Data Protection Bill [ Lords ] (Third sitting) Debate
Full Debate: Read Full DebateLouise Haigh
Main Page: Louise Haigh (Labour - Sheffield Heeley)Department Debates - View all Louise Haigh's debates with the Department for Digital, Culture, Media & Sport
(6 years, 8 months ago)
Public Bill CommitteesIt is a pleasure to serve under your chairmanship once again, Mr Streeter. I think it was about 18 months ago that we were in this very room, debating the Bill that became the Digital Economy Act 2017. We discussed at length the trade-off between the rights of data subjects, privacy, transparency and the need for Government access to data. In that context we were debating the rights of viewers of online pornography, rather than matters of national security. I note that the Government have had to delay the introduction of the regulations, because they failed to get to grips with the issues that we raised in Committee. I do not envy the new Minister, or, indeed, my right hon. Friend the shadow Minister, their task of attempting to get things right. It was one of the low points of my political career when I had to negotiate with the present Secretary of State for Digital, Culture, Media and Sport on what sexual acts would be blocked. I wish them both luck in taking the matter forward, and am glad I am dealing only with national security issues in the Bill that we are considering today.
As we come to crucial clauses that give Ministers and the security services a great deal more latitude, it is important for the Opposition to lay out key principles on national security certificates. Of course we support the legitimate interests of the intelligence services, as dictated by their statutory functions, including the safeguarding of national security. Of course we recognise that protecting citizens from harm often means striking a difficult balance between operational requirements and the rights of individuals who may fall within the scope of the investigations. We know that the security services take that seriously.
It is the Opposition’s duty, however, to scrutinise the Government’s approach, to ensure that any powers that explicitly allow the setting aside of citizens’ data rights under the Bill are proportionate and necessary, and that they will be overseen through appropriate safeguards. Clauses 26 and 27 provide for a national security certification regime allowing restriction of and exemption from a wide range of rights under the GDPR and the Bill on the basis of national security, and for defence purposes.
The Government state that national security falls outside the scope of EU law and, therefore, the GDPR, and that therefore any processing of personal data relating to national security will be governed by the applied GDPR. Article 4(2) of the treaty on the European Union provides that national security remains the sole responsibility of each member state. Despite that, EU data protection legislation provides for derogations for national security. If national security were entirely outside the scope of the EU treaty, such derogations would be unnecessary, so, as the Joint Committee on Human Rights argued, the provisions imply the retention of some level of EU scrutiny over derogations from EU data protection rights on the grounds of national security. It is thus not at all clear that the Government’s assertions about blanket national security exemptions are correct.
Furthermore, there is no clear definition of which entities will be covered by the extremely broad exemptions under subsection 1, which refers to “national security” and “defence purposes”. I am concerned that a measure allowing broad exemptions to the rights of citizens does not stipulate which entities will be entitled to jettison those rights. As was debated at length in the other place, there are no clear definitions of national security, or of the extended exemption for defence purposes, which goes beyond the Data Protection Act 1998, in the Bill or the explanatory notes. As the right hon. and learned Member for Rushcliffe (Mr Clarke) remarked during the passage of the Investigatory Powers Act 2016,
“National security can easily be conflated with the policy of the Government of the day.”—[Official Report, 15 March 2016; Vol. 607, c. 850.]
As the Joint Committee on Human Rights concluded,
“it is unclear why the authorities require such a breadth of exemptions from their obligations under the data protection regime.”
Before we move on to discuss our amendments to clause 26, I should be grateful if the Minister could assure us about the definitions of “national security” and “defence purposes” and in particular which entities they apply to.
Again, surely it is for the Executive—elected officials—to take responsibility for decisions that are made by data controllers in the Ministry of Defence. Obviously, the Department has considered the Information Commissioner’s representations, but this is not a blanket exemption. The high threshold can be met only in very specific circumstances.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27
National security: certificate
I beg to move amendment 161, in clause 27, page 17, line 2, leave out subsection (1) and insert—
“A Minister of the Crown must apply to a Judicial Commissioner for a certificate, if exemptions are sought from specified provisions in relation to any personal data for the purpose of safeguarding national security.”
This amendment would introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a National Security Certificate.
With this it will be convenient to discuss the following:
Amendment 162, in clause 27, page 17, line 5, at end insert—
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what it sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing”
and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(a) Chapter II of the applied GDPR (principles)—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.
With our amendments we seek to provide some oversight of and protections against the very broad definitions in this part of the Bill. I am afraid we are not content with the Minister’s assertions in her response on the previous clause.
As they currently stand, national security certificates give Ministers broad powers to remove individuals’ rights with absolutely no oversight. If this is a matter for the Executive, as the Minister has just said, they must be subject to oversight and accountability when making such decisions, and as it stands there is absolutely none at all. The rights at risk from the exemption are the right to be informed when personal data is collected from individuals, which is in article 13 of the GDPR; the right to find out whether personal data against them is being processed, in article 15; and the right to object to automated decision making, in articles 21 and 22. Furthermore, the Information Commissioner’s inspection, authorisation and advisory powers are set aside, which is why she and her office raised concerns, as my hon. Friend the Member for Cambridge set out.
It is not difficult to envisage examples of why those exemptions may be necessary. The Minister has laid some of them out: for instance, during the course of an ongoing national security investigation, the right of an individual to be informed that their data is being processed would not be appropriate. With these exemptions, there will inevitably be a need for appropriate safeguards to protect the rights of citizens. We are not yet convinced that the Bill contains them. That is what these amendments seek to tackle.