Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateLord Vaux of Harrowden
Main Page: Lord Vaux of Harrowden (Crossbench - Excepted Hereditary)Department Debates - View all Lord Vaux of Harrowden's debates with the Department for Science, Innovation & Technology
(8 months ago)
Grand CommitteeMy Lords, I speak in favour of Amendment 195ZA in my name and that of the noble Lords, Lord Vaux of Harrowden and Lord Clement-Jones, and Amendments 289 and 300 on digital identity theft. I am also very sympathetic to many of the points made by the noble Baroness, Lady Jones of Whitchurch, particularly about the most disadvantaged people in our society.
As many noble Lords know, I am a member of the Communications and Digital Committee of this House. A few months ago, we did a report on digital exclusion. We had to be quite clear about one of the issues that we found: even though some people may partly use digital—for example, they may have an email address—it does not make them digitally proficient or literate. We have to be very clear that, as more and more of our public and private services go online, it is obvious that companies and others will want to know which people are claiming to use these services. At the same time, a number of people will not be digitally literate or will not have this digital ID available. It is important that we offer them enough alternatives. It should be clear, and not beyond the wit of man or clever lawyers, that there are non-digital alternatives available for consumers and particularly, as was said by the noble Baroness, Lady Jones of Whitchurch, people from disadvantaged communities.
As we found in the report on our inquiry into digital exclusion, this does not concern only people from deprived areas. Sometimes people get by in life without much digital literacy. There are those who may be scared of it or who do not trust it, and they can come from all sorts of wealth brackets. This drives home the point that it is important to have an alternative. I cannot really say much more than the amendment itself; it does what it says on the tin. The amendment is quite clear and I am sure that the noble Lord, Lord Vaux, will speak to it as well.
I will briefly speak in favour of Amendments 289 and 300. Digital identity theft is clearly an issue and has been for a long time. Even before the digital days, identity theft was an issue and it is so much easier to hack someone’s ID these days. I have had bank accounts opened in my name. I received a letter claiming this but, fortunately, the bank was able to deal with it when I walked in and said, “This wasn’t me”. It is quite clear that this will happen more and more. Sometimes, it will simply be stealing data that has been leaked or because a system is not particularly secure; at other times, it will be because you have been careless. No matter why the crime is committed, it must be an offence in the terms suggested by the amendments of the noble Lord, Lord Clement-Jones. It is clear that we have to send a strong signal that digital identity theft is a crime and that people should be deterred from engaging in it.
My Lords, I have added my name to Amendment 195ZA—I will get to understand where these numbers come from, at some point—in the name of the noble Lord, Lord Kamall, who introduced it so eloquently. I will try to be brief in my support.
For many people, probably most, the use of online digital verification will be a real benefit. The Bill puts in place a framework to strengthen digital verification so, on the whole, I am supportive of what the Government are trying to do, although I think that the Minister should seriously consider the various amendments that the noble Baroness, Lady Jones of Whitchurch, has proposed to strengthen parliamentary scrutiny in this area.
However, not everyone will wish to use digital verification in all cases, perhaps because they are not sufficiently confident with technology or perhaps they simply do not trust it. We have already heard the debates around the advances of AI and computer-based decision-making. Digital identity verification could be seen to be another extension of this. There is a concern that Part 2 of the Bill appears to push people ever further towards decisions being taken by a computer.
I suspect that many of us will have done battle with some of the existing identity verification systems. In my own case, I can think of one bank where I gave up in deep frustration as it insisted on telling me that I was not the same person as my driving licence showed. I have also come up against systems used by estate agents when trying to provide a guarantee for my student son that was so intrusive that I, again, refused to use it.
Therefore, improving verification services is to be encouraged but there must be some element of choice, and if someone does not have the know-how, confidence, or trust in the systems, they should be able to do so through some non-digital alternative. They should not be barred from using relevant important services such as, in my examples, banking and renting a property because they cannot or would prefer not to use a digital verification service.
At the very least, even if the Minister is not minded to accept that amendment, I hope that he can make clear that the Government have no intention to make digital ID verification mandatory, as some have suggested that this Part 2 may be driving towards.
