the opportunity to include directly in the relevant schedules numerous provisions which had previously been included only in secondary legislation. The noble Lord, Lord Stevenson, has been extremely busy, and has taken the opportunity to table more than a dozen amendments to Schedule 1 alone. We will of course turn to those shortly.
That said, the Government recognise that there is tension between the need to provide for appropriate future-proofing of legislation, such as provided for in Clauses 9, 15, 33, 84 and 111, and the need to ensure proper parliamentary scrutiny of the resultant delegated powers. It follows that we are open to constructive suggestions as to how provisions in the Bill can be improved and, obviously, that includes its regulation-making powers.
I have listened with care and interest to the case put forward by my noble friend Lord Arbuthnot, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for the application of the super-affirmative procedure. I am also grateful to the noble Lord, Lord Whitty, for reminding us that data subjects, not just data controllers, have an interest in the proper application of these powers.
I am sure that noble Lords will agree that the amendments before us should be considered in the context of the broader recommendations of the Delegated Powers and Regulatory Reform Committee report. As I said earlier, the process of considering these issues is still ongoing, but I am more than confident that it will conclude in time for the Bill’s next stage.
Before I conclude, I think that the noble Lord, Lord Stevenson, asked what was meant by “legislative measure”. Clause 15(1)(b) uses the term “legislative measure” to reflect the wording used in Article 23 of the GDPR. Recital 41 makes clear that a legislative measure would include an Act or statutory instrument. I hope that that answers the question.
I therefore humbly invite the noble Lord to withdraw his amendment on the understanding that we will return to this important issue on Report.
Lord Stevenson of Balmacara
I thank all noble Lords for their contributions; we have had a very good go at this, which has raised all the big issues. The Minister made a positive response, with a sideswipe at me for being too active on the amendment front; but that is what we do, and we expect Ministers to be able to deal with them without too much worry. We are enjoying this debate and will have lots of things to come back to on Report because of the interesting points being made.
However, on this issue, we are slightly narrower. The Government have got themselves into a bit of a hole here. I appreciate the wider context, and the point has been very well made. It seems to me that there are three options. They can tough it out and just say to the DPRRC that it has stepped too far from where they want to be and this is the only way forward. They can follow the DPRRC and find amendments that they can bring back on Report—I think the Minister was talking about Report; later than that would be too late. We are talking here about narrower powers to define down the areas within which discretion is operated. To follow the point made by the noble Baroness, Lady Neville-Jones, and the noble Lord, Lord Arbuthnot—I think this is my noble friend Lord Whitty’s concern and is shared widely around the House—the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation, or legislative measures, as we now call them.
The helpful suggestion, backed up by the noble Lord, Lord Clement-Jones—that we should have a super-affirmative measure when matters are almost of the status of requiring there to be primary legislation, but for which flexibility requires a lesser measure—seems to be the way forward. A very little research shows that “super-affirmative” has many meanings. That chosen by the noble Lord and the noble Baroness, Lady Neville-Jones, is one of about seven or eight. The Public Bill Office has published a table which noble Lords can pore over at leisure and find themselves completely confused at the end about the best route forward. I am sure the clerks will guide us as we go forward down that route. However, the best seems to be the one that provides for amendments to be made to the measure that is being considered before the vote. That is the sensibility which is being assembled around the Committee, and I hope that the Government will take it away and do it.
The noble Lord, Lord McNally, is right: there is a possibility here of a constitutional car crash. It is not restricted to this Bill, and no noble Lords who have spoken in this debate would want it to be taken, sui generis, to this Bill. It has to be taken more widely, because it is a much bigger issue. On the other hand, this provides an opportunity to go forward. In the meantime, I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 6th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Lord Puttnam (Lab)
My Lords, I support this amendment and apologise to the Minister and the House for not being present at Second Reading as I was overseas. However, my noble friend Lady Jay more than adequately set out some of my concerns around Part 5 of the Bill. However, this is also a very important amendment. In the debate initiated by the noble Baroness, Lady Lane-Fox, on 7 September, the noble Baroness, Lady Kidron, said:
“There is an awkward tension in having a technology that is able to help us to confront our societal needs … and a corporate culture that aggressively balks at … long-term societal responsibilities”.—[Official Report, 7/9/17; col. 2118.]
