Lord Thomas of Cwmgiedd (CB)

- View Speech - Hansard -

Copy Link

-

My Lords, I, too, welcome the Bill, but there is one matter we should have at the forefront of our minds as we work through it: that it must be implemented and carried through by SMEs and individuals. Regrettably—and I say this as a lawyer—lawyers have become far too expensive. We must appreciate the need to draft legislation and regulatory regimes that are as easy as possible to operate without the benefit of legal advice. If we cannot achieve that, it must be incumbent on the Government and the regulators to set out clearly what the position is, in a way that people can understand. We do not want our SMEs and individual traders to enter into operating under this new regime without being able to understand the law. I fear that this Bill, by its very length, is a good example of how we can overcomplicate things.

The second issue is the protection and transferability of data. The Minister, the noble Lord, Lord Markham, and the noble Baroness, Lady Kidron, have all spoken about the importance and value of data, its transferability and the need to balance correctly the protections and rights of the individual against the importance of being able to use it in research. I want to say a word about the contrasting positions we face in the transferability of data between us and the European Union, and the slightly more difficult and unpredictable situation that may arise between us and the United States. They are the same problem, but they may need addressing in different ways. On the first, I need to be slightly technical, but as the adequacy of our data regime is such an important issue, I hope that noble Lords will forgive me.

I am going to ask the Minister a question, but it is not for answer today; I think it will require a bit more than that. It takes us back to the battles and debates we have had over the last six years in relation to the manner of our withdrawal from the European Union. When we left the EU, we left in place retained EU law. We got rid of the charter, because it was said that all that mattered and was important was embodied in retained EU law. That was almost certainly right, but the problem that I believe has arisen—it is partly complicated by advice contained in the Government’s human rights memorandum attached to the Bill—arises from the effect of the Retained EU Law (Revocation and Reform) Act. I can hear, almost visibly, the sighs—“Are we back to that again?”—and I am so sorry to be dredging this up.

I have looked at various things—I am particularly grateful for the help I have had from Eleonor Duhs of Bates Wells—and I believe there is a problem we need to address. As data adequacy is so important, I will say a word about the detail. At the moment, I think we proceed on the assumption that the UK GDPR, with its numerous references to the data subject’s rights and freedoms, is adequate. The last Government, when dealing with the matter, passed the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations, which said that all the many references in the UK GDPR to these rights are to be read as referring to

“the Convention rights within the meaning of the Human Rights Act”.

The difficulty that has arisen is in paragraph 47 of the Government’s human rights memorandum:

“Where processing is conducted by a public authority and engages a right under the ECHR, that authority must, in accordance with section 6 of the Human Rights Act 1998, ensure that such processing is not incompatible with a convention right”.


Then comes the important sentence:

“Where processing is conducted by a private body, that processing will not usually engage convention rights”.


The important point is that it is generally understood that, save in specific circumstances, the Human Rights Act applies only to state entities and not to private companies. If and where data is being processed by private entities, as the Bill and the market largely envisage, how are we to be sure that our references in the UK GDPR refer to the human rights convention but not to the charter? Having lost EU retained law, how are data privacy and data protections protected when processed by private companies?

I raise this point because it is important that we clarify it. If there is an issue, and I hope the Government will look at this carefully, we will need to amend the Bill to make sure that there can be no doubt that, where data is processed by private companies, the data rights are properly protected as they would have been if we had retained EU law, or if the charter applied. It is a very narrow point but one of fundamental importance as to the Human Rights Act being directed at state actors, by and large, and not private entities. I am sorry to take up a little time on this very general subject, but data protection is so important, and retaining our data adequacy status is, as I have learned over many years, essential to our industry.

We know that, provided we can get our law in order, there is no problem as regards the EU, I hope. We face a much more difficult problem with regard to data dealings with the United States. First, the law is much more complicated and developing at an enormous pace. It is partly federal and partly state. Of course, we have no idea—and I am not going to speculate, because speculation is pointless—what may happen under the new Administration in the United States. One thing we have learned from the EU, particularly the EU AI Act, is that legislating in terms that are hard can produce results that very quickly get out of date. It seems to me that we have to look constructively at finding a way to adapt our legislative framework to what happens in the United States as regards transferability and, more importantly, the protection of our data in respect of the very large American companies. How are we to do this? Do we give Ministers very broad statutory powers? There may, I regret to say, be a case for doing that. It is something that I do not favour. If Ministers are to have such broad statutory powers, how is that power to be made properly accountable to this House?