My Lords, this is quite a disparate group of amendments. I support Amendment 195ZA, which I have signed. I thought that the noble Baroness, Lady Jones, and the noble Lords, Lord Kamall and Lord Vaux, have made clear the importance of having a provision such as this on the statute book. It is important that an individual can choose whether to use digital or non-digital means of verifying their identity. It is important for the liberty and equality of individuals as well as to cultivate trust in what are essentially growing digital identity systems. The use of the word “empower” in these circumstances is important. We need to empower people rather than push them into digital systems that they may not be able to access. Therefore, a move towards digitalisation is not a justification for compelling individuals to use systems that could compromise their privacy or rights more broadly. I very much support that amendment on that basis.
I also very much support the amendments of the noble Baroness, Lady Jones, which I have signed. The Delegated Powers and Regulatory Reform Committee could not have made its recommendations clearer. The Government are serial offenders in terms of skeleton Bills. We have known that from remarks made by the noble Lord, Lord Hodgson, on the Government Benches over a long period. I am going to be extremely interested in what the Government have to say. Quite often, to give them some credit, they listen to what the DPRRC has to say and I hope that on this occasion the Minister is going to give us some good news.
This is an extremely important new system being set up by the Government. We have been waiting for the enabling legislation for quite some time. It is pretty disappointing, after all the consultations that have taken place, just how skeletal it is. No underlying principles have been set out. There is a perfectly good set of principles set out by the independent Privacy and Consumer Advisory Group that advises the Government on how to provide a simple, trusted and secure means of accessing public services. But what assurance do we have that we are going to see those principles embedded in this new system?
Throughout, it is vital that the Secretary of State is obliged to uphold the kinds of concerns being raised in the development of this DVS trust framework to ensure that those services protect the people who use them. We need that kind of parliamentary debate and it has been made quite clear that we need nothing less than that. I therefore very much support what the noble Baroness, Lady Jones, had to say on that subject.
My Lords, in essence, the Minister is admitting that there is a gap when somebody who does not have access to digital services needs an identity to deal with the private sector. Is that right?
In the example I gave, I was not willing to use a digital system to provide a guarantee for my son’s accommodation in the private sector. I understand that that would not be protected and that, therefore, someone might not be able to rent a flat, for example, because they cannot provide physical ID.
The Bill does not change the requirements in this sense. If any organisation chooses to provide its services on a digital basis only, that is up to that organisation, and it is up to consumers whether they choose to use it. It makes no changes to the requirements in that space.
I will now speak to the amendment that seeks to remove Clause 80. Clause 80 enables the Secretary of State to ask accredited conformity assessment bodies and registered DVS providers to provide information which is reasonably required to carry out her functions under Part 2 of the Bill. The Bill sets out a clear process that the Secretary of State must follow when requesting this information, as well as explicit safeguards for her use of the power. These safeguards will ensure that DVS providers and conformity assessment bodies have to provide only information necessary for the functioning of this part of the Bill.
This is a slightly disparate group of amendments. I have added my name in support of Amendment 296, tabled by the noble Baroness, Lady Jones of Whitchurch, which once again probes the question of whether this Bill risks causing the loss of the data adequacy ruling from the EU. This was an issue raised by many, if not most, noble Lords during Second Reading, and it is an area in which the Government’s position feels a little complacent.
The data adequacy ruling from the EU is extremely important, as the impact assessment that accompanies the Bill makes clear. It says:
“Cross-border data transfers are a key facilitator of international trade, particularly for digitised services. Transfers underpin business transactions and financial flows. They also help streamline supply chain management and allow business to scale and trade globally”.
The impact assessment then goes on to estimate the costs of losing data adequacy, and indicates a net present value cost range of between £1.6 billion and £3.4 billion over the next 10 years. As an aside, I note that that is a pretty wide range, which perhaps indicates the extent to which the costs are really understood.
The impact assessment notes that these numbers are the impact on direct trade only and that the impact may be larger still when considering supply chain impacts, but it does not make any attempt to calculate that effect. There are big potential costs, however we look at it. It therefore seems extraordinary that the impact assessment, despite running to 240 pages, makes no attempt at all to quantify the probability that the EU might decide—and it is a unilateral EU decision—to withdraw the data adequacy ruling, which it can do at any time, even before the current ruling comes to an end in July 2025. I find it extraordinary that no attempt has been made to estimate the probability of that happening. You would think that, if the Government were as confident as they say they are, they should have some evidence as to the probability of it happening.
