Wednesday 13th December 2017
(6 years, 4 months ago)
Lords ChamberData Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Stevenson of Balmacara (Lab)
My Lords, I have been trying to search for words to explain what is going on at the moment. It seems to me that we are living in two parallel universes. My first thought was that we were back in World War I territory—the noble Lord, Lord Black, will get the reference—and that we were engaging in sniping over long pieces of dead ground over issues that nobody could understand, fought by people who did not want to be there and led by people even more stupid than that. But I have decided that this is the rerun of an acrimonious family dinner that we had before the break. We are now reflecting on that and trying to nerve ourselves up to talk again to each other and restore relationships, because relationships must go on.
Again, we have had these passionate stories, anecdotes and recollections of times when things have gone disastrously wrong. No amount of legal redress can undo that suffering. From others, we have heard a perfectly robust and understandable account of why things are perfectly all right at the moment and, given time, will be sorted out. I begin to think that Leveson, for all the great work he did and the excellence of his report—and the longevity of its recommendations—is a bit of a McGuffin here. This is about us and society; it is about Parliament. I tried to address some of that at the end of the last debate. We have to get serious about this and work out how to make progress. We have to restore the rightful balance between Parliament, which must be sovereign, and those who work within an environment in which Parliament seems at the moment to have been discounted.
If we do not get this sorted, we will continue to be like this for the rest of time. It is insufficient and ineffective. It will not be the way we want to live our lives and we will all be much the losers as a result. We must give credit to the noble Baroness, Lady Hollins, and her proposals. Yes, they come from Leveson—but underneath that there is the greater truth that things are not working as they could be. They should be working better.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, while we have already debated amendments that are challenging to a free press, I fear that this group of amendments would be potentially hostile to the concept of a free press. Where there are abuses the answer is to enforce the law, not to shut down the media. I adopt the observations of the noble Lord, Lord Pannick, and my noble friend Lady Wheatcroft in that regard.
Amendment 53 would remove the requirement to give special weighting to the public interest in freedom of expression and information. This is something that we consider an essential way of ensuring that information that is in the public interest is not buried due to the data protection regime that is put in place. In this context, giving special weight to the public interest in freedom of expression and information is an important way of ensuring that we provide constitutional protection of freedom of speech, as required pursuant to Article 10 of the European Convention and the Human Rights Act.
Amendments 54 and 56 relate to the codes of practice to guide journalists in conducting the essential public interest balancing test that has to be carried out. We have already debated this in the previous group, before the dinner break. Amendment 54 intends to take away the absolute requirement to have regard to the listed codes of practice when determining whether publication would pass the public interest test. This requirement is a way of strengthening the obligations on journalists. In line with the enhanced protection of the GDPR, we are making sure that those journalists who are covered by one of the listed codes must have regard to their relevant code.
In a related amendment, Amendment 56, the noble Baroness, Lady Hollins, has suggested that we alter the language of the condition on the special purposes exemption at paragraph 24 of Schedule 2 to the Bill by changing “relevant” to “appropriate”. This amendment makes it unclear which code should be consulted in a given case. We want to ensure that the code which pertains to a particular set of journalists is the code to which they have regard when carrying out the public interest test.
We are not being unreasonable in resisting Amendments 54 and 56. They may look innocuous, just slightly changing the language of the Bill, but if we are to be true to the GDPR, we must ensure that in our law we have resolved the article 85 requirement to set where the public interest lies in managing the balance between privacy and freedom of expression. If we make the use of these codes discretionary and their application vague, we will simply undermine that balance.
Finally, I turn to the amendments from the noble Baroness that aim to create a special group of exemptions only for those journalists who are members of an approved regulator. As drafted, the Bill is designed to protect journalists who should be able legitimately to rely on these exemptions when undertaking journalism in the public interest, regardless of which regulator they belong to or whether they belong to any at all. The reality of the press landscape today is that the vast majority of publishers are not members of an approved regulator. As such, limiting certain exemptions to only those who are members of an approved regulator would limit the ability of most journalists in this country to undertake investigative journalism in the public interest. Whatever the motive or the intention behind these amendments, they are, I am afraid, either wrecking amendments or amendments designed to force publishers to sign up to a regulator to which they object—and that is not acceptable.
Section 40 of the Crime and Courts Act 2013 was mentioned. As we have previously discussed, the Government are currently considering Section 40 with regard to part 2 of the Leveson inquiry. We do not believe that using data protection legislation is an appropriate means of trying to incentivise compliance with, for example, Section 40.
The noble Lord, Lord Stevenson, observed just three weeks ago, and earlier this evening, that this is not perhaps the place for this debate. He commented:
“I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson”.—[Official Report, 22/11/17; col. 195.]