In the end, that is precisely what this comes down to. The noble Baroness, Lady Harding, made a very important point a little earlier. She referred to barriers to entry being used by corporations to not do the things that they should do, and at the time they should do them.
Today is the 20th anniversary of my entering your Lordships’ House and, if I had to count the number of times I have been told that barriers to entry are the reason for not doing something, we would all be here all day. I well remember the noble Lord, Lord Oxburgh, who is in his place, and I having a meeting with the then Ministers for Energy and being told that “barriers to entry” were one reason that the large energy companies could not do the things that we suggested they might do at the time. Therefore the idea that the Silicon Valley companies have not reached a sufficient size or sophistication to be able to carry out the de minimis changes to their platforms—the effect of the amendment which the noble Baroness, Lady Kidron, set out so beautifully—is a nonsense. Please can the noble Lord, Lord Ashton, beg Matt Hancock, the Minister, to put to one side any more arguments about unacceptable barriers to entry being raised by this and indeed other amendments on the same subject?
Lord Stevenson of Balmacara (Lab)
My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.
I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.
Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.
The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.
I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.
At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.
The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.
The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.
The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.
I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.
The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.
Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.
We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.
Lord Ashton of Hyde
I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.
Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.
I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.
First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.
Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.
Lord Stevenson of Balmacara
I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.
Lord Puttnam
My Lords, I add my voice to that of the noble Baroness, Lady Kidron. President Clinton memorably said that the first step in solving a problem is recognising there is one. If anyone does not believe there is one, we rehearsed some of it in the previous debate; I would also advise them to watch two very recent TED Talks by Zeynep Tufekci and Sam Harris. If, having seen these, they can convince themselves there is not a serious and urgent problem, then their judgment is very different from mine.
I will speak for a couple of moments on this because I regard it as a very significant issue. Karl Marx—who knew a thing or two—said that if you change the dominant mode of production that underpins a society, the social and political structure will change, too. I believe we have changed the fundamental mode of production that underpins society. It is now called digital. We have to address that and we are not addressing it anything like seriously enough. There are two issues I would like to raise, and if there is a note of frustration in my voice, I apologise.
In 2003, through very torturous processes in this House, we managed to persuade the then Labour Government to impose a duty on Ofcom—and I spend most of my life defending Ofcom—which was very clear; it was laid out by the noble Baroness, Lady Jay, at Second Reading. Ofcom was given the specific duty of promoting media literacy. The wording was that Ofcom was required,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”,
and,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
Fifteen years later, in respect of these duties, Ofcom has wholly failed. By taking a very narrow, technical view of its responsibility, it has done almost nothing to promote notions of digital literacy in the electronic media. If we are not careful, the same will happen in the digital world. The noble Baroness, Lady Lane-Fox, used a much better phrase than “digital literacy”. She used the phrase “digital understanding” in a recent debate in your Lordships’ House. That is really what this is about.
To emphasise something that the noble Baroness, Lady Kidron, said, this is all about data. Ten days ago in Los Angeles, Lachlan Murdoch—who I think also knows a thing or two about this business—said the following:
“We’re in the beginning of an incredible transformation … we’re in the first months of something that will have a multi-decade life and future. Businesses that have large data sets and robust data sets will be the companies that win in the future”.
Every company in Silicon Valley and every communications company in the world knows that. This is why this is such a fundamental issue.
To my delight and surprise, the Italians appear to have picked up on this. In the New York Times of 18 October there is a long piece about a new law that was passed on 31 October by the Italian parliament that entirely acknowledges that young people have to have a far greater understanding of the modes of information, the nature of information and the ramifications of information than is presently the case. Some 8,000 schools in Italy are now receiving instructions on how to get across to children the seriousness and importance of, first, the manner in which they give and use their data and, secondly, the means by which they are informed.
