Data Protection and Digital Information Bill
Lord Bethell ExcerptsMonday 15th April 2024
(2 weeks, 1 day ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-IV(a) Amendment for Grand Committee (Supplementary to the Fourth Marshalled List) - (15 Apr 2024)
Lord Bethell (Con)
My Lords, I will speak to Amendment 115 in my name. I start by saying a huge thanks to the noble Lord, Lord Clement-Jones, and my noble friend Lord Kirkhope, who have put everything so well and persuasively that I have almost nothing else to say in support. I am looking forward to the Minister throwing in the towel and accepting all the measures as suggested. Noble Lords have really landed it well.
I shall not go through the principle behind my amendment because, frankly, its benefit is so self-evident and clear that it does not need to be rehearsed in great detail. What I want to get across is the absolute and paramount urgency of the Government adopting this measure or a similar one. This is a terrific Bill; I thank the Minister for all the work that he and his team have done on it. I sat through Second Reading, although I did not speak on that day, when the Minister gave a persuasive account of the Bill; we are grateful for that.
However, this is a massive gap. It is a huge lacuna in the provisions of a Bill called a data protection Bill. It is a well-known gap in British legislation—and, by the way, in the legislation of lots of other countries. We could try to wait for an international settlement—some kind of Bretton Woods of data—where all the countries of the world put their heads together and try to hammer out an international agreement on data. That would be a wonderful thing but there is no prospect whatever of it in sight, so the time has come for countries to start looking at their own unilateral arrangements on the international transfer of data.
We have sought to duck this commitment by stringing together a Heath Robinson set of arrangements around transfer risk arrestments and bilateral agreements with countries. This has worked to some extent—at least to the extent that there is a booming industry around data. We should not diminish that achievement but there are massive gaps and huge liabilities in that arrangement, as my noble friend Lord Kirkhope rightly described, particularly now that we are living in a new, polarised world where countries of concern deliberately seek to harvest our data for their own security needs.
There are three reasons why this has become not just a chronic issue that could perhaps be kicked down the road a bit but an acute issue that should be dealt with immediately in the Bill’s provisions. The first, which my noble friend hinted at, is the massive flood of new data coming our way. I had the privilege of having a look at a BYD car. It was absolutely awesome and, by the way, phenomenally cheap; if the Chinese taxpayer is okay with subsidising our cars, I would highly recommend them to everyone here. One feature of the car is a camera on the dashboard that looks straight at the driver’s face, including their emotional resonance; for instance, if you look weary, it will prompt you to stop and have a coffee. That is a lovely feature but it is also mapping your face for hours and hours every year and, potentially, conveying that information to the algorithmic artificial intelligence run by the CCP in China—something that causes me huge personal concern. Lady Kirkhope may be worried about her fridge but I am very worried about my potential car. I embrace the huge global growth of data exchanges and technology’s benefits for citizens, taxpayers and voters, but this must be done in a well-curated field. The internet of things, which, as many noble Lords will know, was invented by Charlie Parsons, is another aspect of this.
Secondly, the kind of data being exchanged is becoming increasingly sensitive. I have mentioned the video in the BYD car; genomics data is another area of grave concern. I have an associate fellowship at King’s College London’s Department of War Studies, looking specifically at bioweapons and the transfer of genomic data. Some of this is on the horizon; it is not of immediate use from a strategic and national security point of view today but the idea that there could be, as in a James Bond film, some way of targeting individuals with poisons based on their genomic make-up is not beyond imagination.
The idea that you could create generalised bioweapons around genomics or seek to influence people based in part on insight derived from their genomic information is definitely on the horizon. We know that because China is doing some of this already; in the west of China, it is able to identify members of the Uighur tribes. In fact, China can say to someone, “We’re calling you up because we know that you’re the cousin of someone who is in prison today”, and this has happened. How does China know that? It has done it through the genomic tracking in its databases. China’s domestic use of data, through the social checking of genomic data and financial transactions, is a very clear precedent for the kinds of things that could be applied to the data that we are sharing with such countries.
Thirdly, there is the sensitivity of what uses the data is being put to. The geopolitics of the world are changing considerably. We now have what the Americans call countries of concern that are going out of their way to harvest and collect data on our populations. It is a stated element of their national mission to acquire data that could be used for national security purposes. These are today’s rivals but, potentially, tomorrow’s enemies.
For those three reasons, I very much urge the Minister to think about ways in which provisions on the international transfer of data could be added to the Bill. Other countries are certainly looking at the same; on 28 February this year, President Biden issued executive order 14117, which in many ways echoes the themes of our Amendment 115. It says clearly that there is an “unacceptable risk” to US national security from the large sharing of data across borders and asks the DoJ to publish a “countries of concern” list. That list has already been published and the countries on it are as the Committee would expect. It also seeks to define priority data. In other words, it is a proportionate, thoughtful and sensible set of measures to try to bring some kind of guard-rail to an industry where data transfer is clearly of grave concern to Americans. It looks particularly at genomic and financial transaction data but it has the capacity to be a little broader.