I concur with that observation, which he just reinforced with his observations about the need for us perhaps to look more clearly at what the real issue is rather than being distracted by trying to act as tail-end Charlies to a particular piece of legislation on data protection.
There will be a response to the consultation on Section 40 and Leveson 2, but I shall make one comment with regard to the suggestion about delay in that consultation process. Noble Lords may recollect that the Secretary of State was the subject of a judicial review application which made it impossible for her to proceed with the consultation because the terms of the consultation were the subject of legal challenge. Thereafter, when the consultation proceeded, there were more than 174,000 responses. They had to be analysed and considered, but the fact that there was that number of responses perhaps gives weight to the observation of the noble Lord, Lord Stevenson, about there being an issue that needs to be addressed, and therefore we must look forward to the response to the consultation. I invite the noble Baroness to withdraw the amendment.
Baroness Hollins
Before the Minister sits down, will he confirm that he will reflect on this debate, which has been very important, and in the light of the promised consultation report allow the debate to continue in the new year?
Lord Keen of Elie
I cannot guarantee the continuation of this debate, although the noble Lord, Lord Stevenson, appears determined to see it continue in the new year, under reference to his Amendment 165, and I look to engaging with him in a further interesting discussion on the topic at that stage. Beyond that, I say to the noble Baroness that the Government and Ministers are listening and considering these issues.
Lord Keen of Elie
The position with regard to the consultation and the response to the consultation is as I indicated before the break. Sir Brian Leveson has, very properly, asked to see material pertaining to the consultation and the responses to it because he is a necessary party in this context. Until he has had a reasonable opportunity to do that, it would not be appropriate for us to respond.
Baroness Hollins
My Lords, I would like just to make one or two corrections for the record. The noble and learned Lord suggested that the amendment, which would reserve some exemptions for newspapers signed up to a recognised regulator, would actually prevent the majority of journalists from engaging in investigative journalism. That is not the case. The exemptions required for investigative journalism remain intact for all journalists, regardless of their regulator.
There are one or two other corrections. The noble Lord, Lord Black, continues to misrepresent the establishment of the Press Recognition Panel, for example by saying that it is subject to interference by the Secretary of State. That is just not the case. It is so patently untrue that I can only assume that the noble Lord has not researched the facts, because it is a point that he has made before.
With respect to my noble friend Lord Pannick’s faith in the legal profession being able to sort out any illegal acts by newspapers, I will just say that affording the money to pay a lawyer and the time to mount a legal claim is not usually possible or a priority for victims of press abuse, particularly when they are in the midst of personal trauma. It is just not a priority. I personally would prefer that newspapers behaved themselves and did not fill lawyers’ pockets with money.
I take exception to being described as a bully. I have heard no compassion or concern for the victims of press abuse. Do noble Lords have any idea what it is like to be bullied by newspapers day after day after day? Any idea at all? To call my amendments bullying is unforgivable. Imagine the effect on the lady I spoke about before, who had lost weight and was described as a “grubby gran”. Imagine what that did to her mental state. I wonder whether she has been able to retain her weight loss.
This is the right Bill for these amendments. They are amendments to data protection legislation, and the victims of press abuse have waited a considerable length of time for an opportunity to take them forward. They are not hastily drawn-up, but the result of an extensive and impartial inquiry, and are as relevant today as they were in 2012. Sir Brian Leveson’s recommendations relate to the processing of data, not to the medium of publication, so it is irrelevant that the media landscape is changing.
I am grateful for the contributions of noble Lords who have spoken, in part because they demonstrate just how much there appears to be two parallel worlds. I assure your Lordships that I will return to this matter, but I beg leave to withdraw my amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
“( ) in Chapter IV of the GDPR (controller and processor), Article 36 (requirement for controller to consult Commissioner prior to high risk processing);( ) in Chapter V of the GDPR (transfers of data to third countries etc), Article 44 (general principles for transfers);”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“(3) Regulations under this section—(a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;(b) are otherwise subject to the affirmative resolution procedure.(4) For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”
Lord Ashton of Hyde
Lord Ashton of Hyde
“Minor definitionMeaning of “court”
Section 4(1) (terms used in this Chapter to have the same meaning as in the GDPR) does not apply to references in this Chapter to a court and, accordingly, such references do not include a tribunal.”
Lord Kennedy of Southwark
My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.
Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.
I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.
We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.
The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.
Lord Kennedy of Southwark
I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.
Lord Ashton of Hyde
Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.
Lord Kennedy of Southwark
It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.
Lord Ashton of Hyde
Baroness Hamwee (LD)
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
Lord Ashton of Hyde
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
Lord Ashton of Hyde
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
Lord Stevenson of Balmacara
That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.