All 3 Baroness Ludford contributions to the Data Protection Act 2018


Tue 10th Oct 2017: Data Protection Bill [HL], Lords Chamber. 2nd reading (Hansard): House of Lords

Mon 30th Oct 2017: Data Protection Bill [HL], Lords Chamber. Committee: 1st sitting (Hansard): House of Lords

Mon 11th Dec 2017: Data Protection Bill [HL], Lords Chamber. Report: 1st sitting: House of Lords

Data Protection Bill [HL]

Baroness Ludford Excerpts
2nd reading (Hansard): House of Lords
Tuesday 10th October 2017


Lords Chamber
Baroness Ludford (LD)

My Lords, I welcome the modernisation of data protection law that the Bill represents and the intention to comply with EU law in the regulation and directive—which of course we must do while we are still in the EU. I am particularly concerned with the future and the prospects for an adequacy decision from the Commission if we find ourselves outside both the EU and the EEA. A failure to get such a decision would be extremely harmful for both businesses and other organisations and for law enforcement.

I will look briefly at the past. In 2013 in the European Parliament I was one of the lead MEPs establishing the Parliament’s position on the regulation. I believe that we did a decent job—that was before the negotiations with the Council, which watered it down somewhat. The Government rightly acknowledge that the new system will build accountability with less bureaucracy, alleviating administrative and financial burdens while holding data controllers more accountable for data being processed—backed up by the possibility of remedies for abuse including notable fines. But the purpose is to provide incentives to build in privacy from the beginning through such instruments as data protection impact assessments and having a data protection officer, through data protection by design and default—thereby avoiding getting to the point of redress being necessary. As an aside, the routine registration with the Information Commissioner’s Office will be abolished, and I am not aware of how the ICO will be funded in future, because that was a revenue stream.

I will say briefly that the new rights that are in the regulation include tougher rules on consent, so we should see the end of default opt-ins or pre-selected tick boxes. That will probably be one of the most visible things for consumers; I hope that it does not become like the cookies directive, which has become a bit of a joke. The need for explicit consent for processing sensitive data is important, as is the tightening of conditions for invoking legitimate interests.

There are several matters which will give improved control over one’s own data, which is very important. There is also the right to be told if your data has been hacked or lost—so-called data breach notification—and a strengthened ability to take legal action to enforce rights. All these are considerable improvements. However, I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.

First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.

Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?

Looking forward, I want to mention some of what I see as the possible weaknesses in the Bill which might undermine the potential for an adequacy decision for data transfers to the EU and the EEA. The future partnership paper published in August, which has already been mentioned by the noble Lord, Lord Jay, referred to a UK-EU model which could build on the existing adequacy model. Can the Minister explain what that really means? As the noble Lord, Lord Jay, said, while national security is outside EU law, when it comes to assessing the adequacy of our level of data protection as a third country, we could find ourselves held to a higher standard because the factors to be taken into account include the rule of law and respect for human rights, fundamental freedoms and relevant legislation, including concerning public security, defence, national security, criminal law and rules for the onward transfer of personal data to another third country. Therefore, our data retention and surveillance regime, such as the bulk collection of data under the Investigatory Powers Act, will be exposed to full, not partial, assessment by EU authorities. This will include data transfers, for instance to the United States, which I would expect to be very much under the spotlight, and could potentially lead to the same furore as other transatlantic transfers. I lived through a lot of that. I remember that in 2013 there was a lot of flak about the actions of the UK, but nothing could be done about it because we are inside the EU. However, in the future it could.

There are also a number of aspects in the Bill in which the bespoke standards applied to intelligence agencies are less protective than for general processing, such as data breach reporting and redress for infringement of rights. We will need to give serious thought to the wisdom of these, looking to the future. This will not just be a snapshot on Brexit day or even on future relationship day, because at issue will be how our standards are kept up to scratch with EU ones. The fact that with another part of their brain the Government intend to decline to incorporate the European Charter of Fundamental Rights into UK domestic law, with its Article 8 on data protection, will not help the part of the governmental brain which looks forward to the free flow of data exchange with the EU. Our Government seem to be somewhat at cross purposes on what their future intentions are.

I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.

There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.

Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.