I urge the Minister to consider that this is now the time for unilateral action by the British Government. As my noble friend Lord Kirkhope said, if we do not do that, we may find ourselves being left behind by the EU, including the Irish, by the Americans and so on. There is an important spill-over effect from Britain acting sensibly that will do something to inspire and prod others into action. It is totally inappropriate to continue this pretence that British citizens are having their data suitably protected by the kind of commercial contracts that they are signing, which have no kind of redress or legal standing in the country of destination.
Lastly, the commercial point is very important. For those of us who seek to champion an open, global internet and a free flow of data while facilitating investment in that important trade, we must curate and care for it in a way that instils trust and responsibility, otherwise the whole thing will be blown up and people will start pulling wires out of the back of machines.
Baroness Jones of Whitchurch (Lab)
My Lords, I am very grateful to the noble Lords, Lord Clement-Jones, Lord Bethell and Lord Kirkhope, for tabling these amendments and for enabling us to have a good debate on the robustness of the proposed international data rules, which are set out in Schedules 5 and 7. Incidentally, I do not share the enthusiasm expressed by the noble Lord, Lord Bethell, for the rest of the Bill, but on this issue we are in agreement—and perhaps the other issues are for debate some other time.
Lord Bethell (Con)
The Minister mentioned prosecutions and legal redress in the UK from international data transfer breaches. Can he share some examples of that, maybe by letter? I am not aware of that being something with a long precedent.
Viscount Camrose (Con)
A number of important points were raised there. Yes, of course I will share—
Lord Bethell
“Access to data for vetted researchers(1) Upon a reasoned request from the Information Commissioner, a data controller or processor that meets the requirements in subsection (9) must, within a reasonable period, as specified in the request, provide access to data to vetted researchers who meet the requirements in subsection (7), for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks of non-compliance with United Kingdom law that is upheld by one or more of the regulatory bodies, the Information Commissioner, the Competition and Markets Authority (CMA), the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA).(2) Within 15 days following receipt of a request as referred to in subsection (1), the data controller or processor may request the Information Commissioner amend the request, where they consider that they are unable to give access to the data requested because one of the following two reasons—(a) they do not have access to the data;(b) giving access to the data would lead to significant vulnerabilities in the security of their service or the protection of confidential information, in particular trade secrets.(3) Requests for amendment under subsection (2) must contain proposals for one or more alternative means through which access may be provided to the requested data or other data which are appropriate and sufficient for the purpose of the request.(4) The Information Commissioner must decide on the request for amendment within 15 days and communicate to the data controller or processor its decision and, where relevant, the amended request and the new period to comply with the request. (5) Where the research request relates to United Kingdom law that is upheld by a different regulator, the Information Commissioner will notify the relevant regulator.(6) The data controller or processor must facilitate and provide access to data pursuant to subsections (1) and (4) through appropriate interfaces specified in the request, including online databases or application programming interfaces.(7) Upon a duly substantiated application from researchers, the Information Commissioner will grant such researchers the status of “vetted researchers” for the specific research referred to in the application and issue a reasoned request for data access to the data controller or processor pursuant to subsection (4), where the researchers demonstrate that they meet all of the following conditions—(a) they are affiliated to a research organisation;(b) they are independent from commercial interests;(c) their application discloses the funding of the research;(d) the intended research has demonstrated public interest and benefit;(e) they are capable of fulfilling the specific data security and confidentiality requirements corresponding to each request and to protect personal data, and they describe in their request the appropriate technical and organisational measures that they have put in place to this end;(f) their application demonstrates that their access to the data and the time frames requested are necessary for, and proportionate to, the purposes of their research, and that the expected results of that research will contribute to the purposes laid down in subsection (1);(g) the planned research activities will be carried out for the purposes laid down in subsection (1);(h) they have committed themselves to making their research results publicly available free of charge, within reasonable period after the completion of the research.(8) Data controllers and processors must give access without undue delay to data, including, where technically possible, to real-time data, provided that the data is publicly accessible in their online interface by researchers, including those affiliated to not for profit bodies, organisations and associations, who comply with the conditions set out in subsection (7)(b), (c), (d) and (e), and who use the data solely for performing research to advance the purposes set out in subsection (1) above.(9) A data controller or processor falls within the scope of subsection (1) if it has over 1 million service users or customers in the United Kingdom, if there is a large concentration of children on the service or if the researchers provide compelling evidence that the service is high risk.(10) The Information Commissioner must publish the technical conditions under which a data controller or processor must share data pursuant to subsections (1) and (4), including the application of data protection by design and default, and the purposes for which the data may be used.(11) The technical conditions under subsection (10) include the specific conditions under which such sharing of data with researchers may take place, as well as relevant objective indicators, procedures and, where necessary, independent advisory mechanisms in support of sharing of data, taking into account the rights and interests of the providers of data controllers and processors and the data subjects who use the service, including the protection of confidential information, in particular trade secrets, and maintaining the security of their service.” Member’s explanatory statement
This amendment mirrors the research provisions in the European Commission’s Digital Services Act and ensures that UK-based academic researchers are not put at a disadvantage when it comes to researching matters of public interest regarding whether the largest online services - including services most used by children - are safe, private and comply with UK law.