Noble Lords should be aware that this means that the potential cost of the loss of data adequacy is not included in the NPV analysis for the Bill. If that loss did occur, the net present value of the Bill would be largely wiped out, and if the lower end of the IA range is taken, the Bill’s overall financial impact becomes a net present cost to the tune of £2.1 billion. The retention of the EU data adequacy ruling is therefore key to retaining any real benefit from this Bill at all.
On Monday, the Minister said:
“We believe they are compatible with maintaining our data adequacy decisions from the EU. We have maintained a positive, ongoing dialogue with the EU to make sure that our reforms are understood. We will continue to engage with the European Commission at official and ministerial levels with a view to ensuring that our respective arrangements for the free flow of personal data can remain in place, which is in the best interests of both the UK and the EU”.—[Official Report, 15/4/24; col. GC 261.]
By “they”, he means the measures in the Bill. So far, so good. But your Lordships will remember that, at the time of Brexit, there was actually considerable doubt as to whether we would be granted a data adequacy ruling at that time, when our rules were almost entirely convergent. This Bill increases divergence, so the approach at the moment seems complacent at best.
I do not think it is any surprise at all that our European Affairs Committee recently launched an inquiry into this very subject. While the Minister has said how confident he is, noises being made in the EU are less encouraging. For example, the chair of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee wrote in February to the European Commissioner for Justice outlining his concerns about this Bill and questioning whether it will meet the requirements of “essential equivalence”, which is the test that we have to meet. He highlighted, in particular, the lack of independence of the Information Commissioner’s Office, and the elimination of the Biometrics and Surveillance Camera Commissioner, something we will come on to a little later.
It does not seem to be a given that data adequacy will be retained, despite the frankly rather woolly assurances from the Minister about his confidence. Given the enormous importance of the data adequacy ruling, and the fact that the impact assessment makes no attempt at all to assess the probability of retaining or losing it—something one would think to be really fundamental when deciding the extent of divergence we wish to follow—it must make sense to introduce the assessment proposed in Amendment 296. In the absence of something much stronger than the assurances the Minister has given so far, I urge the noble Baroness, Lady Jones, to return to this matter on Report: it is really fundamental.
My Lords, this group has three amendments within it and, as the noble Lord, Lord Vaux, said, it is a disparate group. The first two seem wholly benign and entirely laudable, in that they seek to ensure that concerns about the environmental impacts related to data connected to business are shared and provided. The noble Baroness, Lady Bennett, said hers was a small and modest amendment: I agree entirely with that, but it is valuable nevertheless.
If I had to choose which amendment I prefer, it would be the second, in the name of my noble friend Lady Young, simply because it is more comprehensive and seems to be of practical value in pursuing policy objectives related to climate change mitigation. I cannot see why the disclosure of an impact analysis of current and future announcements, including legislation, changes in targets and large contracts, on UK climate change mitigation targets would be a problem. I thought my noble friend was very persuasive and her arguments about impact assessment were sound. The example of offshore petroleum legislation effectively not having an environmental impact assessment when its impacts are pretty clear was a very good one indeed. I am one of those who believes that environmental good practice should be written all the way through, a bit like a stick of Brighton rock, and I think that about legislation. It is important that we take on board that climate change is the most pressing issue that we face for the future.
The third amendment, in the name of my noble friend Lady Jones, is of a rather different nature, but is no less important, as it relates to the UK’s data adequacy and the EU’s decisions on it. We are grateful to the noble Lords, Lord Vaux of Harrowden and Lord Clement-Jones, for their support. Put simply, it would oblige the Secretary of State to complete an assessment, within six months of the Bill’s passing,
“of the likely impact of the Act on the EU’s data adequacy decisions relating to the UK”.
It would oblige the Secretary of State to lay a report on the assessment’s findings, and the report must cover data risk assessments and the impact on SMEs. It must also include an estimate of the legislation’s financial impact. The noble Lord, Lord Vaux, usefully underlined the importance of this, with its critical 2025 date. The amendment also probes
“whether the Government anticipate the provisions of the Bill conflicting with the requirements that need to be made by the UK to maintain a data adequacy decision by the EU”.
