Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateLord Vaux of Harrowden
Main Page: Lord Vaux of Harrowden (Crossbench - Excepted Hereditary)Department Debates - View all Lord Vaux of Harrowden's debates with the Department for Science, Innovation & Technology
(1 year ago)
Lords ChamberMy Lords, it is a great pleasure to follow my noble friend Lord de Clifford and to congratulate him on an excellent and insightful maiden speech. I am pleased that he has chosen this important Bill for this occasion. Data protection is something of a minority sport and it is great to add another person to the select group in this Chamber.
Data protection is about finding the right balance between protecting individuals’ privacy and the bureaucracy and costs that go with it, for small businesses and others. My noble friend’s long experience in managing small and medium-sized businesses gives him great insight into how these regulations will impact the businesses that typically find it most difficult to deal with greater bureaucracy, as he so rightly pointed out. SMEs are often overlooked more generally, so having such an experienced voice to remind us of their importance during our deliberations will be a great asset to the House, and from a personal point of view it is a great pleasure to welcome a fellow finance professional to join us.
The noble Lord’s experience in the veterinary sector should also be of enormous value to the House. I hope that my noble friend Lord Trees will not mind having his monopolistic position in the field broken. It seems that the noble Lord has also been hiding another light under a bushel: I believe that he has also competed for Great Britain in equestrianism, so he is clearly a man of many talents. I tried to find a joke to do with horsing around, but I am afraid that inspiration completely deserted me. I—and, I am sure, all noble Lords—look forward to his future contributions, both on this Bill and more widely.
I turn now to the specifics of the Bill. As I mentioned, data protection is about finding the right balance between individual privacy and the costs, processes and rules that must be in place, alongside the ability to carry out essential criminal investigations and national security. I think it is generally agreed that the GDPR has its flaws, so an effort to look again at that balance is welcome. There is much in the Bill to like. However, there are a number of areas where the Bill may move the balance too far away from individual privacy, as a number of other noble Lords have already mentioned. In fact, there is not much that I have disagreed with in the speeches so far.
It is a long and very complex Bill; the fact that the excellent Library briefing alone runs to 70 pages says a lot. It will not be possible to raise all issues; noble Lords are probably grateful for that. I am going to concentrate on four areas where I can see significant risks, but the Minister should not take that as meaning that I disagree with other things that have been said so far; I agree with almost everything that has been raised.
First, a general concern raised a number of times, in particular by the noble Lord, Lord Allan, is that the Bill moves us significantly away from our existing data protection rules, which were based clearly on the EU regulations. We are currently benefiting from an EU data adequacy ruling which allows data to be transferred freely between the EU and the UK. This was a major concern at the time of the Brexit discussions. At that time, data adequacy was not a given. This ruling comes to an end in July 2025, but it can be ended sooner if the EU considers that our data protection rules have diverged too far.
The impact assessment for the Bill—another inch-thick document—says:
“Cross-border data transfers are a key facilitator of international trade, particularly for digitised services. Transfers underpin business transactions and financial flows. They also help streamline supply chain management and allow business to scale and trade globally”.
It is good that the impact assessment recognises that. The loss of data adequacy would therefore have significant negative impacts on trade and on the costs of doing business. Without it, alternative and more costly methods of transferring data would be required, such as standard contractual clauses. There are also implications for investment, as the noble Lord, Lord Allan, pointed out. Large international financial services organisations would be much less likely to establish data processing activities in the UK if we were to lose data adequacy. Indeed, they may decide that it is worth moving their facilities away from here.
The impact assessment suggests surprisingly low costs that might arise: one-off costs of £190 million to £460 million, and annual lost trade of £210 million to £420 million. However, these are only the direct reduction in trade with the EU; as the impact assessment points out, they will likely be larger when taking into account interactions with onward supply chains.
The impact assessment does not judge the probability of losing the data adequacy status. I find that rather extraordinary, possibly even shocking, as it is so important. The New Economics Foundation and UCL conservatively estimate the cost of losing data adequacy at £1 billion to £1.6 billion; however you look at it, these are very large numbers.
What can the Minister tell us that could set our minds at rest? What discussions have taken place with the EU? What initial indications have been received? What changes have been made to the original draft Bill to take account of concerns raised by the EU around data adequacy? What is the Government’s assessment of this risk? The Bill has been on the blocks for a long time now. I have to assume that a responsible Government must have had discussions with the EU around data adequacy in relation to these proposals.