Lord Bethell (Con)
My Lords, the issue of access to data for researchers is very familiar to all those involved in debates on the Online Safety Bill, now an Act. The issue is relatively simple and I am not going to spell it out in great detail. I will leave it to others to give more concrete examples.
The issue is that in the tech industry, there is a vast amount of data about the effect of social media and the impact on consumers of the technologies, algorithms and content that are in circulation. But there is a blackout when it comes to academics, epidemiologists, journalists or even parliamentarians who are trying to have a dig around to understand what is happening. What is happening on extremism or child safety? What is happening with fraud or to our national security? What is the impact on children of hours and hours spent on YouTube, Facebook, Snapchat and all the other technologies that are now consuming billions of hours of our time?
In other walks of life, such as the finance and retail sectors, there are open platforms where regulators, researchers and even the public can have a peek at what is going on inside. This is not commercial access; instead, it is trying to understand the impact on society and individuals of these very important and influential technologies. That kind of transparency absolutely underpins trust in these systems. The data is essential to policy-making and the surveillance is key to security.
What I want to convey is a sense that there is a very straightforward solution to this. There is a precedent, already being rolled out in the EU, that creates a good framework. Amendment 135 has been thoroughly discussed with the department in previous debates on the Online Safety Bill, and I thank the Minister and the Secretary of State for a number of meetings with parliamentarians and civil society groups to go through it. The idea of creating a data access pathway that has attached to it a clear validation system that secures the independence and privacy of researchers is relatively straightforward. Oversight by the ICO is something that we all agree gives it a sense of credibility and straightforwardness.
I want to try to convey to the Minister the importance of moving on this, because it has been discussed over several years. The regulator is certainly a supporter of the principle: Melanie Dawes, the CEO of Ofcom, gave testimony during the Joint Committee on the Online Safety Bill in which she said it was one of the things she felt was weak about that Bill. She would like to have seen it strengthened up. It was therefore disappointing that there was not a chance to do that then, but there is a chance to do it now.
During the passage of the Online Safety Act, the Minister also made commitments from the Dispatch Box about returning to this subject during the passage of this Bill, so it feels like a good moment to be discussing this. There are 40 impressive civic society groups that have written in clear terms about the need for this, so there is a wide body of opinion in support. One reason why it is so urgent that we get this measure in the Bill—and do not kick the can down the road—is that it is currently getting harder and harder for researchers, academics and scientists to look into the impact of the actions of our technology companies.
Twitter/X has withdrawn almost all access to the kind of data that makes this research possible. Facebook has announced that it will be stopping the support of CrowdTangle, the very important facility it had created, which had become a very useful tool. The feedback from the Meta live content library that is its theoretical replacement has not been very positive; it is a clunky and awkward tool to use. TikTok is a total black box and we have no idea what is going on in there; and the action by Elon Musk against the Center for Countering Digital Hate, which he pursued in the courts over its analysis of data, gives a sense of the very aggressive tone from tech companies towards researchers who are trying to do what is widely considered to be very important work.
Viscount Camrose (Con)
I am thinking very carefully about how best to answer. Yes, I do share that concern. I will set this out in more detail when I write to the noble Baroness and will place that letter in the House of Lords Library. In the meantime, I hope that my noble friend will withdraw his amendment.
Lord Bethell (Con)
I am enormously grateful to the Minister for his response. However, it falls short of my hopes. Obviously, I have not seen the letter that he is going to send us, but I hope that the department will have taken on board the commitments made by previous Ministers during discussions on the Online Safety Bill and the very clear evidence that the situation is getting worse, not better.
Any hope that the tech companies would somehow have heard the debate in the House of Lords and that it would have occurred to them that they needed to step up to their responsibilities has, I am afraid, been dashed by their behaviours in the last 18 months. We have seen a serious withdrawal of existing data-sharing provisions. As we approach even more use of AI, the excitement of the metaverse, a massive escalation in the amount of data and the impact of their technologies on society, it is extremely sobering to think that there is almost no access to the black box of their data.