Finally, in a very recent book Move Fast and Break Things by Jonathan Taplin, a man I happen to know, he says:
“Part of our role as citizens is to look more closely at the media surrounding us, think critically about its effects, and whose agenda is being promoted”.
I put it to your Lordships that every single front page of every newspaper over the past four months has made this extraordinarily evident. In the words of the noble Baroness, Lady Lane-Fox, we are “sleepwalking” into a situation over which we have little control and of which the companies that do have control are not taking sufficient notice. As proved by the Communications Act 2003, you can crunch out the best possible wording and it is still possible for that wording to have absolutely no lasting effect on society as a whole.
Lord McNally (LD)
My Lords, my name is also on this amendment. It is a great pleasure to follow the noble Lord, Lord Puttnam, who has championed these issues for 20 years or more. It is worth while having a reality check for ourselves. One of the good things about the House of Lords is a certain continuity. I was in this House for the Data Protection Act 1998, which we are now reviewing, and for the Communications Act to which the noble Lord, Lord Puttnam, referred, and I served on his committee. We had no idea what revolution was coming our way. Indeed, in the Communications Committee, we were asked not to look at the internet; it was for the future. If we think about what has happened in those 20 years, what on earth is going to happen in the next 20, when we are reliably told we are on the verge of a fourth industrial revolution driven by data?
We were quietly asked by the noble Baroness, Lady Kidron, not to include this amendment in the previous group in case the whole thing became hijacked by a debate about education, and she was shrewd in that, but it was useful that she pointed out—I love this point—that data literacy should be as important as the three Rs as a core competency for the 21st-century child. If we are going to achieve that, we have to get out of the silo mentality: “It’s not our job, it’s the Information Commissioner’s job”; “It’s the Department for Education’s job”; “It’s DCMS’s job”. Somebody has to take responsibility for what we are saying because it is one of the great challenges.
There is a danger, particularly in a House of this age group, that we overestimate the capacity of the young. We all have our anecdotes about our grandchildren or our children being able to work the gadgets that we cannot work, but that does not mean that they have the competence or the maturity to make proper rational, responsible decisions about some of the factors that come within their ambit with this new technology. My noble friend Lord Storey referred earlier to a story in today’s paper about the increase in sexting among young children. We also know the extent of cyberbullying that goes on between children and about the naivety of children in being willing to reveal personal information online. Navigating the digital world is very complex.
The noble Lord, Lord Lexden, is in his place, and I am always worried about quoting history, but when the reform Act was passed in 1867, somebody said, “We now must educate our masters”, and that brought about the Elementary Education Act 1870. Nobody can now be in any doubt about the enormity of the task of preparing the whole population, but especially our children, to handle the new powers that are coming down the track at us. Educating for digital is one of the most important tasks facing us. I enjoyed and appreciated the way the noble Baroness, Lady Kidron, delivered her amendments. She made the point that that education is not to make this generation of children able to fit into the needs of Silicon Valley; it is to give them the power to make sure that Silicon Valley responds to their needs as citizens. That is the task that this amendment is trying to promote.
Lord Lucas (Con)
My Lords, I will speak briefly to support this amendment and particularly what the noble Lord, Lord McNally, has just said. We are asking our children to take on a whole set of responsibilities for which we, let alone they, are not prepared. The social consequences of social media and how to handle them produce enormous stresses on friendship. As for where this amendment is directed, there are also the consequences for children in the way their data are gathered and used, which we do not understand. The House of Lords can now track where each of us was geographically over the last month. It is all on our phones. A complete record is kept unless you happen to have turned it off. When did we give permission for that? If we cannot handle it, how can we expect our children to be able to handle it?
It is also quite clear that the sort of middle-range teenagers—14 and 15 year-olds, boys in particular—are living in a world of extreme pornography, in quality and content, that is quite unprecedented. What effects we can expect that to have on relationships between the genders when they get through to university and life afterwards I do not know. We cannot abrogate our responsibility to make sure that children are looked after properly and that we are not exposing them to amoral companies—I am not aware that any of these companies have a deep moral sense, whatever they may claim. We entrust their upbringing and education to that, but we care very much about their mental health, their sense of society, their sense of relationship to each other and the qualities that they will bring to the world as young people. We ought to be doing something about it in schools. We probably need a bit of thought as to what that should be, but we absolutely should not be doing nothing.