Secondly, as we have heard, Clause 129 would enable Ofcom to require social media companies to retain information in connection with an investigation by a coroner into the death of a child, where the child was suspected to have died by suicide. This is a welcome addition but, as we have heard, it does not go far enough. It does not include all situations where a death was potentially related to online activity; for example, online grooming. My noble friend Lady Kidron has, as always, covered this with much greater eloquence than I could. I suspect the Minister already knows that the Government have got this wrong. As the noble Lord, Lord Knight, pointed out, it would be a brave Minister who tried to hold the current line in the face of opposition from my noble friend. I welcome the words that the Minister said at the beginning of this debate—that he is willing to engage on this matter. I hope that engagement will be constructive.
Thirdly, the Bill introduces draconian rules that would enable the DWP to access welfare recipients’ personal data by requiring banks and building societies to conduct mass monitoring without any reasonable grounds for suspecting fraudulent activity. As the noble Baroness, Lady Young, pointed out, this includes anyone receiving any kind of benefit, including low-risk benefits such as state pensions, so, as she has pointed out, most noble Lords will be subject to this potential intrusion into their privacy—although, fortunately, not me yet. The Government argue that this power is required to reduce levels of benefit fraud. My enthusiasm to tackle fraud is well known, but the Government already have powers to require information where they have grounds to suspect fraudulent behaviour. This new power, effectively enabling them to trawl any bank account with no grounds at all, is a step too far, and constitutes a worrying level of creep towards a surveillance society.
That brings me neatly on to my fourth concern, which the noble Lord, Lord Kamall, raised earlier. The Bill will abolish the post of Biometric and Surveillance Camera Commissioner—currently it is one person—as well as the surveillance camera code. It was interesting that the Minister did not mention this in his opening speech. It is extremely important.
The Government argue that these functions are covered elsewhere or would be moved elsewhere—for example, to the ICO—but that does not seem to be the case. An independent report by the Centre for Research into Information, Surveillance and Privacy, commissioned by the outgoing commissioner, sets out a whole range of areas in which there will be serious gaps in the oversight of handling biometric data and, in particular, the use of surveillance cameras, including facial recognition.
The independent report concludes that none of the Government’s arguments that the functions are adequately covered elsewhere “bear robust scrutiny”. It notes in particular that the claim that the Information Commissioner’s Office will unproblematically take on many BSCC functions mistakes surveillance as a purely data protection matter and thereby limits
“recognition of potential surveillance-related harms”.
Given the ever-widening use of surveillance in this country, including live and retrospective facial recognition, and the myriad other methods of non-facial recognition being developed, such as gait recognition or, as I was reading about this morning, laser-based cardiac recognition—it can read your heartbeat through your clothing—alongside the ability to process and retain ever greater amounts of data and the emerging technology of AI, having clear rules on and oversight of biometrics and surveillance is more important than ever. We see how the misuse of surveillance can go—just look at China. Imagine, for example, if this technology, unfettered, had been available when homosexuality was illegal. Why do the Government want to remove the existing safeguards? With the advances in technology, surely these are more important than ever. We should be strengthening safeguards, not removing them.
The outgoing commissioner—if the Government get their way, the last surveillance camera commissioner —Professor Sampson, put it best:
“There is no question that AI-driven biometric surveillance can be intrusive, and that the line between what is private and public surveillance is becoming increasingly blurred. The technology is among us already and the speed of change is dizzying with powerful capabilities evolving and combining in novel and challenging ways … The planned loss of the surveillance camera code is a good example of what will be lost if nothing is done. It is the only legal instrument we have in this country that specifically governs public space surveillance. It is widely respected by the police, local authorities and the surveillance industry in general. It’s one of those things that would have to be invented it didn’t already exist, so it seems absolutely senseless to destroy it now, junking the years of hard work it took to get it established”.
These are just four of the areas of concern in the Bill. There are many more, as we have heard. In the other place, following the failure of the recommittal Motion after all the new amendments were dropped in at the last minute, David Davis MP said that the Commons had
“in effect delegated large parts of the work on this important Bill to the House of Lords”.—[Official Report, Commons, 29/11/23; col. 888.]
That is our job, and I believe that we do it well. I hope the Minister will engage constructively with the very genuine concerns that have been raised. We must get this Bill right. If we do not, we risk substantial damage to the economy, businesses, individuals’ privacy rights—especially children—and even, as far as the surveillance elements go, to our status as a free and open democratic society.