As the noble Baroness, Lady Kidron, demonstrated, there is no use delaying these decisions until we know what the US regime may be. Maybe the US regime, unlike the EU, will change very rapidly. Bureaucracy has some advantages when you are dealing with it from the outside, but someone who believes in constant change and turmoil is much more difficult to deal with from our legislative point of view. It is a very important aspect of this legislation that we look at how, in the transnational market in data, which is of immense value and importance to us, we protect the British public.

There are loads of other points that one could raise, but I will raise only one, to follow what has just been said. It is of fundamental importance that we examine automated decision-making with the greatest care. Some very good principles have been developed both in the United States, under the current regime, and in Europe. When a decision is made by a machine—that is a rather facile way of describing it; it is made as a result of an algorithmic process—how do we ensure that, first, there is some right to a human intervention and, secondly, and equally importantly, that the person affected understands why the decision has been made? The point that has just been made is very important, because when you get a decision from an individual, you normally have it accompanied by an understanding of the human, plus reasons. This is a very important part of the Bill; it is so important to give confidence about the way forward.

There are many other detailed points, but those are the three principal points I wanted to make. Let us keep it simple, look at the transnational aspects and look at automated decision-making.

Lord Thomas of Cwmgiedd (CB)

- Hansard -

Copy Link

-

My Lords, although it is a late hour, I want to make two or three points. I hope that I will be able to finish what I wish to say relatively quickly. It is important that in looking at the whole of this Bill we keep in mind two things. One is equivalence, and the other is the importance of the rights in the Bill and its protections being anchored in something ordinary people can understand. Unfortunately, I could not be here on the first day but having sat through most of today, I deeply worry about the unintelligibility of this whole legislative package. We are stuck with it for now, but I sincerely hope that this is the last Civil Service-produced Bill of this kind. We need radical new thinking, and I shall try to explore that when we look at automated decision-making—again, a bit that is far too complicated.

Amendment 87 specifically relates to equivalence, and I want to touch on Amendment 125. There is in what I intend to suggest a fix to the problem, if it really exists, that will also have the benefit of underpinning this legislation by rights that people understand and that are applicable not merely to the state but to private companies. The problem that seems to have arisen—there are byproducts of Brexit that from time to time surface—is the whole history of the way in which we left the European Community. We left initially under the withdrawal Act, leaving retained EU law. No doubt many of us remember the debates that took place. The then Government were wholly opposed to keeping the charter. In respect of the protection of people’s data being processed, that is probably acceptable on the basis that the rights of the charter had merged into ordinary retained EU law through the decisions of the Court of Justice of the European Union. All was relatively well until the retained Retained EU Law (Revocation and Reform) Act, which deleted most general EU retained law principles, including fundamental rights, from the UK statute book. What then happened, as I understand it, was that a fix to this problem was attempted by the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023, which tidied up the UK GDPR by making clear that any references to fundamental rights and freedoms were regarded as reference to convention rights within the meaning of the Human Rights Act.

For good and understandable reasons, the Human Rights Act applies to public authorities and in very limited circumstances to private bodies but not as a whole. That is accepted generally and certainly is accepted in the human rights memorandum in respect of this Bill. The difficulty with the Bill, therefore, is that the protections under the Human Rights Act apply only to public authorities but not to private authorities. Whereas, generally speaking, the way in which the Charter of Fundamental Rights operated was to protect, also on a horizontal basis, the processing or use of data by private companies.

This seems to cause two problems. First, it is critical that there is no doubt about this, and I look forward to hearing what the Minister has to say as to the view of the Government’s legal advisers as to whether there is a doubt. Secondly, the amendment goes to the second of the two objectives which we are trying to achieve, which is to instil an understanding of the principles so that the ordinary member of the public can have trust. I defy anyone, even the experts who drafted this, to think that this is intelligible to any ordinary human being. It is simply not. I am sorry to be so rude about it, but this is the epitome of legislation that is, because of its sheer complexity, impossible to understand.

Of course, it could be made a lot better by a short series of principles introduced in the Bill, the kind of thing we have been talking about at times today, with a short, introductory summary of what the rights are under the Bill. I hope consideration can be given to that, but that is not the purpose of my amendment. One purpose that I suggest as a fix to this—to both the point of dealing with rights in a way that people can understand and the point on equivalence—is a very simple application, for the purposes of data processing, of the rights and remedies under the Human Rights Act, extending it to private bodies. One could therefore properly point, in going through the way that the Bill operates, to fundamental rights that people understand which are applicable, not merely if a public authority is processing the data but to the processing of data by private bodies. That is what I wanted to say about Amendment 87.

