Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.

We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.

I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.

Lord Black of Brentwood (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I declare an interest in this group of amendments as executive director of Telegraph Media Group and draw attention to my other media interests in the register.

When I saw, not with a great deal of surprise, that this group of interlocking amendments relating to press regulation had been tabled—perhaps their second or third outing in as many years—I was reminded fleetingly of that famous line of President Reagan to Jimmy Carter in a presidential debate: “There you go again”. That is what this feels like. We have another Bill—with only the most tangential link to the media—and yet another attempt to hijack it to bring about some form of statutory press control. As the Times put it last week:

“The Data Protection Bill is meant to enhance protection of personal data. It is not meant to be a press regulation bill by another name”.


But this profoundly dangerous set of amendments seeks to warp the Bill in just that way.

Can we please be crystal clear about the impetus behind these amendments? It is certainly nothing to do with data protection. It is to try, yet again, to force the British press—national papers, regional and local papers, and magazines: in other words, everything from the Guardian and the Daily Telegraph to the Birmingham Mail, the Radio Times and Country Life—into a state-sponsored regulator, with virtually no members and no prospect of any, and almost wholly funded by the anti-press campaigner Max Mosley. Indeed, it is the very same regulator which was recently brought into disrepute when an internal report found that its chief executive and two members of its board had breached internal standards by distributing tweets attacking major national newspapers and journalists. These amendments try to do that by seeking to remove vital journalistic exemptions enshrined in the GDPR from all those who will not, on grounds of principle, be bullied into a system of state-sponsored regulation. Other amendments seek to remove the protection for freedom of expression, which has worked very well in the Data Protection Act 1998, to balance convention rights and make privacy in effect a trump card.

Let us be clear: the amendments would be a body blow to investigative journalism—at a time when, as we have seen in recent days and weeks, it has never been more vital—by giving powerful claimants with something to hide the ammunition to pursue legal claims and shut down legitimate public interest investigations into their activities even before anything is published. All UK news operations, none of which will under any circumstances join Impress or any body recognised by the Press Recognition Panel, would find themselves under incessant legal challenge, with a profound impact not just on investigations but on news, features and even the keeping of archives. In my view, it is no exaggeration to say that that would overturn the principle that has underpinned free speech in Britain for two centuries: that journalists have the right to publish what they believe to be in the public interest and answer for it after publication—a right upheld by the courts here and all the way up to the European Court of Human Rights.

The protections which make investigative journalism possible would in effect be enjoyed by only a handful of hyper-local publishers which have signed up to a state-backed regulator. Are the noble Lords in whose names these amendments stand really content to see the future of investigative journalism in this country invested in The Ferret or insideMoray, rather than in the teams from the Observer, the Liverpool Echo, the Scotsman and the many others which over the years have broken story after story in the public interest? Frankly, if this were not so deadly serious, it would be funny.

If these amendments ever found their way into this legislation, it would be not just a massive blow for investigative journalism and public interest reporting but a further knock to our international reputation as a beacon for press freedom. No other country in the free world has a system such as the one proposed here, where publications are bullied by politicians into some form of state-backed regulation.

It is six years since the Leveson inquiry took place. In those six years, the world has changed—not just in terms of the commercial position of newspapers and magazines, many of which now fight daily battles simply to survive, but also in terms of strong independent regulation. It is time that we moved on too, and I am very pleased that my party has done so by committing itself to the repeal of Section 40.

This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20. To unpick it in the way that this set of amendments tries to do, making so much public interest reporting impossible, is grossly irresponsible, and I hope that the Committee will reject it.

Lord Stevenson of Balmacara (Lab)

- Hansard -

Copy Link

- - Excerpts

My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.

Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.

The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.

So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.

Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

- - Excerpts

Could I ask the noble Baroness to repeat which provision she is referring to?

Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.

The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.

Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.

I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.

The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.

Lord Puttnam (Lab)

- Hansard -

Copy Link

- - Excerpts

My Lords, I support this amendment and identify myself totally with the remarks of the noble Lord, Lord Clement-Jones. I am trying to be practical, and I am possibly even pushing at an open door here. I have a facsimile of the 1931 Highway Code. The introduction by the then Minister says:

“By Section 45 of the Road Traffic Act, 1930, the Minister of Transport is directed to prepare a code of directions for the guidance of road users … During the passage of the Act through Parliament, the opinion was expressed almost universally … that much more could be done to ensure safety by the instruction and education of all road users as to their duties and obligations to one another and to the community as a whole”.


Those last few words are very important. This must be, in a sense, a citizens’ charter for users—a constantly updated notion—of the digital environment to be sure of their rights and of their rights of appeal against misuse. This is exactly where the Government have a duty of care to protect people from things they do not know about as we move into a very difficult, almost unknown digital environment. That was the thinking behind the 1931 Highway Code, and we could do a lot worse than do something similar. That is probably enough for now, but I will undoubtedly return to this on Report.

Baroness Hamwee (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.