I will make one or two points in the health and research area. The Conservative manifesto commitment to,

“put the National Data Guardian for Health and Social Care on a statutory footing”,

is not fulfilled in the Bill; perhaps the Minister could explain why not. I would also expect clarification as the Bill proceeds on whether Clauses 162 and 172 sufficiently protect patients’ rights in the use or abuse of medical records. We know this is a sensitive issue given the history in this area, particularly of care data and other attempts to inform patients.

As a final point, I am glad that the research community was broadly positive about the compromises reached in the GDPR, although they were less explicit than the Parliament’s position. That leads to some uncertainty. I took note of what the noble Baroness, Lady Neville-Jones, said. Therefore, close examination will be merited of whether the Bill provides a good legal framework with sufficient legal basis for research, which many of us have all sorts of interests in promoting, balanced with a respect for individual rights. I very much hope this will be explored carefully at future stages.

Data Protection Bill [HL]

Baroness Ludford Excerpts
Baroness Ludford (LD)

My Lords, I am also pleased, as co-signatory, to support the amendment, the purpose of which is to retain in domestic law wording from the European Charter of Fundamental Rights concerning data protection. This is for the benefit of British citizens and to help ensure that vital data flows for business and law enforcement can continue if we Brexit.

The specific article in the EU charter, Article 8 on data protection, is stronger in this respect than the older non-EU European Convention on Human Rights, which deals with privacy only under the rubric of protection of family and personal life. The Government plan that the charter should cease to be part of UK domestic law after Brexit in Clause 5(4) of the European Union (Withdrawal) Bill. This broader issue will be considered as part of the scrutiny of that Bill, and there is a cross-party amendment tabled in the House of Commons and led by Dominic Grieve MP to remove that clause such that the charter continues to apply domestically in the interpretation of retained EU law. Liberal Democrats strongly support that amendment, but it seems appropriate not to wait for or depend on the success of that broader effort and at least effectively to embed the thrust of the charter as it concerns data protection in this Bill, which largely concerns EU law.

This is extremely important because if we Brexit, the UK will seek from the European Commission an adequacy decision on UK data protection so that transfers between the UK and the EU can continue smoothly—an objective the Prime Minister has singled out for mention. If we leave, EU states may no longer be able to share data with us unless our legal regime on matters including state surveillance powers aligns with EU requirements. The adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the UK. The embedding of the charter’s data protection right in this Bill would be an important safeguard for business continuity—especially for tech companies, which depend crucially on the free flow of data—as well as ensuring that essential cross-border police and intelligence co-operation is not disrupted.

I, my noble friends Lord McNally and Lord Paddick, and other noble Lords raised at Second Reading the need for measures to protect us from threats, not to undermine our civil liberties. We are used to the European Court of Human Rights ruling on privacy issues, several times finding the UK in breach of the convention, but more recently in the digital age it is the European Court of Justice—the EU court—that has come into play as EU law on protection of electronic communications and the provisions of the Charter of Fundamental Rights has begun to bite. The Snowden revelations brought heightened sensitivity about the extent of the legitimacy of the activities of our intelligence services.

The EU data retention directive—the EU law on mandatory mass data retention—was pushed through Brussels in 2005 when the UK had the presidency of the EU by the then UK Home Secretary in an expert piece of lobbying after the London bombings of that year. In a landmark 2014 judgment, the court struck it down as incompatible with the right to respect for private life and data protection under Articles 7 and 8 of the charter. Then, as mentioned by the noble Lord, Lord Stevenson, the judgment on DRIPA last December—technically, the Tele2/Watson case, although initially also involving the then Back-Bench David Davis MP—continued in the same vein, declaring that mass data retention was “disproportionate” to citizens’ rights to privacy. Its implications for the Investigatory Powers Act and the question of whether bulk collection of communications data could be permitted to infringe privacy on the grounds of pursuit of serious crime or threats to national security may be ascertained by the reference to the European court made by the Investigatory Powers Tribunal in September. Certainly, the wide range of powers in the Investigatory Powers Act might look vulnerable to being found in conflict with EU law. The Independent Reviewer of Terrorism Legislation, Max Hill, suggested that it was unclear whether the ruling in the Watson case on safeguards for data retention regimes could be interpreted as applicable to national security.

