Data Protection Bill [Lords] (Sixth sitting) Debate
Louise Haigh (Labour - Sheffield Heeley)
The Information Commissioner has a breadth of corrective powers at her disposal to investigate breaches of data protection legislation. One such power is the ability to issue an information notice on a data controller requesting that they provide the commissioner with specified information. Article 2 of the general data protection regulation states that certain types of processing of personal data, including purely personal or household activities, are exempt from the provisions of the GDPR. That includes the list of all those hon. Members who deserve a Christmas card this year.
Although such processing is exempt, it is important that in certain situations the Information Commissioner is able to verify that the processing actually meets this test and does not fly under the radar of GDPR requirements unduly. Government amendments 51 and 52 will ensure that the Information Commissioner is able to issue an information notice, in order to determine whether the process is genuinely being undertaken in the course of a purely personal or household activity.
Government amendment 54 is a consequential amendment. It ensures that the reference to processing of personal data in the subsection added by Government amendment 52 means any type of processing, pulling on the definitions provided in subsections (2) and (4) of clause 3, rather than those under parts 2, 3 or 4, none of which apply to processing in the course of purely personal or household activities.
Government amendments 58 and 126 make further consequential changes to clause 159 and paragraph 9 of schedule 16. The amendments ensure that certain safeguards for controllers and processors in the context of enforcement action extend to all persons, since their exact status may in fact be the source of dispute.
All in all, this is a common sense set of changes that enjoy the full support of the Information Commissioner’s Office.
Amendment 51 agreed to.
Amendments made: 52, in clause 143, page 77, line 40, at end insert “, or
(b) require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.”
This amendment and Amendments 51 and 54 enable the Information Commissioner to obtain information in order to work out whether processing is carried out in the course of purely personal or household activities. Such processing is not subject to the GDPR or the applied GDPR (see Article 2(2)(c) of the GDPR and Clause 21(3)).
Amendment 53, in clause 143, page 78, line 23, leave out
“with the day on which”
and insert “when”.
This amendment is consequential on Amendment 71.
Amendment 54, in clause 143, page 78, line 30, at end insert—
“(10) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (1)(b).”—(Margot James.)
This amendment secures that the reference to “processing” in the new paragraph (b) inserted by Amendment 52 includes all types of processing of personal data. It disapplies Clause 3(14)(b), which provides that references to processing in Parts 5 to 7 of the bill are usually to processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.
Question proposed, That the clause, as amended, stand part of the Bill.
In this of all weeks, it is particularly relevant that we debate this clause, which relates to information notices, and the powers and enforcement sanctions available to the Information Commissioner, given the horrendous breaches of our data regulation that have been exposed by Channel 4 and The Guardian.
The Secretary of State for Digital, Culture, Media and Sport told the House yesterday that the Information Commissioner was seeking further powers to compel compliance with information notices, testimony from other individuals in complex investigations, such as that into Cambridge Analytica, and criminal sanctions for breaches of information notices.
Under the current data protection legislation, breach of information notice is a criminal offence that carries a custodial sentence. The maximum sentence under this Bill is only a fine. That is a significant weakening of the data protection regime and its sanctions. Indeed, in her own evidence, the Information Commissioner said:
“The new approach in the Bill of failure to comply with an”
information notice
“no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent, as data controllers with deep pockets might be inclined to pay the fine, rather than disclose the information being requested.”
I would be grateful if the Minister could set out exactly why the Government have decided to weaken the powers given to the Information Commissioner and the sanctions available to her.
Crucially, the Information Commissioner has requested the power to compel compliance with information notices. As things stand, it is an offence not to deliver information, but the Information Commissioner does not have the power to demand compliance with information notices. She has said that that puts us out of step with our closest EU member state neighbour, Ireland, which has a much stronger data protection regime, with much tougher sanctions and, indeed, powers to compel compliance with an information notice.