Lord Stevenson of Balmacara
My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.
This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.
However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.
The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.
I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.
Data Protection Bill [HL]
Lord Stevenson of Balmacara ExcerptsMonday 30th October 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-I(Rev)(a) Amendment for Committee, supplementary to the revised marshalled list (PDF, 58KB) - (30 Oct 2017)
“( ) Section (Right to protection of personal data) makes provision for a general right to the protection of personal data.”
Lord Stevenson of Balmacara (Lab)
My Lords, in moving Amendment 1 in my name I shall speak also to Amendment 4A, which I hope the Government will agree is consequential. We now commence seven days in Committee on the Bill in your Lordships’ House with a simple amendment. It sets out a principle that we think is important enough to ensure that it is at the heart of the Bill. As in all Committee debates, Her Majesty’s loyal Opposition hope to engage the Government on issues of both principle and detail, and thereby improve the Bill by the time it leaves this House. As witness to our willingness to work with the Government, we have been reading the rather florid statements that the Government put out over the weekend and have tabled an amended version of our Amendment 4 in manuscript, which I gather significantly reduces the gap between us and the Government on a number of key points. But we will not resile from ensuring that the principles which underpin this Bill are securely in place.
As we made clear at Second Reading, we broadly support the Bill but we cannot ignore the fact that if the European Union (Withdrawal) Bill receives Royal Assent as it currently stands, it will remove rights which the people of this country currently enjoy, care deeply about, and are essential to UK business going forward. We think that the status quo has worked well for the UK up until now, so if it is not broken, why change it? I hope that the noble Lord has a convincing argument to make on this point when he comes to respond.
Much has already been said in your Lordships’ House about how complicated this Bill is. It has to deal with a fast-growing and crucial part of our economy and the pace of technological change will create services that we cannot even imagine today. Legislating for this is complicated, but getting the principles right is the key here. It gets even more complicated. The Bill deals with the situation that will obtain after the general data protection regulation is implemented across Europe on 25 May 2018. It provides for the period from that date until such time as the UK leaves the EU and it covers the period after that when what is called the “applied GDPR” will become the law of the land. It has been remarked on that all this is happening without Parliament actually scrutinising the basic text. I suggest again that principles are the key.
One of the key principles which underpinned earlier data protection legislation is Article 8 of the EU Charter of Fundamental Rights. It is indeed the basis of much of what is in the GDPR and applies to the whole of the EU, but when we try to find references in the Bill to the right to privacy and to the protection of personal data which Article 8 guarantees, they are not mentioned explicitly. We believe that the Government approach is wrong for three reasons. These principles matter and have been the subject of recent decisions in the courts, not least the one mounted by the Secretary of State for Exiting the European Union when he was David Davis MP, along with Tom Watson MP. Secondly, the removal of the right to protection of personal data risks weakening, or being perceived as weakening, UK data protection post Brexit. That may have significant consequences for UK data processing businesses, a point that I want to come back to.
The third reason is a broader point, one that the Government do not seem or perhaps do not want to get: rights and specific law act together to make a whole that is greater than the sum of the parts. If we were continuing in our membership of the EU, the fact that the Bill does not explicitly cover our rights to privacy and protection of our personal data might not matter because the EU Charter of Fundamental Rights would continue to be in force and individual data subjects such as Mr Davis and Mr Watson could rely on it if required. But while the EU withdrawal Bill currently in another place contains thousands of provisions that will be converted into our law, only one provision has been singled out for extinction—the EU Charter of Fundamental Rights. This omission from the Data Protection Bill really does matter because as well as underpinning personal rights to privacy, the wording of Article 8 will in effect be right across the rest of Europe and underpinning the legal framework permitting the free flow of data across European borders. It is the removal of the references to Article 8 that will provide a significant and totally unnecessary risk when the time comes for the EU to assess whether our regime is essentially equivalent to the rest of the EU, because that will be the test.
