Data Protection Bill [ Lords ] (Third sitting)

Margot James Excerpts
Thursday 15th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.

That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.

Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.

Margot James Portrait The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)
- Hansard - -

It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.

Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.

However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.

Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.

We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.

Daniel Zeichner Portrait Daniel Zeichner (Cambridge) (Lab)
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?

Margot James Portrait Margot James
- Hansard - -

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

Darren Jones Portrait Darren Jones
- Hansard - - - Excerpts

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - -

I beg to move amendment 115, in schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—

“(b) in paragraph 2, for ‘Member States’ substitute ‘The Secretary of State’;

(c) after that paragraph insert—

‘3 The power under paragraph 2 may only be exercised by making regulations under section (Duty to review provision for representation of data subjects) of the 2018 Act.’”

This amendment is consequential on NC2.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Government amendments 63 to 68.

Amendment 154, in clause 183, page 106, line 24, at end insert—

“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—

(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),

(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),

(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).

(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—

(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,

(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,

(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,

(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and

(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.

(4C) Subsections (4A) and (4B)—

(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,

(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and

(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Amendment 155, in clause 205, page 120, line 38, at end insert—

“(ca) section 183 (4A) to (4C);”

This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.

Government amendments 73 and 74.

Government new clause 1—Representation of data subjects with their authority: collective proceedings.

Government new clause 2—Duty to review provision for representation of data subjects.

Margot James Portrait Margot James
- Hansard - -

These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.

New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).

New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.

Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.

We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.

The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.

What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.

To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.

Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.

--- Later in debate ---
None Portrait The Chair
- Hansard -

Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.

Margot James Portrait Margot James
- Hansard - -

I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.

Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?

Margot James Portrait Margot James
- Hansard - -

The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?

Margot James Portrait Margot James
- Hansard - -

If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.

Margot James Portrait Margot James
- Hansard - -

As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commission will have new powers under the Bill to force companies to take action when there has been a breach of data.

There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.

Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.

Brendan O'Hara Portrait Brendan O'Hara
- Hansard - - - Excerpts

Does the Minister not accept, as I said earlier, that individuals are often the last people to know that their data has been breached and their rights have been infringed? For collective rights in hugely complicated areas, there must be a presumption that those rights are protected, and the Bill does not do that. I do not believe it reflects the principle that individuals are often the last people to know, and that they are the ones who need protecting.

Margot James Portrait Margot James
- Hansard - -

The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.

The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.

If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.

The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.