There is widespread and considerable concern about data adequacy and whether the UK legislative framework diverges too far from the standards that apply under the EU GDPR. The risk that the UK runs in attempting to reduce compliance costs for the free flow of personal data is that safeguards are removed to the point where businesses and trade become excessively concerned. In summary, many sectors including manufacturing, retail, health, information technology and particularly financial services are concerned that the free flow of data between us and the EU, with minimal disruption, will simply not be able to continue.
As the noble Lord, Lord Vaux, underlined, it is important that we in the UK have a relationship of trust with the European Commission on this, although ultimately data adequacy could be tested in the Court of Justice of the European Union. Data subjects in the EU can rely on the general principle of the protection of personal data to invalidate EU secondary and domestic law conflicting with that principle. Data subjects can also rely on the Charter of Fundamental Rights to bring challenges. Both these routes were closed off when the UK left the EU and the provisions were not saved in UK law, so it can be argued that data protection rights are already at a lower standard than across the European Union.
It is worth acknowledging that adequacy does not necessarily require equivalence. We can have different, and potentially lower, standards than the EU but, as long as those protections are deemed to meet whatever criteria the Commission chooses to apply, it is all to the good.
However, while divergence is possible, the concern that we and others have is that the Bill continues chipping away at standards in too many different ways. This chipping away is also taking place in statutory instruments, changes to guidance and so on. If His Majesty’s Government are satisfied that the overall picture remains that UK regulation is adequate, that is welcome, but it would be useful to know what mechanism DSIT and the Government generally intend using to measure where the tipping point might be achieved and how close these reforms take us to it.
The Committee will need considerable reassurance on the question of data adequacy, not least because of its impact on businesses and financial services in the longer term. At various times, the Minister has made the argument that a Brexit benefit is contained within this legislation. If he is ultimately confident of that case, what would be the impact on UK businesses if that assessment is wrong in relation to data adequacy decisions taken within the EU?
We are going to need more than warm words and a recitation that “We think it’s right and that we’re in the right place on data adequacy”. We are going to need some convincing. Whatever the Minister says today, we will have to return to this issue on Report. It is that important for businesses in this country and for the protection of data subjects.
Before the Minister stands up, let me just say that I absolutely agree with what the noble Lord, Lord Bassam, said. Have the Government taken any independent advice? It is easy to get wrapped up in your own bubble. The Government seem incredibly blithe about this Bill. You only have to have gone through our days in this Committee to see the fundamental changes that are being made to data protection law, yet the Government, in this bubble, seem to think that everything is fine despite the warnings coming from Brussels. Are they taking expert advice from outside? Do they have any groups of academics, for instance, who know about this kind of thing? It is pretty worrying. The great benefit of this kind of amendment, put forward by the noble Baroness, Lady Jones, is that nothing would happen until we were sure that we were going to be data adequate. That seems a fantastic safeguard to me. If the Government are just flying blind on this, we are all in trouble, are we not?
My Lords, can I point out, on the interests of the EU, that it does not go just one way? There is a question around investment as well. For example, any large bank that is currently running a data-processing facility in this country that covers the whole of Europe may decide, if we lose data adequacy, to move it to Europe. Anyone considering setting up such a thing would probably go for Europe rather than here. There is therefore an investment draw for the EU here.
I do not know what I could possibly have said to create the impression that the Government are flying blind on this matter. We continue to engage extensively with the EU at junior official, senior official and ministerial level in order to ensure that our proposed reforms are fully understood and that there are no surprises. We engage with multiple expert stakeholders from both the EU side and the UK side. Indeed, as I mentioned earlier, a number of experts have submitted evidence to the House’s inquiry on EU-UK data adequacy and have made clear their views that the DPDI reforms set out in this Bill are compatible with EU adequacy. We continue to engage with the EU throughout. I do not want to be glib or blithe about the risks; we recognise the risks but it is vital—
My Lords, I thank the Minister for his answer. This has been a fairly short but fruitful debate. We can perhaps commend the Minister for his resilience, although it feels like he was pounded back on the ropes a few times along the way.
