Online Harms
Debate between Lord Ashton of Hyde and Baroness O'Neill of Bengarve(5 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness O'Neill of Bengarve (CB)
My Lords, I too welcome this White Paper. We have heard it heralded from the Front Bench week after week, and it is great to see it arrive. However, it deals with only part of the problem. That is, it is a paper about the private harms that may be done—for example, by cyberbullying, fraud or extremist material. All of those matter, but there is another set of harms: harms to public goods, democracy, culture and the standards of the media. The Digital, Culture, Media and Sport Committee in the other place recently had an interesting report on disinformation and fake news which discussed some of those harms—including those which I can loosely indicate by referring to the Cambridge Analytica scandal.
We are beginning to understand that there are people campaigning within democracies that our regulation cannot reach. The electoral commissioner cannot reach those harms. Is the proposal to reach those harms as well, or is that for another day? I fear that if we do not deal with those harms relatively soon, we will regret it. Political campaigning may be undertaken not only by legitimate, registered political parties and individuals, but also by non-citizens, other states, businesses and the security apparatuses of other states. I believe these public, online harms to democracy should be of the utmost concern to us, but they are little discussed in this White Paper.
Lord Ashton of Hyde
My Lords, I agree that those are serious issues and need to be addressed. We have made it clear in the White Paper the harms that are in scope, but have also been very open about those that are not. We have said that we are addressing some of the really serious issues on the internet which the noble Baroness describes as private harms. We have said that we cannot deal with everything, but we are dealing with matters such as disinformation and potential assaults on democracy. We do not want to duplicate within one big White Paper, followed by legislation, all the harms connected to the internet. We have said that we are not dealing with competition law, intellectual property violation, fraud, data protection and so on, but I absolutely accept that they are very important issues. The Cabinet Office is due to report on them soon, and it is right that that department, which has responsibility for the constitution, should be dealing with it. We have not neglected those problems.
Centre for Data Ethics and Innovation
Debate between Lord Ashton of Hyde and Baroness O'Neill of Bengarve(5 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
The board of the centre will be able to cope with whichever way round the wording is. It will deal with the balance and the tensions between ethics and innovation—and indeed innovation and ethics.
Baroness O’Neill of Bengarve (CB)
My Lords, yesterday evening the British-American Parliamentary Group and Ditchley met to discuss these topics. It was an interesting meeting, but it did reveal how readily innovation drives ethics. I say this as an academic philosopher, and it is quite important. The innovation questions are of great importance, but they are not the only questions, and I hope that steps will be taken to ensure that there is suitable rigour in the analysis of the ethical issues. The debate is full of pitfalls and inadequacies, including phrases such as “communication ethics” and “data ethics”, which ultimately mean nothing. Ethics is about what you do: it is not about data and communication. So I hope that there will be room for that sort of rigour on this advisory—and ultimately statutory—body.
Lord Ashton of Hyde
I completely agree with the noble Baroness. In dealing with modern technology, we often forget the very important point she makes. Ethics is about how you live your life and deal with things in a way that has a moral basis. I absolutely accept that, in dealing with modern technology and especially things such as AI, ethics is a very important component. That is precisely why they have also included not just technical people but parliamentarians and professional philosophers, to consider and to make sure that those aspects are given sufficient weight.
Cambridge Analytica
Debate between Lord Ashton of Hyde and Baroness O'Neill of Bengarve(6 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
My Lords, I want to put on the record that we absolutely agree with the noble Baroness that if these allegations—and at the moment they are allegations—are correct, that will be truly shocking. The new Data Protection Bill will bring forward stronger enforcement powers, and, as we have said, we might strengthen them even further. It is very important to consider that some people have said that the powers in the new Data Protection Bill are too burdensome. That shows exactly why we need strengthened individual data subjects’ rights and the means to protect them. The privacy of individual data subjects must be taken extremely seriously, and the Bill will do that. Of course, the Information Commissioner will certainly take seriously any links that she finds between any data breaches and elections, and I confirm to the noble Baroness that we will too.
Baroness O'Neill of Bengarve (CB)
My Lords, the Minister has, very understandably, spoken as though the problem that we are addressing is breach of privacy, and that is of course what data protection legislation is intended to achieve. However, does he not think that new uses of data, including personal data, by digital media and specifically by social media are evading the way in which we would like elections to be conducted and enabling data use that is not merely a breach of privacy but a breach of public interest?
Data Protection Bill [HL]
Debate between Lord Ashton of Hyde and Baroness O'Neill of BengarveMonday 20th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness O’Neill of Bengarve (CB)
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
Could I ask the noble Baroness to repeat which provision she is referring to?
Baroness O’Neill of Bengarve
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
Data Protection Bill [HL]
Debate between Lord Ashton of Hyde and Baroness O'Neill of BengarveMonday 6th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Baroness O'Neill of Bengarve (CB)
I thank the Minister for giving way. Is he suggesting that the aim should be to adapt children to the realities of the online world and the internet service providers, rather than to adapt the providers to the needs of children?
Lord Ashton of Hyde
I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.
We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.
I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.