That gap in the Information Commissioner’s enforcement powers has not caused significant problems up to now, because formal action has largely centred on security breaches or contraventions of the privacy and electronic communications regulations. In such cases, the commissioner rarely needs to use her information notice powers, because the evidence of a contravention is usually clear and in the public domain.
Where the Information Commissioner has used her enforcement powers against a data controller for contraventions of the data protection principles under the Data Protection Act, she has generally found data controllers to be co-operative because, under the current framework, financial penalties are reserved only for the most serious contraventions of the law. However, as investigations become more complex—and as we are seeing this week—the Commissioner will be unable to obtain the information she needs.
The Minister has said that the Government are considering potential amendments to the Bill, as laid out by the Secretary of State yesterday. It is baffling, however, that those amendments have not already been tabled, given that the Information Commissioner suggested them in her written evidence earlier in the process. The provisions represent a serious weakening of the existing regime and a failure of the Government to step up to the plate on the matter of the complex investigations conducted by the Information Commissioner.
I do not accept that this Bill represents a reduction in the powers of the Information Commissioner, and I do not think that that is her view either. Obviously, I accept what she said in response to questioning from the Select Committee on Digital, Culture, Media and Sport. As I have already said, my right hon. Friend the Secretary of State is considering her request, and we are working on the areas where she feels there is a shortfall.
I reassure the Committee that the Bill strengthens ICO’s overall powers. The hon. Member for Sheffield, Heeley has mentioned fines. There are fines of up to 4% of global turnover, or £17 million, both for malpractice itself and for blocking investigations and inquiries mounted by the ICO.
Earlier, we debated the requirement for law enforcement agencies to conduct data protection impact assessments ahead of developing or using any new filing system, and we debated several examples of what those filing systems or methods of data collection could be, including automated facial recognition software, automatic number plate recognition and the use of algorithms to determine decisions made in the criminal justice system.
In relation to the clause, the Information Commissioner has requested that she be given the power to impose corrective measures where necessary, when a data protection impact assessment has revealed that the processing of that personal data is of high risk to individuals and where there are no measures to mitigate that risk in relation to law enforcement processing, as she has for other processing. She maintains that a different approach to law enforcement is not justified and might lead to adverse consequences in an important area affecting individuals. That is important because it gives weight to the important aspects raised earlier that require law enforcement agencies to conduct that DPIA. There is little point asking organisations and data controllers to conduct impact assessments and then, even when they are falling short dramatically, to let them carry on conducting assessments and collecting data in that way.
In evidence, the Information Commissioner has said that part 3 of the Bill
“requires these types of assessment to be undertaken”
and provides
“for requirements to consult the Commissioner where such a high risk is present but measures cannot be put in place to mitigate these. They also provide requirements for the Commissioner to use her corrective powers in relation to GDPR but the way the Bill is drafted these corrective powers will not be available in relation to concerns arising from a DPIA involving law enforcement processing. Nor are there any powers available to ensure that the Information Commissioner can take action if a DPIA for law enforcement processing is not carried out when required.”
Not only are there no enforcement powers if the DPIA is conducted and falls short, but the Information Commissioner is not provided with any powers under this legislation to compel a DPIA to take place. Given, as we discussed earlier, the serious threats not just to data rights, but to prevention with respect to an individual’s rights to liberty and freedom, it is very serious indeed if law enforcement agencies will be able to carry out impact assessments without any adherence to the provisions in the Bill.
The Information Commissioner says:
“Having the ability to issue corrective measures based upon the DPIA or indeed requiring a DPIA to be undertaken when it should have been, is an important measure which is missing in relation to law enforcement processing”.
The commissioner has raised her concerns with the Government and suggested drafting solutions. Will the Minister clarify why those were not introduced in Committee?