It is common ground among all the parties that it is essential that immediately after Brexit, the Government should obtain an adequacy agreement from the Commission so that UK businesses can continue to exchange personal data with EU countries and vice versa. If we are unable to reach such an agreement with the EU, there will be no legal basis for the lawful operation of countless British businesses and there will also be a significant question of whether EU companies will be able to trade with us if we do not enjoy the Article 8 protections that they will have. That, in fact, is double jeopardy. The Government seem to have forgotten that the frictionless transfer of data is critical to the functioning of our economy. Roughly 70% of the UK’s trade and services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens regularly share their lives online. To operate, UK businesses require clarity on the legal basis for data transfer post Brexit, but so do EU companies.
The rights outlined in our Amendment 4A are at the cutting edge of global data protection law and are essential for our tech industry in the UK. Indeed, the wording of the amendment was suggested to us by techUK, which is the industry voice of the UK tech sector, representing more than 950 companies, which collectively employ more than 800,000 people. That is about half of the tech jobs in the United Kingdom. If compliance with the Charter of Fundamental Rights is required to secure regulatory harmony and thus business confidence, the Government’s commitment to jettison these references in the charter appears rather odd.
Finally, concerns have been raised as to whether the amendment, even as redrafted, cuts across the GDPR. This is not the intention. The amendment does not undermine the role of the GDPR or the derogations to the GDPR set out elsewhere in the Data Protection Bill, which we support.
We will listen very carefully to the debate. I make it clear that we hope the Government will agree that the principles we outline in these amendments are important and will offer to work with us to make sure the Bill is amended on Report to achieve the objectives I have outlined. I beg to move.
Lord Stevenson of Balmacara
My Lords, I thank all those who have contributed to this debate—at some personal cost, I understand. There are points that we will certainly reflect on as we read Hansard.
I shall start with a slightly unusual point. I want to commiserate with the Minister for the unfortunate loss of his data just before he came into the Chamber this afternoon. His speaking notes and apparently much other data were stolen from him. That just shows the sorts of difficulties that one has with data, privacy and the issues that we have been talking about. I am surprised that he did not mention it, but he did not and I can only assume that things have worked out all right. However, if he wants help in drafting the personal victim statement, we will be very happy to meet him outside the Chamber on a number of occasions if that will be of assistance.
I do not have much luck with my drafting. I seem to recall being in this place only a few months ago and being coruscatingly attacked by a Cross-Bencher who thought that I had got a lower second with an amendment that I put forward to the higher education Bill. Mind you, I had quite a good result on that Bill. It was amended on the first day in Committee and that seemed to concentrate the minds of Ministers rather effectively. Therefore, I do not agree with those who have felt that this is a constitutional absurdity. In this House we have always reserved the right to vote “inappropriately” at any point, and Committee is one of those occasions. I am not saying whether we will do that today; I am just saying that it is not barred and it often has a purpose to serve.
However, the general tenor of the responses has been that we should not rush this. I was particularly pleased that the Minister suggested that we should meet outside the Chamber to discuss this issue, possibly reach agreement on it—those were his words—and perhaps come back on Report. I should remind him that Amendment 4 was tabled three weeks ago and no invitation to such a discussion reached my ears, so I am a bit surprised. The amendment was published and was available, and it could have been discussed. The fact that we are not going to move it today is slightly irrelevant but it raises all the issues that we are now engaging with. Indeed, at the meeting only last week, we did not really get on to the discussion about what we are about—we talked about other matters.
However, I do not want to fall out with the Minister because I enjoy working with him. Six Bills may seem a lifetime to many people but it has been a time enlivened by the ability to talk inside and outside the Chamber and to reach agreement. I hope that that is a genuinely meant proposal and, if it is, I will consider it very carefully.