I wanted to add a word of support, because it is closely allied to this on the equivalence point, to the amendment in the name of the noble Lord, Lord Clement-Jones, for whose support I am grateful in respect of Amendment 87. That relates to the need to have a thorough review of equivalence. Obviously, negotiations will take place, but it really is important that thorough attention is given to the adequacy of our legislation to ensure that there is no incompatibility with the EU regime so we do not get adequacy. Those are the two amendments to which I wished to speak in this group. There are two reasons why I feel it would be wrong for me to go on and deal with the others. Some are very narrow and some very broad, and it is probably easiest to listen to those who are speaking to those amendments in due course. On that basis, therefore, I beg to move.

Lord Thomas of Cwmgiedd (CB)

- Hansard -

Copy Link

-

My Lords, I thank the Minister for her response. I wish to make three points. First, the critical question is: are our laws adequate to pass the adequacy test? Normally, when you go in for a legal test, you check that your own house is in order. I am therefore slightly disappointed by the response to Amendment 125. Normally one has the full-scale medical first, rather than waiting until you are found to be ill afterwards.

Secondly, I listened to what the Minister said about my Amendment 87 and the difference between what rights are protected by the charter and the much greater limitation of the ECHR, normally simply to do with the extent to which they apply horizontally to private individuals. I will look at her answer, but at first sight it does not seem right to me that, where you have fundamental rights, you move to a second stage of rights—namely, the rights under the Data Protection Act.

Thirdly, I want to comment on the whole concept of data communities and data trusts. This is an important area, and it takes me back to what I said last time: this legislation really needs trying to reduce to principles. I am going to throw out a challenge to the very learned people behind the Minister, particularly the lawyers: can they come up with something intelligible to the people who are going to do this?

This legislation is ghastly; I am sorry to say that, but it is. It imposes huge costs on SMEs—not to say on others, but they can probably afford it—and if you are going to get trust from people, you have to explain things in simple principles. My challenge to those behind the Minister is: can they draft a Clause 1 of the Bill to say, “The principles that underpin the Bill are as follows, and the courts are to interpret it in accordance with those principles”? That is my challenge—a challenge, as the noble Baroness, Lady Kidron, points out, to be ambitious and not to sit in a tepid bath. I beg leave to withdraw the amendment.

Lord Thomas of Cwmgiedd (CB)

- Hansard -

Copy Link

-

My Lords, I rise briefly, first, to thank everyone who has spoken so eloquently about the importance of automated decision-making, in particular its importance to public trust and the importance of human intervention. The retrograde step of watering down Article 22 is to be deplored. I am therefore grateful to the noble Lord, Lord Clement-Jones, for putting forward that this part of the Bill should not stand part. Secondly, the specific amendment that I have laid seeks to retain the broader application of human intervention for automated decision-making where it is important. I can see no justification for that watering down, particularly when there is such uncertainty about the scope that AI may bring to what can be done by automated decision-making.

Lord Thomas of Cwmgiedd (CB)

- View Speech - Hansard -

Copy Link

-

I have added my name to this amendment, about which the noble Lord, Lord Clement-Jones, has spoken so eloquently, because of the importance to our economic growth of maintaining data adequacy with the EU. I have two points to add to what he said.

First, as I said and observed on some occasions in Committee, this is legislation of unbelievable complexity. It is a bad read, except if you want a cure for insomnia. Secondly, it has the technique of amending and reamending earlier legislation. Thirdly, this is not the time to go into detail of the legal problems that arise, some of which we canvassed in Committee, as to whether this legislation has no holes in it. I do not think I would be doing any favours either to the position of the United Kingdom or to those who have been patient enough to stay and listen to this part of the debate by going into any of those in any detail, particularly those involving the European Convention on Human Rights and the fundamental charter. That is my first point, on the inherent nature of the legislative structure that we have created. As I said earlier, I very much hope we will never have such legislation again.

Secondly, in my experience, there is a tendency among lawyers steeped in an area or department often to feel, “Well, we know it’s all right; we built it. The legislation’s fine”. Therefore, there is an additional and important safeguard that I think we should adopt, which is for a fresh pair of eyes, someone outside the department or outside those who have created the legislation, to look at it again to see whether there are any holes in it. We cannot afford to go into this most important assessment of data adequacy without ensuring that our tackle is in order. I appreciate what the Minister said on the last occasion in Committee—it is for the EU to pick holes in it—but the only prudent course when dealing with anything of this complexity in a legal dispute or potential dispute is to ensure that your own tackle is in order and not to go into a debate about something without being sure of that, allowing the other side to make all the running. We should be on top of this and that is why I very much support this amendment.