The clause gives the commissioner the power to issue an enforcement notice, which requires a person to take steps or refrain from taking steps specified in the notice. For example, the commissioner can use an enforcement notice to compel a data controller to give effect to a data subject if they have otherwise failed to do so. Section 40 of the Data Protection Act 1998 made similar provision. In respect of the hon. Lady’s questions concerning the law enforcement aspects of the clause and the need for impact assessments, and the powers that the ICO might need to ensure that those impact assessments are done and are appropriate, I will have to write to her on the details of those latter points.
Question put and agreed to.
Clause 148 accordingly ordered to stand part of the Bill.
Clause 149
Enforcement notices: supplementary
Amendment made: 56, in clause 149, page 83, line 36, leave out “with the day on which” and insert “when”.—(Margot James.)
This amendment is consequential on Amendment 71.
Clause 149, as amended, ordered to stand part of the Bill.
Clause 150
Enforcement notices: rectification and erasure of personal data etc
Question proposed, That the clause stand part of the Bill.
As part of the Information Commissioner’s suite of corrective powers, she can issue penalty notices to data controllers requiring them to pay a fine. Fines can be issued where a controller has failed to comply with a previous notice or where significant breaches of data protection legislation have taken place. Members will be aware from our debate this afternoon that the maximum such penalty will increase from £0.5 million to £17 million, or 4% of global turnover, for the most serious breaches.
When imposing a penalty for breaches of the GDPR, the commissioner must follow the procedures set out in article 83 of the GDPR, which include acting on a case-by-case basis; ensuring that the fine is effective, proportionate and dissuasive; and taking into account various factors. Because law enforcement and intelligence services processing falls outside the scope of the GDPR, the clause makes parallel provision in respect of breaches of those parts of the Bill, including by listing matters that the commissioner must take into account when deciding whether to issue a fine for that type of processing and when determining the magnitude of that fine.
Government amendments 179 and 180 make it clear that, when considering a person’s failure to comply with notices—an information notice, for example—the commissioner is to have regard to the matters listed in article 83(2) of the GDPR and, in relation to law enforcement processing and intelligence processing, to clause 154(3) and (4) of the Bill. Clause 154 prescribes such requirements only for decisions regarding the issuing of a monetary penalty notice in relation to certain failings. The commissioner has powers to prepare guidance on how she uses her enforcement powers, so she could decide, as a matter of policy, to have regard to those matters in relation to other failings. However, the Government’s view is that there should be a requirement for her to do so in the Bill.
Government amendment 57 makes an addition to clause 154(3)(c) to ensure that the Information Commissioner takes into account any actions the controller has taken to mitigate not only damages, but distress suffered by the data subject. The amendment will bring the clause into line with other similar clauses in the Bill, where the Information Commissioner must take into account damage or distress caused. They include clause 149 regarding enforcement notices, where the Information Commissioner must take into account the magnitude of the damage or distress caused by the controller. I am sure right hon. and hon. Members will agree that providing consistency across the Bill is important; the amendment is a step to ensure that that is provided.
Amendment 179 agreed to.
Amendments made: 57, in clause 154, page 86, line 10, at end insert “or distress”.
This amendment is for consistency with Clause 149(2). It requires the Commissioner, when deciding whether to give a penalty notice to a person in respect of a failure to which the GDPR does not apply and when determining the amount of the penalty, to have regard to any action taken by the controller or processor to mitigate the distress suffered by data subjects as a result of the failure.
Amendment 180, in clause 154, page 86, line 28, at end insert—
“(3A) Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 148(5).”—(Margot James.)
See the explanatory statement for amendment 179.
Question proposed, That the clause, as amended, stand part of the Bill.
I am sorry to labour the point; it is pertinent to the clause but also relates to the debate that we just had on information notices. The Minister has failed to set out why the Government have removed the custodial sentence as an enforcement power of the Information Commissioner when data controllers or processors breach information notices. The Minister said earlier that she does not accept that it is the Information Commissioner’s view that that weakens the existing data protection regime, but the commissioner explicitly set that out in her written evidence to the Committee:
“The new approach in the Bill of failure to comply with an IN no longer being a criminal offence but punishable by a monetary penalty issued by the ICO is likely to be less of a deterrent”.