My noble and learned friend Lord Goldsmith pointed out a really important issue. As I said in my speech—he picked it up and exemplified it—in order to achieve what the Government want to do, we need a combination of the rights that exist and the statutes that deliver the particularities of the issues concerned. I take on board all the points that have been made about drafting and the inability to do so, and I will reflect on those. However, if we have the right objective, which is to ensure that that balance is available to the people of the United Kingdom and that it will support our businesses in the future, surely we have a duty to make sure that it is delivered to a final conclusion and, if necessary, voted on.
In passing, I observe that it is interesting that the Minister had to resort to the recitals to the GDPR to be convincing about the fact that the GDPR has the effect of bringing the rights in the charter into the discussions about data processing. That is amusing because one very striking thing about the regulation, apart from the fact that we do not have it in front of us to discuss it, is that, in the form in which it will appear in law in the United Kingdom at the end of this process, the recitals will not be part of it. Therefore, his reliance on them is ironic to the point of being rather difficult to accept, but he made points of substance, so I think we will move over that.
Despite the rightful criticisms, there is a general feeling across the Committee that we need to do a bit more work on this. I think that we are on to something that is important enough to spend time on, and we are prepared to do that. We do not think that we are in a muddle on this—we think that there is an issue—but I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Stevenson of Balmacara Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
“( ) does not apply in the course of an activity which falls outside the scope of EU law.”
Lord Stevenson of Balmacara (Lab)
My Lords, in moving Amendment 5, I will also speak to Amendment 6. Both are in my name. I will respond later to Amendment 115, which is in the same group but was tabled by other noble Lords. Amendments 5 and 6 are probing amendments to try to tease out what appears to be a change of definition between various parts of the Act.
Amendment 5 relates to page 3 and Clause 3(1), (2) and (3) in Chapter 1, which raise concerns about what exactly is happening with the arrangements. It is easier if I read out the two subsections concerned. Clause 3(2) states that:
“Chapter 2 of this Part … applies to the types of processing of personal data to which the GDPR applies by virtue of Article 2 of the GDPR”.
That is the question I want to peruse, because later in the Bill, on page 11, Clause 19(1)(a) refers to activities which operate. This amendment is a probing one to try to tease out an answer that we can read in Hansard so as to know what exactly we are talking about. It may appear to be a narrow difference or nitpicking, but “an activity” is a very broad term for anything in relation to data processing and contrasts with the narrow way in which Clause 3(2)(a) talks about “types of processing”. Are these the same? If they are not, what differentiates the two? If they are different, why have we got different parts in different areas of the Bill?
Amendment 6 relates to page 3, line 31. This question of definition has come up in relation to Chapter 3 of the part. I understand this to be more of a recital, if I may use that word, than a particular piece of statute and it may not have normative effect, if that is the correct terminology. Clause 3(3)(b) says that the part to which this applies,
“makes provision for a regime broadly equivalent to the GDPR to apply to such processing”.
What is “broadly” in this context? Maybe I am obsessed with the use of English words that have common meanings, but again it would be helpful to have a bit more information on the definition from the Minister when he responds.
Perhaps more than the “quite” used in response to an earlier amendment, this has not got transatlantic resonances, but it is important in questions of adequacy in any agreement we might seek with the EU in the future. “Broadly equivalent” carries echoes of an adequacy agreement, which would assert that the arrangements in the two countries concerned—the EU on the one hand and the third country on the other—were sufficiently equivalent to allow for future reliance on the processes in the third country to be treated as appropriate for the transfer of data into and from, in relation to future industrial processes.
We are aware that an element of legal decision-making arises, which might change that “broadly equivalent” to a higher bar of requirement in the sense that the court is beginning to think in terms of “essentially equivalent”, which is very different from “broadly equivalent”. Again, I would be grateful if the Minister could respond to that. I beg to move.
Lord Clement-Jones (LD)
I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.
Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.
Recital 80 of the GDPR explains the role of the representative:
“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?