I will briefly run through the amendments. I listened carefully to the Minister, although I will have to read it back in Hansard. I think he was trying to say that my Amendment 195A, which adds energy and carbon intensity to this list, is already covered. However, I really cannot see how that can be claimed to be the case. The one that appears to be closest is sub-paragraph (iv), which refers to “performance or quality”, but surely that does not include energy and carbon intensity. I will consider whether to come back to this issue.
The noble Baroness, Lady Young of Old Scone, presented a wonderfully clear explanation of why Amendment 218 is needed. I particularly welcome the comments from the noble Lord, Lord Bassam, expressing strong Labour support for this. Even if the Government do not see the light and include it in the Bill, I hope that the noble Lord’s support can be taken as a commitment that a future Labour Government intend to follow that practice in all their approaches.
My Lords, it is a pleasure to take part in today’s Committee proceedings. I declare my technology interests as an adviser to Boston Limited. It is self-evident that we have been talking about data but there could barely be a more significant piece of data than biometrics. In moving the amendment, I shall speak also to Amendments 197B and 197C, and give more than a nod to the other amendments in this group.
When we talk about data, it is always critical that we remember that it is largely our data. There could be no greater example of that than biometrics. More than data, they are parts and fragments of our very being. This is an opportune moment in the debate on the Bill to strengthen the approach to the treatment and the use of biometrics, not least because they are being increasingly used by private entities. That is what Amendments 197A to 197C are all about—the establishment of a biometrics office, a code of practice and oversight, and sanctions and fines to boot. This is of that level of significance. The Bill should have that strength when we are looking at such a significant part of our very human being and data protection.
Amendment 197B looks at reporting and regulatory requirements, and Amendment 197C at the case for entities that have already acted in the biometrics space prior to the passage of the Bill. In short, it is very simple. The amendments take principles that run through many elements of data protection and ensure that we have a clear statement on the use and deployment of biometrics in the Bill. There could be no more significant pieces of data. I look forward to the Minister’s response. I thank the Ada Lovelace Institute for its help in drafting the amendments, and I look forward to the debate on this group. I beg to move.
My Lords, I have added my name in support of the stand part notices of the noble Lord, Lord Clement-Jones, to Clauses 147, 148 and 149. These clauses would abolish the office of the Biometrics and Surveillance Camera Commissioner, along with the surveillance camera code of practice. I am going to speak mainly to the surveillance camera aspect, although I was taken by the speech of the noble Lord, Lord Holmes, who made some strong points.
The UK has become one of the most surveilled countries in the democratic world. There are estimated to be over 7 million CCTV cameras in operation. I give one example: the automated number plate recognition, ANPR, system records between 70 million and 80 million readings every day. Every car is recorded on average about three times a day. The data is held for two years. The previous Surveillance Camera Commissioner, Tony Porter, said about ANPR that it,
“must surely be one of the largest data gatherers of its citizens in the world. Mining of meta-data—overlaying against other databases can be far more intrusive than communication intercept”.
Professor Sampson, the previous commissioner, said about ANPR:
“There is no ANPR legislation or act, if you like. And similarly, there is no governance body to whom you can go to ask proper questions about the extent and its proliferation, about whether it should ever be expanded to include capture of other information such as telephone data being emitted by a vehicle or how it's going to deal with the arrival of automated autonomous vehicles”.
And when it came to independent oversight and accountability, he said:
“I’m the closest thing it’s got—and that’s nothing like enough”.
I am not against the use of surveillance cameras per se—it is unarguable that they are a valuable tool in the prevention and detection of crime—but there is clearly a balance to be found. If we chose to watch everything every person does all of the time, we could eliminate crime completely, but nobody is going to argue that to be desirable. We can clearly see how surveillance and biometrics can be misused by states that wish to control their populations—just look at China. So there is a balance to find between the protection of the public and intrusion into privacy.
Technology is moving incredibly rapidly, particularly with the ever-increasing capabilities of Al. As technology changes, so that balance between protection and privacy may also need to change. Yet Clause 148 will abolish the only real safeguards we have, and the only governance body that keeps an eye on that balance. This debate is not about where that balance ought to be; it is about making sure that there is some process to ensure that the balance is kept under independent review at a time when surveillance technologies and usage are developing incredibly rapidly.