It is true that while in the EU the national security exemption from EU competence applies but, as was brought out at Second Reading, if we were outside the EU the arrangements for our intelligence agencies would go into the whole mix that is assessed for compliance with EU standards. The court’s decision in July, rejecting the legality of the EU agreement with Canada on the transfer of passenger name record details, provides a salutary lesson in how the court approaches third-country transfers. It struck down the agreement because several of its provisions were incompatible with EU fundamental rights. It is therefore crucial that we embed the wording of Article 8 of the charter.

The Labour Opposition have tabled an amended version of Amendment 4, namely Amendment 4A. This is an interesting variation and I look forward to learning a bit more as we progress about exactly how the new wording would work. As I understand it, the safeguards in subsection (1) of the proposed new clause and the first part of subsection (2), which are replicated from Amendment 4, would and should still govern the,

“provisions, exceptions and derogations of this Act”,

otherwise, the point of writing in safeguards is undermined.

I wonder about the reference to,

“purposes as set out in the GDPR”,

since the GDPR is concerned only with the processes for data manipulated in accordance with purposes set down in other instruments. I am slightly unclear about that.

I believe that there has been concern about a conflict with press freedom. Of course we are suffering here from the fact that we have only a partial bite from the charter, which contains a firm provision on freedom of expression and information as well as on the right to security. When we succeed in retaining the whole charter in domestic law via the EU withdrawal Bill, the whole balancing exercise will become more apparent than with this snapshot. In the meantime, we have to proceed with entrenching this partial aspect of the charter as concerns data protection.

Lord Pannick (CB)

My Lords, the problem with Amendment 4 is that it would not incorporate the charter provision relating to personal data. The reason for that is that it addresses the prima facie right to the protection of personal data, but not the limitations and exceptions recognised by the European charter itself. Article 8, like all the other rights in the European charter, is subject to the limitations stated in Article 52. That says that there can be limitations on protected rights if they are provided for by law, are necessary and meet,

“objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.

It is because there has to be a balance between this prima facie right and exceptions and limitations that the Bill contains a very large number of exemptions which cover a whole range of circumstances in which the rights of the data subject have to give way to other considerations, such as national security, the detection of crime, taxation, judicial appointments or confidential references for employment. There are many such exemptions.

The Bill contains exemptions because there are other interests in this area, and other rights, which conflict with the right to protection of personal data, and a fair balance is required. The Committee will want to debate the scope of those exceptions and limitations and be satisfied that the balance has been struck correctly. But Amendment 4 suggests that there is some absolute right to the protection of personal data. That is simply wrong. That is why, I imagine, the noble Lord, Lord Stevenson, has tabled manuscript Amendment 4A, which attempts to address the defect in Amendment 4.

I would have wished for more time to consider Amendment 4A, which I understand was tabled only this morning, particularly if the noble Lord, Lord Stevenson, intends to divide the Committee today. I am concerned that Amendment 4A poses two difficulties of its own. First, the value of including Amendment 4A is not clear to me. The Bill already sets out in considerable detail the domestic implementation of the charter obligation; that is, Article 8 read with Article 52. I fear that including Amendment 4A in the Bill would be likely to cause legal confusion and uncertainty in an area where precision and clarity are essential—and, indeed, are provided by the substance of the detailed provisions in the Bill.

Secondly, I fear that the purpose of Amendment 4A is to confer some special, elevated legal status on Article 8 rights concerning personal data for the future, as subsection (4) suggests. I think that would be very unwise because, as I have said, Article 8 rights often conflict with other rights—whether it is freedom of expression, which we heard about, or the right to property—or other interests. The detailed provisions of the Bill illustrate the difficult choices that have to be made in this area.

Amendment 4A seeks to give a special legal status to one charter right in isolation and that is simply inappropriate. For those reasons, I hope that the noble Lord, Lord Stevenson, will not divide the Committee on Amendment 4A. If he does, I will vote against it.

Data Protection Bill [HL]

Baroness Ludford Excerpts
Report: 1st sitting: House of Lords
Monday 11th December 2017


Lords Chamber
Amendment Paper: HL Bill 74-II Second marshalled list for Report (11 Dec 2017)
Lord Stevenson of Balmacara (Lab)

My Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.

I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.

It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.

By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.

Baroness Ludford (LD)

My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.

Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,

“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.

Is the Minister able to elucidate what that caveat leaves out? What would not be possible?

In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,

“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,

including the,

“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.

So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.

As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.

On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.

--- Later in debate ---
Baroness Ludford

I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?

Lord Ashton of Hyde

I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.

The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.