Lord Clement-Jones
My Lords, I thank the Minister for that interesting exposition, which ranged from now into the future. He has given a vision of the post-Brexit shape of our data protection legislation. Extraterritoriality will apply even though the language used may be that of the applied GDPR as opposed to the GDPR itself—just to be confusing, perhaps as much as the Minister confused us.
I want to be absolutely clear that we are not derogating from the GDPR in extraterritoriality. That seems to be the nub of it. The Bill makes changes to the applied GDPR—I would like to read in Hansard exactly what the Minister said about the applied GDPR because I did not quite get the full logic of it—but there is no derogation in the GDPR on extraterritoriality. It would be helpful if he could be absolutely clear on that point.
Lord Stevenson of Balmacara
Perhaps the Minister will respond to that because I, too, am troubled about the same point. If I am right, and I will read Hansard to make sure I am not misreading or mishearing what was said, the situation until such time as we leave through Brexit is covered by the GDPR. The extraterritorial—I cannot say it but you know what I am going to say—is still in place. Therefore, as suggested by the noble Lord, Lord Clement-Jones, a company operating out of a foreign country which was selling goods and services within the UK would have to have a representative, and that representative could be attached should there be a requirement to do so. It is strange that we are not doing that in the applied GDPR because, despite the great improvement that will come from better language, the issue is still the same. If there is someone that our laws cannot attack, there is obviously an issue. Perhaps the Minister would like to respond.
Lord Ashton of Hyde
Quite apart from the get-out that Clause 3 is only a signposting, I can confirm that we are not derogating from the GDPR. We intend to apply GDPR standards when we leave the EU, so we are not derogating from the GDPR on extraterritoriality.
Lord Stevenson of Balmacara
This concerns Amendment 115, which is to a substantial part of the Bill; it is not the issue raised by the amendment I introduced. We are talking about page 158, line 34. Perhaps it would be better if I requested a letter on this point so that—again, I cannot say the word—does not bog us down.
Lord Stevenson of Balmacara
Isn’t he so smooth? Unfortunately, I bet Hansard does not print that. However, extraterritoriality is important because it represents a diminution of the ability of those data subjects affected by actions taken by those bodies in terms of their future redress. It is important that we get that right and I would be grateful if the Minister could write to us on that.
I am satisfied with what the Minister said on Amendments 5 and 6. I am grateful and beg leave to withdraw the amendment.
Lord Clement-Jones
My Lords, I thank the noble Baroness for introducing these amendments in not too heavy a style, but this is an opportunity to ask a couple of questions in relation to them. We may have had since 20 October to digest them; nevertheless, that does not make them any more digestible. We will be able to see how they really operate only once they are incorporated into the Bill. Perhaps we might have a look at how they operate on Report.
The Bill is clearly a work in progress, and this is an extraordinary number of amendments even at this stage. It begs the question as to whether the Government are still engaged in discussions with outside bodies. Personally, I welcome that there has been dialogue with the insurance industry—a very important industry for us. We obviously have to make sure that the consumer is protected while it carries out an important part of its business. I know that the industry has raised other matters relating to third parties and so on. There have also been matters raised by those in the financial services industry who are keen to ensure that fraud is prevented. Even though they are private organisations, they are also keen to ensure that they are caught under the umbrella of the exemptions in the Bill. Can the noble Baroness tell us a little about what further discussions are taking place? It is important that we make sure that when the Bill finally hits the deck, so to speak, it is right for all the different sectors that will be subject to it.
Lord Stevenson of Balmacara
My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
Baroness Chisholm of Owlpen
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
Lord Stevenson of Balmacara (Lab)
My Lords, I do not need to say very much about our amendments in this group because they overlap to a great extent with what has just been said by the noble Lord, Lord Clement-Jones. I should not really delay the House as it is anxious to get on to other business, but the noble Lord made an interesting comment about the response that might come from my noble friend sitting to my right. In our Whips’ Office we have a regular problem, because Ray Collins and Roy Kennedy are, confusingly, always called Roy Collins and Ray Kennedy. I have never actually heard them be confused when called by their surnames, so we have had a first today. It is always nice to see firsts in our rather dull and restricted life—it is time for dinner.