I am sure that the Minister is going to argue that, as he said at Second Reading:
“Abolishing the Surveillance Camera Commissioner will not reduce data protection”.—[Official Report, 19/12/23; col. 2216.]
He is no doubt going to tell us that the roles of the commissioner will be adequately covered by the ICO. To be honest that completely misses the point. Surveillance is not just a question of data protection; it is a much wider question of privacy. Yes, the ICO may be able to manage the pure data protection matters, but it cannot possibly be the right body to keep the whole question of surveillance and privacy intrusion, and the related technologies, under independent review.
It is also not true that all the roles of the commissioner are being transferred to other bodies. The report by the Centre for Research into Surveillance and Privacy, or CRISP, commissioned by the outgoing commissioner, is very clear that a number of important areas will be lost, particularly reviewing the police handling of DNA samples, DNA profiles and fingerprints; maintaining an up-to-date surveillance camera code of practice with standards and guidance for practitioners and encouraging compliance with that code; setting out technical and governance matters for most public body surveillance systems, including how to approach evolving technology, such as Al-driven systems including facial recognition technology; and providing guidance on technical and procurement matters to ensure that future surveillance systems are of the right standard and purchased from reliable suppliers. It is worth noting that it was the Surveillance Camera Commissioner who raised the issues around the use of Hikvision cameras, for example—not something that the ICO is likely to be able to do. Finally, we will also lose the commissioner providing reports to the Home Secretary and Parliament about public surveillance and biometrics matters.
Professor Sampson said, before he ended his time in office as commissioner:
“The lack of attention being paid to these important matters at such a crucial time is shocking, and the destruction of the surveillance camera code that we’ve all been using successfully for over a decade is tantamount to vandalism”.
He went on to say:
“It is the only legal instrument we have in this country that specifically governs public space surveillance. It is widely respected by the police, local authorities and the surveillance industry in general … It seems absolutely senseless to destroy it now”.
The security industry does not want to see these changes either, as it sees the benefits of having a clear code. The Security Systems and Alarms Inspection Board, said:
“Without the Surveillance Camera Commissioner you will go back to the old days when it was like the ‘wild west’, which means you can do anything with surveillance cameras so long as you don’t annoy the Information Commissioner … so, there will not be anyone looking at new emerging technologies, looking at their technical requirements or impacts, no one thinking about ethical implications for emerging technologies like face-recognition, it will be a free-for-all”.
The British Security Industry Association said:
“We are both disappointed and concerned about the proposed abolition of the B&SCC. Given the prolific emergence of biometric technologies associated with video surveillance, now is a crucial time for government, industry, and the independent commissioner(s) to work close together to ensure video surveillance is used appropriately, proportionately, and most important, ethically”.
I do not think I can put it better than that.
While there may be better ways to achieve the appropriate safeguards than the current commissioner arrangement, this Bill simply abolishes everything that we have now and replaces the safeguards only partially, and only from a data protection perspective. I am open to discussion about how we might fill the gaps, but the abolition currently proposed by the Bill is a massively retrograde and even dangerous step, removing the only safeguards we have against the uncontrolled creep towards ever more intrusive surveillance of innocent people. As technology increases the scope for surveillance, this must be the time for greater safeguards and more independent oversight, not less. The abolition of the commissioner and code should not happen unless there are clear, better, safeguards established to replace it, and this Bill simply does not do that.
My Lords, to go back to some of the surveillance points, one of the issues is the speed at which technology is changing, with artificial intelligence and all the other things we are seeing. One of the roles of the commissioner has been to keep an eye on how technology is changing and to make recommendations as to what we do about the impacts of that. I cannot hear, in anything the noble Viscount is saying, how that role is replicated in what is being proposed. Can he enlighten me?
Yes, indeed. In many ways, this is advantageous. The Information Commissioner obviously has a focus on data privacy, whereas the various other organisations, particularly BSCC, EHRC and the FINDS Board, have subject-specific areas of expertise on which they will be better placed to horizon-scan and identify new emerging risks from technologies most relevant to their area.
Is the noble Viscount saying that splitting it all up into multiple different places is more effective than having a single dedicated office to consider these things? I must say, I find that very hard to understand.
I do not think we are moving from a simple position. We are moving from a very complex position to a less complex position.