We very much welcome the increased penalty as a sanction by the Information Commissioner, but the Minister has so far failed to set out why she has removed that custodial sentence, which, as the Information Commissioner has laid out, is a serious deterrent. That could weaken her abilities to investigate complex situations and, as I mentioned earlier, it is in direct contrast to the Irish Government’s approach, which carries a fine but also a custodial sentence of up to five years’ imprisonment if the data controller fails to comply with an information notice.
In written evidence, again, the Information Commissioner suggests that the Government’s approach pales in comparison to that taken by Ireland. Will the Minister take this opportunity to explain why she has so significantly weakened the Information Commissioner’s important powers?
The clause replicates section 55(a) of the 1998 Act, which gives the commissioner a power to serve a monetary penalty, requiring the data controller to pay the commissioner an amount determined by the commissioner. The maximum penalty is specified in clause 156. Before the commissioner can issue a penalty notice, she must be satisfied that a person has failed to comply with certain provisions of the GDPR or the Bill, or has failed to comply with an information notice, assessment notice or enforcement notice.
Clearly, it is up to the commissioner to decide whether a penalty notice is appropriate. She has stated:
“It’s about putting the…citizen first. We can’t lose sight of that…It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us.”
I was coming on to answer the hon. Member for Sheffield, Heeley, but as the hon. Member for Cambridge has raised her question again, I will jump to it. We are not removing all criminal powers under this new legislation. Under paragraph 2 of schedule 15, the commissioner may enforce assessment notices. That power includes the new offence of obstructing a warrant, which is a criminal offence, so criminal offences do remain. As I said, we are looking at the commissioner’s desire for stronger powers in certain areas, but under the current law there is a criminal sanction only for non-compliance with a notice, and that offence is not used. A civil penalty is a better way forward and is provided as the appropriate sanction by the GDPR itself.
The Minister has just confirmed that under the existing arrangements a custodial sentence is the maximum penalty if an individual fails to comply with an information notice. She has not given a coherent reason why she is removing that through the Bill. Is she really arguing that criminal sanctions are less of a deterrent than civil? That is a direct contradiction of the Information Commissioner’s evidence.
I have just been advised that the existing law is non-custodial criminal sanctions. I have referred to the criminal sanctions with respect to assessment notices, and I will get back to the hon. Lady on the question of the sanctions on the information notices that she has asked about. I am told what I am told; the existing law is non-custodial.
Question put and agreed to.
Clause 154, as amended, accordingly ordered to stand part of the Bill.
Schedule 16
PENALTIES
Amendments made: 123, page 203, line 26, leave out “with the day after” and insert “when”.
This amendment is consequential on Amendment 71.
124, page 204, line 10, leave out “with the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
125, page 205, line 5, leave out “with the day after the day on which” and insert “when”.
This amendment is consequential on Amendment 71.
126, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”.—(Margot James.)
This amendment is consequential on Amendment 52.
Schedule 16, as amended, agreed to.
Clause 155 ordered to stand part of the Bill.
Clause 156
Maximum amount of penalty
Question proposed, That the clause stand part of the Bill.
My hon. Friend the Member for Bristol North West has raised important questions about social media providers. Before I entered this place, I worked in the insurance industry. Will the Minister confirm whether insurers would be covered by the clause if they re-identified individuals from datasets to inform the pricing of risk? That is potentially serious when considering the implications of loyalty card, bank or shopping information for health insurance.
I will have to write to the hon. Lady on that. I do not think it would provide cover for insurance companies in those circumstances, but I would like to double-check before I give a definitive answer to her question.
Question put and agreed to.
Clause 171 accordingly ordered to stand part of the Bill.
Clauses 172 to 176 ordered to stand part of the Bill.
Clause 177
Jurisdiction