This is quite an important amendment, and the noble Lord, Lord Clement-Jones, has made the case very well. When I was looking through the Bill and trying to come up with a sense of narrative that we could use here, I wondered about the introduction of “substantial public interest”, which predates this Bill significantly. It appears in the 1998 Data Protection Act but it was not challenged there. It felt to me like a mistranslation—a sort of anglicisation gone wrong, because there should not be gradations of public interest. A matter is either in the public interest or it is not: it should not have to be qualified by the word “substantial” to get it to a different level of concern or consent. In that sense, maybe “substantial” just means of greater sensitivity, rather than more important and therefore to be restricted. I should be grateful if the Minister reflected on that when responding.
I share the concern that the noble Lord, Lord Clement-Jones, raised in his first amendment. By and large, the Bill is pretty good at tying down where there is flexibility and where there is not, but here, the terminology seems very loose. We can understand what Clause 7 means, but the idea that it would be relatively easy to extend and adapt the list in subsections (a) to (d) is quite worrying. If that is to stand, and the defence says that it is reasonable in the circumstances to have such wording, we need to understand the powers under which that list could be adapted or amended. Are they to be found in the Government’s ability to seek regulatory approval, or will it be done in some other form? We ought to know the answer to that.
Since we are back on codes, as mentioned by the noble Lord, here is a code that it is really important to have before we get to Report. I would be grateful if the Minister confirmed that that will be possible. I understand that the issue is not in his hands, because the Information Commissioner will be the person responsible. However, given that the terminology in the Bill will have an impact right across our statutory provisions regarding what is or is not in the public interest, and if this is the long-awaited guidance and the substitute for a proper definition in statute, it is very important that we have it in time to discuss it on Report.
Lord Patel (CB)
My Lords, I speak to Amendments 11 and 13, in the name of the noble Lord, Lord Clement-Jones, and Amendment 154, in the name of the noble Lord, Lord Stevenson of Balmacara, and to which I have added my name in support.
When I first read the amendments tabled by the noble Lord, Lord Clement-Jones, I was concerned because I thought them quite restrictive. Now that he has spoken to them, I can see that he intended them to be wider, so I apologise to him that I did not have the opportunity to speak with him beforehand, so that I would have had that clarification. None the less, having said that, I am concerned that the amendment would restrict the interpretation of,
“a task carried out in the public interest”,
and a narrow list is set out in Clause 7(a) to (d). That is a major concern for universities and other institutions involved in research.
It is absolutely important that universities and other public bodies that carry out research functions are able to use,
“task carried out in the public interest”,
as a legal basis for processing personal data. Restricting this clause to apply only to those functions listed in paragraphs (a) to (d) would instantly make all processing of personal data carried out for research purposes with a university illegal. That is unless it could meet the stringent requirements of GDPR-compliant consent, which I will speak to on an amendment in the group that follows.
None the less, providing further clarity through regulations would ensure that “public interest” was not used as a catch-all for public bodies, negating the incentive to restrict the definition in the Bill in the way proposed by this amendment. I have no doubt that we will have a discussion and that the amendment is not intended to be so restrictive. I look forward to the Minister’s summing up.
I support Amendment 154 in the name of the noble Lord, Lord Stevenson of Balmacara. However, under the GDPR, all users and controllers of data will need to be much clearer about the legal basis that they use to process personal data, and more explicit with data subjects about what is happening to data about them. However, this shift is also likely to generate a certain amount of confusion among researchers who process personal data as part of their studies.
An enormous amount of research using personal data is carried out by universities, which constitute public bodies. As it stands, the Bill defines “public interest” in quite a narrow way—and I shall come to that in more detail when I deal with a group of amendments in my name. But “public interest” is an underspecified notion that could be interpreted in many ways, in the absence of authoritative guidance—and it is that absence that the amendment under the name of the noble Lord, Lord Stevenson of Balmacara, deals with. Placing the requirement to produce codes of practice in the Bill will ensure that it is an undertaking that receives the urgent attention that it demands, and I support it for that reason.